IETF Logo Mail Archive

Re: [Dots] use of restconf for the data channel?

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 23 February 2017 03:40 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75825129F99 for <dots@ietfa.amsl.com>; Wed, 22 Feb 2017 19:40:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level:
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ELr-D761GGo9 for <dots@ietfa.amsl.com>; Wed, 22 Feb 2017 19:40:51 -0800 (PST)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84310129F95 for <dots@ietf.org>; Wed, 22 Feb 2017 19:40:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=17623; q=dns/txt; s=iport; t=1487821251; x=1489030851; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=PbsfQCwhqiW0gFWgRNUX1KTo2b5q/ULTAbfbV5y7gFA=; b=VmtAKn+tOwSFNXyXqPDadhbhRsm+cXRr2Js1iHSx+q9wTXVkrELEJp7X WvbQbGB2e9eXFI8MsZjq47/zT/GF002zTXg7hylchZEbTuSSimwlxsbKp 8DtXW0Mz/valutqqDj0+F/MK/dCDOOBogSykgtpYP9DKWf6wCT3UMM2FC U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ATAQBmWa5Y/5xdJa1dGQEBAQEBAQEBAQEBBwEBAQEBg1BhgQkHjVyRWpU0gg0fC4V4AoMNPxgBAgEBAQEBAQFiKIRwAQEBBAEBJRM0FwQCAQgRAQMBAQENEQkHJwsUAwYIAgQBEggTh20DgWoOsHQ6i0oBAQEBAQEBAQEBAQEBAQEBAQEBAQEdhkyDZoEJijkFiRKSfgGGc4MigySEYIIEGIUEg1GGKI8JhBsBHziBAFQVPoRLHYFhdQGJCiuBA4ENAQEB
X-IronPort-AV: E=Sophos;i="5.35,197,1484006400"; d="scan'208";a="214966875"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 23 Feb 2017 03:40:47 +0000
Received: from XCH-ALN-016.cisco.com (xch-aln-016.cisco.com [173.36.7.26]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id v1N3elrg018654 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 23 Feb 2017 03:40:47 GMT
Received: from xch-rcd-017.cisco.com (173.37.102.27) by XCH-ALN-016.cisco.com (173.36.7.26) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 22 Feb 2017 21:40:46 -0600
Received: from xch-rcd-017.cisco.com ([173.37.102.27]) by XCH-RCD-017.cisco.com ([173.37.102.27]) with mapi id 15.00.1210.000; Wed, 22 Feb 2017 21:40:46 -0600
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: "Clark, Gilbert J. (GRC-LCA0)" <gilbert.j.clark@nasa.gov>, "Teague, Nik" <nteague@verisign.com>, Susan Hares <shares@ndzh.com>, "'Roman D. Danyliw'" <rdd@cert.org>, "'Mortensen, Andrew'" <amortensen@arbor.net>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] use of restconf for the data channel?
Thread-Index: AQHShUvelq2Fax0X1U+DAQQ/dairhqFqKpDAgApPffGAADEigIAAW2c4gAB5zACAAA+aAIAABGSA//+d642AAM+NIA==
Date: Thu, 23 Feb 2017 03:40:46 +0000
Message-ID: <f88e07ae9624495fa067f7081c19ec26@XCH-RCD-017.cisco.com>
References: <6AE56175-DBE7-4CD9-BA4E-5DCA88E901D8@arbor.net> <359EC4B99E040048A7131E0F4E113AFC0104F01D17@marathon> <5AE9F2D3F5799545818A4795DA145E7103BC588B@NDJSMBX201.ndc.nasa.gov> <ae1384a257014ace9ff9e722515a4f83@XCH-RCD-017.cisco.com> <5AE9F2D3F5799545818A4795DA145E7103BC595B@NDJSMBX201.ndc.nasa.gov> <00d501d28d13$3b0564f0$b1102ed0$@ndzh.com> <010a01d28d1b$0057c070$01074150$@ndzh.com>, <9BB728BF-B3D5-4A8F-8C82-0EC87B7A59AE@verisign.com> <5AE9F2D3F5799545818A4795DA145E7103BC5B30@NDJSMBX201.ndc.nasa.gov>
In-Reply-To: <5AE9F2D3F5799545818A4795DA145E7103BC5B30@NDJSMBX201.ndc.nasa.gov>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.65.72.86]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/HDTkTqLph3yCeGliaPBQkXZQSBU>
Subject: Re: [Dots] use of restconf for the data channel?
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 03:40:54 -0000

