Re: [Gen-art] [Netconf] Gen-art LC review: draft-ietf-netconf-restconf-15

Kent Watsen <> Mon, 01 August 2016 21:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6F01712D662; Mon, 1 Aug 2016 14:18:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.922
X-Spam-Status: No, score=-1.922 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id B94CHNXm3ue1; Mon, 1 Aug 2016 14:17:59 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 078DE12D100; Mon, 1 Aug 2016 14:17:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-juniper-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=RubuWv+/RVTiraIqRzvWBr1qnGY3+J2V4B3824mbQQE=; b=J7JGa4aFWAY3NFcZoWcxK6U0o3kNm/nE/01UHnfadIBN9S4Ht+4rfno5V8/xczvXKi15caIaaXV7B3279VStJPsYg01t1E1FktgQqqXFRWDltqrtWCyjR6OjMWk3mR5u5B9KiscRBe2ALkdGOa6+ifr7hN0OAx6XRBi1/eRHzHs=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.557.8; Mon, 1 Aug 2016 21:17:55 +0000
Received: from ([]) by ([]) with mapi id 15.01.0557.009; Mon, 1 Aug 2016 21:17:56 +0000
From: Kent Watsen <>
To: Robert Sparks <>, "t.petch" <>, Andy Bierman <>
Thread-Topic: [Netconf] Gen-art LC review: draft-ietf-netconf-restconf-15
Thread-Index: AQHR6dVxorbmwyhHuEuzEzm1dmaNxaAv3jcAgAAC9ACAAPu7QoADi6MA///1FIA=
Date: Mon, 01 Aug 2016 21:17:55 +0000
Message-ID: <>
References: <> <> <> <00bc01d1ea57$e7889f80$> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/f.18.0.160709
authentication-results: spf=none (sender IP is );
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: []
x-ms-office365-filtering-correlation-id: 774488cb-ed9d-4ca1-04c7-08d3ba514e8d
x-microsoft-exchange-diagnostics: 1; CY1PR0501MB1451; 6:3H7TM33LdDFW9M2IeNHbbqHyZ/lrjRknRAn/sspHWGIpFAz3VpFM6yunCwaLdknmbbF5NGVT1hPbboN3BQYnoqLVQbzEHTIpiR7gV0fjXy+2/gUhP5AONJsbQnTsrIe4mc3QS0e4/MPpql2SjZ5/GPIGa4zkmEafifzipKUbkXX5rlGh3hIjMe6hkmcWfxuQDDPn3hXF+hYjAsxfXjHP6VwWqIq+3fikdBM7cYfpgJ70mqoQtlhN+Ha26eFZD+iDIsBzKZprEPPF7q7tlEZhS08AenhWK9zD9htSL2D1FhOSI6CLvFDb9Cr99PIq911jYu0HeI4wDXu0xHCqq+NT6Q==; 5:gG9yAZeoIhy5Q738hYBETDnWYz5M62VwBTJ/OFmdXckLUU2VMyIAC21RNwPA5XCtpa3FQWXfAMCbVvW6bw9uS70aprd6Ai37OQQUFoG/4I0uuypFZmG+NpYLANnUpxnfKTw9d7HczeDuKNRpQCtGSw==; 24:LAu3WpUFoheVBrXv2QvvO6m08jQUH/h4p21P0LM9fFWUgaJnpS9Dz64MPERjRY3ECJQmtzOrWHopDObKWoD0md+JPw6FV73fwX/jtxbCTgM=; 7:Lo8NBnVjKwHkUap3i2kHe+dSwS+5z5Jdn6jL6SFZvQFHFH3a7Ui6jILuY05ip+//mhoMYiwdRfLYayXfhULCJ6iwn1oLBtAl1fs+BWeE4UDdR1p83VnKU7YvZfY/kqMziNwG1IhaZUyrTRFm2nyAX9t4b78A8vE5QeJP2FZM5hqGmoUai3rM90cNEM/iX/wN0SDIU4tb8/jXNwal+nev35mlNLRuuL5E6m3+T0jGzr5geEYTlgTr60U5TKvQVpq7
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR0501MB1451;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(788757137089);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026); SRVR:CY1PR0501MB1451; BCL:0; PCL:0; RULEID:; SRVR:CY1PR0501MB1451;
x-forefront-prvs: 0021920B5A
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(189002)(24454002)(377454003)(13464003)(199003)(2906002)(54356999)(101416001)(76176999)(3846002)(102836003)(8666005)(6116002)(83716003)(83506001)(50986999)(86362001)(8936002)(19580405001)(15975445007)(19580395003)(7846002)(2950100001)(3280700002)(33656002)(2900100001)(81166006)(8676002)(66066001)(68736007)(81156014)(3660700001)(82746002)(4326007)(77096005)(7736002)(5002640100001)(5001770100001)(99286002)(97736004)(93886004)(4001350100001)(92566002)(189998001)(87936001)(105586002)(36756003)(586003)(106116001)(305945005)(230783001)(122556002)(106356001)(10400500002)(7059030)(104396002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0501MB1451;; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Aug 2016 21:17:55.9891 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0501MB1451
Archived-At: <>
Cc: General Area Review Team <>, "" <>, "" <>, Netconf <>
Subject: Re: [Gen-art] [Netconf] Gen-art LC review: draft-ietf-netconf-restconf-15
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 01 Aug 2016 21:18:02 -0000

To address the Gen-Art comment, below I replaced “as defined in [RFC5246]” with “, as described in Section 7.2.1 of [RFC5246]”.   Good now?

