Re: NETCONF over TLS
> Phil Shafer wrote:
>> Andy Bierman writes:
>>> IMO, this should be handled with a different top-level element
>>> than <rpc>, outside the scope of the NETCONF protocol.
>>
>> So is another scenario where the generic RPC mechanism
>> we defined in NETCONF can't be used?
>>
>
> My interpretation of the text in RFC 4741, sec. 2.2 and 2.3
> is that these transport services must be provided to the NETCONF layer
> (meaning <rpc> in this case), and implies that the NETCONF layer
> can assume that these services are established before a NETCONF
> session is used. IMO, using the <rpc> layer to establish the session
> is not supported, or a good idea.
Dear Andy,
In this case, the mutual authentication must then be established by the
transport layer. Currently, TLS specifies several authentication methods,
namely certificates, preshared keys, and tokens. Password
authentication is also possible by using some works in progress: Password
Ciphersuites for TLS, EAP (e.g. EAP-TTLSv0), etc.
Best regards,
Badra
--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>