Juergen,

On Thu, Mar 16, 2017 at 9:51 AM, Juergen Schoenwaelder <[email protected]> wrote:

> On Thu, Mar 16, 2017 at 12:48:34PM +0000, Kent Watsen wrote:
> >
> > A couple comments:
> >
> > 1) drilling down on the mandatory-to-implement NC/RC protocols
> >    is somewhat missing the point.  The important bit is that
> >    *all* protocols transporting YANG-modeled data *only* have
> >    secure transport layers.  More specifically, YANG-modeled
> >    data may be transported over other protocols (e.g., coap),
> >    and also one of the protocols have an insecure transport
> >    protocol (e.g., it doesn't much help to talk about HTTPS
> >    being mandatory-to-implement if RESTCONF allowed HTTP).
>
> RESTCONF says MUST use TLS. Making an open ended statement about
> security properties of unknown protocols sounds risky.
>
> > 2) just stating that there are secure transport layers still
> >    isn’t sufficient, as these protocols must also require
> >    mutual authentication in order to be secure, and for
> >    statements regarding NACM to make sense.  The text I posted
> >    before had a statement like this in it.
> >
> > I'm beginning to become a fan of the idea of defining a generic
> > "Requirements for Protocols Transporting YANG-modeled Data"
> > document - that would not only discuss security aspects, but
> > also generic protocol operations, that documents like NC, RC,
> > CoAP, etc. can point to...and even YANG (RFC 7950), rather than
> > pointing directly at NETCONF as it does today...
>
> Keep in mind that I2RS believes in a requirement for cleartext
> transport protocols. Perhaps this never makes it through the IESG but
> so far it was not possible to stop this...
>

This is solely for notifications that can be sent, just as IPFIX
information may be sent unencrypted.  Those requirements are in
draft-ietf-i2rs-protocol-security-requirements-17
<https://datatracker.ietf.org/doc/draft-ietf-i2rs-protocol-security-requirements/>,
which is in the RFC Editor queue.

Regards,
Alia


> /js
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
>
> _______________________________________________
> netmod mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/netmod
>