On Fri, Jun 02, 2006 at 04:29:48PM -0400, Phil Shafer wrote:
> BEEP handles the device-initiated connection easily, and one can
> use 'sshd -i' on the device side to pass a device-initiated connection
> into the ssh daemon code, allowing us to preserve the existing
> client/server relationship in netconf. I'm clueless about how soap
> would handle this.

While I love the simplicity of this approach (agent establishes the
TCP connection and once established it takes over the SSH server
role), I had the feeling that security folks seriously disliked it
during the ISMS discussions. Instead, they seemed to prefer something
where you have to use host-key authentication and you end up with
different notions of access control rules since you have different
authenticated identities to deal with.

I would like to see a common approach to deal with "agent" initiated
connections between netconf and ISMS and as I said I love the
simplicity of what you propose for netconf...