IETF Logo Mail Archive

Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt

t.petch <ietfc@btconnect.com> Thu, 08 May 2014 09:08 UTC

Return-Path: <ietfc@btconnect.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F4C91A026A for <netconf@ietfa.amsl.com>; Thu, 8 May 2014 02:08:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ifgun98iZOh for <netconf@ietfa.amsl.com>; Thu, 8 May 2014 02:07:59 -0700 (PDT)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1lp0013.outbound.protection.outlook.com [213.199.154.13]) by ietfa.amsl.com (Postfix) with ESMTP id AEBCE1A0239 for <netconf@ietf.org>; Thu, 8 May 2014 02:07:58 -0700 (PDT)
Received: from DBXPRD0210HT001.eurprd02.prod.outlook.com (157.56.253.181) by DB3PR07MB059.eurprd07.prod.outlook.com (10.242.137.149) with Microsoft SMTP Server (TLS) id 15.0.939.12; Thu, 8 May 2014 09:07:52 +0000
Message-ID: <007201cf6a9c$aa76f980$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: Kent Watsen <kwatsen@juniper.net>, "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
References: <201403251517.LAA15291@adminfs.snmp.com> <CF58ED17.65F0C%kwatsen@juniper.net> <533D47CF.30402@bwijnen.net> <01f401cf5342$4d48d740$4001a8c0@gateway.2wire.net> <032f01cf6524$71cb2340$4001a8c0@gateway.2wire.net> <5368C366.8070509@bwijnen.net> <023701cf69d5$abcfb320$4001a8c0@gateway.2wire.net> <CF8FD96F.6E752%kwatsen@juniper.net>
Date: Thu, 08 May 2014 09:59:31 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [157.56.253.181]
X-ClientProxiedBy: AM3PR07CA0045.eurprd07.prod.outlook.com (10.141.45.173) To DB3PR07MB059.eurprd07.prod.outlook.com (10.242.137.149)
X-Forefront-PRVS: 0205EDCD76
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009001)(979002)(6009001)(428001)(51444003)(51704005)(189002)(164054003)(199002)(377454003)(40224001)(13464003)(50226001)(76176999)(66066001)(81686999)(79102001)(62236002)(20776003)(50466002)(77982001)(88136002)(89996001)(50986999)(99396002)(44736004)(84392001)(19580395003)(93916002)(101416001)(46102001)(76482001)(74502001)(42186004)(87976001)(92726001)(19580405001)(86362001)(83322001)(4396001)(44716002)(33646001)(31966008)(81342001)(85852003)(61296002)(62966002)(81816999)(80022001)(83072002)(74662001)(87286001)(47776003)(1941001)(64706001)(92566001)(77156001)(21056001)(23756003)(14496001)(81542001)(74416001)(7726001)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:DB3PR07MB059; H:DBXPRD0210HT001.eurprd02.prod.outlook.com; FPR:; MLV:ovrnspm; PTR:InfoNoRecords; MX:1; A:0; LANG:en;
Received-SPF: None (: btconnect.com does not designate permitted sender hosts)
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=ietfc@btconnect.com;
X-OriginatorOrg: btconnect.com
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/SgNTg2jRFnjbEcO6IBkmXRg38hY
Cc: netconf@ietf.org
Subject: Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 May 2014 09:08:04 -0000

----- Original Message -----
From: "Kent Watsen" <kwatsen@juniper.net>
To: "t.petch" <ietfc@btconnect.com>; "Bert Wijnen (IETF)"
<bertietf@bwijnen.net>
Cc: <netconf@ietf.org>
Sent: Wednesday, May 07, 2014 6:54 PM

Hi Tom,

>So, my still outstanding points are
>
>- s.5, re-arrange to dovetail better with 5539bis

My understanding is that you believe that both drafts share the issue of
the northbound management application being able to identify and verify
the [SSH/TLS] server that uses call-home to connect to it.   I agree.

And that the text in the reverse-ssh draft, while ostensibly about SSH
host keys, could similarly apply to TLS and its use of X.509
certificates.
  I agree again, there is an overlap.

Thus you think that much of the text should be moved to 5539bis and for
the reverse-ssh draft to reference it there.  I don¹t agree, for two
reasons:

1) if there is a need to define common call-home behavior, we should
have
a ³call-home² draft that covers both TLS and SSH call-home together.  I
recall this being one of the options discussed before, but the WG
decided
to move ahead with this document structure.  In lieu of that, I think
that
the reverse-ssh draft is closer to being a ³call-home² draft than
5539bis,
and so suggest putting common call-home information into it, perhaps
pulled out into a section called ³common call-home behavious² - what do
you think?

2) The text in the reverse-ssh draft is also much about the use of
legacy
host-keys versus the new X.509 based keys with SSH.  Saying that use of
legacy keys is possible and allowed, but fraught with issues that are
resolved when using X.509 keys.  Maybe this needs to be may clearer, but
I
don¹t think the information should be lost.

<tp>
Kent

No, I think I am not making myself clear.

I am not saying that we need a common call home section.

I am saying that having obtained a public key somehow, then it needs
verifying, that it is tied to the party that we are trying to
communicate with, and that that process is largely the same whether this
is call home or not.

One form of verification is using X.509 certs, and that is the usual way
for TLS.  My logic then is put everything we have to say about the use
of X.509 certs for verification in the TLS I-D and reference it from the
(reverse-)ssh I-D.  The approach is the same for SSH and TLS and call
home and not call home IMHO so put it in the one place.

Currently, reverse-ssh lacks some of the points that 5539bis makes about
the use of certs, and the base ssh RFC says nothing, but reverse-ssh has
points that 5539bis does not such as the paragraph
" Since both the identification and verification issues are addressed
   using certificates, this draft RECOMMENDS network elements use a host
   key that can encode a unique identifier (e.g., its serial number) and
   be signed by a common trust anchor (e.g., a certificate authority).
   Examples of suitable public host keys are the X.509v3 keys defined in
   defined in [RFC6187]."
5539bis would be better for having that information in it alongside what
it currently has so I would move that to 5539bis leaving behind
something like

" Since both the identification and verification issues are addressed
   using certificates, this draft RECOMMENDS network elements use them -
   more details can be found in [5539bis]."

By contrast, the use of raw public keys is rare in TLS and commonplace
in SSH, so I would keep everything about that that is currently there in
reverse-ssh - mostly it is nothing to do with call home but the base ssh
RFC does not cover it so we might as well do the job properly now.

So between them, reverse-ssh and 5539bis currently have all we need, it
is just that you have to read both in tandem to learn what you should
know.

Tom Petch

>- wordsmith the Abstract/Introduction (as first suggested last
>November:-) where I think the first reference to 'SSH Connection' is
>wrong, so make it something like
>
>"This memo presents a technique for a NETCONF server to request that a
>NETCONF client initiates a SSH connection to the NETCONF server,
>a technique referred to as 'call home'."

I like this text, especially since we switched everything else to
"call-home" in -05.   I just updated my local copy this this change, but
will wait for resolution of the above before putting out -06

Thanks,
Kent

v2.23.0 | Report a Bug | By Email