IETF-SSH archive
Re: [Netconf] I-D Action: draft-ietf-netconf-reverse-ssh-00.txt
----- Original Message -----
From: "Kent Watsen" <kwatsen%juniper.net@localhost>
To: "t.petch" <ietfc%btconnect.com@localhost>; "Jeffrey Hutzelman" <jhutz%cmu.edu@localhost>
Cc: <netconf%ietf.org@localhost>
Sent: Tuesday, June 25, 2013 11:06 PM
On 6/25/13 10:44 AM, "t.petch" <ietfc%btconnect.com@localhost> wrote:
>It seems to me that call home needs a Signal, like an answerphone
>message (Please Call) and that that signal can be any PDU over any
>protocol but must specify the protocols to be used for the call -
>Netconf over SSH, SNMP over TLS, etc.
>
>Here the signal seems to be a 3-way handshake, in which case the
>destination port would have to differentiate between the protocol
>combinations and so this cannot be a generic mechanism. The security
>consideration that then comes first to me is a DoS attack via the 3-way
>handshake, nothing to do with SAAG but rather TCPM territory.
I'm not following your analogy, but I agree that there is a DoS attack, as there is with any open TCP port, perhaps worse because it can start expensive asymmetric key algs. Of course, many people I know claim that they'd rather see the app get DoS-ed over the device, since it can more easily overcome such an event.
>It would seem from the I-D that whether the TCP connection is reused, or
>whether the Netconf client fires up a fresh connection is unspecified; I
>would assume the latter, to the regular port on the Netconf server.
We (Juniper) have also explored this - using SNMP Traps actually. It works fairly well for automating the discovery of devices with static IPs on a reachable network, but not at all when the devices are behind a firewall that won't allow inbound SSH connections.
<tp>
I am really confused. If the device/netconf server will not allow
inbound SSH connections, then I cannot see how your I-D can work. It
has the device setting up a TCP connection on a port which signals to
the Netconf client/NMS to make an SSH connection to the Netconf
server/device - which cannot succeed because the devices are behind a
firewall which won't allow inbound SSH connections.
So as I understand the design it cannot meet what I understand to be the
requirements.
Tom Petch
</tp>
Thanks,
Kent
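The point the thread turns on is the direction of the TCP connection versus the direction of the application protocol: in the reverse-SSH / call-home model the device opens the TCP connection outbound to the management station, and the management station then runs the SSH client over that already-established connection, so no inbound connection to the device is ever needed. The sketch below is an added illustration, not code from the draft or from Juniper; it replaces the SSH handshake with a constructed one-line banner/request protocol so the role reversal can be seen without any third-party library, and the port, device identity and message strings are assumptions made for this example.

```python
"""
Role reversal behind call home: the DEVICE initiates the TCP connection
(outbound through its firewall), then acts as the protocol SERVER on that
socket; the NMS accepts the inbound TCP connection, then acts as the
protocol CLIENT on it.  The banner/request lines are a constructed
stand-in for the real SSH exchange (added example, not the draft's framing).
"""
import socket
import threading

DEVICE_ID = "router-1"  # constructed identity for the example


def device_call_home(nms_host, nms_port, device_id=DEVICE_ID):
    """Device side: open an OUTBOUND TCP connection to the NMS, then behave
    as the server on it (announce itself, answer one request)."""
    with socket.create_connection((nms_host, nms_port)) as s:
        f = s.makefile("rw")
        f.write(f"CALLHOME {device_id}\n")  # server-style banner, sent first
        f.flush()
        req = f.readline().rstrip("\n")      # wait for the NMS's request
        if req == "GET hostname":
            f.write(f"OK {device_id}\n")
        else:
            f.write("ERR unknown request\n")
        f.flush()
        return req


def nms_accept_and_manage(listen_sock, expected_prefix="CALLHOME "):
    """NMS side: accept the INBOUND TCP connection, then behave as the
    client on it (read the banner, issue a request, read the reply).
    The cheap banner check runs before anything costly, which is the
    natural place to drop junk connections in a real deployment."""
    conn, _peer = listen_sock.accept()
    with conn:
        f = conn.makefile("rw")
        banner = f.readline().rstrip("\n")
        if not banner.startswith(expected_prefix):
            return None  # not a call-home peer: close without further work
        f.write("GET hostname\n")
        f.flush()
        reply = f.readline().rstrip("\n")
        return banner[len(expected_prefix):], reply


def run_demo():
    """Run both sides on loopback; returns what each side observed."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))  # ephemeral port, chosen by the OS
    lsock.listen(1)
    port = lsock.getsockname()[1]
    result = {}
    t = threading.Thread(
        target=lambda: result.setdefault("nms", nms_accept_and_manage(lsock)))
    t.start()
    result["device"] = device_call_home("127.0.0.1", port)
    t.join()
    lsock.close()
    return result


if __name__ == "__main__":
    print(run_demo())
```

Note that the device never listens: the only `listen()`/`accept()` pair is on the management station, which is why a firewall that blocks inbound SSH to the device does not block this model.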