NETCONF Call Home and RESTCONF Call Home
draft-ietf-netconf-call-home-17

[Ballot comment]
Thank for addressing my prior discuss points!


In section 1.3, please add a sentence that points to the threat/security analysis for use of this function with NETCONF and RESTCONF after the last sentence:

  In such circumstances, allowing the SSH/TLS server to contact the
  SSH/TLS client would open new vulnerabilities.  Any use of call home
  with SSH/TLS for purposes other than NETCONF or RESTCONF will need a
  thorough, contextual security analysis.

[Ballot comment]

Thanks for addressing my discuss points. Just a couple of nits
remain that I can see.

- Typo: "SSH and clients may not be as robust" is missing a TLS
I guess.

-Saying "don't use Verisign" seems a bit wrong, maybe re-word
that.

[Ballot comment]
Three points in decreasing order of importance:
1) Why is this parapraph below (and subsequently the other similar ones)  using RFC 2119 language with respect to the port numbers
      The NETCONF/RESTCONF client listens for TCP connection requests
      from NETCONF/RESTCONF servers.  The client SHOULD listen for
      connections on the IANA-assigned ports defined in section
      Section 5, but MAY be configured to use a non-standard port.

Using the right port number is not something that influences the interoperability of the protocol per se, but is an operational parameter. Checking other protocol specifications, e.g. HTTP/1.1, there is no RFC 2119 language about the usage of specific port numbers. 

2) I am not a fan of having different port numbers to differentiate different vanilla flavors of a protocol. However, I can understand the why this is happening this way. But what is happening if there is X-over-TLS/SSH/foo coming after RESTCONF? Are you again in need of more port numbers? This does not look like a tactical wise and sustainable way.

3) This document will benefit from an overview figure that details who is the server/client on what level for what.

[Ballot discuss]


Section 2.1 & 3.1
Why is authentication limited to server-side authentication?  It seems that this really should be mutual authentication to ensure the server is also connecting to the correct client and there was no attack prior to the callback.
3.1 S3 - Why is client-side authentication optional?

Without this must, there should be a security consideration that the call back could go to a malicious client.  The types of authentication matter as well, but that's covered in Stephen's discuss points along with the SecDir review questions on TLS-PSK.

[Ballot comment]
In section 1.3, please add a sentence that points to the threat/security analysis for use of this function with NETCONF and RESTCONF after the last sentence:

  In such circumstances, allowing the SSH/TLS server to contact the
  SSH/TLS client would open new vulnerabilities.  Any use of call home
  with SSH/TLS for purposes other than NETCONF or RESTCONF will need a
  thorough, contextual security analysis.

[Ballot comment]
One comment and a question:

- 3.1, S1:

If the client MAY be configured to listen on a non-standard port, doesn’t that imply that the server MUST be _capable_ of being configured to connect to a non-standard port?

- 4:

I'm curious why people felt it necessary to reverse the usual TLS or SSH client and server roles. Did the working group consider having the NETCONF/RESTCONF server act as the TLS or SSH client? If so, can the reasons be summarized in a sentence or two?

[Ballot comment]
In this text:

  C1  The NETCONF/RESTCONF client listens for TCP connection requests
      from NETCONF/RESTCONF servers.  The client SHOULD listen for
      connections on the IANA-assigned ports defined in section
      Section 5, but MAY be configured to use a non-standard port.
     
are SHOULD/MAY mutually exclusive here, or can you do both? I'd be guessing if I said I knew, from this text. Could you provide "as well as" or "instead of" guidance?

[Ballot comment]
In Section 2.1, C5:

      This validation MAY be accomplished by certificate
      path validation or by comparing the host key or certificate to a
      previously trusted or "pinned" value.

It's a finnicky point, but I think it's an important one:  You list two methods for validation: (1) cert path validation, and (2) comparing to a pinned value.  Is it (A) acceptable for the validation to be done by other methods as well as those two?  Or is it (B) required that one of those two be used, but either is acceptable?

If (A), then the text is fine as it is.  But if (B), the text as written doesn't require the use of one of the specified methods, because "MAY" is optional.  If you mean (B), you should write it as "MUST be accomplished either by [...] or by [...]."  Alternatively, you could just add it to the previous sentence, as, '...client MUST validate the server's presented host key or certificate, either using certificate path validation or by comparing the host key or certificate to a previously trusted or "pinned" value.'

(That wasn't a DISCUSS point because I think implmentors are likely to get it right anyway.  But I do think the text needs to be tightened up in order to make it fully clear.)

In Section 2.1, C8, an even more finnicky and not very important point:

      Once the SSH or TLS connection is established, the NETCONF/
      RESTCONF client MUST immediately start using either the NETCONF-
      client [RFC6241] or RESTCONF-client [draft-ietf-netconf-restconf]
      protocol.

What *else* might the client do, which merits a MUST here?  I think all you should say here is, "Once the SSH or TLS connection is established, the NETCONF/RESCONF client starts using either [...the protocols...]."

Continuing...

      Assuming the use of the IANA-assigned ports, the
      NETCONF-client protocol is started when the connection is
      accepted on either port PORT-X or PORT-Y and the RESTCONF-client
      protocol is started when the connection is accepted on port PORT-
      Z.

But no: the (NETCONF/RESCONF)-client protocol is NOT started when the connection is accepted (that was in C2), but when the SSH/TLS connection/session is established.  Which you already said in the previous sentence, and C1 already said what ports the client listens on.  Why is this sentence even here?  Why not just remove it?

