[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Ever onward

To: Juergen Schoenwaelder <schoenw@ibr.cs.tu-bs.de>
Subject: Re: Ever onward
From: Margaret Wasserman <margaret@thingmagic.com>
Date: Sat, 07 Feb 2004 10:39:07 -0500
Cc: netconf@ops.ietf.org
In-reply-to: <200402052111.i15LBd6p008272@hansa.ibr.cs.tu-bs.de>
References: <5.1.0.14.2.20040205153247.03ce8d38@ms101.mail1.com> <sd4qu62wzz.fsf@wes.hardakers.net> <200401300758.i0U7wmBE030236@idle.juniper.net> <200401300758.i0U7wmBE030236@idle.juniper.net> <5.1.0.14.2.20040204144303.03c71598@ms101.mail1.com> <sdk732ts0k.fsf@wes.hardakers.net> <40217AA6.3070706@cisco.com> <sd4qu62wzz.fsf@wes.hardakers.net> <5.1.0.14.2.20040205153247.03ce8d38@ms101.mail1.com>

Hi Juergen,

At 10:11 PM 2/5/2004 +0100, Juergen Schoenwaelder wrote:

In my view, however, netconf after all is a programmatic interface and
so you will have special programs (perhaps just scripts) to talk
netconf.  And then using a special netconf port is more a feature and
has virtually no costs since I expect that every reasonable
implementations allows to specify the port to connect to.


I agree that there is little/no cost to using a different port
on the management and agent sides of the netconf connection.

My concern is that, in an effort to make it easier for operators
to administratively control management access to their devices,
we would actually make it harder.  If we have separate ports for
CLI/SSH and NETCONF/SSH, then the an administrator would have to
poke two holes through his firewall to enable both types of
external management access.  Alternatively, he would have to
block two types of traffic to block external management access.

I guess that Wes and I are operating under opposite assumptions...

I'm assuming that operators already have appropriate (by their
definition) access control mechanisms in place to block/allow
SSH-based management access to their networking equipment (for
CLI).  So, by using the same port, we would make it easy for
NETCONF/SSH to piggy-back on the same ACL configuration, etc.

Wes is, I guess, assuming that there are operators who might
like to distinguish between allowing CLI/SSH access to the device
and allowing NETCONF/SSH access to the device...  I'm not sure
why, because I am picturing a world in which both interfaces
can do the same things for the same users -- one just provides
a good human interface and the other a good programmatic
interface.

Margaret


--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>

Follow-Ups:
- Re: Ever onward
  - From: Juergen Schoenwaelder <schoenw@ibr.cs.tu-bs.de>

References:
- Re: Ever onward
  - From: Margaret Wasserman <margaret@thingmagic.com>
- Re: Ever onward
  - From: Wes Hardaker <wjhns1@hardakers.net>
- Ever onward
  - From: Phil Shafer <phil@juniper.net>
- Re: Ever onward
  - From: Margaret Wasserman <margaret@thingmagic.com>
- Re: Ever onward
  - From: Wes Hardaker <wjhns1@hardakers.net>
- Re: Ever onward
  - From: Eliot Lear <lear@cisco.com>
- Re: Ever onward
  - From: Juergen Schoenwaelder <schoenw@ibr.cs.tu-bs.de>

Prev by Date: Re: Issue 13.3.1 -- I say "go for it"
Next by Date: Re: Issue 13.3.1 -- I say "go for it"
Previous by thread: Re: Ever onward
Next by thread: Re: Ever onward
Index(es):
- Date
- Thread