Hi Gilbert,

RESTCONF provides a simplified interface and only supports a subset of the capabilities provided by NETCONF. 
DOTS data channel does not need all the functionality of RESTCONF only a subset of it, please
see https://tools.ietf.org/html/draft-reddy-dots-data-channel-04 for more details.

As you may already know, the REST-like API provided by RESTCONF is not intended to replace NETCONF, but rather provide a 
simplified interface, thereby meeting a need of application developers.

I will add more details to the draft to discuss the reasons behind using RESTCONF.

-Tiru


> -----Original Message-----
> From: Clark, Gilbert J. (GRC-LCA0) [mailto:gilbert.j.clark@nasa.gov]
> Sent: Wednesday, February 22, 2017 9:40 PM
> To: Teague, Nik <nteague@verisign.com>; Susan Hares <shares@ndzh.com>;
> Tirumaleswar Reddy (tireddy) <tireddy@cisco.com>; 'Roman D. Danyliw'
> <rdd@cert.org>; 'Mortensen, Andrew' <amortensen@arbor.net>;
> dots@ietf.org
> Subject: RE: [Dots] use of restconf for the data channel?
> 
> Hi:
> 
> Just as an addendum, I unfortunately can't make the meeting.
> 
> I don't notice a notable distinction between RESTCONF and NETCONF in this
> discussion thus far, which I find to be concerning to an extent.  The two are
> not the same, and should therefore be considered separately based on the
> merits and suitability of each.  I also think that upcoming features in NETCONF
> is really orthogonal to the conversation here: I'm sure NETCONF has a number
> of features that could possibly be useful.  Instead, my question is whether
> NETCONF's implementation, configuration, and runtime complexity justify its
> use.
> 
> Also: revisiting the idea of using RESTCONF and / or NETCONF in the signaling
> channel should really be a separate conversation, in my opinion.
> 
> I would also point out that the WG in general isn't going to be the primary
> audience for a generalized DDoS solution.  Instead, the challenge will be
> twofold:
> 
> * Convincing vendors that it's worth their while to implement what's
> developed here as part of a generalized DDoS mitigation strategy.  If people
> don't like it, they'll go standardize their own ... and while two generalized
> DDoS mitigation protocols would still probably be an improvement to what
> exists today, I also doubt that such would be the ideal outcome in the case of
> DOTS.
> 
> * Convincing operators that it's worth their while to use what the vendors
> have developed.  NETCONF has a unique set of connotations for the operators
> I know (which are not necessarily always entirely positive), which means that
> including it as a requirement for DOTS could immediately alienate anyone who
> doesn't like NETCONF.  RESTCONF sounds close enough to NETCONF that it
> would, in all likelihood, have a similar effect.  The way these things are named
> might also beg the question of why a configuration protocol is a good choice
> for something billed as a data channel, which seems like it could be a point of
> confusion to those reading through the specification.
> 
> With this in mind, minimizing both implementation / configuration complexity
> and runtime requirements strike me as essential, especially for the signaling
> aspects of the protocol.  I'd be concerned with NETCONF, in particular,
> because it has a few elements that can make it tricky to implement
> (configuration locking, transaction support, an ability to parse XML, stuff like
> that) and can lead to relatively high runtime requirements (for some definition
> of relatively high).  To my understanding, RESTCONF relaxes many of these
> requirements, and operates in a manner that is widely understood, so it seems
> like a better choice to me than NETCONF does.    It does, however, still require
> the folks implementing the draft to first understand RESTCONF before they
> can implement DOTS, which will add additional implementation cost to the
> vendor writing the implementation, and could *possibly* make things more
> difficult for the operators to both initially configure the system and
> troubleshoot issues when they come up.
> 
> Really though, all I'm suggesting here is a little text to the data channel draft in
