Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
Kent Watsen <kwatsen@juniper.net> Thu, 10 April 2014 21:55 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B81E71A0236 for <netconf@ietfa.amsl.com>; Thu, 10 Apr 2014 14:55:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.949
X-Spam-Level:
X-Spam-Status: No, score=-2.949 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNRESOLVED_TEMPLATE=1.252] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2xtzqESmlM_d for <netconf@ietfa.amsl.com>; Thu, 10 Apr 2014 14:55:27 -0700 (PDT)
Received: from co9outboundpool.messaging.microsoft.com (co9ehsobe005.messaging.microsoft.com [207.46.163.28]) by ietfa.amsl.com (Postfix) with ESMTP id CA4761A01AF for <netconf@ietf.org>; Thu, 10 Apr 2014 14:55:27 -0700 (PDT)
Received: from mail36-co9-R.bigfish.com (10.236.132.239) by CO9EHSOBE033.bigfish.com (10.236.130.96) with Microsoft SMTP Server id 14.1.225.22; Thu, 10 Apr 2014 21:55:02 +0000
Received: from mail36-co9 (localhost [127.0.0.1]) by mail36-co9-R.bigfish.com (Postfix) with ESMTP id 16A5ADC01F5; Thu, 10 Apr 2014 21:55:02 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.240.101; KIP:(null); UIP:(null); IPV:NLI; H:BL2PRD0510HT002.namprd05.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -2
X-BigFish: VPS-2(z579ehz1418I4015Izz1f42h2148h1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6h208chzzz2fh109h2a8h839h944he5bhf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah224fh1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1fe8h1ff5h209eh2216h22d0h2336h2438h2461h2487h24ach24d7h2516h2545h255eh25cch25f6h2605h262fh268bh26c8h26d3h1155h)
Received-SPF: pass (mail36-co9: domain of juniper.net designates 157.56.240.101 as permitted sender) client-ip=157.56.240.101; envelope-from=kwatsen@juniper.net; helo=BL2PRD0510HT002.namprd05.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009001)(6009001)(428001)(199002)(189002)(51444003)(164054003)(92726001)(4396001)(92566001)(87936001)(76482001)(2656002)(79102001)(77982001)(80976001)(83072002)(80022001)(20776003)(76176999)(50986999)(54356999)(83506001)(85852003)(46102001)(36756003)(99396002)(99286001)(81342001)(86362001)(74662001)(66066001)(83322001)(81542001)(74502001)(31966008); DIR:OUT; SFP:1101; SCL:1; SRVR:CO1PR05MB458; H:CO1PR05MB458.namprd05.prod.outlook.com; FPR:EEE7CEE5.ABF2D391.FED12DB7.9EE6D171.205DC; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
Received: from mail36-co9 (localhost.localdomain [127.0.0.1]) by mail36-co9 (MessageSwitch) id 1397166898975582_29500; Thu, 10 Apr 2014 21:54:58 +0000 (UTC)
Received: from CO9EHSMHS004.bigfish.com (unknown [10.236.132.249]) by mail36-co9.bigfish.com (Postfix) with ESMTP id E98F4F00048; Thu, 10 Apr 2014 21:54:58 +0000 (UTC)
Received: from BL2PRD0510HT002.namprd05.prod.outlook.com (157.56.240.101) by CO9EHSMHS004.bigfish.com (10.236.130.14) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 10 Apr 2014 21:54:59 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) by BL2PRD0510HT002.namprd05.prod.outlook.com (10.255.100.37) with Microsoft SMTP Server (TLS) id 14.16.435.0; Thu, 10 Apr 2014 21:55:22 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) by CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) with Microsoft SMTP Server (TLS) id 15.0.913.9; Thu, 10 Apr 2014 21:55:20 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.17]) by CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.17]) with mapi id 15.00.0913.002; Thu, 10 Apr 2014 21:55:20 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: "t.petch" <ietfc@btconnect.com>, "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
Thread-Topic: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
Thread-Index: AQHPU0KVQTfYkuZcEUioVZNKor+uVZsHpGQAgAMV01OAAGtSAA==
Date: Thu, 10 Apr 2014 21:55:19 +0000
Message-ID: <CF6C7090.68D97%kwatsen@juniper.net>
References: <201403251517.LAA15291@adminfs.snmp.com> <CF58ED17.65F0C%kwatsen@juniper.net> <533D47CF.30402@bwijnen.net> <01f401cf5342$4d48d740$4001a8c0@gateway.2wire.net> <CF69971C.685E2%kwatsen@juniper.net> <005101cf54b0$16a93940$4001a8c0@gateway.2wire.net>
In-Reply-To: <005101cf54b0$16a93940$4001a8c0@gateway.2wire.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [66.129.241.11]
x-forefront-prvs: 0177904E6B
Content-Type: text/plain; charset="us-ascii"
Content-ID: <6278DCFFBB140849B9B96E770EA2692D@namprd05.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-FOPE-CRA-Verdict: 157.56.240.101$btconnect.com%0%1%DuplicateDomain-c684c95e-93ad-459f-9d80-96fa46cd75af.juniper.net%False%False%0$
X-OriginatorOrg: juniper.net
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%0$Dn%BTCONNECT.COM$RO%1$TLS%0$FQDN%$TlsDn%
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/Yt9mJUMErHeTuUzZqVf_c7jpuew
Cc: "netconf@ietf.org" <netconf@ietf.org>
Subject: Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Apr 2014 21:55:30 -0000
Hi Tom, >The biggest difference is that 5539-bis never talks about reverse-TLS >because TLS is not reversed; NETCONF client = TLS client, NETCONF server >= TLS server always - simple, straightforward. With SSH, it is also always the case that the NETCONF client = SSH client, and the NETCONF server = SSH server. Please take another look at 5539-bis, section 2.1.3, as it regards the call-home case and it's definitely the case that TLS is reversed in exactly the same way that SSH is in the reverse-ssh draft. The two are very consistent in this regard. >So why does reverse-ssh talk about reverse-ssh when ssh is NOT reversed? >To confuse people and raise hackles? I know, times past we - or at >least I - was really talking about SSH role reversal but now we are not. SSH *is* reversed or, more specifically, the directionality of the SSH transport on top of its TCP transport is reversed (same way as with the TLS-based call-home). The best way to fix the consistency issue with the drafts is to merge reverse-SSH into rfc4742 (i.e. rfc4742bis). >Keeping the term reverse-ssh I think politically unwise since we know it >rings alarm bells with those who know the security properties