And depending on the security setup and needs, IPSEC or SSL(TLS) may also be
included (at the proper place).
...
In this case, the SSH can be used as an additional security mechanism.
While I hope you are correct, I think the above is an optimistic reading of what will get past the Security ADs/Security Directorate. For example, I would not be surprised if they perceived a need for a mechanism to sign the configuration data (and verify the signature). Ran -- to unsubscribe send a message to xmlconf-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/xmlconf/>