FW: Last Call: 'NETCONF Configuration Protocol' to Proposed Standard
- To: "Netconf (E-mail)" <netconf@ops.ietf.org>
- Subject: FW: Last Call: 'NETCONF Configuration Protocol' to Proposed Standard
- From: "Wijnen, Bert (Bert)" <bwijnen@lucent.com>
- Date: Wed, 14 Dec 2005 01:50:31 +0100
FYI
-----Original Message-----
From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org]On Behalf Of
Pekka Savola
Sent: Friday, December 09, 2005 07:56
To: Sam Hartman
Cc: iesg@ietf.org; ietf@ietf.org
Subject: Re: Last Call: 'NETCONF Configuration Protocol' to Proposed Standard
Hi,
On Thu, 8 Dec 2005, Sam Hartman wrote:
> Netconf currently recommends that netconf over ssh be run over a
> different port than the normal ssh port.
>
> That seems like a fine idea. I think there are cases where you might
> want to allow access to netconf but not allow access to the CLI
> through the normal ssh port.
>
> However I think in many cases it would not be a security problem if
> the netconf subsystem were available over the normal ssh port. In
> many applications the same privileges will be granted to users over
> the CLI as to the same users over netconf. In many cases the
> functionality available through netconf will also be available through
> the CLI.
As an operator, I agree. Especially in smaller networks (say, less
than 50 routers), the set of hosts where you can log in to the routers
and the set of hosts from which network management (other than
read-only SNMP) is expected to occur are similarly trusted.
With the expectation that more fine-grained control (rather than just
IP address/port filtering) of SSH vs NETCONF access can be made as
part of the router's configuration, having a separate port is not needed,
but it doesn't do much harm either.
However, I see that there may be different kinds of networks where
being able to separate SSH and NETCONF access permissions at the
IP/port filtering level may be desirable.
--
Pekka Savola                   "You each name yourselves king, yet the
Netcore Oy                      kingdom bleeds."
Systems. Networks. Security.    -- George R.R. Martin: A Clash of Kings
--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>
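The two arrangements Sam and Pekka compare (NETCONF reachable on the normal SSH port, versus a separate port that can be filtered by address and port) can be shown in an OpenSSH server configuration. The fragment below is a constructed example added to this archive page; it is not from the thread, the NETCONF drafts, or any router vendor. It assumes an OpenSSH sshd, a NETCONF subsystem program at the hypothetical path /usr/libexec/netconf-subsystem, a Unix group named netadmin for management operators, and that TCP port 830 (the IANA-assigned netconf-ssh port) is used as the separate port.

```conf
# Constructed sshd_config fragment (example only; paths and group name are
# assumptions, not from the thread or any product).

# Listen on the normal SSH port and on the separate NETCONF port.
Port 22
Port 830

# Registering NETCONF as an SSH subsystem makes it reachable on every
# listening port. On its own this is the "same port" case: a user who can
# reach the CLI on 22 can also request the netconf subsystem there, which
# is acceptable when CLI and NETCONF users are the same trusted set.
Subsystem netconf /usr/libexec/netconf-subsystem

# Separate-port case. Every session arriving on 830 is forced into the
# NETCONF subsystem, so the CLI is not reachable through this port even for
# a user who has shell access on 22. Only members of the operator group are
# accepted, and interactive/forwarding features are switched off because
# NETCONF needs none of them.
Match LocalPort 830
    ForceCommand /usr/libexec/netconf-subsystem
    AllowGroups netadmin
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no

# The source-address restriction Pekka calls "IP address/port filtering" is
# left to the packet filter or router ACL in front of sshd: with NETCONF on
# its own port, a rule such as "allow tcp/830 only from the management
# prefix" is possible independently of who may reach tcp/22.
```

Note that a Match block applies only to connections that satisfy all of its criteria; restricting the 830 block with an Address criterion would leave connections from other addresses on port 830 un-forced and therefore able to reach the CLI, which is why the address filtering is kept outside sshd here.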