Juergen,

On Thu, Mar 16, 2017 at 9:51 AM, Juergen Schoenwaelder <[email protected]> wrote:

> On Thu, Mar 16, 2017 at 12:48:34PM +0000, Kent Watsen wrote:
> >
> > A couple comments:
> >
> > 1) drilling down on the mandatory-to-implement NC/RC protocols
> >    is somewhat missing the point. The important bit is that
> >    *all* protocols transporting YANG-modeled data *only* have
> >    secure transport layers. More specifically, YANG-modeled
> >    data may be transported over other protocols (e.g., coap),
> >    and also one of the protocols have an insecure transport
> >    protocol (e.g., it doesn't much help to talk about HTTPS
> >    being mandatory-to-implement if RESTCONF allowed HTTP).
>
> RESTCONF says MUST use TLS. Making an open ended statement about
> security properties of unknown protocols sounds risky.
>
> > 2) just stating that there are secure transport layers still
> >    isn’t sufficient, as these protocols must also require
> >    mutual authentication in order to be secure, and for
> >    statements regarding NACM to make sense. The text I posted
> >    before had a statement like this in it.
> >
> > I'm beginning to become a fan of the idea of defining a generic
> > "Requirements for Protocols Transporting YANG-modeled Data"
> > document - that would not only discuss security aspects, but
> > also generic protocol operations, that documents like NC, RC,
> > CoAP, etc. can point to...and even YANG (RFC 7950), rather than
> > pointing directly at NETCONF as it does today...
>
> Keep in mind that I2RS believes in a requirement for cleartext
> transport protocols. Perhaps this never makes it through the IESG but
> so far it was not possible to stop this...
>

This is solely for notifications that can be sent, just as IPFIX information may be sent unencrypted. Those requirements are in draft-ietf-i2rs-protocol-security-requirements-17 <https://datatracker.ietf.org/doc/draft-ietf-i2rs-protocol-security-requirements/>, which is in the RFC Editor queue.

Regards,
Alia

> /js
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
>
> _______________________________________________
> netmod mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/netmod
>
