Network Working Group M. Badra Request for Comments: 5539 CNRS/LIMOS Laboratory Category: Standards Track May 2009
Network Working Group M. Badra Request for Comments: 5539 CNRS/LIMOS Laboratory Category: Standards Track May 2009
NETCONF over Transport Layer Security (TLS)
传输层安全(TLS)上的NETCONF
Status of This Memo
关于下段备忘
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2009 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
本文件受BCP 78和IETF信托在本文件出版之日生效的与IETF文件有关的法律规定的约束(http://trustee.ietf.org/license-info). 请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
本文件可能包含2008年11月10日之前发布或公开的IETF文件或IETF贡献中的材料。控制某些材料版权的人员可能未授予IETF信托允许在IETF标准流程之外修改此类材料的权利。在未从控制此类材料版权的人员处获得充分许可的情况下,不得在IETF标准流程之外修改本文件,也不得在IETF标准流程之外创建其衍生作品,除了将其格式化以RFC形式发布或将其翻译成英语以外的其他语言。
Abstract
摘要
The Network Configuration Protocol (NETCONF) provides mechanisms to install, manipulate, and delete the configuration of network devices. This document describes how to use the Transport Layer Security (TLS) protocol to secure NETCONF exchanges.
网络配置协议(NETCONF)提供了安装、操作和删除网络设备配置的机制。本文档介绍如何使用传输层安全性(TLS)协议保护NETCONF交换。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Conventions Used in This Document . . . . . . . . . . . . . 2 2. NETCONF over TLS . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Connection Initiation . . . . . . . . . . . . . . . . . . . 3 2.2. Connection Closure . . . . . . . . . . . . . . . . . . . . 4 3. Endpoint Authentication and Identification . . . . . . . . . . 4 3.1. Server Identity . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Client Identity . . . . . . . . . . . . . . . . . . . . . . 5 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 7. Contributor's Address . . . . . . . . . . . . . . . . . . . . . 7 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 8.1. Normative References . . . . . . . . . . . . . . . . . . . 7 8.2. Informative References . . . . . . . . . . . . . . . . . . 7
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Conventions Used in This Document . . . . . . . . . . . . . 2 2. NETCONF over TLS . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Connection Initiation . . . . . . . . . . . . . . . . . . . 3 2.2. Connection Closure . . . . . . . . . . . . . . . . . . . . 4 3. Endpoint Authentication and Identification . . . . . . . . . . 4 3.1. Server Identity . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Client Identity . . . . . . . . . . . . . . . . . . . . . . 5 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 7. Contributor's Address . . . . . . . . . . . . . . . . . . . . . 7 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 8.1. Normative References . . . . . . . . . . . . . . . . . . . 7 8.2. Informative References . . . . . . . . . . . . . . . . . . 7
The NETCONF protocol [RFC4741] defines a mechanism through which a network device can be managed. NETCONF is connection-oriented, requiring a persistent connection between peers. This connection must provide integrity, confidentiality, peer authentication, and reliable, sequenced data delivery.
NETCONF协议[RFC4741]定义了一种机制,通过该机制可以管理网络设备。NETCONF是面向连接的,需要对等方之间的持久连接。此连接必须提供完整性、机密性、对等身份验证以及可靠的顺序数据传递。
This document defines "NETCONF over TLS", which includes support for certificate-based mutual authentication and key derivation, utilizing the protected ciphersuite negotiation, mutual authentication, and key management capabilities of the TLS (Transport Layer Security) protocol, described in [RFC5246].
本文档定义了“TLS上的NETCONF”,其中包括对基于证书的相互认证和密钥派生的支持,利用TLS(传输层安全)协议的受保护密码套件协商、相互认证和密钥管理功能,如[RFC5246]所述。
Throughout this document, the terms "client" and "server" are used to refer to the two ends of the TLS connection. The client actively opens the TLS connection, and the server passively listens for the incoming TLS connection. The terms "manager" and "agent" are used to refer to the two ends of the NETCONF protocol session. The manager issues NETCONF remote procedure call (RPC) commands, and the agent replies to those commands. When NETCONF is run over TLS using the mapping defined in this document, the client is always the manager, and the server is always the agent.