> order to make the RESTCONF decision appear to be a little less arbitrary than I
> perceive it to be at the moment.  Whether or not the authors agree and
> choose to add said text is, of course, entirely up to them :)
> 
> Cheers,
> Gilbert
> ________________________________________
> From: Teague, Nik [nteague@verisign.com]
> Sent: Wednesday, February 22, 2017 10:06 AM
> To: Susan Hares; Clark, Gilbert J. (GRC-LCA0); 'Tirumaleswar Reddy (tireddy)';
> 'Roman D. Danyliw'; 'Mortensen, Andrew'; dots@ietf.org
> Subject: Re:  [Dots] use of restconf for the data channel?
> 
> Sue hi,
> 
> Are you detailing this still in the context of the DOTS data channel?  You
> mention DOTS signaling
> 
> Thanks,
> 
> -Nik
> 
> On 22/02/2017, 14:50, "Dots on behalf of Susan Hares" <dots-
> bounces@ietf.org on behalf of shares@ndzh.com> wrote:
> 
>     Gilbert and Tirumaleswar:
> 
>     Here are a few advanced on NETCONF/RESTCONF stack related to upcoming
>     changes.
> 
>     ----------------------------------------------------------------------------
>     ------------
>     Content (data models) ---> data stores (config, control plane, dynamic
>     configuration)
>     ----------------------------------------------------------------------------
>     --------------
>     Operations: NETCONF, RESTCONF
>        config + events + pub/sub
>       Upcoming  operations:  control plane state +  dynamic config (dhcp)
>     ----------------------------------------------------------------------------
>     ---------------
>     CoAP (proposed for light-weight config/events, or streams)
>     ---------------
>     |TLS| DLTS |
>     --------------
>     |TCP|UDP |
>     --------------
>     | IP            |
>     ---------------
> 
>     The NETCONF/RESTCONF events are NETCONF and NETMOD Working
> Documents.  The
>     signaling of events or publication streams may range from light weight (I'm
>     here, I'm attacked) to large streams.  The  events +
>     publication/subscription streams requirements come from I2RS work which
>     desires these to be used for configuration and for control plane protocols
>     such as I2RS protocol.  DOTS signaling could be another control plane
>     protocol.  CoAPs does not yet support these events, but it could be added.
> 
> 
>     Why use this?  The event notification and publication/subscription stream
>     have many of the same base mechanisms. ID, lifetime, policy-id, sequencing
>     numbers, and timeouts plus additional features to tune the level of data
>     transmission.  Mitigation request/signaling requires status updates at
>     period intervals which could use the publication/subscription channel that
>     sends this information to multiple clients.    A binary encoding of the
>     event/signal mechanism via CoAP would this efficient.
> 
>     One other thing to consider is the mixture of configuration/control plane
>     protocols.   The NETMOD revised data stores
>     (https://datatracker.ietf.org/doc/draft-ietf-netmod-revised-datastores/)
>     describes the NETMOD architecture for the mixture of configuration and
>     control plane.   The  control plane protocol does not need to follow the
>     netconf/restconf operational rules -  but can set their own rules for
>     validation of data.   NETMOD plans to support Yang modification for this
>     point.
> 
>     I hope this helps.   We'll talk in a few minutes.
> 
>     Sue Hares
> 
>     -----Original Message-----
>     From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Susan Hares
>     Sent: Wednesday, February 22, 2017 8:55 AM
>     To: 'Clark, Gilbert J. (GRC-LCA0)'; 'Tirumaleswar Reddy (tireddy)'; 'Roman
>     D. Danyliw'; 'Mortensen, Andrew'; dots@ietf.org
>     Subject: Re: [Dots] use of restconf for the data channel?
> 
>     Gilbert:
> 
>     Can you provide a bit more unpacking of the message here?    NETCONF or
>     RESTCONF + Yang data models was the initial suggestion to allow stable
>     protocol plus the ability to rapidly change data models that form the
>     content of the bulk data channel. I sent a longish message to the list
>     around IETF 97 since you have questions, I will reformat this message as an
>     internet-draft and send it to the list this week.