These same two comments apply to S6 in Section 3.1.

[Ballot discuss]

I have three points to discuss, I think these may be fairly
easy to resolve, or maybe not, but I'd like to chat about 'em.

(1) HTTP Auth: is it ok for a client to send it's e.g. basic
auth credential to any of the servers that the client can
validate? I.e., is an additional level of pinning needed for
this? That would be a new form of pinning and is not defined
for either TLS or SSH afaik. That could also be done in
various ways and I'm not sure if those might have
interoperability consequences. Or perhaps if not doing that,
this draft should say something about a need for stronger
credentials esp. for basic auth. Did the WG consider this?

(2) The secdir review [1] calls out issues related to TLS-PSK
and (I guess also) bare keys. I think it'd be good to be
speific as to wheher or how those are to be supported here. If
you are going to say those are supported, then I suspect some
additional text is needed. Kent's answer to that (which was
"see RFC7589" as I read it) doesn't quite do it here I think.
that says that certificates must be supported (which is fine)
but doesn't say that TLS-PSK or bare keys can or cannot be
supported.

  [1] https://www.ietf.org/mail-archive/web/secdir/current/msg06087.html

(3) Consider zmap. When this is deployed, what'll be the
effect of surveys that fingerprint all of the devices on the
visible Internet who implement this protocol? Did the WG
consider that? I'm not sure of the impact, if any, but it
could be good if there's a way to help deployments end up less
vulnerable to fingerprinting (and the ensuing exposure to
unpatched vulns).

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-netconf-call-home-11. If any part of this review is inaccurate, please let us know.

Upon approval of this document, IANA will register the following in the Service Name and Transport Protocol Port Number Registry:

  Service Name:          netconf-ch-ssh
  Transport Protocol(s):  TCP
  Assignee:              IESG
  Contact:                IETF Chair
  Description:            NETCONF Call Home (SSH)
  Reference:              RFC XXXX
  Port Number:            PORT-X

  Service Name:          netconf-ch-tls
  Transport Protocol(s):  TCP
  Assignee:              IESG
  Contact:                IETF Chair
  Description:            NETCONF Call Home (TLS)
  Reference:              RFC XXXX
  Port Number:            PORT-Y

  Service Name:          restconf-ch-tls
  Transport Protocol(s):  TCP
  Assignee:              IESG
  Contact:                IETF Chair
  Description:            RESTCONF Call Home (TLS)
  Reference:              RFC XXXX
  Port Number:            PORT-Z


Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (NETCONF Call Home and RESTCONF Call Home) to Proposed Standard


The IESG has received a request from the Network Configuration WG
(netconf) to consider the following document:
- 'NETCONF Call Home and RESTCONF Call Home'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-10-07. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This RFC presents NETCONF Call Home and RESTCONF Call Home, which
  enable a NETCONF or RESTCONF server to initiate a secure connection
  to a NETCONF or RESTCONF client respectively.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-netconf-call-home/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-netconf-call-home/ballot/


The following IPR Declarations may be related to this I-D:

  https://datatracker.ietf.org/ipr/2170/
  https://datatracker.ietf.org/ipr/2445/

Hi Kent,

I have completed the shepherd review of the NETCONF Call Home and RESTCONF Call Home draft. I believe the document is well written and is easy to read.

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

This document is intended to be a Standards document, and it indicates it as such in the document.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

This RFC presents NETCONF Call Home and RESTCONF Call Home, which enable a NETCONF or RESTCONF server to initiate a secure connection to a NETCONF or RESTCONF client respectively.

Working Group Summary

This document is a result of a split between this document and the server configuration data model which is its own draft. With the split most of the complexity in configuration has moved to the server model draft.

There were 10 issues that were opened and closed on the draft. At this point there are no open issues.

Document Quality

This document was extensively reviewed and comments were provided both in IETF meetings and on the mailing list. Perhaps the most important discussion and which resulted in the split, is the discussion around hostname keys and SSH and TLS configuration. Both Tom Petch and Juergen gave extensive comments on the draft.

Personnel

The document shepherd is Mahesh Jethanandani. The responsible AD will be Benoit Claise.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

The Document Shepherd have followed the progression of the document through the WG, and has reviewed the document. At this time the document has addressed all the outstanding comments in the latest draft version.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

The document shepherds does not have any concerns about the amount of review the document has received. It has been reviewed by several parties.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

The document does not need review from any additional parties.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

No, the Document Shepherds do not have any specific concerns.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

Yes, the author has confirmed two IPRs related to the draft.

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

An IPR disclosure is documented under https://datatracker.ietf.org/ipr/2445/ and it has been published on the WG mailing list. There were no discussions as a result of the disclosure of the IPR.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it? 

There is strong consensus from a diverse set of individuals, who have voiced support for the document.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarize the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

No.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

No Indnits revealed in this document.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

No formal review criteria encountered.

(13) Have all references within this document been identified as
either normative or informative?

Yes.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

No.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

No.

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

No.


(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

The IANA considerations section details the changes that would be required as a result of this draft requesting three TCP port numbers in the “Registered Port Numbers” of IANA registry entry. The request follows the template rules identified in RFC 6335.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

The IANA registry needs to review the request for three new TCP ports, one for SSH over NETCONF and two for NETCONF and RESTCONF over TLS. There was some discussion in the WG over whether there was anyway to combine the port requests and reduce the number of port requests.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

None.