
From stpeter@stpeter.im  Tue Jun  4 16:29:33 2013
Return-Path: <stpeter@stpeter.im>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2163D21F99F0; Tue,  4 Jun 2013 16:29:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xvMJpDWRsl0p; Tue,  4 Jun 2013 16:29:28 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 5D5C121F992A; Tue,  4 Jun 2013 16:29:25 -0700 (PDT)
Received: from ergon.local (unknown [71.237.13.154]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 0B90741240; Tue,  4 Jun 2013 17:42:13 -0600 (MDT)
Message-ID: <51AE783F.5060204@stpeter.im>
Date: Tue, 04 Jun 2013 17:29:03 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: saag@ietf.org, "apps-discuss@ietf.org" <apps-discuss@ietf.org>
References: <51AE771F.6080005@stpeter.im>
In-Reply-To: <51AE771F.6080005@stpeter.im>
X-Enigmail-Version: 1.5.1
X-Forwarded-Message-Id: <51AE771F.6080005@stpeter.im>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [saag] Fwd: [POSH] PKIX Over Secure HTTP (POSH)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2013 23:29:33 -0000

FYI.


-------- Original Message --------
Subject: [POSH] PKIX Over Secure HTTP (POSH)
Date: Tue, 04 Jun 2013 17:24:15 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: posh@ietf.org

Matt Miller and I have been working on a specification for "PKIX Over
Secure HTTP" (POSH), which aims to make it easier to ensure proper TLS
server identity checking in multi-tenanted environments (where it's
basically impossible right now):

https://datatracker.ietf.org/doc/draft-miller-posh/

As the abstract says:

   This document defines two methods that make it easier to deploy
   certificates for proper server identity checking in application
   protocols.  The first method enables a TLS client to obtain a TLS
   server's end-entity certificate over secure HTTP as an alternative to
   standard Public Key Infrastructure using X.509 (PKIX) and DNS-Based
   Authentication of Named Entities (DANE).  The second method enables a
   source domain to securely delegate an application to a derived domain
   using HTTPS redirects.

We love PKIX (really!), we love DNSSEC, and we love DANE (which solves
some of the same problems for some application protocols as POSH
does). However, we want a technology that can be deployed more quickly
than DANE in order to solve pressing operational security issues with
standard PKIX in multi-tenanted environments.

This effort emerged from the XMPP community, but we have heard from
folks working on other application technologies that it might be
useful for things like IMAP and SMTP, thus the more generalized
version of POSH that we published today (superseding
draft-miller-xmpp-posh-prooftype).

We are planning to hold a BoF on this topic in Berlin, but in the
meantime comments are very much welcome. Please post your feedback to
the new posh@ietf.org list:

https://www.ietf.org/mailman/listinfo/posh

Thanks!

Peter

_______________________________________________
posh mailing list
posh@ietf.org
https://www.ietf.org/mailman/listinfo/posh



From mcr@sandelman.ca  Wed Jun  5 07:23:35 2013
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: saag@ietf.org
Date: Wed, 05 Jun 2013 10:22:33 -0400
Message-ID: <30305.1370442153@sandelman.ca>
Subject: [saag] XML reference for ISO 7498-2

Is there a reference.xml file out there for ISO 7498-2?
I'm hesitant to reference it, given that it is not particularly
available, but it seems like a good idea.


-- 
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works




From housley@vigilsec.com  Wed Jun  5 12:09:20 2013
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <30305.1370442153@sandelman.ca>
Date: Wed, 5 Jun 2013 15:08:30 -0400
Message-Id: <D8B7E77C-10D2-4290-A263-EE2212926329@vigilsec.com>
References: <30305.1370442153@sandelman.ca>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: saag@ietf.org
Subject: Re: [saag] XML reference for ISO 7498-2

It is available for download these days if you are willing to get it
from the ITU instead of ISO.  You may recall that this is a joint
product of ISO and ITU-T.

You can get it here:
http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=X.800

Russ


On Jun 5, 2013, at 10:22 AM, Michael Richardson wrote:

>
> Is there a reference.xml file out there for ISO 7498-2?
> I'm hesitant to reference it, given that it is not particularly
> available, but it seems like a good idea.
>
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag


From mcr@sandelman.ca  Thu Jun  6 06:43:38 2013
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Russ Housley <housley@vigilsec.com>, saag@ietf.org
In-Reply-To: <D8B7E77C-10D2-4290-A263-EE2212926329@vigilsec.com>
References: <30305.1370442153@sandelman.ca> <D8B7E77C-10D2-4290-A263-EE2212926329@vigilsec.com>
Date: Thu, 06 Jun 2013 09:42:40 -0400
Message-ID: <32251.1370526160@sandelman.ca>
Subject: Re: [saag] XML reference for ISO 7498-2

>>>>> "Russ" == Russ Housley <housley@vigilsec.com> writes:
    Russ> It is available for download these days if you are willing to get it =
    Russ> from the ITU instead of ISO.  You may recall that this is a joint =
    Russ> product of ISO and ITU-T.

    Russ> You can get it here:
    Russ> http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=3DX.800

A search for 7498 got me nothing...

http://www.itu.int/ITU-T/recommendations/rec.aspx?id=3102
is it, I think.

Still looking for a repo of reference.*.xml on this document.

-- 
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works




From mdchalmers@gmail.com  Thu Jun  6 06:54:05 2013
In-Reply-To: <32251.1370526160@sandelman.ca>
References: <30305.1370442153@sandelman.ca> <D8B7E77C-10D2-4290-A263-EE2212926329@vigilsec.com> <32251.1370526160@sandelman.ca>
From: Matthew Chalmers <matthew.chalmers@owasp.org>
Date: Thu, 6 Jun 2013 08:53:43 -0500
Message-ID: <CANeTqCq0y2bN4hiY5hW7JsC3-Cw3pHysff2KFfXD33zF-+=hUg@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] XML reference for ISO 7498-2

Delete the "3D" from Russ's link (not sure why it was inserted for you). It
worked for me, but your link works as well.


On Thu, Jun 6, 2013 at 8:42 AM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:

>
> >>>>> "Russ" == Russ Housley <housley@vigilsec.com> writes:
>     Russ> It is available for download these days if you are willing to
> get it =
>     Russ> from the ITU instead of ISO.  You may recall that this is a
> joint =
>     Russ> product of ISO and ITU-T.
>
>     Russ> You can get it here:
>     Russ> http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=3DX.800
>
> A search for 7498 got me nothing...
>
> http://www.itu.int/ITU-T/recommendations/rec.aspx?id=3102
> is it, I think.
>
> Still looking for a repo of reference.*.xml on this document.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works


From rstruik.ext@gmail.com  Thu Jun  6 06:57:30 2013
Message-ID: <51B0952D.2030705@gmail.com>
Date: Thu, 06 Jun 2013 09:57:01 -0400
From: Rene Struik <rstruik.ext@gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
References: <30305.1370442153@sandelman.ca> <D8B7E77C-10D2-4290-A263-EE2212926329@vigilsec.com> <32251.1370526160@sandelman.ca>
In-Reply-To: <32251.1370526160@sandelman.ca>
Cc: saag@ietf.org
Subject: Re: [saag] XML reference for ISO 7498-2

Dear Michael:

Not sure why you need this two-decade-old reference. However, here you go:

http://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.800-199103-I!!PDF-E&type=items

Rene

On 6/6/2013 9:42 AM, Michael Richardson wrote:
>>>>>> "Russ" == Russ Housley <housley@vigilsec.com> writes:
>      Russ> It is available for download these days if you are willing to get it =
>      Russ> from the ITU instead of ISO.  You may recall that this is a joint =
>      Russ> product of ISO and ITU-T.
>
>      Russ> You can get it here:
>      Russ> http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=3DX.800
>
> A search for 7498 got me nothing...
>
> http://www.itu.int/ITU-T/recommendations/rec.aspx?id=3102
> is it, I think.
>
> Still looking for a repo of reference.*.xml on this document.


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363



From housley@vigilsec.com  Thu Jun  6 07:00:01 2013
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <32251.1370526160@sandelman.ca>
Date: Thu, 6 Jun 2013 09:59:52 -0400
Message-Id: <07DAA9FC-E61E-4B1F-A05B-71228AC6157B@vigilsec.com>
References: <30305.1370442153@sandelman.ca> <D8B7E77C-10D2-4290-A263-EE2212926329@vigilsec.com> <32251.1370526160@sandelman.ca>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: saag@ietf.org
Subject: Re: [saag] XML reference for ISO 7498-2

Michael:

>    Russ> It is available for download these days if you are willing to get it =
>    Russ> from the ITU instead of ISO.  You may recall that this is a joint =
>    Russ> product of ISO and ITU-T.
>
>    Russ> You can get it here:
>    Russ> http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=3DX.800
>
> A search for 7498 got me nothing...
>
> http://www.itu.int/ITU-T/recommendations/rec.aspx?id=3102
> is it, I think.

Correct.  I do not know what helpful software inserted the 3D.  Try this
for ISO 7498-2 (also known as X.800):
http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=X.800 or the URL
above.

> Still looking for a repo of reference.*.xml on this document.

I do not have the reference.*.xml for this document.

Also, the basic reference model is ISO 7498 (also known as X.200).  It
is here:
http://www.itu.int/ITU-T/recommendations/rec.aspx?id=2820

Russ

From mcr@sandelman.ca  Thu Jun  6 07:55:32 2013
Return-Path: <mcr@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1741D21F972C for <saag@ietfa.amsl.com>; Thu,  6 Jun 2013 07:55:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1+UIJ37AKgvk for <saag@ietfa.amsl.com>; Thu,  6 Jun 2013 07:55:31 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3::184]) by ietfa.amsl.com (Postfix) with ESMTP id 3415221F9923 for <saag@ietf.org>; Thu,  6 Jun 2013 07:55:26 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 0E9A620177; Thu,  6 Jun 2013 11:08:18 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 339F263A8C; Thu,  6 Jun 2013 10:54:28 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 2436763A5E; Thu,  6 Jun 2013 10:54:28 -0400 (EDT)
From: Michael Richardson <mcr@sandelman.ca>
To: Rene Struik <rstruik.ext@gmail.com>
In-Reply-To: <51B0952D.2030705@gmail.com>
References: <30305.1370442153@sandelman.ca> <D8B7E77C-10D2-4290-A263-EE2212926329@vigilsec.com> <32251.1370526160@sandelman.ca> <51B0952D.2030705@gmail.com>
X-Mailer: MH-E 8.3; nmh 1.3-dev; XEmacs 21.4 (patch 22)
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
Date: Thu, 06 Jun 2013 10:54:28 -0400
Message-ID: <13056.1370530468@sandelman.ca>
Sender: mcr@sandelman.ca
Cc: saag@ietf.org
Subject: Re: [saag] XML reference for ISO 7498-2
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2013 14:55:32 -0000

>>>>> "Rene" == Rene Struik <rstruik.ext@gmail.com> writes:
    Rene> Not sure why you need this two-decades old reference. However, here you go:

That's exactly it: it's a reference.
I'm looking for a *reference*.xml file, so that I can reference it
accurately.  I also want to make sure that I can read it to be sure what
I want to quote.

It's funny that Russ' mail program simply can't avoid quoted printable
on the =
  http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=X.800


-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [ 
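Michael's remark above concerns the quoted-printable encoding (RFC 2045, section 6.7) that turned the X.800 URL earlier in this thread into `rec=3D3DX.800`: one mailer encoded `=` as `=3D`, and a second mailer encoded that `=` again. The decoder below is an added example, not code from any message on the list. The sample lines are copied from the archived reply above; the layer-peeling helper (`qp_layers`) is my own heuristic and not something a standard mail client does.

```python
"""Quoted-printable (RFC 2045, section 6.7) decoder, applied to the
double-encoded X.800 URL from this thread.

Added example, not code from any message on the list.
"""
from typing import List, Tuple

HEX_DIGITS = "0123456789ABCDEFabcdef"


def qp_decode(text: str) -> str:
    """Decode exactly one layer of quoted-printable.

    Rules implemented:
      '=' + two hex digits     -> the byte with that value (=3D is '=', =20 is ' ')
      '=' at end of a line     -> soft line break: drop it and join the next line
      '=' before anything else -> kept literally, as lenient mail clients do
    Transport-added trailing whitespace is deliberately not stripped here,
    so an inner layer's decoded '=20' survives a second pass.
    """
    out = []
    i, n = 0, len(text)
    while i < n:
        if text[i] != "=":
            out.append(text[i])
            i += 1
            continue
        j = i + 1
        if j < n and text[j] == "\r":
            j += 1
        if j < n and text[j] == "\n":
            i = j + 1                       # soft break: swallow '=' and newline
            continue
        if j >= n:
            break                           # dangling '=' at end of input
        if i + 2 < n and text[i + 1] in HEX_DIGITS and text[i + 2] in HEX_DIGITS:
            out.append(chr(int(text[i + 1:i + 3], 16)))
            i += 3
            continue
        out.append("=")                     # '=X.' in '?rec=X.800' is not an escape
        i += 1
    return "".join(out)


def qp_layers(text: str, max_layers: int = 8) -> List[str]:
    """Every successive form of the text, outermost encoding first.

    Heuristic (mine, not a standard): decode until a pass changes nothing.
    A genuine '=3D' in already-decoded text would be peeled too, so the
    caller should know how many layers to expect; max_layers bounds the loop.
    """
    forms = [text]
    for _ in range(max_layers):
        nxt = qp_decode(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms


def peel_qp_layers(text: str, max_layers: int = 8) -> Tuple[str, int]:
    """Fully decoded text plus the number of layers that were removed."""
    forms = qp_layers(text, max_layers)
    return forms[-1], len(forms) - 1


# Constructed sample: the quoted lines exactly as they sit in the archived
# reply above. Apple Mail QP-encoded a quote that already carried one layer.
ARCHIVED_QUOTE = (
    ">    Russ> You can get it here:\n"
    ">    Russ> http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=3D3DX.800=\n"
    "\n"
    ">=20\n"
    "> A search for 7498 got me nothing...\n"
)

if __name__ == "__main__":
    decoded, layers = peel_qp_layers(ARCHIVED_QUOTE)
    print(f"peeled {layers} layer(s):\n{decoded}")
    for form in qp_layers("http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=3D3DX.800"):
        print(form)
```

Running it shows the three forms of the URL: the archived `rec=3D3DX.800`, the `rec=3DX.800` that Michael's client displayed and that a search for it would not find, and the intended `rec=X.800`. The decoder stops on its own at the last form because `=X.` is not a valid escape; that is also why repeated decoding is safe here but not in general, since a decoded body that legitimately contains `=3D` or `=20` would be mangled by a further pass.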
	

From prvs=787098c2bd=scott.mansfield@ericsson.com  Fri Jun  7 02:22:40 2013
Return-Path: <prvs=787098c2bd=scott.mansfield@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A07F721F8C08 for <saag@ietfa.amsl.com>; Fri,  7 Jun 2013 02:22:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XmW3LojaOxH4 for <saag@ietfa.amsl.com>; Fri,  7 Jun 2013 02:22:34 -0700 (PDT)
Received: from usevmg20.ericsson.net (usevmg20.ericsson.net [198.24.6.45]) by ietfa.amsl.com (Postfix) with ESMTP id 14B4521F8FBE for <saag@ietf.org>; Fri,  7 Jun 2013 02:22:25 -0700 (PDT)
X-AuditID: c618062d-b7f936d000004481-27-51b1a650ee2a
Received: from EUSAAHC006.ericsson.se (Unknown_Domain [147.117.188.90]) by usevmg20.ericsson.net (Symantec Mail Security) with SMTP id 8C.57.17537.056A1B15; Fri,  7 Jun 2013 11:22:24 +0200 (CEST)
Received: from EUSAAMB102.ericsson.se ([147.117.188.119]) by EUSAAHC006.ericsson.se ([147.117.188.90]) with mapi id 14.02.0328.009; Fri, 7 Jun 2013 05:22:23 -0400
From: Scott Mansfield <scott.mansfield@ericsson.com>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: ITU-T Recommendation ITU-T X.1037, Technical security guideline on deploying IPv6
Thread-Index: Ac5jYIPck0d+2CUNT3Sp/Yo0Bb4r3g==
Date: Fri, 7 Jun 2013 09:22:22 +0000
Message-ID: <EF35EE4B92789843B1DECBC0E245586411522300@eusaamb102.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [147.117.188.134]
Content-Type: multipart/alternative; boundary="_000_EF35EE4B92789843B1DECBC0E245586411522300eusaamb102erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrHLMWRmVeSWpSXmKPExsUyuXRPlG7Aso2BBnubVC2m9HcyOTB6LFny kymAMYrbJimxpCw4Mz1P3y6BO+PwxbvMBdsUKn7f3crcwDhRpouRk0NCwESie8JpFghbTOLC vfVsXYxcHEICRxklTp79wQLhLGOUuHvlORtIFRtQx9Zd0xlBbBEBZYnlf56zg9jCAjES/29v gYonSpx71cYCYetJfFvynAnEZhFQkXjRdA1sDq+Ar8T6b6dZQWxGoM3fT60Bq2EWEJe49WQ+ E8RFAhJL9pxnhrBFJV4+/scKYStLLHmynwWiPl9ixzGIel4BQYmTM5+wTGAUmoVk1CwkZbOQ lEHEdSQW7P7EBmFrSyxb+JoZxj5z4DETsvgCRvZVjBylxalluelGBpsYgcF/TIJNdwfjnpeW hxilOViUxHnVeBcHCgmkJ5akZqemFqQWxReV5qQWH2Jk4uAEEVxSDYwuey/vDw+Qqnic13JT OePoVPP2t5XlwbU7lCyPcefJrK0OXqCdpeW49e7fRzfZu96xRnfpzb+zt6vi3/YAW2VH07yN D5yzRNa75f20VZJNuzlfqVZi4sHg01Y8m50ddc8Wqjr+9RFmcm18aXaQ27Ha3rd6XXT5tiWT 2TjKHq96/mRHAM/mFiWW4oxEQy3mouJEANi09N1RAgAA
Subject: [saag] ITU-T Recommendation ITU-T X.1037, Technical security guideline on deploying IPv6
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2013 09:22:40 -0000

--_000_EF35EE4B92789843B1DECBC0E245586411522300eusaamb102erics_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

https://datatracker.ietf.org/liaison/1255/

Further information on this document.  X.1037 is in an ITU approval process called AAP.  The deadline for comments on the document is 12 June 2013.  There are a number of comments on the document already submitted by an ITU sector member, so the document will have to be reviewed and modified before it can move forward.  The next step in the process would be something called additional review.  In additional review, comments are accepted only on the parts of the document that were modified; no new substantive comments on the rest of the document are accepted.  So, if there are comments anyone would like to make on the document, please send them to me before 12 June.

Regards,
-scott.

Scott Mansfield
Ericsson Inc.
+1 724 931 9316


--_000_EF35EE4B92789843B1DECBC0E245586411522300eusaamb102erics_--

From stephen.farrell@cs.tcd.ie  Fri Jun  7 04:23:39 2013
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD43E21F853A for <saag@ietfa.amsl.com>; Fri,  7 Jun 2013 04:23:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1KMaDC5eeZK8 for <saag@ietfa.amsl.com>; Fri,  7 Jun 2013 04:23:35 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id 4DA1621F88A9 for <saag@ietf.org>; Fri,  7 Jun 2013 04:23:35 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 3A519BEAF; Fri,  7 Jun 2013 12:23:13 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I310awcWgC9y; Fri,  7 Jun 2013 12:23:13 +0100 (IST)
Received: from [IPv6:2001:770:10:203:80ef:4ae:b4e0:a4c4] (unknown [IPv6:2001:770:10:203:80ef:4ae:b4e0:a4c4]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 0A97CBEA4; Fri,  7 Jun 2013 12:23:13 +0100 (IST)
Message-ID: <51B1C2A2.5040506@cs.tcd.ie>
Date: Fri, 07 Jun 2013 12:23:14 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: Scott Mansfield <scott.mansfield@ericsson.com>
References: <EF35EE4B92789843B1DECBC0E245586411522300@eusaamb102.ericsson.se>
In-Reply-To: <EF35EE4B92789843B1DECBC0E245586411522300@eusaamb102.ericsson.se>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] ITU-T Recommendation ITU-T X.1037, Technical security guideline on deploying IPv6
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2013 11:23:40 -0000

Hi Scott,

On 06/07/2013 10:22 AM, Scott Mansfield wrote:
> https://datatracker.ietf.org/liaison/1255/
> 
> Further information on this document.  X.1037 is in an ITU approval process called AAP.  The deadline for comments on the document is 12 June 2013.  There are a number of comments on the document already submitted by an ITU sector member, so the document will have to be reviewed and modified before it can move forward.  The next step in the process would be something called additional review.  In additional review, comments are accepted only on the parts of the document that were modified; no new substantive comments on the rest of the document are accepted.  So, if there are comments anyone would like to make on the document, please send them to me before 12 June.

First, thanks for sending this to the list. I think that's a
more effective way to get stuff looked at compared to waiting
for the SEC ADs to get on the case:-) If someone has comments
then replying in this thread is probably the right thing.

On the document itself, I only have a meta-comment, feel free
to edit the wording however you'd like but my suggestion is
that they include a bit of extra text in either the summary or
section 1 "scope" along the following lines:

"This recommendation considers the security aspects of IPv6
which is standardised by the IETF. As can be seen from the
text below, IETF standards evolve over time as new RFCs are
produced, so before applying suggested mitigating measures,
readers should check for more recent work on relevant IETF
specifications. For security related questions, one way to
do that is to send an email to the IETF's security area
mailing list: saag@ietf.org. Another is to send a mail to
the IETF's general discussion list: ietf@ietf.org."

The reason to suggest that is that we've seen a number of
comments on previous liaisons along the lines of "yeah that
used to be a problem but RFCxxx has fixed that or draft-foo
is fixing that" or "your suggested mitigation is counter
to RFCyyy or draft-bar" and a pointer like the above might
lessen folks' concerns about ITU-T text resulting in bad
outcomes.

If you think my comment would set off some kind of SDO turf
war then I'm ok that we not make it a formal liaison response.

Cheers,
S.



From prvs=587022e219=scott.mansfield@ericsson.com  Fri Jun  7 05:09:11 2013
Return-Path: <prvs=587022e219=scott.mansfield@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08E1E21F9488 for <saag@ietfa.amsl.com>; Fri,  7 Jun 2013 05:09:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.001,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oNJpPIttXZO2 for <saag@ietfa.amsl.com>; Fri,  7 Jun 2013 05:09:05 -0700 (PDT)
Received: from usevmg20.ericsson.net (usevmg20.ericsson.net [198.24.6.45]) by ietfa.amsl.com (Postfix) with ESMTP id 760EA21F925A for <saag@ietf.org>; Fri,  7 Jun 2013 05:09:05 -0700 (PDT)
X-AuditID: c618062d-b7f936d000004481-55-51b1cd60bf74
Received: from EUSAAHC005.ericsson.se (Unknown_Domain [147.117.188.87]) by usevmg20.ericsson.net (Symantec Mail Security) with SMTP id 00.E9.17537.06DC1B15; Fri,  7 Jun 2013 14:09:04 +0200 (CEST)
Received: from EUSAAMB102.ericsson.se ([147.117.188.119]) by EUSAAHC005.ericsson.se ([147.117.188.87]) with mapi id 14.02.0328.009; Fri, 7 Jun 2013 08:09:04 -0400
From: Scott Mansfield <scott.mansfield@ericsson.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: [saag] ITU-T Recommendation ITU-T X.1037, Technical security guideline on deploying IPv6
Thread-Index: Ac5jYIPck0d+2CUNT3Sp/Yo0Bb4r3gAMmmQAAAcd4WA=
Date: Fri, 7 Jun 2013 12:09:02 +0000
Message-ID: <EF35EE4B92789843B1DECBC0E2455864115237DD@eusaamb102.ericsson.se>
References: <EF35EE4B92789843B1DECBC0E245586411522300@eusaamb102.ericsson.se> <51B1C2A2.5040506@cs.tcd.ie>
In-Reply-To: <51B1C2A2.5040506@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [147.117.188.134]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrCLMWRmVeSWpSXmKPExsUyuXRPuG7C2Y2BBrP2WlhM6e9kspi+9xq7 A5PH2u6rbB5LlvxkCmCK4rZJSiwpC85Mz9O3S+DOWHRvGnvBPJmKnwv+MTUwnhXrYuTkkBAw kVj8bDMThC0mceHeerYuRi4OIYGjjBL/1jSyQDjLGCVOXT4DVsUG1LF113RGEFtEQF9i7+Zz 7CA2s4CyxNs/T8BqhAXSJU5u3sYMUZMhcenmFlYI20ribc9WFhCbRUBFYuvyS2BxXgFfiW+v PoLNFBLIkdj+4A3YHE4BTYl7e4+DxRmBrvt+ag0TxC5xiVtP5kNdLSCxZM95ZghbVOLl43+s ELayxJIn+1kg6nUkFuz+xAZha0ssW/iaGWKvoMTJmU9YJjCKzUIydhaSlllIWmYhaVnAyLKK kaO0OLUsN93IYBMjMFKOSbDp7mDc89LyEKM0B4uSOK8a7+JAIYH0xJLU7NTUgtSi+KLSnNTi Q4xMHJwggkuqgbH31JF565cfiDFWfqy/+pqFfZL2eotXn37d0v9mNPHt0ajWpSG9uco31Y68 /Nbc8Lt38ce/xiXz7f2vfDmsyHE7+N38x7fyErqVwo1VblzecUP7TueNGdczYzVUyq+LFoS8 6ptgkeakeFpC69xRlYqbmzOjtXSYL7MxzoydHh82Q2+u2HfX6BlKLMUZiYZazEXFiQBHE8LN ZwIAAA==
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] ITU-T Recommendation ITU-T X.1037, Technical security guideline on deploying IPv6
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2013 12:09:11 -0000

We have four options and it really is up to you....  We can send your comment as a liaison response, we can submit your comment as a LC comment to the document itself, we could do both, or neither.

My opinion is that we don't necessarily want to open the door that a reference to an IETF RFC is going to remain forward-compatible in perpetuity.  When an ITU-T recommendation references a document, it references a specific version of that document.  I think it would be important to require a rev of the recommendation if a newer IETF document is to be referenced.

I do like the first sentence, and it is something that always bears repeating.

Just my two cents.

Regards,
-scott.


From stephen.farrell@cs.tcd.ie  Fri Jun  7 05:35:52 2013
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E973921F91CA for <saag@ietfa.amsl.com>; Fri,  7 Jun 2013 05:35:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QswIYcjQTH3R for <saag@ietfa.amsl.com>; Fri,  7 Jun 2013 05:35:48 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id 78A7221F8633 for <saag@ietf.org>; Fri,  7 Jun 2013 05:35:47 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 6CD7ABE87; Fri,  7 Jun 2013 13:35:20 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O+EK-kAY2dXD; Fri,  7 Jun 2013 13:35:20 +0100 (IST)
Received: from [IPv6:2001:770:10:203:80ef:4ae:b4e0:a4c4] (unknown [IPv6:2001:770:10:203:80ef:4ae:b4e0:a4c4]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 4A463BE77; Fri,  7 Jun 2013 13:35:20 +0100 (IST)
Message-ID: <51B1D389.9030601@cs.tcd.ie>
Date: Fri, 07 Jun 2013 13:35:21 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: Scott Mansfield <scott.mansfield@ericsson.com>
References: <EF35EE4B92789843B1DECBC0E245586411522300@eusaamb102.ericsson.se> <51B1C2A2.5040506@cs.tcd.ie> <EF35EE4B92789843B1DECBC0E2455864115237DD@eusaamb102.ericsson.se>
In-Reply-To: <EF35EE4B92789843B1DECBC0E2455864115237DD@eusaamb102.ericsson.se>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] ITU-T Recommendation ITU-T X.1037, Technical security guideline on deploying IPv6
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2013 12:35:53 -0000

Hi Scott,

On 06/07/2013 01:09 PM, Scott Mansfield wrote:
> 
> We have four options and it really is up to you....  We can send your
> comment as a liaison response, we can submit your comment as a LC
> comment to the document itself, we could do both, or neither.

I'm happy to let you choose which is most useful. (Incl. the "neither"
option if you think that best.) Not knowing about how they process
stuff, I'd say this is maybe more of a "LC comment" type thing.

> My opinion is that we don't necessarily want to open the door that a
> reference to an IETF RFC is going to remain forward-compatible in
> perpetuity. When an ITU-T recommendation references a document, it
> references a specific version of that document.  I think it would be
> important to require a rev of the recommendation if a newer IETF
> document is to be referenced.

Fair point. If you do use my text then maybe:

OLD:

  As can be seen from the text below, IETF standards evolve over time
  as new RFCs are produced...

NEW:

  As can be seen from the text below, Internet technologies evolve
  over time and new RFCs are produced reflecting that evolution...

But you should also feel free to edit the text any way you like
that gets the message over. (Or not send it at all.)

> 
> I do like the first sentence and is something that always bears
> repeating.

Yep:-)

> 
> Just my two cents.

Thanks,
S.



From sm@resistor.net  Fri Jun  7 08:04:32 2013
Return-Path: <sm@resistor.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C895421F86D3 for <saag@ietfa.amsl.com>; Fri,  7 Jun 2013 08:03:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.382
X-Spam-Level: 
X-Spam-Status: No, score=-102.382 tagged_above=-999 required=5 tests=[AWL=0.217, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WreiC5-n-VKs for <saag@ietfa.amsl.com>; Fri,  7 Jun 2013 08:03:04 -0700 (PDT)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 03E7921F8CDD for <saag@ietf.org>; Fri,  7 Jun 2013 08:03:01 -0700 (PDT)
Received: from SUBMAN.resistor.net (IDENT:sm@localhost [127.0.0.1]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id r57F0Cw2003760; Fri, 7 Jun 2013 08:00:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1370617218; bh=YjInckVQnDFiABtuLE/e6SBkKbeB+QLHpfSmGHTl4pg=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=z5VY7mLAm5hDU6L6sxOGlL4Why497UFt5bwtaMSVMGRDyq2L9QwH5oDbLmVPfSF5b bUBrri0grrzV38JGaFtYM8H9W2sEI/cP2skrCL31C0vqibFHoAs1UtgJyvKfY3i8Al 2kLLyPTIxhSe5r6ebwWhZFOfZnkIc9xUb1cBDT8I=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=resistor.net; s=mail; t=1370617218; i=@resistor.net; bh=YjInckVQnDFiABtuLE/e6SBkKbeB+QLHpfSmGHTl4pg=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=BCcZDMJyToars2puItdDrXlm51llED0UNFz5MMwlcdubnSHkAIYwo1JWyLahQV8NS bYMIMPvg22QC9W5fbIOUbVZCjHLmvLCkKpq9V2qjO94sEAOHzIMq/uSaUZoGbC7zUi a/fmL2atP6hDWxg+O7rbkjNraXnEHgYpwfBMyKaw=
Message-Id: <6.2.5.6.2.20130607070839.0caf7be0@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Fri, 07 Jun 2013 07:59:20 -0700
To: Scott Mansfield <scott.mansfield@ericsson.com>
From: SM <sm@resistor.net>
In-Reply-To: <EF35EE4B92789843B1DECBC0E2455864115237DD@eusaamb102.ericss on.se>
References: <EF35EE4B92789843B1DECBC0E245586411522300@eusaamb102.ericsson.se> <51B1C2A2.5040506@cs.tcd.ie> <EF35EE4B92789843B1DECBC0E2455864115237DD@eusaamb102.ericsson.se>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Cc: saag@ietf.org
Subject: Re: [saag] ITU-T Recommendation ITU-T X.1037, Technical  security guideline on deploying IPv6
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2013 15:04:32 -0000

Hi Scott,
At 05:09 07-06-2013, Scott Mansfield wrote:
>My opinion is that we don't necessarily want to open the door that a 
>reference to an IETF RFC is going to remain forward-compatible in 
>perpetuity.  When an ITU-T recommendation references a document, it 
>references a specific version of that document.  I think it would be 
>important to require a rev of the recommendation if a newer IETF 
>document is to be referenced.

References being subject to revision is mentioned in Section 2 of 
"Technical security guideline on deploying IPv6".  I would go with 
the text suggested by Stephen Farrell and use "published" to follow 
the ITU line.

Measure 5 (Page 9) mentions RFC 3627.  The guidance in RFC 6164 
supersedes what is in RFC 3627.  RFC 3627 is Historic (see RFC 
6547).  I suggest removing the following sentence:

   "Even though [IETF RFC3627] declares that /127 prefix on a point-to-point
    link is illegal, [IETF RFC6164] permits to use /127 prefix under certain
    conditions."

Regards,
-sm 


From lear@cisco.com  Wed Jun 12 10:35:35 2013
Return-Path: <lear@cisco.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B73A721F9A13 for <saag@ietfa.amsl.com>; Wed, 12 Jun 2013 10:35:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level: 
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oYHwdQGUWDBm for <saag@ietfa.amsl.com>; Wed, 12 Jun 2013 10:35:30 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id 43FAE11E80E0 for <saag@ietf.org>; Wed, 12 Jun 2013 10:35:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=613; q=dns/txt; s=iport; t=1371058525; x=1372268125; h=message-id:date:from:mime-version:to:subject: content-transfer-encoding; bh=NobNXs4RmUGn8ps/MCuHgKltt2u+H7iOOqyJjhttO+w=; b=EakdceFtI0h7Hkh7ltleNTwxv9vGedI+Vi/oJa6YAhFTyOKlCtXNOc5z HLNvUOUiPNJiBUMeLidsNKHHd9sLElkWtCVYuMv+bf5APVakDPqEir+5o cH54RHlknbleo+M3ii20HXeKJXaS5VXKYbRghxb4pUAKxkDXCvigIC/XP 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AoEFAKmwuFGtJV2Z/2dsb2JhbABbgwkwgnZHvFcWdIIoJTIjNgIFFgsCCwMCAQIBSwEMCAEBEAeHcwypP5E+gSaQcIEUA5dAgSmQGYMrIA
X-IronPort-AV: E=Sophos;i="4.87,853,1363132800"; d="scan'208";a="222003169"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-6.cisco.com with ESMTP; 12 Jun 2013 17:35:24 +0000
Received: from rtp-vpn6-136.cisco.com (rtp-vpn6-136.cisco.com [10.82.248.136]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id r5CHZNuH004521 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 12 Jun 2013 17:35:24 GMT
Message-ID: <51B8B15B.8010107@cisco.com>
Date: Wed, 12 Jun 2013 13:35:23 -0400
From: Eliot Lear <lear@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, Internet Architecture Board <iab@iab.org>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: [saag] Is the CA market broken?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2013 17:35:35 -0000

I'd like to bring to your attention the following paper:

http://weis2013.econinfosec.org/papers/AsghariWEIS2013.pdf

What it says is that there is market concentration, no race to the
bottom for price, and that technical solutions may be the best
approach.  A key callout from the talk was the conflict within the
browser community between assuring security and assuring connectivity.

DANE is also called out in the paper.

A reminder: Cisco has an open RFP at http://www.cisco.com in the area of
HTTP2, and a separate one on Internet Economics.  This would be covered
by either or both.

Eliot

From lear@cisco.com  Wed Jun 12 12:04:04 2013
Return-Path: <lear@cisco.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03D9521E80CB for <saag@ietfa.amsl.com>; Wed, 12 Jun 2013 12:04:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.699
X-Spam-Level: 
X-Spam-Status: No, score=-110.699 tagged_above=-999 required=5 tests=[AWL=-0.100, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jofIBZFyR+1x for <saag@ietfa.amsl.com>; Wed, 12 Jun 2013 12:04:03 -0700 (PDT)
Received: from ams-iport-3.cisco.com (ams-iport-3.cisco.com [144.254.224.146]) by ietfa.amsl.com (Postfix) with ESMTP id 8BD4A21E80AF for <saag@ietf.org>; Wed, 12 Jun 2013 12:03:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=284; q=dns/txt; s=iport; t=1371063832; x=1372273432; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=UZCJbOO1XTW0GdjTU0GBx24Wv+KXDgrtjbbv6Kj+Ayo=; b=CnKu72VlWNqb1Zd6BxGLgslGtAx1/+1JUdm8Qxba0RSvCO6ycZvqwhug n1Z2++qmhy33+8/f2dP2vjQcBDgSsQvJRtXc7MJjK19iOVSI6pUcL9Lyi Uo3jVJq8FCaQEJio0iQwiBxbMA7VHT+YxGKslVAgmbojupvRS7Jpyuiaz M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AoIFADzFuFGQ/khN/2dsb2JhbABbgwkwgnZHu1WBAxZ0giQBAQQjVQEQCxoCBRYLAgIJAwIBAgErGgYNAQcBAYgKqVKRR4Emjh0HgkyBFAOXQIwhhSGDKyA
X-IronPort-AV: E=Sophos;i="4.87,854,1363132800"; d="scan'208";a="14184664"
Received: from ams-core-4.cisco.com ([144.254.72.77]) by ams-iport-3.cisco.com with ESMTP; 12 Jun 2013 19:03:49 +0000
Received: from mctiny.local ([10.61.204.157]) by ams-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id r5CJ3jG7015802 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 12 Jun 2013 19:03:46 GMT
Message-ID: <51B8C611.5080009@cisco.com>
Date: Wed, 12 Jun 2013 15:03:45 -0400
From: Eliot Lear <lear@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: Wes Hardaker <wes@hardakers.net>
References: <51B8B15B.8010107@cisco.com> <0lsj0nqhmb.fsf@wjh.hardakers.net>
In-Reply-To: <0lsj0nqhmb.fsf@wjh.hardakers.net>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: Internet Architecture Board <iab@iab.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [saag] Is the CA market broken?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2013 19:04:07 -0000

Wes (and others) have pointed out that I goofed on the URL.

The Cisco research URL to go to is http://www.cisco.com/research. 
Please note two specific RFPs:

RFP-2009-057 on Internet Economic Models and Policy Impact
RFP-2013-077 on Next Generation Web Technologies

Eliot

From stephen.farrell@cs.tcd.ie  Fri Jun 14 05:55:30 2013
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD5F921F9A50 for <saag@ietfa.amsl.com>; Fri, 14 Jun 2013 05:55:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.699
X-Spam-Level: 
X-Spam-Status: No, score=-102.699 tagged_above=-999 required=5 tests=[AWL=-0.100, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZX+dJhokRTpR for <saag@ietfa.amsl.com>; Fri, 14 Jun 2013 05:55:30 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id 6AA4521F9A42 for <saag@ietf.org>; Fri, 14 Jun 2013 05:55:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id D302DBED6 for <saag@ietf.org>; Fri, 14 Jun 2013 13:55:08 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jmy8Y-iI0h+T for <saag@ietf.org>; Fri, 14 Jun 2013 13:55:08 +0100 (IST)
Received: from [IPv6:2001:770:10:203:1d5c:b21a:982e:7128] (unknown [IPv6:2001:770:10:203:1d5c:b21a:982e:7128]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id AD8C3BEC9 for <saag@ietf.org>; Fri, 14 Jun 2013 13:55:08 +0100 (IST)
Message-ID: <51BB12AD.2080209@cs.tcd.ie>
Date: Fri, 14 Jun 2013 13:55:09 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: "saag@ietf.org" <saag@ietf.org>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [saag] Possible BoF in Berlin on profiling DTLS for Constrained Environments
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jun 2013 12:55:30 -0000

Hiya,

There may be a BoF in Berlin on this topic. Details
are at [1]; the IESG will decide whether or not to
schedule the BoF next week.

Please take any discussion to the dtls-iot list [2]

Thanks,
S.

[1] https://trac.tools.ietf.org/bof/trac/wiki#DICE
[2] https://www.ietf.org/mailman/listinfo/dtls-iot

From ietfdbh@comcast.net  Wed Jun 19 07:02:41 2013
Return-Path: <ietfdbh@comcast.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73AE721F9CC2 for <saag@ietfa.amsl.com>; Wed, 19 Jun 2013 07:02:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.437
X-Spam-Level: 
X-Spam-Status: No, score=-100.437 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611,  RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sIE3F6rGn+Ru for <saag@ietfa.amsl.com>; Wed, 19 Jun 2013 07:02:33 -0700 (PDT)
Received: from qmta03.westchester.pa.mail.comcast.net (qmta03.westchester.pa.mail.comcast.net [IPv6:2001:558:fe14:43:76:96:62:32]) by ietfa.amsl.com (Postfix) with ESMTP id 9A4F321F9C1E for <saag@ietf.org>; Wed, 19 Jun 2013 07:02:31 -0700 (PDT)
Received: from omta18.westchester.pa.mail.comcast.net ([76.96.62.90]) by qmta03.westchester.pa.mail.comcast.net with comcast id qBA91l0011wpRvQ53E2W3F; Wed, 19 Jun 2013 14:02:30 +0000
Received: from JV6RVH1 ([67.189.237.137]) by omta18.westchester.pa.mail.comcast.net with comcast id qE2V1l00k2yZEBF3eE2VbQ; Wed, 19 Jun 2013 14:02:30 +0000
From: "ietfdbh" <ietfdbh@comcast.net>
To: <draft-ietf-netconf-reverse-ssh@tools.ietf.org>
References: <20130619080054.9246.47628.idtracker@ietfa.amsl.com>
In-Reply-To: <20130619080054.9246.47628.idtracker@ietfa.amsl.com>
Date: Wed, 19 Jun 2013 10:02:21 -0400
Message-ID: <011901ce6cf5$9e7b4870$db71d950$@comcast.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-index: AQD45+X2mFEm72nCCFv7fOwTSthORJroFhWA
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20121106; t=1371650550; bh=1QxcA/9jIPro1Fe6asxtqMphWV/Txw4/3ZqLiw0prCc=; h=Received:Received:From:To:Subject:Date:Message-ID:MIME-Version: Content-Type; b=PTdD2fNtMWV2ClkKP9tNeawh6Ab4ALt5zBaRCi+OiemYOKftWZXJlUyOc7GBCAPc3 XqtDiCzCqCigfls+l515D100j16DY0LA0jxAQ9sbdIzlvONLIrW6x/GDRqMJe3E/fR obuXORJzjlUck2eKO5MR+e4/D5C4jDYwFWN0R5idiRycsugW9mtDDrHS42KinGCO5v FDumAtm6gEEo9BgnOiKFQllYtibkaR0+e8dueToC0I4sJM7dY2nWOEA8GxwuTadt7M 9CiT7Shxde92MWOkkj/83dgf+tYxs//BAkrkWyovUa9vBMEIgI11sBgSi70PO+Mb/q rn7m3EsAtcrnQ==
X-Mailman-Approved-At: Wed, 19 Jun 2013 08:01:15 -0700
Cc: netconf@ietf.org, saag@ietf.org
Subject: Re: [saag] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jun 2013 14:02:41 -0000

Hi Kent,

I think your draft needs to target two different audiences - the security
audience for SSH security considerations, and application designers that
want to use reverse-SSH, such as Netconf.

Few people are experts both in hmac and SSH, and in Netconf and YANG.
I think this would be better written as two separate drafts, with different
audiences in mind, even if each draft would be short.

David Harrington
ietfdbh@comcast.net
+1-603-828-1401
-----Original Message-----
From: i-d-announce-bounces@ietf.org [mailto:i-d-announce-bounces@ietf.org]
On Behalf Of internet-drafts@ietf.org
Sent: Wednesday, June 19, 2013 4:01 AM
To: i-d-announce@ietf.org
Cc: netconf@ietf.org
Subject: I-D Action: draft-ietf-netconf-reverse-ssh-00.txt


A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Network Configuration Working Group of the
IETF.

	Title           : Reverse Secure Shell (Reverse SSH)
	Author(s)       : Kent Watsen
	Filename        : draft-ietf-netconf-reverse-ssh-00.txt
	Pages           : 16
	Date            : 2013-06-18

Abstract:
   This memo presents a technique for a NETCONF server to initiate a SSH
   connection to a NETCONF client.  This is accomplished by the NETCONF
   client listening on IANA-assigned TCP port XXX and starting the SSH
   client protocol immediately after accepting a TCP connection on it.
   This role-reversal is necessary as the NETCONF server must also be
   the SSH Server, in order for the NETCONF client to open the IANA-
   assigned SSH subsystem "netconf".


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-netconf-reverse-ssh

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-netconf-reverse-ssh-00


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html or
ftp://ftp.ietf.org/ietf/1shadow-sites.txt


From jhutz@cmu.edu  Wed Jun 19 10:22:11 2013
Return-Path: <jhutz@cmu.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABA9921F9E4C; Wed, 19 Jun 2013 10:22:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vKsYf4aUvxbl; Wed, 19 Jun 2013 10:22:02 -0700 (PDT)
Received: from smtp03.srv.cs.cmu.edu (SMTP03.SRV.CS.CMU.EDU [128.2.217.198]) by ietfa.amsl.com (Postfix) with ESMTP id 300FE21F9E46; Wed, 19 Jun 2013 10:22:01 -0700 (PDT)
Received: from [192.168.202.142] (pool-74-111-100-191.pitbpa.fios.verizon.net [74.111.100.191]) (authenticated bits=0) by smtp03.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id r5JHLvBo018732 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Wed, 19 Jun 2013 13:21:58 -0400 (EDT)
Message-ID: <1371662516.23088.44.camel@destiny.pc.cs.cmu.edu>
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: ietfdbh <ietfdbh@comcast.net>
Date: Wed, 19 Jun 2013 13:21:56 -0400
In-Reply-To: <25492_1371654090_r5JF1SHh022730_011901ce6cf5$9e7b4870$db71d950$@comcast.net>
References: <20130619080054.9246.47628.idtracker@ietfa.amsl.com> <25492_1371654090_r5JF1SHh022730_011901ce6cf5$9e7b4870$db71d950$@comcast.net>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.6.2-0ubuntu0.1 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: mimedefang-cmuscs on 128.2.217.198
Cc: saag@ietf.org, draft-ietf-netconf-reverse-ssh@tools.ietf.org, netconf@ietf.org, jhutz@cmu.edu
Subject: Re: [saag] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jun 2013 17:22:12 -0000

On Wed, 2013-06-19 at 10:02 -0400, ietfdbh wrote:
> Hi Kent,
> 
> I think your draft needs to target two different audiences - the security
> audience for SSH security considerations, and application designers that
> want to use reverse-SSH, such as Netconf.

This was discussed two years ago on the ietf-ssh mailing list, which is
the appropriate forum for discussion of SSH extensions and protocol
changes.  There was much discussion about what port number things should
run on, but unfortunately relatively little discussion of the security
aspects of running SSH "in reverse" like this.

I haven't read this recent document, but when this came up in 2011, I
was concerned about the security aspects of running SSH "in reverse"
like this; it's really not designed for that.  I expressed concerns
about the new hmac-* host key algorithms defined in that version, about
the layering violations inherent in using them for negotiation, and
commented that they don't really provide any operational advantage over
using X.509 certificates or pre-shared RSA keys.  Those comments were
never really addressed.


The SECSH WG concluded some time ago, but its mailing list is still
somewhat active and regularly discusses SSH protocol extensions.  I
would be very concerned if the NETCONF WG were to send the IESG an SSH
protocol document without the involvement of that group.  I will note
that the 2011 discussion included approaches that did not require this
level of protocol change, or indeed any.  I'm fine with NETCONF not
having chosen one of those approaches, but this really does need to
involve people with SSH expertise.

-- Jeff

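The abstract quoted above describes the role reversal (the NETCONF client accepts the TCP connection and then runs the SSH client protocol), and Jeff's reply raises the security side of it: the accepting side has not "dialled host X", so it cannot use the destination address to decide which host key to expect, and pre-shared keys or certificates are what make that decision possible. The following is an added illustration written for this thread, not code from the draft or from any SSH implementation. It models only the connection direction and the host-key check with a constructed exchange (the `HOSTKEY`/`OK`/`REJECT` lines are an invented stand-in for SSH key exchange; the `SSH-2.0-` identification strings follow RFC 4253 but the rest is not SSH). Device names and key bytes are constructed sample values.

```python
"""
Reverse-SSH role model (constructed example for the thread above, not the
draft's code): the side that ACCEPTS the TCP connection plays the SSH
CLIENT role, so it must authenticate the peer's host key by looking the key
up in a pinned store, not by the address it connected to.
"""
import hashlib
import socket
import threading

# Identification strings as in RFC 4253 section 4.2; both sides send one.
IDENT_STATION = b"SSH-2.0-mgmt-station-example\r\n"
IDENT_DEVICE = b"SSH-2.0-device-example\r\n"

# Constructed stand-ins for the devices' SSH host public keys.
DEVICE_KEYS = {
    "router-1": b"ssh-ed25519 CONSTRUCTED-KEY-ROUTER-1",
    "router-2": b"ssh-ed25519 CONSTRUCTED-KEY-ROUTER-2",
}


def fingerprint(pubkey: bytes) -> str:
    """Key fingerprint in the usual SHA256 style (hex here for readability)."""
    return "SHA256:" + hashlib.sha256(pubkey).hexdigest()


# Pinned trust store on the management station: fingerprint -> device name.
# Pre-sharing keys is what lets the accepting side identify who called home.
PINNED = {fingerprint(key): name for name, key in DEVICE_KEYS.items()}


def _read_line(sock: socket.socket, limit: int = 4096) -> bytes:
    """Read one CRLF-terminated line, capped so a peer cannot grow the buffer without bound."""
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk or len(buf) >= limit:
            raise ConnectionError("peer closed or line too long")
        buf += chunk
    return bytes(buf[:-2])


def device_call_home(host: str, port: int, pubkey: bytes) -> bool:
    """NETCONF server / SSH server role: dials OUT, then presents its host key."""
    try:
        with socket.create_connection((host, port)) as s:
            s.sendall(IDENT_DEVICE)
            if not _read_line(s).startswith(b"SSH-2.0-"):
                return False
            # Constructed stand-in for key exchange: present the host key.
            s.sendall(b"HOSTKEY " + pubkey + b"\r\n")
            return _read_line(s) == b"OK"
    except ConnectionError:
        return False


def station_accept_one(listener: socket.socket):
    """NETCONF client / SSH client role: accepts the TCP connection, then
    verifies the PEER's host key exactly as a dialling SSH client would.
    Returns the authenticated device name, or None if the key is unknown."""
    conn, _addr = listener.accept()
    with conn:
        conn.sendall(IDENT_STATION)
        if not _read_line(conn).startswith(b"SSH-2.0-"):
            return None
        line = _read_line(conn)
        device = PINNED.get(fingerprint(line[len(b"HOSTKEY "):])) if line.startswith(b"HOSTKEY ") else None
        if device is None:
            conn.sendall(b"REJECT\r\n")   # unknown key: no address-based fallback exists here
            return None
        conn.sendall(b"OK\r\n")
        return device


def run_call_home(pubkey: bytes):
    """Run one call-home on loopback; returns (device authenticated by station, device's verdict)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {"station": None}
    t = threading.Thread(target=lambda: result.update(station=station_accept_one(listener)))
    t.start()
    accepted = device_call_home("127.0.0.1", port, pubkey)
    t.join()
    listener.close()
    return result["station"], accepted


if __name__ == "__main__":
    print(run_call_home(DEVICE_KEYS["router-1"]))          # ('router-1', True)
    print(run_call_home(b"ssh-ed25519 CONSTRUCTED-KEY-X"))  # (None, False)
```

The point the code makes is the one Jeff raises: with the roles reversed, the only thing that ties the inbound connection to a particular device is the key it presents, so the accepting side needs a pre-provisioned key (or a certificate chain) to check it against; an unknown key must be rejected rather than learned on first use.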

From ietfdbh@comcast.net  Wed Jun 19 12:20:14 2013
Return-Path: <ietfdbh@comcast.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E4CA21E808D for <saag@ietfa.amsl.com>; Wed, 19 Jun 2013 12:20:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.437
X-Spam-Level: 
X-Spam-Status: No, score=-100.437 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611,  RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l5ZK6HTVEuaC for <saag@ietfa.amsl.com>; Wed, 19 Jun 2013 12:20:09 -0700 (PDT)
Received: from qmta05.westchester.pa.mail.comcast.net (qmta05.westchester.pa.mail.comcast.net [IPv6:2001:558:fe14:43:76:96:62:48]) by ietfa.amsl.com (Postfix) with ESMTP id A251421E8085 for <saag@ietf.org>; Wed, 19 Jun 2013 12:20:07 -0700 (PDT)
Received: from omta09.westchester.pa.mail.comcast.net ([76.96.62.20]) by qmta05.westchester.pa.mail.comcast.net with comcast id qBCo1l0040SCNGk55KL6bp; Wed, 19 Jun 2013 19:20:06 +0000
Received: from JV6RVH1 ([67.189.237.137]) by omta09.westchester.pa.mail.comcast.net with comcast id qKL61l00m2yZEBF3VKL6W6; Wed, 19 Jun 2013 19:20:06 +0000
From: "ietfdbh" <ietfdbh@comcast.net>
To: "'Jeffrey Hutzelman'" <jhutz@cmu.edu>
References: <20130619080054.9246.47628.idtracker@ietfa.amsl.com>	 <25492_1371654090_r5JF1SHh022730_011901ce6cf5$9e7b4870$db71d950$@comcast.net> <1371662516.23088.44.camel@destiny.pc.cs.cmu.edu>
In-Reply-To: <1371662516.23088.44.camel@destiny.pc.cs.cmu.edu>
Date: Wed, 19 Jun 2013 21:19:58 +0200
Message-ID: <0b9e01ce6d21$fcf24fd0$f6d6ef70$@comcast.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-index: AQD45+X2mFEm72nCCFv7fOwTSthORAIaCC9GAlIuTwGaxQmGoA==
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20121106; t=1371669606; bh=e4fxTAcLLxDNUL8Z1UbEZF4onbSa0vfh4RA2Eue8frs=; h=Received:Received:From:To:Subject:Date:Message-ID:MIME-Version: Content-Type; b=U43QTBh2pwz0pZ/ucMjx8sCDgyeseLBi5DVfZtKjF4STbb2U58mWSmc81zfhK6qo4 0d75a8TP3KLP8fTR07OP/nuJ1gBD5F0Zqx2hCZtzZM29kZFj3H2GjbLNaRUb1EzxuX vxDia0s1pzWxHeUEToKdIANGCFVv+CWI+l/BFKxrK6YL2TsmRRFZSb6N7ynYbVmy4v YH0fTfbFPgVQ65zHuBUqMS/hoUkbxAQD4fBYmrH3Gw11/8kRa0lWuWs02N/eJwJDfC bj+sX0GHFmSmmtXjRfMKGzYIYCSO2bvu9HrcvChQd8ulIJflXCGieC3fPKmknFBFQO 8jk0QbOuGXxNA==
Cc: draft-ietf-netconf-reverse-ssh@tools.ietf.org, netconf@ietf.org, saag@ietf.org
Subject: Re: [saag] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jun 2013 19:20:14 -0000

For anyone who wishes to access/subscribe to the secsh mailing list,
see http://www.ietf.org/wg/concluded/secsh.html

Jeff, I assume that is the list you refer to?

David Harrington
ietfdbh@comcast.net
+1-603-828-1401

-----Original Message-----
From: Jeffrey Hutzelman [mailto:jhutz@cmu.edu]
Sent: Wednesday, June 19, 2013 7:22 PM
To: ietfdbh
Cc: jhutz@cmu.edu; draft-ietf-netconf-reverse-ssh@tools.ietf.org; netconf@ietf.org; saag@ietf.org
Subject: Re: [saag] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt

On Wed, 2013-06-19 at 10:02 -0400, ietfdbh wrote:
> Hi Kent,
> 
> I think your draft needs to target two different audiences - the
> security audience for SSH security considerations, and application
> designers that want to use reverse-SSH, such as Netconf.

This was discussed two years ago on the ietf-ssh mailing list, which is
the appropriate forum for discussion of SSH extensions and protocol
changes.  There was much discussion about what port number things should
run on, but unfortunately relatively little discussion of the security
aspects of running SSH "in reverse" like this.

I haven't read this recent document, but when this came up in 2011, I
was concerned about the security aspects of running SSH "in reverse"
like this; it's really not designed for that.  I expressed concerns
about the new hmac-* host key algorithms defined in that version, about
the layering violations inherent in using them for negotiation, and
commented that they don't really provide any operational advantage over
using X.509 certificates or pre-shared RSA keys.  Those comments were
never really addressed.


The SECSH WG concluded some time ago, but its mailing list is still
somewhat active and regularly discusses SSH protocol extensions.  I
would be very concerned if the NETCONF WG were to send the IESG an SSH
protocol document without the involvement of that group.  I will note
that the 2011 discussion included approaches that did not require this
level of protocol change, or indeed any.  I'm fine with NETCONF not
having chosen one of those approaches, but this really does need to
involve people with SSH expertise.

-- Jeff


From jhutz@cmu.edu  Wed Jun 19 12:38:02 2013
Return-Path: <jhutz@cmu.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F10BA21F9B85; Wed, 19 Jun 2013 12:38:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tS7SHbR882Fe; Wed, 19 Jun 2013 12:37:57 -0700 (PDT)
Received: from smtp03.srv.cs.cmu.edu (SMTP03.SRV.CS.CMU.EDU [128.2.217.198]) by ietfa.amsl.com (Postfix) with ESMTP id 1B63421F9E3C; Wed, 19 Jun 2013 12:37:55 -0700 (PDT)
Received: from [192.168.202.142] (pool-74-111-100-191.pitbpa.fios.verizon.net [74.111.100.191]) (authenticated bits=0) by smtp03.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id r5JJboxd023654 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Wed, 19 Jun 2013 15:37:51 -0400 (EDT)
Message-ID: <1371670670.23088.59.camel@destiny.pc.cs.cmu.edu>
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: ietfdbh <ietfdbh@comcast.net>
Date: Wed, 19 Jun 2013 15:37:50 -0400
In-Reply-To: <0b9e01ce6d21$fcf24fd0$f6d6ef70$@comcast.net>
References: <20130619080054.9246.47628.idtracker@ietfa.amsl.com> <25492_1371654090_r5JF1SHh022730_011901ce6cf5$9e7b4870$db71d950$@comcast.net> <1371662516.23088.44.camel@destiny.pc.cs.cmu.edu> <0b9e01ce6d21$fcf24fd0$f6d6ef70$@comcast.net>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.6.2-0ubuntu0.1 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: mimedefang-cmuscs on 128.2.217.198
Cc: saag@ietf.org, draft-ietf-netconf-reverse-ssh@tools.ietf.org, netconf@ietf.org, jhutz@cmu.edu
Subject: Re: [saag] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jun 2013 19:38:02 -0000

On Wed, 2013-06-19 at 21:19 +0200, ietfdbh wrote:
> For anyone who wishes to access/subscribe to the secsh mailing list,
> See http://www.ietf.org/wg/concluded/secsh.html
> 
> Jeff, I assume that is the list you refer to??

Yes, that's the group, and ietf-ssh@netbsd.org is/was the mailing list.
The IETF archives are still subscribed, last time I checked.

-- Jeff


From kwatsen@juniper.net  Wed Jun 19 13:17:33 2013
From: Kent Watsen <kwatsen@juniper.net>
To: ietfdbh <ietfdbh@comcast.net>, "draft-ietf-netconf-reverse-ssh@tools.ietf.org" <draft-ietf-netconf-reverse-ssh@tools.ietf.org>
Date: Wed, 19 Jun 2013 20:16:54 +0000
Message-ID: <CDE77401.38681%kwatsen@juniper.net>
In-Reply-To: <011901ce6cf5$9e7b4870$db71d950$@comcast.net>
Cc: "netconf@ietf.org" <netconf@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt

Hi David,

Thanks for your comments.

My suggestion for partitioning this draft is to extract the
hmac-* family of public host key algorithms into its own draft.
There is precedent for defining new public key algorithms in a
distinct draft given by RFC 6187.  However, this strategy would
retain the YANG module definition in the current draft and thus
doesn't address your stated concern.  That said, please consider:

  1. It is generally hoped that the design of any device
     feature (e.g. a routing protocol) includes a YANG module
     for how it can be managed.  Keeping the YANG module
     definition in this draft is consistent with that goal.

  2. The configuration model has no impact on the protocol
     and hence can be ignored by those who are only interested
     in the protocol/security aspects.  The draft almost says
     this itself in the first paragraph of section 6 (Device
     Configuration).

Another option would be to extract the YANG module definition into
its own draft.  As you say, it would be very small, but at least
it would be focused.

And, of course, we could do both options - resulting in a total
of three distinct drafts.


Which of these options do you think is best?

Thanks,
Kent






On 6/19/13 10:02 AM, "ietfdbh" <ietfdbh@comcast.net> wrote:

>Hi Kent,
>
>I think your draft needs to target two different audiences - the security
>audience for SSH security considerations, and application designers that
>want to use reverse-SSH, such as Netconf.
>
>Few people are experts both in hmac and SSH, and in Netconf and YANG.
>I think this would be better written as two separate drafts, with
>different audiences in mind, even if each draft would be short.
>
>David Harrington
>ietfdbh@comcast.net
>+1-603-828-1401
>-----Original Message-----
>From: i-d-announce-bounces@ietf.org [mailto:i-d-announce-bounces@ietf.org]
>On Behalf Of internet-drafts@ietf.org
>Sent: Wednesday, June 19, 2013 4:01 AM
>To: i-d-announce@ietf.org
>Cc: netconf@ietf.org
>Subject: I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
>
>
>A New Internet-Draft is available from the on-line Internet-Drafts
>directories.  This draft is a work item of the Network Configuration
>Working Group of the IETF.
>
>	Title           : Reverse Secure Shell (Reverse SSH)
>	Author(s)       : Kent Watsen
>	Filename        : draft-ietf-netconf-reverse-ssh-00.txt
>	Pages           : 16
>	Date            : 2013-06-18
>
>Abstract:
>   This memo presents a technique for a NETCONF server to initiate a SSH
>   connection to a NETCONF client.  This is accomplished by the NETCONF
>   client listening on IANA-assigned TCP port XXX and starting the SSH
>   client protocol immediately after accepting a TCP connection on it.
>   This role-reversal is necessary as the NETCONF server must also be
>   the SSH Server, in order for the NETCONF client to open the IANA-
>   assigned SSH subsystem "netconf".
>
>
>The IETF datatracker status page for this draft is:
>https://datatracker.ietf.org/doc/draft-ietf-netconf-reverse-ssh
>
>There's also a htmlized version available at:
>http://tools.ietf.org/html/draft-ietf-netconf-reverse-ssh-00
>
>
>Internet-Drafts are also available by anonymous FTP at:
>ftp://ftp.ietf.org/internet-drafts/
>
>_______________________________________________
>I-D-Announce mailing list
>I-D-Announce@ietf.org
>https://www.ietf.org/mailman/listinfo/i-d-announce
>Internet-Draft directories: http://www.ietf.org/shadow.html or
>ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>
>
>
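As an added illustration of the role reversal the draft abstract above describes (constructed example code, not the draft's or its author's; the identification strings are hypothetical): the management application listens, accepts the device's TCP connection and then runs the SSH client half of the RFC 4253 identification exchange, while the device that dialed in runs the server half. The device is simulated in-process over a socketpair so the exchange runs offline.

```python
# Added example: the side that accept()s the TCP connection runs the SSH
# *client* half of the RFC 4253 identification exchange; the device that
# dialed in runs the SSH *server* half.  The device is simulated in-process.
import socket
import threading

APP_IDENT = b"SSH-2.0-CallHomeApp_0.1"          # hypothetical, not from the draft
DEVICE_IDENT = b"SSH-2.0-DeviceSSH_1.0 netconf"  # hypothetical, not from the draft
MAX_LINE = 255           # RFC 4253: identification line <= 255 chars incl. CR LF
MAX_PREAMBLE_LINES = 16  # bound on non-SSH lines a server may send first


class ProtocolError(Exception):
    pass


def parse_identification(line: bytes) -> tuple[str, str]:
    """Parse 'SSH-protoversion-softwareversion [SP comments] CR LF' into
    (protoversion, softwareversion); ProtocolError on anything else."""
    if len(line) > MAX_LINE or not line.endswith(b"\r\n"):
        raise ProtocolError("malformed identification line")
    head = line[:-2].split(b" ", 1)[0]   # comments follow the first SP
    parts = head.split(b"-", 2)          # [b"SSH", proto, software]
    if parts[0] != b"SSH" or len(parts) != 3 or not parts[2]:
        raise ProtocolError("not an SSH identification line")
    try:
        proto, software = parts[1].decode("ascii"), parts[2].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ProtocolError("non-ASCII identification line") from exc
    if proto not in ("2.0", "1.99"):     # 1.99: SSH-1 server that also speaks SSH-2
        raise ProtocolError(f"unsupported protocol version {proto}")
    return proto, software


def _read_line(sock: socket.socket, limit: int = MAX_LINE) -> bytes:
    """Read one LF-terminated line byte by byte so no bytes of the binary
    KEXINIT packet that follows the identification are consumed."""
    buf = bytearray()
    while len(buf) <= limit:
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
        if ch == b"\n":
            break
    return bytes(buf)


def client_version_exchange(sock: socket.socket, ident: bytes = APP_IDENT) -> tuple[str, str]:
    """SSH *client* half of the version exchange, run by the side that accepted.

    Sends our identification, then skips any lines the server emits before its
    own (allowed by RFC 4253; the client must ignore them).  This only
    *identifies* the device; it is authenticated by its host key in the key
    exchange that follows, which the application must check against the key
    it expects for that device before trusting anything else."""
    sock.sendall(ident + b"\r\n")
    for _ in range(MAX_PREAMBLE_LINES):
        line = _read_line(sock)
        if not line:
            raise ProtocolError("peer closed before identifying itself")
        if line.startswith(b"SSH-"):
            return parse_identification(line)
    raise ProtocolError("too many preamble lines before identification")


def simulated_device(sock: socket.socket, banner: bytes = b"",
                     ident: bytes = DEVICE_IDENT) -> tuple[str, str]:
    """Constructed device: it opened the TCP connection ('called home') but
    plays the SSH *server* role, so it may send free-form text before its
    identification and must not accept such text from the client."""
    if banner:
        sock.sendall(banner)
    sock.sendall(ident + b"\r\n")
    return parse_identification(_read_line(sock))


def run_call_home(banner: bytes = b"") -> tuple[tuple[str, str], object]:
    """Run one reversed exchange over a socketpair (stands in for accept()).
    Returns (what the app learned about the device, what the device learned
    about the app, or the device's ProtocolError)."""
    app_sock, dev_sock = socket.socketpair()
    outcome: dict = {}

    def device() -> None:
        try:
            outcome["device_saw"] = simulated_device(dev_sock, banner=banner)
        except ProtocolError as exc:
            outcome["device_saw"] = exc
        finally:
            dev_sock.close()

    worker = threading.Thread(target=device)
    worker.start()
    try:
        app_saw = client_version_exchange(app_sock)
    finally:
        app_sock.close()
        worker.join()
    return app_saw, outcome["device_saw"]
```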




From kwatsen@juniper.net  Wed Jun 19 15:03:39 2013
From: Kent Watsen <kwatsen@juniper.net>
To: Jeffrey Hutzelman <jhutz@cmu.edu>, ietfdbh <ietfdbh@comcast.net>
Date: Wed, 19 Jun 2013 22:03:20 +0000
Message-ID: <CDE773CC.3867A%kwatsen@juniper.net>
In-Reply-To: <1371662516.23088.44.camel@destiny.pc.cs.cmu.edu>
Cc: "draft-ietf-netconf-reverse-ssh@tools.ietf.org" <draft-ietf-netconf-reverse-ssh@tools.ietf.org>, "netconf@ietf.org" <netconf@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt

Hi Jeff,

You've touched on a lot of points.

First, yes, this was discussed a couple years ago.  I wanted this
submission to indicate it was a continuation of the previous I-D
draft-kwatsen-reverse-ssh-01.  That it doesn't is only because
I didn't see an option to indicate that during submission - I'll
check again...

The discussion from two years ago died because no common ground
could be reached.  It has resurfaced now because operators have
requested the NETCONF WG to define strategies for devices to
"call home" using both NETCONF's transports, SSH and TLS.  The
NETCONF WG has now chartered this work and I volunteered to pick
it up again.

From a protocol perspective, the solution presented in this draft
is the same as presented in draft-kwatsen-reverse-ssh-01 with one
exception: it now requests an IANA-assigned port, instead of using
port 22, to be consistent with draft-ietf-netconf-rfc5539bis-03,
which makes the same request.

Regarding the security aspects of running SSH "in reverse", this
draft's Security Considerations section has been greatly expanded
to address this concern and I very much hope that the SAAG will
take it up now.  I also hope SAAG will consider the security
aspects of running TLS "in reverse", as one of my comments on
rfc5539bis-03 [1] was that doing so would enable the "client" to
defer sending its client-certificate until after receiving the
server's cert, consistent with draft-agl-tls-encryptedclientcerts
and draft-badra-tls-identity-protection.  Though both of these
drafts are now defunct, it seems that there's sufficient interest
in protecting the client's identity, which a TLS-based "call home"
could only leverage someday if it ran TLS "in reverse" as well.

Finally, regarding the HMAC-* family of public host key algorithms,
I think herein lies a good reason to extract them into a draft of
their own, as it would be a shame for them to distract from the
primary discussion of running SSH (and TLS) in reverse.


[1] http://www.ietf.org/mail-archive/web/netconf/current/msg08075.html

Thanks,
Kent



On 6/19/13 1:21 PM, "Jeffrey Hutzelman" <jhutz@cmu.edu> wrote:

>On Wed, 2013-06-19 at 10:02 -0400, ietfdbh wrote:
>> Hi Kent,
>>
>> I think your draft needs to target two different audiences - the
>> security audience for SSH security considerations, and application
>> designers that want to use reverse-SSH, such as Netconf.
>
>This was discussed two years ago on the ietf-ssh mailing list, which is
>the appropriate forum for discussion of SSH extensions and protocol
>changes.  There was much discussion about what port number things should
>run on, but unfortunately relatively little discussion of the security
>aspects of running SSH "in reverse" like this.
>
>I haven't read this recent document, but when this came up in 2011, I
>was concerned about the security aspects of running SSH "in reverse"
>like this; it's really not designed for that.  I expressed concerns
>about the new hmac-* host key algorithms defined in that version, about
>the layering violations inherent in using them for negotiation, and
>commented that they don't really provide any operational advantage over
>using X.509 certificates or pre-shared RSA keys.  Those comments were
>never really addressed.
>
>
>The SECSH WG concluded some time ago, but its mailing list is still
>somewhat active and regularly discusses SSH protocol extensions.  I
>would be very concerned if the NETCONF WG were to send the IESG an SSH
>protocol document without the involvement of that group.  I will note
>that the 2011 discussion included approaches that did not require this
>level of protocol change, or indeed any.  I'm fine with NETCONF not
>having chosen one of those approaches, but this really does need to
>involve people with SSH expertise.
>
>-- Jeff
>
>
>




From touch@isi.edu  Wed Jun 19 15:14:33 2013
Message-ID: <51C22D02.9030802@isi.edu>
Date: Wed, 19 Jun 2013 15:13:22 -0700
From: Joe Touch <touch@isi.edu>
To: Kent Watsen <kwatsen@juniper.net>
References: <CDE773CC.3867A%kwatsen@juniper.net>
In-Reply-To: <CDE773CC.3867A%kwatsen@juniper.net>
Cc: "saag@ietf.org" <saag@ietf.org>, "draft-ietf-netconf-reverse-ssh@tools.ietf.org" <draft-ietf-netconf-reverse-ssh@tools.ietf.org>, ietfdbh <ietfdbh@comcast.net>, "netconf@ietf.org" <netconf@ietf.org>, Jeffrey Hutzelman <jhutz@cmu.edu>
Subject: Re: [saag] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt

On 6/19/2013 3:03 PM, Kent Watsen wrote:
> From a protocol perspective, the solution presented in this draft
> is the same as presented in draft-kwatsen-reverse-ssh-01 with one
> exception, it now requests an IANA-assigned port, instead of using
> port 22, to be consistent with draft-ietf-netconf-rfc5539bis-03,
> which makes the same request.

Hi, all,

I was party to the discussion of this issue during the original draft 
(see archives of 5/24/2011), and thought there was appreciation that 
there was no reason to need a new port for this service.

Regarding the netconf draft, that might warrant a single port, but again 
not two ports for the different directions.

As I noted on this list in 2011, directionality should be negotiated 
in-band, not by port number.

Joe

From jhutz@cmu.edu  Wed Jun 19 15:24:07 2013
Message-ID: <1371680633.23088.71.camel@destiny.pc.cs.cmu.edu>
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Kent Watsen <kwatsen@juniper.net>
Date: Wed, 19 Jun 2013 18:23:53 -0400
In-Reply-To: <CDE773CC.3867A%kwatsen@juniper.net>
References: <CDE773CC.3867A%kwatsen@juniper.net>
Cc: "saag@ietf.org" <saag@ietf.org>, "draft-ietf-netconf-reverse-ssh@tools.ietf.org" <draft-ietf-netconf-reverse-ssh@tools.ietf.org>, ietfdbh <ietfdbh@comcast.net>, "netconf@ietf.org" <netconf@ietf.org>, jhutz@cmu.edu
Subject: Re: [saag] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt

On Wed, 2013-06-19 at 22:03 +0000, Kent Watsen wrote:


> From a protocol perspective, the solution presented in this draft
> is the same as presented in draft-kwatsen-reverse-ssh-01 with one
> exception, it now requests an IANA-assigned port, instead of using
> port 22, to be consistent with draft-ietf-netconf-rfc5539bis-03,
> which makes the same request.

Given the previous discussion about port numbers, I think that's both
prudent and unfortunate.  It would be nice to be able to multiplex
everything on one port, but the reality is that the netconf application
that a device is connecting to is unlikely to have anything to do with
the SSH server running on the same machine.  However, unless I'm
misunderstanding the intent here, using a fixed port at all seems
limiting to me.  What if I'm running two different applications on my
machine, and expect different devices to connect to them, or even the
same device to both?  What if there are other people sharing my machine?
Shouldn't the port be either one dynamically assigned to the application
by the OS, or configured by an administrator?


> Regarding the security aspects of running SSH "in reverse", this
> draft's Security Considerations section has been greatly expanded
> to address this concern and I very much hope that the SAAG will
> take it up now.

OK; I'll try to find some time to re-review it, then.  In the meantime,
it would probably be good to bring this document up on the ietf-ssh list
again.


> Finally, regarding the HMAC-* family of public host key algorithms,
> I think herein lies a good reason to extract them into a draft of
> their own, as it would be a shame for them to distract from the
> primary discussion of running SSH (and TLS) in reverse.

Yes, I think that's a good idea.  These should be able to be treated
independently.

-- Jeff


From kwatsen@juniper.net  Wed Jun 19 17:38:09 2013
From: Kent Watsen <kwatsen@juniper.net>
To: Joe Touch <touch@isi.edu>
Date: Thu, 20 Jun 2013 00:37:53 +0000
Message-ID: <CDE7B123.38D60%kwatsen@juniper.net>
In-Reply-To: <51C22D02.9030802@isi.edu>
Cc: "saag@ietf.org" <saag@ietf.org>, "draft-ietf-netconf-reverse-ssh@tools.ietf.org" <draft-ietf-netconf-reverse-ssh@tools.ietf.org>, ietfdbh <ietfdbh@comcast.net>, "netconf@ietf.org" <netconf@ietf.org>, Jeffrey Hutzelman <jhutz@cmu.edu>
Subject: Re: [saag] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt

On 6/19/13 6:13 PM, "Joe Touch" <touch@isi.edu> wrote:
>I was party to the discussion of this issue during the original draft
>(see archives of 5/24/2011), and thought there was appreciation that
>there was no reason to need a new port for this service.

This is why the -01 draft from before was using port 22, but
the problem is that there will be a conflict if the application
may want to run real SSH on port 22.


>Regarding the netconf draft, that might warrant a single port, but again
>not two ports for the different directions.

The same principle applies here.  Yes, we could repurpose the
NETCONF port (830), but then there will be a port conflict if
the application server itself wants to be managed via NETCONF
on port 830.  Besides, this draft is truly about reversing SSH,
any SSH subsystem could be run on top of it...


>As I noted on this list in 2011, directionality should be negotiated
>in-band, not by port number.

This seems fine (assuming it's done in the SSH Transport protocol,
such that the device is the SSH server and the application is the SSH
client), except for one thing: it's not implementable *today*.
Optimistically, it might take a couple years for implementations
to support it, if ever.  Case in point, did you know that after
more than two years, there is still not a single implementation
for RFC 6187 (x.509v3 certs for SSH)?

In contrast, I have running code for the solution presented in
the current draft that I hope to post to code.google.com as a
reference implementation.  Mind you that this implementation
doesn't make use of all the host-key algs we'd like, but
it works with at least two SSH implementations (Petrov's patch
to OpenSSH and a Java library called J2SSH Maverick).

A little off topic, but the -00 draft I submitted before, in
2011, worked with *every* SSH implementation I tried, without
any patches necessary.  But I chose to model this draft after
the -01 proposal because I believe it's better to leverage the
algorithm negotiation built into SSH and I have running code
for the common case of the device running openssh and the
management app written in Java.

Thanks,
Kent




From touch@isi.edu  Wed Jun 19 18:04:00 2013
Message-ID: <51C254A2.2020409@isi.edu>
Date: Wed, 19 Jun 2013 18:02:26 -0700
From: Joe Touch <touch@isi.edu>
To: Kent Watsen <kwatsen@juniper.net>
References: <CDE7B123.38D60%kwatsen@juniper.net>
In-Reply-To: <CDE7B123.38D60%kwatsen@juniper.net>
Cc: "saag@ietf.org" <saag@ietf.org>, "draft-ietf-netconf-reverse-ssh@tools.ietf.org" <draft-ietf-netconf-reverse-ssh@tools.ietf.org>, ietfdbh <ietfdbh@comcast.net>, "netconf@ietf.org" <netconf@ietf.org>, Jeffrey Hutzelman <jhutz@cmu.edu>
Subject: Re: [saag] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt

On 6/19/2013 5:37 PM, Kent Watsen wrote:
>
>
> On 6/19/13 6:13 PM, "Joe Touch" <touch@isi.edu> wrote:
>> I was party to the discussion of this issue during the original draft
>> (see archives of 5/24/2011), and thought there was appreciation that
>> there was no reason to need a new port for this service.
>
> This is why the -01 draft from before was using port 22, but
> the problem is that there will be a conflict if the application
> may want to run real SSH on port 22.

Why is this a conflict in that way? It's just a matter of who initiates 
the connection, and who initiates the security exchange after that. 
I.e., why wouldn't this be most naturally implemented as "real SSH on 
port 22"?

>> Regarding the netconf draft, that might warrant a single port, but again
>> not two ports for the different directions.
>
> The same principle applies here.  Yes, we could repurpose the
> NETCONF port (830), but then there will be a port conflict if
> the application server itself wants to be managed via NETCONF
> on port 830.

The same answer above applies.

>  Besides, this draft is truly about reversing SSH,
> any SSH subsystem could be run on top of it...
>
>> As I noted on this list in 2011, directionality should be negotiated
>> in-band, not by port number.
>
> This seems fine (assuming it's done in the SSH Transport protocol,
> such that the device is the SSH server and the application is the SSH
> client), except for one thing: it's not implementable *today*.

I understand why it has not yet been *implemented*, but disagree that it 
is not *implementable*.

> Optimistically, it might take a couple years for implementations
> to support it, if ever.  Case in point, did you know that after
> more than two years, there is still not a single implementation
> for RFC 6187 (x.509v3 certs for SSH)?
>
> In contrast, I have running code for the solution presented in
> the current draft that I hope to post to code.google.com as a
> reference implementation.  Mind you that this implementation
> doesn't make use of all the host-key algs we'd like, but
> it works with at least two SSH implementations (Petrov's patch
> to OpenSSH and a Java library called J2SSH Maverick).

I sincerely hope you are posting code that uses some arbitrary dynamic 
port, rather than squatting on an assigned port.

However, it would be useful to explain further the issue here. So far, 
all I can tell is that it would be easier to pull up a demo 
implementation using a separate port, but there doesn't seem to be 
enough justification as to why this is a separate *service* than forward 
SSH.

Joe

From kwatsen@juniper.net  Wed Jun 19 18:23:46 2013
From: Kent Watsen <kwatsen@juniper.net>
To: Jeffrey Hutzelman <jhutz@cmu.edu>
Date: Thu, 20 Jun 2013 01:23:20 +0000
Message-ID: <CDE7C785.38FBA%kwatsen@juniper.net>
In-Reply-To: <1371680633.23088.71.camel@destiny.pc.cs.cmu.edu>
Cc: "draft-ietf-netconf-reverse-ssh@tools.ietf.org" <draft-ietf-netconf-reverse-ssh@tools.ietf.org>, ietfdbh <ietfdbh@comcast.net>, "netconf@ietf.org" <netconf@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt

On 6/19/13 6:23 PM, "Jeffrey Hutzelman" <jhutz@cmu.edu> wrote:

>However, unless I'm
>misunderstanding the intent here, using a fixed port at all seems
>limiting to me.  What if I'm running two different applications on my
>machine, and expect different devices to connect to them, or even the
>same device to both?  What if there are other people sharing my machine?
>Shouldn't the port be either one dynamically assigned to the application
>by the OS, or configured by an administrator?


Indeed, it is not uncommon for deployments to use non-standard ports.
For this reason, the YANG module presented in the Device Configuration
section defines the <port> field as optional, stating that the IANA-
assigned port is assumed if it's not filled in.


>OK; I'll try to find some time to re-review it, then.  In the meantime,
>it would probably be good to bring this document up on the ietf-ssh list
>again.

Very much looking forward to your review of the Security Considerations.
If at all possible, please also try to expand your review to the
possibility of reversing the TLS protocol in the same fashion (i.e. the
TCP client becomes the TLS server, and vice versa).


As for the ietf-ssh list, I know you're right, but we have a problem: the
mail archives have half of today's messages under the NETCONF list and
half under the SAAG list:

   http://www.ietf.org/mail-archive/web/netconf/current/maillist.html
   http://www.ietf.org/mail-archive/web/saag/current/maillist.html

Worse, at least one message shows up under both archives and clicking the
"Follow-Ups" links drops some of the responses because they're in the
other group's archive.  This will make it very hard for someone to piece
together the exchange that has occurred so far.  Suggestions?


Thanks again,
Kent










From turners@ieca.com  Thu Jun 20 05:50:56 2013
Message-ID: <51C2FAA6.4030609@ieca.com>
Date: Thu, 20 Jun 2013 21:50:46 +0900
From: Sean Turner <turners@ieca.com>
To: saag@ietf.org
References: <66B937CC-F190-405B-BCB4-160A8EC13DA6@emc.com>
In-Reply-To: <66B937CC-F190-405B-BCB4-160A8EC13DA6@emc.com>
Content-Type: multipart/mixed; boundary="------------070003030008050704020006"
Subject: [saag] Workshop on Security Incident Information Sharing

--------------070003030008050704020006
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

I'd been meaning to send this along to this list.

-------- Original Message --------
Subject: 	[mile] Workshop on Security Incident Information Sharing
Date: 	Mon, 17 Jun 2013 00:42:37 -0400
From: 	Moriarty, Kathleen <kathleen.moriarty@emc.com>
To: 	mile@ietf.org <mile@ietf.org>



Hello,

We would like to invite you to participate in the upcoming workshop on
Security Incident Information Sharing (SIIS).  It is scheduled on July
26, 2013 in Berlin, Germany, the Friday before the next IETF meeting.

Details and registration information can be found on the following web site:

http://siis.realmv6.org/

We hope to see you there for a productive workshop.

Best regards,
Kathleen & Brian

--------------070003030008050704020006--

From kwatsen@juniper.net  Fri Jun 21 13:18:01 2013
From: Kent Watsen <kwatsen@juniper.net>
To: "netconf@ietf.org" <netconf@ietf.org>
Date: Fri, 21 Jun 2013 20:16:49 +0000
Message-ID: <CDEA1B94.3960B%kwatsen@juniper.net>
In-Reply-To: <20130621133340.26792.55620.idtracker@ietfa.amsl.com>
Cc: "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-01.txt

FYI, this -01 update simply removes the hmac-* family of public host key
algorithms, since they were distracting from the primary focus of the
document and can be easily defined in a draft of their own, at anytime,
without affecting the remaining draft's validity.

For ietf-ssh and saag list members, yesterday we had a snafu with the
mail-archives because messages were being sent to multiple lists.  If you
want to reply, please consider joining the NETCONF mailing list so we can
keep the discussion in one place.

Thanks,
Kent





On 6/21/13 9:33 AM, "internet-drafts@ietf.org" <internet-drafts@ietf.org>
wrote:

>
>A New Internet-Draft is available from the on-line Internet-Drafts
>directories.
> This draft is a work item of the Network Configuration Working Group of
>the IETF.
>
>	Title           : Reverse Secure Shell (Reverse SSH)
>	Author(s)       : Kent Watsen
>	Filename        : draft-ietf-netconf-reverse-ssh-01.txt
>	Pages           : 13
>	Date            : 2013-06-20
>
>Abstract:
>   This memo presents a technique for a NETCONF server to initiate a SSH
>   connection to a NETCONF client.  This is accomplished by the NETCONF
>   client listening on IANA-assigned TCP port YYYY and starting the SSH
>   client protocol immediately after accepting a TCP connection on it.
>   This role-reversal is necessary as the NETCONF server must also be
>   the SSH Server, in order for the NETCONF client to open the IANA-
>   assigned SSH subsystem "netconf".
>
>
>The IETF datatracker status page for this draft is:
>https://datatracker.ietf.org/doc/draft-ietf-netconf-reverse-ssh
>
>There's also a htmlized version available at:
>http://tools.ietf.org/html/draft-ietf-netconf-reverse-ssh-01
>
>A diff from the previous version is available at:
>http://www.ietf.org/rfcdiff?url2=draft-ietf-netconf-reverse-ssh-01
>
>
>Internet-Drafts are also available by anonymous FTP at:
>ftp://ftp.ietf.org/internet-drafts/
>
>_______________________________________________
>Netconf mailing list
>Netconf@ietf.org
>https://www.ietf.org/mailman/listinfo/netconf
>
>
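As an added illustration of the role reversal described in the abstract above (this is example code written for this archive page, not the draft's reference implementation and not any SSH library): a toy model in which the management application listens on TCP but runs the SSH *client* side as soon as a device connects, while the device that opened the TCP connection plays the SSH *server*. The identification strings, the host-key line sent after them, and the set of pinned fingerprints are constructed stand-ins; real SSH delivers and signs the host key inside key exchange (RFC 4253), which this model does not implement.

```python
import hashlib
import socket
import threading

# Toy model of the "call home" flow: the application ACCEPTS the TCP
# connection yet speaks as the SSH client; the device CONNECTS yet speaks
# as the SSH server.  Everything below the identification strings is a
# constructed stand-in for the real key exchange, not the SSH wire format.

CLIENT_IDENT = b"SSH-2.0-app_side_client"      # constructed ident string
SERVER_IDENT = b"SSH-2.0-device_side_server"   # constructed ident string


def fingerprint(host_key: bytes) -> str:
    """SHA-256 fingerprint of a raw host-key blob, hex encoded."""
    return "SHA256:" + hashlib.sha256(host_key).hexdigest()


def device_connect(app_host: str, app_port: int, host_key: bytes) -> str:
    """Device side: TCP client that plays the SSH *server* role."""
    with socket.create_connection((app_host, app_port)) as s:
        s.sendall(SERVER_IDENT + b"\r\n")
        f = s.makefile("rb")
        peer_ident = f.readline()                # application's client ident
        if not peer_ident.startswith(b"SSH-2.0-"):
            return "device-rejected-peer-ident"
        s.sendall(host_key + b"\r\n")            # stand-in for the KEX host key
        return f.readline().rstrip(b"\r\n").decode()   # application's verdict


def application_accept(conn: socket.socket, pinned_fingerprints: set) -> str:
    """Application side: an accepted TCP connection handled in the SSH
    *client* role.  The device is the SSH server here, so the application
    must authenticate the device's host key even though the device dialed in."""
    with conn:
        f = conn.makefile("rb")
        ident = f.readline().rstrip(b"\r\n")
        if not ident.startswith(b"SSH-2.0-"):
            conn.sendall(b"rejected-ident\r\n")
            return "rejected-ident"
        conn.sendall(CLIENT_IDENT + b"\r\n")
        host_key = f.readline().rstrip(b"\r\n")
        if fingerprint(host_key) not in pinned_fingerprints:
            conn.sendall(b"rejected-hostkey\r\n")
            return "rejected-hostkey"
        conn.sendall(b"accepted\r\n")
        return "accepted"


def run_exchange(device_host_key: bytes, pinned_fingerprints: set,
                 port: int = 0) -> dict:
    """Run one call-home exchange over loopback and return both sides' verdicts.
    port=0 lets the OS choose an ephemeral port, standing in for a deployment
    that configures the listening port instead of relying on a fixed one."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", port))
    listener.listen(1)
    chosen_port = listener.getsockname()[1]
    result = {}

    def serve():
        conn, _ = listener.accept()
        result["app"] = application_accept(conn, pinned_fingerprints)

    t = threading.Thread(target=serve)
    t.start()
    result["device"] = device_connect("127.0.0.1", chosen_port, device_host_key)
    t.join()
    listener.close()
    return result


if __name__ == "__main__":
    key = b"constructed-device-host-key-blob"   # constructed sample key
    print(run_exchange(key, {fingerprint(key)}))             # both sides: accepted
    print(run_exchange(key, {fingerprint(b"some-other-key")}))  # rejected-hostkey
```

The point the model makes is the one the thread keeps returning to: swapping who dials the TCP connection does not swap who must be authenticated. The accepting application still has to verify the device's host key against something it trusts (here a pinned fingerprint set), and the listening port is a deployment choice passed in as a parameter rather than anything the protocol logic depends on.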




From omh1835@g.rit.edu  Sat Jun 22 04:51:10 2013
Date: Sat, 22 Jun 2013 14:50:46 +0300
From: "OMAR HASSAN (RIT Student)" <omh1835@rit.edu>
To: saag@ietf.org
Message-id: <CALxQUYEjjZcq5GHXOJur62Hwn+EDxbT4n9G4qKrR_f80ZQ30Rw@mail.gmail.com>
Content-type: multipart/alternative; boundary=001a11c2e9b83835dd04dfbcca70
Subject: [saag] User Defined Key Pair (no more passwords, no more CAs)

--001a11c2e9b83835dd04dfbcca70
Content-Type: text/plain; charset=ISO-8859-1

Hello Everyone

I have uploaded a new version of the User Defined Key Pair protocol. I would
appreciate it if you would have a look and give me any comments or suggestions.


http://tools.ietf.org/html/draft-omar-tls-udkp-01

The new protocol is a new way of securing the traffic to websites without
depending on any third party to secure the traffic between the user and the
website, so it will be possible for the user to secure his browsing using
his credential information, a smart card, or a random file on a USB drive.
That separates the use of two-factor authentication and traffic security
from the application code; the website admin only needs to configure how
the users are going to access the website. Additionally, no passwords need
to be transferred over the network any more, which will render phishing
attacks useless.

The motivation behind the new protocol is to make security the
responsibility of the two involved parties, because, as you know, the
security and confidentiality of user browsing in TLS depend upon a number
of Certificate Authorities (CAs): major web browsers trust hundreds of
different firms to issue certificates. Each of these firms can be compelled
by its national government, or be compromised, to issue a certificate
for any particular website that all web browsers will trust without
warning. Thus, users around the world are put in a position where their
browser entrusts their private data, indirectly, to a large number of
governments and entities. (http://cryptome.org/ssl-mitm.pdf)

Thank You
Best Regards


From qiminpeng@chinamobile.com  Sun Jun 23 20:10:46 2013
Return-Path: <qiminpeng@chinamobile.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B890621E80AA for <saag@ietfa.amsl.com>; Sun, 23 Jun 2013 20:10:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.774
X-Spam-Level: *
X-Spam-Status: No, score=1.774 tagged_above=-999 required=5 tests=[AWL=1.851,  BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RELAY_IS_221=2.222]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CNIhz-QNFsVj for <saag@ietfa.amsl.com>; Sun, 23 Jun 2013 20:10:42 -0700 (PDT)
Received: from cmccmta.chinamobile.com (cmccmta.chinamobile.com [221.176.64.232]) by ietfa.amsl.com (Postfix) with SMTP id 16F3F21E8085 for <saag@ietf.org>; Sun, 23 Jun 2013 20:10:41 -0700 (PDT)
Received: from spf.mail.chinamobile.com (unknown[172.16.20.21]) by rmmx-oa_allagent01-12001 (RichMail) with SMTP id 2ee151c7b87ff66-eff66; Mon, 24 Jun 2013 11:09:51 +0800 (CST)
X-RM-TRANSID: 2ee151c7b87ff66-eff66
Received: from RonPC (unknown[10.2.51.87]) by rmsmtp-oa_rmapp03-12003 (RichMail) with SMTP id 2ee351c7b87baad-7d84b; Mon, 24 Jun 2013 11:09:51 +0800 (CST)
X-RM-TRANSID: 2ee351c7b87baad-7d84b
From: =?utf-8?B?6b2Q5pe76bmP?= <qiminpeng@chinamobile.com>
To: <saag@ietf.org>
Date: Mon, 24 Jun 2013 11:10:41 +0800
Message-ID: <001501ce7088$6921f7a0$3b65e6e0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac5wgtAdgysqV4bRQJ6fBAPCrl+yywAA0yhg
Content-Language: zh-cn
Subject: [saag] FW: New Version Notification for draft-zhu-core-groupauth-00.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jun 2013 03:10:46 -0000

Hi everyone,

The authors have submitted a new draft on group authentication. We would
appreciate it if you could have a look and give us any comments or
suggestions. The link is below.

The problem is that for group communication only unicast authentication,
rather than a group authentication method, can be used. This draft aims to
analyze the problem, summarize the group authentication requirements and
provide a framework of solutions.

This draft discusses a new kind of authentication, so we think it would be
better to discuss it on the security mailing list as well and try to find a
suitable subgroup to discuss it.

BRs,
Minpeng

-----Original Message-----
From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
Sent: June 24, 2013 10:19
To: Ye Tian; Minpeng Qi; Judy Zhu
Subject: New Version Notification for draft-zhu-core-groupauth-00.txt


A new version of I-D, draft-zhu-core-groupauth-00.txt
has been successfully submitted by Judy Zhu and posted to the
IETF repository.

Filename:	 draft-zhu-core-groupauth
Revision:	 00
Title:		 Group Authentication
Creation date:	 2013-06-24
Group:		 Individual Submission
Number of pages: 10
URL:             http://www.ietf.org/internet-drafts/draft-zhu-core-groupauth-00.txt
Status:          http://datatracker.ietf.org/doc/draft-zhu-core-groupauth
Htmlized:        http://tools.ietf.org/html/draft-zhu-core-groupauth-00


Abstract:
   Group communication is designed for the communication of the Internet
   of Things. A threat is identified in [I-D.ietf-core-groupcomm]: the
   current DTLS based approach is unicast oriented and there is no
   support for a group authentication feature. Unicast oriented
   authentication will cause a serious burden when a large number of
   terminal nodes are inevitably involved. In another aspect, some
   terminals will share the same characteristics, such as having the same
   features, being in the same place, working at the same time, etc. With
   this mechanism, all terminals can be authenticated together with little
   signaling and calculation at the same time. It will reduce the
   network burden and save time. This draft describes the security of
   group authentication and a group authentication implementation
   method for the Internet of Things.



The IETF Secretariat

From stephen.farrell@cs.tcd.ie  Fri Jun 28 07:42:35 2013
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B259221F9B97 for <saag@ietfa.amsl.com>; Fri, 28 Jun 2013 07:42:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.499
X-Spam-Level: 
X-Spam-Status: No, score=-102.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LV2l9hMQF1-F for <saag@ietfa.amsl.com>; Fri, 28 Jun 2013 07:42:35 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id DB4B221F9BA2 for <saag@ietf.org>; Fri, 28 Jun 2013 07:42:29 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 16FE8BE4C for <saag@ietf.org>; Fri, 28 Jun 2013 15:42:06 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mDqzGL+Zg9Vd for <saag@ietf.org>; Fri, 28 Jun 2013 15:42:06 +0100 (IST)
Received: from [IPv6:2001:770:10:203:3561:24ef:7ef:e35e] (unknown [IPv6:2001:770:10:203:3561:24ef:7ef:e35e]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id E8590BED6 for <saag@ietf.org>; Fri, 28 Jun 2013 15:42:05 +0100 (IST)
Message-ID: <51CDA0BF.8090402@cs.tcd.ie>
Date: Fri, 28 Jun 2013 15:42:07 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: "saag@ietf.org" <saag@ietf.org>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [saag] kcipher-2 spec
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jun 2013 14:42:35 -0000

Hi,

The ISE is being asked to publish the kcipher-2 spec [1] as
an independent submission track RFC.

I'm handling the RFC 5742 review [2] for the IESG, which means
checking that this document doesn't conflict with IETF work.

I don't believe there is any such conflict, but do yell at
me if you think otherwise. (Before July 11th please.)

If you have comments on the draft (e.g. if you spot an error
or something) please send mail to the authors and the
independent submissions editor (rfc-ise@rfc-editor.org) so
they can consider your comments.

Thanks,
S.


[1] https://datatracker.ietf.org/doc/draft-kiyomoto-kcipher2/
[2] http://tools.ietf.org/html/rfc5742
