IETF Logo Mail Archive

Re: [Netconf] Ben Campbell's No Objection on draft-ietf-netconf-call-home-11: (with COMMENT)

Kent Watsen <kwatsen@juniper.net> Fri, 23 October 2015 00:26 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE5D11B2D75; Thu, 22 Oct 2015 17:26:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kMLuk6w7PDzB; Thu, 22 Oct 2015 17:26:23 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0115.outbound.protection.outlook.com [65.55.169.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04FF71B2D58; Thu, 22 Oct 2015 17:26:22 -0700 (PDT)
Received: from CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) by CO1PR05MB457.namprd05.prod.outlook.com (10.141.72.141) with Microsoft SMTP Server (TLS) id 15.1.306.13; Fri, 23 Oct 2015 00:26:20 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com ([169.254.16.52]) by CO1PR05MB458.namprd05.prod.outlook.com ([169.254.16.52]) with mapi id 15.01.0306.003; Fri, 23 Oct 2015 00:26:20 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Ben Campbell <ben@nostrum.com>, Benoit Claise <bclaise@cisco.com>
Thread-Topic: [Netconf] Ben Campbell's No Objection on draft-ietf-netconf-call-home-11: (with COMMENT)
Thread-Index: AQHRC4NwSO9HeS5EiE2jlg9x14GRTZ51dggAgAA4poCAAAM9AIAAUjGAgAAdHgCAATxjgIAAmPAAgAACPAA=
Date: Fri, 23 Oct 2015 00:26:19 +0000
Message-ID: <85DC7141-7A79-4923-AA4E-D493299DBCFE@juniper.net>
References: <20151020220528.1103.2866.idtracker@ietfa.amsl.com> <C4B32A05-BA53-43CA-ABDD-4E46EC0331CE@gmail.com> <CALaySJ+S+AmY6+4f1OePmgdgsGV5WHr37PsRGLzHCg_StQGLvw@mail.gmail.com> <20151021094008.GB65099@elstar.local> <5C065838-2633-4BDF-A514-9A0E31207C1B@nostrum.com> <8034DC26-F098-42C6-A90D-F15E2B2DAEE6@juniper.net> <5628C43F.1030304@cisco.com> <74936F60-A7E9-4E21-8E5A-DE709C315763@nostrum.com>
In-Reply-To: <74936F60-A7E9-4E21-8E5A-DE709C315763@nostrum.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/0.0.0.151008
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kwatsen@juniper.net;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [66.129.241.10]
x-microsoft-exchange-diagnostics: 1; CO1PR05MB457; 5:oVks2EQzNYFPD+/Wl3/WsfY0zzqROfO6/mt4DaFyA0BL35n24+HiN5A7IcVrs7n91sJt6UTctfP5YwVLrUlWHmUrNqQvF5jrDLx2SFbmYTTY/up4X3Xy8S+0nyrKXq5f519mmpdwJ7mpArnrLD1psA==; 24:IfkU96b2TF8oaIXck3DCtZrCF2d9fXrXD89IV1xS87C2WP30DnDkflK+1mxQmlrRVeYc6+NZzdYvf7/9M4PZS6wgNc8KAiIqXh7XlJ0xf0o=; 20:KS6pBrV1NT0+Wq2VTgFjDKPB8GHRd6w3C3daNCV6vCg3LWdAbyem4r6M58GeD/dq0xEOAKqkQS0IxI68z9ebTA==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CO1PR05MB457;
x-microsoft-antispam-prvs: <CO1PR05MB457F9BCEAFD59B47DFDC10FA5260@CO1PR05MB457.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(520078)(8121501046)(3002001)(102215026); SRVR:CO1PR05MB457; BCL:0; PCL:0; RULEID:; SRVR:CO1PR05MB457;
x-forefront-prvs: 0738AF4208
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(164054003)(199003)(189002)(76176999)(92566002)(93886004)(81156007)(86362001)(99286002)(106116001)(36756003)(4001350100001)(106356001)(97736004)(33656002)(66066001)(5001770100001)(50986999)(54356999)(40100003)(2950100001)(10400500002)(122556002)(82746002)(2900100001)(5001960100002)(189998001)(83506001)(5007970100001)(102836002)(5002640100001)(105586002)(11100500001)(83716003)(5004730100002)(87936001)(230783001)(101416001)(5008740100001)(104396002); DIR:OUT; SFP:1102; SCL:1; SRVR:CO1PR05MB457; H:CO1PR05MB458.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <BF7388142EB26648A540EB26AC3236A8@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Oct 2015 00:26:19.9955 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR05MB457
Archived-At: <http://mailarchive.ietf.org/arch/msg/netconf/pXnCtwwRG-EO95O4rr5ZO69Cp5o>
Cc: "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "draft-ietf-netconf-call-home@ietf.org" <draft-ietf-netconf-call-home@ietf.org>, The IESG <iesg@ietf.org>, Barry Leiba <barryleiba@computer.org>, Netconf <netconf@ietf.org>
Subject: Re: [Netconf] Ben Campbell's No Objection on draft-ietf-netconf-call-home-11: (with COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Oct 2015 00:26:24 -0000




>>>> I'm curious why people felt it necessary to reverse the usual TLS or 
>>>> SSH
>>>> client and server roles. Did the working group consider having the
>>>> NETCONF/RESTCONF server act as the TLS or SSH client? If so, can the
>>> As Juergen noted, this allows all existing authentication to 
>>> continue working.  Also, since SSH is not a symmetric protocol, 
>>> it’s actually important for the client to be the SSH-client so it 
>>> can open/close SSH channels (e.g., to start the “netconf” 
>>> subsystem).
>> Ben, do you feel we need to mention it in the draft?

Actually, the draft already has this:

  Having consistency in both the secure transport layer (SSH, TLS) and
  application layer (NETCONF, RESTCONF) roles conveniently enables
  deployed network management infrastructure to support call home also.
  For instance, existing certificate chains and user authentication
  mechanisms are unaffected by call home.

Good enough?



>I am happy with Stephen's suggestion (in a different branch of the 
>thread) to send some questions to the TLS wg and openssh list. I will be 
>fine with whatever results from that.

Yes, we’ll see how that plays out.

Thanks,
Kent

v2.23.0 | Report a Bug | By Email