
Some strange text in our charter - do we have consensus?



[explicitly bcc:-ed Bill Fenner. I am not sure if he is still on the
 mailing list; Bill, can you let me know?]

The current WG charter has this text:

 - The Bill Fenner problem: Address real or perceived issue that "giving
   SSH for NETCONF gives full SSH access to the box"

It is listed as a non-goal/non-work-item of the current charter.
So we can just leave it as is.

On the other hand, at the IETF69 meeting we did not have a lot of
"operator" feedback on this.

Discussing it with one of the previous WG chairs (Simon),
we got this explanation from Simon:

> 
> This seems to come from a discussion at the NEE bof at IETF 69
> (http://www3.ietf.org/proceedings/07jul/minutes/nee.txt):
> 
>     [...]
>     Bill Fenner: possible gap, about authentication and authorization.
>     Operators are fine with SNMP read access, but ssh access for
>     NETCONF?  Not sure. Perception is that NETCONF ssh access gives
>     full access to the box.
>   
>     Sharon Chisholm: Exactly what is this perception?
>   
>     Bert Wijnen: Completely in conflict with NETCONF requirements!
>   
>     Bill Fenner: Different operators have different concerns...
>   
>     David Partain: what should the WG do?
>   
>     Bill Fenner: TLS would help.  Thinks we may need an authentication
>     mechanism just for NETCONF.  SSH sounds like you can login to the
>     device which is scary.
>     [...]
> 
> Maybe Bill thought (or "thought that operators would think", since
> this is about perception) that NETCONF-over-SSH was linked with a
> normal SSH server providing access to the full CLI.  That is not the
> intent: NETCONF over SSH is specified to be served on a separate TCP
> port by default, and as a special SSH subsystem called "netconf".
> 
> Well, the operators I know all permit SSH (or even TELNET) access to
> their boxes for configuration, so why wouldn't they permit
> NETCONF-over-SSH? Anyway.  So that's why we're doing TLS!
> 
> Best regards,
> -- 
> Simon.
> 

It would be good if NetConf participants (specifically operators) could
chime in on what they think about this "perceived problem".

Bert
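Simon's point that NETCONF over SSH is served as its own subsystem on its own port can also be enforced on the server side, which is what addresses the "full access to the box" perception in practice. The sshd_config fragment below is an added example for OpenSSH, not text from this thread or any vendor's configuration; the dedicated sshd instance, the group name "netconf" and the subsystem binary path are assumptions.

```text
# Added example: sshd_config for a dedicated NETCONF listener.
# Assumed: a separate sshd instance reads this file, the NETCONF agent
# is at /usr/libexec/netconf-subsystem (placeholder path), and NETCONF
# clients authenticate as members of the "netconf" group.

# IANA-assigned port for NETCONF over SSH; the CLI sshd stays on 22.
Port 830
PermitRootLogin no
# Key-based authentication only for automation accounts.
PasswordAuthentication no
PubkeyAuthentication yes

# Register the "netconf" subsystem that clients request by name.
Subsystem netconf /usr/libexec/netconf-subsystem

# Nobody outside the automation group may use this listener at all.
AllowGroups netconf

Match Group netconf
    # Whatever the client asks for (shell, exec or subsystem), run the
    # NETCONF agent instead, so no CLI shell is reachable on this port.
    ForceCommand /usr/libexec/netconf-subsystem
    PermitTTY no
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Check the file with `sshd -t -f <file>` before deploying, and use `sshd -T -f <file> -C user=<name>` to print the effective settings the Match block yields for a given account.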


archive: <http://ops.ietf.org/lists/netconf/>