IETF Logo Mail Archive

Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-reverse-ssh

Kent Watsen <kwatsen@juniper.net> Wed, 13 July 2011 19:47 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D441A11E8115; Wed, 13 Jul 2011 12:47:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZxayTTzAY-Lj; Wed, 13 Jul 2011 12:47:41 -0700 (PDT)
Received: from exprod7og111.obsmtp.com (exprod7og111.obsmtp.com [64.18.2.175]) by ietfa.amsl.com (Postfix) with ESMTP id 10E8F11E80BE; Wed, 13 Jul 2011 12:47:41 -0700 (PDT)
Received: from P-EMHUB02-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob111.postini.com ([64.18.6.12]) with SMTP ID DSNKTh32WpBPlm5vRujmtINpZN7y6bsp0VL0@postini.com; Wed, 13 Jul 2011 12:47:41 PDT
Received: from EMBX01-HQ.jnpr.net ([fe80::c821:7c81:f21f:8bc7]) by P-EMHUB02-HQ.jnpr.net ([fe80::88f9:77fd:dfc:4d51%11]) with mapi; Wed, 13 Jul 2011 12:26:15 -0700
From: Kent Watsen <kwatsen@juniper.net>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, "f@elstar.local" <f@elstar.local>
Date: Wed, 13 Jul 2011 12:26:13 -0700
Thread-Topic: [OPSAWG] guidance on draft-kwatsen-reverse-ssh
Thread-Index: AcxBF/FkbqvUHA6ISYKp5j4aUVsh9AAeGTeg
Message-ID: <84600D05C20FF943918238042D7670FD3E8429F98E@EMBX01-HQ.jnpr.net>
References: <84600D05C20FF943918238042D7670FD3E8429F313@EMBX01-HQ.jnpr.net> <20110713044711.GA80654@elstar.local>
In-Reply-To: <20110713044711.GA80654@elstar.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "opsawg@ietf.org" <opsawg@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Subject: Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-reverse-ssh
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2011 19:47:41 -0000

> There is some history of this discussion in the ISMS working group.
> When ISMS did SNMP over SSH, we had a hard time dealing with
> notifications and the Juniper approach was already put on the table at
> that time as "running code that seems to work in practice to solve an
> operational problem". As far as I recall, there was no doubt about the
> operational problem and the need to solve it _but_ there were security
> concerns brought forward. I would have to do several hours of reading
> of ISMS archives in order to phrase them correctly. But simply put (as
> far as I recall - and I don't really recall any details and so I might
> be totally off), the concern had to do with something not truely
> authenticated to tell a box to SSH somewhere which involves the usage
> of identities with cryptographic keys. In ISMS, we ended up making the
> notification originator the SSH client - and this caused quite some
> costs since the amount of config increases and the identity to bind
> access control to becomes different.

As a security person myself, I'm fairly confident that the "Juniper approach" is OK.  We've also had numerous security folks look at it as well as the US government (it's FIPS certified) and Tier-1 SPs...

The only security issue raised so far by the SAAG and IETF-SSH lists was regarding the new HMAC family of host-key algorithms defined in the -01 draft.  By nature, it requires a symmetric key and they didn't see how a symmetric-key could be provided in a first-time "call-home" scenario.  Of course, the symmetric key can be provided to the device, either keyed in or read off a USB pen-drive...


> So in essence, I believe we have been for years at a deadlock
> situation where operational people were clear that a solution for
> devices to "call home" is clearly needed but the security people had
> security concerns with the solutions presented and the solutions liked
> more by security people to be operationally a pain. 

Exactly.


> Perhaps one path forward is to have the operational people push a
> solution that is implementable and solves an operational problem
> (without creating a new operational problem) through the whole IETF
> process forcing the security people to clearly document their security
> concerns and then it can be seen whether that text all goes into the
> Security Considerations and the protocol passes or the document stops
> at the IESG. This is potentially a painful exercise.

As painful as it may be, I think this is our best-case scenario.  We could push it forward as an independent submission (EXPERIMENTAL?), but it would be much better if either the NETCONF and OPSAWG WGs could sponsor it.  Personally, I still agree that it's not NETCONF-specific and hence not for the NETCONF WG, but it makes sense for OPSAWG, if the WG agrees...


Thanks,
Kent

v2.23.0 | Report a Bug | By Email