Additionally, while looking at Section 2.3, I realized an opportunity to fix a couple more things.  First, when looking at RFC 7589, Section 5, I see the language “certificate obtained by a trusted mechanism”, which I think is better than saying it has to match a locally configured fingerprint.  Second, I found a redundant sentence which seemed misleading.  Finally, I collapsed the two paragraphs into one since they’re more connected than not.  The net result follows:


   2.3.  Certificate Validation

   The RESTCONF client MUST either use X.509 certificate path validation
   [RFC5280] to verify the integrity of the RESTCONF server's TLS
   certificate, or match the server’s TLS certificate with a certificate
   obtained by a trusted mechanism (e.g. a pinned certificate).   If X.509
   certificate path validation fails, and the presented X.509 certificate
   does not match a certificate obtained by a trusted mechanism, the
   connection MUST be terminated, as described in Section 7.2.1 of 


   2.3.  Certificate Validation

   The RESTCONF client MUST either use X.509 certificate path validation
   [RFC5280] to verify the integrity of the RESTCONF server's TLS
   certificate, or match the presented X.509 certificate with locally
   configured certificate fingerprints.

   The presented X.509 certificate MUST also be considered valid if it
   matches a locally configured certificate fingerprint.  If X.509
   certificate path validation fails and the presented X.509 certificate
   does not match a locally configured certificate fingerprint, the
   connection MUST be terminated as defined in [RFC5246].

This change will be made in a few days if no objection is raised by then.


On 8/1/16, 1:57 PM, "Netconf on behalf of Robert Sparks" < on behalf of> wrote:

