Re: [Netconf] I-D ACTION:draft-ietf-netconf-reverse-ssh-02.txt
"Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com> Sat, 02 November 2013 20:01 UTC
Return-Path: <mehmet.ersue@nsn.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33B8E21E80E2 for <netconf@ietfa.amsl.com>; Sat, 2 Nov 2013 13:01:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.857
X-Spam-Level:
X-Spam-Status: No, score=-105.857 tagged_above=-999 required=5 tests=[AWL=0.142, BAYES_00=-2.599, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fxdvNb81vAg1 for <netconf@ietfa.amsl.com>; Sat, 2 Nov 2013 13:01:40 -0700 (PDT)
Received: from demumfd002.nsn-inter.net (demumfd002.nsn-inter.net [93.183.12.31]) by ietfa.amsl.com (Postfix) with ESMTP id 4106821E80DC for <netconf@ietf.org>; Sat, 2 Nov 2013 13:01:33 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd002.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id rA2K1Rpv030733 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sat, 2 Nov 2013 21:01:27 +0100
Received: from DEMUHTC004.nsn-intra.net ([10.159.42.35]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id rA2K1QsW025768 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sat, 2 Nov 2013 21:01:26 +0100
Received: from DEMUHTC007.nsn-intra.net (10.159.42.38) by DEMUHTC004.nsn-intra.net (10.159.42.35) with Microsoft SMTP Server (TLS) id 14.3.123.3; Sat, 2 Nov 2013 21:01:26 +0100
Received: from DEMUMBX005.nsn-intra.net ([169.254.5.220]) by DEMUHTC007.nsn-intra.net ([10.159.42.38]) with mapi id 14.03.0123.003; Sat, 2 Nov 2013 21:01:26 +0100
From: "Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com>
To: ext Joe Touch <touch@isi.edu>, Kent Watsen <kwatsen@juniper.net>, "t.petch" <ietfc@btconnect.com>
Thread-Topic: [Netconf] I-D ACTION:draft-ietf-netconf-reverse-ssh-02.txt
Thread-Index: AQHO1OPawXUSQhu+mUmffU8BzRNWW5oMIYQAgAFDogCAAHbQAIAAhZ+AgACnnQCAAAt7gIAAA6wA///CpoCAAEVhAIAAANAAgAE5S4CAABXsgIAABmwAgAAD8wCAAARdgP//wF4AgABZTID//8Q6AAALgFoA///ICACAAEdOgP//nlkw
Date: Sat, 02 Nov 2013 20:01:25 +0000
Message-ID: <E4DE949E6CE3E34993A2FF8AE79131F81E5619@DEMUMBX005.nsn-intra.net>
References: <CE9974B0.4B276%kwatsen@juniper.net> <52740FD3.3000901@isi.edu>
In-Reply-To: <52740FD3.3000901@isi.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.159.42.112]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 3246
X-purgate-ID: 151667::1383422488-00005753-C73A3859/0-0/0-0
Cc: Netconf <netconf@ietf.org>
Subject: Re: [Netconf] I-D ACTION:draft-ietf-netconf-reverse-ssh-02.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Nov 2013 20:01:49 -0000
Dear Joe, All, We indeed are going in circles. > and I am hoping those involved here can at least: > - appreciate the problem > - address it more carefully in this doc > - explore alternatives, and at least explain why > they don't currently work Thank you for your suggestions. We will. At the end the decision will be taken in the NETCONF session based on the options available. Cheers, Mehmet > -----Original Message----- > From: netconf-bounces@ietf.org [mailto:netconf-bounces@ietf.org] On Behalf Of ext > Joe Touch > Sent: Friday, November 01, 2013 9:32 PM > To: Kent Watsen; t.petch > Cc: Netconf > Subject: Re: [Netconf] I-D ACTION:draft-ietf-netconf-reverse-ssh-02.txt > > > > On 11/1/2013 12:17 PM, Kent Watsen wrote: > > > > Good point, Tom. > > > > Even good old tcpmux (port 1) defined by Jon Postel... > > > > You're right that, if a session-layer were added between TLS and the > > app-protocol, then the necessary indirection would be in place to allow > > IETF to only use one port for all protocols. I recall Joe Touch > > mentioning working on such a thing as well. [technically, we'd need two > > ports, one for TLS and another for reverse-TLS] > > Not quite; I was working on a way to decouple the service name from the > port number. That would not involve using a single port for all > services; that would constrain the number of concurrent connections more > than now, rather than relieve those constraints. > > The original idea is here, though it's evolving and we should be issuing > an update shortly, as we're implementing it in Linux and FreeBSD: > http://www.isi.edu/touch/pubs/draft-touch-tcp-portnames-00.txt > > > To be honest, I don't know why we're still clinging to ports, given that > > firewalls have long-past moved beyond port-based filtering. I would > > welcome IETF standardizing something in this area. In the meanwhile, we > > are where we are, hence the request for a port. > > To to be clear, I'm not talking about zeroconf, mDNS, tcpmux, or > portnames as an alternative. Regardless of the utility of those > mechanisms, there will always be requests for specific port numbers, > e.g., to allow network administrators to (try to) identify services by > port and manage access (e.g., firewalls) accordingly. > > I do see the goal here, and the reason for the request. I appreciate > that the floodgates have not yet opened, but I'm concerned that if > netconf over SSH or SSL needs separate port numbers for each service > when connections are initiated in reverse, that the same will be true > for dozens of other services over SSH or SSL. So this problem isn't > going away, and I am hoping those involved here can at least: > > - appreciate the problem > - address it more carefully in this doc > - explore alternatives, and at least explain why > they don't currently work > > At a minimum that would help us all figure out how to handle this for > the next service that makes this request. > > Joe > _______________________________________________ > Netconf mailing list > Netconf@ietf.org > https://www.ietf.org/mailman/listinfo/netconf
- [Netconf] I-D ACTION:draft-ietf-netconf-reverse-s… Internet-Drafts
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Joe Touch
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Kent Watsen
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Joe Touch
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Juergen Schoenwaelder
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Joe Touch
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Andy Bierman
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Joe Touch
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Kent Watsen
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Martin Bjorklund
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Joe Touch
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Juergen Schoenwaelder
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Joe Touch
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Martin Bjorklund
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Andy Bierman
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Joe Touch
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Martin Bjorklund
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Kent Watsen
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Joe Touch
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Kent Watsen
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Joe Touch
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… t.petch
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Andy Bierman
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Kent Watsen
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Joe Touch
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… t.petch
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Juergen Schoenwaelder
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Joe Touch
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Martin Bjorklund
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Joe Touch
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Kent Watsen
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Yi Yang (yiya)
- Re: [Netconf] I-D ACTION:draft-ietf-netconf-rever… Kent Watsen