idnits 2.17.1 

draft-ietf-netconf-beep-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 28 instances of lines with control characters in the document.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (October 7, 2003) is 7507 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: '7' is defined on line 415, but no explicit reference
     was found in the text

  == Unused Reference: '8' is defined on line 419, but no explicit reference
     was found in the text

  == Outdated reference: A later version (-12) exists of
     draft-ietf-netconf-prot-00

  ** Obsolete normative reference: RFC 2222 (ref. '4') (Obsoleted by RFC
     4422, RFC 4752)

  ** Obsolete normative reference: RFC 2246 (ref. '5') (Obsoleted by RFC 4346)


     Summary: 4 errors (**), 0 flaws (~~), 5 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                            E. Lear
3	Internet-Draft                                                K. Crozier
4	Expires: April 6, 2004                                     Cisco Systems
5	                                                         October 7, 2003

7	             BEEP Application Protocol Mapping for NETCONF
8	                       draft-ietf-netconf-beep-00

10	Status of this Memo

12	   This document is an Internet-Draft and is in full conformance with
13	   all provisions of Section 10 of RFC2026.

15	   Internet-Drafts are working documents of the Internet Engineering
16	   Task Force (IETF), its areas, and its working groups. Note that other
17	   groups may also distribute working documents as Internet-Drafts.

19	   Internet-Drafts are draft documents valid for a maximum of six months
20	   and may be updated, replaced, or obsoleted by other documents at any
21	   time. It is inappropriate to use Internet-Drafts as reference
22	   material or to cite them other than as "work in progress."

24	   The list of current Internet-Drafts can be accessed at http://
25	   www.ietf.org/ietf/1id-abstracts.txt.

27	   The list of Internet-Draft Shadow Directories can be accessed at
28	   http://www.ietf.org/shadow.html.

30	   This Internet-Draft will expire on April 6, 2004.

32	Copyright Notice

34	   Copyright (C) The Internet Society (2003). All Rights Reserved.

36	Abstract

38	   This document specifies an application protocol mapping for the
39	   NETCONF protocol over the Blocks Extensible Exchange Protocol (BEEP).

41	Table of Contents

43	   1.    Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
44	   1.1   Why BEEP?  . . . . . . . . . . . . . . . . . . . . . . . . .  3
45	   2.    BEEP Transport Mapping . . . . . . . . . . . . . . . . . . .  4
46	   2.1   NETCONF Session Initiation . . . . . . . . . . . . . . . . .  4
47	   2.2   NETCONF RPC Execution  . . . . . . . . . . . . . . . . . . .  4
48	   2.3   NETCONF <rpc-abort> and <rpc-progress> . . . . . . . . . . .  5
49	   2.4   NETCONF Session Teardown . . . . . . . . . . . . . . . . . .  5
50	   2.5   BEEP Profiles for NETCONF Channels . . . . . . . . . . . . .  5
51	   2.5.1 Management Channel Profile . . . . . . . . . . . . . . . . .  5
52	   2.5.2 Operations Channel Profile . . . . . . . . . . . . . . . . .  7
53	   2.5.3 Notification Channel Profile . . . . . . . . . . . . . . . .  9
54	   3.    Security Considerations  . . . . . . . . . . . . . . . . . . 10
55	   4.    IANA Considerations  . . . . . . . . . . . . . . . . . . . . 11
56	   5.    Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . 12
57	         Normative References . . . . . . . . . . . . . . . . . . . . 13
58	         Informative References . . . . . . . . . . . . . . . . . . . 14
59	         Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 14
60	         Intellectual Property and Copyright Statements . . . . . . . 15

62	1. Introduction

64	   The NETCONF protocol [1] defines a simple mechanism through which a
65	   network device can be managed. NETCONF is designed to be usable over
66	   a variety of application protocols. This document specifies an
67	   application protocol mapping for NETCONF over the Blocks Extensible
68	   Exchange Protocol (BEEP) [2] .

70	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
71	   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
72	   document are to be interpreted as described in RFC 2119 [3].

74	1.1 Why BEEP?

76	   Use of BEEP is natural as an application protocol for transport of
77	   XML.  As a peer to peer protocol, BEEP provides an easy way to
78	   implement NETCONF, no matter which side of the connection was the
79	   initiator.  This "bidirectionality" allows for either side to play
80	   the role of the manager with no protocol changes. Either side can
81	   open a channel.  Either side could initiate an RPC.  This is
82	   particularly important to support operational models that involve
83	   small devices connecting to a manager, and those devices that must
84	   reverse the management connection in the face of firewalls and NATs.

