Re: NETCONF over TLS
Dear Andy,
Thank you for your request for the WG review.
>>Are there implementations of this feature (not just this draft)?
>
> Haven't read the draft, but we've had JUNOScript over SSL/TLS since
> 2001. The only difference between this and normal JUNOScript is
> an initial RPC that gives a user and password (<request-login>).
> We use certificates as host-verification, but didn't go very
> far down this path (user certs, etc).
You are right, Phil. The draft says:
When public key is used for authentication, TLS supports three
authentication modes: authentication of both parties, server
authentication with an unauthenticated client, and total anonymity.
User authentication in unauthenticated or authenticated client mode
is outside the scope of this document. User authentication should be
handled by either an extension of TLS (such as the TLS Inner
Application Extension [IATLS]) or an authentication extension of
NETCONF.
So, the peer acting as the NETCONF agent (acting also as TLS server) may
be configured to authenticate the NETCONF manager at the TLS layer, at the
NETCONF layer, or at both of these two layers.
In the last two cases, we need a NETCONF-specific mechanism for manager
authentication and therefore an initial RPC is needed to convey the
username and password, as in JUNOScript.
I will update the draft accordingly, or send a separate document for
<rpc-login> with NETCONF.
> Thanks,
> Phil
Best regards,
Badra
> On Fri, Jun 15, 2007 at 06:59:23AM -0700, Andy Bierman wrote:
>
>> I'm not sure if the WG was ever officially asked to comment
>> on the draft by Mohamad Badra called "NETCONF over TLS".
>> So I am asking now.
>>
>> http://www.ietf.org/internet-drafts/draft-badra-tls-netconf-03.txt
>>
>> Please send comments on this draft and the feature itself
>> to the WG mailing list.
>>
>> Are there implementations of this feature (not just this draft)?
>
> I know that early implementations from INRIA were running over TLS
> instead of SSH. They then switched over to SSH after I told them that
> TLS is a non-defined transport mapping. Not sure what this means; at
> least there were people implementing something like NETCONF over TLS.
>
>> Should this work be standardized?
>>
>> If not, should it be published as Informational or Experimental?
>
> I don't care so much about the political implications of this
> question. In practice, I believe a NETCONF over TLS mapping has at
> least the same chances of implementation and deployment as some of
> the other transports we have put on the standards track and hence I
> would vote for a fair treatment of all the transports and then in
> three-five years we can decide which ones to declare historic when the
> others go for Draft Standard.
>
> /js
>
> --
> Juergen Schoenwaelder Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
> Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
>
--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>
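The agent-side choice discussed in the thread above (authenticating the manager at the TLS layer, at the NETCONF layer via an initial login RPC carrying username and password, or at both) as an added Python example; it is not code from this thread, from the draft or from JUNOScript. The `<rpc-login>`/`<username>`/`<password>` element names, the credential store and the sample message are assumptions; the `]]>]]>` marker is the NETCONF 1.0 end-of-message framing.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
EOM = "]]>]]>"  # NETCONF 1.0 end-of-message marker (RFC 4742 framing)

def _h(salt, pw):
    return hashlib.sha256(salt + pw.encode()).hexdigest()

# Constructed credential store: username -> (salt, sha256(salt + password)).
USERS = {"admin": (b"s3", _h(b"s3", "hunter2"))}

# Constructed sample of the first RPC a manager would send; the element names
# <rpc-login>/<username>/<password> are assumptions, not taken from the draft.
LOGIN = (f'<rpc xmlns="{NS}" message-id="1"><rpc-login><username>admin'
         f'</username><password>hunter2</password></rpc-login></rpc>{EOM}')

def parse_rpc_login(message):
    """Return (message-id, username, password), or None if not a login RPC."""
    if not message.endswith(EOM):
        return None
    try:
        rpc = ET.fromstring(message[:-len(EOM)])
    except ET.ParseError:
        return None
    login = rpc.find(f"{{{NS}}}rpc-login")
    if rpc.tag != f"{{{NS}}}rpc" or login is None:
        return None
    user, pw = login.findtext(f"{{{NS}}}username"), login.findtext(f"{{{NS}}}password")
    return None if user is None or pw is None else (rpc.get("message-id"), user, pw)

def netconf_layer_auth(message):
    """NETCONF-layer check of <rpc-login>; constant-time compare so a bad
    username and a bad password are not distinguishable by timing."""
    parsed = parse_rpc_login(message)
    if parsed is None:
        return False
    _, user, pw = parsed
    salt, digest = USERS.get(user, (b"", ""))
    return hmac.compare_digest(_h(salt, pw), digest) and user in USERS

def manager_authenticated(mode, client_cert_verified, login_message):
    """Agent policy from the thread: 'tls' trusts a verified client
    certificate, 'netconf' needs a valid <rpc-login>, 'both' needs both."""
    rpc_ok = bool(login_message) and netconf_layer_auth(login_message)
    checks = {"tls": client_cert_verified, "netconf": rpc_ok,
              "both": client_cert_verified and rpc_ok}
    return checks[mode]  # KeyError for an unknown mode
```

In the server-only TLS mode (unauthenticated client) the agent still has an authenticated manager only if the login RPC succeeds, which is the gap the thread proposes `<rpc-login>` to fill.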