> 
>     The Data channel requirements are:  reliable transport, data privacy and
>     integrity, resource configuration (described in OP-07), data-004 black-white
>     list management.  These are the basic design requirements for
>     NETCONF/RESTCONF functionality.   The specific resources, black-list, or
>     white-list management can be data models.
> 
>     There are four parts to NETCONF/RESTCONF protocol:
> 
>     Content  --   data models
>     Messaging method  (NETCONF: edit-config, get-config, RESTCONF/ PUT,
> GET)
>                                     + new Event and publication/subscription
>     streams information
>     Messaging protocol (rpc/rpc-reply / secure http)
>     =============
>     Secure transport (TLS with X.509 certifications, DTLS + add ons)
>     Transport (TCP or UDP)
> 
>     Since all of the requirements for the secure transport are the same (peer
>     mutual authentication, message confidentiality, integrity and authenticity,
>     and message replay protection are the same as the DOTS requirements.
> You
>     may wish to change the messaging protocol (rpc/rpc-reply or RESTCONF
> http)
>     to protobufs.  If so, I suggest you make that suggestion to the I2NSF WG
>     that will include it in its general changes suggested to NETCONF WG and
> I2RS
>     WG .   The WGs would consider protobufs if there is a real use case.
> 
>     If you want to change the message method to edit configuration, what your
>     alternative would be?  If you are read, write, or updating you configuration
>     or white lists, this is what these protocols are built for.   The yang data
>     models are tailored for user-readability.   If you want to change the new
>     event publication and subscription,  exactly what do you want to change.
>     As I will rapidly turn around a draft to answer your questions, please let
>     me know exactly what your concerns are.
> 
>     If you are looking for the a secure shim layer,
> 
>     Content  --   data models
>     Messaging method  (NETCONF: edit-config, get-config, RESTCONF/ PUT,
> GET)
>                                     + new Event and publication/subscription
>     streams information
>     Messaging protocol (rpc/rpc-reply / secure http) (proposed: protobufs)
>     =============
>     Secure session layer (for attack scenarios)
>     Secure transport (TLS with X.509 certifications, DTLS + add ons)
>     Transport (TCP or UDP
> 
>     Bob Moskowitz and I have proposed one.  If you use this, you may be able to
>     utilize a lighter weight upper layer.
> 
> 
>     Thanks for your comments,
> 
>     Sue Hares
> 
>     -----Original Message-----
>     From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Clark, Gilbert J.
>     (GRC-LCA0)
>     Sent: Wednesday, February 22, 2017 8:16 AM
>     To: Tirumaleswar Reddy (tireddy); Roman D. Danyliw; Mortensen, Andrew;
>     dots@ietf.org
>     Subject: Re: [Dots] use of restconf for the data channel?
> 
>     Oh, neat: didn't realize RESTCONF graduated to an RFC.  Looks like it was
>     pretty recent, but that is still a good thing and does alleviate one of my
>     concerns to an extent :)
> 
>     "But for DOTS data channel RESTCONF is suitable"
> 
>     Why is RESTCONF suitable for the data channel?  Why was RESTCONF,
>     specifically, chosen?  What does it offer that might justify the
>     implementation burden that it brings, and would therefore make it a
>     compelling choice when compared to just building and documenting a REST
>     interface?  If there are reasons to use it that justify the complexity, then
>     okay.  I haven't seen these elements documented on the mailing list, though
>     (apologies if I missed them?), and I also didn't see them documented
>     anywhere in the current draft.
> 
>     With this in mind, including text to explain what benefits RESTCONF offers
>     and explains *why* its adoption is important to the data channel would go a
>     long way to alleviate the concerns I have in this instance :)
> 
>     I would also point out that the data-channel-04 draft still references the
>     restconf draft instead of the RFC [1] - that's something that should
