IETF Logo Mail Archive

Re: [Netconf] I-D ACTION:draft-ietf-netconf-reverse-ssh-02.txt

"Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com> Sat, 02 November 2013 20:01 UTC

Return-Path: <mehmet.ersue@nsn.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33B8E21E80E2 for <netconf@ietfa.amsl.com>; Sat, 2 Nov 2013 13:01:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.857
X-Spam-Level:
X-Spam-Status: No, score=-105.857 tagged_above=-999 required=5 tests=[AWL=0.142, BAYES_00=-2.599, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fxdvNb81vAg1 for <netconf@ietfa.amsl.com>; Sat, 2 Nov 2013 13:01:40 -0700 (PDT)
Received: from demumfd002.nsn-inter.net (demumfd002.nsn-inter.net [93.183.12.31]) by ietfa.amsl.com (Postfix) with ESMTP id 4106821E80DC for <netconf@ietf.org>; Sat, 2 Nov 2013 13:01:33 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd002.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id rA2K1Rpv030733 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sat, 2 Nov 2013 21:01:27 +0100
Received: from DEMUHTC004.nsn-intra.net ([10.159.42.35]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id rA2K1QsW025768 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sat, 2 Nov 2013 21:01:26 +0100
Received: from DEMUHTC007.nsn-intra.net (10.159.42.38) by DEMUHTC004.nsn-intra.net (10.159.42.35) with Microsoft SMTP Server (TLS) id 14.3.123.3; Sat, 2 Nov 2013 21:01:26 +0100
Received: from DEMUMBX005.nsn-intra.net ([169.254.5.220]) by DEMUHTC007.nsn-intra.net ([10.159.42.38]) with mapi id 14.03.0123.003; Sat, 2 Nov 2013 21:01:26 +0100
From: "Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com>
To: ext Joe Touch <touch@isi.edu>, Kent Watsen <kwatsen@juniper.net>, "t.petch" <ietfc@btconnect.com>
Thread-Topic: [Netconf] I-D ACTION:draft-ietf-netconf-reverse-ssh-02.txt
Thread-Index: AQHO1OPawXUSQhu+mUmffU8BzRNWW5oMIYQAgAFDogCAAHbQAIAAhZ+AgACnnQCAAAt7gIAAA6wA///CpoCAAEVhAIAAANAAgAE5S4CAABXsgIAABmwAgAAD8wCAAARdgP//wF4AgABZTID//8Q6AAALgFoA///ICACAAEdOgP//nlkw
Date: Sat, 02 Nov 2013 20:01:25 +0000
Message-ID: <E4DE949E6CE3E34993A2FF8AE79131F81E5619@DEMUMBX005.nsn-intra.net>
References: <CE9974B0.4B276%kwatsen@juniper.net> <52740FD3.3000901@isi.edu>
In-Reply-To: <52740FD3.3000901@isi.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.159.42.112]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 3246
X-purgate-ID: 151667::1383422488-00005753-C73A3859/0-0/0-0
Cc: Netconf <netconf@ietf.org>
Subject: Re: [Netconf] I-D ACTION:draft-ietf-netconf-reverse-ssh-02.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Nov 2013 20:01:49 -0000

Dear Joe, All,

We indeed are going in circles.

> and I am hoping those involved here can at least:
> 	- appreciate the problem
> 	- address it more carefully in this doc
> 	- explore alternatives, and at least explain why
> 	they don't currently work

Thank you for your suggestions. We will.

At the end the decision will be taken in the NETCONF session based on the options available.

Cheers, 
Mehmet 


> -----Original Message-----
> From: netconf-bounces@ietf.org [mailto:netconf-bounces@ietf.org] On Behalf Of ext
> Joe Touch
> Sent: Friday, November 01, 2013 9:32 PM
> To: Kent Watsen; t.petch
> Cc: Netconf
> Subject: Re: [Netconf] I-D ACTION:draft-ietf-netconf-reverse-ssh-02.txt
> 
> 
> 
> On 11/1/2013 12:17 PM, Kent Watsen wrote:
> >
> > Good point, Tom.
> >
> > Even good old tcpmux (port 1) defined by Jon Postel...
> >
> > You're right that, if a session-layer were added between TLS and the
> > app-protocol, then the necessary indirection would be in place to allow
> > IETF to only use one port for all protocols.  I recall Joe Touch
> > mentioning working on such a thing as well.   [technically, we'd need two
> > ports, one for TLS and another for reverse-TLS]
> 
> Not quite; I was working on a way to decouple the service name from the
> port number. That would not involve using a single port for all
> services; that would constrain the number of concurrent connections more
> than now, rather than relieve those constraints.
> 
> The original idea is here, though it's evolving and we should be issuing
> an update shortly, as we're implementing it in Linux and FreeBSD:
> http://www.isi.edu/touch/pubs/draft-touch-tcp-portnames-00.txt
> 
> > To be honest, I don't know why we're still clinging to ports, given that
> > firewalls have long-past moved beyond port-based filtering.  I would
> > welcome IETF standardizing something in this area.  In the meanwhile, we
> > are where we are, hence the request for a port.
> 
> To to be clear, I'm not talking about zeroconf, mDNS, tcpmux, or
> portnames as an alternative. Regardless of the utility of those
> mechanisms, there will always be requests for specific port numbers,
> e.g., to allow network administrators to (try to) identify services by
> port and manage access (e.g., firewalls) accordingly.
> 
> I do see the goal here, and the reason for the request. I appreciate
> that the floodgates have not yet opened, but I'm concerned that if
> netconf over SSH or SSL needs separate port numbers for each service
> when connections are initiated in reverse, that the same will be true
> for dozens of other services over SSH or SSL. So this problem isn't
> going away, and I am hoping those involved here can at least:
> 
> 	- appreciate the problem
> 	- address it more carefully in this doc
> 	- explore alternatives, and at least explain why
> 	they don't currently work
> 
> At a minimum that would help us all figure out how to handle this for
> the next service that makes this request.
> 
> Joe
> _______________________________________________
> Netconf mailing list
> Netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf

v2.23.0 | Report a Bug | By Email