Re: [Netconf] reverse ssh recommendation

Joe Touch <touch@isi.edu> Fri, 21 June 2013 21:19 UTC

Message-ID: <51C4C342.4010108@isi.edu>
Date: Fri, 21 Jun 2013 14:18:58 -0700
From: Joe Touch <touch@isi.edu>
To: Kent Watsen <kwatsen@juniper.net>
References: <CDEA1417.395CA%kwatsen@juniper.net>
In-Reply-To: <CDEA1417.395CA%kwatsen@juniper.net>
Cc: "netconf@ietf.org" <netconf@ietf.org>
Subject: Re: [Netconf] reverse ssh recommendation

On 6/21/2013 12:02 PM, Kent Watsen wrote:
>
>> Ports are a scarce resource; they should not be consumed for convenience.
>
> I've been wondering about why tcpmux (port #1, rfc 1078) hasn't been more
> popular; after all, no one believes port-based firewalls matter anymore
> and, with it, only one port would ever need to be opened...

See http://www.isi.edu/touch/pubs/draft-touch-tcp-portnames-00.txt, esp. 
Section 2.4

We are actually implementing the TCP port option described in this doc 
(which isn't TCPMUX), but that doesn't address this problem at all - nor 
does TCPMUX. Either way, the question is whether this is one service or 
two different services.

> With the potential desire to reverse the TLS protocol as well, I was
> thinking that we could ourselves use tcpmux with service names
> "NETCONF_REVERSE_SSH" and "NETCONF_REVERSE_TLS".  But no other protocol
> does this and there is no IANA-maintained assignment for TCPMUX services,
> so maybe the port-scarcity issue isn't quite so dire?

It isn't dire, but that's *because* they require substantial review, and 
many requests for "yet another port for the same service for 
convenience" are declined.

The modern equivalent of TCPMUX, FWIW, would be Service Names in the DNS 
service records, for which there is an active IANA registry and a BOF 
coming up (dnssdext).

> Note for anyone who wants to take the survey, please assume that in
> question #2, using TCPMUX is the same as using "an IANA-assigned port".

Yes, if you mean DNS SRV records.

No, if you mean TCPMUX. It effectively doesn't exist.

Joe
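What Kent's TCPMUX idea would look like on the wire, as an added illustration that is not code from this thread: an RFC 1078 style exchange in which the client sends a service name followed by CRLF and the listener answers "+" or "-" before handing the connection to that service. The listener binds an ephemeral loopback port rather than port 1, and the service table (with the NETCONF_REVERSE_SSH / NETCONF_REVERSE_TLS names from the thread) and its handler banners are constructed for the example.

```python
import socket
import threading

# Constructed service table for the example: what a TCPMUX (RFC 1078)
# listener on port 1 would consult. Names are matched case-insensitively.
SERVICES = {
    "NETCONF_REVERSE_SSH": b"(hand off to the reverse-SSH handler)\r\n",
    "NETCONF_REVERSE_TLS": b"(hand off to the reverse-TLS handler)\r\n",
}

def handle_tcpmux_client(conn):
    """One RFC 1078 exchange: read 'name<CRLF>', answer '+' or '-'."""
    with conn:
        line = conn.makefile("rb").readline()
        name = line.rstrip(b"\r\n").decode("ascii", "replace").upper()
        if name == "HELP":                      # reserved: list service names
            conn.sendall(b"".join(s.encode() + b"\r\n" for s in SERVICES))
            return
        handler = SERVICES.get(name)
        if handler is None:
            conn.sendall(b"-no such service\r\n")
            return
        conn.sendall(b"+ok\r\n")                # from here on the stream belongs to the service
        conn.sendall(handler)

def start_tcpmux_server():
    """Listen on an ephemeral loopback port (a real TCPMUX listener uses port 1)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                     # listener was closed
                return
            threading.Thread(target=handle_tcpmux_client, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

def tcpmux_request(port, service):
    """Client side: send the service name, return (accepted, full reply text)."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(service.encode("ascii") + b"\r\n")
        reply = c.makefile("rb").read().decode()  # server closes when done
    return reply.startswith("+"), reply
```

The listener's `srv.getsockname()[1]` is the port to pass to `tcpmux_request`; an unknown name yields a "-" line, which is the only thing a port-1 multiplexer adds over a dedicated port.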