Re: Central point for configuration management using netconf?

["Kathleen M. Moriarty" <moriarty@ll.mit.edu>]

Hello Juergen,

Juergen Schoenwaelder wrote:

> On Wed, Apr 21, 2004 at 05:24:29PM -0400, Kathleen M. Moriarty wrote:
>  
>
> > I am working on a draft in the INCH working group, RID
> > http://www.ietf.org/internet-drafts/draft-ietf-inch-rid-00.txt,
> > and need to provide a hand off for mitigating or stopping traffic when 
> > the source of a security incident is identified.
> >
> > So far, I have only been able to locate protocols that allow this to be 
> > automated like netconf or SNMP, but no central point that one would need 
> > to go through in order to make this happen for change control, etc.  I 
> > have been asked by folks implementing my draft what this hand off will 
> > be and am trying to determine what the best solution would be.  The 
> > ideas I have had so far include either SNMP or netconf for device 
> > configuration, but this leaves things very open ended in my mind.  Would 
> > the idea of netconf be to allow any management system to directly 
> > configure devices if they have the appropriate access controls, 
> > authentication, etc.?  Or would there be a central server that the 
> > requests must be filtered through to make sure the network configuration 
> > changes are documented and a sanity check is performed?
>
>
> I would not like to give you direct access to my devices. So I agree
> that you would have to go through a filtering system which is under
> my control (an element manager in telco terms). The first thing to
> check is probably whether there is general agreement on this model.

We are in agreement :-)  I was hoping to find that other would also like 
to see a similar model to ensure change control management.  The draft I 
am working on integrates with many aspects of the network including 
possibly IDS, trace mechanisms, and filtering capabilities while keeping 
in mind that the network provider has final say on what their network 
resources can do at that point in time.  When RID traces to the source 
of an attack and the network provider closest to the source wants to 
block or mitigate the traffic, I would like to have some guidance in how 
to do that in the draft.  I will look into the working group Wes 
suggests and may have to leave this open ended with guidance on the need 
for change control management to prevent inadvertent problems if no 
standard solution exists or is in development right now.
> If there is agreement on this model, the next question is to ask which
> communication mechanism is useful for this purpose. Traditionally, the
> IETF did not much work on defining protocols for communication between
> element managers. Perhaps this is something where web services make 
> sense or where perhaps EPP (RFC 3730) can be used. You can of course
> solve this problem by talking SNMP or netconf to the element manager,
> but I have some doubts that this will be very practical.

I will look at RFC 3730, thanks for the pointer.  I wanted to find out 
if there was some IETF work that I was unaware of to make sure the draft 
followed standard practices.  I may be able to leave this part for later 
specification to make sure the proper answer is determined.

Thank you,
Kathleen
> /js


--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>