>     probably be corrected for a future revision of the draft, if it hasn't
>     already.
> 
>     Cheers,
>     Gilbert
> 
>     [1]    [I-D.ietf-netconf-restconf]
>                   Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
>                   Protocol", draft-ietf-netconf-restconf-18 (work in
>                   progress), October 2016.
>     ________________________________________
>     From: Tirumaleswar Reddy (tireddy) [tireddy@cisco.com]
>     Sent: Wednesday, February 22, 2017 2:17 AM
>     To: Clark, Gilbert J. (GRC-LCA0); Roman D. Danyliw; Mortensen, Andrew;
>     dots@ietf.org
>     Subject: RE: use of restconf for the data channel?
> 
>     NETCONF and RESTCONF are not both suitable for DOTS signal channel.
>     But for DOTS data channel RESTCONF is suitable and RESTCONF is already an
>     RFC https://tools.ietf.org/html/rfc8040.
>     Various products in the market already use RESTCONF (e.g. confd 6.3
>     http://www.tail-f.com/management-agent/)
> 
>     -Tiru
> 
>     > -----Original Message-----
>     > From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Clark, Gilbert
>     > J. (GRC-
>     > LCA0)
>     > Sent: Wednesday, February 22, 2017 11:26 AM
>     > To: Roman D. Danyliw <rdd@cert.org>; Mortensen, Andrew
>     > <amortensen@arbor.net>; dots@ietf.org
>     > Subject: Re: [Dots] use of restconf for the data channel?
>     >
>     > Hi:
>     >
>     > My strongest objection to both NETCONF and RESTCONF were in the
>     > context of their consideration for use in the signal channel.
>     >
>     > I wouldn't personally vote to see NETCONF, specifically, used in
>     > either
>     channel.
>     > NETCONF can involve substantial implementation complexity to support
>     > capabilities that, in the case of DOTS, seem to me to be of marginal
>     > utility at best.
>     >
>     > The use of RESTCONF seems a little more reasonable to me here since
>     > many of those implementation requirements are relaxed.
>     >
>     > I will note that adoption of RESTCONF will inflict a 100+ page
>     > not-yet-RFC as
>     > (additional) required reading for anyone who wishes to implement a
>     > DOTS data channel from scratch.  Also, note that the use of RESTCONF
>     > would introduce a dependency on something that is still in
>     > development, and that therefore most likely hasn't yet been very well
>     > tested and / or may be subject to change.
>     >
>     > Just offering some clarification on my original opinion(s), for what
>     > that's worth.
>     >
>     > -Gilbert
>     > _________________________________
>     > From: Dots [dots-bounces@ietf.org] on behalf of Roman D. Danyliw
>     > [rdd@cert.org]
>     > Sent: Wednesday, February 15, 2017 9:51 AM
>     > To: Mortensen, Andrew; dots@ietf.org
>     > Subject: Re: [Dots] use of restconf for the data channel?
>     >
>     > > Subject: [Dots] use of restconf for the data channel?
>     > > [snip]
>     > >
>     > > Since RESTCONF is now a concrete proposal, it seems worthwhile
>     > > continuing the debate ahead of the interim meeting.  Are there
>     > > specific concerns in the WG regarding the use ...
>     >
>     > This discussion topic is one we need to resolve.  We can start here on
>     > the list but I'll also add a slot to the interim meeting to continue
>     > the
>     conversation.
>     >
>     > Roman
>     >
>     > _______________________________________________
>     > Dots mailing list
>     > Dots@ietf.org
>     > https://www.ietf.org/mailman/listinfo/dots
>     >
>     > _______________________________________________
>     > Dots mailing list
>     > Dots@ietf.org
>     > https://www.ietf.org/mailman/listinfo/dots
> 
>     _______________________________________________
>     Dots mailing list
>     Dots@ietf.org
>     https://www.ietf.org/mailman/listinfo/dots
> 
>     _______________________________________________
>     Dots mailing list
>     Dots@ietf.org
>     https://www.ietf.org/mailman/listinfo/dots
> 
>     _______________________________________________
>     Dots mailing list
>     Dots@ietf.org
>     https://www.ietf.org/mailman/listinfo/dots
>

v2.23.0 | Report a Bug | By Email