Re: [OPSAWG] guidance on draft-kwatsen-reverse-ssh
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Wed, 13 July 2011 04:47 UTC
Date: Wed, 13 Jul 2011 06:47:11 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Kent Watsen <kwatsen@juniper.net>, f@elstar.local
Cc: "opsawg@ietf.org" <opsawg@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
On Tue, Jul 12, 2011 at 04:24:18PM -0700, Kent Watsen wrote:

> And now, without further ado, here are the four possible solutions:

[...]

> How to move forward?
>
> - first, it would be interesting to get some feedback on the various
>   proposals from the NETCONF and OPSAWG WG members. I realize that
>   above are very high-level descriptions, but hopefully it's enough
>   to get the gist of what's being proposed...
>
> - if it turns out that there is significant support for solution #1
>   (or even #2), then we might be able to take that back to the SAAG
>   and IETF-SSH lists for their reconsideration. Alternatively, perhaps
>   either the OPSAWG or the NETCONF WG would be interested in picking
>   up this I-D? As a last-ditch effort, would it make sense to submit
>   it as an EXPERIMENTAL RFC? - would others who asked for this draft
>   to be submitted even implement an EXPERIMENTAL RFC?

There is some history of this discussion in the ISMS working group.
When ISMS did SNMP over SSH, we had a hard time dealing with
notifications and the Juniper approach was already put on the table at
that time as "running code that seems to work in practice to solve an
operational problem". As far as I recall, there was no doubt about the
operational problem and the need to solve it _but_ there were security
concerns brought forward. I would have to do several hours of reading
of ISMS archives in order to phrase them correctly. But simply put (as
far as I recall - and I don't really recall any details and so I might
be totally off), the concern had to do with something not truly
authenticated to tell a box to SSH somewhere which involves the usage
of identities with cryptographic keys. In ISMS, we ended up making the
notification originator the SSH client - and this caused quite some
costs since the amount of config increases and the identity to bind
access control to becomes different.

So in essence, I believe we have been for years at a deadlock situation
where operational people were clear that a solution for devices to
"call home" is clearly needed but the security people had security
concerns with the solutions presented and the solutions liked more by
security people to be operationally a pain. Perhaps one path forward is
to have the operational people push a solution that is implementable
and solves an operational problem (without creating a new operational
problem) through the whole IETF process forcing the security people to
clearly document their security concerns and then it can be seen
whether that text all goes into the Security Considerations and the
protocol passes or the document stops at the IESG. This is potentially
a painful exercise.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>