Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-reverse-ssh
"t.petch" <ietfc@btconnect.com> Wed, 20 July 2011 11:45 UTC
Return-Path: <ietfc@btconnect.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4B5B21F87FA; Wed, 20 Jul 2011 04:45:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rbqpuIozSt0Z; Wed, 20 Jul 2011 04:45:46 -0700 (PDT)
Received: from mail.btconnect.com (c2beaomr08.btconnect.com [213.123.26.186]) by ietfa.amsl.com (Postfix) with ESMTP id 6728021F86EB; Wed, 20 Jul 2011 04:45:44 -0700 (PDT)
Received: from host86-185-125-164.range86-185.btcentralplus.com (HELO pc6) ([86.185.125.164]) by c2beaomr08.btconnect.com with SMTP id DQM06614; Wed, 20 Jul 2011 12:45:37 +0100 (BST)
Message-ID: <011d01cc46c9$c209e160$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: Kent Watsen <kwatsen@juniper.net>, opsawg@ietf.org, netconf@ietf.org
References: <84600D05C20FF943918238042D7670FD3E8429F313@EMBX01-HQ.jnpr.net><20110713044711.GA80654@elstar.local><84600D05C20FF943918238042D7670FD3E8429F98E@EMBX01-HQ.jnpr.net><01c401cc45ed$07d58060$4001a8c0@gateway.2wire.net> <20110719102454.GA67454@elstar.local> <4E25C2EE.8060004@andybierman.com> <84600D05C20FF943918238042D7670FD3E849038E3@EMBX01-HQ.jnpr.net>
Date: Wed, 20 Jul 2011 12:42:39 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Mirapoint-IP-Reputation: reputation=Neutral-1, source=Queried, refid=tid=0001.0A0B0303.4E26BFE1.0094, actions=tag
X-Junkmail-Premium-Raw: score=9/50, refid=2.7.2:2011.7.20.104214:17:9.535, ip=86.185.125.164, rules=__HAS_MSGID, __OUTLOOK_MSGID_1, __SANE_MSGID, __TO_MALFORMED_2, __BOUNCE_CHALLENGE_SUBJ, __BOUNCE_NDR_SUBJ_EXEMPT, __SUBJ_ALPHA_END, __MIME_VERSION, __CT, CT_TP_8859_1, __CT_TEXT_PLAIN, __CTE, __HAS_X_PRIORITY, __HAS_MSMAIL_PRI, __HAS_X_MAILER, USER_AGENT_OE, __OUTLOOK_MUA_1, __USER_AGENT_MS_GENERIC, TO_IN_SUBJECT, __ANY_URI, __URI_NO_WWW, __URI_NO_PATH, BODYTEXTP_SIZE_3000_LESS, BODY_SIZE_2000_2999, __MIME_TEXT_ONLY, RDNS_GENERIC_POOLED, BODY_SIZE_5000_LESS, RDNS_SUSP_GENERIC, __OUTLOOK_MUA, RDNS_SUSP, BODY_SIZE_7000_LESS
X-Junkmail-Status: score=10/50, host=c2beaomr08.btconnect.com
X-Junkmail-Signature-Raw: score=unknown, refid=str=0001.0A0B0208.4E26BFE5.00DE, ss=1, fgs=0, ip=0.0.0.0, so=2010-07-22 22:03:31, dmn=2009-09-10 00:05:08, mode=multiengine
X-Junkmail-IWF: false
Subject: Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-reverse-ssh
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 11:45:46 -0000
----- Original Message ----- From: "Kent Watsen" <kwatsen@juniper.net> To: "Andy Bierman" <ietf@andybierman.com>; "t.petch" <ietfc@btconnect.com>; <opsawg@ietf.org>; <netconf@ietf.org> Sent: Tuesday, July 19, 2011 10:32 PM > My recollection of the conclusion was that the problem space was > not big enough, and an SSH-specific solution was inappropriate. > A more general approach should be investigated. If this is still a concern, we might be able to extend the protocol so that it could reverse *any* TCP-based client/server protocol (HTTP, POP, IMAP, etc.) Is there a perceived need to reverse other protocols? - perhaps to resolve the NAT traversal case? Kent As far as I can see, that is impossible with the architecture that the IETF currently uses. When a TCP connection is established, then the port (usually) determines the 'application'. What happens next is up to the application. It would have been immensely useful had there been a requirement for all applications (ie the layer above TCP/UDP/SCTP) to start with a negotiation, who is to be client, are we using security, ....? Some applications have precisely this, but it is specific to the application. So a generic call home has to be application specific, in which case it cannot be generic. What we can do, and what you could have done, is define a new port which conveys precisely that semantic, negotiation follows, or else role reversal follows, become the client to me instead of the server (which is part of what you have done). But it remains application specific and I cannot see any other solution. Where the application needs role reversal, allocate a new port; but I do not think that that is sufficiently complicated to warrant an I-D. Tom Petch > ...assuming the security experts approve So far their objections have primarily been that the solution proposed wasn't integrated into the SSH protocol enough. There were few comments/concerns regarding security (see my July 12 email for details) > The main reason given is that the client connection maintenance is > not worth the resources and coding effort. Just to clarify, the coding effort on the devices is really quite small. All that is needed is a daemon to initiate the TCP connection, complete the bootstrap sequence, and then fork/exec `sshd -i` in exactly the same way that `inetd` does. SSH itself can't differentiate how the underlying transport was established. Juniper has C-based source code for doing this that we have provided to partners in the past, but we should be able to open source it in order to validate the draft, presuming it moves forward... Thanks, Kent
- [Netconf] guidance on draft-kwatsen-reverse-ssh Kent Watsen
- Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-… Juergen Schoenwaelder
- Re: [Netconf] guidance on draft-kwatsen-reverse-s… Bert (IETF) Wijnen
- Re: [Netconf] guidance on draft-kwatsen-reverse-s… Kent Watsen
- Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-… Kent Watsen
- Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-… t.petch
- Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-… Juergen Schoenwaelder
- Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-… Andy Bierman
- Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-… Randy Presuhn
- Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-… Randy Presuhn
- Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-… Juergen Schoenwaelder
- Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-… Phil Shafer
- Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-… Kent Watsen
- Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-… Kent Watsen
- Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-… t.petch
- Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-… t.petch
- Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-… Kent Watsen
- Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-… t.petch