Re: NETCONF over TLS
badra@isima.fr wrote:
> I will update the draft consequently, or send a separate document for
> <rpc-login> with NETCONF.
I think this is crucial for the TLS transport to work for NETCONF.
RFC4741 says in section 2.3:

  NETCONF connections must be authenticated. The transport protocol is
  responsible for authentication.
  [...]
  The authentication process should result in an identity whose
  permissions are known to the device.

I don't see how this requirement is met with the current draft.
So, adding a <login> rpc to this document is probably a good idea.
But do we want to limit TLS usage to using the <login> method? People
are also using some field in the 'subject' of a client certificate to
get a user name (or other info) which is then mapped to access
rights.
/martin
--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>
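
The certificate-subject approach mentioned in the message above, sketched as an added example (not part of the original post or of any NETCONF draft): a field of an already-verified client certificate's subject is taken as the user name and mapped to access rights, failing closed when no single known identity results. The subject layout follows what Python's ssl.SSLSocket.getpeercert() returns; the ACCESS_RIGHTS table, the function names and the sample subject are assumptions made for illustration.

```python
import re

# Hypothetical device-local table: identity -> permissions known to the device.
ACCESS_RIGHTS = {
    "alice": {"get", "get-config", "edit-config"},
    "monitor": {"get"},
}

# Constructed sample, shaped like ssl.SSLSocket.getpeercert()["subject"]:
# a tuple of RDNs, each RDN a tuple of (attribute name, value) pairs.
SAMPLE_SUBJECT = (
    (("organizationName", "Example Org"),),
    (("commonName", "alice"),),
)

# Conservative character set for user names (an assumption of this example).
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


class IdentityError(Exception):
    """The certificate does not yield exactly one usable, known identity."""


def identity_from_subject(subject, field="commonName"):
    """Return the single value of `field` in the subject, or raise."""
    values = [v for rdn in subject for (k, v) in rdn if k == field]
    if len(values) != 1:
        # Zero or several candidate names: ambiguous, so refuse to pick one.
        raise IdentityError(f"expected one {field}, found {len(values)}")
    name = values[0]
    if not _SAFE_NAME.fullmatch(name):
        # Rejects embedded NULs, whitespace and other surprises in the name.
        raise IdentityError("identity contains unexpected characters")
    return name


def permissions_for(subject):
    """Map a verified certificate subject to (user name, access rights)."""
    name = identity_from_subject(subject)
    if name not in ACCESS_RIGHTS:
        # RFC4741 2.3: the identity's permissions must be known to the device.
        raise IdentityError(f"no permissions known for {name!r}")
    return name, ACCESS_RIGHTS[name]
```

This runs only after the TLS layer has validated the certificate chain; the mapping itself performs no cryptographic check.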