[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: On SSH ports

To: Juergen Schoenwaelder <schoenw@ibr.cs.tu-bs.de>
Subject: Re: On SSH ports
From: Eliot Lear <lear@cisco.com>
Date: Thu, 05 Feb 2004 15:59:01 -0500
Cc: netconf@ops.ietf.org
In-reply-to: <200402052046.i15Kkgec007813@hansa.ibr.cs.tu-bs.de>
References: <5.1.0.14.2.20040204144303.03c71598@ms101.mail1.com> <200401300758.i0U7wmBE030236@idle.juniper.net> <200401300758.i0U7wmBE030236@idle.juniper.net> <5.1.0.14.2.20040204144303.03c71598@ms101.mail1.com> <5.1.0.14.2.20040205124557.03d00fa8@ms101.mail1.com> <402290F0.5050203@cisco.com> <200402052046.i15Kkgec007813@hansa.ibr.cs.tu-bs.de>
User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.6) Gecko/20040113

I guess I view it slightly differently. SSH has built into it a subsystem facility. This seems like a clear example of a subsystem. Why should we use any other, EVEN if we're on a different port?

As I wrote, I could argue both sides of the issue on the port.

The layering that we're using buys us code re-use. The more code re-use the better. That's important for cost's sake. If we're doing something different, let's ensure we're doing it for the right reason. In general, I agree with Wes' logic. The only reason I would vary from his position in this case is because of the constrained problem space we find ourselves considering.

But here's something I can do in a more productive sense. Let me ask the operators whether they're opposed to running SSH on a different port for this purpose, and how much work they would have to do to update their ACLs. If they don't think it's a big deal, I don't see why we should.

Eliot

Juergen Schoenwaelder wrote:

Eliot Lear writes:

Eliot> Egads...  I could argue either side of the port issue for SSH.
Eliot> One the one hand, its primary use in NETWORK devices today is
Eliot> configuration, and so since the primary use isn't really
Eliot> changing, the port doesn't need to and shouldn't change.

Eliot> On the other hand, if the primary use becomes something OTHER
Eliot> than network configuration (and there might be a good argument
Eliot> for this), then we should get this right the first time and use
Eliot> a different port.

Eliot> Do I have the parameters of the decision about right?

Do you run IMAP over the POP port just because the function of both is
to some extend similar??

We are talking here about a new protocol named netconf which uses ssh
purely as a mechanism to achieve cheap security. So it seems just
natural to give the new protocol its own port number.

The way we use ssh is similar to using TLS. And IMAP over TLS and SMTP
over TLS still use the IMAP and the SMTP ports, not a TLS port number.

Unless I completely misunderstand the layering we are doing, I would
argue for netconf port number just for purely architectural reasons.

[I realize that in the "run everything over HTTP world", people look
 at this issue differently and netconf over SOAP might end up on port
 80, but this we probably can't fix anymore.]

/js


--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>

Follow-Ups:
- Re: On SSH ports
  - From: Juergen Schoenwaelder <schoenw@ibr.cs.tu-bs.de>

References:
- Re: Ever onward
  - From: Margaret Wasserman <margaret@thingmagic.com>
- Ever onward
  - From: Phil Shafer <phil@juniper.net>
- Re: Ever onward
  - From: Margaret Wasserman <margaret@thingmagic.com>
- On SSH ports
  - From: Eliot Lear <lear@cisco.com>
- Re: On SSH ports
  - From: Juergen Schoenwaelder <schoenw@ibr.cs.tu-bs.de>

Prev by Date: Re: Ever onward
Next by Date: Re: Ever onward
Previous by thread: Re: On SSH ports
Next by thread: Re: On SSH ports
Index(es):
- Date
- Thread