On Thu, Mar 16, 2017 at 12:48:34PM +0000, Kent Watsen wrote:
>
> A couple comments:
>
> 1) drilling down on the mandatory-to-implement NC/RC protocols
>    is somewhat missing the point. The important bit is that
>    *all* protocols transporting YANG-modeled data *only* have
>    secure transport layers. More specifically, YANG-modeled
>    data may be transported over other protocols (e.g., coap),
>    and also one of the protocols have an insecure transport
>    protocol (e.g., it doesn't much help to talk about HTTPS
>    being mandatory-to-implement if RESTCONF allowed HTTP).

RESTCONF says MUST use TLS. Making an open ended statement about
security properties of unknown protocols sounds risky.

> 2) just stating that there are secure transport layers still
>    isn’t sufficient, as these protocols must also require
>    mutual authentication in order to be secure, and for
>    statements regarding NACM to make sense. The text I posted
>    before had a statement like this in it.
>
> I'm beginning to become a fan of the idea of defining a generic
> "Requirements for Protocols Transporting YANG-modeled Data"
> document - that would not only discuss security aspects, but
> also generic protocol operations, that documents like NC, RC,
> CoAP, etc. can point to...and even YANG (RFC 7950), rather than
> pointing directly at NETCONF as it does today...

Keep in mind that I2RS believes in a requirement for cleartext
transport protocols. Perhaps this never makes it through the IESG but
so far it was not possible to stop this...

/js

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
