Follow-up on draft-ietf-netconf-http-client-server

Thank you all for your earlier comments regarding draft-ietf-netconf-http-client-server <https://tools.ietf.org/html/draft-ietf-netconf-http-client-server>.

The draft is now almost ready for WGLC (which will be CC-ed here as well), but there remains one item for which your guidance is needed (see bottom).

First, as a recap, one of the primary takeaways from before was that proxies can be supported both at the TCP-level (i.e., via SOCKS) and at the HTTP-level (i.e. via a Web Proxy).

In order to support TCP-level proxies, the “tcp-client-grouping”, which is defined in another draft (draft-ietf-netconf-tcp-client-server <https://tools.ietf.org/html/draft-ietf-netconf-tcp-client-server>), now defines optional configuration enabling any TCP-client to initiate a connection via a proxy. FWIW, here is a direct link to the “tree diagram” <https://tools.ietf.org/html/draft-ietf-netconf-tcp-client-server-07#section-3.1.2.1> illustrating this.

In order to support HTTP-level proxies, *this* draft was modified to introduce a new “proxy-connect” configuration stanza that, in effect, is the complete configuration for another HTTP-client connection. Here’s a direct link to the “tree diagram” <https://tools.ietf.org/html/draft-ietf-netconf-http-client-server-04#section-2.1.2.2> and here is a fully-populated example <https://tools.ietf.org/html/draft-ietf-netconf-http-client-server-04#section-2.2> (see 2nd example).

Does everything appear to be in order so far?

Now, for the question: do Web Proxies require client-auth? More specifically:
- when an HTTP client is connecting to a Web Proxy via HTTP, is HTTP-level auth (i.e. Basic) mandatory or optional?
- when an HTTP client is connecting to a Web Proxy via HTTPS, is TLS-level and/or HTTP-level auth mandatory or optional?

Thanks,
Kent

Received on Tuesday, 21 July 2020 16:40:39 UTC