draft-ietf-netconf-reverse-ssh

draft-ietf-netconf-reverse-ssh Call Home using SSH

Motivation
- Proactive, device-initiated discovery
- Manage devices deployed behind firewalls
- SSH is NETCONF's mandatory transport protocol

Normal SSH
- SSH client initiates the TCP connection
- [Diagram: NMS initiates the TCP connection to port 830 on the Device; SSH runs on top of the TCP connection]

Reverse SSH
- Device initiates the TCP connection
- [Diagram: Device initiates the TCP connection to port TBD on the NMS; SSH runs on top of the TCP connection]

SSH Roles are Always the Same!
Regardless of which side initiates the TCP connection:
- NMS is the SSH client
- Device is the SSH server
Security-wise:
- NMS authenticates the device's SSH host key
- Device authenticates the NMS's "user" credentials
RFC 6242 compliant:
- NETCONF server extracts the username from the ssh-userauth service
- NETCONF client opens a session channel and invokes the "netconf" subsystem

Very Easy to Implement
Normal SSH:
- inetd listens on port 830
- Accepts the TCP connection
- Forks/execs "sshd -i"
Reverse SSH:
- Agent on the device initiates the TCP connection to the NMS on port TBD
- Forks/execs "sshd -i"
Reference implementation will be posted, using OpenSSH and J2SSH Maverick
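The slide's point is that an inetd-style server handed a connected socket as stdin/stdout cannot tell whether that socket was accepted (normal SSH) or dialed out (reverse SSH), so the same fork/exec of "sshd -i" serves both cases and the SSH roles never change. The following is an added example, not code from the draft or its reference implementation: it runs both directions locally, with a small echo child standing in for "sshd -i" (an assumption so the example runs offline; it speaks no SSH), and ephemeral ports standing in for 830 and the TBD call-home port.

```python
"""Added example: the same inetd-style fork/exec serves normal and reverse SSH.
The echo child below is a constructed stand-in for "sshd -i"."""
import socket
import subprocess
import sys

# Stand-in for "sshd -i": an inetd-style child that reads one line from stdin
# and writes it back on stdout. Constructed for this example; it is not sshd.
ECHO_SERVER_CMD = [
    sys.executable, "-c",
    "import sys; sys.stdout.write(sys.stdin.readline()); sys.stdout.flush()",
]


def listen(bind_addr=("127.0.0.1", 0)):
    """Open a listening TCP socket (port 0 = ephemeral; the draft uses 830 on
    the device for normal SSH and a TBD port on the NMS for reverse SSH)."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(bind_addr)
    lst.listen(1)
    return lst


def spawn_inetd_style(sock, server_cmd):
    """Fork/exec the server with the connected socket as its stdin and stdout,
    which is what inetd does for "sshd -i". Used unchanged for both directions."""
    proc = subprocess.Popen(server_cmd, stdin=sock.fileno(), stdout=sock.fileno())
    sock.close()  # the child now owns its own copies of the descriptor
    return proc


def normal_ssh_device_side(listener, server_cmd=ECHO_SERVER_CMD):
    """Normal SSH: the device's inetd accepts the NMS-initiated TCP connection
    and execs the server on the accepted socket."""
    conn, _ = listener.accept()
    return spawn_inetd_style(conn, server_cmd)


def reverse_ssh_device_side(nms_addr, server_cmd=ECHO_SERVER_CMD):
    """Reverse SSH: an agent on the device initiates the TCP connection to the
    NMS (address taken from the device's Bootstrap Parameters) and execs the
    same server on the outbound socket."""
    return spawn_inetd_style(socket.create_connection(nms_addr), server_cmd)


def nms_exchange(conn, message):
    """The NMS is the SSH client either way: it speaks first on the connection
    and reads the server's reply (here, the echoed line)."""
    conn.settimeout(5)
    conn.sendall(message)
    reply = b""
    while not reply.endswith(b"\n"):
        chunk = conn.recv(4096)
        if not chunk:
            break
        reply += chunk
    conn.close()
    return reply


def demo_normal(message=b"client speaks first\n"):
    """NMS dials the device; the device accepts and spawns the server."""
    device_listener = listen()
    nms_conn = socket.create_connection(device_listener.getsockname())
    proc = normal_ssh_device_side(device_listener)
    reply = nms_exchange(nms_conn, message)
    device_listener.close()
    proc.wait(timeout=5)
    return reply


def demo_reverse(message=b"client speaks first\n"):
    """Device dials the NMS; the NMS accepts, yet still acts as the SSH client."""
    nms_listener = listen()
    proc = reverse_ssh_device_side(nms_listener.getsockname())
    nms_conn, _ = nms_listener.accept()
    reply = nms_exchange(nms_conn, message)
    nms_listener.close()
    proc.wait(timeout=5)
    return reply


if __name__ == "__main__":
    print(demo_normal(), demo_reverse())
```

Both demos return the echoed line. Note that `spawn_inetd_style` is the only place the server is started, and it receives a plain connected socket in either case; this is the property that lets a real deployment reuse an unmodified `sshd -i` for call home, with the outbound connection replacing inetd's accept.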

Bootstrap Parameters
Devices must be configured with:
- the IP/port of the NMS to initiate the connection to
- a user account and credentials for the NMS to use
NMS should be configured with:
- identities for expected device connections
- device SSH host keys, or an ability to authenticate devices (e.g. PKI)

Zero-Touch Bootstrap
- Automated configuration of the Bootstrap Parameters from the previous slide
- A highly-requested feature
Device bootstrap procedure:
- Device placed on an isolated network
- Device configures its network stack via DHCP
- Device fetches Bootstrap Parameters from the network
Security recommendations:
- NMS's "user" credentials SHOULD be an asymmetric key
- Device's host key SHOULD be an X.509 certificate

Regarding X.509 Based Keys
- RFC 6187 defines X.509v3 Certificates for Secure Shell Authentication (March 2011)
- Currently no known implementations
  - some implementations of draft-saarenmaa-ssh-x509-00
- The following are planning to support it:
  - the OpenSSH patch by Roumen Petrov
  - J2SSH Maverick by SSHTOOLS Limited

Questions / Concerns ?

Alternative Strategy: Device is SSH Client
- Device initiates the TCP connection
- [Diagram: Device initiates the TCP connection to port TBD on the NMS; SSH runs on top of the TCP connection; NMS opens a channel on the Device]

Bootstrap Parameters (Alternative Strategy)
Devices must be configured with:
- the IP/port of the NMS to initiate the connection to
- the NMS's SSH host key, or an ability to authenticate it (e.g. PKI)
- a user account and credentials to log into the NMS
- a local user account to bind the session to