
From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Fri Jun 21 14:17:47 2013
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0FA021F9DC1 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Fri, 21 Jun 2013 14:17:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.411
X-Spam-Level: 
X-Spam-Status: No, score=-0.411 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7LoIxRj3R3lQ for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Fri, 21 Jun 2013 14:17:41 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) by ietfa.amsl.com (Postfix) with ESMTP id 28A2D21F9DDD for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Fri, 21 Jun 2013 14:17:41 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id B179114A165; Fri, 21 Jun 2013 21:17:25 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 5B3E114A163 for <ietf-ssh@NetBSD.org>; Fri, 21 Jun 2013 21:17:21 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id 6z5LC1UvHdCE for <ietf-ssh@NetBSD.org>; Fri, 21 Jun 2013 21:17:20 +0000 (UTC)
Received: from va3outboundpool.messaging.microsoft.com (va3ehsobe001.messaging.microsoft.com [216.32.180.11]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 505A214A162 for <ietf-ssh@NetBSD.org>; Fri, 21 Jun 2013 21:17:19 +0000 (UTC)
Received: from mail140-va3-R.bigfish.com (10.7.14.233) by VA3EHSOBE009.bigfish.com (10.7.40.29) with Microsoft SMTP Server id 14.1.225.23; Fri, 21 Jun 2013 20:17:06 +0000
Received: from mail140-va3 (localhost [127.0.0.1])	by mail140-va3-R.bigfish.com (Postfix) with ESMTP id 8F4A6E0113	for <ietf-ssh@NetBSD.org>; Fri, 21 Jun 2013 20:17:06 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:66.129.224.52;KIP:(null);UIP:(null);IPV:NLI;H:P-EMHUB01-HQ.jnpr.net;RD:none;EFVD:NLI
X-SpamScore: -27
X-BigFish: VPS-27(zzbb2dI98dI9371I936eI1b0bI1432I4015Izz1f42h1ee6h1de0h1fdah1202h1e76h1d1ah1d2ah1fc6hzz1033IL17326ah8275dhz2fh2a8h683h839h944he5bhf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h1ad9h1b0ah1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1e1dh1155h)
Received-SPF: pass (mail140-va3: domain of juniper.net designates 66.129.224.52 as permitted sender) client-ip=66.129.224.52; envelope-from=kwatsen@juniper.net; helo=P-EMHUB01-HQ.jnpr.net ;-HQ.jnpr.net ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.245.197;KIP:(null);UIP:(null);(null);H:CH1PRD0511HT004.namprd05.prod.outlook.com;R:internal;EFV:INT
Received: from mail140-va3 (localhost.localdomain [127.0.0.1]) by mail140-va3 (MessageSwitch) id 1371845824891915_26373; Fri, 21 Jun 2013 20:17:04 +0000 (UTC)
Received: from VA3EHSMHS027.bigfish.com (unknown [10.7.14.236])	by mail140-va3.bigfish.com (Postfix) with ESMTP id D11C3160047	for <ietf-ssh@NetBSD.org>; Fri, 21 Jun 2013 20:17:04 +0000 (UTC)
Received: from P-EMHUB01-HQ.jnpr.net (66.129.224.52) by VA3EHSMHS027.bigfish.com (10.7.99.37) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 21 Jun 2013 20:16:59 +0000
Received: from P-CLDFE01-HQ.jnpr.net (172.24.192.59) by P-EMHUB01-HQ.jnpr.net (172.24.192.35) with Microsoft SMTP Server (TLS) id 8.3.213.0; Fri, 21 Jun 2013 13:16:58 -0700
Received: from o365mail.juniper.net (207.17.137.224) by o365mail.juniper.net (172.24.192.59) with Microsoft SMTP Server id 14.1.355.2; Fri, 21 Jun 2013 13:16:57 -0700
Received: from tx2outboundpool.messaging.microsoft.com (65.55.88.12) by o365mail.juniper.net (207.17.137.224) with Microsoft SMTP Server (TLS) id 14.1.355.2; Fri, 21 Jun 2013 13:28:54 -0700
Received: from mail162-tx2-R.bigfish.com (10.9.14.253) by TX2EHSOBE015.bigfish.com (10.9.40.35) with Microsoft SMTP Server id 14.1.225.23; Fri, 21 Jun 2013 20:16:57 +0000
Received: from mail162-tx2 (localhost [127.0.0.1])	by mail162-tx2-R.bigfish.com (Postfix) with ESMTP id 2EADD4A0064	for <ietf-ssh@NetBSD.org.FOPE.CONNECTOR.OVERRIDE>; Fri, 21 Jun 2013 20:16:57 +0000 (UTC)
Received: from mail162-tx2 (localhost.localdomain [127.0.0.1]) by mail162-tx2 (MessageSwitch) id 1371845815550109_26863; Fri, 21 Jun 2013 20:16:55 +0000 (UTC)
Received: from TX2EHSMHS032.bigfish.com (unknown [10.9.14.253])	by mail162-tx2.bigfish.com (Postfix) with ESMTP id 78178100046;	Fri, 21 Jun 2013 20:16:55 +0000 (UTC)
Received: from CH1PRD0511HT004.namprd05.prod.outlook.com (157.56.245.197) by TX2EHSMHS032.bigfish.com (10.9.99.132) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 21 Jun 2013 20:16:50 +0000
Received: from CH1PRD0511MB407.namprd05.prod.outlook.com ([169.254.5.216]) by CH1PRD0511HT004.namprd05.prod.outlook.com ([10.255.159.39]) with mapi id 14.16.0324.000; Fri, 21 Jun 2013 20:16:50 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: "netconf@ietf.org" <netconf@ietf.org>
CC: "saag@ietf.org" <saag@ietf.org>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>
Subject: Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-01.txt
Thread-Topic: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-01.txt
Thread-Index: AQHOboQGz506FfWViUq1SGyFWdeosplAWG0A
Date: Fri, 21 Jun 2013 20:16:49 +0000
Message-ID: <CDEA1B94.3960B%kwatsen@juniper.net>
In-Reply-To: <20130621133340.26792.55620.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.2.130206
x-originating-ip: [10.255.159.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <E14A9E1618DFFE4196EEE75512E9A270@namprd05.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%12219$Dn%IETF.ORG$RO%2$TLS%5$FQDN%onpremiseedge-1018244.customer.frontbridge.com$TlsDn%o365mail.juniper.net
X-FOPE-CONNECTOR: Id%12219$Dn%NETBSD.ORG$RO%2$TLS%5$FQDN%onpremiseedge-1018244.customer.frontbridge.com$TlsDn%o365mail.juniper.net
X-OriginatorOrg: juniper.net
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

FYI, this -01 update simply removes the hmac-* family of public host key
algorithms, since they were distracting from the primary focus of the
document and can be easily defined in a draft of their own, at anytime,
without affecting the remaining draft's validity.

For ietf-ssh and saag list members, yesterday we had a snafu with the
mail-archives because messages were being sent to multiple lists.  If you
want to reply, please consider joining the NETCONF mailing list so we can
keep the discussion in one place.

Thanks,
Kent





On 6/21/13 9:33 AM, "internet-drafts@ietf.org" <internet-drafts@ietf.org>
wrote:

>
>A New Internet-Draft is available from the on-line Internet-Drafts
>directories.
> This draft is a work item of the Network Configuration Working Group of
>the IETF.
>
>	Title           : Reverse Secure Shell (Reverse SSH)
>	Author(s)       : Kent Watsen
>	Filename        : draft-ietf-netconf-reverse-ssh-01.txt
>	Pages           : 13
>	Date            : 2013-06-20
>
>Abstract:
>   This memo presents a technique for a NETCONF server to initiate a SSH
>   connection to a NETCONF client.  This is accomplished by the NETCONF
>   client listening on IANA-assigned TCP port YYYY and starting the SSH
>   client protocol immediately after accepting a TCP connection on it.
>   This role-reversal is necessary as the NETCONF server must also be
>   the SSH Server, in order for the NETCONF client to open the IANA-
>   assigned SSH subsystem "netconf".
>
>
>The IETF datatracker status page for this draft is:
>https://datatracker.ietf.org/doc/draft-ietf-netconf-reverse-ssh
>
>There's also a htmlized version available at:
>http://tools.ietf.org/html/draft-ietf-netconf-reverse-ssh-01
>
>A diff from the previous version is available at:
>http://www.ietf.org/rfcdiff?url2=draft-ietf-netconf-reverse-ssh-01
>
>
>Internet-Drafts are also available by anonymous FTP at:
>ftp://ftp.ietf.org/internet-drafts/
>
>_______________________________________________
>Netconf mailing list
>Netconf@ietf.org
>https://www.ietf.org/mailman/listinfo/netconf
>
>




From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Fri Jun 21 20:32:34 2013
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 427E521F9B92 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Fri, 21 Jun 2013 20:32:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.95
X-Spam-Level: 
X-Spam-Status: No, score=-1.95 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U4Ey6VrCi34W for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Fri, 21 Jun 2013 20:32:29 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) by ietfa.amsl.com (Postfix) with ESMTP id 4174221F9B9E for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Fri, 21 Jun 2013 20:32:29 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 27B3214A1AD; Sat, 22 Jun 2013 03:32:26 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 48C4E14A1A9 for <ietf-ssh@NetBSD.org>; Sat, 22 Jun 2013 03:32:24 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id szKk3Qyb8chh for <ietf-ssh@NetBSD.org>; Sat, 22 Jun 2013 03:32:23 +0000 (UTC)
Received: from Chip.Rodents-Montreal.ORG (Chip.Rodents-Montreal.ORG [216.46.0.66]) by mail.netbsd.org (Postfix) with ESMTP id 6EB8614A141 for <ietf-ssh@NetBSD.org>; Sat, 22 Jun 2013 03:32:23 +0000 (UTC)
Received: (from mouse@localhost) by Chip.Rodents-Montreal.ORG (8.8.8/8.8.8) id XAA17875; Fri, 21 Jun 2013 23:32:22 -0400 (EDT)
Date: Fri, 21 Jun 2013 23:32:22 -0400 (EDT)
From: Mouse <mouse@Rodents-Montreal.ORG>
Message-Id: <201306220332.XAA17875@Chip.Rodents-Montreal.ORG>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Erik-Conspiracy: There is no Conspiracy - and if there were I wouldn't be part of it anyway.
X-Message-Flag: Microsoft: the company who gave us the botnet zombies.
X-Composition-Start-Date: Fri, 21 Jun 2013 23:26:11 -0400 (EDT)
To: Kent Watsen <kwatsen@juniper.net>, ietf-ssh@NetBSD.org
Subject: Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-01.txt
In-Reply-To: <CDEA1B94.3960B%kwatsen@juniper.net>
References: <CDEA1B94.3960B%kwatsen@juniper.net>
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

[Feel free to forward elselist as seems appropriate; after what saag@
started doing, I'm disinclined to subscribe to more @ietf.org lists.]

>>   This memo presents a technique for a NETCONF server to initiate a
>>   SSH connection to a NETCONF client.  This is accomplished by the
>>   NETCONF client listening on IANA-assigned TCP port YYYY and
>>   starting the SSH client protocol immediately after accepting a TCP
>>   connection on it.  This role-reversal is necessary as the NETCONF
>>   server must also be the SSH Server, in order for the NETCONF
>>   client to open the IANA-assigned SSH subsystem "netconf".

I don't see why the netconf client has to be the one to initiate the
subsystem open.  It seems to me it does less violence to ssh for the
netconf server to be the ssh client (and conversely of course), with
the netconf protocol designed to know that the ssh roles are reverse
from the netconf roles.  (If the netconf subsystem is too standardized
for this at this point, that seems to me like a reason to define a new
subsystem that works more usefully.)

Note that the ssh server on the netconf client does not necessarily
have to also operate as a normal ssh server; it might, for example,
refuse shell and exec requests and all subsystems except netconf.

Am I just revealing my ignorance of netconf here?

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse@rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Fri Jun 21 23:19:34 2013
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28FEE21F9DAB for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Fri, 21 Jun 2013 23:19:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.925
X-Spam-Level: 
X-Spam-Status: No, score=-1.925 tagged_above=-999 required=5 tests=[AWL=1.541, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jCf8YWPKyeIa for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Fri, 21 Jun 2013 23:19:28 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) by ietfa.amsl.com (Postfix) with ESMTP id 6065121F9DA3 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Fri, 21 Jun 2013 23:19:28 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 1976514A1B5; Sat, 22 Jun 2013 06:19:24 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id 8769114A1B2; Sat, 22 Jun 2013 06:19:23 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 5F81D14A14C for <ietf-ssh@NetBSD.org>; Fri, 21 Jun 2013 19:26:57 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id yr-XmjRsCrU7 for <ietf-ssh@NetBSD.org>; Fri, 21 Jun 2013 19:26:56 +0000 (UTC)
Received: from tx2outboundpool.messaging.microsoft.com (tx2ehsobe003.messaging.microsoft.com [65.55.88.13]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 6F35D14A126 for <ietf-ssh@NetBSD.org>; Fri, 21 Jun 2013 19:26:56 +0000 (UTC)
Received: from mail82-tx2-R.bigfish.com (10.9.14.230) by TX2EHSOBE002.bigfish.com (10.9.40.22) with Microsoft SMTP Server id 14.1.225.23; Fri, 21 Jun 2013 19:26:55 +0000
Received: from mail82-tx2 (localhost [127.0.0.1])	by mail82-tx2-R.bigfish.com (Postfix) with ESMTP id F41C6440202	for <ietf-ssh@NetBSD.org>; Fri, 21 Jun 2013 19:26:54 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:66.129.224.50;KIP:(null);UIP:(null);IPV:NLI;H:P-EMHUB03-HQ.jnpr.net;RD:none;EFVD:NLI
X-SpamScore: -21
X-BigFish: VPS-21(zzc85eh4015Izz1f42h1ee6h1de0h1fdah1202h1e76h1d1ah1d2ah1fc6hzz1033IL17326ah18c673h8275bh8275dhz2fh2a8h683h839hbe3he5bhf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h1ad9h1b0ah1bceh1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1e1dh1155h)
Received-SPF: pass (mail82-tx2: domain of juniper.net designates 66.129.224.50 as permitted sender) client-ip=66.129.224.50; envelope-from=kwatsen@juniper.net; helo=P-EMHUB03-HQ.jnpr.net ;-HQ.jnpr.net ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.245.197;KIP:(null);UIP:(null);(null);H:CH1PRD0511HT003.namprd05.prod.outlook.com;R:internal;EFV:INT
Received: from mail82-tx2 (localhost.localdomain [127.0.0.1]) by mail82-tx2 (MessageSwitch) id 1371842813334952_7528; Fri, 21 Jun 2013 19:26:53 +0000 (UTC)
Received: from TX2EHSMHS024.bigfish.com (unknown [10.9.14.233])	by mail82-tx2.bigfish.com (Postfix) with ESMTP id 433C6400092	for <ietf-ssh@NetBSD.org>; Fri, 21 Jun 2013 19:26:53 +0000 (UTC)
Received: from P-EMHUB03-HQ.jnpr.net (66.129.224.50) by TX2EHSMHS024.bigfish.com (10.9.99.124) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 21 Jun 2013 19:26:53 +0000
Received: from P-CLDFE02-HQ.jnpr.net (172.24.192.60) by P-EMHUB03-HQ.jnpr.net (172.24.192.37) with Microsoft SMTP Server (TLS) id 8.3.213.0; Fri, 21 Jun 2013 12:26:52 -0700
Received: from o365mail.juniper.net (207.17.137.224) by o365mail.juniper.net (172.24.192.60) with Microsoft SMTP Server id 14.1.355.2; Fri, 21 Jun 2013 12:26:51 -0700
Received: from ch1outboundpool.messaging.microsoft.com (216.32.181.182) by o365mail.juniper.net (207.17.137.224) with Microsoft SMTP Server (TLS) id 14.1.355.2; Fri, 21 Jun 2013 12:38:48 -0700
Received: from mail70-ch1-R.bigfish.com (10.43.68.241) by CH1EHSOBE017.bigfish.com (10.43.70.67) with Microsoft SMTP Server id 14.1.225.23; Fri, 21 Jun 2013 19:26:50 +0000
Received: from mail70-ch1 (localhost [127.0.0.1])	by mail70-ch1-R.bigfish.com (Postfix) with ESMTP id A9D8E4800C9	for <ietf-ssh@NetBSD.org.FOPE.CONNECTOR.OVERRIDE>; Fri, 21 Jun 2013 19:26:50 +0000 (UTC)
Received: from mail70-ch1 (localhost.localdomain [127.0.0.1]) by mail70-ch1 (MessageSwitch) id 1371842808976689_3627; Fri, 21 Jun 2013 19:26:48 +0000 (UTC)
Received: from CH1EHSMHS023.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.241])	by mail70-ch1.bigfish.com (Postfix) with ESMTP id E2FBE80444 for <ietf-ssh@NetBSD.org>; Fri, 21 Jun 2013 19:26:48 +0000 (UTC)
Received: from CH1PRD0511HT003.namprd05.prod.outlook.com (157.56.245.197) by CH1EHSMHS023.bigfish.com (10.43.70.23) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 21 Jun 2013 19:26:47 +0000
Received: from CH1PRD0511MB407.namprd05.prod.outlook.com ([169.254.5.216]) by CH1PRD0511HT003.namprd05.prod.outlook.com ([10.255.159.38]) with mapi id 14.16.0324.000; Fri, 21 Jun 2013 19:26:46 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>
Subject: draft-ietf-netconf-reverse-ssh
Thread-Topic: draft-ietf-netconf-reverse-ssh
Thread-Index: AQHObrVEgHKjWXouLUWy58NaSS/+ow==
Date: Fri, 21 Jun 2013 19:26:46 +0000
Message-ID: <CDEA2134.3964F%kwatsen@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.2.130206
x-originating-ip: [10.255.159.4]
Content-Type: multipart/alternative; boundary="_000_CDEA21343964Fkwatsenjunipernet_"
MIME-Version: 1.0
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%12219$Dn%NETBSD.ORG$RO%2$TLS%5$FQDN%onpremiseedge-1018244.customer.frontbridge.com$TlsDn%o365mail.juniper.net
X-OriginatorOrg: juniper.net
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

--_000_CDEA21343964Fkwatsenjunipernet_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit


All,

Yesterday I posted draft-ietf-netconf-reverse-ssh-00.  The I-D announcement was forwarded to the SAAG list and a lively conversation pursued.  Unfortunately, because it was being sent to two lists, the mail archive is not easy to follow:

    http://www.ietf.org/mail-archive/web/netconf/current/maillist.html
    http://www.ietf.org/mail-archive/web/saag/current/maillist.html

You may recall this being discussed nearly two years ago, hopefully something will stick this time ;)

PS: I'll be sending this list another email momentarily announcing the -01 draft

Thanks,
Kent


--_000_CDEA21343964Fkwatsenjunipernet_--

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Wed Jun 26 00:00:39 2013
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA05121F91B4 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 00:00:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level: 
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wo+-iiVjopMs for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 00:00:39 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) by ietfa.amsl.com (Postfix) with ESMTP id 3E43511E819A for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 26 Jun 2013 00:00:36 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id BD02314A0DA; Wed, 26 Jun 2013 07:00:34 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 50E8014A105 for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 07:00:30 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id eGbnciR5jjM7 for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 07:00:29 +0000 (UTC)
Received: from mail.lysator.liu.se (mail.lysator.liu.se [IPv6:2001:6b0:17:f0a0::3]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 229F614A0E7 for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 07:00:28 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id 9179F4000C; Wed, 26 Jun 2013 09:00:25 +0200 (CEST)
Received: from stalhein.lysator.liu.se (stalhein.lysator.liu.se [IPv6:2001:6b0:17:f0a0::cc]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.lysator.liu.se (Postfix) with ESMTPS id 7CA434000B; Wed, 26 Jun 2013 09:00:25 +0200 (CEST)
Received: from stalhein.lysator.liu.se (localhost [127.0.0.1]) by stalhein.lysator.liu.se (8.14.4+Sun/8.14.4) with ESMTP id r5Q70PLQ016316; Wed, 26 Jun 2013 09:00:25 +0200 (MEST)
Received: (from nisse@localhost) by stalhein.lysator.liu.se (8.14.4+Sun/8.14.4/Submit) id r5Q70NjO016315; Wed, 26 Jun 2013 09:00:23 +0200 (MEST)
X-Authentication-Warning: stalhein.lysator.liu.se: nisse set sender to nisse@lysator.liu.se using -f
From: nisse@lysator.liu.se (Niels Möller)
To: Mouse <mouse@Rodents-Montreal.ORG>
Cc: Kent Watsen <kwatsen@juniper.net>, ietf-ssh@NetBSD.org
Subject: Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-01.txt
References: <CDEA1B94.3960B%kwatsen@juniper.net> <201306220332.XAA17875@Chip.Rodents-Montreal.ORG>
Date: Wed, 26 Jun 2013 09:00:23 +0200
In-Reply-To: <201306220332.XAA17875@Chip.Rodents-Montreal.ORG> (mouse@rodents-montreal.org's message of "Fri, 21 Jun 2013 23:32:22 -0400 (EDT)")
Message-ID: <nnzjudqrug.fsf@stalhein.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (usg-unix-v)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

[ Feel free to forward this message wherever appropriate ]

Mouse <mouse@Rodents-Montreal.ORG> writes:

> I don't see why the netconf client has to be the one to initiate the
> subsystem open.

I agree. The draft draft-ietf-netconf-reverse-ssh-01 says

  It is necessary because SSH channels and subsystems can only be opened
  on the SSH Server.

That is plain wrong. E.g., channels of type "forwarded-tcpip" are
normally opened by the server. As for channels of type "session", used
for the subsystem request, the ssh spec says (RFC 4254, section 6.1):

   Client implementations SHOULD reject any session channel open
   requests to make it more difficult for a corrupt server to attack the
   client.

netconf may well have a perfectly reasonable use-case for deviating from
that "SHOULD". 

The SSH protocol is pretty flexible. It's also possible to have the
client initiate the channel open, and still have the server issue the
subsystem request. Or have the client initiate both the channel open
*and* the subsystem request, but define the meaning of that subsystem so
that it is the client that actually starts the "server" end of the
subsystem (the channel is just a bidirectional pipe, it doesn't matter
for the ssh protocol which end is connected to a "server"). Or introduce
a new channel type rather than using a "session" channel and a subsystem
request.

I think there are several ways of solving the problem which are both
simpler and more in the spirit of the ssh protocol, than introducing
some "role reversal" of the ssh *transport* layer.

After thinking for some 10 minutes about the problem, I think I'll
suggest the following: Introduce a new channel type "reverse-session".
It will work exactly like a "session" channel, except that the party
opening the channel expects the remote end to issue a "shell", "exec" or
"subsystem" request, and that any SSH_CHANNEL_EXTENDED_DATA messages
(for stderr) are sent in the same direction as the initial channel open
request.

As far as I understand, not doing protocol reversal seems to also
simplify authentication for netconf. Authenticating the server, which is
going to control the client, is done using ssh host authentication
mechanism in the ssh transport layer, and that's going to be important
for security.

Authenticating the client would be using the ssh user authentication
layer, but I imagine that in many cases that will not even be necessary.
I'd expect that the common case is that an attacker can't get any
benefit from configuring a "rogue" device, have that device call in to
the server, and say "please control me!". And that the server doesn't
trust any device anyway, authenticated or not.

Best regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
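
A worked example for the two points made in this thread, added here and
not code from the Reverse SSH draft, from Mouse's or Niels's messages, or
from any SSH implementation: the RFC 4254 channel-open and channel-request
messages built and parsed on the wire, including the "forwarded-tcpip" open
that the server normally sends, the RFC 4254 section 6.1 rejection of a
server-initiated "session" open on the client side, and Mouse's suggested
policy of refusing shell, exec and every subsystem except "netconf".  The
"reverse-session" channel type is Niels's proposal above and not a
registered name; the channel numbers, the accept_reverse_session switch and
the peer_channel argument are assumptions of the example.

```python
"""RFC 4254 channel messages plus the endpoint policy discussed above.

Added example for this thread, not code from the Reverse SSH draft or
any SSH implementation.  "reverse-session" is Niels's proposed channel
type, not a registered one.  Numbers are the RFC 4250 values.
"""
import struct

SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91
SSH_MSG_CHANNEL_OPEN_FAILURE = 92
SSH_MSG_CHANNEL_REQUEST = 98
SSH_MSG_CHANNEL_SUCCESS = 99
SSH_MSG_CHANNEL_FAILURE = 100
SSH_OPEN_ADMINISTRATIVELY_PROHIBITED = 1
SSH_OPEN_UNKNOWN_CHANNEL_TYPE = 3

def _u32(n):
    return struct.pack(">I", n)

def _string(b):
    return _u32(len(b)) + b

def _read_u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _read_string(buf, off):
    n, off = _read_u32(buf, off)
    return buf[off:off + n], off + n

def channel_open(chan_type, sender_channel, type_specific=b"",
                 window=2 ** 21, max_packet=32768):
    """SSH_MSG_CHANNEL_OPEN (RFC 4254 5.1); either side may send it."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + _string(chan_type.encode())
            + _u32(sender_channel) + _u32(window) + _u32(max_packet)
            + type_specific)

def forwarded_tcpip(sender_channel, addr, port, orig_addr, orig_port):
    """The server-initiated open of RFC 4254 7.2 that Niels cites."""
    extra = (_string(addr.encode()) + _u32(port)
             + _string(orig_addr.encode()) + _u32(orig_port))
    return channel_open("forwarded-tcpip", sender_channel, extra)

def channel_request(recipient_channel, req_type, want_reply=True, extra=b""):
    """SSH_MSG_CHANNEL_REQUEST (RFC 4254 5.4)."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + _u32(recipient_channel)
            + _string(req_type.encode()) + bytes([int(want_reply)]) + extra)

def subsystem_request(recipient_channel, name):
    return channel_request(recipient_channel, "subsystem", True,
                           _string(name.encode()))

def parse_channel_open(msg):
    assert msg[0] == SSH_MSG_CHANNEL_OPEN
    ctype, off = _read_string(msg, 1)
    sender, off = _read_u32(msg, off)
    window, off = _read_u32(msg, off)
    max_packet, off = _read_u32(msg, off)
    return ctype.decode(), sender, window, max_packet, msg[off:]

def parse_channel_request(msg):
    assert msg[0] == SSH_MSG_CHANNEL_REQUEST
    recipient, off = _read_u32(msg, 1)
    rtype, off = _read_string(msg, off)
    return recipient, rtype.decode(), bool(msg[off]), msg[off + 1:]

def handle_channel_open(msg, we_are_ssh_client, local_channel,
                        accept_reverse_session=False):
    """Answer a peer's CHANNEL_OPEN with CONFIRMATION or FAILURE.

    RFC 4254 6.1: a client SHOULD reject "session" opens from the server.
    accept_reverse_session is an assumed configuration switch for an
    endpoint that has opted in to Niels's proposed channel type.
    """
    ctype, sender, window, max_packet, _ = parse_channel_open(msg)
    def failure(code, text):
        return (bytes([SSH_MSG_CHANNEL_OPEN_FAILURE]) + _u32(sender)
                + _u32(code) + _string(text.encode()) + _string(b""))
    if ctype == "session" and we_are_ssh_client:
        return failure(SSH_OPEN_ADMINISTRATIVELY_PROHIBITED,
                       "client does not accept session channels")
    if ctype == "session" or (ctype == "reverse-session"
                              and accept_reverse_session):
        return (bytes([SSH_MSG_CHANNEL_OPEN_CONFIRMATION]) + _u32(sender)
                + _u32(local_channel) + _u32(window) + _u32(max_packet))
    return failure(SSH_OPEN_UNKNOWN_CHANNEL_TYPE, "unsupported channel type")

def handle_channel_request(msg, peer_channel, allowed_subsystems=("netconf",)):
    """Mouse's policy: refuse shell, exec and every subsystem but netconf.
    peer_channel is the requester's number for this channel, which a real
    implementation looks up in its channel table."""
    _, rtype, want_reply, rest = parse_channel_request(msg)
    ok = (rtype == "subsystem"
          and _read_string(rest, 0)[0].decode() in allowed_subsystems)
    if not want_reply:
        return b""
    reply = SSH_MSG_CHANNEL_SUCCESS if ok else SSH_MSG_CHANNEL_FAILURE
    return bytes([reply]) + _u32(peer_channel)
```

The direction of a CHANNEL_OPEN is independent of which side ran the
transport as client: handle_channel_open only consults we_are_ssh_client
for the "session" type, which is exactly the policy the SHOULD in section
6.1 asks of clients, and a "reverse-session" open is accepted on either
side once the endpoint has been configured for it.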

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Wed Jun 26 03:19:06 2013
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A35E11E81AF for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 03:19:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.449
X-Spam-Level: 
X-Spam-Status: No, score=-3.449 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V++R5+5OkshL for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 03:18:59 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) by ietfa.amsl.com (Postfix) with ESMTP id 3D53D11E80D2 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 26 Jun 2013 03:18:59 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id D0F3514A109; Wed, 26 Jun 2013 10:18:55 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 8051F14A105 for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 10:18:50 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id HVQWxZwe-iWW for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 10:18:48 +0000 (UTC)
Received: from co1outboundpool.messaging.microsoft.com (co1ehsobe003.messaging.microsoft.com [216.32.180.186]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 9412714A0F3 for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 10:18:48 +0000 (UTC)
Received: from mail148-co1-R.bigfish.com (10.243.78.225) by CO1EHSOBE014.bigfish.com (10.243.66.77) with Microsoft SMTP Server id 14.1.225.23; Wed, 26 Jun 2013 09:48:44 +0000
Received: from mail148-co1 (localhost [127.0.0.1])	by mail148-co1-R.bigfish.com (Postfix) with ESMTP id EF7AFDC045F;	Wed, 26 Jun 2013 09:48:43 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.249.85;KIP:(null);UIP:(null);IPV:NLI;H:AMSPRD0710HT001.eurprd07.prod.outlook.com;RD:none;EFVD:NLI
X-SpamScore: 5
X-BigFish: PS5(zz9371Ic89bh1454I146fI542Izz1f42h1ee6h1de0h1fdah1202h1e76h1d1ah1d2ah1fc6hzz8275ch8275dhz2dh2a8h5a9h668h839h947hd24hf0ah1177h1179h1288h12a5h12a9h12bdh137ah139eh13b6h1441h1504h1537h162dh1631h1758h17f1h184fh1898h18e1h1946h19b5h19ceh1ad9h1b0ah1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1e23h304l1d11m1155h)
Received: from mail148-co1 (localhost.localdomain [127.0.0.1]) by mail148-co1 (MessageSwitch) id 1372240122313486_18910; Wed, 26 Jun 2013 09:48:42 +0000 (UTC)
Received: from CO1EHSMHS028.bigfish.com (unknown [10.243.78.253])	by mail148-co1.bigfish.com (Postfix) with ESMTP id 47B1318006D;	Wed, 26 Jun 2013 09:48:42 +0000 (UTC)
Received: from AMSPRD0710HT001.eurprd07.prod.outlook.com (157.56.249.85) by CO1EHSMHS028.bigfish.com (10.243.66.38) with Microsoft SMTP Server (TLS) id 14.1.225.23; Wed, 26 Jun 2013 09:48:42 +0000
Received: from DBXPRD0411HT001.eurprd04.prod.outlook.com (157.56.253.165) by pod51017.outlook.com (10.255.160.164) with Microsoft SMTP Server (TLS) id 14.16.324.0; Wed, 26 Jun 2013 09:48:35 +0000
Message-ID: <022e01ce7252$66a076c0$4001a8c0@gateway.2wire.net>
From: t.petch <ietfc@btconnect.com>
To: =?iso-8859-1?Q?Niels_M=F6ller?= <nisse@lysator.liu.se>, Mouse <mouse@Rodents-Montreal.ORG>
CC: Kent Watsen <kwatsen@juniper.net>, <ietf-ssh@NetBSD.org>
References: <CDEA1B94.3960B%kwatsen@juniper.net><201306220332.XAA17875@Chip.Rodents-Montreal.ORG> <nnzjudqrug.fsf@stalhein.lysator.liu.se>
Subject: Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-01.txt
Date: Wed, 26 Jun 2013 10:44:53 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [157.56.253.165]
Content-Transfer-Encoding: quoted-printable
X-OriginatorOrg: btconnect.com
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

----- Original Message -----
From: "Niels Möller" <nisse@lysator.liu.se>
To: "Mouse" <mouse@Rodents-Montreal.ORG>
Cc: "Kent Watsen" <kwatsen@juniper.net>; <ietf-ssh@NetBSD.org>
Sent: Wednesday, June 26, 2013 8:00 AM
Subject: Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-01.txt


[ Feel free to forward this message wherever appropriate ]

Mouse <mouse@Rodents-Montreal.ORG> writes:

> I don't see why the netconf client has to be the one to initiate the
> subsystem open.

I agree. The draft draft-ietf-netconf-reverse-ssh-01 says

  It is necessary because SSH channels and subsystems can only be opened
  on the SSH Server.

That is plain wrong. E.g., channels of type "forwarded-tcpip" are
normally opened by the server. As for channels of type "session", used
for the subsystem request, the ssh spec says (RFC 4254, section 6.1):

<tp>
What Kent is saying on the Netconf list is that the devices are behind a
firewall which does not allow inbound SSH connections ie the
device/Netconf server must initiate the SSH connection (although not
necessarily the TCP connection).  I cannot see this in the current I-D
so I am confused as to what requirements this design is meeting.

And when the device does initiate the SSH connection then, arguably, the
security properties are wrong, as got discussed last time this came up
(and also in ISMS).  They may be right for alerts, that the NMS can know
that the alert came from a trusted device, but are wrong for
configuration, when the device needs to know it can trust the NMS.

What follows below is a fine addition to SSH, except that it does not
meet the requirements, as I understand them, of Netconf call home.

Tom Petch
</tp>

   Client implementations SHOULD reject any session channel open
   requests to make it more difficult for a corrupt server to attack the
   client.

netconf may well have a perfectly reasonable use-case for deviating from
that "SHOULD".

The SSH protocol is pretty flexible. It's also possible to have the
client initiate the channel open, and still have the server issue the
subsystem request. Or have the client initiate both the channel open
*and* the subsystem request, but define the meaning of that subsystem so
that it is the client that actually starts the "server" end of the
subsystem (the channel is just a bidirectional pipe, it doesn't matter
for the ssh protocol which end is connected to a "server"). Or introduce
a new channel type rather than using a "session" channel and a subsystem
request.

I think there are several ways of solving the problem which are both
simpler and more in the spirit of the ssh protocol, than introducing
some "role reversal" of the ssh *transport* layer.

After thinking for some 10 minutes about the problem, I think I'll
suggest the following: Introduce a new channel type "reverse-session".
It will work exactly like a "session" channel, except that the party
opening the channel expects the remote end to issue a "shell", "exec" or
"subsystem" request, and that any SSH_CHANNEL_EXTENDED_DATA messages
(for stderr) is sent in the same direction as the initial channel open
request.

As far as I understand, not doing protocol reversal seems to also
simplify authentication for netconf. Authenticating the server, which is
going to control the client, is done using ssh host authentication
mechanism in the ssh transport layer, and that's going to be important
for security.

Authenticating the client would be using the ssh user authentication
layer, but I imagine that in many cases that will not even be necessary.
I'd expect that the common case is that an attacker can't get any
benefit from configuring a "rogue" device, have that device call in to
the server, and say "please control me!". And that the server doesn't
trust any device anyway, authenticated or not.

Best regards,
/Niels

--
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Wed Jun 26 04:19:16 2013
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABFBF21E8119 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 04:19:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.549
X-Spam-Level: 
X-Spam-Status: No, score=-3.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jdxLXl2NRcUa for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 04:19:10 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) by ietfa.amsl.com (Postfix) with ESMTP id 74F0821E8086 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 26 Jun 2013 04:19:10 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 3922214A0F3; Wed, 26 Jun 2013 11:19:06 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id BCD9F14A0E7 for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 11:19:02 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id 3P20Dw_VwM32 for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 11:19:02 +0000 (UTC)
Received: from co1outboundpool.messaging.microsoft.com (co1ehsobe004.messaging.microsoft.com [216.32.180.187]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id D22B114A0CA for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 11:19:01 +0000 (UTC)
Received: from mail121-co1-R.bigfish.com (10.243.78.227) by CO1EHSOBE026.bigfish.com (10.243.66.89) with Microsoft SMTP Server id 14.1.225.23; Wed, 26 Jun 2013 09:48:42 +0000
Received: from mail121-co1 (localhost [127.0.0.1])	by mail121-co1-R.bigfish.com (Postfix) with ESMTP id 84D597C00A5;	Wed, 26 Jun 2013 09:48:42 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.249.85;KIP:(null);UIP:(null);IPV:NLI;H:AMSPRD0710HT001.eurprd07.prod.outlook.com;RD:none;EFVD:NLI
X-SpamScore: -17
X-BigFish: PS-17(zzbb2dI98dI9371I542I1432I4015Izz1f42h1ee6h1de0h1fdah1202h1e76h1d1ah1d2ah1fc6hzc2hz8275ch1033IL8275bh8275dhz2dh2a8h5a9h668h839h947hd24hf0ah1177h1179h1288h12a5h12a9h12bdh137ah139eh13b6h1441h1504h1537h162dh1631h1758h17f1h184fh1898h18e1h1946h19b5h19ceh1ad9h1b0ah1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1e23h304l1d11m1155h)
Received: from mail121-co1 (localhost.localdomain [127.0.0.1]) by mail121-co1 (MessageSwitch) id 1372240120244991_8209; Wed, 26 Jun 2013 09:48:40 +0000 (UTC)
Received: from CO1EHSMHS019.bigfish.com (unknown [10.243.78.231])	by mail121-co1.bigfish.com (Postfix) with ESMTP id 2EE7AA40055;	Wed, 26 Jun 2013 09:48:40 +0000 (UTC)
Received: from AMSPRD0710HT001.eurprd07.prod.outlook.com (157.56.249.85) by CO1EHSMHS019.bigfish.com (10.243.66.29) with Microsoft SMTP Server (TLS) id 14.1.225.23; Wed, 26 Jun 2013 09:48:40 +0000
Received: from DBXPRD0411HT001.eurprd04.prod.outlook.com (157.56.253.165) by pod51017.outlook.com (10.255.160.164) with Microsoft SMTP Server (TLS) id 14.16.324.0; Wed, 26 Jun 2013 09:48:33 +0000
Message-ID: <022c01ce7252$65dead60$4001a8c0@gateway.2wire.net>
From: t.petch <ietfc@btconnect.com>
To: Kent Watsen <kwatsen@juniper.net>, Jeffrey Hutzelman <jhutz@cmu.edu>
CC: <netconf@ietf.org>, <ietf-ssh@NetBSD.org>
References: <CDEF89C3.3A22B%kwatsen@juniper.net>
Subject: Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
Date: Wed, 26 Jun 2013 10:44:05 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [157.56.253.165]
X-OriginatorOrg: btconnect.com
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

----- Original Message -----
From: "Kent Watsen" <kwatsen@juniper.net>
To: "t.petch" <ietfc@btconnect.com>; "Jeffrey Hutzelman" <jhutz@cmu.edu>
Cc: <netconf@ietf.org>
Sent: Tuesday, June 25, 2013 11:06 PM
On 6/25/13 10:44 AM, "t.petch" <ietfc@btconnect.com> wrote:
>It seems to me that call home needs a Signal, like an answerphone
>message (Please Call) and that that signal can be any PDU over any
>protocol but must specify the protocols to be used for the call -
>Netconf over SSH, SNMP over TLS, etc.
>
>Here the signal seems to be a 3-way handshake, in which case the
>destination port would have to differentiate between the protocol
>combinations and so this cannot be a generic mechanism.  The security
>consideration that then comes first to me is a DoS attack via the 3-way
>handshake, nothing to do with SAAG but rather TCPM territory.

I'm not following your analogy, but I agree that there is a DoS attack, as
there is with any open TCP port, perhaps worse because it can start
expensive asymmetric key algs.  Of course, many people I know claim that
they'd rather see the app get DoS-ed over the device, since it can more
easily overcome such an event.


>It would seem from the I-D that whether the TCP connection is reused, or
>whether the Netconf client fires up a fresh connection is unspecified; I
>would assume the latter, to the regular port on the Netconf server.

We (Juniper) have also explored this - using SNMP Traps actually.  It
works fairly well for automating the discovery of devices with static IPs
on a reachable network, but not at all when the devices are behind a
firewall that won't allow inbound SSH connections.

<tp>

I am really confused.  If the device/netconf server will not allow
inbound SSH connections,  then I cannot see how your I-D can work.  It
has the device setting up a TCP connection on a port which signals to
the Netconf client/NMS to make an SSH connection to the Netconf
server/device - which cannot succeed because the devices are behind a
firewall which won't allow inbound SSH connections.

So as I understand the design it cannot meet what I understand to be the
requirements.

Tom Petch
</tp>
Thanks,
Kent

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Wed Jun 26 04:26:46 2013
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0EAF21E8119 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 04:26:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level: 
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eQ8lYQjaYkLB for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 04:26:41 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) by ietfa.amsl.com (Postfix) with ESMTP id E7DED21E8086 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 26 Jun 2013 04:26:39 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id D995014A116; Wed, 26 Jun 2013 11:26:37 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 72A0414A0C9 for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 11:26:36 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id V9NQ3OrfFenK for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 11:26:35 +0000 (UTC)
Received: from mail.tail-f.com (de-2007.d.ipeer.se [213.180.74.102]) by mail.netbsd.org (Postfix) with ESMTP id A776714A11C for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 11:26:35 +0000 (UTC)
Received: from localhost (138.162.241.83.in-addr.dgcsystems.net [83.241.162.138]) by mail.tail-f.com (Postfix) with ESMTPSA id 8E3771200D00; Wed, 26 Jun 2013 12:08:52 +0200 (CEST)
Date: Wed, 26 Jun 2013 12:08:52 +0200 (CEST)
Message-Id: <20130626.120852.1934986189444174338.mbj@tail-f.com>
To: ietfc@btconnect.com
Cc: kwatsen@juniper.net, jhutz@cmu.edu, ietf-ssh@NetBSD.org, netconf@ietf.org
Subject: Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <022c01ce7252$65dead60$4001a8c0@gateway.2wire.net>
References: <CDEF89C3.3A22B%kwatsen@juniper.net> <022c01ce7252$65dead60$4001a8c0@gateway.2wire.net>
X-Mailer: Mew version 6.5rc2 on Emacs 23.4 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Hi,

t.petch <ietfc@btconnect.com> wrote:
> I am really confused.  If the device/netconf server will not allow
> inbound SSH connections,  then I cannot see how your I-D can work.  It
> has the device setting up a TCP connection on a port which signals to
> the Netconf client/NMS to make an SSH connection to the Netconf
> server/device

No, the device sets up the TCP connection, and then the SSH protocol
is run on this connection.

  o  The NETCONF client accepts an incoming TCP connection and
     immediately starts the SSH client protocol. 

This can probably be made more clear in the text...


/martin

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Wed Jun 26 07:24:22 2013
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBBF921F9FE2 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 07:24:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.209
X-Spam-Level: 
X-Spam-Status: No, score=-3.209 tagged_above=-999 required=5 tests=[AWL=-0.210, BAYES_00=-2.599, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ULxtj-szT8hu for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 07:24:12 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) by ietfa.amsl.com (Postfix) with ESMTP id A4EA821F9A3E for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 26 Jun 2013 07:24:12 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id ABA6314A109; Wed, 26 Jun 2013 14:24:08 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id BECA014A116 for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 14:24:04 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id AhsOek80NHDR for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 14:24:04 +0000 (UTC)
Received: from va3outboundpool.messaging.microsoft.com (va3ehsobe010.messaging.microsoft.com [216.32.180.30]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id BE8EA14A0F3 for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 14:24:03 +0000 (UTC)
Received: from mail34-va3-R.bigfish.com (10.7.14.243) by VA3EHSOBE009.bigfish.com (10.7.40.29) with Microsoft SMTP Server id 14.1.225.23; Wed, 26 Jun 2013 13:08:46 +0000
Received: from mail34-va3 (localhost [127.0.0.1])	by mail34-va3-R.bigfish.com (Postfix) with ESMTP id 39EC32A0122;	Wed, 26 Jun 2013 13:08:46 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.249.85;KIP:(null);UIP:(null);IPV:NLI;H:AMSPRD0710HT001.eurprd07.prod.outlook.com;RD:none;EFVD:NLI
X-SpamScore: -15
X-BigFish: PS-15(zz98dI9371I542I1432Izz1f42h1ee6h1de0h1fdah1202h1e76h1d1ah1d2ah1fc6hzz8275ch1033IL8275bh8275dhz2dh2a8h5a9h668h839h947hd24hf0ah1177h1179h1288h12a5h12a9h12bdh137ah139eh13b6h1441h1504h1537h162dh1631h1758h17f1h184fh1898h18e1h1946h19b5h19ceh1ad9h1b0ah1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1e23h304l1d11m1155h)
Received: from mail34-va3 (localhost.localdomain [127.0.0.1]) by mail34-va3 (MessageSwitch) id 1372252124584119_4487; Wed, 26 Jun 2013 13:08:44 +0000 (UTC)
Received: from VA3EHSMHS027.bigfish.com (unknown [10.7.14.238])	by mail34-va3.bigfish.com (Postfix) with ESMTP id 89C871E0063;	Wed, 26 Jun 2013 13:08:44 +0000 (UTC)
Received: from AMSPRD0710HT001.eurprd07.prod.outlook.com (157.56.249.85) by VA3EHSMHS027.bigfish.com (10.7.99.37) with Microsoft SMTP Server (TLS) id 14.1.225.23; Wed, 26 Jun 2013 13:08:36 +0000
Received: from DBXPRD0411HT005.eurprd04.prod.outlook.com (157.56.253.165) by pod51017.outlook.com (10.255.160.164) with Microsoft SMTP Server (TLS) id 14.16.324.0; Wed, 26 Jun 2013 13:08:34 +0000
Message-ID: <02bd01ce726e$56c45700$4001a8c0@gateway.2wire.net>
From: t.petch <ietfc@btconnect.com>
To: Martin Bjorklund <mbj@tail-f.com>
CC: <kwatsen@juniper.net>, <ietf-ssh@NetBSD.org>, <netconf@ietf.org>
References: <CDEF89C3.3A22B%kwatsen@juniper.net><022c01ce7252$65dead60$4001a8c0@gateway.2wire.net> <20130626.120852.1934986189444174338.mbj@tail-f.com>
Subject: Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
Date: Wed, 26 Jun 2013 14:09:00 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [157.56.253.165]
X-OriginatorOrg: btconnect.com
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

----- Original Message -----
From: "Martin Bjorklund" <mbj@tail-f.com>
To: <ietfc@btconnect.com>
Cc: <kwatsen@juniper.net>; <jhutz@cmu.edu>; <ietf-ssh@NetBSD.org>;
<netconf@ietf.org>
Sent: Wednesday, June 26, 2013 11:08 AM

> t.petch <ietfc@btconnect.com> wrote:
> > I am really confused.  If the device/netconf server will not allow
> > inbound SSH connections,  then I cannot see how your I-D can work.  It
> > has the device setting up a TCP connection on a port which signals to
> > the Netconf client/NMS to make an SSH connection to the Netconf
> > server/device
>
> No, the device sets up the TCP connection, and then the SSH protocol
> is run on this connection.
>
>   o  The NETCONF client accepts an incoming TCP connection and
>      immediately starts the SSH client protocol.
>
> This can probably be made more clear in the text...

Martin

Yes!  That is exactly what I said.  But what I also said is that Kent says
"It works fairly well for automating the discovery of devices with static
IPs on a reachable network, but not at all when the devices are behind a
firewall that won't allow inbound SSH connections."

Works not at all ..  when the devices are behind a firewall.

So if devices behind a firewall is a requirement, then the design fails
to meet it.

If that is not a requirement, why has Kent raised it (and it has been
raised before)?

This should confuse everyone (not just me:-)

Tom Petch
>
>
> /martin
>



From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Wed Jun 26 10:54:14 2013
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B383121F9FCC for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 10:54:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.134
X-Spam-Level: 
X-Spam-Status: No, score=-1.134 tagged_above=-999 required=5 tests=[AWL=-1.667, BAYES_00=-2.599, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p++1v0wRyBNv for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 10:54:02 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) by ietfa.amsl.com (Postfix) with ESMTP id 1553721F9EE0 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 26 Jun 2013 10:54:02 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id D333A14A11B; Wed, 26 Jun 2013 17:53:58 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 2A8C014A116 for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 17:53:55 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id K9OzJxVWzaIT for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 17:53:54 +0000 (UTC)
Received: from db9outboundpool.messaging.microsoft.com (mail-db9lp0251.outbound.messaging.microsoft.com [213.199.154.251]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id DD90E14A0CD for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 17:53:53 +0000 (UTC)
Received: from mail143-db9-R.bigfish.com (10.174.16.247) by DB9EHSOBE041.bigfish.com (10.174.14.104) with Microsoft SMTP Server id 14.1.225.23; Wed, 26 Jun 2013 16:38:39 +0000
Received: from mail143-db9 (localhost [127.0.0.1])	by mail143-db9-R.bigfish.com (Postfix) with ESMTP id ECEE640171	for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 16:38:38 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:66.129.224.50;KIP:(null);UIP:(null);IPV:NLI;H:P-EMHUB03-HQ.jnpr.net;RD:none;EFVD:NLI
X-SpamScore: -5
X-BigFish: VPS-5(zzbb2dI98dI9371I1432I4015Izz1f42h1ee6h1de0h1fdah1202h1e76h1d1ah1d2ah1fc6hzz8275bhz2fh2a8h683h839h944he5bhf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h1ad9h1b0ah1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1e1dh1155h)
Received-SPF: pass (mail143-db9: domain of juniper.net designates 66.129.224.50 as permitted sender) client-ip=66.129.224.50; envelope-from=kwatsen@juniper.net; helo=P-EMHUB03-HQ.jnpr.net ;-HQ.jnpr.net ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.245.197;KIP:(null);UIP:(null);(null);H:CH1PRD0511HT003.namprd05.prod.outlook.com;R:internal;EFV:INT
Received: from mail143-db9 (localhost.localdomain [127.0.0.1]) by mail143-db9 (MessageSwitch) id 137226471786219_22946; Wed, 26 Jun 2013 16:38:37 +0000 (UTC)
Received: from DB9EHSMHS001.bigfish.com (unknown [10.174.16.232])	by mail143-db9.bigfish.com (Postfix) with ESMTP id 10FF33C0046	for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 16:38:37 +0000 (UTC)
Received: from P-EMHUB03-HQ.jnpr.net (66.129.224.50) by DB9EHSMHS001.bigfish.com (10.174.14.11) with Microsoft SMTP Server (TLS) id 14.16.227.3; Wed, 26 Jun 2013 16:38:35 +0000
Received: from P-CLDFE01-HQ.jnpr.net (172.24.192.59) by P-EMHUB03-HQ.jnpr.net (172.24.192.37) with Microsoft SMTP Server (TLS) id 8.3.213.0; Wed, 26 Jun 2013 09:38:18 -0700
Received: from o365mail.juniper.net (207.17.137.149) by o365mail.juniper.net (172.24.192.59) with Microsoft SMTP Server id 14.1.355.2; Wed, 26 Jun 2013 09:38:17 -0700
Received: from ch1outboundpool.messaging.microsoft.com (216.32.181.186) by o365mail.juniper.net (207.17.137.149) with Microsoft SMTP Server (TLS) id 14.1.355.2; Wed, 26 Jun 2013 09:42:33 -0700
Received: from mail4-ch1-R.bigfish.com (10.43.68.235) by CH1EHSOBE010.bigfish.com (10.43.70.60) with Microsoft SMTP Server id 14.1.225.23; Wed, 26 Jun 2013 16:38:17 +0000
Received: from mail4-ch1 (localhost [127.0.0.1])	by mail4-ch1-R.bigfish.com (Postfix) with ESMTP id 701864E024D	for <ietf-ssh@NetBSD.org.FOPE.CONNECTOR.OVERRIDE>; Wed, 26 Jun 2013 16:38:17 +0000 (UTC)
Received: from mail4-ch1 (localhost.localdomain [127.0.0.1]) by mail4-ch1 (MessageSwitch) id 1372264695732506_29144; Wed, 26 Jun 2013 16:38:15 +0000 (UTC)
Received: from CH1EHSMHS036.bigfish.com (snatpool2.int.messaging.microsoft.com [10.43.68.239])	by mail4-ch1.bigfish.com (Postfix) with ESMTP id A5FF5A084C; Wed, 26 Jun 2013 16:38:15 +0000 (UTC)
Received: from CH1PRD0511HT003.namprd05.prod.outlook.com (157.56.245.197) by CH1EHSMHS036.bigfish.com (10.43.69.245) with Microsoft SMTP Server (TLS) id 14.1.225.23; Wed, 26 Jun 2013 16:38:14 +0000
Received: from CH1PRD0511MB407.namprd05.prod.outlook.com ([169.254.5.216]) by CH1PRD0511HT003.namprd05.prod.outlook.com ([10.255.159.38]) with mapi id 14.16.0324.000; Wed, 26 Jun 2013 16:38:13 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: t.petch <ietfc@btconnect.com>, Martin Bjorklund <mbj@tail-f.com>
CC: "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, "netconf@ietf.org" <netconf@ietf.org>
Subject: Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
Thread-Topic: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
Thread-Index: AQHOcRTSVLNZ5bG3CkeqP19tE7+OCZlGg4QogAA34ACAAQdCEYAABYEAgAAyU13///dpAA==
Date: Wed, 26 Jun 2013 16:38:13 +0000
Message-ID: <CDF08DE0.3A2FB%kwatsen@juniper.net>
In-Reply-To: <02bd01ce726e$56c45700$4001a8c0@gateway.2wire.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.2.130206
x-originating-ip: [10.255.159.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <C9E3A98749E62D4293E0A895AA52989D@namprd05.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%12219$Dn%BTCONNECT.COM$RO%2$TLS%5$FQDN%onpremiseedge-1018244.customer.frontbridge.com$TlsDn%o365mail.juniper.net
X-FOPE-CONNECTOR: Id%12219$Dn%TAIL-F.COM$RO%2$TLS%5$FQDN%onpremiseedge-1018244.customer.frontbridge.com$TlsDn%o365mail.juniper.net
X-FOPE-CONNECTOR: Id%12219$Dn%NETBSD.ORG$RO%2$TLS%5$FQDN%onpremiseedge-1018244.customer.frontbridge.com$TlsDn%o365mail.juniper.net
X-FOPE-CONNECTOR: Id%12219$Dn%IETF.ORG$RO%2$TLS%5$FQDN%onpremiseedge-1018244.customer.frontbridge.com$TlsDn%o365mail.juniper.net
X-OriginatorOrg: juniper.net
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

On 6/26/13 9:09 AM, "t.petch" <ietfc@btconnect.com> wrote:

>
>Yes!  That is exactly what I said.  But what I also said is that Kent
>says
>" It works fairly well for automating the discovery of devices with
>static IPs
>on a reachable network, but not at all when the devices are behind a
>firewall that won't allow inbound SSH connections."
>
>Works not at all ..  when the devices are behind a firewall.
>
>So if devices behind a firewall is a requirement, then the design fails
>to meet it.
>
>If that is not a requirement, why has Kent raised it (and it has been
>raised before)?
>
>This should confuse everyone (not just me:-)


Hi Tom,

By saying a firewall wouldn't allow inbound SSH connections, let's
simplify and assume the firewall doesn't allow any inbound TCP
connections, but outbound TCP-connections are fine.

The proposed solution is to repurpose the TCP connection initiated from
behind the firewall.  Once the network management application accepts the
TCP connection, it can pass the accepted TCP socket into its SSH client of
choice (e.g. a SSH library like J2SSH or even using OpenSSH's
"ControlPath" parameter).  On the "device" side, the accepted TCP
connection can be passed into an SSH server - for instance using `sshd -i`
exactly like `inetd` would do when listening on port 22.

Does it make sense now?   [Martin is right that this section of the draft
could be clearer]

Thanks,
Kent









From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Wed Jun 26 11:22:38 2013
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6140321F9A38 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 11:22:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.131
X-Spam-Level: 
X-Spam-Status: No, score=-1.131 tagged_above=-999 required=5 tests=[AWL=-1.664, BAYES_00=-2.599, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VB+j54g3WjpU for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 11:22:32 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) by ietfa.amsl.com (Postfix) with ESMTP id AD82321F9C73 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 26 Jun 2013 11:22:25 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 1ACB314A120; Wed, 26 Jun 2013 18:22:25 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 6D11714A11F for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 18:22:20 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id P2p3IY5KGLwM for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 18:22:19 +0000 (UTC)
Received: from db8outboundpool.messaging.microsoft.com (mail-db8lp0188.outbound.messaging.microsoft.com [213.199.154.188]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 4554514A11C for <ietf-ssh@NetBSD.org>; Wed, 26 Jun 2013 18:22:18 +0000 (UTC)
Received: from mail60-db8-R.bigfish.com (10.174.8.225) by DB8EHSOBE010.bigfish.com (10.174.4.73) with Microsoft SMTP Server id 14.1.225.23; Wed, 26 Jun 2013 17:37:07 +0000
Received: from mail60-db8 (localhost [127.0.0.1])	by mail60-db8-R.bigfish.com (Postfix) with ESMTP id D7B8C3003FE;	Wed, 26 Jun 2013 17:37:07 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.250.181;KIP:(null);UIP:(null);IPV:NLI;H:AMSPRD0711HT003.eurprd07.prod.outlook.com;RD:none;EFVD:NLI
X-SpamScore: -17
X-BigFish: PS-17(zzbb2dI98dI9371I542I1432I4015Izz1f42h1ee6h1de0h1fdah1202h1e76h1d1ah1d2ah1fc6hzc2hz8275ch1033IL8275bh8275dhz2dh2a8h5a9h668h839h947hd24hf0ah1177h1179h1288h12a5h12a9h12bdh137ah139eh13b6h1441h1504h1537h162dh1631h1758h17f1h184fh1898h18e1h1946h19b5h19ceh1ad9h1b0ah1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1e23h304l1d11m1155h)
Received: from mail60-db8 (localhost.localdomain [127.0.0.1]) by mail60-db8 (MessageSwitch) id 1372268225640768_15823; Wed, 26 Jun 2013 17:37:05 +0000 (UTC)
Received: from DB8EHSMHS028.bigfish.com (unknown [10.174.8.235])	by mail60-db8.bigfish.com (Postfix) with ESMTP id 7A555B8004E;	Wed, 26 Jun 2013 17:37:05 +0000 (UTC)
Received: from AMSPRD0711HT003.eurprd07.prod.outlook.com (157.56.250.181) by DB8EHSMHS028.bigfish.com (10.174.4.38) with Microsoft SMTP Server (TLS) id 14.16.227.3; Wed, 26 Jun 2013 17:37:04 +0000
Received: from DBXPRD0411HT004.eurprd04.prod.outlook.com (157.56.253.165) by pod51017.outlook.com (10.242.14.164) with Microsoft SMTP Server (TLS) id 14.16.324.0; Wed, 26 Jun 2013 17:37:04 +0000
Message-ID: <035301ce7293$d8bac1c0$4001a8c0@gateway.2wire.net>
From: t.petch <ietfc@btconnect.com>
To: Kent Watsen <kwatsen@juniper.net>, Martin Bjorklund <mbj@tail-f.com>
CC: <ietf-ssh@NetBSD.org>, <netconf@ietf.org>
References: <CDF08DE0.3A2FB%kwatsen@juniper.net>
Subject: Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
Date: Wed, 26 Jun 2013 18:36:25 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [157.56.253.165]
X-OriginatorOrg: btconnect.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%0$Dn%JUNIPER.NET$RO%1$TLS%0$FQDN%$TlsDn%
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

----- Original Message -----
From: "Kent Watsen" <kwatsen@juniper.net>
To: "t.petch" <ietfc@btconnect.com>; "Martin Bjorklund" <mbj@tail-f.com>
Cc: <ietf-ssh@NetBSD.org>; <netconf@ietf.org>
Sent: Wednesday, June 26, 2013 5:38 PM
On 6/26/13 9:09 AM, "t.petch" <ietfc@btconnect.com> wrote:

>
>Yes!  That is exactly what I said.  But what I also said is that Kent
>says
>" It works fairly well for automating the discovery of devices with
>static IPs
>on a reachable network, but not at all when the devices are behind a
>firewall that won't allow inbound SSH connections."
>
>Works not at all ..  when the devices are behind a firewall.
>
>So if devices behind a firewall is a requirement, then the design fails
>to meet it.
>
>If that is not a requirement, why has Kent raised it (and it has been
>raised before)?
>
>This should confuse everyone (not just me:-)


Hi Tom,

By saying a firewall wouldn't allow inbound SSH connections, let's
simplify and assume the firewall doesn't allow any inbound TCP
connections, but outbound TCP-connections are fine.

The proposed solution is to repurpose the TCP connection initiated from
behind the firewall.  Once the network management application accepts the
TCP connection, it can pass the accepted TCP socket into its SSH client of
choice (e.g. a SSH library like J2SSH or even using OpenSSH's
"ControlPath" parameter).  On the "device" side, the accepted TCP
connection can be passed into an SSH server - for instance using `sshd -i`
exactly like `inetd` would do when listening on port 22.

Does it make sense now?   [Martin is right that this section of the draft
could be clearer]

<tp>
Yes, that I understand.

But ... the firewalls I know, at least the better ones, can look for and
reject PDU of protocols such as SSH, regardless of which ports the TCP
connection is using.  So in that sense, a device behind a firewall that
filters SSH connections still cannot be accessed.  Is this an acceptable
limitation?

My other point is that I cannot see how this is a generic solution as
the I-D claims.  You need something to signal that this three-way TCP
handshake is for Netconf over SSH and the only parameter I can see is
the port number, so this I-D cannot be used for anything else over
anything else; each combination of protocols will need a different port
number.

Tom Petch

</tp>


Thanks,
Kent











From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Wed Jun 26 12:31:36 2013
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C415E21F9E82 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 12:31:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level: 
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[AWL=0.699, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ABuNOB-EYnxq for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 26 Jun 2013 12:31:36 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) by ietfa.amsl.com (Postfix) with ESMTP id 2819521F9E30 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 26 Jun 2013 12:31:36 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id D17DE14A0E0; Wed, 26 Jun 2013 19:31:32 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id 78AEA14A0DF; Wed, 26 Jun 2013 19:31:32 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id ED19B14A11C for <ietf-ssh@netbsd.org>; Wed, 26 Jun 2013 17:14:00 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id UIYmZ12Xk5Wr for <ietf-ssh@netbsd.org>; Wed, 26 Jun 2013 17:14:00 +0000 (UTC)
Received: from mail-pb0-x235.google.com (mail-pb0-x235.google.com [IPv6:2607:f8b0:400e:c01::235]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 216DD14A116 for <ietf-ssh@netbsd.org>; Wed, 26 Jun 2013 17:13:59 +0000 (UTC)
Received: by mail-pb0-f53.google.com with SMTP id xb12so14366422pbc.26 for <ietf-ssh@netbsd.org>; Wed, 26 Jun 2013 10:13:59 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=vPb4lrjSIrVgoEixH5cIZAcxtpaqE6qYb2X3FeOj0Tg=; b=C8bYhBTFJpJ+sOiOFc5IN6rMyJ5RNgU+lOl0er9K6B24+x06XBYp6rKT6LtQokMKMM WLQrJq7b8Mr7DLr2wue52lhj1OK8mnlD3GQUG9MTJj/FoBUasoukUJHELh4Sp86kPkzT 6m4NpPkeMIdHC7qnBd3T/FP9bsmfScJTuvMSlp6DhLOsuzO1sqSJyT/j+U96cFAfrqNe PcVSmvmThd0QHNS4ZJyEbFouu210gk76fSCpzN0A5b0Jg1dBB20aCuW7gS1m4Er1aLKb JoSt0sgnqW1R5ZDHmY7Dy/mVKGbrg1x7ujjkN/1gcWmdM+9vmXBL/pKhNWDc/OoWyoYe 9sxA==
MIME-Version: 1.0
X-Received: by 10.68.111.228 with SMTP id il4mr1693507pbb.134.1372266839561; Wed, 26 Jun 2013 10:13:59 -0700 (PDT)
Received: by 10.70.48.233 with HTTP; Wed, 26 Jun 2013 10:13:59 -0700 (PDT)
In-Reply-To: <CDF08DE0.3A2FB%kwatsen@juniper.net>
References: <02bd01ce726e$56c45700$4001a8c0@gateway.2wire.net> <CDF08DE0.3A2FB%kwatsen@juniper.net>
Date: Wed, 26 Jun 2013 10:13:59 -0700
Message-ID: <CABCOCHSedYqv8kaVO53uxn8X5-eUZ3f-Ez3PamAjuPJPWKadxg@mail.gmail.com>
Subject: Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
From: Andy Bierman <andy@yumaworks.com>
To: Kent Watsen <kwatsen@juniper.net>
Cc: "t.petch" <ietfc@btconnect.com>, Martin Bjorklund <mbj@tail-f.com>,  "ietf-ssh@NetBSD.org" <ietf-ssh@netbsd.org>, "netconf@ietf.org" <netconf@ietf.org>
Content-Type: multipart/alternative; boundary=047d7b67201a8268d804e011c56b
X-Gm-Message-State: ALoCoQkrxKrPvwcc2U/YqUt4xT3hTKYEpXF+kzO29RE7J+D3lEvM+4y4p/biKcvVitOrxn9sFEGa
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

--047d7b67201a8268d804e011c56b
Content-Type: text/plain; charset=ISO-8859-1

On Wed, Jun 26, 2013 at 9:38 AM, Kent Watsen <kwatsen@juniper.net> wrote:

>
>
> On 6/26/13 9:09 AM, "t.petch" <ietfc@btconnect.com> wrote:
>
> >
> >Yes!  That is exactly what I said.  But what I also said is that Kent
> >says
> >" It works fairly well for automating the discovery of devices with
> >static IPs
> >on a reachable network, but not at all when the devices are behind a
> >firewall that won't allow inbound SSH connections."
> >
> >Works not at all ..  when the devices are behind a firewall.
> >
> >So if devices behind a firewall is a requirement, then the design fails
> >to meet it.
> >
> >If that is not a requirement, why has Kent raised it (and it has been
> >raised before)?
> >
> >This should confuse everyone (not just me:-)
>
>
> Hi Tom,
>
> By saying a firewall wouldn't allow inbound SSH connections, let's
> simplify and assume the firewall doesn't allow any inbound TCP
> connections, but outbound TCP-connections are fine.
>
> The proposed solution is to repurpose the TCP connection initiated from
> behind the firewall.  Once the network management application accepts the
> TCP connection, it can pass the accepted TCP socket into its SSH client of
> choice (e.g. a SSH library like J2SSH or even using OpenSSH's
> "ControlPath" parameter).  On the "device" side, the accepted TCP
> connection can be passed into an SSH server - for instance using `sshd -i`
> exactly like `inetd` would do when listening on port 22.
>
> Does it make sense now?   [Martin is right that this section of the draft
> could be clearer]
>
>
There are valid use-cases (e.g., SOHO) for wanting a manageable device
to connect to its manager from behind a firewall. IMO it's up to the
Security Area to figure out how to do that, not NETCONF, but as long as
the proper reviewers are found, that is not too important.

Does the client have to be pre-configured with all the keys of the servers
it will accept these connections from in advance?  How does the client
decide to start an SSH session on the open connection or just drop it?


> Thanks,
> Kent
>
>



Andy
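
The hand-off Kent describes above (accept the device's outbound TCP connection, then give the socket to an SSH client on the manager side and to `sshd -i` on the device side), together with Andy's question about when the manager should start SSH on an accepted connection or just drop it, as an added Python example that is not part of the thread, the draft, or any product mentioned in it. A tiny shell command stands in for `sshd -i` so it runs without OpenSSH, and every banner and probe byte in it is constructed. The manager's gate only checks that the peer's first line is an RFC 4253 identification string, which is unauthenticated; the decision to trust a device still rests on the host-key check the SSH client performs once it is handed the socket, which is why the banner is peeked at with MSG_PEEK and never consumed.

```python
"""Reverse-SSH hand-off on loopback (added example, not code from the draft or
from anyone in the thread). The device opens the TCP connection; the manager
accepts it, peeks at the first line to decide whether to start SSH at all, and
each side then gives the socket to a child as stdin/stdout, as `sshd -i` expects."""
import socket
import subprocess
import threading
import time

# Stand-in for `sshd -i` (assumption): send an identification line, then echo.
FAKE_SSHD = ["sh", "-c", "printf 'SSH-2.0-demo_device\\r\\n'; exec cat"]
MAX_IDENT_LEN = 255  # RFC 4253 section 4.2: identification line limit

def parse_ssh_identification(line):
    """Return (protoversion, softwareversion, comments) for a valid RFC 4253
    identification line, else None. Only protocol version 2.0 is accepted."""
    if len(line) > MAX_IDENT_LEN or not line.endswith(b"\r\n"):
        return None
    ident, _, comments = line[:-2].partition(b" ")
    parts = ident.split(b"-", 2)
    if len(parts) != 3 or parts[0] != b"SSH" or parts[1] != b"2.0" or not parts[2]:
        return None
    return (parts[1].decode(), parts[2].decode(errors="replace"),
            comments.decode(errors="replace"))

def peek_identification(sock, timeout=5.0):
    """Look at the peer's first line with MSG_PEEK so nothing is consumed and
    the socket can still be handed, untouched, to a real SSH client."""
    deadline = time.monotonic() + timeout
    sock.settimeout(timeout)
    try:
        while True:
            data = sock.recv(MAX_IDENT_LEN, socket.MSG_PEEK)
            if not data:
                return None  # peer closed without sending anything
            if b"\n" in data or len(data) >= MAX_IDENT_LEN:
                return data.partition(b"\n")[0] + b"\n"
            if time.monotonic() > deadline:
                return None
            time.sleep(0.02)  # partial line: wait for the rest, still unconsumed
    except OSError:  # timeout, reset, ...
        return None
    finally:
        # A timeout leaves the descriptor non-blocking; restore blocking mode
        # before any child process inherits it.
        sock.settimeout(None)

def accept_call_home(listener):
    """Manager side: accept one connection and decide whether to start SSH on
    it. Returns (socket, identification line) or None when dropped. The line is
    unauthenticated: the device is identified only by the host-key check the
    SSH client performs once it is given the socket."""
    sock, _peer = listener.accept()
    line = peek_identification(sock)
    if line is None or parse_ssh_identification(line) is None:
        sock.close()  # not SSH, or too slow: drop before spending a handshake
        return None
    return sock, line

def serve_on_socket(sock, command):
    """inetd-style hand-off: run `command` with the connected socket as its
    stdin and stdout (what `sshd -i` expects) and wait for it to finish."""
    proc = subprocess.Popen(command, stdin=sock.fileno(), stdout=sock.fileno())
    sock.close()  # the child holds its own descriptor now
    return proc.wait()

def call_home(manager_addr, command=FAKE_SSHD):
    """Device side: open the outbound TCP connection the firewall permits and
    hand it to the SSH server process."""
    return serve_on_socket(socket.create_connection(manager_addr), command)

def demo():
    """Run both sides over loopback and report what the manager observed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    addr = listener.getsockname()
    observed = {"ident": None, "echo": None, "stray_accepted": None}
    # Case 1: a device calls home; the manager validates the banner and, in
    # place of a real SSH client, exchanges one line with the device's server.
    device = threading.Thread(target=call_home, args=(addr,))
    device.start()
    accepted = accept_call_home(listener)
    if accepted is not None:
        sock, line = accepted
        observed["ident"] = parse_ssh_identification(line)
        sock.recv(len(line), socket.MSG_WAITALL)  # an SSH client would read this itself
        sock.sendall(b"probe\n")
        observed["echo"] = sock.recv(64)
        sock.close()  # EOF makes the stand-in server exit
    device.join(timeout=10)
    # Case 2: a stray peer speaking HTTP is dropped before any SSH work.
    def stray():
        with socket.create_connection(addr) as s:
            s.sendall(b"GET / HTTP/1.0\r\n\r\n")
    peer = threading.Thread(target=stray)
    peer.start()
    observed["stray_accepted"] = accept_call_home(listener) is not None
    peer.join(timeout=10)
    listener.close()
    return observed
```

`demo()` runs both cases on 127.0.0.1. One detail worth noting for anyone wiring a real `ssh`/`sshd` in: setting a timeout on a Python socket switches the descriptor to non-blocking mode, so it is reset before the hand-off, otherwise the child would see EAGAIN on its stdin.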

--047d7b67201a8268d804e011c56b--

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Fri Jun 28 14:41:44 2013
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BBD521F9CD7 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Fri, 28 Jun 2013 14:41:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.467
X-Spam-Level: 
X-Spam-Status: No, score=-1.467 tagged_above=-999 required=5 tests=[AWL=2.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TpynyapRHVuQ for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Fri, 28 Jun 2013 14:41:38 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) by ietfa.amsl.com (Postfix) with ESMTP id E2D7D21F9CE1 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Fri, 28 Jun 2013 14:41:34 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 6ED5B14A105; Fri, 28 Jun 2013 21:41:30 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 0638614A0F0 for <ietf-ssh@NetBSD.org>; Fri, 28 Jun 2013 21:41:27 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id mY8OuQmYAq93 for <ietf-ssh@NetBSD.org>; Fri, 28 Jun 2013 21:41:26 +0000 (UTC)
Received: from co9outboundpool.messaging.microsoft.com (co9ehsobe004.messaging.microsoft.com [207.46.163.27]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 193F314A0CC for <ietf-ssh@NetBSD.org>; Fri, 28 Jun 2013 21:41:25 +0000 (UTC)
Received: from mail131-co9-R.bigfish.com (10.236.132.247) by CO9EHSOBE008.bigfish.com (10.236.130.71) with Microsoft SMTP Server id 14.1.225.23; Fri, 28 Jun 2013 21:26:20 +0000
Received: from mail131-co9 (localhost [127.0.0.1])	by mail131-co9-R.bigfish.com (Postfix) with ESMTP id A85C53C0658	for <ietf-ssh@NetBSD.org>; Fri, 28 Jun 2013 21:26:20 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:66.129.224.53;KIP:(null);UIP:(null);IPV:NLI;H:P-EMHUB03-HQ.jnpr.net;RD:none;EFVD:NLI
X-SpamScore: -5
X-BigFish: PS-5(zzbb2dI98dI9371I1432I4015Izz1f42h1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzz8275bhz2fh2a8h683h839h944he5bhf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h1ad9h1b0ah1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1e1dh1155h)
Received-SPF: pass (mail131-co9: domain of juniper.net designates 66.129.224.53 as permitted sender) client-ip=66.129.224.53; envelope-from=kwatsen@juniper.net; helo=P-EMHUB03-HQ.jnpr.net ;-HQ.jnpr.net ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.245.197;KIP:(null);UIP:(null);(null);H:CH1PRD0511HT003.namprd05.prod.outlook.com;R:internal;EFV:INT
Received: from mail131-co9 (localhost.localdomain [127.0.0.1]) by mail131-co9 (MessageSwitch) id 1372454777866531_21577; Fri, 28 Jun 2013 21:26:17 +0000 (UTC)
Received: from CO9EHSMHS025.bigfish.com (unknown [10.236.132.243])	by mail131-co9.bigfish.com (Postfix) with ESMTP id D104F340060	for <ietf-ssh@NetBSD.org>; Fri, 28 Jun 2013 21:26:17 +0000 (UTC)
Received: from P-EMHUB03-HQ.jnpr.net (66.129.224.53) by CO9EHSMHS025.bigfish.com (10.236.130.35) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 28 Jun 2013 21:26:17 +0000
Received: from P-CLDFE01-HQ.jnpr.net (172.24.192.59) by P-EMHUB03-HQ.jnpr.net (172.24.192.37) with Microsoft SMTP Server (TLS) id 8.3.213.0; Fri, 28 Jun 2013 14:26:16 -0700
Received: from o365mail.juniper.net (207.17.137.149) by o365mail.juniper.net (172.24.192.59) with Microsoft SMTP Server id 14.1.355.2; Fri, 28 Jun 2013 14:26:16 -0700
Received: from ch1outboundpool.messaging.microsoft.com (216.32.181.184) by o365mail.juniper.net (207.17.137.149) with Microsoft SMTP Server (TLS) id 14.1.355.2; Fri, 28 Jun 2013 14:30:25 -0700
Received: from mail141-ch1-R.bigfish.com (10.43.68.244) by CH1EHSOBE006.bigfish.com (10.43.70.56) with Microsoft SMTP Server id 14.1.225.22; Fri, 28 Jun 2013 21:26:14 +0000
Received: from mail141-ch1 (localhost [127.0.0.1])	by mail141-ch1-R.bigfish.com (Postfix) with ESMTP id CD0AC4002D3	for <ietf-ssh@NetBSD.org.FOPE.CONNECTOR.OVERRIDE>; Fri, 28 Jun 2013 21:26:14 +0000 (UTC)
Received: from mail141-ch1 (localhost.localdomain [127.0.0.1]) by mail141-ch1 (MessageSwitch) id 1372454771541203_18307; Fri, 28 Jun 2013 21:26:11 +0000 (UTC)
Received: from CH1EHSMHS042.bigfish.com (snatpool3.int.messaging.microsoft.com [10.43.68.227])	by mail141-ch1.bigfish.com (Postfix) with ESMTP id 771641A004D;	Fri, 28 Jun 2013 21:26:11 +0000 (UTC)
Received: from CH1PRD0511HT003.namprd05.prod.outlook.com (157.56.245.197) by CH1EHSMHS042.bigfish.com (10.43.69.251) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 28 Jun 2013 21:26:11 +0000
Received: from CH1PRD0511MB407.namprd05.prod.outlook.com ([169.254.5.216]) by CH1PRD0511HT003.namprd05.prod.outlook.com ([10.255.159.38]) with mapi id 14.16.0324.000; Fri, 28 Jun 2013 21:26:10 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: t.petch <ietfc@btconnect.com>, Martin Bjorklund <mbj@tail-f.com>
CC: "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, "netconf@ietf.org" <netconf@ietf.org>
Subject: Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
Thread-Topic: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
Thread-Index: AQHOcRTSVLNZ5bG3CkeqP19tE7+OCZlGg4QogAA34ACAAQdCEYAABYEAgAAyU13///dpAIAAU5X3gAMhhQA=
Date: Fri, 28 Jun 2013 21:26:10 +0000
Message-ID: <CDF37297.3AD1E%kwatsen@juniper.net>
In-Reply-To: <035301ce7293$d8bac1c0$4001a8c0@gateway.2wire.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.5.130515
x-originating-ip: [10.255.159.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <41262053C6FBD841869DBBB7A3C4B7D1@namprd05.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%12219$Dn%BTCONNECT.COM$RO%2$TLS%5$FQDN%onpremiseedge-1018244.customer.frontbridge.com$TlsDn%o365mail.juniper.net
X-FOPE-CONNECTOR: Id%12219$Dn%TAIL-F.COM$RO%2$TLS%5$FQDN%onpremiseedge-1018244.customer.frontbridge.com$TlsDn%o365mail.juniper.net
X-FOPE-CONNECTOR: Id%12219$Dn%NETBSD.ORG$RO%2$TLS%5$FQDN%onpremiseedge-1018244.customer.frontbridge.com$TlsDn%o365mail.juniper.net
X-FOPE-CONNECTOR: Id%12219$Dn%IETF.ORG$RO%2$TLS%5$FQDN%onpremiseedge-1018244.customer.frontbridge.com$TlsDn%o365mail.juniper.net
X-OriginatorOrg: juniper.net
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

On 6/26/13 1:36 PM, "t.petch" <ietfc@btconnect.com> wrote:

>Yes, that I understand.
>
>But ... the firewalls I know, at least the better ones, can look for and
>reject PDU of protocols such as SSH, regardless of which ports the TCP
>connection is using.  So in that sense, a device behind a firewall that
>filters SSH connections still cannot be accessed.  Is this an acceptable
>limitation?

I would think so - this is what Juniper has been doing for almost a decade
now and I've never heard this raised as an issue before.



>My other point is that I cannot see how this is a generic solution as
>the I-D claims.  You need something to signal that this three-way TCP
>handshake is for Netconf over SSH and the only parameter I can see is
>the port number, so this I-D cannot be used for anything else over
>anything else; each combination of protocols will need a different port
>number.


By "generic", the draft is trying to say that the solution applied to
solve this problem can equally well be applied to other protocols that use
SSH for their transport.

That said, I'll just add that the port number does not have to be bound to
how the application might use the SSH connection.  For instance, when a
Junos device connects to our management server, yes, it knows it can open
the "netconf" subsystem, but it also knows all the other subsystems it can
start...and it does!  For instance, it will open additional SSH channels
for SFTP, notifications, packet captures, etc.  It would've been easier if
SSH defined a subsystem-discovery mechanism, but we worked around that too.

Thanks,
Kent




From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Sat Jun 29 04:42:09 2013
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1A2821F9FD5 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 29 Jun 2013 04:42:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.25
X-Spam-Level: 
X-Spam-Status: No, score=-0.25 tagged_above=-999 required=5 tests=[AWL=-0.783, BAYES_00=-2.599, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2OW3Fn1Y4usj for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 29 Jun 2013 04:42:03 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) by ietfa.amsl.com (Postfix) with ESMTP id BCE2D21F9F19 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sat, 29 Jun 2013 04:42:02 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 9834114A170; Sat, 29 Jun 2013 11:41:59 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id C49EF14A16E for <ietf-ssh@NetBSD.org>; Sat, 29 Jun 2013 11:41:55 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id Vq8zeXe2gThD for <ietf-ssh@NetBSD.org>; Sat, 29 Jun 2013 11:41:55 +0000 (UTC)
Received: from db9outboundpool.messaging.microsoft.com (mail-db9lp0251.outbound.messaging.microsoft.com [213.199.154.251]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 8CBE314A166 for <ietf-ssh@NetBSD.org>; Sat, 29 Jun 2013 11:41:54 +0000 (UTC)
Received: from mail120-db9-R.bigfish.com (10.174.16.253) by DB9EHSOBE028.bigfish.com (10.174.14.91) with Microsoft SMTP Server id 14.1.225.23; Sat, 29 Jun 2013 11:26:45 +0000
Received: from mail120-db9 (localhost [127.0.0.1])	by mail120-db9-R.bigfish.com (Postfix) with ESMTP id 921954001EE;	Sat, 29 Jun 2013 11:26:45 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.249.85;KIP:(null);UIP:(null);IPV:NLI;H:AMSPRD0710HT001.eurprd07.prod.outlook.com;RD:none;EFVD:NLI
X-SpamScore: -17
X-BigFish: PS-17(zzbb2dI98dI9371I542I1432I4015Izz1f42h1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzc2hz8275ch1033IL8275bh8275dhz2dh2a8h5a9h668h839h947hd24hf0ah1177h1179h1288h12a5h12a9h12bdh137ah139eh13b6h1441h1504h1537h162dh1631h1758h17f1h184fh1898h18e1h1946h19b5h19ceh1ad9h1b0ah1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1e23h304l1d11m1155h)
Received: from mail120-db9 (localhost.localdomain [127.0.0.1]) by mail120-db9 (MessageSwitch) id 1372505204384834_4533; Sat, 29 Jun 2013 11:26:44 +0000 (UTC)
Received: from DB9EHSMHS028.bigfish.com (unknown [10.174.16.230])	by mail120-db9.bigfish.com (Postfix) with ESMTP id 4F6C918004B;	Sat, 29 Jun 2013 11:26:44 +0000 (UTC)
Received: from AMSPRD0710HT001.eurprd07.prod.outlook.com (157.56.249.85) by DB9EHSMHS028.bigfish.com (10.174.14.38) with Microsoft SMTP Server (TLS) id 14.16.227.3; Sat, 29 Jun 2013 11:26:43 +0000
Received: from DB3PRD0511HT003.eurprd05.prod.outlook.com (157.56.254.213) by pod51017.outlook.com (10.255.160.164) with Microsoft SMTP Server (TLS) id 14.16.324.0; Sat, 29 Jun 2013 11:26:33 +0000
Message-ID: <00bd01ce74bb$934e1f40$4001a8c0@gateway.2wire.net>
From: t.petch <ietfc@btconnect.com>
To: Kent Watsen <kwatsen@juniper.net>
CC: <ietf-ssh@NetBSD.org>, <netconf@ietf.org>
References: <CDF37297.3AD1E%kwatsen@juniper.net>
Subject: Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
Date: Sat, 29 Jun 2013 12:23:55 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [157.56.254.213]
X-OriginatorOrg: btconnect.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%0$Dn%JUNIPER.NET$RO%1$TLS%0$FQDN%$TlsDn%
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

----- Original Message -----
From: "Kent Watsen" <kwatsen@juniper.net>
To: "t.petch" <ietfc@btconnect.com>; "Martin Bjorklund" <mbj@tail-f.com>
Cc: <ietf-ssh@NetBSD.org>; <netconf@ietf.org>
Sent: Friday, June 28, 2013 10:26 PM
On 6/26/13 1:36 PM, "t.petch" <ietfc@btconnect.com> wrote:

>Yes, that I understand.
>
>But ... the firewalls I know, at least the better ones, can look for and
>reject PDU of protocols such as SSH, regardless of which ports the TCP
>connection is using.  So in that sense, a device behind a firewall that
>filters SSH connections still cannot be accessed.  Is this an acceptable
>limitation?

I would think so - this is what Juniper has been doing for almost a decade
now and I've never heard this raised as an issue before.

>My other point is that I cannot see how this is a generic solution as
>the I-D claims.  You need something to signal that this three-way TCP
>handshake is for Netconf over SSH and the only parameter I can see is
>the port number, so this I-D cannot be used for anything else over
>anything else; each combination of protocols will need a different port
>number.

By "generic", the draft is trying to say that the solution applied to
solve this problem can equally well be applied to other protocols that use
SSH for their transport.

<tp>
OK, so it is limited to reverse SSH (as opposed to a generic call home)
and that is what the I-D says, so that is ok.

But ... I would like to see a note added that the server/device must be
prepared to receive any SSH PDU and act appropriately and not just
assume it is netconf.  I am wondering if there is a Security
Consideration in there somewhere but cannot put my finger on one.

Tom Petch

</tp>

That said, I'll just add that the port number does not have to be bound to
how the application might use the SSH connection.  For instance, when a
Junos device connects to our management server, yes, it knows it can open
the "netconf" subsystem, but it also knows all the other subsystems it can
start...and it does!  For instance, it will open additional SSH channels
for SFTP, notifications, packet captures, etc.  It would've been easier if
SSH defined a subsystem-discovery mechanism, but we worked around that too.

Thanks,
Kent
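
Kent's point that the port number is not bound to how the SSH connection is used, and Tom's request that the server be prepared for any SSH PDU rather than assuming NETCONF, both come down to the per-channel "subsystem" request of RFC 4254 section 6.5. The following added Python example (not code from the draft, from Juniper, or from anyone in the thread) builds and parses that request and applies a server-side policy that succeeds only for subsystems the server actually offers and refuses everything else, including shell and exec requests; the offered set and the channel table are constructed for the demo.

```python
"""Per-channel subsystem selection (added example, not code from the draft,
from Juniper, or from anyone in the thread). The TCP port says nothing about
the service a channel will carry; each one is chosen by an RFC 4254 section
6.5 request laid out as
    byte SSH_MSG_CHANNEL_REQUEST (98), uint32 recipient channel,
    string "subsystem", boolean want reply, string subsystem name,
so the server must inspect every request and refuse what it does not offer
instead of assuming NETCONF."""
import struct

SSH_MSG_CHANNEL_REQUEST = 98
SSH_MSG_CHANNEL_SUCCESS = 99
SSH_MSG_CHANNEL_FAILURE = 100

def ssh_string(data):
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Read one RFC 4251 string at `off`; return (value, offset after it)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n

def build_channel_request(channel, rtype, want_reply, payload):
    """Generic SSH_MSG_CHANNEL_REQUEST; `payload` is the type-specific data."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", channel)
            + ssh_string(rtype) + bytes([1 if want_reply else 0]) + payload)

def build_subsystem_request(channel, name, want_reply=True):
    """What a client sends to start e.g. "netconf" or "sftp" on an open channel."""
    return build_channel_request(channel, b"subsystem", want_reply,
                                 ssh_string(name.encode("ascii")))

def parse_channel_request(msg):
    """Return (recipient channel, request type, want_reply, type-specific data)."""
    if len(msg) < 6 or msg[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not a channel request")
    (channel,) = struct.unpack_from(">I", msg, 1)
    rtype, off = read_string(msg, 5)
    if off >= len(msg):
        raise ValueError("missing want_reply")
    return channel, rtype, msg[off] != 0, msg[off + 1:]

def handle_channel_request(msg, offered, open_channels):
    """Server-side policy for one channel request.

    `offered` is the set of subsystem names this server provides (constructed
    in the test) and `open_channels` maps local channel id -> the peer's id for
    that channel, since replies carry the peer's id. Returns (reply bytes or
    None, selected subsystem or None). Only a "subsystem" request naming an
    offered subsystem succeeds; "shell", "exec", "pty-req" and unknown
    subsystems are refused, as a call-home management connection should offer
    none of them."""
    try:
        channel, rtype, want_reply, data = parse_channel_request(msg)
    except ValueError:
        return None, None  # malformed: a real server disconnects here
    if channel not in open_channels:
        return None, None  # no such channel: protocol error, nothing to answer
    selected = None
    if rtype == b"subsystem":
        try:
            name, end = read_string(data, 0)
            if end == len(data) and name.decode("ascii") in offered:
                selected = name.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            pass  # bad or trailing data: treated like an unknown subsystem
    reply = None
    if want_reply:
        code = SSH_MSG_CHANNEL_SUCCESS if selected else SSH_MSG_CHANNEL_FAILURE
        reply = bytes([code]) + struct.pack(">I", open_channels[channel])
    return reply, selected
```

The reply carries the peer's channel number, not the local one, which is the usual source of confusion when first implementing channel requests; the `open_channels` map makes that explicit.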





