RE: NETCONF over TLS
Hi,
BCP72 identifies TLS as the transport security mechanism of choice
when traffic is over TCP. SSH is recommended for remote login
security, for providing channel-level security directly in the
application.
Netconf is designed to do "network configuration" as a
replacement/supplement to the CLI running over a remote login session.
But when netconf starts to move into notifications and into
monitoring, then I think the argument for remote login gets weaker.
If netconf is meant for "network configuration", i.e., configuring all
types of nodes in the network, then there are some questions to ask:
1) Key distribution is important; do more network nodes already
support TLS (and thus have certificates already distributed) or
already support SSH (and already have SSH-related credentials
distributed)?
2) Will netconf provide application-level security beyond what the
secure transport provides, such as data access controls? If so, will
this be easier using TLS or SSH? What attributes need to be passed up
from the transport security to the application to provide these extra
services?
3) Which is easier to integrate with AAA protocols, such as RADIUS and
Diameter?
4) And most important, what would the operators use if both SSH and
TLS were available?
Badra's draft is similar to RFC2818, the informational document for
HTTPS. The Syslog WG has developed a draft for a TLS-based secure
transport, as well, with some differences from RFC2818 based on new
recommendations for TLS processing. Badra has had input from Juergen
S, Miao Fuyou (author of the syslog/tls draft), and myself. The
syslog/tls document has required some updates following security
reviews, and Badra's draft may require some updates as well, but I
think the draft will probably pass security review fairly easily. I
would recommend including a section that describes the threats
addressed by the proposal, and how those threats are mitigated.
My recommendation is to ask Badra to publish the draft as
experimental, and ask Badra to find other people willing to implement
Netconf/TLS as part of the experiment.
David Harrington
dharrington@huawei.com
dbharrington@comcast.net
ietfdbh@comcast.net
> -----Original Message-----
> From: owner-netconf@ops.ietf.org
> [mailto:owner-netconf@ops.ietf.org] On Behalf Of Andy Bierman
> Sent: Friday, June 15, 2007 9:59 AM
> To: Netconf (E-mail)
> Subject: NETCONF over TLS
>
> Hi,
>
> I'm not sure if the WG was ever officially asked to comment
> on the draft by Mohamad Badra called "NETCONF over TLS".
> So I am asking now.
>
> http://www.ietf.org/internet-drafts/draft-badra-tls-netconf-03.txt
>
> Please send comments on this draft and the feature itself
> to the WG mailing list.
>
> Are there implementations of this feature (not just this draft)?
>
> Should this work be standardized?
>
> If not, should it be published as Informational or Experimental?
>
> thanks,
> Andy
--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>