Some strange text in our charter - do we have consensus?
[explicitly bcc:-ed Bill Fenner. I am not sure if he is still on the
mailing list. Bill, can you let me know?]
The current WG charter has this text:
- The Bill Fenner problem: Address real or perceived issue that "giving
SSH for NETCONF gives full SSH access to the box"
It is listed as a non-goal/non-work-item of the current charter.
So we can just leave it as is.
On the other hand, at the IETF69 meeting we did not have a lot of
"operator" feedback on this.
Discussing it with one of the previous WG chairs (Simon),
we got this explanation from Simon:
>
> This seems to come from a discussion at the NEE bof at IETF 69
> (http://www3.ietf.org/proceedings/07jul/minutes/nee.txt):
>
> [...]
> Bill Fenner: possible gap, about authentication and authorization.
> Operators are fine with SNMP read access, but ssh access for
> NETCONF? Not sure. Perception is that NETCONF ssh access gives
> full access to the box.
>
> Sharon Chisholm: Exactly what is this perception?
>
> Bert Wijnen: Completely in conflict with NETCONF requirements!
>
> Bill Fenner: Different operators have different concerns...
>
> David Partain: what should the WG do?
>
> Bill Fenner: TLS would help. Thinks we may need an authentication
> mechanism just for NETCONF. SSH sounds like you can login to the
> device which is scary.
> [...]
>
> Maybe Bill thought (or "thought that operators would think", since
> this is about perception) that NETCONF-over-SSH was linked with a
> normal SSH server providing access to the full CLI. That is not the
> intent: NETCONF over SSH is specified to be served on a separate TCP
> port by default, and as a special SSH subsystem called "netconf".
>
> Well, the operators I know all permit SSH (or even TELNET) access to
> their boxes for configuration, so why wouldn't they permit
> NETCONF-over-SSH? Anyway. So that's why we're doing TLS!
>
> Best regards,
> --
> Simon.
>
It would be good if NetConf participants (specifically operators) could
chime in with what they think about this "perceived problem".
Bert
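[Editor's added example, not part of the thread above: Simon's point is that NETCONF over SSH is a separate SSH subsystem on a separate TCP port, so "SSH for NETCONF" need not mean a login shell. The OpenSSH sshd_config fragment below shows one way a device could enforce exactly that: port 830 serves only the netconf subsystem, and a NETCONF account reaching it gets the NETCONF agent whether it asks for a subsystem, a command or a shell. The agent path /usr/libexec/netconf-subsystem and the group name "netconf" are assumptions for illustration; port 830 is the IANA-assigned NETCONF-over-SSH port.]

```text
# Added example (not from the thread): OpenSSH sshd_config fragment that
# serves NETCONF as the SSH subsystem "netconf" on TCP 830 and gives
# NETCONF accounts no interactive shell on that port.
# Assumptions: the device runs OpenSSH, the NETCONF agent is the
# executable /usr/libexec/netconf-subsystem, and NETCONF operators are
# members of a (hypothetical) Unix group named "netconf".

# Normal CLI access stays on 22; NETCONF gets its own listener on 830.
Port 22
Port 830

# Register the NETCONF agent as the SSH subsystem named "netconf",
# which is what a client requests with "ssh -s ... netconf".
Subsystem netconf /usr/libexec/netconf-subsystem

# Everything that arrives on port 830 is NETCONF-only.
Match LocalPort 830
    # Only NETCONF operators may authenticate here, and only with keys.
    AllowGroups netconf
    AuthenticationMethods publickey
    # Whatever the client asks for (shell, exec or subsystem), sshd runs
    # the NETCONF agent instead, so there is no path to the CLI.
    ForceCommand /usr/libexec/netconf-subsystem
    # No terminal and no tunnelling side channels.
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

A manager then opens a session with "ssh -p 830 -s operator@device netconf" and speaks NETCONF over the subsystem channel. A plain "ssh -p 830 operator@device" does not yield a shell either: ForceCommand hands the connection to the NETCONF agent as well. This only separates the transport; what an authenticated NETCONF user may read or edit is still for the NETCONF server's own access control to decide.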
--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>