Presentation is loading. Please wait.

Presentation is loading. Please wait.

RFC 5539 Update Status draft-badra-netconf-rfc5539bis-00

Published byPia Ask Modified over 5 years ago

Similar presentations

Presentation on theme: "RFC 5539 Update Status draft-badra-netconf-rfc5539bis-00"— Presentation transcript:

1 RFC 5539 Update Status draft-badra-netconf-rfc5539bis-00
Mohamad Badra ETF 82, Taipei, Taiwan

2 Goals of RFC5539bis Update RFC 4742 based on:
How to generate a NETCONF username and how does the document fulfill the requirements in 6241 for the format of the username? How does the NETCONF transport handle the following two scenarios: both peers advertise :base:1.1 capability none or only one peer advertises :base:1.1 capability. What are the security considerations for using the EOM frame for the <hello> message or using it if one of the peers does not support :base:1.1? How to fix the EoM issues

3 Client/Server, Agent/Manager
Suggestion for global terminology changes Drop client/server, manager/agent terminology Instead, refer to the TLS client, the TLS server, the NETCONF client and the NETCONF server throughout

4 NETCONF username generation: certificate case
The document defines the ietf-netconf-tls-username YANG module defines objects for remotely configuring the mapping of TLS certificates to NETCONF usernames.

5 NETCONF username generation: certificate case
For each enumerated value listed above, the NETCONF server derives the NETCONF from the presented client certificate leaf map-type { type enumeration { enum specified { value 1; } enum rfc822Name { value 2; } enum dnsName { value 3; } enum ipAddress { value 4; } enum rfc822Name-dnsName-ipAddress { value 5; } enum rfc822Name-ipAddress-dnsName { value 6; } enum dnsName-ipAddress-rfc822Name { value 7; } enum dnsName-rfc822Name-ipAddress { value 8; } enum ipAddress-dnsName-rfc822Name { value 9; } enum ipAddress-rfc822Name-dnsName { value 10; } }

6 NETCONF username generation: PSK case
Optional PSK-based authentication is described in RFC4279 During the TLS Handshake, the client indicates which key to use by including a "PSK identity" in the TLS ClientKeyExchange message PSK identity is used as the NETCONF username. RFC4279 provides more details on how the PSK identity MAY be encoded in UTF-8

7 The requirements in 6241 for the format of the username
The username provided by the TLS implementation will be made available to the NETCONF message layer as the NETCONF user name without modification. If the username does not comply to the NETCONF requirements on usernames [RFC6241], i.e., the username is not representable in XML, the TLS session MUST be dropped.

8 EoM issues The <hello> message MUST be followed by the character sequence ]]>]]> If the :base:1.1 capability is advertised by both peers, the chunked framing mechanism defined in Section 4.2 of RFC6242 is used for the remainder of the NETCONF session. Otherwise, the old end-of-message-based mechanism (see Section 4.3 of RFC6242) is used.

9 Capability advertisement – security consideration
When the :base:1.1 capability is not advertised by both peers, an attacker might be able to deliberately insert the delimiter sequence ]]>]]> in a NETCONF message to create a DoS attack. If the :base:1.1 capability is not advertised by both peers, applications and NETCONF APIs MUST ensure that the delimiter sequence ]]>]]> never appears in NETCONF messages; otherwise, those messages can be dropped, garbled, or misinterpreted.

10 Contributors Juergen Schoenwaelder Alan Luchuk

11 Next Steps Make any agreed changes WG item?

Download ppt "RFC 5539 Update Status draft-badra-netconf-rfc5539bis-00"

Similar presentations

Dynamic Symmetric Key Provisioning Protocol (DSKPP)

Dynamic Symmetric Key Provisioning Protocol (DSKPP)
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
MIF API draft-ietf-mif-api-extension-05 Dapeng Liu.

MIF API draft-ietf-mif-api-extension-05 Dapeng Liu.
Requirements for DSML 2.0. Summary RFC 2251 fidelity Represent existing directory protocols with new transport syntax Backwards compatibility with DSML.

