Hi,
On Thu, 8 Dec 2005, Sam Hartman wrote:
Netconf currently recommends that netconf over ssh be run over a
different port than the normal ssh port.
That seems like a fine idea. I think there are cases where you might
want to allow access to netconf but not allow access to the CLI
through the normal ssh port.
However I think in many cases it would not be a security problem if
the netconf subsystem were available over the normal ssh port. In
many applications the same privileges will be granted to users over
the CLI as to the same users over netconf. In many cases the
functionality available through netconf will also be available through
the CLI.
As an operator, I agree. Especially in smaller networks (say, less
than 50 routers), the set of hosts where you can log in to the routers
and the set of hosts from which network management (other than
read-only SNMP) is expected to occur are similarly trusted.
With the expectation that more fine-grained control (rather than just
IP address/port filtering) of SSH vs NETCONF access can be made as
part of router's configuration, having a separate port is not needed,
but it doesn't do much harm either.
However, I see that there may be different kinds of networks where
being able to separate SSH and NETCONF access permissions at the
IP/port filtering level may be desirable.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf