
draft-ietf-netconf-reverse-ssh


Presentation Transcript


  1. draft-ietf-netconf-reverse-ssh
     Call Home using SSH

  2. Motivation
     • Proactive device-initiated discovery
     • Manage devices deployed behind firewalls
     SSH is NETCONF’s mandatory transport protocol

  3. Normal SSH
     • SSH client initiates the TCP connection…
     [Diagram: NMS → Device, port 830; NMS initiates TCP connection]

  4. Normal SSH
     • SSH client initiates the TCP connection…
     [Diagram: NMS → Device, port 830; NMS initiates TCP connection; SSH on top of TCP connection]

  5. Reverse SSH
     • Device initiates the TCP connection…
     [Diagram: Device → NMS, port TBD; Device initiates TCP connection]

  6. Reverse SSH
     • Device initiates the TCP connection…
     [Diagram: Device → NMS, port TBD; Device initiates TCP connection; SSH on top of TCP connection]

  7. SSH Roles are Always the Same!
     Regardless of which side initiates the TCP connection:
     • NMS is the SSH client
     • Device is the SSH server
     Security wise:
     • NMS authenticates the device’s SSH host key
     • Device authenticates the NMS’s “user” credentials
     RFC 6242 compliant:
     • NETCONF server extracts the username from the ssh-userauth service
     • NETCONF client opens a session channel and invokes the “netconf” subsystem

  8. Very Easy to Implement
     Normal SSH
     • `inetd` listens on port 830
     • Accepts TCP connection
     • Forks/execs “sshd -i”
     Reverse SSH
     • Agent on device initiates TCP connection to NMS on port TBD
     • Forks/execs “sshd -i”
     Reference implementation will be posted, using OpenSSH and J2SSH Maverick
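The call-home flow of slides 7 and 8, as an added illustration that is not part of the draft or its reference implementation: the device opens the TCP connection yet still speaks first as the SSH server (where a real agent would hand the socket to `sshd -i`), while the NMS accepts the connection yet still answers as the SSH client. Only the RFC 4253 identification-string exchange is modelled; the software names, the loopback listener on an OS-chosen port and the in-process threading are constructed for the demo.

```python
import socket
import threading

# Constructed identification strings (RFC 4253 section 4.2 format); not from the draft.
DEVICE_ID = b"SSH-2.0-device_sshd_demo"
NMS_ID = b"SSH-2.0-nms_client_demo"

def read_identification(sock):
    """Read one SSH identification line ("SSH-2.0-..." + CRLF) from the peer."""
    line = b""
    while not line.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed before sending identification")
        line += chunk
        if len(line) > 255:  # RFC 4253 caps the identification line at 255 chars
            raise ValueError("identification line too long")
    return line.rstrip(b"\r\n")

def device_agent(nms_host, nms_port):
    """Device side: initiate the TCP connection, then act as the SSH *server*."""
    with socket.create_connection((nms_host, nms_port)) as s:
        s.sendall(DEVICE_ID + b"\r\n")      # server identification goes out first
        peer = read_identification(s)       # the NMS answers as the SSH client
        # a real agent would now hand this socket to "sshd -i" as its stdin/stdout
        return peer

def nms_listener(listener):
    """NMS side: accept the device's TCP connection, then act as the SSH *client*."""
    conn, _ = listener.accept()
    with conn:
        device_id = read_identification(conn)
        if not device_id.startswith(b"SSH-2.0-"):
            raise ValueError("not an SSH-2.0 server: %r" % device_id)
        conn.sendall(NMS_ID + b"\r\n")      # client identification
        # a real NMS would continue with KEX and verify the device host key
        # against its bootstrap parameters (expected device identities / host keys)
        return device_id

def call_home_exchange():
    """Run both roles in-process; returns (id the NMS saw, id the device saw)."""
    listener = socket.create_server(("127.0.0.1", 0))   # port 0: OS picks a free port
    port = listener.getsockname()[1]
    seen = {}
    t = threading.Thread(target=lambda: seen.update(nms=nms_listener(listener)))
    t.start()
    seen["device"] = device_agent("127.0.0.1", port)
    t.join()
    listener.close()
    return seen["nms"], seen["device"]
```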

  9. Bootstrap Parameters
     • Devices must be configured with
       • the IP/port of the NMS to initiate the connection to
       • a user account and credentials for the NMS to use
     • NMS should be configured with
       • identities for expected device connections
       • device SSH host keys
         • or an ability to authenticate devices (e.g. PKI)

  10. Zero-Touch Bootstrap
     Automated configuration of the Bootstrap Parameters from the previous slide
     • A highly-requested feature
     • Device bootstrap procedure
       • Device placed on isolated network
       • Device configures its network stack via DHCP
       • Device fetches Bootstrap Parameters from network
     • Security Recommendations
       • NMS’s “user” credentials SHOULD be an asymmetric key
       • Device’s Host-Key SHOULD be an X.509 certificate

  11. Regarding X.509 Based Keys
     • RFC 6187 defines
       • X.509v3 Certificates for Secure Shell Authentication
       • March 2011
     • Currently no known implementations
       • some implementations of draft-saarenmaa-ssh-x509-00
     • The following are planning to support it
       • The OpenSSH patch by Roumen Petrov
       • J2SSH Maverick by SSHTOOLS Limited

  12. Questions / Concerns ?

  13. Alternative Strategy
     • Device is SSH Client
     [Diagram: Device → NMS, port TBD; Device initiates TCP connection]

  14. Alternative Strategy
     • Device is SSH Client
     [Diagram: Device → NMS, port TBD; Device initiates TCP connection; SSH on top of TCP connection]

  15. Alternative Strategy
     • Device is SSH Client
     [Diagram: Device → NMS, port TBD; Device initiates TCP connection; SSH on top of TCP connection; NMS opens channel on device]

  16. Bootstrap Parameters
     • Devices must be configured with
       • the IP/port of the NMS to initiate the connection to
       • NMS’s SSH host key
         • or an ability to authenticate it (e.g. PKI)
       • a user account and credentials to log into the NMS
       • a local user account to bind the session to
