IETF Logo Mail Archive

Re: [Dots] use of restconf for the data channel?

"Teague, Nik" <nteague@verisign.com> Wed, 22 February 2017 15:06 UTC

Return-Path: <nteague@verisign.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0A251299E8 for <dots@ietfa.amsl.com>; Wed, 22 Feb 2017 07:06:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aKDFbYOC1fVq for <dots@ietfa.amsl.com>; Wed, 22 Feb 2017 07:06:14 -0800 (PST)
Received: from mail2.verisign.com (mail2.verisign.com [72.13.63.31]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE7B51299E3 for <dots@ietf.org>; Wed, 22 Feb 2017 07:06:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=16394; q=dns/txt; s=VRSN; t=1487775974; h=from:to:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=BWQVGp1qPXI6QBCVpEnWJI8g1/KVUSNz+ZwSpmsOnNg=; b=PgrGTVYs8W0lmaINJqk15PeZ1n5sYaSfztrigRSCTVnKPAfVupRk4Uuk kvkBuSgmDT2P1MjuH/GVDUlof2e+VsKNeKdkYDIiXPMzJ/SKHRx1NPbUV wzlmYE01jUpXWZTpD4PjwAmwTcTfzrM8orKTGujROlIz83yiL/reMUAOE o6dUJ1l9YnCyDgdVmmTQYxe3Sev50OATmwkxz8k3w2+Jwmb84Faqlbzb0 quucORIb8dIFZOOZWMwOu8xR5fV/n1bJj/btZTae2dkZToH6KTPH3DQQy kT2FabquJ8O3aMfh5dQ4NHwxij3SNXiglz1RTPHrDLOn9AIa3N0mGjgR+ w==;
X-IronPort-AV: E=Sophos;i="5.35,194,1484006400"; d="scan'208";a="1578527"
IronPort-PHdr: 9a23:RH65hxTpF0v/6dRCJohjX5cBNdpsv+yvbD5Q0YIujvd0So/mwa67ZxeEt8tkgFKBZ4jH8fUM07OQ6PG9HzVeqsnZ+Fk5M7V0HycfjssXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aFRrwLxd6KfroEYDOkcu3y/qy+5rOaAlUmTaxe71/IRG2oAnLq8UbgIRuJ6QtxhDUvnZGZuNayH9yK1mOhRj8/MCw/JBi8yRUpf0s8tNLXLv5caolU7FWFSwqPG8p6sLlsxnDVhaP6WAHUmoKiBpIAhPK4w/8U5zsryb1rOt92C2dPc3rUbA5XCmp4ql3RBP0jioMKiU0+3/LhMNukK1boQqhpx1hzI7SfIGVL+d1cqfEcd8HWWZNQsNdWipcCY2+coQPFfIMM+ZGoYfgu1sAoxiwBQeuC+zhyz9HmnD40qIh3uQ9Cg7G2RAsE84UvXnWqtj+KaccUfqyzKnN1TjPYe1Y1inn54jHbxAuv+mAVq9of8rQykkjGR7Og1KWqYz5ITyazOsNs3WF4Od7S+KglXQnqwBqojiuyccsjJPFiZ4SylDB7Ch0xps+K9O/SE5+e9GkEZ1QujmbN4RoXsMiTXtkuCEgyr0Jv5OwYSsEyIw/yhLCd/CLaZWE7xDtWeqLPDt1hHxodKihixu98UWs0vDwWtWu3FpXrCdInMPAum0N2hDN8MSKRf1w9Vq71zmVzQDc8ORELFgxlarcNpEu3KY9loEWsUTfBi/2n1j2jLOOekUk5Oeo7+Pnb639qZ+GMY94lwX+M6srmsOlAOQ4Ng8OX3WH+eigyrHv51P5T6tQjv03ianZsZ/aJcIBqqGlBA9V154v6xe5Dzi4zNQVhWQLIE5fdB6ajYXkNUvCLO34APqxmVigjjhmyvDeMr3kGJrNL3zDkLn7fbZ67k5R0AwzzcxB6J1OBbEBPez8V1TvtNPGFB85Mhe0w+foCNV7zI8RRWWPAqqBPKPIrVCI/v4vI/WLZIINpTn9LOQl5+X1gH84h1AdYaep0YEQaHCiEfRsO1+Zbmb0gtcdDWcKuRIzQ/bviF2FSz5Te2i9X6Qn5j4lDoKrFp3MRpq2j7yGxie3BJtWaX5aClqUC3fna52EW+sQaCKVOsJhiCELWqW6RoA9yx6urhP6x6BgLurO9S0SrYjj28Rt5+3PiREy8iR5D9ic02GXUW57g34HRj8t0a9joEx90UuM0a9ij/NEEtxT4utDUh0mOp7E0+x6F9fyVxrOfteITFapWcupASstTt4rwd8CeVpyG9G4gRDZ3CqnGLkVmKaQBJMu6K7c0H/xJ9hlwXbcyKYhl0UmQtdINWC+na5/9xLcB5TXnEWCjKuqc7kT3S/N9GuZ0WWOu0RYA0ZMVvD+QGsWYAP2pM70/QuWVL+nE7k8Gg1N287EIaxPPJmhxxptQP75O5CWTGO1kWqqGV6qgPvMQ7DBPkE29X2cRwJMxw8S+XyLLxR4BGGqp2vEDxRoHEnmJUzr77864Dn0ck4u0gSDa0B6yLOvsiQYifCNA7MP36gJtCsw6no+VAKh3sjbB9aRjwFgZ65bJ9g65QEDnSiWjQt4N5roA+YqqlcYYgB2oAykn0FtBolomsUwsDUt1gUkberSn3ZGbS+V24v9PPmfA2/+5h2wJOSejljb18yK96EU5fIQok/puxvvEEc+pTEvmdVSz2C055jWAkwVS527GhI78ARhj7DXfid74Jnbgy5CK66x53X+1tsmGeZhgjChfJ0XZKWYGQb9DsAyGcW0KfcrlF7vZRUBarMBvJUoNt+rIqPVkJWgO/xtyXf/1TxK
X-IPAS-Result: A2HNAQBxqK1Y//WZrQpeGgEBAQECAQEBAQgBAQEBFQEBAQECAQEBAQgBAQEBhAeBCQeDVIoIkVqVNIIJBB8LhXgCGoMqGAEBAQEBAQEBAQEBAoEHgjMiAQwmFxABAQEBAQEBAQEjAQEBAQEBIwINMSwBAQEBAwEBIQQNOhcEAgEIDQEDAQMBAQMCCRoDAgICJQsUAQIGCAIEARKKA68JgWw6i0MBAQEBAQEBAQEBAQEBAQEBAQEBAQEdgQuFQoIEgmqEVBeCby6CMQWJEpJ+AYZzjSqFHINRhiiPCYQcH4E5VBU+EQGGN3WHWSuBA4ENAQEB
Received: from brn1wnexcas02.vcorp.ad.vrsn.com (brn1wnexcas02 [10.173.152.206]) by brn1lxmailout02.verisign.com (8.13.8/8.13.8) with ESMTP id v1MF69oX021774 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 22 Feb 2017 10:06:09 -0500
Received: from BRN1WNEXMBX02.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0301.000; Wed, 22 Feb 2017 10:06:08 -0500
From: "Teague, Nik" <nteague@verisign.com>
To: Susan Hares <shares@ndzh.com>, "'Clark, Gilbert J. (GRC-LCA0)'" <gilbert.j.clark@nasa.gov>, "'Tirumaleswar Reddy (tireddy)'" <tireddy@cisco.com>, "'Roman D. Danyliw'" <rdd@cert.org>, "'Mortensen, Andrew'" <amortensen@arbor.net>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [EXTERNAL] Re: [Dots] use of restconf for the data channel?
Thread-Index: AQHShUvelq2Fax0X1U+DAQQ/dairhqFqKpDAgApPffGAADEigIAAW2c4gABpCQCAAA+ZAIAABIqA
Date: Wed, 22 Feb 2017 15:06:07 +0000
Message-ID: <9BB728BF-B3D5-4A8F-8C82-0EC87B7A59AE@verisign.com>
References: <6AE56175-DBE7-4CD9-BA4E-5DCA88E901D8@arbor.net> <359EC4B99E040048A7131E0F4E113AFC0104F01D17@marathon> <5AE9F2D3F5799545818A4795DA145E7103BC588B@NDJSMBX201.ndc.nasa.gov> <ae1384a257014ace9ff9e722515a4f83@XCH-RCD-017.cisco.com> <5AE9F2D3F5799545818A4795DA145E7103BC595B@NDJSMBX201.ndc.nasa.gov> <00d501d28d13$3b0564f0$b1102ed0$@ndzh.com> <010a01d28d1b$0057c070$01074150$@ndzh.com>
In-Reply-To: <010a01d28d1b$0057c070$01074150$@ndzh.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1c.0.161115
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="utf-8"
Content-ID: <0254CF8D06D4BD46AFFE6494AB737CFF@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/bUsKzYLXkQxXEd4HFXPjya3aFn0>
Subject: Re: [Dots] use of restconf for the data channel?
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2017 15:06:16 -0000

