Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
t.petch <ietfc@btconnect.com> Mon, 12 May 2014 11:34 UTC
Return-Path: <ietfc@btconnect.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73E981A067A for <netconf@ietfa.amsl.com>; Mon, 12 May 2014 04:34:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UHx5FQKOj2BM for <netconf@ietfa.amsl.com>; Mon, 12 May 2014 04:34:40 -0700 (PDT)
Received: from emea01-db3-obe.outbound.protection.outlook.com (mail-db3lp0081.outbound.protection.outlook.com [213.199.154.81]) by ietfa.amsl.com (Postfix) with ESMTP id A01E81A0675 for <netconf@ietf.org>; Mon, 12 May 2014 04:34:39 -0700 (PDT)
Received: from DBXPRD0610HT003.eurprd06.prod.outlook.com (157.56.252.181) by DB3PR07MB059.eurprd07.prod.outlook.com (10.242.137.149) with Microsoft SMTP Server (TLS) id 15.0.939.12; Mon, 12 May 2014 11:34:32 +0000
Message-ID: <00da01cf6dd5$ce36e740$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: Kent Watsen <kwatsen@juniper.net>, "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
References: <201403251517.LAA15291@adminfs.snmp.com> <CF58ED17.65F0C%kwatsen@juniper.net> <533D47CF.30402@bwijnen.net> <01f401cf5342$4d48d740$4001a8c0@gateway.2wire.net> <032f01cf6524$71cb2340$4001a8c0@gateway.2wire.net> <5368C366.8070509@bwijnen.net> <023701cf69d5$abcfb320$4001a8c0@gateway.2wire.net> <CF8FD96F.6E752%kwatsen@juniper.net> <007201cf6a9c$aa76f980$4001a8c0@gateway.2wire.net> <CF929D94.6F4D4%kwatsen@juniper.net>
Date: Mon, 12 May 2014 12:29:52 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [157.56.252.181]
X-ClientProxiedBy: DB4PR07CA024.eurprd07.prod.outlook.com (10.242.229.34) To DB3PR07MB059.eurprd07.prod.outlook.com (10.242.137.149)
X-Forefront-PRVS: 0209425D0A
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009001)(6009001)(428001)(51704005)(189002)(164054003)(199002)(377454003)(40224001)(13464003)(19580395003)(77982001)(92726001)(19580405001)(76482001)(79102001)(76176999)(62236002)(42186004)(99396002)(31966008)(74502001)(44716002)(101416001)(87976001)(46102001)(33646001)(86362001)(50226001)(93916002)(61296002)(81686999)(85852003)(81816999)(81542001)(62966002)(87286001)(64706001)(20776003)(14496001)(74662001)(89996001)(81342001)(88136002)(83322001)(47776003)(50986999)(92566001)(66066001)(23756003)(4396001)(80022001)(50466002)(83072002)(77156001)(21056001)(74416001)(7726001); DIR:OUT; SFP:1101; SCL:1; SRVR:DB3PR07MB059; H:DBXPRD0610HT003.eurprd06.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:0; LANG:en;
Received-SPF: None (: btconnect.com does not designate permitted sender hosts)
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=ietfc@btconnect.com;
X-OriginatorOrg: btconnect.com
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/mzZweAc8h5Wh4eb-UxAp2NF2gZk
Cc: netconf@ietf.org
Subject: Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 May 2014 11:34:43 -0000
----- Original Message ----- From: "Kent Watsen" <kwatsen@juniper.net> To: "t.petch" <ietfc@btconnect.com>; "Bert Wijnen (IETF)" <bertietf@bwijnen.net> Cc: <netconf@ietf.org> Sent: Friday, May 09, 2014 10:08 PM Hi Tom, Regarding the paragraph you quoted below, note that it's about more than just X.509. Specifically, there are other SSH host-key formats that can encode a unique identifier and be signed by a common trust anchor (e.g., the PGP keys from RFC 4253). I admit the text could be made better - how about this? Examples of suitable public host keys are the X.509v3 keys defined in defined in [RFC6187] and the PGP keys defined in [RFC5253]. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ <tp> Kent This is where we start to part company. A host key is a host key, it is public, it is generated for me as part of a key pair for use in public key cryptography. Of itself, it conveys nothing, no verification, no validation, no identification. It only acquires value when it can be tied into an identity or identifier, which X.509 certificates do. Or it can preconfigured into the NMS (the key or a fingerprint thereof) but is the act of configuring that gives the key some value, there is nothing inherent in the key. You say in the I-D that this does not scale, but that is true of (almost) everything. If you use X.509 certificates, then they bind the key to an identity; guess what, that identity has to be configured into the NMS, so if configuring raw keys does not scale then neither do X.509 certificates:-( The only thing that scales is Trust On First Use, which I think too flaky for us to recommend. Manual acceptance when a key is first used is more secure, but, arguably, scales no better. We have been here before - look at RFC5592, which basically says 'preconfigure host keys' to which I would now add 'or else use certificates', RFC6125 etc. So my section 5 (skating over PGP use) would be more like "When the management system accepts a new incoming TCP connection on the NETCONF over SSH Call Home port, it starts the SSH client protocol. As the SSH client, it MUST authenticate the SSH server, by both identifying the network element