Using the NETCONF Configuration Protocol over Secure SHell (SSH)
RFC 4742
| Document | Type |
RFC - Proposed Standard
(December 2006; Errata)
Obsoleted by RFC 6242
|
|
|---|---|---|---|
| Last updated | 2013-03-02 | ||
| Stream | IETF | ||
| Formats | plain text pdf html bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 4742 (Proposed Standard) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Dan Romascanu | ||
| Send notices to | simon@switch.ch, ietf@andybierman.com; rpe@juniper.net | ||
Network Working Group M. Wasserman
Request for Comments: 4742 ThingMagic
Category: Standards Track T. Goddard
ICEsoft Technologies, Inc.
December 2006
Using the NETCONF Configuration Protocol over Secure SHell (SSH)
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2006).
Abstract
This document describes a method for invoking and running the Network
Configuration Protocol (NETCONF) within a Secure Shell (SSH) session
as an SSH subsystem.
Table of Contents
1. Introduction ....................................................2
2. Requirements Terminology ........................................2
3. Starting NETCONF over SSH .......................................2
3.1. Capabilities Exchange ......................................3
4. Using NETCONF over SSH ..........................................5
5. Exiting the NETCONF Subsystem ...................................6
6. Security Considerations .........................................6
7. IANA Considerations .............................................7
8. Acknowledgements ................................................7
9. References ......................................................8
9.1. Normative References .......................................8
9.2. Informative References .....................................8
Wasserman & Goddard Standards Track [Page 1]
RFC 4742 NETCONF over SSH December 2006
1. Introduction
The NETCONF protocol [RFC4721] is an XML-based protocol used to
manage the configuration of networking equipment. NETCONF is defined
to be session-layer and transport independent, allowing mappings to
be defined for multiple session-layer or transport protocols. This
document defines how NETCONF can be used within a Secure Shell (SSH)
session, using the SSH connection protocol [RFC4254] over the SSH
transport protocol [RFC4253]. This mapping will allow NETCONF to be
executed from a secure shell session by a user or application.
Throughout this document, the terms "client" and "server" are used to
refer to the two ends of the SSH transport connection. The client
actively opens the SSH connection, and the server passively listens
for the incoming SSH connection. The terms "manager" and "agent" are
used to refer to the two ends of the NETCONF protocol session. The
manager issues NETCONF remote procedure call (RPC) commands, and the
agent replies to those commands. When NETCONF is run over SSH using
the mapping defined in this document, the client is always the
manager, and the server is always the agent.
2. Requirements Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. Starting NETCONF over SSH
To run NETCONF over SSH, the client will first establish an SSH
transport connection using the SSH transport protocol, and the client
and server will exchange keys for message integrity and encryption.
The client will then invoke the "ssh-userauth" service to
authenticate the user, as described in the SSH authentication
protocol [RFC4252]. Once the user has been successfully
authenticated, the client will invoke the "ssh-connection" service,
also known as the SSH connection protocol.
After the ssh-connection service is established, the client will open
a channel of type "session", which will result in an SSH session.
Once the SSH session has been established, the user (or application)
will invoke NETCONF as an SSH subsystem called "netconf". Subsystem
support is a feature of SSH version 2 (SSHv2) and is not included in
SSHv1. Running NETCONF as an SSH subsystem avoids the need for the
script to recognize shell prompts or skip over extraneous
information, such as a system message that is sent at shell start-up.
However, even when a subsystem is used, some extraneous messages may
Wasserman & Goddard Standards Track [Page 2]
RFC 4742 NETCONF over SSH December 2006
be printed by the user's start-up scripts. Implementations MUST skip
over these messages by searching for an 'xml' start directive, which
Show full document text