Sue hi,

Are you detailing this still in the context of the DOTS data channel?  You mention DOTS signaling

Thanks,

-Nik

On 22/02/2017, 14:50, "Dots on behalf of Susan Hares" <dots-bounces@ietf.org on behalf of shares@ndzh.com> wrote:

    Gilbert and Tirumaleswar: 
    
    Here are a few advanced on NETCONF/RESTCONF stack related to upcoming
    changes. 
    
    ----------------------------------------------------------------------------
    ------------
    Content (data models) ---> data stores (config, control plane, dynamic
    configuration) 
    ----------------------------------------------------------------------------
    --------------
    Operations: NETCONF, RESTCONF 
       config + events + pub/sub 
      Upcoming  operations:  control plane state +  dynamic config (dhcp)  
    ----------------------------------------------------------------------------
    ---------------
    CoAP (proposed for light-weight config/events, or streams) 
    ---------------
    |TLS| DLTS |
    --------------
    |TCP|UDP |
    --------------
    | IP            |
    ---------------
    
    The NETCONF/RESTCONF events are NETCONF and NETMOD Working Documents.  The
    signaling of events or publication streams may range from light weight (I'm
    here, I'm attacked) to large streams.  The  events +
    publication/subscription streams requirements come from I2RS work which
    desires these to be used for configuration and for control plane protocols
    such as I2RS protocol.  DOTS signaling could be another control plane
    protocol.  CoAPs does not yet support these events, but it could be added.
    
    
    Why use this?  The event notification and publication/subscription stream
    have many of the same base mechanisms. ID, lifetime, policy-id, sequencing
    numbers, and timeouts plus additional features to tune the level of data
    transmission.  Mitigation request/signaling requires status updates at
    period intervals which could use the publication/subscription channel that
    sends this information to multiple clients.    A binary encoding of the
    event/signal mechanism via CoAP would this efficient. 
    
    One other thing to consider is the mixture of configuration/control plane
    protocols.   The NETMOD revised data stores
    (https://datatracker.ietf.org/doc/draft-ietf-netmod-revised-datastores/)
    describes the NETMOD architecture for the mixture of configuration and
    control plane.   The  control plane protocol does not need to follow the
    netconf/restconf operational rules -  but can set their own rules for
    validation of data.   NETMOD plans to support Yang modification for this
    point.
    
    I hope this helps.   We'll talk in a few minutes. 
    
    Sue Hares 
    
    -----Original Message-----
    From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Susan Hares
    Sent: Wednesday, February 22, 2017 8:55 AM
    To: 'Clark, Gilbert J. (GRC-LCA0)'; 'Tirumaleswar Reddy (tireddy)'; 'Roman
    D. Danyliw'; 'Mortensen, Andrew'; dots@ietf.org
    Subject: Re: [Dots] use of restconf for the data channel?
    
