| blob | 70efb526ba3a36c437ec146e035339b1970f7f37 |
1 NETCONF Working Group Mohamad Badra
2 Internet Draft LIMOS Laboratory
3 Intended status: Standards Track February 15, 2008
4 Expires: August 2008
8 NETCONF over Transport Layer Security (TLS)
9 draft-ietf-netconf-tls-01.txt
12 Status of this Memo
14 By submitting this Internet-Draft, each author represents that any
15 applicable patent or other IPR claims of which he or she is aware
16 have been or will be disclosed, and any of which he or she becomes
17 aware will be disclosed, in accordance with Section 6 of BCP 79.
19 Internet-Drafts are working documents of the Internet Engineering
20 Task Force (IETF), its areas, and its working groups. Note that
21 other groups may also distribute working documents as Internet-
22 Drafts.
24 Internet-Drafts are draft documents valid for a maximum of six months
25 and may be updated, replaced, or obsoleted by other documents at any
26 time. It is inappropriate to use Internet-Drafts as reference
27 material or to cite them other than as "work in progress."
29 The list of current Internet-Drafts can be accessed at
30 http://www.ietf.org/ietf/1id-abstracts.txt
32 The list of Internet-Draft Shadow Directories can be accessed at
33 http://www.ietf.org/shadow.html
35 This Internet-Draft will expire on August 15, 2008.
37 Copyright Notice
39 Copyright (C) The IETF Trust (2008).
41 Abstract
43 The Network Configuration Protocol (NETCONF) provides mechanisms to
44 install, manipulate, and delete the configuration of network devices.
45 This document describes how to use the Transport Layer Protocol (TLS)
46 to secure NETCONF exchanges.
52 Badra Expires August 15, 2008 [Page 1]
53 \f
54 Internet-Draft NETCONF over TLS February 2008
57 Table of Contents
60 1. Introduction...................................................2
61 1.1. Conventions used in this document.........................2
62 2. NETCONF over TLS...............................................3
63 2.1. Connection Initiation.....................................3
64 2.2. Connection Closure........................................3
65 3. Endpoint Authentication and Identification.....................4
66 3.1. Server Identity...........................................4
67 3.2. Client Identity...........................................5
68 3.3. Password-Based Authentication.............................5
69 4. Cipher Suite Requirements......................................7
70 5. Security Considerations........................................7
71 6. IANA Considerations............................................7
72 7. Acknowledgments................................................7
73 8. References.....................................................7
74 8.1. Normative References......................................7
75 Author's Addresses................................................8
76 Intellectual Property Statement...................................8
77 Disclaimer of Validity............................................9
79 1. Introduction
81 The NETCONF protocol [RFC4741] defines a simple mechanism through
82 which a network device can be managed. NETCONF is connection-
83 oriented, requiring a persistent connection between peers. This
84 connection must provide reliable, sequenced data delivery, integrity
85 and confidentiality and peers authentication. This document
86 describes how to use TLS [RFC4346] to secure NETCONF connections.
88 Throughout this document, the terms "client" and "server" are used to
89 refer to the two ends of the TLS connection. The client actively
90 opens the TLS connection, and the server passively listens for the
91 incoming TLS connection. The terms "manager" and "agent" are used to
92 refer to the two ends of the NETCONF protocol session. The manager
93 issues NETCONF remote procedure call (RPC) commands, and the agent
94 replies to those commands. When NETCONF is run over TLS using the
95 mapping defined in this document, the client is always the manager,
96 and the server is always the agent.
98 1.1. Conventions used in this document
100 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
101 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
102 document are to be interpreted as described in RFC-2119 [RFC2119].
106 Badra Expires August 15, 2008 [Page 2]
107 \f
108 Internet-Draft NETCONF over TLS February 2008
111 2. NETCONF over TLS
113 Since TLS is application protocol-independent, NETCONF can operate on
114 top of the TLS protocol transparently. This document defines how
115 NETCONF can be used within a Transport Layer Security (TLS) session.
117 2.1. Connection Initiation
119 The peer acting as the NETCONF manager MUST also act as the TLS
120 client. It MUST connect to the server that passively listens for the
121 incoming TLS connection on the IANA-to-be-assigned TCP port <TBA>.
