NETCONF over Transport Layer Security (TLS)
draft-ietf-netconf-tls-07

[Ballot comment]
Couple of minor comments/suggestions:

Section 4 should explain what "third party authentication" means,
since it's not obvious from the context, and the term is not used in
any of the listed references either.

To me, references RFC4642 and and RFC5277 don't look normative, so
they probably should be in the Informative References section.

[Ballot comment]
I support Jari and Tim's discuss positions.

If there is a need for authentication mechanisms other than TLS client
certificates for this transport, a simple protocol design pattern would
be to write a SASL profile for netconf for use in conjunction with TLS.
That's a rather simple project (a couple pages) and I'd be glad to assist
if needed.

[Ballot discuss]
I agree with Jari's discuss (and confusion) concerning client authentication.

Specifically, I had expected to find that this specification required servers to check the
clients identity by either (1) mutually authenticated TLS using certificates (with the same
checks identified in 3.1) or (2) by some other mechanism that satisfied local policy.  I had
also expected to see that certificate-based client authentication was a MUST implement.

Note that section 2.1 seems to limit implementations of this protocol to TLS cipher suites
that provide certificate-based mutual authentication.    This seems inconsistent with
section 3.2 permitting connections without verifying the client identity at all...

[Ballot discuss]
I expected to ballot Yes on this but at the end I found I was missing
some fundamental information. My understanding of RFC 4741 is that
authentication/authorization is something left to the protocol that
carries NETCONF messages. RFC 4742 (NETCONF over SSH) for instance says:

  The identity of the server MUST be verified and authenticated by the
  client according to local policy ...

  The identity of the client MUST also be verified and
  authenticated by the server according to local policy ...

However, the current document has explicit guidance about server side
authentication, but not much about clients:

  The server may have no external knowledge on client's identity and
  identity checks might not be possible (unless the client has a
  certificate chain rooted in an appropriate CA).  If a server has
  knowledge on client's identity (typically from some source external
  to NETCONF or TLS) it MUST check the identity as described above.

This seems to be in violation of RFC 4741 thinking:

  It is further
  expected that the identity of each end of a NETCONF session will be
  available to the other in order to determine authorization for any
  given request.

But I can't think that the authors would have missed client side
authentication; its so fundamental to configuration operations
to network devices. What am I missing? Is there some other authentication
layer for client/user side somewhere? If there is not, I cannot see
how you can allow one-side TLS authentication except maybe for reading
information.

IANA Last Call comments:

Upon approval of this document, IANA will make the following
assignment in the port numbers registry at
http://www.iana.org/assignments/port-numbers

Keyword Decimal Description References
------- ------- ----------- ----------
Netconf-tls TBD/tcp Netconf over TLS [RFC-netconf-tls-06]

Note: Port 6513 will be assigned if it is still available.

We understand the above to be the only IANA Action for this document.

AD Review by Dan Romascanu:

1. I believe that there is a need for more clarity in defining the usage of the delimiter sequence ]]>]]> after each XML document. The text in RFC 4742 seems to me more clear and I suggest to take inspiration from
it:

  [The] special character sequence,
  ]]>]]>, MUST be sent by both the client and the server after each XML
  document in the NETCONF exchange.  This character sequence cannot
  legally appear in an XML document, so it can be unambiguously used to
  identify the end of the current document, allowing resynchronization
  of the NETCONF exchange in the event of an XML syntax or parsing
  error.

2. In section 3.2: 'Typically, the server has no external knowledge of what the client's identity ought to be'. I question if this is really true in the 'typical' case. I would actually imagine that the case where network devices would be preconfigured with information about the identity of their managers would be quite common.

3.  Id-nits complains about the obsolete normative reference: RFC 4366
(Obsoleted by RFC 5246). I assume this does not change anything wrt. the content of the document, but please check.

4. The header should say Intended Status: Proposed Standard rather than Standards Track

PROTO write-up by Mehmet Ersue:

(1.a) Who is the Document Shepherd for this document? Has the 
      Document Shepherd personally reviewed this version of the 
      document and, in particular, does he or she believe this 
      version is ready for forwarding to the IESG for publication?

     
Mehmet Ersue
I believe the document is ready for publication.
     
(1.b) Has the document had adequate review both from key WG members 
      and from key non-WG members? Does the Document Shepherd have 
      any concerns about the depth or breadth of the reviews that 
      have been performed?
     
The document had adequate review by key WG members.
I have no concerns on the level of review that we had in the WG sofar.
The issues raised in these reviews have been discussed on the mailing
list and solved with subsequent versions of the document.

The document has been especially reviewed by Eric Rescorla,
Juergen Schoenwaelder, David Harrington, the security advisor
Charlie Kaufman, and the security ADs Pasi Eronen and Tim Polk.


(1.c) Does the Document Shepherd have concerns that the document 
      needs more review from a particular or broader perspective, 
      e.g., security, operational complexity, someone familiar with 
      AAA, internationalization or XML?

No concerns.

(1.d) Does the Document Shepherd have any specific concerns or 
      issues with this document that the Responsible Area Director 
      and/or the IESG should be aware of? For example, perhaps he 
      or she is uncomfortable with certain parts of the document, or 
      has concerns whether there really is a need for it. In any 
      event, if the WG has discussed those issues and has indicated 
      that it still wishes to advance the document, detail those 
      concerns here. Has an IPR disclosure related to this document 
      been filed? If so, please include a reference to the 
      disclosure and summarize the WG discussion and conclusion on 
      this issue.

