
RE: Evaluation: draft-ietf-netconf-ssh-05.txt to Proposed Standard [I06-051127-0011]



Steve Moulton wrote:
> 
> On Friday, March 17 2006, Andy Bierman <ietf@andybierman.com> wrote: 
> 
> > We don't think we are improving security.
> > It is about following current practice, 'best' or otherwise.
> > IMO, there is a strong pre-existing expectation that a configuration
> > protocol like NETCONF should be in the system port number range.
> 
> As far as I can tell, the only security implication one way or the
> other is whether non-netconf (i.e., other user) applications can
> bind to the port, possibly preempting use by netconf (even though
> the netconf service is likely to start before user applications).  
> On unix-like systems, port numbers below 1024 enforce this.  
> On non-unix-like systems, this argument may not hold.
> 
> If there is a difference wrt authentication, I don't see it (but my
> security glasses are, at best, astigmatic).  
> 
> So, to my understanding, there are two arguments for reserving
> a port below 1024:  preempting user processes, and pre-existing
> expectation as noted by Andy.  It is not clear to me that
> those at IANA who gatekeep such things will find these sufficiently
> strong arguments.
> 

Netconf is at best a 'niche' protocol at present, because:

(a) Netconf currently has no standard data models

(b) Netconf currently is intended for use only with routers and
    other intermediate network elements

(c) Netconf operations have fuzzy semantics, due to the lack of any
    standard data models (e.g., "merge this blob with that blob")

Therefore, Netconf is not plausibly a critical system service.

An IANA-assigned "Registered Port" (greater than 1024) is appropriate.

The argument that user processes may pre-bind the Netconf port applies
equally to an IANA-assigned "Well Known Port" (less than 1024).

I encourage the IETF ADs to intervene here and provide direction.

Cheers,
- Ira


Ira McDonald (Musician / Software Architect)
Blue Roof Music / High North Inc
PO Box 221  Grand Marais, MI  49839
phone: +1-906-494-2434
email: imcdonald@sharplabs.com
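The port-preemption behaviour argued over in this thread, shown as an added example that is not part of any message above: on a Unix-like host the OS refuses a bind below 1024 from an unprivileged process (EACCES), while any port, well-known or registered, already held by another process is refused with EADDRINUSE. The `try_bind`, `port_class` and `demo_preemption` names and the 127.0.0.1 loopback scenario are the example's own assumptions, not anything from the draft or the list.

```python
import errno
import socket


def port_class(port):
    """Classify a TCP port by IANA range (well-known < 1024, registered, dynamic)."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def try_bind(port, host="127.0.0.1"):
    """Attempt a TCP bind without SO_REUSEADDR.

    Returns ("ok", bound_port, socket) on success or
    ("error", errno_name, None) on failure, e.g. EACCES for a privileged
    port as a non-root user, EADDRINUSE when another process holds it.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return ("ok", sock.getsockname()[1], sock)
    except OSError as exc:
        sock.close()
        return ("error", errno.errorcode.get(exc.errno, str(exc.errno)), None)


def privileged_bind_outcome(port=1023):
    """Outcome of binding a well-known port: depends on the caller's privilege."""
    status, detail, sock = try_bind(port)
    if sock is not None:
        sock.close()
    return status, detail


def demo_preemption():
    """Constructed scenario: a 'user process' grabs a free registered/dynamic
    port first; the 'service' starting later finds it taken (EADDRINUSE)."""
    status, port, holder = try_bind(0)  # port 0 lets the OS pick a free port
    if status != "ok":
        raise RuntimeError("could not bind an ephemeral port: %s" % port)
    service_status, service_detail, _ = try_bind(port)
    holder.close()
    return port, service_status, service_detail


if __name__ == "__main__":
    print("bind 1023 as this user:", privileged_bind_outcome())
    print("service after pre-bind:", demo_preemption())
```

Run it as an ordinary user and then with root or CAP_NET_BIND_SERVICE to see the first line change from EACCES to ok, while the second line (EADDRINUSE) is the same either way, which is the point Ira makes about well-known ports.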

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>