NetConf Over Transport Layer Security

Transport Layer Security (TLS) is a cryptographic protocol that provides a secure, reliable connection between two devices and, as used by NetConf, authenticates both ends with certificates (mutual authentication). It is the successor to the Secure Sockets Layer (SSL) protocol. When a NetConf session is established over TLS, the NetConf server acts as the TLS server, and the NetConf client must act as the TLS client.

NetConf sessions over TLS offer some advantages over sessions that use SSH. Whereas SSH authenticates a client with credentials (a username and password) or keys, TLS uses certificates to mutually authenticate the client and the server. A certificate can carry additional information about a client and can be used to securely authenticate one device to another. Thus, while NetConf over SSH works well for manually managing individual devices, NetConf over TLS enables secure device-to-device communication for managing and automating devices in large-scale networks more effectively.

TLS subsystem logs are integrated with the system logger (syslog) and appear, along with other OcNOS logs, in /var/log/message with the tag TLS_SUBSYS.

The NetConf server listens on TCP port 6513 for connections from NetConf-over-TLS clients.

A maximum of 3 NetConf sessions over TLS is supported.
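The following Python client is an added example, not OcNOS code: it takes the TLS client role described above, builds a mutually authenticated TLS context (the certificate, key and CA file paths are placeholders the caller supplies), dials port 6513, and exchanges the NetConf hello using the RFC 6242 end-of-message framing of the base:1.0 protocol. The hello builder and parser run offline; only connect_and_hello needs a live server.

```python
import socket
import ssl
import xml.etree.ElementTree as ET

NETCONF_TLS_PORT = 6513  # IANA-assigned port for NETCONF over TLS (as stated on the page)
NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
EOM = b"]]>]]>"          # RFC 6242 end-of-message delimiter used by base:1.0 framing


def make_client_context(ca_file, cert_file, key_file):
    """Mutually authenticated TLS context: verify the server against our CA and
    present our own certificate. Paths are placeholders supplied by the caller."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True          # server cert must match the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def build_hello():
    """Client <hello> advertising only the base:1.0 capability, EOM-terminated."""
    xml = (f'<?xml version="1.0" encoding="UTF-8"?><hello xmlns="{NC_NS}">'
           f'<capabilities><capability>{NC_NS}</capability></capabilities></hello>')
    return xml.encode() + EOM


def parse_hello(frame):
    """Return (session_id, capabilities) from a server <hello> frame.
    A frame without the EOM delimiter is incomplete and rejected."""
    if not frame.endswith(EOM):
        raise ValueError("incomplete NETCONF 1.0 frame: missing ]]>]]>")
    root = ET.fromstring(frame[:-len(EOM)])
    ns = {"nc": NC_NS}
    sid = root.findtext("nc:session-id", namespaces=ns)
    caps = [c.text.strip() for c in root.findall("nc:capabilities/nc:capability", ns)]
    return (int(sid) if sid else None), caps


def connect_and_hello(host, ctx, port=NETCONF_TLS_PORT, timeout=10):
    """Dial the NetConf server (TLS server role), read its <hello>, then send ours."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            buf = b""
            while not buf.endswith(EOM):
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed before sending <hello>")
                buf += chunk
            session_id, caps = parse_hello(buf)
            tls.sendall(build_hello())
            return session_id, caps, tls.getpeercert()
```

If the server refuses the handshake, check first that the client certificate chains to a CA the server trusts and that the session limit above has not been reached; the TLS_SUBSYS entries in the syslog show which side rejected the connection.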

Topology

Figure 2. NetConf over TLS Topology