[explicitly bcc:-ed Bill Fenner. I am not sure if he is still on the
mailing list. Bill, can you let me know?]
The current WG charter has this text:
- The Bill Fenner problem: Address real or perceived issue that "giving
SSH for NETCONF gives full SSH access to the box"
It is listed as a non-goal/non-work-item of the current charter.
So we can just leave it as is.
On the other hand, at the IETF69 meeting we did not have a lot of
"operator" feedback on this.
Discussing it with one of the previous WG chairs (Simon),
we got this explanation from Simon:
This seems to come from a discussion at the NEE BoF at IETF 69
(http://www3.ietf.org/proceedings/07jul/minutes/nee.txt):
[...]
Bill Fenner: possible gap, about authentication and authorization.
Operators are fine with SNMP read access, but ssh access for
NETCONF? Not sure. Perception is that NETCONF ssh access gives
full access to the box.
Sharon Chisholm: Exactly what is this perception?
Bert Wijnen: Completely in conflict with NETCONF requirements!
Bill Fenner: Different operators have different concerns...
David Partain: what should the WG do?
Bill Fenner: TLS would help. Thinks we may need an authentication
mechanism just for NETCONF. SSH sounds like you can login to the
device which is scary.
[...]
Maybe Bill thought (or "thought that operators would think", since
this is about perception) that NETCONF-over-SSH was linked with a
normal SSH server providing access to the full CLI. That is not the
intent: NETCONF over SSH is specified to be served on a separate TCP
port by default, and as a special SSH subsystem called "netconf".
Well, the operators I know all permit SSH (or even TELNET) access to
their boxes for configuration, so why wouldn't they permit
NETCONF-over-SSH? Anyway. So that's why we're doing TLS!
Best regards,
--
Simon.
It would be good if NetConf participants (specifically operators) could
chime in with what they think about this "perceived problem".
Bert
--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>
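The point Simon makes above, that NETCONF over SSH is a separate subsystem on its own port and need not hand out the CLI, is something an operator can actually enforce and audit in the SSH server. The following is an added example written for this archive page, not code from the thread, the WG or any NETCONF implementation. It assumes an OpenSSH-style sshd_config, the default NETCONF port 830 and subsystem name "netconf" from RFC 4742, a hypothetical subsystem binary /usr/sbin/netconf-subsystem, and a hypothetical user naming scheme "netconf-*" for the NETCONF principals. It parses two constructed configs, one where the netconf subsystem was simply bolted onto the general-purpose sshd, and one where the NETCONF users are confined to that subsystem, and reports which of the two satisfies the policy.

```python
"""Audit an sshd_config for a "NETCONF-only" SSH policy.

Added example for the netconf list archive, not code from the thread.
Assumptions: OpenSSH directives (Port, Subsystem, Match, ForceCommand,
PermitTTY, AllowTcpForwarding), the RFC 4742 defaults (port 830, subsystem
name "netconf"), a hypothetical subsystem binary and user naming scheme.
"""

NETCONF_PORT = 830  # default port for NETCONF over SSH (RFC 4742)

# Constructed sample 1: the "scary" setup. The netconf subsystem is added
# to the general-purpose sshd, so a NETCONF principal can also ask for a
# shell, a TTY, or port forwarding and get them.
SHARED_SSHD = """\
Port 22
Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem netconf /usr/sbin/netconf-subsystem
"""

# Constructed sample 2: NETCONF listens on its own port and the NETCONF
# principals (hypothetical "netconf-*" users) are forced into the subsystem
# with no TTY and no forwarding, whatever channel they request.
RESTRICTED_SSHD = """\
Port 22
Port 830
Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem netconf /usr/sbin/netconf-subsystem
Match User netconf-* LocalPort 830
    ForceCommand /usr/sbin/netconf-subsystem
    PermitTTY no
    AllowTcpForwarding no
    X11Forwarding no
"""


def parse_sshd_config(text):
    """Return (global_opts, match_blocks).

    global_opts is a list of (keyword, value) with keywords lower-cased;
    match_blocks is a list of (criteria, [(keyword, value), ...]), one per
    Match line, holding the options that follow it. Repeated keywords
    (several Port lines, for instance) are kept in order.
    """
    global_opts, blocks = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = (value, [])
            blocks.append(current)
        elif current is None:
            global_opts.append((keyword, value))
        else:
            current[1].append((keyword, value))
    return global_opts, blocks


def _values(opts, keyword):
    """All values given for keyword, in file order."""
    return [v for k, v in opts if k == keyword]


def audit_netconf_policy(text):
    """Check whether NETCONF principals are confined to the netconf subsystem.

    Returns a dict with one boolean per check plus an overall "ok" flag.
    """
    global_opts, blocks = parse_sshd_config(text)
    findings = {}

    # 1. A netconf subsystem must be defined; remember its command line so
    #    the ForceCommand check below can compare against it.
    netconf_cmd = None
    for v in _values(global_opts, "subsystem"):
        name, _, cmd = v.partition(" ")
        if name == "netconf":
            netconf_cmd = cmd.strip()
    findings["netconf_subsystem"] = netconf_cmd is not None

    # 2. NETCONF should have its own listening port so it can be filtered
    #    and monitored separately from interactive SSH.
    ports = [int(p) for p in _values(global_opts, "port") if p.isdigit()]
    findings["dedicated_port"] = NETCONF_PORT in ports

    # 3. Some Match block keyed on User or Group must force the netconf
    #    subsystem and deny the channels that would hand over the box.
    confined = False
    for criteria, opts in blocks:
        crit = criteria.lower().split()
        if "user" not in crit and "group" not in crit:
            continue
        forced = _values(opts, "forcecommand")
        if netconf_cmd and forced and forced[-1] == netconf_cmd:
            no_tty = _values(opts, "permittty")[-1:] == ["no"]
            no_fwd = _values(opts, "allowtcpforwarding")[-1:] == ["no"]
            if no_tty and no_fwd:
                confined = True
    findings["principals_confined"] = confined

    findings["ok"] = all(findings.values())
    return findings


if __name__ == "__main__":
    for label, cfg in (("shared sshd", SHARED_SSHD), ("restricted sshd", RESTRICTED_SSHD)):
        print(label, audit_netconf_policy(cfg))
```

In OpenSSH the ForceCommand in a Match block replaces whatever the client asked for, whether a shell, an exec request or a subsystem, so a "netconf-*" user who requests the netconf subsystem still gets the subsystem binary and a user who requests a shell gets the same binary instead of a CLI. The audit is deliberately narrow: it says nothing about the ordinary administrators, who keep their shells on port 22 exactly as Simon notes operators already allow, and it simplifies sshd's first-match option semantics, so treat it as a policy check rather than a full sshd_config parser.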