
Re: On SSH ports
>>>>> On Thu, 05 Feb 2004 15:51:22 -0500, Margaret Wasserman <margaret@thingmagic.com> said:

Margaret> so I don't see how adding a netconf subsystem to that same
Margaret> SSH server fundamentally changes the security picture.

Because at the border, the subsystem differentiator is encrypted.  A
firewall can't say "don't allow external management traffic into my
network" because the packets are encrypted and it couldn't tell the
difference between normal ssh traffic and netconf over ssh traffic.

Margaret> In many ways, NETCONF/SSH could be viewed as a more
Margaret> computer-friendly way to access the CLI.  The current CLI
Margaret> will probably remain as a more human-friendly interface.

Margaret> So, what do we gain by specifying that NETCONF/SSH should
Margaret> run over a different port?

The ability for network security operators to differentiate at the
border between legitimate ssh connections used by login servers (etc),
and network management specific traffic they don't want to allow in.

Margaret> BTW, I just checked a couple of SSH clients, and they both include a
Margaret> -p option to set the server port.  So, changing the port would be
Margaret> consistent with existing clients, if we choose to do that.

Every client I've used lets you specify a port.  In fact, I have a
tunnel open right now (and do daily) to a non-standard ssh port.

-- 
"In the bathtub of history the truth is harder to hold than the soap,
 and much more difficult to find."  -- Terry Pratchett
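A small model of the border filter's view, added here as an example (it is not from the thread): the filter can decide only on what is visible in the TCP header, because the SSH subsystem name travels inside the encrypted channel. Port 830 is assumed as the management port here (it is the IANA-registered NETCONF-over-SSH port, assigned after this discussion), and the flows are constructed samples.

```python
"""Model of a border filter deciding on NETCONF-over-SSH traffic.

The filter sees source/destination addresses and the TCP destination
port.  The SSH subsystem request ("netconf" vs. an interactive shell)
is sent after key exchange, inside the encrypted channel, so the
filter must not (and cannot) read it.
"""
from dataclasses import dataclass

SSH_PORT = 22
NETCONF_PORT = 830  # assumption: IANA NETCONF-over-SSH port, not in the thread


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    subsystem: str  # encrypted on the wire; kept only to label the sample


def wire_visible(flow: Flow) -> dict:
    """Fields a border device can actually inspect for an SSH session."""
    return {"src": flow.src, "dst": flow.dst, "dport": flow.dport}


def border_decision(flow: Flow, netconf_port: int) -> str:
    """Policy: 'don't allow external management traffic in'.

    Only wire-visible fields are consulted; the subsystem is never read.
    """
    visible = wire_visible(flow)
    return "drop" if visible["dport"] == netconf_port else "allow"


def enforce(netconf_port: int) -> dict:
    """Apply the policy to one external login session and one external
    NETCONF session, with the NETCONF server listening on netconf_port.
    Returns the decision per session, keyed by the (hidden) subsystem."""
    # Constructed sample flows using RFC 5737 documentation addresses.
    flows = [
        Flow("203.0.113.10", "192.0.2.5", SSH_PORT, "shell"),
        Flow("203.0.113.10", "192.0.2.7", netconf_port, "netconf"),
    ]
    return {f.subsystem: border_decision(f, netconf_port) for f in flows}


if __name__ == "__main__":
    # Shared port: the filter cannot separate the two, so blocking
    # management also blocks logins.  Distinct port: the policy works.
    print("shared port 22:", enforce(SSH_PORT))
    print("separate port :", enforce(NETCONF_PORT))
```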

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>