A couple comments:

1) drilling down on the mandatory-to-implement NC/RC protocols
   is somewhat missing the point.  The important bit is that
   *all* protocols transporting YANG-modeled data *only* have
   secure transport layers.  More specifically, YANG-modeled
   data may be transported over other protocols (e.g., CoAP),
   and also one of the protocols have an insecure transport
   protocol (e.g., it doesn't much help to talk about HTTPS
   being mandatory-to-implement if RESTCONF allowed HTTP).

2) just stating that there are secure transport layers still
   isn’t sufficient, as these protocols must also require
   mutual authentication in order to be secure, and for 
   statements regarding NACM to make sense.  The text I posted
   before had a statement like this in it.  

I'm beginning to become a fan of the idea of defining a generic
"Requirements for Protocols Transporting YANG-modeled Data"
document - that would not only discuss security aspects, but
also generic protocol operations, that documents like NC, RC,
CoAP, etc. can point to...and even YANG (RFC 7950), rather than
pointing directly at NETCONF as it does today...

Kent // contributor


On 3/16/2017 8:56 AM, Juergen Schoenwaelder wrote:
> On Thu, Mar 16, 2017 at 08:37:39AM +0100, Benoit Claise wrote:
>> Latest proposal:
>>
>>      The YANG module defined in this document is designed to be accessed
>>      via network management protocols such as NETCONF [RFC6241] or
>>      RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport
>>      layer, and mandatory-to-implement secure transport is Secure Shell
>>      (SSH) [RFC6242], while the lowest RESTCONF layer is HTTP, and the
>>      mandatory-to-implement secure transport is Transport Layer Security
>>      (TLS) [RFC5246].
> Picking wording from Section 12 of RFC 8040 to replace your second
> sentence I get this:
>
>      The YANG module defined in this document is designed to be
>      accessed via network management protocols such as NETCONF
>      [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the
>      secure transport layer, and the mandatory-to-implement secure
>      transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF
>      layer is HTTPS, and the mandatory-to-implement secure transport is
>      TLS [RFC5246].
>
>      The NETCONF access control model [RFC6536] provides the means to
>      restrict access for particular NETCONF or RESTCONF users to a
>      pre-configured subset of all available NETCONF or RESTCONF
>      protocol operations and content.
Yes, thank you.

Regards, B.
>
> /js
>



_______________________________________________
netmod mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/netmod
