Re: [Netconf] guidance on draft-kwatsen-reverse-ssh

"Bert (IETF) Wijnen" <bertietf@bwijnen.net> Wed, 13 July 2011 07:42 UTC

Message-ID: <4E1D4C56.8090307@bwijnen.net>
Date: Wed, 13 Jul 2011 09:42:14 +0200
From: "Bert (IETF) Wijnen" <bertietf@bwijnen.net>
To: Kent Watsen <kwatsen@juniper.net>
References: <84600D05C20FF943918238042D7670FD3E8429F313@EMBX01-HQ.jnpr.net>
In-Reply-To: <84600D05C20FF943918238042D7670FD3E8429F313@EMBX01-HQ.jnpr.net>
Cc: "opsawg@ietf.org" <opsawg@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Subject: Re: [Netconf] guidance on draft-kwatsen-reverse-ssh

On 7/13/11 1:24 AM, Kent Watsen wrote:

on solution 2:
>       This solution has some pros and cons to the first solution.  On
>       the positive side, leveraging the existing MAC and host-key
>       negotiation logic built into the SSH protocol is pretty slick.
>       On the negative side, needing to modify the SSH client/server
>       code to support the x.509 and HMAC based keys would take some time
>       and further, restricting which host keys can be advertised
>       to just these is somewhat uncomfortable (i.e. no ssh-rsa or
>       ssh-dsa allowed), unlike with solution #1.
So Kent, do I understand correctly from your email that the
SAAG and SSH people prefer solution 2?

If so, are they (I guess specifically the SSH guys) willing to work on the spec and
then implement this in SSH implementations/products/distributions?

Bert