Re: NETCONF over TLS
David B Harrington wrote:
1) key distribution is important; do more network nodes already
support TLS (and thus have certificates already distributed) or
already support SSH (and already have SSH-related credentials
distributed)?
I think you have to start by asking who is trusting whom and for what?
Take for instance DOCSIS. Here the cable modems aren't really all that
trusted, and yet they receive a configuration. But they have to trust
the DOCSIS controller. If one uses NETCONF over BEEP in this way, then
the clients don't need to log in at all, but they assuredly want some
reason to trust their configuration server. TLS and the X.509
infrastructure is well suited for this, as it is fairly easy to
configure a small number of DNs that are signed by well known CAs that
can be trusted. And so to answer your question, certainly the CAs are
more well known than SSH key pairs will ever be. That leaves the
configuring of which DN you want to trust.
Oh and for good measure, a manufacturer's cert could be demanded for
*some* sort of authentication.
2) Will netconf provide application-level security beyond what the
secure transport provides, such as data access controls? If so, will
this be easier using TLS or SSH? What attributes need to be passed up
from the transport security to the application to provide these extra
services?
I think an example of what you have in mind would help. I don't
immediately see relevance between the difference in secure transport and
what happens above it.
3) Which is easier to integrate with AAA protocols, such as RADIUS and
Diameter?
This is where BEEP does its thing. You do both TLS *and* SASL, and
voila: you can mix and match, even, based on deployment needs.
4) and most important, what would the operators use if both SSH and
TLS were available?
Operators need to answer this question.
My recommendation is to ask Badra to publish the draft as
experimental, and ask Badra to find other people willing to implement
Netconf/TLS as part of the experiment.
I would first like to understand from Badra why TLS+SASL/BEEP is not
sufficient?
Eliot
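The trust model Eliot sketches for the cable-modem case, where the client first validates the controller's certificate chain against a well-known CA and then trusts only a small configured set of DNs, as an added Python example (not code from this thread or from any NETCONF implementation). The CA bundle path, host and port, and the sample certificate dictionary are assumptions.

```python
import socket
import ssl

# Short attribute names for the long names ssl.getpeercert() reports.
_SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
          "organizationName": "O", "organizationalUnitName": "OU",
          "commonName": "CN"}


def subject_dn(peercert: dict) -> str:
    """Flatten the 'subject' of a getpeercert() dict into one canonical string,
    e.g. 'C=US,O=Example Cable,CN=config.example.net'. Each RDN is a tuple of
    (type, value) pairs; a multi-valued RDN is joined with '+'."""
    return ",".join(
        "+".join(f"{_SHORT.get(t, t)}={v}" for t, v in rdn)
        for rdn in peercert.get("subject", ()))


def peer_is_trusted_config_server(peercert: dict, allowed_dns) -> bool:
    """True only if the peer presented a certificate whose subject is one of
    the few DNs this node is configured to trust. Chain validation against
    the CA is the SSLContext's job; this is the DN check layered on top."""
    if not peercert:  # {} means no certificate, or verification was not required
        return False
    return subject_dn(peercert) in set(allowed_dns)


def make_client_context(cafile: str) -> ssl.SSLContext:
    """Client context rejecting any server whose chain does not end at a CA in
    cafile (assumed: an operator-provisioned PEM bundle of trusted CAs)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # the default; stated explicitly
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_checked(host: str, port: int, cafile: str, allowed_dns) -> ssl.SSLSocket:
    """Open a TLS connection and refuse to proceed unless the DN check passes."""
    ctx = make_client_context(cafile)
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    cert = sock.getpeercert()  # read before close(); it is unavailable afterwards
    if not peer_is_trusted_config_server(cert, allowed_dns):
        sock.close()
        raise ssl.SSLError("untrusted configuration server DN: " + subject_dn(cert))
    return sock


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Cable"),),
                (("commonName", "config.example.net"),)),
    "issuer": ((("commonName", "Example Public CA"),),),
}
ALLOWED_DNS = {"C=US,O=Example Cable,CN=config.example.net"}
```

A real deployment would call `connect_checked("config.example.net", 6513, "/path/to/ca-bundle.pem", ALLOWED_DNS)` with its own values; the port and path here are placeholders.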
archive: <http://ops.ietf.org/lists/netconf/>