在本文档中,术语“客户端”和“服务器”用于指TLS连接的两端。客户端主动打开TLS连接,服务器被动侦听传入的TLS连接。术语“管理器”和“代理”用于表示NETCONF协议会话的两端。管理器发出NETCONF远程过程调用(RPC)命令,代理对这些命令进行响应。使用本文档中定义的映射在TLS上运行NETCONF时,客户机始终是管理器,服务器始终是代理。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
Since TLS is application-protocol-independent, NETCONF can operate on top of the TLS protocol transparently. This document defines how NETCONF can be used within a TLS session.
由于TLS是独立于应用程序协议的,NETCONF可以透明地在TLS协议之上运行。本文档定义了如何在TLS会话中使用NETCONF。
The peer acting as the NETCONF manager MUST also act as the TLS client. It MUST connect to the server that passively listens for the incoming TLS connection on the TCP port 6513. It MUST therefore send the TLS ClientHello message to begin the TLS handshake. Once the TLS handshake has finished, the client and the server MAY begin to exchange NETCONF data. In particular, the client will send complete XML documents to the server containing <rpc> elements, and the server will respond with complete XML documents containing <rpc-reply> elements. The client MAY indicate interest in receiving event notifications from a server by creating a subscription to receive event notifications [RFC5277]. In this case, the server replies to indicate whether the subscription request was successful and, if it was successful, the server begins sending the event notifications to the client as the events occur within the system.
充当NETCONF管理器的对等方还必须充当TLS客户端。它必须连接到被动侦听TCP端口6513上传入TLS连接的服务器。因此,它必须发送TLS ClientHello消息以开始TLS握手。一旦TLS握手完成,客户端和服务器就可以开始交换NETCONF数据。特别是,客户端将向服务器发送包含<rpc>元素的完整XML文档,服务器将使用包含<rpc reply>元素的完整XML文档进行响应。客户端可以通过创建订阅以接收事件通知来表示对从服务器接收事件通知的兴趣[RFC5277]。在这种情况下,服务器会回复以指示订阅请求是否成功,如果成功,服务器会在系统内发生事件时开始向客户端发送事件通知。
All NETCONF messages MUST be sent as TLS "application data". It is possible that multiple NETCONF messages be contained in one TLS record, or that a NETCONF message be transferred in multiple TLS records.
所有NETCONF消息必须作为TLS“应用程序数据”发送。可能在一个TLS记录中包含多个NETCONF消息,或者在多个TLS记录中传输一个NETCONF消息。
This document uses the same delimiter sequence ("]]>]]>") defined in [RFC4742], which MUST be sent by both the client and the server after each XML document in the NETCONF exchange. Since this character sequence can legally appear in plain XML in attribute values, comments, and processing instructions, implementations of this document MUST ensure that this character sequence is never part of a NETCONF message.
此文档使用[RFC4742]中定义的相同分隔符序列(“]]>]]]>”),必须在NETCONF交换中的每个XML文档之后由客户端和服务器发送。由于此字符序列可以合法地以普通XML形式出现在属性值、注释和处理指令中,因此本文档的实现必须确保此字符序列决不是NETCONF消息的一部分。
Implementation of the protocol specified in this document MAY implement any TLS cipher suite that provides certificate-based mutual authentication [RFC5246]. The server MUST support certificate-based client authentication.
本文件中规定的协议的实施可实施任何提供基于证书的相互认证的TLS密码套件[RFC5246]。服务器必须支持基于证书的客户端身份验证。
Implementations MUST support TLS 1.2 [RFC5246] and are REQUIRED to support the mandatory-to-implement cipher suite, which is TLS_RSA_WITH_AES_128_CBC_SHA. This document is assumed to apply to future versions of TLS; in which case, the mandatory-to-implement cipher suite for the implemented version MUST be supported.