Requirements for DSML 2.0. Summary RFC 2251 fidelity Represent existing directory protocols with new transport syntax Backwards compatibility with DSML.
NETCONF Server and RESTCONF Server Configuration Models draft-ietf-netconf-server-model-06 NETCONF WG IETF #92 Dallas, TX, USA.

NETCONF Server and RESTCONF Server Configuration Models draft-ietf-netconf-server-model-06 NETCONF WG IETF #92 Dallas, TX, USA.
IPv6 RADIUS attributes for IPv6 access networks draft-lourdelet-radext-ipv6-access-01 Glen Zorn, Benoit Lourdelet Wojciech Dec, Behcet Sarikaya Radext/dhc.

IPv6 RADIUS attributes for IPv6 access networks draft-lourdelet-radext-ipv6-access-01 Glen Zorn, Benoit Lourdelet Wojciech Dec, Behcet Sarikaya Radext/dhc.
draft-ietf-netconf-call-home-01

draft-ietf-netconf-call-home-01
Abierman-nanog-30may03 1 XML Router Configs BOF Operator Involvement Andy Bierman

Abierman-nanog-30may03 1 XML Router Configs BOF Operator Involvement Andy Bierman
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
Jun Li DHCP Option for Access Network Information draft-lijun-dhc-clf-nass-option-01.

Jun Li DHCP Option for Access Network Information draft-lijun-dhc-clf-nass-option-01.
Session Peering Protocol over SOAP I-D ( draft-ietf-drinks-spp-over-soap-01) draft-ietf-drinks-spp-over-soap-01 0 Presenter: Vikas Bhatia (On behalf of.

Session Peering Protocol over SOAP I-D ( draft-ietf-drinks-spp-over-soap-01) draft-ietf-drinks-spp-over-soap-01 0 Presenter: Vikas Bhatia (On behalf of.
1 82 nd IETF meeting NETCONF over WebSocket (http://tools.ietf.org/html/draft-iijima-netconf-websocket-ps-01 ) Tomoyuki Iijima, (Hitachi) Hiroyasu Kimura,

1 82 nd IETF meeting NETCONF over WebSocket ( ) Tomoyuki Iijima, (Hitachi) Hiroyasu Kimura,
P2P Streaming Protocol (PPSP) Requirements draft-zong-ppsp-reqs-03.

P2P Streaming Protocol (PPSP) Requirements draft-zong-ppsp-reqs-03.
Hiroyasu Kimura, Yoshifumi Atarashi, and Hidemitsu Higuchi

Hiroyasu Kimura, Yoshifumi Atarashi, and Hidemitsu Higuchi
SIP working group IETF#70 Essential corrections Keith Drage.

SIP working group IETF#70 Essential corrections Keith Drage.
Protocol for I2RS I2RS WG IETF #89 London, UK Dean Bogdanovic v0.1.

Protocol for I2RS I2RS WG IETF #89 London, UK Dean Bogdanovic v0.1.
Encryption protocols Monil Adhikari. What is SSL / TLS? Transport Layer Security protocol, ver 1.0 De facto standard for Internet security “The primary.

Encryption protocols Monil Adhikari. What is SSL / TLS? Transport Layer Security protocol, ver 1.0 De facto standard for Internet security “The primary.
Slide title In CAPITALS 50 pt Slide subtitle 32 pt RTSP draft-ietf-mmusic-rfc2396bis-10 Magnus Westerlund Co-auhtors: Henning Schulzrinne, Rob Lanphier,

Slide title In CAPITALS 50 pt Slide subtitle 32 pt RTSP draft-ietf-mmusic-rfc2396bis-10 Magnus Westerlund Co-auhtors: Henning Schulzrinne, Rob Lanphier,
Requirements and Selection Process for RADIUS Crypto-Agility December 5, 2007 David B. Nelson IETF 70 Vancouver, BC.

Requirements and Selection Process for RADIUS Crypto-Agility December 5, 2007 David B. Nelson IETF 70 Vancouver, BC.
N ETWORK C ONFIGURATION Prepared by: Menna Hamza Mohamad Hesham Mona Abdel Mageed Yasmine Shaker.

N ETWORK C ONFIGURATION Prepared by: Menna Hamza Mohamad Hesham Mona Abdel Mageed Yasmine Shaker.

Similar presentations

Ads by Google