Re: [Netconf] Questions about draft-ietf-netconf-tls-04.txt
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Mon, 06 October 2008 19:40 UTC
Return-Path: <netconf-bounces@ietf.org>
X-Original-To: netconf-archive@ietf.org
Delivered-To: ietfarch-netconf-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 636A028C18B; Mon, 6 Oct 2008 12:40:51 -0700 (PDT)
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C2E583A6B15 for <netconf@core3.amsl.com>; Mon, 6 Oct 2008 12:40:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6+oZJDxazkWB for <netconf@core3.amsl.com>; Mon, 6 Oct 2008 12:40:46 -0700 (PDT)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by core3.amsl.com (Postfix) with ESMTP id 5BCBC28C135 for <netconf@ietf.org>; Mon, 6 Oct 2008 12:40:46 -0700 (PDT)
Received: from localhost (demetrius3.jacobs-university.de [212.201.44.48]) by hermes.jacobs-university.de (Postfix) with ESMTP id 30620C0027; Mon, 6 Oct 2008 21:41:01 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius3.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id iwoFn0OLWI4z; Mon, 6 Oct 2008 21:40:54 +0200 (CEST)
Received: from elstar.local (elstar.iuhb02.iu-bremen.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id D27D0C0021; Mon, 6 Oct 2008 21:40:53 +0200 (CEST)
Received: by elstar.local (Postfix, from userid 501) id D3D2D7E8311; Mon, 6 Oct 2008 21:40:54 +0200 (CEST)
Date: Mon, 06 Oct 2008 21:40:54 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Alan Luchuk <luchuk@snmp.com>
Message-ID: <20081006194054.GA1881@elstar.local>
Mail-Followup-To: Alan Luchuk <luchuk@snmp.com>, netconf@ietf.org
References: <200810061839.OAA11535@adminfs.snmp.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <200810061839.OAA11535@adminfs.snmp.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
Cc: netconf@ietf.org
Subject: Re: [Netconf] Questions about draft-ietf-netconf-tls-04.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: j.schoenwaelder@jacobs-university.de
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: netconf-bounces@ietf.org
Errors-To: netconf-bounces@ietf.org
On Mon, Oct 06, 2008 at 02:39:49PM -0400, Alan Luchuk wrote: > Hello, > > Regarding NETCONF over TLS, I have two questions. If these questions > have been answered already, would someone kindly point me to relevant > information? > > RFC 4742 (NETCONF over SSH, Section 3.1) specifies a "framing sequence" > to be inserted after each NETCONF message. Why is this framing sequence > not needed or specified for NETCONF over TLS? It would seem that in either > case, the transport layer (SSH or SSL) is simply a "data pipe", and that > if a framing sequence is needed for SSH, it would also be needed for TLS. > Making the framing sequence mandatory over SSH but not over TLS requires > two slightly different software implementations. See the last paragraph in section 2.1 for an answer. > Second, when implementing a NETCONF server over TLS, how is a user identity > derived for the purposes of data view access control? Although not specif- > ically mentioned in RFC 4742, I believe such a user identity can be obtained > from the process environment of the NETCONF server SSH subystem (on open > systems, at least), based upon the username specified during the launch of > the SSH client. NETCONF does not (yet?) have access control and hence the question can probably be postponed (I think all NETCONF transports are silent how a name for the authenticated client is derived for authorization purposes - although for some transports the answer might be pretty obvious). Using the local user identity does not make much sense to me; you want something that is linked to the authenticated identity of the NETCONF client, e.g. a name derived from a certificate. ISMS is facing similar questions, although SNMP over TLS/DTLS is not an ISMS work item so far (but there are IDs about these transports). /js -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany Fax: +49 421 200 3103 <http://www.jacobs-university.de/> _______________________________________________ Netconf mailing list Netconf@ietf.org https://www.ietf.org/mailman/listinfo/netconf
- [Netconf] Questions about draft-ietf-netconf-tls-… Alan Luchuk
- Re: [Netconf] Questions about draft-ietf-netconf-… Juergen Schoenwaelder