实现必须支持TLS 1.2[RFC5246],并且必须支持强制实现密码套件,即TLS_RSA_和_AES_128_CBC_SHA。本文件假定适用于TLS的未来版本;在这种情况下,必须支持为已实现版本实现密码套件的强制命令。
A TLS client (NETCONF manager) MUST close the associated TLS connection if the connection is not expected to issue any NETCONF RPC commands later. It MUST send a TLS close_notify alert before closing the connection. The TLS client MAY choose to not wait for the TLS server (NETCONF agent) close_notify alert and simply close the connection, thus generating an incomplete close on the TLS server side. Once the TLS server gets a close_notify from the TLS client, it MUST reply with a close_notify unless it becomes aware that the connection has already been closed by the TLS client (e.g., the closure was indicated by TCP).
如果预期TLS客户端(NETCONF管理器)以后不会发出任何NETCONF RPC命令,则必须关闭关联的TLS连接。它必须在关闭连接之前发送TLS close_notify警报。TLS客户端可以选择不等待TLS服务器(NETCONF代理)关闭通知警报,而只是关闭连接,从而在TLS服务器端生成不完全关闭。一旦TLS服务器从TLS客户端收到关闭通知,它必须用关闭通知进行回复,除非它意识到TLS客户端已经关闭了连接(例如,关闭由TCP指示)。
When no data is received from a connection for a long time (where the application decides what "long" means), a NETCONF peer MAY close the connection. The NETCONF peer MUST attempt to initiate an exchange of close_notify alerts with the other NETCONF peer before closing the connection. The close_notify's sender that is unprepared to receive any more data MAY close the connection after sending the close_notify alert, thus generating an incomplete close on the close_notify's receiver side.
当长时间没有从连接接收到数据时(应用程序决定“long”的含义),NETCONF对等方可能会关闭连接。在关闭连接之前,NETCONF对等方必须尝试与其他NETCONF对等方交换close_notify警报。不准备接收更多数据的close_notify的发送方可能在发送close_notify警报后关闭连接,从而在close_notify的接收方端生成不完全关闭。
During the TLS negotiation, the client MUST carefully examine the certificate presented by the server to determine if it meets the client's expectations. Particularly, the client MUST check its understanding of the server hostname against the server's identity as presented in the server Certificate message, in order to prevent man-in-the-middle attacks.
在TLS协商期间,客户机必须仔细检查服务器提供的证书,以确定它是否满足客户机的期望。特别是,客户端必须对照服务器证书消息中显示的服务器标识检查其对服务器主机名的理解,以防止中间人攻击。
Matching is performed according to the rules below (following the example of [RFC4642]):
根据以下规则执行匹配(以[RFC4642]为例):
o The client MUST use the server hostname it used to open the connection (or the hostname specified in the TLS "server_name" extension [RFC5246]) as the value to compare against the server name as expressed in the server certificate. The client MUST NOT use any form of the server hostname derived from an insecure remote source (e.g., insecure DNS lookup). CNAME canonicalization is not done.
o 客户端必须使用用于打开连接的服务器主机名(或TLS“server_name”扩展[RFC5246]中指定的主机名)作为值,以与服务器证书中表示的服务器名称进行比较。客户端不得使用从不安全的远程源(例如,不安全的DNS查找)派生的任何形式的服务器主机名。CNAME规范化未完成。
o If a subjectAltName extension of type dNSName is present in the certificate, it MUST be used as the source of the server's identity.
o 如果证书中存在dNSName类型的subjectAltName扩展名,则必须将其用作服务器标识的源。
o Matching is case-insensitive.
o 匹配不区分大小写。
o A "*" wildcard character MAY be used as the leftmost name component in the certificate. For example, *.example.com would match a.example.com, foo.example.com, etc., but would not match example.com.
o “*”通配符可以用作证书中最左边的名称组件。例如,*.example.com将与a.example.com、foo.example.com等匹配,但与example.com不匹配。
o If the certificate contains multiple names (e.g., more than one dNSName field), then a match with any one of the fields is considered acceptable.
o 如果证书包含多个名称(例如,多个dNSName字段),则认为与任何一个字段的匹配都是可接受的。
If the match fails, the client MUST either ask for explicit user confirmation or terminate the connection and indicate the server's identity is suspect.