122 It MUST therefore send the TLS ClientHello to begin the TLS
123 handshake. Once the TLS handshake has been finished, the client and
124 the server MAY then send their NETCONF exchanges. In particular, the
125 client will send complete XML documents to the server containing
126 <rpc> elements, and the server will respond with complete XML
127 documents containing <rpc-reply> elements. The client MAY indicate
128 interest in receiving event notifications from a NETCONF server by
129 creating a subscription to receive event notifications [NETNOT], in
130 which the NETCONF server replies to indicate whether the subscription
131 request was successful and, if it was successful, begins sending the
132 event notifications to the NETCONF client as the events occur within
133 the system. All these elements are encapsulated into TLS records of
134 type "application data". These records are protected using the TLS
135 material keys.
137 Current NETCONF messages don't include a message's length. This
138 document uses consequently the same delimiter sequence defined in
139 [RFC4742] and therefore the special character sequence, ]]>]]>, to
140 delimit XML documents.
142 2.2. Connection Closure
144 Either NETCONF peer MAY stop the NETCONF connection at any time and
145 therefore notify the other NETCONF peer that no more data on this
146 channel will be sent and that any data received after a closure
147 request will be ignored. This MAY happen when no data is received
148 from a connection for a long time, where the application decides what
149 "long" means.
151 TLS has the ability for secure connection closure using the Alert
152 protocol. When the NETCONF peer processes a closure request of the
153 NETCONF connection, it MUST send a TLS close_notify alert before
154 closing the connection. Any data received after a closure alert is
155 ignored.
160 Badra Expires August 15, 2008 [Page 3]
161 \f
162 Internet-Draft NETCONF over TLS February 2008
165 Unless some other fatal alert has been transmitted, each party is
166 required to send a close_notify alert before closing the write side
167 of the connection. The other party MUST respond with a close_notify
168 alert of its own and close down the connection immediately,
169 discarding any pending writes. It is not required for the initiator
170 of the close to wait for the responding close_notify alert before
171 closing the read side of the connection.
173 3. Endpoint Authentication and Identification
175 NETCONF requires that its transport provide mutual authentication of
176 client and server, so cipher suites that are anonymous or which only
177 authenticate the server to the client MUST NOT be used with NETCONF.
178 This document specifies how to use TLS with endpoint authentication
179 in TLS can be based on either preshared keys [RFC4279] or public key
180 certificates [RFC4346]. Some cipher suites (e.g.
181 TLS_RSA_PSK_WITH_AES_128_CBC_SHA) use both. Section 3.1 describes
182 how the client authenticates the server if public key certificates
183 are provided by the server, section 3.2 describes how the server
184 authenticates the client if public key certificates are provided by
185 the client, and section 3.3 describes how the client and server
186 mutually authenticate one another using a password.
188 3.1. Server Identity
190 During the TLS negotiation, the client MUST carefully examine the
191 certificate presented by the server to determine if it meets their
192 expectations. Particularly, the client MUST check its understanding
193 of the server hostname against the server's identity as presented in
194 the server Certificate message, in order to prevent man-in-the-middle
195 attacks.
197 Matching is performed according to these rules [RFC4642]:
199 - The client MUST use the server hostname it used to open the
200 connection (or the hostname specified in TLS "server_name"
201 extension [RFC4366]) as the value to compare against the server
202 name as expressed in the server certificate. The client MUST
203 NOT use any form of the server hostname derived from an
204 insecure remote source (e.g., insecure DNS lookup). CNAME
205 canonicalization is not done.
207 - If a subjectAltName extension of type dNSName is present in the
208 certificate, it MUST be used as the source of the server's
209 identity.
211 - Matching is case-insensitive.
214 Badra Expires August 15, 2008 [Page 4]
215 \f
216 Internet-Draft NETCONF over TLS February 2008
219 - A "*" wildcard character MAY be used as the left-most name
220 component in the certificate. For example, *.example.com would
221 match a.example.com, foo.example.com, etc., but would not match
222 example.com.
224 - If the certificate contains multiple names (e.g., more than one
225 dNSName field), then a match with any one of the fields is
226 considered acceptable.
228 If the match fails, the client MUST either ask for explicit user
229 confirmation or terminate the connection and indicate the server's
230 identity is suspect.
