[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Thoughts on NetConf Requirements

To: Juergen Schoenwaelder <schoenw@ibr.cs.tu-bs.de>
Subject: Re: Thoughts on NetConf Requirements
From: Eliot Lear <lear@cisco.com>
Date: Wed, 04 Jun 2003 11:20:00 -0700
Cc: netconf@ops.ietf.org
In-reply-to: <200306041808.h54I8EnY019214@hansa.ibr.cs.tu-bs.de>
References: <5.2.0.9.2.20030603140800.037e66e0@127.0.0.1> <200306032211.h53MBbwe024060@hansa.ibr.cs.tu-bs.de> <3EDD2751.4010508@cisco.com> <200306040658.h546wLgc029970@hansa.ibr.cs.tu-bs.de> <3EDE0D76.3040503@cisco.com> <200306041808.h54I8EnY019214@hansa.ibr.cs.tu-bs.de>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030529

Juergen Schoenwaelder wrote:

A channel exists on top of a connection and so why does the concept of
a channel make it easier to establish connections?

Because it abstracts away who connects. If a device is behind a firewall, it can connect to the manager. If the manager is behind a firewall, it can connect to the device. Similarly so for NATs. Once the connection is made, either side can initiate an appropriate profile. So, just because I've connected to you doesn't mean that I'm the manager.

I agree that authentication has to be tied into radius or something
similar. So how does BEEP help here?

It uses SASL which can be tied in on the back end to just about anything.

My understanding so far was that operators script the CLI and do not
use HTTP or other mechanisms (unless the CLI is so hard to script with
ugly menus and such things that they do not have a choice).

And that's not going away. If they want to keep doing it they can, but the things SASL provides are just those sorts of things that the operators need protection against. One of the most fragile parts of these home made scripts is the authentication component. Why? For whatever reason its behavior varies in CLIs from time to time. Part of it has to do with just getting to and beyond the password, where someone has changed the banner or motd to something that catches an expect script.

Eliot

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>

References:
- Re: Thoughts on NetConf Requirements
  - From: "David T. Perkins" <dperkins@dsperkins.com>
- Re: Thoughts on NetConf Requirements
  - From: Juergen Schoenwaelder <schoenw@ibr.cs.tu-bs.de>
- Re: Thoughts on NetConf Requirements
  - From: Eliot Lear <lear@cisco.com>
- Re: Thoughts on NetConf Requirements
  - From: Juergen Schoenwaelder <schoenw@ibr.cs.tu-bs.de>
- Re: Thoughts on NetConf Requirements
  - From: Eliot Lear <lear@cisco.com>
- Re: Thoughts on NetConf Requirements
  - From: Juergen Schoenwaelder <schoenw@ibr.cs.tu-bs.de>

Prev by Date: Re: Thoughts on NetConf Requirements
Next by Date: Re: Thoughts on NetConf Requirements
Previous by thread: Re: Thoughts on NetConf Requirements
Next by thread: Re: Thoughts on NetConf Requirements
Index(es):
- Date
- Thread