datatracker.ietf.org
Sign in
Version 5.6.3, 2014-09-19
Report a bug

NETCONF over Transport Layer Security (TLS)
RFC 5539

Network Working Group                                           M. Badra
Request for Comments: 5539                         CNRS/LIMOS Laboratory
Category: Standards Track                                       May 2009

              NETCONF over Transport Layer Security (TLS)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Abstract

   The Network Configuration Protocol (NETCONF) provides mechanisms to
   install, manipulate, and delete the configuration of network devices.
   This document describes how to use the Transport Layer Security (TLS)
   protocol to secure NETCONF exchanges.

Badra                       Standards Track                     [Page 1]
RFC 5539                    NETCONF over TLS                    May 2009

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 2
     1.1.  Conventions Used in This Document . . . . . . . . . . . . . 2
   2.  NETCONF over TLS  . . . . . . . . . . . . . . . . . . . . . . . 3
     2.1.  Connection Initiation . . . . . . . . . . . . . . . . . . . 3
     2.2.  Connection Closure  . . . . . . . . . . . . . . . . . . . . 4
   3.  Endpoint Authentication and Identification  . . . . . . . . . . 4
     3.1.  Server Identity . . . . . . . . . . . . . . . . . . . . . . 4
     3.2.  Client Identity . . . . . . . . . . . . . . . . . . . . . . 5
   4.  Security Considerations . . . . . . . . . . . . . . . . . . . . 5
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 6
   7.  Contributor's Address . . . . . . . . . . . . . . . . . . . . . 7
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 7
     8.1.  Normative References  . . . . . . . . . . . . . . . . . . . 7
     8.2.  Informative References  . . . . . . . . . . . . . . . . . . 7

1.  Introduction

   The NETCONF protocol [RFC4741] defines a mechanism through which a
   network device can be managed.  NETCONF is connection-oriented,
   requiring a persistent connection between peers.  This connection
   must provide integrity, confidentiality, peer authentication, and
   reliable, sequenced data delivery.

   This document defines "NETCONF over TLS", which includes support for
   certificate-based mutual authentication and key derivation, utilizing
   the protected ciphersuite negotiation, mutual authentication, and key
   management capabilities of the TLS (Transport Layer Security)
   protocol, described in [RFC5246].

   Throughout this document, the terms "client" and "server" are used to
   refer to the two ends of the TLS connection.  The client actively
   opens the TLS connection, and the server passively listens for the
   incoming TLS connection.  The terms "manager" and "agent" are used to
   refer to the two ends of the NETCONF protocol session.  The manager
   issues NETCONF remote procedure call (RPC) commands, and the agent
   replies to those commands.  When NETCONF is run over TLS using the
   mapping defined in this document, the client is always the manager,
   and the server is always the agent.

1.1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",

[include full document text]