There are no specific concerns.
No IPR claims have been filed as far as I know.


(1.e) How solid is the WG consensus behind this document? Does it 
      represent the strong concurrence of a few individuals, with 
      others being silent, or does the WG as a whole understand and 
      agree with it?

A few independent WG members have been involved in the reviews. 
There are many WG members who did not strongly support or object
to the document. Nobody objected to the document during or after
the WGLC. There is WG consensus to publish the document.


(1.f) Has anyone threatened an appeal or otherwise indicated extreme 
      discontent? If so, please summarise the areas of conflict in 
      separate email messages to the Responsible Area Director. (It 
      should be in a separate email because this questionnaire is 
      entered into the ID Tracker.)

No appeals have been threatened.


(1.g) Has the Document Shepherd personally verified that the 
      document satisfies all ID nits? (See 
      http://www.ietf.org/ID-Checklist.html and 
      http://tools.ietf.org/tools/idnits/). Boilerplate checks are 
      not enough; this check needs to be thorough. Has the document 
      met all formal review criteria it needs to, such as the MIB 
      Doctor, media type and URI type reviews?
     
Yes. IDnits shows one single issue which will be fixed with the next
version (normative reference RFC4366 has been obseleted by RFC5246).
 

(1.h) Has the document split its references into normative and 
      informative? Are there normative references to documents that 
      are not ready for advancement or are otherwise in an unclear 
      state? If such normative references exist, what is the 
      strategy for their completion? Are there normative references 
      that are downward references, as described in [RFC3967]? If 
      so, list these downward references to support the Area 
      Director in the Last Call procedure for them [RFC3967].
     
The document has split references.
There are only normative references, and all IETF-related references are already published.


(1.i) Has the Document Shepherd verified that the document IANA 
      consideration section exists and is consistent with the body 
      of the document? If the document specifies protocol 
      extensions, are reservations requested in appropriate IANA 
      registries? Are the IANA registries clearly identified? If 
      the document creates a new registry, does it define the 
      proposed initial contents of the registry and an allocation 
      procedure for future registrations? Does it suggest a 
      reasonable name for the new registry? See [RFC5226]. If the 
      document describes an Expert Review process has Shepherd 
      conferred with the Responsible Area Director so that the IESG 
      can appoint the needed Expert during the IESG Evaluation?

The document IANA section is complete. IANA is requested to
assign a TCP port number in the Registered Port Numbers range.


(1.j) Has the Document Shepherd verified that sections of the 
      document that are written in a formal language, such as XML 
      code, BNF rules, MIB definitions, etc., validate correctly in 
      an automated checker?

Not Applicable.


(1.k) The IESG approval announcement includes a Document 
      Announcement Write-Up. Please provide such a Document 
      Announcement Write-Up? Recent examples can be found in the
      "Action" announcements for approved documents. The approval 
      announcement contains the following sections:           

      Technical Summary 
        Relevant content can frequently be found in the abstract
        and/or introduction of the document. If not, this may be an
        indication that there are deficiencies in the abstract or
        introduction.

      Working Group Summary 
        Was there anything in WG process that is worth noting? For
        example, was there controversy about particular points or
        were there decisions where the consensus was particularly
        rough?

      Document Quality
        Are there existing implementations of the protocol? Have a
        significant number of vendors indicated their plan to
        implement the specification? Are there any reviewers that
        merit special mention as having done a thorough review,
        e.g., one that resulted in important changes or a conclusion
        that the document had no substantive issues? If there was a
        MIB Doctor, Media Type or other expert review, what was its
        course (briefly)? In the case of a Media Type review, on
        what date was the request posted?

       
Technical Summary 

The Network Configuration Protocol (NETCONF) provides
mechanisms to install, manipulate, and delete the
configuration of network devices.  This document describes
how to use the Transport Layer Security (TLS) protocol to
provide a secure connection for the transport of NETCONF
messages. The mechanisms defined in this document include
the support for certificate-based mutual authentication and key
derivation, utilizing the protected ciphersuite negotiation,
mutual authentication and key management capabilities of
the TLS (Transport Layer Security) protocol.

Working Group Summary 

Many WG member were thinking that password-based
authentication is already handled well enough by the existing
NETCONF transports (SSH and BEEP), and the NETCONF-over-
TLS specification does not need to handle passwords.
It has been recommended to scope the document to certificate-
based authentication.

There was also some controversy on the use of pre-shared keys
(PSKs) derived from passwords. Based on this dicussion the
Working Group decided to remove the text related to PSK based-
authentication. See
http://www.ietf.org/mail-archive/web/netconf/current/msg03856.html
       
There was some controversal discussion about the Connection
Closure. The consensus was that the document adopts the closure
mechanism from draft-ietf-syslog-transport-tls-, Section 4.4.
   
There was also some controversy about the use of a dedicated
port of NETCONF over TLS. The consensus was that a dedicated
port should be requested.
       
The summary of the last changes can be found in:
http://www.ietf.org/mail-archive/web/netconf/current/msg03873.html
http://www.ietf.org/mail-archive/web/netconf/current/msg03882.html

Document Quality

No vendors have announced that they will utilize this protocol.
Two implementations with independent code-base and initiated by the
document author are available as open source. The author ensures
that the two implementations have been tested as interoperable.