[Netconf] ietf-netconf-server and ietf-ssh-server draft module

Michal Vaško <mvasko@cesnet.cz> Tue, 02 August 2016 14:29 UTC


Hi,
During the first implementation steps of this module I noticed some issues, which may or may not be relevant, but I would like to receive some feedback.

Regarding the subtree /netconf-server/listen/endpoint/ssh, there is no configuration of known and accepted client SSH public keys during NETCONF server SSH authentication. There is a list of trusted-ssh-host-keys in the ietf-system-keychain module for NETCONF client verification of server keys, why not the other way around? In our NETCONF server we used a list of pairs of trusted client SSH keys with their username (sort of like a simplified cert-to-name on SSH keys instead of certificates) and it worked well.

Next, I am unsure about the meaning of the host-keys/host-key list (relative to the container from the previous paragraph). In the description it says that it is used for announcing the supported key algorithms. So these keys are not used as SSH server host keys (whose digest is sent to SSH clients)? If so, why is the configuration of these host keys missing?

Lastly, I have noticed that in the list /netconf-server/listen/endpoint/ssh/host-keys/host-key, the name leaf is mandatory even though it is a key, while the choice type is not and I believe it should be. Perhaps a misplaced mandatory?

Regards,
Michal Vasko
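The trusted-client-key-to-username mapping the message describes, sketched as a YANG augmentation of the draft's /netconf-server/listen/endpoint/ssh subtree. This is an added illustration, not text from the draft or code from the author's server; the module name, namespace, prefix, and all leaf names under trusted-client-keys are assumptions.

```yang
module example-ssh-client-auth {
  yang-version 1.1;
  // constructed namespace, not an IETF one
  namespace "urn:example:ssh-client-auth";
  prefix excauth;

  // module name as referenced in the message; the prefix is assumed
  import ietf-netconf-server { prefix ncs; }

  description
    "Illustrative augmentation adding a list of trusted client SSH public
     keys, each bound to the NETCONF username the key authenticates as
     (a simplified cert-to-name for SSH keys, as proposed in the message).";

  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:ssh" {
    container trusted-client-keys {
      description
        "Client public keys accepted for SSH public-key authentication.
         A client proving possession of a listed key is mapped to the
         configured username; keys not listed here are rejected.";
      list client-key {
        key "name";
        leaf name {
          type string;
          description "Arbitrary administrative name of this entry.";
        }
        leaf username {
          type string;
          mandatory true;
          description
            "NETCONF username assigned to sessions authenticated with
             this key; this is the identity NACM rules apply to.";
        }
        leaf algorithm {
          type enumeration {
            enum ssh-rsa;
            enum ecdsa-sha2-nistp256;
            enum ssh-ed25519;
          }
          mandatory true;
          description "SSH public key algorithm of public-key.";
        }
        leaf public-key {
          type binary;
          mandatory true;
          description "Public key blob in SSH wire encoding (RFC 4253).";
        }
      }
    }
  }
}
```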