Re: NETCONF over TLS
Hi,
Mohamad Badra <badra@isima.fr> wrote:
> Let's start with the following. Comments are very welcome..
>
> (The peer acting as NETCONF manager acts also as TLS client.)
>
> Upon the successful run of the protocol's standard authentication mechanism
> (e.g. TLS), the agent may submit an authentication request to have more
> authentication and authorization information from the manager. The agent
> begins the authentication process by emitting the <request-login> tag
> element within an <rpc> tag element:
>
> <rpc-reply message-id="101"
>            xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
>   <username>Username:</username>
>   <challenge>Password:</challenge>
> </rpc-reply>
I don't get this. Is this the first message the agent sends after a
<hello>? A spurious <rpc-reply>??
IMO, the agent has to decide if more authentication is needed or not.
For example:

manager                                agent
-------                                -----
<hello>            <--------->         <hello>

<!-- this is if the manager tries to do an rpc w/o login -->
<rpc>
  <get/>           ---------->
</rpc>
                   <----------         <rpc-error> authentication-needed
<rpc>
  <request-login/> ---------->
</rpc>
and then the agent sends the message you wrote:

<rpc-reply message-id="101"
           xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <data>
    <authentication-response xmlns="new ns">
      <username>Username:</username>
      <challenge>Password:</challenge>
    </authentication-response>
  </data>
</rpc-reply>

etc.
Maybe the agent can signal that authentication is needed in the hello
message, by including the new capability for 'request-login'. Then
the manager can do <request-login> directly, if needed.
/martin
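The exchange sketched above, as an added example that is not part of the thread: a minimal agent-side model that advertises a 'request-login' capability in <hello>, rejects RPCs from a manager that has not logged in, and answers <request-login> with the authentication-response reply. The capability URI, the namespace used for the login elements, and the placement of "authentication-needed" in <error-app-tag> are assumptions.

```python
# Added example, not code from the thread. Models the agent side of the
# proposed login exchange; URIs and the error-app-tag placement are assumed.
import xml.etree.ElementTree as ET

BASE = "urn:ietf:params:xml:ns:netconf:base:1.0"
LOGIN_CAP = "urn:example:capability:request-login:1.0"  # hypothetical URI
LOGIN_NS = "urn:example:netconf:auth"                   # the "new ns" above
NS = {"nc": BASE}


class Agent:
    """Tracks whether the TLS-authenticated manager has also logged in."""

    def __init__(self, require_login=True):
        self.require_login = require_login
        self.logged_in = not require_login

    def hello(self):
        # Advertise the capability so the manager can send request-login
        # directly instead of discovering the requirement via an rpc-error.
        caps = [BASE] + ([LOGIN_CAP] if self.require_login else [])
        root = ET.Element(f"{{{BASE}}}hello")
        c = ET.SubElement(root, f"{{{BASE}}}capabilities")
        for uri in caps:
            ET.SubElement(c, f"{{{BASE}}}capability").text = uri
        return ET.tostring(root, encoding="unicode")

    def handle(self, rpc_xml):
        rpc = ET.fromstring(rpc_xml)
        op = rpc[0]  # the single operation element inside <rpc>
        reply = ET.Element(f"{{{BASE}}}rpc-reply",
                           {"message-id": rpc.get("message-id")})
        if op.tag == f"{{{LOGIN_NS}}}request-login":
            data = ET.SubElement(reply, f"{{{BASE}}}data")
            ar = ET.SubElement(data, f"{{{LOGIN_NS}}}authentication-response")
            ET.SubElement(ar, f"{{{LOGIN_NS}}}username").text = "Username:"
            ET.SubElement(ar, f"{{{LOGIN_NS}}}challenge").text = "Password:"
        elif not self.logged_in:
            # Any other rpc before login is refused with the standard
            # access-denied tag; the thread's label goes in error-app-tag.
            err = ET.SubElement(reply, f"{{{BASE}}}rpc-error")
            ET.SubElement(err, f"{{{BASE}}}error-type").text = "protocol"
            ET.SubElement(err, f"{{{BASE}}}error-tag").text = "access-denied"
            ET.SubElement(err, f"{{{BASE}}}error-app-tag").text = "authentication-needed"
        else:
            ET.SubElement(reply, f"{{{BASE}}}data")
        return ET.tostring(reply, encoding="unicode")


def manager_needs_login(hello_xml):
    """Manager side: does the agent's <hello> advertise request-login?"""
    caps = ET.fromstring(hello_xml).findall("nc:capabilities/nc:capability", NS)
    return any(c.text == LOGIN_CAP for c in caps)
```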
archive: <http://ops.ietf.org/lists/netconf/>