Changes since the last IETF meeting

  • As per comments received at the last IETF metting, we’ve made following changes.
    • Changed description about NETCONF username.
      • We propose extracting information about NETCONF username from TLS. Websocket needs TLS for ensuring security. Thus, using information is TLS is necessary in order to ensure that NETCONF user is very person who is authenticate by TLS(certificate).
      • We think, for this purpose, complying with Mr.Badra’s ID is the best approach since reinventing the wheel is not welcomed. -

NETCONF username from TLS

  • I haven't implemented all of the Mr.Badra's algorithms yet. But l've confirmed that it's possible for a NETCONF server supporting WebSocket to get TLS Certificate during TLS handshake by, for example, using HTTP server's API, or seeing SSL_Context through SSL_socket.
  • NETCONF server example.

    public class NetconfWebSocketServlet extends WebSocketServlet{
      void doGet(HttpServletRequest req, HttpServletResponse res){
          X509Certificate[] certificates = (X509Certificate[])req.getAttribute("...X509Certificate");
          // NETCONF server can see client's TLS certificate sent during TLS handshake here.
      public WebSocket doWebSocketConnect(HttpServletRequest req, String protocol){
          //NETCONF server can see messages sent over WebSocket here.

NETCONF message

netconf message


  • We proposed a way of sending NETCONF over WebSocket protocol.
  • We proposed extracting NetconfWebSocketServlet username from TLS, that is complying with Mr.Badra's algorithms.
  • Does WG have interests?
  • If YES, should this I-D move forward as an Experimental I-D?