86	   The SASL profile used by BEEP allows for a simple and direct mapping
87	   to the existing security model for CLI.

89	2. BEEP Transport Mapping

91	   All NETCONF over BEEP implementations MUST implement the profile and
92	   functional mapping between NETCONF and BEEP as described below.

94	2.1 NETCONF Session Initiation

96	   Managers may be either BEEP listeners or initiators.  Similarly,
97	   agents may be either listeners or initiators.  Thus the initial
98	   exchange takes place without regard to whether a manager or the agent
99	   is the initiator.  After the transport connection is established, as
100	   greetings are exchanged, they should each announce their support for
101	   TLS [5] and optionally SASL [4] (see below), as well as for the
102	   SYSLOG profile [6]. Once greetings are exchanged, if TLS is to be
103	   used and available by both parties, the listener STARTs a channel
104	   with the TLS profile.

106	   Once TLS has been started, a new greeting is sent by both initiator
107	   and listener, as required by the BEEP RFC.

109	   At this point, if SASL is desired, the initiator starts BEEP channel
110	   1 to perform a SASL exchange to authenticate itself.  When SASL is
111	   completed, the channel MUST be closed.

113	   Once authentication has occurred, there is no need to distinguish
114	   between initiator and listener.  We now distinguish between manager
115	   and agent.

117	   The manager now establishes an NETCONF management channel for the
118	   purpose of exchanging capabilities, monitoring progress, and aborting
119	   remote procedure calls.  As initiators assign odd channels and
120	   listeners assign even channels, the management channel is BEEP
121	   channel 1 or 2, depending on whether the manager is the initiator or
122	   the listener.

124	   The manager next establishes the NETCONF operational channel for the
125	   purpose of issuing RPC requests.  This channel is BEEP channel 3 or
126	   4.

128	   Finally, if either manager or agent wishes to send or receive
129	   notifications, it may issue a start on the next available channel if
130	   the other side has sent the send or receive NETCONF capability.

132	   At this point, the NETCONF session is established.

134	2.2 NETCONF RPC Execution

136	   To issue an RPC, the manager transmits on the operational channel a
137	   BEEP MSG containing the RPC and its arguments.  In accordance with
138	   the BEEP standard, RPC requests may be split across multiple BEEP
139	   frames.

141	   Once received and processed, the agent responds with BEEP RPYs on the
142	   same channel with the response to the RPC.  In accordance with the
143	   BEEP standard, responses may be split across multiple BEEP frames.

145	2.3 NETCONF <rpc-abort> and <rpc-progress>

147	   <rpc-abort> and <rpc-progress> requests are issued by the manager on
148	   the NETCONF management channel, and the agent responds with BEEP RPYs
149	   on that same channel.

151	2.4 NETCONF Session Teardown

153	   Either side may initiate the termination of an NETCONF session.  In
154	   This is done by issuing a BEEP close on the operational channel after
155	   the current RPC has completed.  The same is done with any
156	   notification channels by the end that transmits notifications.
157	   Finally, BEEP channel 0 is closed.

159	2.5 BEEP Profiles for NETCONF Channels

161	   There are two profiles, the management channel profile and the
162	   operations channel profile. These are not to be confused with the
163	   BEEP control channel.

165	   The operations channel will have two commands, <rpc> and <rpc-reply>.
166	   The management channel will have one additional operation with
167	   <rpc-progress>.

169	2.5.1 Management Channel Profile

171	      <!-- DTD for netconf management over BEEP

173	        Refer to this DTD as:

175	          <!ENTITY % NETCONF PUBLIC "netconf/management/1.0" "">
176	          %NETCONF;
177	        -->

179	      <!--   Contents

181	          Overview

183	          Includes
184	          Profile Summaries
185	          Entity Definitions

187	          Operations
188	   	   rpc
189	   	   rpc-reply
190	    	   rpc-progress
191	        -->

193	      <!--  Overview   NETCONF Management channel  -->

195	      <!-- Includes -->

197	             <!ENTITY % BEEP PUBLIC "-//Blocks//DTD BEEP//EN"
198	                        "">
199	             %BEEP;

201	      <!--  Profile summaries

203	          BEEP profile NETCONF-MANAGEMENT

205	          role        MSG        		RPY        ERR
206	          ====        ===        		===        ===
207	          I or L      rpc			ok         error
208	          I or L      rpc-reply		ok         error
209	          I or L      rpc-progress		ok         error

211	      -->

213	      <!--
214	        Entity Definitions

216	              entity        syntax/reference     example
217	              ======        ================     =======

219	   	a PRC
220	   	   RPC-DATA	  Alpha
221	   	a RPC reply number
222	              RPC-REPLY      1*3DIGIT
223	   	a RPC progress number
224	              RPC-PROGRESS   1*3DIGIT