    Gilbert: 
    
    Can you provide a bit more unpacking of the message here?    NETCONF or
    RESTCONF + Yang data models was the initial suggestion to allow stable
    protocol plus the ability to rapidly change data models that form the
    content of the bulk data channel. I sent a longish message to the list
    around IETF 97 since you have questions, I will reformat this message as an
    internet-draft and send it to the list this week. 
    
    The Data channel requirements are:  reliable transport, data privacy and
    integrity, resource configuration (described in OP-07), data-004 black-white
    list management.  These are the basic design requirements for
    NETCONF/RESTCONF functionality.   The specific resources, black-list, or
    white-list management can be data models.   
    
    There are four parts to NETCONF/RESTCONF protocol: 
    
    Content  --   data models 
    Messaging method  (NETCONF: edit-config, get-config, RESTCONF/ PUT, GET)  
                                    + new Event and publication/subscription
    streams information  
    Messaging protocol (rpc/rpc-reply / secure http)   
    =============
    Secure transport (TLS with X.509 certifications, DTLS + add ons)   
    Transport (TCP or UDP) 
    
    Since all of the requirements for the secure transport are the same (peer
    mutual authentication, message confidentiality, integrity and authenticity,
    and message replay protection are the same as the DOTS requirements.   You
    may wish to change the messaging protocol (rpc/rpc-reply or RESTCONF http)
    to protobufs.  If so, I suggest you make that suggestion to the I2NSF WG
    that will include it in its general changes suggested to NETCONF WG and I2RS
    WG .   The WGs would consider protobufs if there is a real use case.  
    
    If you want to change the message method to edit configuration, what your
    alternative would be?  If you are read, write, or updating you configuration
    or white lists, this is what these protocols are built for.   The yang data
    models are tailored for user-readability.   If you want to change the new
    event publication and subscription,  exactly what do you want to change.
    As I will rapidly turn around a draft to answer your questions, please let
    me know exactly what your concerns are. 
    
    If you are looking for the a secure shim layer, 
    
    Content  --   data models 
    Messaging method  (NETCONF: edit-config, get-config, RESTCONF/ PUT, GET)  
                                    + new Event and publication/subscription
    streams information  
    Messaging protocol (rpc/rpc-reply / secure http) (proposed: protobufs)   
    =============
    Secure session layer (for attack scenarios) 
    Secure transport (TLS with X.509 certifications, DTLS + add ons)   
    Transport (TCP or UDP
    
    Bob Moskowitz and I have proposed one.  If you use this, you may be able to
    utilize a lighter weight upper layer. 
    
    
    Thanks for your comments, 
    
    Sue Hares 
    
    -----Original Message-----
    From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Clark, Gilbert J.
    (GRC-LCA0)
    Sent: Wednesday, February 22, 2017 8:16 AM
    To: Tirumaleswar Reddy (tireddy); Roman D. Danyliw; Mortensen, Andrew;
    dots@ietf.org
    Subject: Re: [Dots] use of restconf for the data channel?
    
    Oh, neat: didn't realize RESTCONF graduated to an RFC.  Looks like it was
    pretty recent, but that is still a good thing and does alleviate one of my
    concerns to an extent :)
    
    "But for DOTS data channel RESTCONF is suitable"
    
    Why is RESTCONF suitable for the data channel?  Why was RESTCONF,
    specifically, chosen?  What does it offer that might justify the
    implementation burden that it brings, and would therefore make it a
    compelling choice when compared to just building and documenting a REST
    interface?  If there are reasons to use it that justify the complexity, then
    okay.  I haven't seen these elements documented on the mailing list, though
    (apologies if I missed them?), and I also didn't see them documented
    anywhere in the current draft.  
    
    With this in mind, including text to explain what benefits RESTCONF offers
    and explains *why* its adoption is important to the data channel would go a
    long way to alleviate the concerns I have in this instance :)
    
    I would also point out that the data-channel-04 draft still references the
    restconf draft instead of the RFC [1] - that's something that should
    probably be corrected for a future revision of the draft, if it hasn't
    already.
    
