On Wed, 21 Apr 2004 17:24:29 -0400, "Kathleen M. Moriarty" <moriarty@ll.mit.edu> said:
Kathleen> I am working on a draft in the INCH working group, RID
Kathleen> http://www.ietf.org/internet-drafts/draft-ietf-inch-rid-00.txt,
Kathleen> and need to provide a hand off for mitigating or stopping traffic when
Kathleen> the source of a security incident is identified.
note: you might look into the Distributed firewall working group, as
well as the IPSP working group for further information on
accomplishing your end goals in a standardized fashion.
Kathleen> Would the idea of netconf be to allow any management system
Kathleen> to directly configure devices if they have the appropriate
Kathleen> access controls, authentication, etc.? Or would there be a
Kathleen> central server that the requests must be filtered through to
Kathleen> make sure the network configuration changes are documented
Kathleen> and a sanity check is performed?
netconf does not require a central server and devices can be directly
manipulated by anyone with proper authentication and authorization.
Authentication is defined by leveraging the transport over which the
netconf stream is sent. Note that netconf is in its infancy and
authorization (or even any standardized data model or data to actually
manage, such as a standardized firewall control mechanism) has yet to
be defined. If you need immediate standardized results to build off
of, netconf isn't there yet (it's so far only a protocol).
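For readers who want to see what the hand-off above would look like on the wire, the following is an added example and not code from the RID draft, from this thread, or from any netconf implementation. It assumes the `<rpc>`/`<edit-config>`/`<rpc-reply>` message shape and the `]]>]]>` end-of-message delimiter as later standardized for NETCONF over SSH (RFC 6241/RFC 6242), not the 2004 draft. The firewall payload under the namespace `urn:example:acme:acl` is invented for the example, precisely because no standard firewall data model exists, and the two device replies are constructed, not captured. Authentication of the operator is assumed to have happened in the SSH layer before any of this is sent; the only standard signal the protocol gives when a transport-authenticated user is not authorized is an `<rpc-error>` with `error-tag` `access-denied`.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"       # NETCONF base namespace
EOM = "]]>]]>"                                       # end-of-message delimiter (NETCONF over SSH)
VENDOR_NS = "urn:example:acme:acl"                   # HYPOTHETICAL vendor ACL model, invented here

ET.register_namespace("nc", NC)
ET.register_namespace("acl", VENDOR_NS)


def build_block_rpc(message_id, src_ip, target="running"):
    """Build an <rpc><edit-config> asking the device to drop traffic from src_ip.

    The <config> body is a made-up vendor fragment: netconf standardizes the
    envelope, not the firewall rule inside it, so every device vendor would
    need its own schema here.
    """
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, f"{{{NC}}}edit-config")
    tgt = ET.SubElement(edit, f"{{{NC}}}target")
    ET.SubElement(tgt, f"{{{NC}}}{target}")
    cfg = ET.SubElement(edit, f"{{{NC}}}config")
    acl = ET.SubElement(cfg, f"{{{VENDOR_NS}}}acl")
    rule = ET.SubElement(acl, f"{{{VENDOR_NS}}}rule")
    ET.SubElement(rule, f"{{{VENDOR_NS}}}source").text = src_ip
    ET.SubElement(rule, f"{{{VENDOR_NS}}}action").text = "drop"
    return ET.tostring(rpc, encoding="unicode") + EOM


def parse_reply(raw):
    """Parse one <rpc-reply> frame.

    Returns (message_id, "ok", None) when the device accepted the change, or
    (message_id, "error", error_tag) when it refused, e.g. "access-denied"
    when the authenticated user lacks authorization on that device.
    """
    body = raw.split(EOM, 1)[0]
    reply = ET.fromstring(body)
    if reply.tag != f"{{{NC}}}rpc-reply":
        raise ValueError("not an rpc-reply frame")
    mid = reply.get("message-id")
    if reply.find(f"{{{NC}}}ok") is not None:
        return mid, "ok", None
    err = reply.find(f"{{{NC}}}rpc-error")
    if err is None:
        raise ValueError("rpc-reply carries neither <ok/> nor <rpc-error>")
    return mid, "error", err.findtext(f"{{{NC}}}error-tag")


def reply_matches_request(request, reply):
    """True when the reply echoes the request's message-id (pairing check)."""
    req_mid = ET.fromstring(request.split(EOM, 1)[0]).get("message-id")
    return parse_reply(reply)[0] == req_mid


# Constructed replies of the kind a device would send back (not real traffic).
SAMPLE_OK = (
    f'<rpc-reply message-id="1" xmlns="{NC}"><ok/></rpc-reply>' + EOM
)
SAMPLE_DENIED = (
    f'<rpc-reply message-id="2" xmlns="{NC}"><rpc-error>'
    "<error-type>protocol</error-type>"
    "<error-tag>access-denied</error-tag>"
    "<error-severity>error</error-severity>"
    "</rpc-error></rpc-reply>" + EOM
)

if __name__ == "__main__":
    # The request a RID hand-off system would push once the offending source is known.
    request = build_block_rpc(1, "192.0.2.10")
    print(request)
    print(parse_reply(SAMPLE_OK), reply_matches_request(request, SAMPLE_OK))
    print(parse_reply(SAMPLE_DENIED))
```

The transport (SSH session setup, the `<hello>` capability exchange) is left out; what the block shows is that once the session is authenticated by SSH, the protocol itself carries no policy about who may push which rule, and the management system only learns about a refusal after the fact from the `<rpc-error>`.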