226	      -->

228	      <!ENTITY % RPC-REPLY    "CDATA">
229	      <!ENTITY % RPC-DATA     "CDATA">
230	      <!ENTITY % RPC-PROGRESS "CDATA">
231	       -->

233	      <!--
234	        RPC command
235	        -->

237	      <!ELEMENT rpc        (#PCDATA)>
238	      <!ATTLIST rpc
239	                rpc-data	%RPC_DATA;	           #REQUIRED>

241	   <!--
242	        Result of RPC.
243	        -->

245	      <!ELEMENT rpc-reply    (#PCDATA)>
246	      <!ATTLIST rpc-reply
247	                rpc-reply	%RPC-REPLY;	           #REQUIRED
248	   	     rpc-data    %rpc-data		   #REQUIRED>

250	   <!--
251	        Progress of RPC operation.
252	        -->

254	      <!ELEMENT rpc-progress   (#PCDATA)>
255	      <!ATTLIST rpc-progress
256	                rpc-progress %RPC-PROGRESS;	           #REQUIRED>

258	      <!-- End of DTD -->

260	2.5.2 Operations Channel Profile

262	      <!-- DTD for netconf operations over BEEP

264	        Refer to this DTD as:

266	          <!ENTITY % NETCONF PUBLIC "netconf/Operation/1.0" "">
267	          %NETCONF;
268	        -->

270	      <!--   Contents

272	          Overview

274	          Includes
275	          Profile Summaries
276	          Entity Definitions

278	          Operations

280	   	   rpc
281	   	   rpc-reply
282	        -->

284	      <!--  Overview   NETCONF operation channel  -->

286	      <!-- Includes -->

288	             <!ENTITY % BEEP PUBLIC "-//Blocks//DTD BEEP//EN"
289	                        "">
290	             %BEEP;

292	      <!--  Profile summaries

294	          BEEP profile NETCONF-MANAGEMENT

296	          role        MSG        		RPY        ERR
297	          ====        ===        		===        ===
298	          I or L      rpc				ok         error
299	          I or L      rpc-reply			ok         error

301	      -->

303	      <!--
304	        Entity Definitions

306	              entity        syntax/reference     example
307	              ======        ================     =======

309	   	a PRC
310	   	   RPC-DATA	  Alpha
311	   	a RPC reply number
312	              RPC-REPLY      1*3DIGIT

314	      -->

316	      <!ENTITY % RPC-REPLY    "CDATA">
317	      <!ENTITY % RPC-DATA     "CDATA">

319	       -->

321	      <!--
322	        RPC command
323	        -->

325	      <!ELEMENT RPC        (#PCDATA)>
326	      <!ATTLIST RPC
327	                RPC-DATA	%RPC_DATA;	           #REQUIRED>

329	   <!--
330	        Result of RPC.
331	        -->

333	      <!ELEMENT RPC-REPLY    (#PCDATA)>
334	      <!ATTLIST RPC-REPLY
335	                RPC-REPLY	%RPC-REPLY;	           #REQUIRED
336	   	     	RPC-DATA    %RPC-DATA		   #REQUIRED>

338	      <!-- End of DTD -->

340	2.5.3 Notification Channel Profile

342	   The NETCONF notification channel profile is defined in RFC 3195 [6].

344	3. Security Considerations

346	   Configuration information is by its very nature sensitive.  Its
347	   transmission in the clear and without integrity checking leaves
348	   devices open to classic so-called "person in the middle" attacks.
349	   Configuration information often times contains passwords, user names,
350	   service descriptions, and topological information, all of which are
351	   sensitive. A NETCONF application protocol, therefore, must minimally
352	   support options for both confidentiality and authentication.

354	   BEEP makes use of both transport layer security and SASL.  We require
355	   that TLS be used in BEEP as described by the BEEP standard.
356	   Client-side certificates are strongly desirable, but an SASL
357	   authentication is the bare minimum.  SASL allows for the use of
358	   protocols such as RADIUS [9], so that authentication can occur off
359	   the box.

361	   SASL authentication will occur on the first channel creation, and
362	   prior to issuance of any protocol operations. No further
363	   authentication may occur during the same session.  This avoids a
364	   situation where rights are different between different channels.  If
365	   an implementation wishes to support multiple accesses by different
366	   individuals with different rights, then multiple sessions are
367	   required.

369	   Different environments may well allow different rights prior to and
370	   then after authentication.  Thus, an authorization model is not
371	   specified in this document.  When an operation is not properly
372	   authorized then a simple "permission denied" is sufficient. Note that
373	   authorization information may be exchanged in the form of
374	   configuration information, which is all the more reason to ensure the
375	   security of the connection.

