X.509 Certificate-Based Authentication for NETCONF and RESTCONF : Design Evaluation between Native and External Implementation / X.509 Certifikatbaserad autentisering för NETCONF och RESTCONF : Designutvärdering mellan inhemsk och extern implementering

Li, Qi

January 2023

The Network Service Ochestrator (NSO) is a network automation system provided by Cisco that is used to automate large network changes with the ability to roll back in case of errors. It provides a rich northbound interface to communicate with the user and a southbound interface to orchestrate network devices securely. On these northbound and southbound interfaces, NSO supports NETCONF and RESTCONF, which is an IETF standard for network automation. NSO native implementation of NETCONF and RESTCONF lacks support for Public-Key Infrastructure (X.509) (PKIX) infrastructure and SSH and SSL/TLS as transport. Instead, Cisco suggests that customers use external relay agents such as PKIX-SSH for SSH and GNUTLS for TLS for NETCONF. The certificates and keys are saved on the hard drive and loaded for every connection via RESTCONF. This workaround solution provides authentication and authorization without audit logging within NSO. In this work, a native implementation of the X509 certification with PKIX infrastructure on SSH and SSL/TLS for NETCONF and RESTCONF is investigated. The project evaluates design alternatives with respect to security, computational complexity, maintainability, and user-friendliness, and concludes by highlighting the pros and cons of both native and workaround implementation. / Ciscos NSO är en nätverksorkestreringsplatform som används för att automatisera stora ändringar i nätverk med egenheten att ändringarna kan backas tillbaka om inte samtliga kan kan utföras. NSO tillhandahåller användare gränssnitt (northbound) för att säkert kommunicera (southbound) med nätverksenheterna. Gränssnitten stödjer de standardiserade protokollen Netconf och Restconf. Båda dessa protokoll saknar inbyggts stöd för PKIX över SSH, SSL och TSL. När detta önskas rekommenderar Cisco sina kunder att externa klienter som PKIX-SSH eller GNUTLS. När detta görs sparas certifikat och nyklar lokalt för varje Restconf koppel och ingen läggning av flödet kommer att ske i NSO. I detta arbete presenteras ett inbyggt stöd för X509 certifiering med PKIX för SSH, SSL, och TLS. Stödet kan användas för Netconf och Restconf. Olikheter mellan dagens tillgängliga stöd och det inbyggda stödet med avseende på säkerhet, komplexitet, underhållbarhet, och användarvänlighet jämförs. Avslutningsvis belyses för- respektive nackdelar med de olika implementateringarna.

NETCONF

RESTCONF

x509 over SSH

Erlang

Network Automation

PKIX

Public Key Infrastructure (X.509)

NETCONF

RESTCONF

x509 over SSH

Erlang

Nätverksautomatiserng

PKIX

Public Key Infrastructure (X.509)

Computer and Information Sciences

Data- och informationsvetenskap

Transcriptional regulation and physiological importance of the kdp-system from the halophilic archaeon Halobacterium salinarum

Kixmüller, Dorthe

03 April 2012

The high affinity, ATP-dependent K+ uptake system KdpFABC of Halobacterium salinarum, is highly induced under K+ limitation. In contrast to the well-characterized Kdp system in Escherichia coli, in which the kdpFABC genes are transcriptionally regulated by the sensor kinase/response regulator system KdpD/KdpE, transcriptional regulation of the kdp genes in H. salinarum was unknown due to the absence of halobacterial homologues of KdpD/KdpE. Furthermore, the physiological relevance of the KdpFABC K+ uptake system of H. salinarum was puzzling, since hypersaline habitats usually comprise K+ concentrations which do not induce kdp expression. In order to analyze the regulation of kdp gene expression, it was essential to gain information about the transcriptional unit(s) involved. Northern blotting, primer extension analysis and real-time RT-PCR revealed the presence of a polycistronic leaderless kdpFABCQ transcript with a putative kdp terminator or at least a potential mRNA processing site downstream of kdpQ. Furthermore, promoter truncation studies verified the so far only predicted basal transcription elements together with an upstream-located operator sequence. Since deletions of this putative operator sequence did not lead to a constitutive expression, a further component has to be involved in the regulation of the kdpFABCQ genes. However, truncation and scanning mutagenesis analyses of the kdp promoter as well as translational fusions of a halophilic beta-galactosidase to the kdp promoter excluded an additional regulatory element up- or downstream of the basal transcription elements and in the kdp-coding region. These results lead to speculations of multiple basal transcription factors to be involved. Furthermore, an inducible expression vector (shuttle vector) was constructed based on the promoter of the kdpFABCQ operon due to its, K+-sensitive features. Inducible expression systems are yet not available for H. salinarum. The resulting, replicating vector pKIX is functional and enables a K+-dependent expression from the kdp promoter with rather high induction ratios of 50-fold. Expression levels could further be improved by plasmid- and additional chromosomally encoded kdpQ and mutations generated in the kdp promoter. Since transcript levels from pKIX were found to be independent of differential target genes, the general application of pKIX as an inducible expression system is strongly supported and pKIX could, thus, be made accessible to the scientific community. To decipher the physiological relevance of the halobacterial Kdp system, H. salinarum was encountered to desiccation stress and salt crystal (halite) entombment. Halite crystals grown under non-inducing K+ concentrations with entombed strains of H. salinarum and H. salinarum deleted in the kdpFABCQ genes revealed a significantly reduced survival rate of the deletion strain upon recultivation. Additionally, a kdpFABCQ-inducing desiccation stress could already be determined on agar plates under non-limiting K+ concentrations. Furthermore, the cell morphology of H. salinarum entrapped in halite crystals resembled that of H. salinarum grown under K+-limiting conditions. Therefore, the Kdp system promotes survival of H. salinarum under desiccation stress. Furthermore, the Kdp system could be identified as at least one of the systems important for long-term survival of H. salinarum in halite.

Halobacterium

Halobacterium salinarum

H. salinarum

halophile

halophil

archaea

archaeon

kdp

kdpFABC

kdpFABCQ

kdp-System

ATP

Kalium

Kaliumaufnahme

K+

Halit

Salzkristall

Austrocknung

Trockenstress

transkriptionelle Regulation

Genexpression

pKIX

induzierbarer Expressionsvektor

Expressionsvektor

kdpQ

Kdp Komplex

halobacterial

halophilic

kdpFABC genes

kdp-system

high-affinity

ATP-dependent

potassium

potassium pump

K+ uptake

desiccation

desiccation stress

halite

salt crystal

long-term survival

transcriptional regulation

gene expression

inducible expression vector

expression vector

Kdp complex

ddc:570