Changes since the last IETF meeting

  • As per comments received at the last IETF meeting, we’ve made the following changes.
    • Changed the description of the NETCONF username.
      • We propose extracting the NETCONF username from TLS. WebSocket needs TLS to ensure security, so using information from TLS is necessary to ensure that the NETCONF user is the very person who was authenticated by TLS (certificate).
      • We think that, for this purpose, complying with Mr. Badra’s I-D is the best approach, since reinventing the wheel is not welcome.

NETCONF username from TLS

  • I haven't implemented all of Mr. Badra's algorithms yet. But I've confirmed that it's possible for a NETCONF server supporting WebSocket to get the TLS certificate during the TLS handshake by, for example, using the HTTP server's API, or seeing the SSL_Context through the SSL_socket.
  • NETCONF server example.

    import java.io.IOException;
    import java.security.cert.X509Certificate;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.eclipse.jetty.websocket.WebSocket;
    import org.eclipse.jetty.websocket.WebSocketServlet;
    public class NetconfWebSocketServlet extends WebSocketServlet {
      @Override
      protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
          // Client certificate chain exposed by the container; null or empty if the client sent none.
          X509Certificate[] certificates = (X509Certificate[]) req.getAttribute("...X509Certificate");
          // NETCONF server can see client's TLS certificate sent during TLS handshake here.
      }

      @Override
      public WebSocket doWebSocketConnect(HttpServletRequest req, String protocol) {
          // NETCONF server can see messages sent over WebSocket here.
          return new WebSocket.OnTextMessage() {
              public void onOpen(WebSocket.Connection connection) { }
              public void onMessage(String data) { /* handle one NETCONF message */ }
              public void onClose(int closeCode, String message) { }
          };
      }
    }
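
The mapping step the servlet above leaves open, as an added example that is not the page's own code and not Mr. Badra's I-D: a helper that turns the client certificate already verified by the TLS layer into a NETCONF username. It assumes the standard servlet attribute `javax.servlet.request.X509Certificate` for the verified chain, and the mapping order (rfc822Name SAN first, then the subject CN) is a simplified assumption rather than the full algorithm of the I-D.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;

/** Derives the NETCONF username from the client certificate the TLS layer already authenticated. */
public final class TlsUsernameMapper {
    // Standard servlet attribute under which the container exposes the verified client chain.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private static final int SAN_RFC822_NAME = 1; // GeneralName tag for an e-mail address

    /** Returns the username, or null if the request carries no usable client certificate. */
    public static String usernameFromRequest(HttpServletRequest req) {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            return null; // no client certificate: the server must reject the NETCONF session
        }
        return usernameFromCertificate(chain[0]); // chain[0] is the end-entity certificate
    }

    /** Assumed, simplified mapping: prefer the rfc822Name SAN, then fall back to the subject CN. */
    static String usernameFromCertificate(X509Certificate cert) {
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    if (((Integer) san.get(0)) == SAN_RFC822_NAME) {
                        return (String) san.get(1);
                    }
                }
            }
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (CertificateParsingException | InvalidNameException e) {
            // Malformed certificate fields: treat as unmappable rather than guessing a name.
        }
        return null;
    }
}
```

A null result should end the session before any NETCONF message is processed, so the username is only ever the identity TLS actually verified.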
    

NETCONF message

Conclusions

  • We proposed a way of sending NETCONF over the WebSocket protocol.
  • We proposed extracting the NETCONF username from TLS, that is, complying with Mr. Badra's algorithms.
  • Does the WG have interest?
  • If YES, should this I-D move forward as an Experimental I-D?