Kent Watsen <[email protected]> writes: > A couple comments: > > 1) drilling down on the mandatory-to-implement NC/RC protocols > is somewhat missing the point. The important bit is that > *all* protocols transporting YANG-modeled data *only* have > secure transport layers. More specifically, YANG-modeledq > data may be transported over other protocols (e.g., coap), > and also one of the protocols have an insecure transport > protocol (e.g., it doesn't much help to talk about HTTPS > being mandatory-to-implement if RESTCONF allowed HTTP).
I agree, and it will become even more relevant if we make YANG protocol-independent. In fact, data models may be useful even without any network transport involved, e.g. for a local CLI implementation. > > 2) just stating that there are secure transport layers still > isn’t sufficient, as these protocols must also require > mutual authentication in order to be secure, and for > statements regarding NACM to make sense. The text I posted > before had a statement like this in it. Right, security considerations attached to data models should deal with security aspects of the static data (which items are security-sensitive etc.) and not with transport security. Lada > > I'm beginning to become a fan of the idea of defining a generic > "Requirements for Protocols Transporting YANG-modeled Data" > document - that would not only discuss security aspects, but > also generic protocol operations, that documents like NC, RC, > CoAP, etc. can point to...and even YANG (RFC 7950), rather than > pointing directly at NETCONF as it does today... > > Kent // contributor > > > On 3/16/2017 8:56 AM, Juergen Schoenwaelder wrote: >> On Thu, Mar 16, 2017 at 08:37:39AM +0100, Benoit Claise wrote: >>> Latest proposal: >>> >>> The YANG module defined in this document is designed to be accessed >>> via network management protocols such as NETCONF [RFC6241] or >>> RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport >>> layer, >>> and mandatory-to-implement secure transport is Secure Shell (SSH) >>> [RFC6242], >>> while the lowest RESTCONF layer is HTTP, and the mandatory-to-implement >>> secure >>> transport is Transport Layer Security (TLS) [RFC5246]. >> Picking wording from Section 12 of RFC 8040 to replace your second >> sentence I get this: >> >> The YANG module defined in this document is designed to be >> accessed via network management protocols such as NETCONF >> [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the >> secure transport layer, and the mandatory-to-implement secure >> transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF >> layer is HTTPS, and the mandatory-to-implement secure transport is >> TLS [RFC5246]. >> >> The NETCONF access control model [RFC6536] provides the means to >> restrict access for particular NETCONF or RESTCONF users to a >> pre-configured subset of all available NETCONF or RESTCONF >> protocol operations and content. > Yes, thank you. > > Regards, B. >> >> /js >> > > > > _______________________________________________ > netmod mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/netmod -- Ladislav Lhotka, CZ.NIC Labs PGP Key ID: 0xB8F92B08A9F76C67 _______________________________________________ netmod mailing list [email protected] https://www.ietf.org/mailman/listinfo/netmod