377	4. IANA Considerations

379	   The IANA will assign a TCP port for NETCONF.

381	5. Acknowledgments

383	   This work is the product of the NETCONF IETF working group, and many
384	   people have contributed to the NETCONF discussion.  Most notably, Rob
385	   Ens, Phil Schafer, Andy Bierman, Wes Hardiger, Ted Goddard, and
386	   Margaret Wasserman all contributed in some fashion to this work,
387	   which was originally to be found in the NETCONF base protocol
388	   specification. Thanks also to Weijing Chen, Keith Allen, Juergen
389	   Schoenwaelder, and Eamon O'Tuathail for their very constructive
390	   participation.

392	Normative References

394	   [1]  Enns, R., "NETCONF Configuration Protocol",
395	        draft-ietf-netconf-prot-00 (work in progress), August 2003.

397	   [2]  Rose, M., "The Blocks Extensible Exchange Protocol Core", RFC
398	        3080, March 2001.

400	   [3]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
401	        Levels", BCP 14, RFC 2119, March 1997.

403	   [4]  Myers, J., "Simple Authentication and Security Layer (SASL)",
404	        RFC 2222, October 1997.

406	   [5]  Dierks, T., Allen, C., Treese, W., Karlton, P., Freier, A. and
407	        P. Kocher, "The TLS Protocol Version 1.0", RFC 2246, January
408	        1999.

410	   [6]  New, D. and M. Rose, "Reliable Delivery for syslog", RFC 3195,
411	        November 2001.

413	Informative References

415	   [7]  Bray, T., Paoli, J., Sperberg-McQueen, C. and E. Maler,
416	        "Extensible Markup Language (XML) 1.0 (Second Edition)", W3C REC
417	        REC-xml-20001006, October 2000.

419	   [8]  Hollenbeck, S., Rose, M. and L. Masinter, "Guidelines for the
420	        Use of Extensible Markup Language (XML) within IETF Protocols",
421	        BCP 70, RFC 3470, January 2003.

423	   [9]  Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote
424	        Authentication Dial In User Service (RADIUS)", RFC 2865, June
425	        2000.

427	Authors' Addresses

429	   Eliot Lear
430	   Cisco Systems
431	   170 W. Tasman Dr.
432	   San Jose, CA  95134-1706
433	   US

435	   EMail: lear@cisco.com

437	   Ken Crozier
438	   Cisco Systems
439	   170 W. Tasman Dr.
440	   San Jose, CA  95134-1706
441	   US

443	   EMail: kcrozier@cisco.com

445	Intellectual Property Statement

447	   The IETF takes no position regarding the validity or scope of any
448	   intellectual property or other rights that might be claimed to
449	   pertain to the implementation or use of the technology described in
450	   this document or the extent to which any license under such rights
451	   might or might not be available; neither does it represent that it
452	   has made any effort to identify any such rights. Information on the
453	   IETF's procedures with respect to rights in standards-track and
454	   standards-related documentation can be found in BCP-11. Copies of
455	   claims of rights made available for publication and any assurances of
456	   licenses to be made available, or the result of an attempt made to
457	   obtain a general license or permission for the use of such
458	   proprietary rights by implementors or users of this specification can
459	   be obtained from the IETF Secretariat.

461	   The IETF invites any interested party to bring to its attention any
462	   copyrights, patents or patent applications, or other proprietary
463	   rights which may cover technology that may be required to practice
464	   this standard. Please address the information to the IETF Executive
465	   Director.

467	Full Copyright Statement

469	   Copyright (C) The Internet Society (2003). All Rights Reserved.

471	   This document and translations of it may be copied and furnished to
472	   others, and derivative works that comment on or otherwise explain it
473	   or assist in its implementation may be prepared, copied, published
474	   and distributed, in whole or in part, without restriction of any
475	   kind, provided that the above copyright notice and this paragraph are
476	   included on all such copies and derivative works. However, this
477	   document itself may not be modified in any way, such as by removing
478	   the copyright notice or references to the Internet Society or other
479	   Internet organizations, except as needed for the purpose of
480	   developing Internet standards in which case the procedures for
481	   copyrights defined in the Internet Standards process must be
482	   followed, or as required to translate it into languages other than
483	   English.

485	   The limited permissions granted above are perpetual and will not be
486	   revoked by the Internet Society or its successors or assignees.

488	   This document and the information contained herein is provided on an
489	   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
490	   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
491	   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
492	   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
493	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

495	Acknowledgment

497	   Funding for the RFC Editor function is currently provided by the
498	   Internet Society.