Re: NETCONF over TLS
----- Original Message -----
From: "Andy Bierman" <ietf@andybierman.com>
To: "Eliot Lear" <lear@cisco.com>
Cc: "Mohamad Badra" <badra@isima.fr>; "Simon Leinen" <simon.leinen@switch.ch>;
<netconf@ops.ietf.org>
Sent: Monday, June 18, 2007 6:45 PM
Subject: Re: NETCONF over TLS
> Eliot Lear wrote:
> > Mohamad Badra wrote:
> >> Between, could you please tell what "far less functionally" does mean?
> >
> > The whole point of SASL is to provide for multiple profiles so that if
> > you want to use the GSSAPI or PLAIN or OTP or something else, you can do
> > so. In fact this is a battle we keep fighting *and* losing in network
> > management. Shall we some day plan to have an ISMS equivalent for
> > netconf? I surely hope not.
> >
> > And of course, you get all of this for free with the BEEP spec.
> >
>
> I have heard comments from Juergen that there are several foo-over-TLS
> drafts out there, and perhaps one specification for NM-over-TLS
> might be better. I heard concerns about 'vertical silos' from Dave H
> along the same lines. I also respect Eliot's concerns about reinventing
> things.
>
> The details are always messier than the "idea".
>
> So, with this new 'special' <request-login> RPC (that creates
> a layer violation in itself) the agent needs to send 'operation-failed'
> errors for any other RPC received before this one? A special mode is needed
> in the RPC handler, based on, and coupled to, the transport protocol
> used to establish the session -- just to support this special RPC method.
>
> Yuch.
>
My reaction is stronger than that. There are several warnings around that
working groups should not attempt to design their own security mechanisms.
There are too many pitfalls for those not experienced in the field and we should
not go down that road.
NETCONF allows you to change configurations so strong authentication of the
'manager' is a must. We need one security mechanism that is a MUST to implement
to ensure interworking. As others have pointed out, there is a plethora of
existing methods, to which I would add PSK and SRP for TLS, and several RFCs
reviewing authentication. Go choose.
Tom Petch
>
> > Eliot
>
> Andy
>
> --
> to unsubscribe send a message to netconf-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/netconf/>
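The coupling Andy objects to, as an added sketch that is not from the thread or from any draft: an RPC handler that has to track login state itself because the transport did not authenticate the peer, answering operation-failed to everything until a <request-login> succeeds. The credential store, the child element names of <request-login>, and the plain-password check are constructed assumptions for illustration.

```python
import hmac
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
# Constructed credential store for the example; a real agent would defer to AAA.
USERS = {"admin": "correct horse battery staple"}


class Session:
    """RPC-layer state that a transport-bound login RPC forces onto the handler."""

    def __init__(self, transport_authenticated):
        # An SSH-style transport arrives already authenticated; a bare TLS
        # session does not, so the RPC layer must gate on login by itself.
        self.logged_in = transport_authenticated


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _reply(message_id, body):
    return f'<rpc-reply xmlns="{NC}" message-id="{message_id}">{body}</rpc-reply>'


def _error(message_id, tag):
    return _reply(message_id, "<rpc-error><error-type>protocol</error-type>"
                  f"<error-tag>{tag}</error-tag><error-severity>error</error-severity></rpc-error>")


def error_tag(reply):
    """The <error-tag> of a reply, or None when the reply carries no error."""
    return ET.fromstring(reply).findtext(f"{{{NC}}}rpc-error/{{{NC}}}error-tag")


def handle_rpc(session, xml_text):
    try:
        rpc = ET.fromstring(xml_text)
    except ET.ParseError:
        return _error("0", "malformed-message")
    message_id = rpc.get("message-id", "0")
    if _local(rpc.tag) != "rpc" or len(rpc) != 1:
        return _error(message_id, "malformed-message")
    op = rpc[0]
    if _local(op.tag) == "request-login":  # hypothetical RPC from the thread
        fields = {_local(c.tag): (c.text or "") for c in op}
        expected = USERS.get(fields.get("username", ""), "")
        supplied = fields.get("password", "")
        if expected and hmac.compare_digest(supplied.encode(), expected.encode()):
            session.logged_in = True
            return _reply(message_id, "<ok/>")
        return _error(message_id, "access-denied")
    if not session.logged_in:
        # The "special mode": every other RPC is refused until login succeeds.
        return _error(message_id, "operation-failed")
    return _reply(message_id, "<ok/>")  # real operations would dispatch here
```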