I just have a general comment: I'm happy with the direction and objective of the new text. It looks like you are down to editorial nits and I'll stay out of that now that secure transport for RESTCONF is covered in the considerations.
Thank you for the updated boilerplate!

Kathleen

On Thu, Mar 16, 2017 at 9:22 AM, Kent Watsen <[email protected]> wrote:

> typo:
>
> new: one of the protocols *may* have an insecure protocol
>
> K.
>
> -----ORIGINAL MESSAGE-----
>
> A couple comments:
>
> 1) drilling down on the mandatory-to-implement NC/RC protocols
>    is somewhat missing the point. The important bit is that
>    *all* protocols transporting YANG-modeled data *only* have
>    secure transport layers. More specifically, YANG-modeled
>    data may be transported over other protocols (e.g., coap),
>    and also one of the protocols have an insecure transport
>    protocol (e.g., it doesn't much help to talk about HTTPS
>    being mandatory-to-implement if RESTCONF allowed HTTP).
>
> 2) just stating that there are secure transport layers still
>    isn't sufficient, as these protocols must also require
>    mutual authentication in order to be secure, and for
>    statements regarding NACM to make sense. The text I posted
>    before had a statement like this in it.
>
> I'm beginning to become a fan of the idea of defining a generic
> "Requirements for Protocols Transporting YANG-modeled Data"
> document - that would not only discuss security aspects, but
> also generic protocol operations, that documents like NC, RC,
> CoAP, etc. can point to...and even YANG (RFC 7950), rather than
> pointing directly at NETCONF as it does today...
>
> Kent // contributor
>
>
> On 3/16/2017 8:56 AM, Juergen Schoenwaelder wrote:
>> On Thu, Mar 16, 2017 at 08:37:39AM +0100, Benoit Claise wrote:
>>> Latest proposal:
>>>
>>> The YANG module defined in this document is designed to be accessed
>>> via network management protocols such as NETCONF [RFC6241] or
>>> RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport
>>> layer, and mandatory-to-implement secure transport is Secure Shell
>>> (SSH) [RFC6242], while the lowest RESTCONF layer is HTTP, and the
>>> mandatory-to-implement secure transport is Transport Layer Security
>>> (TLS) [RFC5246].
>> Picking wording from Section 12 of RFC 8040 to replace your second
>> sentence I get this:
>>
>> The YANG module defined in this document is designed to be
>> accessed via network management protocols such as NETCONF
>> [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the
>> secure transport layer, and the mandatory-to-implement secure
>> transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF
>> layer is HTTPS, and the mandatory-to-implement secure transport is
>> TLS [RFC5246].
>>
>> The NETCONF access control model [RFC6536] provides the means to
>> restrict access for particular NETCONF or RESTCONF users to a
>> pre-configured subset of all available NETCONF or RESTCONF
>> protocol operations and content.
> Yes, thank you.
>
> Regards, B.
>>
>> /js
>>
>
> _______________________________________________
> netmod mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/netmod

--

Best regards,
Kathleen
