Presentation is loading. Please wait.

Presentation is loading. Please wait.

draft-ietf-netconf-reverse-ssh

Published byDwight Jesse Mills Modified over 5 years ago

Similar presentations

Presentation on theme: "draft-ietf-netconf-reverse-ssh"— Presentation transcript:

1 draft-ietf-netconf-reverse-ssh
Call Home using SSH

2 Motivation Proactive device-initiated discovery
Manage devices deployed behind firewalls SSH is NETCONF’s mandatory transport protocol

3 Normal SSH SSH client initiates the TCP connection… 830 Device NMS
NMS initiates TCP connection 830 Device NMS

4 SSH on top of TCP connection
Normal SSH SSH client initiates the TCP connection… NMS initiates TCP connection SSH on top of TCP connection 830 Device NMS

5 Reverse SSH Device initiates the TCP connection… TBD Device NMS
Device initiates TCP connection TBD Device NMS

6 SSH on top of TCP connection
Reverse SSH Device initiates the TCP connection… Device initiates TCP connection SSH on top of TCP connection TBD Device NMS

7 SSH Roles are Always the Same!
Regardless which side initiates the TCP connection: NMS is the SSH client Device is the SSH Server Security wise: NMS authenticates device’s SSH host key Device authenticates NMS’s “user” credentials RFC 6242 Compliant NETCONF server extracts username from ssh-userauth service NETCONF client opens session channel and invokes “netconf” subsystem

8 Very Easy to Implement Normal SSH `inetd` listens on a port 830
Accepts TCP connection Forks/execs “sshd -i” Reverse SSH Agent on device initiates TCP connection to NMS on port TBD Forks/execs “sshd –i” Reference implementation will be posted - using OpenSSH and J2SSH Maverick

9 Bootstrap Parameters Devices must be configured
the IP/port of the NMS to initiate connection to A user account and credentials for the NMS to use NMS should be configured Identities for expected device connections Device SSH Host Keys or an ability to authenticate devices (e.g. PKI)

10 Zero-Touch Bootstrap Automated configuration of Bootstrap Parameters from previous slide A highly-requested feature Device bootstrap procedure Device placed on isolated network Device configures its network stack via DHCP Device fetches Bootstrap Parameters from network Security Recommendations NMS’s “user” credentials SHOULD be an asymmetric key Device’s Host-Key SHOULD be a X.509 certificate

11 Regarding X.509 Based Keys RFC 6187 defines
X.509v3 Certificates for Secure Shell Authentication March 2011 Currently no known implementations some implementations of draft-saarenmaa-ssh-x509-00 Following are planning to support The OpenSSH patch by Roumen Petrov J2SSH Maverick by SSHTOOLS Limited

12 Questions / Concerns ?

13 Alternative Strategy Device is SSH Client TBD Device NMS
Device initiates TCP connection TBD Device NMS

14 SSH on top of TCP connection
Alternative Strategy Device is SSH Client Device initiates TCP connection SSH on top of TCP connection TBD Device NMS

15 Alternative Strategy Device is SSH Client
Device initiates TCP connection SSH on top of TCP connection TBD NMS opens channel on device Device NMS

16 Bootstrap Parameters Devices must be configured
the IP/port of the NMS to initiate connection to NMS’s SSH Host Key or an ability to authenticate it (e.g. PKI) A user account and credentials to log into the NMS A local user account to bind session to

Download ppt "draft-ietf-netconf-reverse-ssh"

Similar presentations

Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.

Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
COS 420 DAY 25. Agenda Assignment 5 posted Chap 22-26 Due May 4 Final exam will be take home and handed out May 4 and Due May 10 Latest version of Protocol.

COS 420 DAY 25. Agenda Assignment 5 posted Chap Due May 4 Final exam will be take home and handed out May 4 and Due May 10 Latest version of Protocol.
Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.

Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.
Brian Dwyer – CITA370. Introduction  Network Device Security  Identity Management AAA Process Model ○ Authentication ○ Authorization ○ Accounting (Sometimes.

Brian Dwyer – CITA370. Introduction  Network Device Security  Identity Management AAA Process Model ○ Authentication ○ Authorization ○ Accounting (Sometimes.
Automatic Router Configuration Protocol (ARCP) v1.1, 18 Nov. 2002 Jeb Linton, EarthLink

Automatic Router Configuration Protocol (ARCP) v1.1, 18 Nov Jeb Linton, EarthLink
Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!

Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Application Layer Functionality and Protocols Network Fundamentals – Chapter 3.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Application Layer Functionality and Protocols Network Fundamentals – Chapter 3.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Computation for Physics 計算物理概論 Introduction to Linux.

Computation for Physics 計算物理概論 Introduction to Linux.
Enabling Embedded Systems to access Internet Resources.

Enabling Embedded Systems to access Internet Resources.
70-411: Administering Windows Server 2012

70-411: Administering Windows Server 2012
draft-kwatsen-netconf-zerotouch-01

draft-kwatsen-netconf-zerotouch-01
User Authentication By Eric Sita. Message Security Privacy: To expect confidentiality from a sender. Authentication: To be sure of someone's identity.

User Authentication By Eric Sita. Message Security Privacy: To expect confidentiality from a sender. Authentication: To be sure of someone's identity.
Andreas Steffen, 15.11.2011, 11-SSH.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen M. Liebi Institute for Internet Technologies and Applications.

Andreas Steffen, , 11-SSH.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen M. Liebi Institute for Internet Technologies and Applications.
draft-ietf-netconf-call-home-01

draft-ietf-netconf-call-home-01
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

Similar presentations

Ads by Google