Re: [Netconf] regarding combining reverse-tls and reverse-ssh

Kent Watsen <kwatsen@juniper.net> Fri, 22 November 2013 19:42 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Carl Moberg <calle@tail-f.com>, Ralf Skyper Kaiser <skyper@thc.org>
Thread-Topic: [Netconf] regarding combining reverse-tls and reverse-ssh
Date: Fri, 22 Nov 2013 19:42:34 +0000
Message-ID: <CEB51C95.4FDEB%kwatsen@juniper.net>
In-Reply-To: <5AE6D25B-AA9C-4727-8194-7CE257D5258F@tail-f.com>
Cc: Netconf <netconf@ietf.org>
Subject: Re: [Netconf] regarding combining reverse-tls and reverse-ssh

I also don't know of any NC over TLS deployments. Juniper doesn't even
support it.

The SSH transport is very intuitive with regards to mapping the user. The
TLS transport requires special configuration to map the client cert, which
relegates it to special use-cases (e.g. constrained devices).

K.

On 11/22/13 11:46 AM, "Carl Moberg" <calle@tail-f.com> wrote:

>
> NETCONF over SSH is in very wide commercial deployment and is in at
> least 20+ implementations of networking equipment.
>
> I don't know of a single NETCONF over TLS implementation that is in use.
>
> My opinion is that SSH is required and TLS would be a great addition.
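The point Kent makes about user mapping is the crux of the SSH-versus-TLS difference: over SSH the NETCONF username is simply the account the SSH layer already authenticated, whereas over TLS the server holds only a client certificate and needs an explicit, administrator-configured rule to turn it into a username. The following is an added example, not code from this thread or from any vendor's NETCONF implementation. It models that cert-to-name lookup as an ordered rule list loosely modelled on the ietf-x509-cert-to-name module (RFC 7407) that NETCONF over TLS later adopted (RFC 7589); the `ClientCert` and `CertToNameRule` structures, the fingerprint encoding, and the sample certificates are constructed for illustration and are not the RFCs' exact schema.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for a parsed X.509 client certificate. A real server
# would take these fields from the TLS handshake's peer certificate.
@dataclass
class ClientCert:
    der: bytes                                   # DER bytes (constructed here)
    common_name: str
    san_rfc822: List[str] = field(default_factory=list)   # subjectAltName email
    san_dns: List[str] = field(default_factory=list)      # subjectAltName DNS


# One cert-to-name rule, loosely after RFC 7407's cert-to-name list:
# a rule only applies when the presented cert's fingerprint matches, and
# map_type says which certificate field becomes the NETCONF username.
@dataclass
class CertToNameRule:
    rule_id: int
    fingerprint: str        # "sha-256:<hex>" over the certificate DER
    map_type: str           # "specified" | "san-rfc822-name" | "san-dns-name" | "common-name"
    name: str = ""          # only meaningful for map_type == "specified"


def fingerprint(cert: ClientCert) -> str:
    """Fingerprint the certificate as configured in the rule list."""
    return "sha-256:" + hashlib.sha256(cert.der).hexdigest()


def netconf_username_from_tls(cert: ClientCert,
                              rules: List[CertToNameRule]) -> Optional[str]:
    """Derive the NETCONF username for a TLS client, or None to fail closed.

    Rules are evaluated in id order; the first rule whose fingerprint matches
    and whose requested field is present in the certificate wins. A cert that
    matches no rule yields no username, so the session must be rejected.
    """
    fp = fingerprint(cert)
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.fingerprint != fp:
            continue
        if rule.map_type == "specified":
            return rule.name
        if rule.map_type == "san-rfc822-name" and cert.san_rfc822:
            return cert.san_rfc822[0]
        if rule.map_type == "san-dns-name" and cert.san_dns:
            return cert.san_dns[0]
        if rule.map_type == "common-name" and cert.common_name:
            return cert.common_name
        # fingerprint matched but the cert lacks the requested field: this
        # rule does not apply, keep looking for a later one
    return None


def netconf_username_from_ssh(authenticated_user: str) -> str:
    """Over SSH the username is whatever the SSH layer already authenticated."""
    return authenticated_user


if __name__ == "__main__":
    # Constructed sample certificates and rule list (not real certs).
    ops = ClientCert(der=b"constructed-der-ops", common_name="ops-admin",
                     san_rfc822=["ops@example.net"])
    rules = [CertToNameRule(1, fingerprint(ops), "san-rfc822-name")]
    print("TLS ->", netconf_username_from_tls(ops, rules))
    print("SSH ->", netconf_username_from_ssh("kent"))
```

Note that the fingerprint check is what makes the mapping safe: without it, any CA-issued certificate carrying the same common name or email would be mapped to the same NETCONF account. A certificate with no matching rule returns `None`, and the server should close the session rather than fall back to a default user.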