[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NETCONF over TLS

To: David B Harrington <dbharrington@comcast.net>
Subject: Re: NETCONF over TLS
From: Eliot Lear <lear@cisco.com>
Date: Wed, 20 Jun 2007 09:27:19 +0200
Cc: "'Netconf (E-mail)'" <netconf@ops.ietf.org>
In-reply-to: <05e501c7b28d$18f4d5a0$0600a8c0@china.huawei.com>
References: Your message of "Tue, 19 Jun 2007 13:50:46 +0200." <4677C316.3080707@cisco.com> <200706191441.l5JEfwjw065141@idle.juniper.net> <05dd01c7b285$33665f10$0600a8c0@china.huawei.com> <4677F796.6070507@cisco.com> <05e501c7b28d$18f4d5a0$0600a8c0@china.huawei.com>
User-agent: Thunderbird 2.0.0.4 (Macintosh/20070604)

David B Harrington wrote:

If BEEP is just TLS + SASL + framing, why can't we just use TLS + SASL
+ framing? Where is the value-add for using BEEP instead of using the
independent components? How does BEEP make it easier for an operator
to operate their network than if they simply used TLS + SASL + a
standardized framing approach?

I think these are good and fair questions. First, I didn't say thatBEEP is *only* that. BEEP has a couple of what I would call frills,like the ability eliminate directionality to ease "call home". That'sgoing to valuable to operators who need to manage hundreds of thousandsof devices. Again, think along the lines of DOCSIS. A management modelwhere the manager connects to hundreds of thousands of devices is just anon-starter. In addition, the framing allows interspersing of different(presumably related) applications. This would simplify operatoraccess-lists, not to mention AAA operations (one versus N). SSH offersthis sort of functionality, as you correctly pointed out elsewhereyesterday.

But beyond that, I'd tend to agree with your sentiment. If you wantedto do what I would call a "BEEP light" that does TLS + user login, thenI implement SASL first, and then a very simple framing protocol thatNETCONF sits above, particularly one that doesn't require funky tags inthe data, making parsing a pain.


And so before you start NETCONF you add some gook along the lines of:

C: start-netconf

S: 354-authenticate first
S: 354-SASL/PLAIN
S: 354-SASL/OTP
(...)
S: 354 SASL/GSS-API
C: SASL PLAIN username=foo password=bar
S: 250 OK
C: start-netconf
S: 350 228 greeting follows
<greeting>
...
C: 278
<greeting>
...

(where 228 and 278 are byte counts)

What this gets you is integrated authentication and out of the byte counting
business.  You might even be able to steel the byte count code from either SMTP
CHUNKING or IMAP (although IMAP is a bit weird).


Eliot


Eliot

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>

Follow-Ups:
- Re: NETCONF over TLS
  - From: Tomoyuki Iijima <tomoyuki.iijima.fg@hitachi.com>

References:
- Re: NETCONF over TLS
  - From: Eliot Lear <lear@cisco.com>
- Re: NETCONF over TLS
  - From: Phil Shafer <phil@juniper.net>
- RE: NETCONF over TLS
  - From: "David B Harrington" <dbharrington@comcast.net>
- Re: NETCONF over TLS
  - From: Eliot Lear <lear@cisco.com>
- RE: NETCONF over TLS
  - From: "David B Harrington" <dbharrington@comcast.net>

Prev by Date: Re: NETCONF over TLS
Next by Date: Re: NETCONF over TLS
Previous by thread: Re: NETCONF over TLS
Next by thread: Re: NETCONF over TLS
Index(es):
- Date
- Thread