Re: [Netconf] Updating RFC 5539 WAS:FW: New version of draft-badra-netconf-rfc5539bis
Kent Watsen <kwatsen@juniper.net> Tue, 03 April 2012 20:57 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89EF211E809D for <netconf@ietfa.amsl.com>; Tue, 3 Apr 2012 13:57:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TFmQZaw6ZaEQ for <netconf@ietfa.amsl.com>; Tue, 3 Apr 2012 13:57:16 -0700 (PDT)
Received: from exprod7og125.obsmtp.com (exprod7og125.obsmtp.com [64.18.2.28]) by ietfa.amsl.com (Postfix) with ESMTP id 06AC511E80B6 for <netconf@ietf.org>; Tue, 3 Apr 2012 13:57:15 -0700 (PDT)
Received: from P-EMHUB02-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob125.postini.com ([64.18.6.12]) with SMTP ID DSNKT3tkJkKJGydvCfN0kKE4yIjntd9s7/Q7@postini.com; Tue, 03 Apr 2012 13:57:16 PDT
Received: from EMBX01-HQ.jnpr.net ([fe80::c821:7c81:f21f:8bc7]) by P-EMHUB02-HQ.jnpr.net ([fe80::88f9:77fd:dfc:4d51%11]) with mapi; Tue, 3 Apr 2012 13:57:07 -0700
From: Kent Watsen <kwatsen@juniper.net>
To: Mohamad Badra <mbadra@gmail.com>, Alan Luchuk <luchuk@snmp.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Date: Tue, 03 Apr 2012 13:57:06 -0700
Thread-Topic: [Netconf] Updating RFC 5539 WAS:FW: New version of draft-badra-netconf-rfc5539bis
Thread-Index: Acz92IHtWBTTQbw8QOKKOHUaXPGgzAUA0qDg
Message-ID: <84600D05C20FF943918238042D7670FD48C072467A@EMBX01-HQ.jnpr.net>
References: <80A0822C5E9A4440A5117C2F4CD36A64036645FF@DEMUEXC006.nsn-intra.net> <4F551E13.2000907@bwijnen.net> <84600D05C20FF943918238042D7670FD48B8829189@EMBX01-HQ.jnpr.net> <CAOhHAXw3jX19hho1b9tDEHPCzoef2MaumkjZPg1OYiLR4OMQiw@mail.gmail.com>
In-Reply-To: <CAOhHAXw3jX19hho1b9tDEHPCzoef2MaumkjZPg1OYiLR4OMQiw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_84600D05C20FF943918238042D7670FD48C072467AEMBX01HQjnprn_"
MIME-Version: 1.0
Cc: Netconf <netconf@ietf.org>
Subject: Re: [Netconf] Updating RFC 5539 WAS:FW: New version of draft-badra-netconf-rfc5539bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Apr 2012 20:57:17 -0000
> RFC5246 doesn't support reverse proxy as well, and all RFCs' Applications over TLS have the same above language. > > However, what about rewriting it as follow: > > The peer actively opens the TLS connection, and the server passively > listens for the incoming TLS connection. Yes, this leaves the door open better Section 2.2: what about <close-session>? - why define another mechanism? If important, then why doesn't RFC6242 require the client to send SSH_MSG_CHANNEL_CLOSE and/or SSH_MSG_DISCONNECT. Regardless, I disagree with the intent of forcing graceful closures - in reality, devices MUST be coded to support ungraceful closures and, once the code is written, there isn't much value to a graceful close anymore. Also the second paragraph seems out of place - shouldn't it be in the TLS RFC? [Note: this language was also in RFC5539] I didn't see a response to this comment... > I would prefer not moving it to the "Security Considerations" and I will replace the 1st paragraph with > > If the server's presented certificate has passed > certification path validation [RFC5280] to a configured > trust anchor, the client MUST carefully examine the > certificate presented by the server to determine if it meets the > client's expectations. Particularly, the client MUST check its > understanding of the server hostname against the server's identity as > presented in the server Certificate message, in order to prevent man- > in-the-middle attacks. Better, thanks Kent
- [Netconf] Updating RFC 5539 WAS:FW: New version o… Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Juergen Schoenwaelder
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Bert Wijnen (IETF)
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Mohamad Badra
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Bert Wijnen (IETF)
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Ladislav Lhotka
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Kent Watsen
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Andy Bierman
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Juergen Schoenwaelder
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Martin Bjorklund
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Mohamad Badra
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Phil Shafer
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Alan Luchuk
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Wes Hardaker
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Kent Watsen
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Kent Watsen
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Juergen Schoenwaelder
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Mohamad Badra
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Juergen Schoenwaelder
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Mohamad Badra
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Juergen Schoenwaelder
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Mohamad Badra
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Mohamad Badra
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Juergen Schoenwaelder
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Mohamad Badra
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Juergen Schoenwaelder
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Kent Watsen
- Re: [Netconf] Updating RFC 5539 WAS:FW: New versi… Kent Watsen