    Cheers,
    Gilbert
    
    [1]    [I-D.ietf-netconf-restconf]
                  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
                  Protocol", draft-ietf-netconf-restconf-18 (work in
                  progress), October 2016.
    ________________________________________
    From: Tirumaleswar Reddy (tireddy) [tireddy@cisco.com]
    Sent: Wednesday, February 22, 2017 2:17 AM
    To: Clark, Gilbert J. (GRC-LCA0); Roman D. Danyliw; Mortensen, Andrew;
    dots@ietf.org
    Subject: RE: use of restconf for the data channel?
    
    NETCONF and RESTCONF are not both suitable for DOTS signal channel.
    But for DOTS data channel RESTCONF is suitable and RESTCONF is already an
    RFC https://tools.ietf.org/html/rfc8040.
    Various products in the market already use RESTCONF (e.g. confd 6.3
    http://www.tail-f.com/management-agent/)
    
    -Tiru
    
    > -----Original Message-----
    > From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Clark, Gilbert 
    > J. (GRC-
    > LCA0)
    > Sent: Wednesday, February 22, 2017 11:26 AM
    > To: Roman D. Danyliw <rdd@cert.org>; Mortensen, Andrew 
    > <amortensen@arbor.net>; dots@ietf.org
    > Subject: Re: [Dots] use of restconf for the data channel?
    >
    > Hi:
    >
    > My strongest objection to both NETCONF and RESTCONF were in the 
    > context of their consideration for use in the signal channel.
    >
    > I wouldn't personally vote to see NETCONF, specifically, used in 
    > either
    channel.
    > NETCONF can involve substantial implementation complexity to support 
    > capabilities that, in the case of DOTS, seem to me to be of marginal 
    > utility at best.
    >
    > The use of RESTCONF seems a little more reasonable to me here since 
    > many of those implementation requirements are relaxed.
    >
    > I will note that adoption of RESTCONF will inflict a 100+ page 
    > not-yet-RFC as
    > (additional) required reading for anyone who wishes to implement a 
    > DOTS data channel from scratch.  Also, note that the use of RESTCONF 
    > would introduce a dependency on something that is still in 
    > development, and that therefore most likely hasn't yet been very well 
    > tested and / or may be subject to change.
    >
    > Just offering some clarification on my original opinion(s), for what 
    > that's worth.
    >
    > -Gilbert
    > _________________________________
    > From: Dots [dots-bounces@ietf.org] on behalf of Roman D. Danyliw 
    > [rdd@cert.org]
    > Sent: Wednesday, February 15, 2017 9:51 AM
    > To: Mortensen, Andrew; dots@ietf.org
    > Subject: Re: [Dots] use of restconf for the data channel?
    >
    > > Subject: [Dots] use of restconf for the data channel?
    > > [snip]
    > >
    > > Since RESTCONF is now a concrete proposal, it seems worthwhile 
    > > continuing the debate ahead of the interim meeting.  Are there 
    > > specific concerns in the WG regarding the use ...
    >
    > This discussion topic is one we need to resolve.  We can start here on 
    > the list but I'll also add a slot to the interim meeting to continue 
    > the
    conversation.
    >
    > Roman
    >
    > _______________________________________________
    > Dots mailing list
    > Dots@ietf.org
    > https://www.ietf.org/mailman/listinfo/dots
    >
    > _______________________________________________
    > Dots mailing list
    > Dots@ietf.org
    > https://www.ietf.org/mailman/listinfo/dots
    
    _______________________________________________
    Dots mailing list
    Dots@ietf.org
    https://www.ietf.org/mailman/listinfo/dots
    
    _______________________________________________
    Dots mailing list
    Dots@ietf.org
    https://www.ietf.org/mailman/listinfo/dots
    
    _______________________________________________
    Dots mailing list
    Dots@ietf.org
    https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email