如果匹配失败,客户端必须请求明确的用户确认,或者终止连接并指出服务器的身份可疑。
Additionally, clients MUST verify the binding between the identity of the servers to which they connect and the public keys presented by those servers. Clients SHOULD implement the algorithm in Section 6 of [RFC5280] for general certificate validation, but MAY supplement that algorithm with other validation methods that achieve equivalent levels of verification (such as comparing the server certificate against a local store of already-verified certificates and identity bindings).
此外,客户端必须验证它们所连接的服务器的标识与这些服务器提供的公钥之间的绑定。客户端应实施[RFC5280]第6节中的算法进行一般证书验证,但可以使用其他验证方法来补充该算法,以实现同等级别的验证(例如将服务器证书与已验证证书和身份绑定的本地存储相比较)。
If the client has external information as to the expected identity of the server, the hostname check MAY be omitted.
如果客户机具有关于服务器预期标识的外部信息,则可以省略主机名检查。
The server MUST verify the identity of the client with certificate-based authentication according to local policy to ensure that the incoming client request is legitimate before any configuration or state data is sent to or received from the client.
服务器必须根据本地策略使用基于证书的身份验证来验证客户端的身份,以确保在向客户端发送或从客户端接收任何配置或状态数据之前,传入的客户端请求是合法的。
The security considerations described throughout [RFC5246] and [RFC4741] apply here as well.
[RFC5246]和[RFC4741]中描述的安全注意事项也适用于此处。
This document in its current version does not support third-party authentication (e.g., backend Authentication, Authorization, and Accounting (AAA) servers) due to the fact that TLS does not specify this way of authentication and that NETCONF depends on the transport protocol for the authentication service. If third-party authentication is needed, BEEP or SSH transport can be used.
当前版本的本文档不支持第三方身份验证(例如,后端身份验证、授权和记帐(AAA)服务器),因为TLS没有指定这种身份验证方式,并且NETCONF依赖于身份验证服务的传输协议。如果需要第三方身份验证,可以使用BEEP或SSH传输。
An attacker might be able to inject arbitrary NETCONF messages via some application that does not carefully check exchanged messages or deliberately insert the delimiter sequence in a NETCONF message to create a DoS attack. Hence, applications and NETCONF APIs MUST ensure that the delimiter sequence defined in Section 2.1 never appears in NETCONF messages; otherwise, those messages can be dropped, garbled, or misinterpreted. If the delimiter sequence is found in a NETCONF message by the sender side, a robust implementation of this document should warn the user that illegal characters have been discovered. If the delimiter sequence is found in a NETCONF message by the receiver side (including any XML attribute values, XML comments, or processing instructions), a robust implementation of this document must silently discard the message without further processing and then stop the NETCONF session.
攻击者可以通过某些应用程序注入任意NETCONF消息,这些应用程序不仔细检查交换的消息,或故意在NETCONF消息中插入分隔符序列以创建DoS攻击。因此,应用程序和NETCONF API必须确保第2.1节中定义的分隔符序列不会出现在NETCONF消息中;否则,这些消息可能会被丢弃、篡改或误解。如果发送方在NETCONF消息中发现了分隔符序列,则此文档的健壮实现应警告用户已发现非法字符。如果接收方在NETCONF消息中发现分隔符序列(包括任何XML属性值、XML注释或处理指令),则此文档的健壮实现必须在不进行进一步处理的情况下自动丢弃该消息,然后停止NETCONF会话。
Finally, this document does not introduce any new security considerations compared to [RFC4742].
