Re: [Netconf] NETCONF call home and new port assignment

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Tue, 25 February 2014 18:44 UTC

Date: Tue, 25 Feb 2014 19:44:42 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: "Reinaldo Penno (repenno)" <repenno@cisco.com>
Message-ID: <20140225184442.GB4469@elstar.local>
Mail-Followup-To: "Reinaldo Penno (repenno)" <repenno@cisco.com>, "Bert Wijnen (IETF)" <bertietf@bwijnen.net>, Kent Watsen <kwatsen@juniper.net>, netconf <netconf@ietf.org>
References: <530CBB3B.90804@bwijnen.net> <CF3209F5.998E%repenno@cisco.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/mEXsWkAdXutQMtV_uSNHPVzuOIM
Cc: netconf <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF call home and new port assignment

Hi,

I am somewhat confused. NETCONF so far assumes that the device can be
contacted by opening a TCP connection from the NMS to the device. In
case the NMS is behind a NAT, this works just fine. The call home work
was started to deal with situations where the device is behind a NAT
while the NMS is not. This is the problem we are solving.

The case of both the device behind a NAT and the NMS behind a NAT is
somewhat esoteric - does someone deploying networks really expect that
this would work? Are you saying this problem needs to be solved based
on real deployment experience where this happens? (I would assume in
such a setup pretty much everything stops working.)

/js

On Tue, Feb 25, 2014 at 05:06:25PM +0000, Reinaldo Penno (repenno) wrote:
> I have some comments on this draft.
> 
> Since the draft proposes a "cold" reverse connection I was expecting some
> discussion on the traversal of middleboxes. Given folks that have been
> deploying NMS implicitly take for granted that connections are always
> inside->out, with the exception of SNMP traps, such a draft should assume
> some pitfalls and suggest ways around them. In the case of SNMP for
> example, the "solution" is firewalls/NATs that implement SNMP ALG, but
> even then, a first inside->outside connection is expected.
> 
> Some points to consider:
> 
> - The NMS IP address downloaded from config server can not be behind a
> firewall unless there is some pinhole or traversal method the device can
> use
> - If NMS is behind a NAT, the IP:port should be the outside and stable.
> - In the worst case maybe configuration server (which theoretically could
> be reached by both parties) could serve as a relay.
> - If a NAT exists between NMS and device, one can not assume registered
> ports will be available.  Therefore config server needs to be able to send
> port information.
> - Device should be prepared to check with configuration server if external
> port has changed due to state being removed on the NAT.
> 
> Thanks,
> 
> -RP
> 
> 
> On 2/25/14, 7:48 AM, "Bert Wijnen (IETF)" <bertietf@bwijnen.net> wrote:
> 
> >
> >
> >On 25/02/14 16:41, Kent Watsen wrote:
> >>
> >> I believe that is the case as well, but note that we need two port
> >> assignments - one for reverse-SSH and another for reverse-TLS.
> >>
> >I think that is fine.
> >It was/is the principle that we CAN ask for a port number if we have
> >consensus that that is what we want.
> >
> >Bert
> >
> >> Cheers!
> >> Kent
> >>
> >>
> >>
> >> On 2/25/14 6:31 AM, "Bert Wijnen (IETF)" <bertietf@bwijnen.net> wrote:
> >>
> >>> NETCONF WG participants,
> >>>
> >>> there has been quite some discussion about this topic on our mailing
> >>>list.
> >>> We (WG chairs) have asked our AD (Benoit) to follow up in the IESG.
> >>>
> >>> Our current understanding is that if our WG has consensus on asking for
> >>> a new port, then we can do so and we should get one.
> >>>
> >>> We (WG chairs) believe we have (at least rough) consensus on this matter
> >>> and so we will ask for a new port.
> >>>
> >>> Bert and Mehmet
> >>>
> >>>
> >>> -------- Original Message --------
> >>> Subject: Re: NETCONF call home and new port assignment
> >>> Resent-To: bertietf@bwijnen.net, mehmet.ersue@nsn.com,
> >>> bclaise@cisco.com, joelja@bogus.com, jjaeggli@zynga.com
> >>> Date: Mon, 20 Jan 2014 15:58:52 +0100
> >>> From: Benoit Claise <bclaise@cisco.com>
> >>> CC: Joe Touch <touch@isi.edu>,        "netconf-chairs@tools.ietf.org"
> >>> <netconf-chairs@tools.ietf.org>,        "Romascanu, Dan (Dan)"
> >>> <dromasca@avaya.com>,        Lemon Ted <ted.lemon@nominum.com>,
> >>> "ops-ads@tools.ietf.org" <ops-ads@tools.ietf.org>,
> >>> Kent Watsen <kwatsen@juniper.net>
> >>>
> >>> Dear all,
> >>>
> >>> We discussed the issue of potentially allocating a new port for the
> >>> NETCONF call home during our informal telechat last week.
> >>> Personally, I wanted a confirmation on the procedure.
> >>> Material:
> >>> http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
> >>> and
> >>> RFC 6335
> >>>
> >>> Bottom line: The review of the port assignment via IETF standards
> >>> (consensus based) does not go to the port review
> >>>
> >>> There is strong consensus to allocate this port in the NETCONF WG.
> >>> - http://www.ietf.org/proceedings/88/minutes/minutes-88-netconf
> >>>    30 in favor, 0 against
> >>> - doublechecked on the mailing list
> >>> http://www.ietf.org/mail-archive/web/netconf/current/msg08445.html
> >>>
> >>> So we're good here, let's proceed with the new port design
> >>>
> >>> Regards, Benoit
> >>>
> >>>> Hi, Benoit,
> >>>>
> >>>> On 11/4/2013 10:30 AM, Benoit Claise wrote:
> >>>>> Hi Joe,
> >>>>>
> >>>>> Regarding the "NETCONF call home and new port assignment" discussion
> >>>>>on
> >>>>> the NETCONF mailer, I'm wondering if your comments are made as the
> >>>>>port
> >>>>> expert reviewer or as a contributor.
> >>>>
> >>>> The ports review team doesn't participate in that role on these
> >>>> discussions on the lists; we review requests and report directly to
> >>>> IANA. So I'm speaking as a contributor, but it's with the ports review
> >>>> in the back of my mind.
> >>>>
> >>>>> In the NETCONF WG, there is strong consensus that the new port is the
> >>>>> preferred way. We checked that today: by a show of hand, everybody
> >>>>> wanted a new port.
> >>>>
> >>>> Everyone always does.
> >>>>
> >>>>> I want to understand if there is a major flaw in requesting this
> >>>>>port.
> >>>>
> >>>> There's often a case where the individual request makes sense, but in
> >>>> the broader context of "tragedy of the commons" it doesn't. That's my
> >>>> impression here. There should be other ways to accomplish this - the
> >>>> SYN attempt I recently saw looked like a good alternative that would
> >>>> scale to other assignments, e.g.
> >>>>
> >>>>> Note: I contacted you directly, because I'm not sure how to reach
> >>>>> all the expert reviewers at the same time.
> >>>>
> >>>> There's no official way to do that. We respond to requests for reviews
> >>>> from IANA, and report back to IANA directly. There's no "official"
> >>>> role for us in the IETF directly.
> >>>>
> >>>> Joe
> >>>>
> >>>>>
> >>>>> http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
> >>>>>
> >>>>> is not explicit
> >>>>>
> >>>>> Regards, Benoit (OPS AD)
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> Netconf mailing list
> >>> Netconf@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/netconf
> >>>
> >>>
> >>
> >>
> >>
> >
> 

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>