Using the NETCONF Configuration Protocol over Secure SHell (SSH)
RFC 4742

Type: RFC - Proposed Standard (December 2006; Errata)
Obsoleted by: RFC 6242
Authors: Margaret Cullen, Ted Goddard
Last updated: 2020-01-21
Stream: IETF
Formats: plain text, html, pdf, htmlized with errata, bibtex
WG state: (None)
Document shepherd: No shepherd assigned
IESG state: RFC 4742 (Proposed Standard)
Action Holders: (None)
Consensus Boilerplate: Unknown
Telechat date:
Responsible AD: Dan Romascanu
Send notices to: simon@switch.ch, ietf@andybierman.com, rpe@juniper.net
Network Working Group                                        M. Wasserman
Request for Comments: 4742                                     ThingMagic
Category: Standards Track                                      T. Goddard
                                                ICEsoft Technologies, Inc.
                                                            December 2006

    Using the NETCONF Configuration Protocol over Secure SHell (SSH)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2006).

Abstract

   This document describes a method for invoking and running the Network
   Configuration Protocol (NETCONF) within a Secure Shell (SSH) session
   as an SSH subsystem.

Table of Contents

   1. Introduction ....................................................2
   2. Requirements Terminology ........................................2
   3. Starting NETCONF over SSH .......................................2
      3.1. Capabilities Exchange ......................................3
   4. Using NETCONF over SSH ..........................................5
   5. Exiting the NETCONF Subsystem ...................................6
   6. Security Considerations .........................................6
   7. IANA Considerations .............................................7
   8. Acknowledgements ................................................7
   9. References ......................................................8
      9.1. Normative References .......................................8
      9.2. Informative References .....................................8

Wasserman & Goddard         Standards Track                     [Page 1]

RFC 4742                    NETCONF over SSH                December 2006

1.  Introduction

   The NETCONF protocol [RFC4741] is an XML-based protocol used to
   manage the configuration of networking equipment.  NETCONF is defined
   to be session-layer and transport independent, allowing mappings to
   be defined for multiple session-layer or transport protocols.  This
   document defines how NETCONF can be used within a Secure Shell (SSH)
   session, using the SSH connection protocol [RFC4254] over the SSH
   transport protocol [RFC4253].  This mapping will allow NETCONF to be
   executed from a secure shell session by a user or application.

   Throughout this document, the terms "client" and "server" are used to
   refer to the two ends of the SSH transport connection.  The client
   actively opens the SSH connection, and the server passively listens
   for the incoming SSH connection.  The terms "manager" and "agent" are
   used to refer to the two ends of the NETCONF protocol session.  The
   manager issues NETCONF remote procedure call (RPC) commands, and the
   agent replies to those commands.  When NETCONF is run over SSH using
   the mapping defined in this document, the client is always the
   manager, and the server is always the agent.

2.  Requirements Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  Starting NETCONF over SSH

   To run NETCONF over SSH, the client will first establish an SSH
   transport connection using the SSH transport protocol, and the client
   and server will exchange keys for message integrity and encryption.
   The client will then invoke the "ssh-userauth" service to
   authenticate the user, as described in the SSH authentication
   protocol [RFC4252].  Once the user has been successfully
   authenticated, the client will invoke the "ssh-connection" service,
   also known as the SSH connection protocol.

   After the ssh-connection service is established, the client will open
   a channel of type "session", which will result in an SSH session.

   Once the SSH session has been established, the user (or application)
   will invoke NETCONF as an SSH subsystem called "netconf".  Subsystem
   support is a feature of SSH version 2 (SSHv2) and is not included in
   SSHv1.  Running NETCONF as an SSH subsystem avoids the need for the
   script to recognize shell prompts or skip over extraneous
   information, such as a system message that is sent at shell start-up.
   However, even when a subsystem is used, some extraneous messages may
   be printed by the user's start-up scripts.  Implementations MUST skip
   over these messages by searching for an 'xml' start directive, which
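The rule above, that a manager must discard whatever the server's start-up scripts print on the "netconf" subsystem channel until the XML start directive appears, is the one part of Section 3 that is easy to get wrong in a client: the directive may arrive split across two channel reads, and the noise may contain the letters "xml" without being a directive. The following is an added example, written for this page and not code from RFC 4742 or from any NETCONF implementation. It models the channel as a sequence of byte chunks (the sample chunks, including the banner text and the hello message body, are constructed here) and keeps a small carry-over buffer so that a directive split across reads is still found. The class and function names are this example's own.

```python
"""Skip shell start-up noise before the first NETCONF XML directive.

Added example (not from RFC 4742): a buffering filter for the byte stream
read from the "netconf" SSH subsystem channel.  Bytes arriving before the
'<?xml' start directive are treated as start-up noise and discarded, as
Section 3 of the RFC requires.  Channel reads are simulated with a list of
constructed chunks, so the code runs offline.
"""
from typing import Iterable, Tuple

# The XML declaration that begins every NETCONF message on the wire.
XML_DIRECTIVE = b"<?xml"


class NetconfStreamFilter:
    """Accumulates subsystem output until the XML start directive is seen.

    Once the directive has been located the filter is "synced" and passes
    every later chunk through unchanged.
    """

    def __init__(self) -> None:
        self._buf = bytearray()   # carry-over for a directive split across reads
        self._synced = False      # True once '<?xml' has been located
        self.skipped = b""        # start-up noise that was discarded

    def feed(self, chunk: bytes) -> bytes:
        """Feed one channel read; return the bytes that belong to NETCONF."""
        if self._synced:
            return chunk
        self._buf += chunk
        idx = self._buf.find(XML_DIRECTIVE)
        if idx < 0:
            # Not found yet.  Everything except the last len('<?xml')-1 bytes
            # is known to be noise (a directive cannot start inside it), so
            # record it and keep only the tail that could be a partial match.
            keep = len(XML_DIRECTIVE) - 1
            if len(self._buf) > keep:
                self.skipped += bytes(self._buf[:-keep])
                del self._buf[:-keep]
            return b""
        # Directive found: noise ends at idx, NETCONF data starts there.
        self._synced = True
        self.skipped += bytes(self._buf[:idx])
        out = bytes(self._buf[idx:])
        self._buf.clear()
        return out


def read_netconf(chunks: Iterable[bytes]) -> bytes:
    """Run a whole sequence of channel reads through a fresh filter."""
    filt = NetconfStreamFilter()
    return b"".join(filt.feed(c) for c in chunks)


# Constructed sample of what a server with noisy start-up scripts might
# send on the subsystem channel.  The directive is deliberately split
# across two reads and the banner deliberately contains the word "xml".
SAMPLE_CHUNKS = [
    b"Welcome to router-1 (xml-enabled build)\r\n",
    b"Last login: Mon Dec  4 10:02:11 2006 from 192.0.2.10\r\n",
    b"<?x",
    b'ml version="1.0" encoding="UTF-8"?>\n',
    b'<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">\n',
    b"  <capabilities>\n",
    b"    <capability>urn:ietf:params:netconf:base:1.0</capability>\n",
    b"  </capabilities>\n",
    b"</hello>\n",
]


def demo() -> Tuple[bytes, bytes]:
    """Return (discarded noise, NETCONF bytes) for the constructed sample."""
    filt = NetconfStreamFilter()
    data = b"".join(filt.feed(c) for c in SAMPLE_CHUNKS)
    return filt.skipped, data


if __name__ == "__main__":
    noise, netconf = demo()
    print("skipped %d bytes of start-up noise" % len(noise))
    print(netconf.decode())
```

In a real client the chunks come from the subsystem channel opened after user authentication, for example with paramiko via `Transport.open_session()` followed by `Channel.invoke_subsystem("netconf")`; the filter is applied to every `recv()` result until it reports the directive. Searching for the full `<?xml` token rather than the bare string "xml" is what keeps the banner line in the sample from being mistaken for the start of the NETCONF stream.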