[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NETCONF over TLS

To: Balazs Lengyel <balazs.lengyel@ericsson.com>
Subject: Re: NETCONF over TLS
From: Mohamad Badra <badra@isima.fr>
Date: Tue, 19 Jun 2007 13:28:43 +0200
Cc: netconf@ops.ietf.org
In-reply-to: <46779BC8.9070505@ericsson.com>
References: <46729B3B.9090403@andybierman.com> <20070615181423.GC13774@elstar.local> <63214.86.72.162.197.1182013900.squirrel@www.isima.fr> <46779BC8.9070505@ericsson.com>
User-agent: Thunderbird 1.5.0.12 (Windows/20070509)

Balazs Lengyel writes:

Hello,
Why do you feel we need a new transport mapping? What would that giveus, why is it better then SSH and BEEP?You describe in your document what you intend to do, but pleasemotivate us by stating why is this a good idea?
regards Balazs


Hi Lengyel,

It is not so easy to make a comparison between available securityprotocols for a specific application and to recommend a single one. Itis easier to define a model threat for that application and then lookingfor a security solution. It is right that BEEP, SSH and other securityprotocols are able to meet the Netconf security requirements, but TLScould be a good alternative; even if other protocols could be able togive the same services.

There are several reasons why one might want to do Netconf over TLS, butplease don't consider them as an XOR to the available solutions. some ofthese reasons:

- People are interesting to adopt TLS to become the unifying transportfor, especially, SYSLOG, IPFIX, SNMP. And I think it is a good idea todo that for Netconf too. One argument is the following text posted outby David Harrington: [BCP72 identifies TLS as the transport securitymechanism of choice when traffic is over TCP. SSH is recommended forremote login security, for providing channel-level security directly inthe application. Netconf is designed to do "network configuration" as areplacement/supplement to the CLI running over a remote login session].

- TLS natively integrates key distribution and mutual authenticationbased on certificates, preshared keys, tokens, passwords and othercredential types. If you are going to distribute vendor-certificates foryour network's devices, TLS will be able to integrate the PKI use in afashion way.

- TLS can provide a user-based access-control model (RFC 4681) and byits design it provides a facility for secure connection closure(close_notify alert) as well as a flexible way to encapsulate andprotect EAP (for OTP, PLAIN, CHAP, etc.), AAA and RADIUS attributes.

- As Juergen Schoenwaelder pointed out, the implementors at that timedid not want NETCONF/BEEP+TLS nor NETCONF/SOAP+HTTPS+TLS.



Best regards

--
Mohamad Badra
CNRS - LIMOS Laboratory



--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>

References:
- NETCONF over TLS
  - From: Andy Bierman <ietf@andybierman.com>
- Re: NETCONF over TLS
  - From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
- Re: NETCONF over TLS
  - From: badra@isima.fr
- Re: NETCONF over TLS
  - From: Balazs Lengyel <balazs.lengyel@ericsson.com>

Prev by Date: RE: NETCONF over TLS
Next by Date: Re: NETCONF over TLS
Previous by thread: Re: NETCONF over TLS
Next by thread: Re: NETCONF over TLS
Index(es):
- Date
- Thread