[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: use of netconf to configure Unix systems

To: "Joel M. Halpern" <joel@stevecrocker.com>
Subject: Re: use of netconf to configure Unix systems
From: Eliot Lear <lear@cisco.com>
Date: Fri, 17 Mar 2006 18:24:56 -0800
Authentication-results: imail.cisco.com; header.From=lear@cisco.com; dkim=pass ( message from cisco.com verified; );
Cc: Andy Bierman <ietf@andybierman.com>, netconf <netconf@ops.ietf.org>
Dkim-signature: a=rsa-sha1; q=dns; l=2741; t=1142648769; x=1143080969; c=relaxed/simple; s=nebraska; h=Subject:From:Date:Content-Type:Content-Transfer-Encoding:Mime-Version; d=cisco.com; i=lear@cisco.com; z=From:Eliot=20Lear=20<lear@cisco.com> |Subject:Re=3A=20use=20of=20netconf=20to=20configure=20Unix=20systems |To:=22Joel=20M.=20Halpern=22=20<joel@stevecrocker.com>; X=v=3Dmtcc.com=3B=20h=3DrPzZURbWLbzhQYItnBUzDdiDVlw=3D; b=iC0/0uGuLIYtzPWgvrwZTD+TkRW3tG7JgsEAIJJ5igLKXe51/OtZxqT0cUe2F2pqrnhjwzA0 qIRObpI3DMWfP9/I5Qh12fkT/9I6sV+o4u8DCYeXIMmoLCwGf5NtSo01fVk+5TusHXdI1sOdYun HsoONwmEqJyRSfCDaKa+Uo7I=;
In-reply-to: <7.0.1.0.0.20060317205107.0329ef90@stevecrocker.com>
References: <CFEE79A465B35C4385389BA5866BEDF00C7FBB@mailsrvnt02.enet.sharplabs.com> <441B5A19.3080701@cisco.com> <7.0.1.0.0.20060317201708.032d5e08@stevecrocker.com> <441B6629.80606@andybierman.com> <7.0.1.0.0.20060317205107.0329ef90@stevecrocker.com>
User-agent: Thunderbird 1.5 (Macintosh/20051201)

Joel,

First thanks for the productive comments.  Please see below.

Joel M. Halpern wrote:
> If the network operators gained anything by having Netconf running on
> ports below 1024, I would be more inclined to see that used.
I would agree that from a network perspective it's just as easy to block
a port below 1024 as it is above.  That having been said, I was confused
by what you wrote earlier as to how a well known port would harm efforts
in this area.

> And the notion of user space routers is not theoretical.  I would like
> the ForCES CE to be able to be managed using netconf.  And it is a
> specific design goal that ForCES CEs are NOT part of the kernel.
Just to be clear, at least on UNIX, ports below 1024 are accessed in
user space, the only difference being that root must own the process at
the time the port is assigned.  Processes that do not need well known
ports really SHOULDN'T have them because dealing with root permissions
*is* a minor complication - you really do want to isolate the code that
owns that port (for instance through use of inetd).  If this doesn't
address your concern, could you please clarify?

But it also sounds like you may wish for there to be some sort of
virtualization in NETCONF, as Elwyn discussed in his review (RFC
3620?).  That might be a worthy extension to consider.
>
> Looking at the list of assigned ports, there are an awful lot of
> things there that I can imagine would be run on a router control
> processor, and which better not have their port stolen.  (I am not
> naming protocols because the odds are that some of them are not for
> routers, and that some I am not even noticing are for routers.) It
> also looks like there are plenty of host oriented protocols that would
> need to have their ports remain available above 1024.  It sure looks
> like folks have learned to live with protocols (not just SIP and STUN,
> but many, many operationally necessary protocols) running above 1024. 
> Hence, it does not seem to me that the risk of "port occupation" is
> any more relevant for this protocol than for many, many other protocols.
>
> So, is there some other reason that I have not seen for wanting to use
> a low numbered port?

Ultimately not from me because I think a better approach is to have some
sort of authorization mechanism in the bind() and listen() routines, so
I would largely agree with you that the distinction should go away. 
Given that it's here I've attempted to apply it as intended.  In my mind
it's not a router versus host thing, but simply a matter of whether you
believe there is something special about < 1024 and what criteria should
be used to assign below it.

Thanks again,

Eliot

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>

References:
- RE: use of netconf to configure Unix systems
  - From: "McDonald, Ira" <imcdonald@sharplabs.com>
- Re: use of netconf to configure Unix systems
  - From: Eliot Lear <lear@cisco.com>
- Re: use of netconf to configure Unix systems
  - From: "Joel M. Halpern" <joel@stevecrocker.com>
- Re: use of netconf to configure Unix systems
  - From: Andy Bierman <ietf@andybierman.com>
- Re: use of netconf to configure Unix systems
  - From: "Joel M. Halpern" <joel@stevecrocker.com>

Prev by Date: Re: use of netconf to configure Unix systems
Next by Date: Re: use of netconf to configure Unix systems
Previous by thread: Re: use of netconf to configure Unix systems
Next by thread: Re: use of netconf to configure Unix systems
Index(es):
- Date
- Thread