[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NETCONF over TLS

To: Andy Bierman <ietf@andybierman.com>
Subject: Re: NETCONF over TLS
From: Phil Shafer <phil@juniper.net>
Date: Mon, 18 Jun 2007 14:32:25 -0400
Cc: Eliot Lear <lear@cisco.com>, Mohamad Badra <badra@isima.fr>, Simon Leinen <simon.leinen@switch.ch>, netconf@ops.ietf.org
In-reply-to: Your message of "Mon, 18 Jun 2007 09:45:33 PDT." <4676B6AD.4060800@andybierman.com>

Andy Bierman writes:
>So, with this new 'special' <request-login> RPC (that creates
>a layer violation in itself) the agent needs to send 'operation-failed'
>errors for any other RPC received before this one?  A special mode is needed
>in the RPC handler, based on, and coupled to, the transport protocol
>used to establish the session -- just to support this special RPC method.

The rules to handle this were pretty simple:

- The <request-login> RPC could only be performed if the session wasn't
  authenicated.
- No other RPCs could be performed if the session wasn't authenicated
- The transport protocol can authenticate the session (internally)

So over ssh, the session is authenticated by the transport protocol,
which calls a function to pass this information up to the netconf layer.

Over ssl/tls, the session starts with no authentication, leaving the
<request-login> RPC as the only valid RPC.  Anything else is an error.

Thanks,
 Phil

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>

Follow-Ups:
- Re: NETCONF over TLS
  - From: Andy Bierman <ietf@andybierman.com>

References:
- Re: NETCONF over TLS
  - From: Andy Bierman <ietf@andybierman.com>

Prev by Date: Re: NETCONF over TLS
Next by Date: Submission cut-off dates before Chicago
Previous by thread: Re: NETCONF over TLS
Next by thread: Re: NETCONF over TLS
Index(es):
- Date
- Thread