232 Additionally, clients MUST verify the binding between the identity of
233 the servers to which they connect and the public keys presented by
234 those servers. Clients SHOULD implement the algorithm in Section 6
235 of [RFC3280] for general certificate validation, but MAY supplement
236 that algorithm with other validation methods that achieve equivalent
237 levels of verification (such as comparing the server certificate
238 against a local store of already-verified certificates and identity
239 bindings).
241 If the client has external information as to the expected identity of
242 the server, the hostname check MAY be omitted.
244 3.2. Client Identity
246 Typically, the server has no external knowledge of what the client's
247 identity ought to be and so checks (other than that the client has a
248 certificate chain rooted in an appropriate CA) are not possible. If
249 a server has such knowledge (typically from some source external to
250 NETCONF or TLS) it MUST check the identity as described above.
252 3.3. Password-Based Authentication
254 [RFC4279] supports authentication based on pre-shared keys (PSKs).
255 These pre-shared keys are symmetric keys, shared in advance among the
256 communicating parties.
258 The PSK can be generated in many ways and its length is variable.
259 Implementation of this document MAY rely on [RFC4279] to enable
260 password based user authentication. In this case, the password is
261 used to generate the PSK. It is RECOMMENDED that implementations
262 that allow the administrator to manually configure the password also
263 provide functionality for generating a new random password, taking
264 [RFC4086] into account.
268 Badra Expires August 15, 2008 [Page 5]
269 \f
270 Internet-Draft NETCONF over TLS February 2008
273 This document generates the PSK from the password as follow:
275 PSK = SHA-1(SHA-1(password + psk_identity + "Key Pad for Netconf") +
276 psk_identity_hint)
278 Where + means concatenation.
280 The label "Key Pad for Netconf" is an ASCII string.
282 The psk_identity_hint is initially defined in section 5.1 of
283 [RFC4279]. The psk_identity_hint can do double duty and also provide
284 a form of server authentication in the case where the user has the
285 same password on a number of NETCONF servers. If a hint is provided,
286 the psk_identity_hint is encoded in the same way as in [RFC4279] and
287 should be a string representation of the name of the server
288 recognizable to the administrator or his software. In the case where
289 the user types a server name to connect to, it should be that string.
290 If the string the user enters differs from the one returned as
291 psk_identity_hint, the software could display the server's name and
292 ask the user to confirm. For automated scripts, the names could be
293 expected to match. It is highly recommended that implementations set
294 the psk_identity_hint to the DNS name of the NETCONF server (i.e.,
295 the TLS server).
297 It is RECOMMENDED that users choose different passwords for the
298 different servers they manage.
300 Note 1: The NETCONF over TLS implementation need not store the
301 password in clear text, but rather can store the value of SHA-
302 1(SHA-1(password + psk_identity + "Key Pad for Netconf") +
303 psk_identity_hint), which could not be used as a password
304 equivalent for applications other than NETCONF. Deriving the PSK
305 from a password is not secure. This construction is used because
306 it is anticipated that people will do it anyway.
308 Note 2: [RFC4279] defines some conformance requirements for the
309 PSK, for the PSK identity encoding and for the identity hint. The
310 same requirements apply here as well; in particular on the
311 password. Moreover, the management interface by which the
312 password is provided MUST accept ASCII strings of at least 64
313 octets and MUST NOT add a null terminator before using them as
314 shared secrets. It MUST also accept a HEX encoding of the
315 password. The management interface MAY accept other encodings if
316 the algorithm for translating the encoding to a binary string is
317 specified.
322 Badra Expires August 15, 2008 [Page 6]
323 \f
324 Internet-Draft NETCONF over TLS February 2008
327 4. Cipher Suite Requirements
329 A compliant implementation of the protocol specified in this document
330 MUST implement the cipher suite TLS_DHE_PSK_WITH_AES_128_CBC_SHA and
331 MAY implement any TLS cipher suite that provides mutual
332 authentication.
334 5. Security Considerations
336 The security considerations described throughout [RFC4346] and
337 [RFC4279] apply here as well.
339 As with all schemes involving shared keys and passwords, special care
340 should be taken to protect the shared values and passwords as well as
341 to limit their exposure over time. Alternatively, using certificates
342 would provide better protection.
