Traditionally, and by far the most popular choice, NETCONF uses SSH as a transport protocol and public/private key pairs for authenticating a new connection. RESTCONF, being a web protocol, is transported via TLS, i.e. HTTPS, and authenticated using a username and password within the encrypted HTTPS connection. However, using these authentication methods requires the configuration of user information for each device in the network. This has led the IETF NETCONF working group, which also produces the RESTCONF standards, to look at supporting easier to manage authentication methods. Their answer: X.509 certificates.
X.509 certificates have been around for quite some time across ITU standards and IETF RFCs. They have become an increasingly popular and safe way of distributing keys for mutual authentication and encryption for various applications. The IETF has produced RFCs describing how to use X.509 certificates along with NETCONF over SSH, NETCONF over TLS, and RESTCONF over TLS.
While ConfD does not have built-in support either for X.509 certificates used in this way or for NETCONF over TLS, it is possible to easily add this support around ConfD yourself. I have therefore written a ConfD application note called “X.509 Certificate-Based Authentication for NETCONF and RESTCONF” to give an overview of how X.509 certificates are used with NETCONF and RESTCONF and their SSH and TLS transport options. Additionally, the application note points to three demos that show how to use X.509 certificates with ConfD: NETCONF over SSH, NETCONF over TLS, and RESTCONF over TLS. All of these demos are available from ConfD-Developer on GitHub and can be found there in the ConfD-Demo repository. If you come up with any improvements for these demos, please, submit a pull request to the repository!
Download the “X.509 Certificate-Based Authentication for NETCONF and RESTCONF” application note today!