Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-04.txt

Kent Watsen <kwatsen@juniper.net> Tue, 08 April 2014 17:13 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: "t.petch" <ietfc@btconnect.com>
Date: Tue, 08 Apr 2014 17:12:54 +0000
Message-ID: <CF69A189.68643%kwatsen@juniper.net>
References: <20140407150503.3491.36270.idtracker@ietfa.amsl.com> <CF68372D.6844E%kwatsen@juniper.net> <03ac01cf534a$3b2e2940$4001a8c0@gateway.2wire.net>
In-Reply-To: <03ac01cf534a$3b2e2940$4001a8c0@gateway.2wire.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/jEy527z3Rxgl6At5L29YDt3gprc
Cc: "netconf@ietf.org" <netconf@ietf.org>
Subject: Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-04.txt

On 4/8/14 12:44 PM, "t.petch" <ietfc@btconnect.com> wrote:

>Kent
>
>I saw your exchange with Alan about the paragraph starting
>
>"However, configuring distinct host keys on the management system
>   doesn't scale well, which is an important consideration to a network
>   management system.  "
>
>That sounds plausible but seems to me to undermine the use of SSH for
>NETCONF generally, nothing to do with call home.  Why is this not an
>implicit update to RFC4742?
>
>Tom Petch


True, using PKI-based keys (e.g., X.509) would help scale the rolling out
of deployments, regardless of whether TLS or SSH is used, and regardless
of whether the connection is "normal" or reversed.  So do we put something
about this into all three documents, or remove it from all three documents,
citing that key distribution is a known problem?

If we do remove it from these documents, we'd have to be sure that it is
stated clearly in draft-ietf-netconf-zero-touch, as the solution described
there relies on vendors shipping devices with a PKI-based X.509 "entity
certificate" used for TLS and SSH NETCONF connections.

What do you think?

Thanks,
Kent
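The scaling point under discussion, shown as an added example that is not part of this message or of the reverse-ssh, zero-touch or call-home drafts: a management system that pins one distinct host key per device must hold (and provision) one trust entry per device, whereas a management system that trusts a vendor CA holds a single trust anchor and can authenticate a device it has never seen, as long as the device presents an entity certificate chaining to that anchor and naming the expected serial number. The vendor CA, the serial numbers "SN-0001"/"SN-0002", and the use of Ed25519 keys with X.509 are constructed assumptions for the illustration; the code models the two trust stores only, not the SSH key-exchange itself or the x509v3 SSH key formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Model 1: distinct host keys pinned on the management system.
// One trusted host key per device serial; every new device is a new entry
// that must be provisioned on every NMS that will accept a call-home from it.
type HostKeyPinStore map[string]ed25519.PublicKey

// VerifyPinned accepts the presented key only if it equals the pinned one.
func (s HostKeyPinStore) VerifyPinned(serial string, presented ed25519.PublicKey) error {
	pinned, ok := s[serial]
	if !ok {
		return fmt.Errorf("no host key pinned for device %q", serial)
	}
	if !pinned.Equal(presented) {
		return fmt.Errorf("host key mismatch for device %q", serial)
	}
	return nil
}

// Model 2: vendor-issued X.509 entity certificates.
// VendorCA is a constructed stand-in for a vendor's manufacturing CA.
type VendorCA struct {
	Cert *x509.Certificate
	key  ed25519.PrivateKey
}

// NewVendorCA generates a self-signed Ed25519 root certificate.
func NewVendorCA(name string) (*VendorCA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(20 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &VendorCA{Cert: cert, key: priv}, nil
}

// NewDeviceHostKey generates a device host key; only the public half leaves the device.
func NewDeviceHostKey() (ed25519.PublicKey, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	return pub, err
}

// IssueDeviceCert models the factory step: the host key is bound to the
// device serial number in an entity certificate signed by the vendor CA.
func (ca *VendorCA) IssueDeviceCert(serial string, hostKey ed25519.PublicKey) (*x509.Certificate, error) {
	sn, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: sn,
		Subject:      pkix.Name{CommonName: serial, SerialNumber: serial},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(20 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, hostKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PKIVerifier is what the NMS keeps instead of a key per device: one trust
// anchor covering every device the vendor ships, including ones not yet built.
type PKIVerifier struct{ roots *x509.CertPool }

func NewPKIVerifier(root *x509.Certificate) *PKIVerifier {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &PKIVerifier{roots: pool}
}

// VerifyDevice checks that the certificate chains to the vendor root AND that
// it names the expected device; chain validity alone would let any
// vendor-issued device impersonate any other.
func (v *PKIVerifier) VerifyDevice(serial string, leaf *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: v.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("device %q: %w", serial, err)
	}
	if leaf.Subject.SerialNumber != serial {
		return fmt.Errorf("certificate is for %q, expected %q", leaf.Subject.SerialNumber, serial)
	}
	return nil
}

func main() {
	ca, _ := NewVendorCA("Example Vendor Manufacturing CA")
	v := NewPKIVerifier(ca.Cert)
	pins := HostKeyPinStore{}
	for i := 1; i <= 3; i++ {
		serial := fmt.Sprintf("SN-%04d", i)
		key, _ := NewDeviceHostKey()
		pins[serial] = key // pinning model: one more entry per device
		cert, _ := ca.IssueDeviceCert(serial, key)
		fmt.Printf("%s pinned=%v pki=%v\n", serial,
			pins.VerifyPinned(serial, key) == nil, v.VerifyDevice(serial, cert) == nil)
	}
	fmt.Printf("trust entries on the NMS: pinned=%d pki=%d\n", len(pins), 1)
}
```

The serial-number check in VerifyDevice is the part most easily forgotten when moving from pinned keys to a vendor CA: with pinning, identity and key are the same entry, but with a CA the certificate chain only proves "some device from this vendor", so the NMS must still bind the connection to the device it intended to manage.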