    On 7/30/16 6:45 AM, t.petch wrote:
    > Robert
    > Picking up on the point about terminating the connection when a
    > certificate validation fails,  this is a straight lift from 'Netconf
    > over TLS', RFC7589, where the reference is also in Section 4 which makes
    > it clear (to me:-) that the reference is to how the connection is
    > terminated, as per RFC5246 s.7.2.1, and nothing to do with the
    > certificate validation, which is as per RFC5280.
    Perhaps having the s.7.2.1 reference in the text in this document (that 
    part wasn't
    included in the lift from 7589)  would have let me to interpret the 
    sentence that way,
    after following the reference. I suggest a light touch to the sentence 
    to make it clear
    that you are talking about "how to terminate the connection" 
    not"terminating the
    connection because the cert check failed" with the reference.
    (And this should be moved to a nit since it's an editorial clarification).
    > Tom Petch
    > ----- Original Message -----
    > From: "Robert Sparks" <>
    > To: "Andy Bierman" <>
    > Cc: "General Area Review Team" <>;
    > <>; <>; "Netconf"
    > <>
    > Sent: Friday, July 29, 2016 9:47 PM
    > Subject: Re: [Netconf] Gen-art LC review: draft-ietf-netconf-restconf-15
    >> On 7/29/16 3:36 PM, Andy Bierman wrote:
    >>> Hi,
    >>> I will add this review to the list.
    >>> A new version in in progress.
    >>> Some comments inline
    >>> On Fri, Jul 29, 2016 at 1:11 PM, Robert Sparks <
    >>> <>> wrote:
    >>>      I am the assigned Gen-ART reviewer for this draft. The General
    > Area
    >>>      Review Team (Gen-ART) reviews all IETF documents being processed
    >>>      by the IESG for the IETF Chair.  Please treat these comments
    > just
    >>>      like any other last call comments.
    >>>      For more information, please see the FAQ at
    >>>      <>.
    >>>      Document: draft-ietf-netconf-restconf-15
    >>>      Reviewer: Robert Sparks
    >>>      Review Date: 28Jul2016
    >>>      IETF LC End Date: 3Aug2016
    >>>      IESG Telechat date: not yet scheduled
    >>>      Summary:
    >>>      Major issues:
    >>>      * I am not finding any discussion in the Security Considerations
    >>>      or in the text around what a server's options are if a client is
    >>>      asking it to keep more state than it is willing or capable of
    >>>      holding. The possible values of the "depth" query parameter
    >>>      (particularly "unbounded") points out that a misconfigured or
    >>>      compromised client might start creating arbitrarily deep trees.
    >>>      Should a server have the ability to say no?
    >>> I guess we need more text somewhere explaining the "depth" parameter
    > is
    >>> a retrieval filter.
    >> I got that. It's existence, however, caused me to think about the fact
    >> that what is stored at the server can be arbitrarily deep. Clients
    > using
    >> POST can build trees that are arbitrarily deep, with bits at the node
    >> that are arbitrarily large (subject to the constraints the YANG models
    >> put on the node). There should be some discussion acknowledging that
    >> this can happen, and discussion of what the server can do if some
    > client
    >> starts asking it to store more than it is willing to store.
    >>> It is not used to create anything in the server.
    >>> The server does not maintain any state except during the processing
    > of
    >>> the retrieval request
    >>>      * The third paragraph of 3.7 paraphrases to "SHOULD NOT delete
    >>>      more than one instance unless a proprietary query parameter says
    >>>      it's ok". This isn't really helpful in a specification.
    >>>      Proprietary things are proprietary. The SHOULD NOT already
    > allows
    >>>      proprietary things to do something different without
    > trainwrecking
    >>>      the protocol. Please just delete the 2nd and 3rd sentence from
    > the
    >>>      paragraph.
    >>> OK
    >>>      * Section 2.3 says "If X.509 certificate path validation fails
    > and
    >>>      the presented X.509 certificate does not match a locally
    >>>      configured certificate fingerprint, the connection MUST be
    >>>      terminated as defined in [RFC5246]." RFC5246 doesn't really talk
    >>>      about certificate validation, and it certainly doesn't say "the
    >>>      connection MUST be terminated" when certificates fail to
    > validate.
    >>>      What are you trying to point to in RFC5246 here? Should you be
    >>>      pointing somewhere else? (It's perfectly reasonable for the
    >>>      document to reference RFC5246, and it does so elsewhere without
    >>>      problem).
    >>> Please suggest replacement text if we are citing the wrong RFC.
    >>> I will ask Kent to look into this issue
    >>>      Minor issues:
    >>>      * "A server MUST support XML or JSON encoding." is ambiguous.
    > (2nd
    >>>      paragraph of 5.2). Did you mean the server MUST support at least
    >>>      one of XML or JSON but not necessarily both? I think you really
    >>>      intended that the server support BOTH types of encoding.
    >>> No -- it will be clarified that the server must support at least 1
    > of
    >>> the 2
    >>>      * I _think_ I can infer that PUT can't be used with datastore
    >>>      resources. Section 3.4 only speaks of POST and PATCH. Section
    > 4.5
    >>>      speaks about "target data resource" and is silent about
    > datastore
    >>>      resources. If I've understood the intent, please be explicit
    > about
    >>>      datastore resources in 4.5. If I've misunderstood then more
    >>>      clarity is needed in both 3.4 and 4.5.
    >>> The  next draft will be clarified to allow PUT on a datastore
    > resource
    >> Hrmm - that makes me less comfortable that you are actually aligned
    > with
    >> 7231. It may just be that you need to be more precise with your
    >> description, but per 7231, PUT never creates resources - it can create
    >> or replace the state of a resource.
    >>>      * In you restrict identifiers with "MUST NOT start with
    >>>      'xml' (or any case variant of that string). Please call out why
    >>>      (or point to an existing document that explains why).
    >>> OK
    >>>      * The text in 5.3 about access control interacting with caching
    >>>      (added based on my early review I think) doesn't mesh well with
    >>>      paragraph 3 of section 5.5. There you tell the client to use
    > Etag
    >>>      and Last-Modified, but in 5.3 you say it won't work reliably
    > when
    >>>      access permissions change. At the very least 5.5 should point
    > back
    >>>      into the paragraph in 5.3.
    >>>      Nits/editorial comments:
    >>>      * Introduction, 4th paragraph - please change "MAY provide" to
    >>>      "provides". Section 3.6 explains the cases where there is choice
    >>>      in what to provide.
    >>>      * Section 2.3 paragraphs 1 and 2. There is edit-itis here left
    > (I
    >>>      suspect) from working in matching fingerprints. Consider
    > combining
    >>>      and simplifying these two paragraphs after improving the
    > reference
    >>>      issue called out above.
    >>>      * Section 4 says "Access control mechanisms MUST be used to
    >>>      limit..." This is not a good use of a 2119 MUST. I suggest
    >>>      replacing "MUST be" with "are". The subsequent text already
    >>>      captures the actual normative requirements on the server.
    >>>      * Section 12 says "this protocol SHOULD be implemented
    > carefully".
    >>>      That is not a good use of a 2119 SHOULD. It is not a protocol
    >>>      requirement. I suggest reformulating this into something like
    >>>      "There are many patterns of attack that have been observed
    > through
    >>>      operational practice with existing management interfaces. It
    > would
    >>>      be wise for implementers to research them, and take them into
    >>>      account when implementing this protocol." It would be far better
    >>>      to provide a pointer to where the implementer should start this
    >>>      research.
    >>>      * (micronit) Lots of examples are internally inconsistent wrt
    >>>      dates. For instance, look at the 200 OK in section 3.3.3 - it
    > says
    >>>      that back in 2012, a server returned something talking about a
    >>>      library versioned in 2016.
    >>> Andy
    > ------------------------------------------------------------------------
    > --------
    >> _______________________________________________
    >> Netconf mailing list
    Netconf mailing list