Re: NETCONF over TLS

[Andy Bierman <ietf@andybierman.com>]

badra@isima.fr wrote:
> > Phil Shafer wrote:
> > > Andy Bierman writes:
> > > > IMO, this should be handled with a different top-level element
> > > > than <rpc>, outside the scope of the NETCONF protocol.
> > > So is another scenario where the generic RPC mechanism
> > > we defined in NETCONF can't be used?
> > My interpretation of the text in RFC 4741, sec. 2.2 and 2.3
> > is that these transport services must be provided to the NETCONF layer
> > (meaning <rpc> in this case), and implies that the NETCONF layer
> > can assume that these services are established before a NETCONF
> > session is used.  IMO, using the <rpc> layer to establish the session
> > is not supported, or a good idea.
>
> Dear Andy,
>
> In this case, the mutual authentication must be then established by the
> transport layer. Currently, TLS specifies several authentication methods
> using namely certificates, preshared keys, and tokens. The password
> authentication is also possible by using some works in progress: Password
> Ciphersuites for TLS, EAP (e.g. EAP-TTLSv0), etc.

Whatever the details, they need to be handled outside of the NETCONF session
mechanisms.  Translation: Use some sort of <connect> transaction that is
finished before the session is deemed ready to receive <rpc> PDUs.
(My only objection is to the <rpc> usage).

> Best regards,
> Badra

Andy

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>