IETF Logo Mail Archive

Re: [Netconf] Updating RFC 5539 WAS:FW: New version of draft-badra-netconf-rfc5539bis

Kent Watsen <kwatsen@juniper.net> Tue, 03 April 2012 20:57 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89EF211E809D for <netconf@ietfa.amsl.com>; Tue, 3 Apr 2012 13:57:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TFmQZaw6ZaEQ for <netconf@ietfa.amsl.com>; Tue, 3 Apr 2012 13:57:16 -0700 (PDT)
Received: from exprod7og125.obsmtp.com (exprod7og125.obsmtp.com [64.18.2.28]) by ietfa.amsl.com (Postfix) with ESMTP id 06AC511E80B6 for <netconf@ietf.org>; Tue, 3 Apr 2012 13:57:15 -0700 (PDT)
Received: from P-EMHUB02-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob125.postini.com ([64.18.6.12]) with SMTP ID DSNKT3tkJkKJGydvCfN0kKE4yIjntd9s7/Q7@postini.com; Tue, 03 Apr 2012 13:57:16 PDT
Received: from EMBX01-HQ.jnpr.net ([fe80::c821:7c81:f21f:8bc7]) by P-EMHUB02-HQ.jnpr.net ([fe80::88f9:77fd:dfc:4d51%11]) with mapi; Tue, 3 Apr 2012 13:57:07 -0700
From: Kent Watsen <kwatsen@juniper.net>
To: Mohamad Badra <mbadra@gmail.com>, Alan Luchuk <luchuk@snmp.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Date: Tue, 03 Apr 2012 13:57:06 -0700
Thread-Topic: [Netconf] Updating RFC 5539 WAS:FW: New version of draft-badra-netconf-rfc5539bis
Thread-Index: Acz92IHtWBTTQbw8QOKKOHUaXPGgzAUA0qDg
Message-ID: <84600D05C20FF943918238042D7670FD48C072467A@EMBX01-HQ.jnpr.net>
References: <80A0822C5E9A4440A5117C2F4CD36A64036645FF@DEMUEXC006.nsn-intra.net> <4F551E13.2000907@bwijnen.net> <84600D05C20FF943918238042D7670FD48B8829189@EMBX01-HQ.jnpr.net> <CAOhHAXw3jX19hho1b9tDEHPCzoef2MaumkjZPg1OYiLR4OMQiw@mail.gmail.com>
In-Reply-To: <CAOhHAXw3jX19hho1b9tDEHPCzoef2MaumkjZPg1OYiLR4OMQiw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_84600D05C20FF943918238042D7670FD48C072467AEMBX01HQjnprn_"
MIME-Version: 1.0
Cc: Netconf <netconf@ietf.org>
Subject: Re: [Netconf] Updating RFC 5539 WAS:FW: New version of draft-badra-netconf-rfc5539bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Apr 2012 20:57:17 -0000

> RFC5246 doesn't support reverse proxy as well, and all RFCs' Applications over TLS have the same above language.
>
> However, what about rewriting it as follow:
>
> The peer actively opens the TLS connection, and the server passively
> listens for the incoming TLS connection.

Yes, this leaves the door open better


Section 2.2: what about <close-session>?  - why define another mechanism?  If important, then why doesn't RFC6242 require the client to send SSH_MSG_CHANNEL_CLOSE and/or SSH_MSG_DISCONNECT.   Regardless, I disagree with the intent of forcing graceful closures - in reality, devices MUST be coded to support ungraceful closures and, once the code is written, there isn't much value to a graceful close anymore.  Also the second paragraph seems out of place - shouldn't it be in the TLS RFC? [Note: this language was also in RFC5539]

I didn't see a response to this comment...


> I would prefer not moving it to the "Security Considerations" and I will replace the 1st paragraph with
>
> If the server's presented certificate has passed
> certification path validation [RFC5280] to a configured
> trust anchor, the client MUST carefully examine the
> certificate presented by the server to determine if it meets the
> client's expectations. Particularly, the client MUST check its
> understanding of the server hostname against the server's identity as
> presented in the server Certificate message, in order to prevent man-
> in-the-middle attacks.

Better, thanks



Kent

v2.23.0 | Report a Bug | By Email