Re: [Netconf] WG Last Call Comments on draft-ietf-netconf-reverse-ssh-03.txt

Kent Watsen <kwatsen@juniper.net> Wed, 07 May 2014 17:55 UTC


Hi Tom,


>So, my still outstanding points are
>
>- s.5, re-arrange to dovetail better with 5539bis

My understanding is that you believe that both drafts share the issue of
the northbound management application being able to identify and verify
the [SSH/TLS] server that uses call-home to connect to it.   I agree.

And that the text in the reverse-ssh draft, while ostensibly about SSH
host keys, could similarly apply to TLS and its use of X.509 certificates.
  I agree again, there is an overlap.

Thus you think that much of the text should be moved to 5539bis and for
the reverse-ssh draft to reference it there.  I don't agree, for two
reasons:

1) if there is a need to define common call-home behavior, we should have
a "call-home" draft that covers both TLS and SSH call-home together.  I
recall this being one of the options discussed before, but the WG decided
to move ahead with this document structure.  In lieu of that, I think that
the reverse-ssh draft is closer to being a "call-home" draft than 5539bis,
and so suggest putting common call-home information into it, perhaps
pulled out into a section called "common call-home behaviours" - what do
you think?

2) The text in the reverse-ssh draft is also much about the use of legacy
host-keys versus the new X.509 based keys with SSH, saying that use of
legacy keys is possible and allowed, but fraught with issues that are
resolved when using X.509 keys.  Maybe this needs to be made clearer, but I
don't think the information should be lost.


>- wordsmith the Abstract/Introduction (as first suggested last
>November:-) where I think the first reference to 'SSH Connection' is
>wrong, so make it something like
>
>"This memo presents a technique for a NETCONF server to request that a
>NETCONF client initiates a SSH connection to the NETCONF server,
>a technique referred to as 'call home'."

I like this text, especially since we switched everything else to
"call-home" in -05.   I just updated my local copy with this change, but
will wait for resolution of the above before putting out -06.



Thanks,
Kent
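The thread above turns on one security requirement: the management application that accepts a call-home connection is still the SSH client, so it must identify and verify the device's host key before trusting it. The following is an added illustration of the legacy host-key model Kent refers to (per-device pinned fingerprints); it is not text or code from the draft, from 5539bis, or from anyone in this thread. The key material, device identifier and trust store are constructed for the example, and the function names (`make_key_line`, `fingerprint`, `verify_call_home_server`) are hypothetical. The X.509 alternative the thread mentions, which replaces the per-device pin with a certificate chain check, is not shown.

```python
"""Pinned host-key check for a NETCONF-over-SSH call-home listener.

Added illustration, not from the draft or the mailing-list thread.  The
management application accepts the inbound TCP connection but acts as the
SSH client, so it must match the host key the device presents against a
trust store populated at enrollment.  Key bytes below are constructed
placeholders, not real keys.
"""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string; returns (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def make_key_line(algorithm: str, raw_key: bytes) -> str:
    """Build an OpenSSH-style public key line ('<alg> <base64 blob>')."""
    blob = _ssh_string(algorithm.encode()) + _ssh_string(raw_key)
    return f"{algorithm} {base64.b64encode(blob).decode()}"


def fingerprint(key_line: str) -> str:
    """OpenSSH-style 'SHA256:<base64, no padding>' fingerprint of the blob.

    Also checks that the algorithm named in the line matches the one
    encoded inside the blob, so a mislabelled key is rejected early.
    """
    algorithm, b64 = key_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    inner_alg, _ = _read_ssh_string(blob, 0)
    if inner_alg.decode() != algorithm:
        raise ValueError("algorithm name does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed enrollment record: 32 placeholder bytes, NOT a real Ed25519 key.
ENROLLED_KEY_LINE = make_key_line("ssh-ed25519", bytes(range(32)))

# Trust store filled out of band when the device was provisioned (constructed).
TRUST_STORE = {"device-001": fingerprint(ENROLLED_KEY_LINE)}


def verify_call_home_server(device_id: str, presented_key_line: str) -> tuple:
    """Decide whether a device that called home may be trusted.

    Returns (accepted, reason).  Anything unexpected is a rejection: an
    unknown device, a malformed key, or a fingerprint that does not match
    the enrolled one.
    """
    expected = TRUST_STORE.get(device_id)
    if expected is None:
        return False, "unknown device: no enrolled host key"
    try:
        actual = fingerprint(presented_key_line)
    except (ValueError, IndexError, UnicodeDecodeError) as exc:
        return False, f"malformed host key: {exc}"
    # Constant-time comparison so the check leaks nothing about the pin.
    if not hmac.compare_digest(actual, expected):
        return False, "host key mismatch: possible impersonation or re-keyed device"
    return True, "host key matches enrolled fingerprint"


if __name__ == "__main__":
    print(verify_call_home_server("device-001", ENROLLED_KEY_LINE))
    print(verify_call_home_server("device-001", make_key_line("ssh-ed25519", bytes(32))))
    print(verify_call_home_server("device-999", ENROLLED_KEY_LINE))
```

The mismatch branch is where the issues Kent alludes to surface in practice: a legitimately re-keyed device and an impersonator look identical to a fingerprint pin, and resolving that requires out-of-band re-enrollment, which is the operational burden a certificate-based identity removes.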