[Netconf] FW: Protocol Action: 'NETCONF Over Transport Layer Security (TLS)' to Proposed Standard
"Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com> Wed, 25 March 2009 16:44 UTC
Return-Path: <mehmet.ersue@nsn.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8C8AE3A6D57 for <netconf@core3.amsl.com>; Wed, 25 Mar 2009 09:44:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.574
X-Spam-Level:
X-Spam-Status: No, score=-3.574 tagged_above=-999 required=5 tests=[AWL=-0.975, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lyEi45KdY71B for <netconf@core3.amsl.com>; Wed, 25 Mar 2009 09:44:53 -0700 (PDT)
Received: from demumfd002.nsn-inter.net (demumfd002.nsn-inter.net [217.115.75.234]) by core3.amsl.com (Postfix) with ESMTP id 4041B3A6D54 for <netconf@ietf.org>; Wed, 25 Mar 2009 09:44:52 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd002.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id n2PGjhWu014536 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <netconf@ietf.org>; Wed, 25 Mar 2009 17:45:43 +0100
Received: from demuexc025.nsn-intra.net (demuexc025.nsn-intra.net [10.159.32.12]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id n2PGjh2d017937 for <netconf@ietf.org>; Wed, 25 Mar 2009 17:45:43 +0100
Received: from DEMUEXC005.nsn-intra.net ([10.150.128.17]) by demuexc025.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.3959); Wed, 25 Mar 2009 17:45:43 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 25 Mar 2009 17:45:38 +0100
Message-ID: <A294F5A3E722D94FBEB6D49C1506F6F7016346F0@DEMUEXC005.nsn-intra.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Protocol Action: 'NETCONF Over Transport Layer Security (TLS)' to Proposed Standard
Thread-Index: AcmtYrOwKmiY+/lhT9qrpBxhPt7WBgABfFmg
From: "Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com>
To: Netconf <netconf@ietf.org>
X-OriginalArrivalTime: 25 Mar 2009 16:45:43.0450 (UTC) FILETIME=[23703FA0:01C9AD69]
Subject: [Netconf] FW: Protocol Action: 'NETCONF Over Transport Layer Security (TLS)' to Proposed Standard
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2009 16:44:54 -0000
Thank you to the editor and all who contributed to this work for completing this milestone. Cheers, Mehmet -----Original Message----- From: ext The IESG [mailto:iesg-secretary@ietf.org] Sent: Wednesday, March 25, 2009 4:59 PM To: IETF-Announce Cc: Internet Architecture Board; RFC Editor; netconf mailing list; netconf chair Subject: Protocol Action: 'NETCONF Over Transport Layer Security (TLS)' to Proposed Standard The IESG has approved the following document: - 'NETCONF Over Transport Layer Security (TLS) ' <draft-ietf-netconf-tls-07.txt> as a Proposed Standard This document is the product of the Network Configuration Working Group. The IESG contact persons are Dan Romascanu and Ron Bonica. A URL of this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-netconf-tls-07.txt Technical Summary The Network Configuration Protocol (NETCONF) provides mechanisms to install, manipulate, and delete the configuration of network devices. This document describes how to use the Transport Layer Security (TLS) protocol to provide a secure connection for the transport of NETCONF messages. The mechanisms defined in this document include the support for certificate-based mutual authentication and key derivation, utilizing the protected ciphersuite negotiation, mutual authentication and key management capabilities of the TLS (Transport Layer Security) protocol. Working Group Summary Many WG member were thinking that password-based authentication is already handled well enough by the existing NETCONF transports (SSH and BEEP), and the NETCONF-over- TLS specification does not need to handle passwords. It has been recommended to scope the document to certificate- based authentication. There was also some controversy on the use of pre-shared keys (PSKs) derived from passwords. Based on this dicussion the Working Group decided to remove the text related to PSK based- authentication. See http://www.ietf.org/mail-archive/web/netconf/current/msg03856.html There was some controversal discussion about the Connection Closure. The consensus was that the document adopts the closure mechanism from draft-ietf-syslog-transport-tls-, Section 4.4. There was also some controversy about the use of a dedicated port of NETCONF over TLS. The consensus was that a dedicated port should be requested. The summary of the last changes can be found in: http://www.ietf.org/mail-archive/web/netconf/current/msg03873.html http://www.ietf.org/mail-archive/web/netconf/current/msg03882.html There were many WG members who did not strongly support or object to the document. Nobody objected to the document during or after the WGLC. The level of review in the WG was adequate , with several independent reviews by WG members. There is WG consensus to publish the document. Document Quality No vendors have announced that they will utilize this protocol. Two implementations with independent code-base and initiated by the document author are available as open source. The author ensures that the two implementations have been tested as interoperable. Personnel The document was reviewed by Eric Rescorla, Juergen Schoenwaelder, David Harrington, the WG security advisor Charlie Kaufman, and the security ADs Pasi Eronen and Tim Polk. Mehmet Ersue is the document shepherd, and Dan Romascanu the shepherding AD. RFC Editor Note Please make the following changes to draft-07: 1. In Section 2.1: OLD: Implementation of the protocol specified in this document MAY implement any TLS cipher suite that provides certificate-based mutual authentication [RFC5246]. NEW: Implementation of the protocol specified in this document MAY implement any TLS cipher suite that provides certificate-based mutual authentication [RFC5246]. The server MUST support certificate-based client authentication. 2. In Section 3.2 OLD: The server may have no external knowledge on client's identity and identity checks might not be possible (unless the client has a certificate chain rooted in an appropriate CA). If a server has knowledge on client's identity (typically from some source external to NETCONF or TLS) it MUST check the identity as described above. NEW: The server MUST verify the identity of the client with certificate-based authentication and according to local policy to ensure that the incoming client request is legitimate before any configuration or state data is sent to or received from the client. 3. In Section 4: OLD: This document in its current version does not support third party authentication due to the fact that TLS does not specify this way of authentication and that NETCONF depends on the transport protocol for the authentication service. If third party authentication is needed, BEEP or SSH transport can be used. NEW: This document in its current version does not support third party authentication (e.g., backend AAA servers) due to the fact that TLS does not specify this way of authentication and that NETCONF depends on the transport protocol for the authentication service. If third party authentication is needed, BEEP or SSH transport can be used. 4. Please create an Informative References section and move RFC4642 and RFC5277 from the Normative References section to this new section.
- [Netconf] Protocol Action: 'NETCONF Over Transpor… The IESG
- [Netconf] FW: Protocol Action: 'NETCONF Over Tran… Ersue, Mehmet (NSN - DE/Munich)