Re: [Netconf] ietf-netconf-server and ietf-ssh-server draft module

Kent Watsen <kwatsen@juniper.net> Tue, 02 August 2016 22:35 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Michal Vaško <mvasko@cesnet.cz>, "netconf@ietf.org" <netconf@ietf.org>
Date: Tue, 02 Aug 2016 22:35:19 +0000
Message-ID: <A94F83C3-53E1-4AB7-9A63-9DBB9176AE56@juniper.net>
References: <7eb3-57a0ae00-9b-3e7ef100@122083013>
In-Reply-To: <7eb3-57a0ae00-9b-3e7ef100@122083013>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/mDr3tL3ngmbQafAwWYltYiI_XlA>
Subject: Re: [Netconf] ietf-netconf-server and ietf-ssh-server draft module

Hi Michal,

    Hi, during first implementation steps of this module I noticed some issues, which may or may not be relevant, but I would like to receive some feedback.
    
[KENT] Again, it’s great to see that you’re trying to use this module.  Implementations are what’s needed to prove everything works.


    Regarding the subtree /netconf-server/listen/endpoint/ssh, there is no configuration of known and accepted client SSH public keys during NETCONF server SSH authentication. There is a list of trusted-ssh-host-keys in the ietf-system-keychain module for NETCONF client verification of server keys, so why not the other way around? In our NETCONF server we used a list of pairs of trusted client SSH keys with their username (sort of like a simplified cert-to-name on SSH keys instead of certificates) and it worked well.

[KENT] Currently the expectation is that admin accounts are configured via the ietf-system module [RFC 7317].   This module enables the configuration of SSH public keys for client-auth (see /system/authentication/user/authorized-key).   I think that this separation is fine as it mimics SSH using PAM.  Of course, then you might wonder about /netconf-server/listen/endpoint/ssh/client-cert-auth, such as 1) why doesn’t it have a “cert-maps” structure like tls-listen, or 2) should the client’s X.509 cert be augmented into /ietf-system:system/authentication/user/?   Something isn’t right here, but I haven’t decided on a fix yet - any suggestions?  Additionally, it seems that this section should say something about its interaction with RFC 7317, agreed?


    Next, I am unsure about the meaning of the host-keys/host-key list (relative to the container from the previous paragraph). In the description it says that it is used for announcing the supported key algorithms. So these keys are not used as SSH server host keys (whose digest is sent to SSH clients)? If so, why is the configuration of these host keys missing?

[KENT] These are indeed the server’s SSH host-keys, but in the SSH protocol, the name of the algorithm for the host-key is sent first.  So, for instance, if the configured host key happened to be an X.509v3 certificate with 2048 RSA and SHA256, then the server would send the algorithm name “x509v3-rsa2048-sha256” (from RFC 6187).   Perhaps the text can be improved?

    
    Lastly, I have noticed that in the list /netconf-server/listen/endpoint/ssh/host-keys/host-key, the name leaf is mandatory even though it is a key, while the choice type is not and I believe it should be. Perhaps a misplaced mandatory?

[KENT] Indeed, and I have fixed this in my local copy, thanks!


    Regards,
    Michal Vasko
    
Thanks,
Kent
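As an added illustration (not the draft's own text, nor code from either author), here is how the misplaced `mandatory` that Michal reports on /netconf-server/listen/endpoint/ssh/host-keys/host-key reads in YANG, beside the form that Kent's fix implies. The case names and leaf types are hypothetical; only the list name, the key leaf `name` and the choice `type` come from the thread.

```yang
// Before: 'mandatory true' sits on the key leaf, where it adds nothing
// (a list key is always present in every entry), while the choice that
// actually carries the key material can be left without any case.
list host-key {
  key name;
  leaf name {
    type string;
    mandatory true;        // redundant on a list key
  }
  choice type {            // nothing forces a case to be selected
    case public-key {      // hypothetical case name
      leaf public-key {
        type binary;       // hypothetical type
      }
    }
    case certificate {     // hypothetical case name
      leaf certificate {
        type binary;       // hypothetical type
      }
    }
  }
}

// After: the mandatory statement moves to the choice, so a server can
// no longer be configured with a host-key entry that names a key but
// carries no key material for it.
list host-key {
  key name;
  leaf name {
    type string;
  }
  choice type {
    mandatory true;        // exactly one case must be present
    case public-key {
      leaf public-key {
        type binary;
      }
    }
    case certificate {
      leaf certificate {
        type binary;
      }
    }
  }
}
```

With the corrected form, a validator rejects an entry such as `{"name": "rsa-1"}` that carries no case, which is the gap Michal describes.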