Re: [saag] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt

[Jeffrey Hutzelman <jhutz@cmu.edu>]

On Wed, 2013-06-19 at 22:03 +0000, Kent Watsen wrote:


> From a protocol perspective, the solution presented in this draft
> is the same as presented in draft-kwatsen-reverse-ssh-01 with one
> exception, it now requests an IANA-assigned port, instead of using
> port 22, to be consistent with draft-ietf-netconf-rfc5539bis-03,
> which makes the same request.

Given the previous discussion about port numbers, I think that's both
prudent and unfortunate.  It would be nice to be able to multiplex
everything on one port, but the reality is that the netconf application
that a device is connecting to is unlikely to have anything to do with
the SSH server running on the same machine.  However, unless I'm
misunderstanding the intent here, using a fixed port at all seems
limiting to me.  What if I'm running two different applications on my
machine, and expect different devices to connect to them, or even the
same device to both?  What if there are other people sharing my machine?
Shouldn't be port be either one dynamically assigned to the application
by the OS, or configured by an administrator?


> Regarding the security aspects of running SSH "in reverse", this
> draft's Security Considerations section has been greatly expanded
> to address this concern and I very much hope that the SAAG will
> take it up now.

OK; I'll try to find some time to re-review it, then.  In the meantime,
it would probably be good to bring this document up on the ietf-ssh list
again.


> Finally, regarding the HMAC-* family of public host key algorithms,
> I think herein lies a good reason to extract them into a draft of
> their own, as it would be a shame for them to distract from the
> primary discussion of running SSH (and TLS) in reverse.

Yes, I think that's a good idea.  These should be able to be treated
independently.

-- Jeff