
Re: NETCONF Port Decision




One of the original concerns with NETCONF/SOAP/HTTP and
NETCONF/SOAP/HTTPS was that the traffic might default to port 80
and 443, thereby making it extremely difficult for a firewall to
distinguish between device management (NETCONF) and other less
sensitive uses of HTTP and HTTPS.  The same concern applies to
using a generic assigned port for SOAP over HTTP (and SOAP over BEEP)
as this makes it difficult for a firewall to distinguish between
NETCONF traffic and SOAP traffic belonging to other applications.

An assigned port for NETCONF over SOAP over HTTPS answers
the first part of this concern.

NETCONF over SOAP over HTTP (not HTTPS) is an insecure configuration
and is therefore not reasonably given special status for firewalls
(why open your firewall for an insecure protocol?).  Hence an
assigned port is not required for this case.

NETCONF over SOAP over BEEP can make use of TLS upgrade, hence
NETCONF over SOAP over BEEP requires only one assigned port.

This leaves us with one port for NETCONF over SOAP over HTTPS and
one port for NETCONF over SOAP over BEEP, exactly as requested.

Ted.

On 20-Mar-06, at 10:06 AM, Andy Bierman wrote:

Hi,

The WG met this morning and discussed the port assignments for the
protocol. The clear consensus in the room was that the WG should ask
for well known ports instead of registered ports.

If anyone wishes to strongly object to this decision,
then please send an email to the WG mailing list by 12:00AM EST 3/22/06
demonstrating a "fatal flaw" in this decision.  (E.g., why assigning
a well-known port instead of a registered port will harm the Internet).

The WG will ask for 4 ports:
  - NETCONF over SSH
  - NETCONF over BEEP
  - NETCONF over SOAP over BEEP
  - NETCONF over SOAP over HTTPS


Andy


--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>