and verifying its SSH host key. When not using call home, the management system initiates the TCP connection and so may place some reliance on the fact that the device that responds is the one that it is configured to communicate with. With call home, the network element initiates the TCP connection and no reliance can be placed on the source IP address of the TCP connection. Identifying the remote peer by its source IP address, as recommended in [RFC6187] is NOT RECOMMENDED in the case of call home, unless the network takes steps to validate IP source addresses. The management system may be configured with the host keys of the network elements, or fingerprints thereof, and these MAY be used as an identifier. The management system MAY request manually verification of a host key or a fingerprint thereof the first time the network element connects, and any time the host key changes thereafter. Digital certificates, such as those in X.509 version 3 (X.509v3) bind a public key to a digital identity [RFC5280] and are used in many environments for identity management. This approach is discussed in more detail in [5539bis]; this approach is RECOMMENDED." Tom Petch If this doesn't resolve the issue, can you also provide the text you hope to now show up in 5539bis? I see below what text is proposed to be removed from draft-ietf-netconf-reverse-ssh, but it doesn't make sense to just put that into 5539bis, what more do you hope to see in 5539bis? Thanks, Kent ><tp> >Kent > >No, I think I am not making myself clear. > >I am not saying that we need a common call home section. > >I am saying that having obtained a public key somehow, then it needs >verifying, that it is tied to the party that we are trying to >communicate with, and that that process is largely the same whether this >is call home or not. > >One form of verification is using X.509 certs, and that is the usual way >for TLS. My logic then is put everything we have to say about the use >of X.509 certs for verification in the TLS I-D and reference it from the >(reverse-)ssh I-D. The approach is the same for SSH and TLS and call >home and not call home IMHO so put it in the one place. > >Currently, reverse-ssh lacks some of the points that 5539bis makes about >the use of certs, and the base ssh RFC says nothing, but reverse-ssh has >points that 5539bis does not such as the paragraph >" Since both the identification and verification issues are addressed > using certificates, this draft RECOMMENDS network elements use a host > key that can encode a unique identifier (e.g., its serial number) and > be signed by a common trust anchor (e.g., a certificate authority). > Examples of suitable public host keys are the X.509v3 keys defined in > defined in [RFC6187]." >5539bis would be better for having that information in it alongside what >it currently has so I would move that to 5539bis leaving behind >something like > >" Since both the identification and verification issues are addressed > using certificates, this draft RECOMMENDS network elements use them - > more details can be found in [5539bis]." > >By contrast, the use of raw public keys is rare in TLS and commonplace >in SSH, so I would keep everything about that that is currently there in >reverse-ssh - mostly it is nothing to do with call home but the base ssh >RFC does not cover it so we might as well do the job properly now. > >So between them, reverse-ssh and 5539bis currently have all we need, it >is just that you have to read both in tandem to learn what you should >know.
- [Netconf] Comments on draft-ietf-netconf-reverse-… Alan Luchuk
- Re: [Netconf] Comments on draft-ietf-netconf-reve… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-reve… Alan Luchuk
- Re: [Netconf] WG Last Call Comments on draft-ietf… Bert Wijnen (IETF)
- Re: [Netconf] WG Last Call Comments on draft-ietf… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Juergen Schoenwaelder
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Martin Bjorklund
- [Netconf] periodic connections, heartbeats, recon… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] periodic connections, heartbeats, r… Kent Watsen
- Re: [Netconf] periodic connections, heartbeats, r… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Bert Wijnen (IETF)
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- [Netconf] Netconf keep-alive (was periodic connec… Liubing (Leo)
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Liubing (Leo)
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… Phil Shafer
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… Kent Watsen
- Re: [Netconf] Netconf keep-alive Martin Bjorklund
- Re: [Netconf] Netconf keep-alive t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- [Netconf] Netconf running state indication-//RE: … Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… t.petch
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… t.petch
- Re: [Netconf] Netconf running state indication-//… Radek Krejčí
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)