IETF Logo Mail Archive

Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt

t.petch <ietfc@btconnect.com> Fri, 16 May 2014 16:51 UTC

Return-Path: <ietfc@btconnect.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DDDC1A02B0 for <netconf@ietfa.amsl.com>; Fri, 16 May 2014 09:51:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D8UyfuEyCo45 for <netconf@ietfa.amsl.com>; Fri, 16 May 2014 09:51:13 -0700 (PDT)
Received: from emea01-db3-obe.outbound.protection.outlook.com (mail-db3lp0084.outbound.protection.outlook.com [213.199.154.84]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 180F41A02E6 for <netconf@ietf.org>; Fri, 16 May 2014 09:51:12 -0700 (PDT)
Received: from DBXPRD0210HT002.eurprd02.prod.outlook.com (157.56.253.181) by AMXPR07MB054.eurprd07.prod.outlook.com (10.242.67.143) with Microsoft SMTP Server (TLS) id 15.0.944.11; Fri, 16 May 2014 16:51:03 +0000
Message-ID: <008601cf7126$abc5da00$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: Kent Watsen <kwatsen@juniper.net>, "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
References: <201403251517.LAA15291@adminfs.snmp.com> <CF58ED17.65F0C%kwatsen@juniper.net> <533D47CF.30402@bwijnen.net> <01f401cf5342$4d48d740$4001a8c0@gateway.2wire.net> <032f01cf6524$71cb2340$4001a8c0@gateway.2wire.net> <5368C366.8070509@bwijnen.net> <023701cf69d5$abcfb320$4001a8c0@gateway.2wire.net> <CF8FD96F.6E752%kwatsen@juniper.net> <007201cf6a9c$aa76f980$4001a8c0@gateway.2wire.net> <CF929D94.6F4D4%kwatsen@juniper.net> <00da01cf6dd5$ce36e740$4001a8c0@gateway.2wire.net> <CF9664F8.6F7B6%kwatsen@juniper.net> <021c01cf6f54$e6ed96a0$4001a8c0@gateway.2wire.net> <CF99485B.7172F%kwatsen@juniper.net>
Date: Fri, 16 May 2014 17:38:38 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [157.56.253.181]
X-ClientProxiedBy: DB3PR07CA010.eurprd07.prod.outlook.com (10.242.134.50) To AMXPR07MB054.eurprd07.prod.outlook.com (10.242.67.143)
X-Forefront-PRVS: 02135EB356
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(6009001)(428001)(13464003)(164054003)(199002)(189002)(377454003)(101416001)(99396002)(87976001)(20776003)(23756003)(46102001)(89996001)(77982001)(14496001)(77156001)(76482001)(42186004)(4396001)(80022001)(66066001)(85852003)(64706001)(19300405004)(102836001)(33646001)(81542001)(50466002)(1941001)(79102001)(44716002)(81342001)(87286001)(92726001)(86362001)(81816999)(62966002)(81686999)(84392001)(76176999)(74502001)(50226001)(88136002)(83322001)(19580405001)(62236002)(19580395003)(50986999)(61296002)(21056001)(74416001)(7726001)(562404015); DIR:OUT; SFP:; SCL:1; SRVR:AMXPR07MB054; H:DBXPRD0210HT002.eurprd02.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; A:0; MX:1; LANG:en;
Received-SPF: None (: btconnect.com does not designate permitted sender hosts)
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=ietfc@btconnect.com;
X-OriginatorOrg: btconnect.com
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/wftRNPksnIaapyXgBe9wmtqcuOI
Cc: netconf@ietf.org
Subject: Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 May 2014 16:51:16 -0000

----- Original Message -----
From: "Kent Watsen" <kwatsen@juniper.net>
To: "t.petch" <ietfc@btconnect.com>; "Bert Wijnen (IETF)"
<bertietf@bwijnen.net>
Cc: <netconf@ietf.org>
Sent: Wednesday, May 14, 2014 10:30 PM

Hi Tom,


>No, we are still not meeting anywhere in the middle.

On this we can agree, but hopefully we'll get there soon  ;)

>It seems to me that you are proposing that all devices share the same
>private key and so the same public key (in which case the choice of CA
>seems irrelevant).

Of course not, each device must have unique private keys.  The
zero-touch
draft goes into more specifics regarding certificate construction and
use
of PKI.

>As
>http://www.rfc-editor.org/rfc/rfc5592.txt
>says "this requires the client
>   to know the host's public key a priori and to verify that the
correct
>   key is being used."
>which is the sort of thing I would expect to see, in the absence of
>X.509 certificates.  With certificates, then you know the
subjectAltName
>a priori.  Either way, you configure the NMS for every device.

The zero-touch draft touches on this as well:

<tp>

So what:-)  Perhaps we are not agreeing because you have zero touch in
mind, whereas I expect certificates to be used without zero touch (as
they long have been with TLS).  I expect this I-D to make sense when
taken with its Normative references and, for me, at present, it does
not.

If you have 1000 devices, then the NMS needs configuring with 1000
identifiers, and if that does not scale for host keys, then I do not see
it scaling for any other identifier, be it the subjectAlternateName in a
certificate or anything else, so for me, the references to 'does not
scale' do not make sense.  There is no magic short cut to configuring
the NMS once for 1000 devices, unless they share some property such as a
private key.

Likewise, if the identifier is embedded in the host key by some means,
you still have 1000 identifiers to configure in the NMS

I do not think it enough to leave it up to implementations.  We should
recommend something that is secure, and do it not just because a
Security AD says so.  My experience is that Security ADs usually ask for
too much but equally, most WGs start out with too little and for me at
present, we are too close to the latter.

Tom Petch



Section 3.5:

   The NMS SHOULD also validate that the unique identifier (e.g., serial
   number), within the "Common Name" field of the device's X.509
   certificate, is an identity that the NMS is expecting, and not
   another device having the same device type.  In order for the NMS to
   know the unique identifiers for devices shipped directly to their
   destinations, it may be necessary for the device manufacturer to
   provide the unique identifiers along with other shipping or billing
   information.  This draft not specify a format for this information
   exchange.

Section 4.1:

   The unique identifier MUST be something that is both known to the
   device and easily tracked through labels affixed to the device as
   well as the box it is packaged in.  A device's serial number is
   commonly treated this way and would be suitable for this purpose.


I guess my point is that we agree on how the solution can scale.  The
reverse-ssh draft leaves it up to deployments to decide what to do,
while
the zero-touch draft specifies a specific solution that satisfies all
its
particular use-cases.


Thanks,
Kent

v2.23.0 | Report a Bug | By Email