344 6. IANA Considerations
346 IANA is requested to assign a TCP port number that will be the
347 default port for NETCONF over TLS sessions as defined in this
348 document.
350 IANA has assigned port <TBA> for this purpose.
352 7. Acknowledgments
354 A significant amount of the text in this document was lifted from
355 [RFC4642].
357 The author would like to acknowledge David Harrington, Miao Fuyou,
358 Eric Rescorla, Juergen Schoenwaelder and the NETCONF mailing list
359 members for their comments on the document. The author appreciates
360 also Bert Wijnen and Dan Romascanu for their efforts on issues
361 resolving discussion, and Charlie Kaufman for the thorough review of
362 this document and for the helpful comments on the password-based
363 authentication.
365 8. References
367 8.1. Normative References
369 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
370 Requirement Levels", BCP 14, RFC 2119, March 1997.
376 Badra Expires August 15, 2008 [Page 7]
377 \f
378 Internet-Draft NETCONF over TLS February 2008
381 [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
382 X.509 Public Key Infrastructure Certificate and Certificate
383 Revocation List (CRL) Profile", RFC 3280, April 2002.
385 [RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker,
386 "Randomness Requirements for Security", BCP 106, RFC 4086,
387 June 2005.
389 [RFC4279] Eronen, P. and H. Tschofenig., "Pre-Shared Key Ciphersuites
390 for Transport Layer Security (TLS)", RFC 4279, December
391 2005.
393 [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
394 (TLS) Protocol 1.1", RFC 4346, April 2006.
396 [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
397 and T. Wright, "Transport Layer Security (TLS) Extensions",
398 RFC 4366, April 2006.
400 [RFC4642] Murchison, K., Vinocur, J., Newman, C., "Using Transport
401 Layer Security (TLS) with Network News Transfer Protocol
402 (NNTP)", RFC 4642, October 2006
404 [RFC4741] Enns, R., "NETCONF Configuration Protocol", RFC 4741,
405 December 2006.
407 [RFC4742] Wasserman, M. and T. Goddard, "Using the NETCONF
408 Configuration Protocol over Secure Shell (SSH)", RFC 4742,
409 December 2006.
411 [NETNOT] Chisholm, S. and H. Trevino, "NETCONF Event Notifications",
412 draft-ietf-netconf-notification-11.txt, (work in progress),
413 November 2007.
415 Author's Addresses
417 Mohamad Badra
418 LIMOS Laboratory - UMR6158, CNRS
419 France
421 Email: badra@isima.fr
424 Intellectual Property Statement
426 The IETF takes no position regarding the validity or scope of any
427 Intellectual Property Rights or other rights that might be claimed to
430 Badra Expires August 15, 2008 [Page 8]
431 \f
432 Internet-Draft NETCONF over TLS February 2008
435 pertain to the implementation or use of the technology described in
436 this document or the extent to which any license under such rights
437 might or might not be available; nor does it represent that it has
438 made any independent effort to identify any such rights. Information
439 on the procedures with respect to rights in RFC documents can be
440 found in BCP 78 and BCP 79.
442 Copies of IPR disclosures made to the IETF Secretariat and any
443 assurances of licenses to be made available, or the result of an
444 attempt made to obtain a general license or permission for the use of
445 such proprietary rights by implementers or users of this
446 specification can be obtained from the IETF on-line IPR repository at
447 http://www.ietf.org/ipr.
449 The IETF invites any interested party to bring to its attention any
450 copyrights, patents or patent applications, or other proprietary
451 rights that may cover technology that may be required to implement
452 this standard. Please address the information to the IETF at
453 ietf-ipr@ietf.org.
455 Disclaimer of Validity
457 This document and the information contained herein are provided on an
458 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
459 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
460 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
461 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
462 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
463 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
465 Copyright Statement
467 Copyright (C) The IETF Trust (2008).
469 This document is subject to the rights, licenses and restrictions
470 contained in BCP 78, and except as set forth therein, the authors
471 retain all their rights.
473 Acknowledgment
475 Funding for the RFC Editor function is currently provided by the
476 Internet Society.
484 Badra Expires August 15, 2008 [Page 9]
485 \f