of SSH. >It confuses those who were not around when we really were discussing it, >since the term is technically wrong. It makes ssh call home sound >completely different to TLS call home, which will confuse even more >people. And it leads to section 5 which, since the usage of SSH is >identical to that of RFC4742, effectively updates RFC4742. Perhaps, I don't know. As it stands, "reverse ssh" is pretty well known, but we certainly wouldn't want ssh call home to sound completely different to TLS call home... >So, make it RFC4742bis? Could do, or have done so, but I do not think >it necessary. Rather >- change the terminology from reverse-ssh to call home >- specify that it updates the security considerations of RFC4742 by >fleshing out what is acceptable verification and authentication in the >Security Considerations of RFC4742 >- point to 5539-bis for the rules on X.509 cert checking when certs are >used for identification - I think that 5539-bis does a good job there >which reverse-ssh s.5 does not >- provide text on security checking with raw host keys (as in current >section 5), since that is SSH specific; netmod-system has something on >this but probably not enough. It's good to have a concrete list of suggestions to work off of, thanks. These are fairly extensive changes, before jumping in and doing it, how does this look to everyone else? >The other grey area is that netconf-server introduces periodic >connections, heartbeats, reconnection, timeouts. All good transport-ey >stuff which impacts both SSH and TLS transports and, at least for >heartbeats and probably for more than that, needs protocol specific >details. I think reverse-ssh and 5539-bis incomplete if netconf-server >includes these features and the other two do not at least reference >them; which makes netconf-server a Normative Reference. All but heartbeats don't require interoperability. It was mentioned in London that Heartbeats were under-specified. For SSH, heartbeats are done within the existing SSH protocol, so there is nothing for an NMS to do special in order to reply to heartbeats from a device, but I'm perfectly OK with calling it out explicitly in the reverse-ssh draft. For TLS, heartbeats depend on rfc6520 (e.g. run a OpenSSL version 1.0.1 or greater*), which *needs* to be called out in 5539-bis. Once how heartbeating is needed and is implemented is called out in both drafts, then I believe NMS/device interoperability can be achieve, without a Normative reference to netconf-server-model. For instance, the NMS doesn't need to know if the device's connection is periodic or a reconnection, or if it was disconnected due to a timeout - all that state is solely on the device side. Thus I still think that the netconf-server-model is optional to support and hence should be Informational. * or the very very latest if you want to avoid the recent "heartbleed" bug >The rod we make for our backs is to introduce functional enhancements as >part of a data model, not something the IETF has tended to do in the >past; rather the function has been sorted out first as text, or >pseudo-code or some such, and then the data model has been created to >support it i.e. we should not be introducing new function in >netconf-server, as if having a data model is all we need. I agree with the statement, but disagree that it applies here (with the caveat that we add some explicit text into 5539bis and reverse-ssh draft about heartbeats). >This also means that whether or not something is optional in the data >model is irrelevant. The question should be, does it make sense, in >future, to implement NETCONF over SSH or TLS while being completely >ignorant of periodic connections, heartbeats, reconnection, timeouts >because they are only in netconf-server which is only a passing, >Informative Reference, nothing you need to know about? If >netconf-server progresses with something like its current contents, then >I think my answer is apparent. For reverse-ssh, I think it's Informative, as it truly is an optional data-model (see above) For 5539bis, there may be a need for a Normative reference, but only because of the psk-maps and cert-maps, which *might* get moved to the netmod-system-mgmt draft. >Given the xml, I would be willing to edit the reverse-ssh I-D changing >all references to 'reverse-ssh' to 'call home' leaving the rest of the >text unchanged pro tem. I feel that strongly about it. I appreciate the offer and gladly accept it, but let's wait to hear if anyone has objections, or if we plan to merge reverse-ssh into a 4742bis. Thanks, Kent
- [Netconf] Comments on draft-ietf-netconf-reverse-… Alan Luchuk
- Re: [Netconf] Comments on draft-ietf-netconf-reve… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-reve… Alan Luchuk
- Re: [Netconf] WG Last Call Comments on draft-ietf… Bert Wijnen (IETF)
- Re: [Netconf] WG Last Call Comments on draft-ietf… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Juergen Schoenwaelder
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Martin Bjorklund
- [Netconf] periodic connections, heartbeats, recon… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] periodic connections, heartbeats, r… Kent Watsen
- Re: [Netconf] periodic connections, heartbeats, r… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Bert Wijnen (IETF)
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- [Netconf] Netconf keep-alive (was periodic connec… Liubing (Leo)
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Liubing (Leo)
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… Phil Shafer
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… Kent Watsen
- Re: [Netconf] Netconf keep-alive Martin Bjorklund
- Re: [Netconf] Netconf keep-alive t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- [Netconf] Netconf running state indication-//RE: … Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… t.petch
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… t.petch
- Re: [Netconf] Netconf running state indication-//… Radek Krejčí
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)