IETF Logo Mail Archive

Re: [Netconf] I-D ACTION:draft-ietf-netconf-reverse-ssh-02.txt

Joe Touch <touch@isi.edu> Fri, 01 November 2013 20:31 UTC

Return-Path: <touch@isi.edu>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8297E21E80FA for <netconf@ietfa.amsl.com>; Fri, 1 Nov 2013 13:31:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.474
X-Spam-Level:
X-Spam-Status: No, score=-103.474 tagged_above=-999 required=5 tests=[AWL=-0.875, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XnHB59AcECTw for <netconf@ietfa.amsl.com>; Fri, 1 Nov 2013 13:31:18 -0700 (PDT)
Received: from darkstar.isi.edu (darkstar.isi.edu [128.9.128.127]) by ietfa.amsl.com (Postfix) with ESMTP id C0E3621E8104 for <netconf@ietf.org>; Fri, 1 Nov 2013 13:31:13 -0700 (PDT)
Received: from [128.9.160.166] (abc.isi.edu [128.9.160.166]) (authenticated bits=0) by darkstar.isi.edu (8.13.8/8.13.8) with ESMTP id rA1KUhcc017083 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 1 Nov 2013 13:30:43 -0700 (PDT)
Message-ID: <52740FD3.3000901@isi.edu>
Date: Fri, 01 Nov 2013 13:32:19 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: Kent Watsen <kwatsen@juniper.net>, "t.petch" <ietfc@btconnect.com>
References: <CE9974B0.4B276%kwatsen@juniper.net>
In-Reply-To: <CE9974B0.4B276%kwatsen@juniper.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: Netconf <netconf@ietf.org>
Subject: Re: [Netconf] I-D ACTION:draft-ietf-netconf-reverse-ssh-02.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2013 20:31:23 -0000

On 11/1/2013 12:17 PM, Kent Watsen wrote:
>
> Good point, Tom.
>
> Even good old tcpmux (port 1) defined by Jon Postel...
>
> You're right that, if a session-layer were added between TLS and the
> app-protocol, then the necessary indirection would be in place to allow
> IETF to only use one port for all protocols.  I recall Joe Touch
> mentioning working on such a thing as well.   [technically, we'd need two
> ports, one for TLS and another for reverse-TLS]

Not quite; I was working on a way to decouple the service name from the 
port number. That would not involve using a single port for all 
services; that would constrain the number of concurrent connections more 
than now, rather than relieve those constraints.

The original idea is here, though it's evolving and we should be issuing 
an update shortly, as we're implementing it in Linux and FreeBSD:
http://www.isi.edu/touch/pubs/draft-touch-tcp-portnames-00.txt

> To be honest, I don't know why we're still clinging to ports, given that
> firewalls have long-past moved beyond port-based filtering.  I would
> welcome IETF standardizing something in this area.  In the meanwhile, we
> are where we are, hence the request for a port.

To to be clear, I'm not talking about zeroconf, mDNS, tcpmux, or 
portnames as an alternative. Regardless of the utility of those 
mechanisms, there will always be requests for specific port numbers, 
e.g., to allow network administrators to (try to) identify services by 
port and manage access (e.g., firewalls) accordingly.

I do see the goal here, and the reason for the request. I appreciate 
that the floodgates have not yet opened, but I'm concerned that if 
netconf over SSH or SSL needs separate port numbers for each service 
when connections are initiated in reverse, that the same will be true 
for dozens of other services over SSH or SSL. So this problem isn't 
going away, and I am hoping those involved here can at least:

	- appreciate the problem
	- address it more carefully in this doc
	- explore alternatives, and at least explain why
	they don't currently work

At a minimum that would help us all figure out how to handle this for 
the next service that makes this request.

Joe

v2.23.0 | Report a Bug | By Email