最后,与[RFC4742]相比,本文档没有引入任何新的安全注意事项。
IANA has assigned a TCP port number (6513) in the "Registered Port Numbers" range with the name "netconf-tls". This port will be the default port for NETCONF over TLS, as defined in this document.
IANA在“注册端口号”范围内分配了一个名为“netconf tls”的TCP端口号(6513)。此端口将是本文档中定义的NETCONF over TLS的默认端口。
Registration Contact: Mohamad Badra, badra@isima.fr. Transport Protocol: TCP. Port Number: 6513 Broadcast, Multicast or Anycast: No. Port Name: netconf-tls. Service Name: netconf. Reference: RFC 5539
注册联系人:Mohamad Badra,badra@isima.fr. 传输协议:TCP。端口号:6513广播、多播或选播:否。端口名:netconf tls。服务名称:netconf。参考:RFC5539
A significant amount of the text in Section 3 was lifted from [RFC4642].
第3节中的大量文本取自[RFC4642]。
The author would like to acknowledge David Harrington, Miao Fuyou, Eric Rescorla, Juergen Schoenwaelder, Simon Josefsson, Olivier Coupelon, Alfred Hoenes, and the NETCONF mailing list members for their comments on the document. The author also appreciates Bert Wijnen, Mehmet Ersue, and Dan Romascanu for their efforts on issues resolving discussion; and Charlie Kaufman, Pasi Eronen, and Tim Polk for the thorough review of this document.
作者感谢David Harrington、Miao Fuyou、Eric Rescorla、Juergen Schoenwaeld、Simon Josefsson、Olivier Coupelon、Alfred Hoenes和NETCONF邮件列表成员对本文件的评论。作者还感谢Bert Wijnen、Mehmet Ersue和Dan Romascanu在解决讨论问题方面所做的努力;和Charlie Kaufman、Pasi Eronen和Tim Polk对本文件进行了全面审查。
Ibrahim Hajjeh Ineovation France
易卜拉欣·哈杰伊法国
EMail: ibrahim.hajjeh@ineovation.fr
EMail: ibrahim.hajjeh@ineovation.fr
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC4741] Enns, R., "NETCONF Configuration Protocol", RFC 4741, December 2006.
[RFC4741]Enns,R.,“网络配置协议”,RFC 47412006年12月。
[RFC4742] Wasserman, M. and T. Goddard, "Using the NETCONF Configuration Protocol over Secure SHell (SSH)", RFC 4742, December 2006.
[RFC4742]Wasserman,M.和T.Goddard,“在安全外壳(SSH)上使用NETCONF配置协议”,RFC 4742,2006年12月。
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5246]Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.2”,RFC 5246,2008年8月。
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.
[RFC5280]Cooper,D.,Santesson,S.,Farrell,S.,Boeyen,S.,Housley,R.,和W.Polk,“Internet X.509公钥基础设施证书和证书撤销列表(CRL)配置文件”,RFC 52802008年5月。
[RFC4642] Murchison, K., Vinocur, J., and C. Newman, "Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)", RFC 4642, October 2006.
[RFC4642]Murchison,K.,Vinocur,J.,和C.Newman,“将传输层安全(TLS)与网络新闻传输协议(NNTP)结合使用”,RFC 4642,2006年10月。
[RFC5277] Chisholm, S. and H. Trevino, "NETCONF Event Notifications", RFC 5277, July 2008.
[RFC5277]Chisholm,S.和H.Trevino,“NETCONF事件通知”,RFC 5277,2008年7月。
Author's Address
作者地址
Mohamad Badra CNRS/LIMOS Laboratory Campus de cezeaux, Bat. ISIMA Aubiere 63170 France
马哈茂德·巴德拉中央研究院/利莫斯实验室,蝙蝠塞泽奥校区。ISIMA Aubiere 63170法国
EMail: badra@isima.fr
EMail: badra@isima.fr