Re: [i2rs] draft-chen-i2rs-identifier-management-00
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 29 May 2015 16:25 UTC
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1770C1AC424 for <i2rs@ietfa.amsl.com>; Fri, 29 May 2015 09:25:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.86
X-Spam-Level:
X-Spam-Status: No, score=-3.86 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hLwBogCpoGlF for <i2rs@ietfa.amsl.com>; Fri, 29 May 2015 09:25:16 -0700 (PDT)
Received: from atlas3.jacobs-university.de (atlas3.jacobs-university.de [212.201.44.18]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 479051A913D for <i2rs@ietf.org>; Fri, 29 May 2015 09:25:16 -0700 (PDT)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas3.jacobs-university.de (Postfix) with ESMTP id 1593A734; Fri, 29 May 2015 18:25:15 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas3.jacobs-university.de ([10.70.0.220]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10030) with ESMTP id 3wYSr9M8QHaq; Fri, 29 May 2015 18:25:01 +0200 (CEST)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas3.jacobs-university.de (Postfix) with ESMTPS; Fri, 29 May 2015 18:25:13 +0200 (CEST)
Received: from localhost (demetrius1.jacobs-university.de [212.201.44.46]) by hermes.jacobs-university.de (Postfix) with ESMTP id CD23F20031; Fri, 29 May 2015 18:25:13 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius1.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id DjBnc00WBoOW; Fri, 29 May 2015 18:25:11 +0200 (CEST)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 1ECCC2002C; Fri, 29 May 2015 18:25:10 +0200 (CEST)
Received: by elstar.local (Postfix, from userid 501) id 1773D3412FB6; Fri, 29 May 2015 18:25:08 +0200 (CEST)
Date: Fri, 29 May 2015 18:25:08 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Susan Hares <shares@ndzh.com>
Message-ID: <20150529162508.GA6146@elstar.local>
Mail-Followup-To: Susan Hares <shares@ndzh.com>, i2rs@ietf.org, chen.ran@zte.com.cn, 'Andy Bierman' <andy@yumaworks.com>, 'Alia Atlas' <akatlas@juniper.net>, 'Jeffrey Haas' <jhaas@pfrc.org>, "'Joel M. Halpern'" <jmh@joelhalpern.com>
References: <20150527220901.GA67473@elstar.local> <556654AB.9030206@joelhalpern.com> <CABCOCHTDRCA_T+m-waEq7MHQ4v=6E=4z33HPWQR1s4349ifkRA@mail.gmail.com> <20150528060502.GA68091@elstar.local> <CABCOCHQdfqaEJ36DktwcN_NYi_SfPT6kRMdEzB9htvkf4qzJUw@mail.gmail.com> <020101d0999d$26fe2750$74fa75f0$@ndzh.com> <CABCOCHStya+LQEPfEfEvWRqeYhccekG8_vC6EYzC5AKy2yXJCA@mail.gmail.com> <022701d099a3$b822c5f0$286851d0$@ndzh.com> <20150529061023.GB1694@elstar.local> <036601d09a28$faab15f0$f00141d0$@ndzh.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <036601d09a28$faab15f0$f00141d0$@ndzh.com>
User-Agent: Mutt/1.4.2.3i
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2rs/32RQPYwGd8vqTJoU5oQEOtDLmag>
Cc: i2rs@ietf.org, chen.ran@zte.com.cn, 'Andy Bierman' <andy@yumaworks.com>, 'Alia Atlas' <akatlas@juniper.net>, 'Jeffrey Haas' <jhaas@pfrc.org>, "'Joel M. Halpern'" <jmh@joelhalpern.com>
Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2015 16:25:19 -0000
Thanks for all the details but I am missing an answer to my question. Shall I repeat it once more? /js On Fri, May 29, 2015 at 12:03:18PM -0400, Susan Hares wrote: > Juergen: > > > > Thank you for asking the question again. I appreciate your patience as I > attempt to answer your question carefully. > > > > Short answer: I2RS strategy is re-use of other protocols rather than invent, > and this seemed a reasonable place to put it. > > > > Context: Jeff's document is a proposal for the requirements for I2RS to the > NETCONF/NETMOD WG on ephemeral state. Feedback on the earlier descriptions > from the I2RS group had been "too vague" so Jeff's document is providing > detailed requirements. I2RS is not designing thing for NETCONF only making > known in detailed terms our requirements to aid the NETCONF group's response > on whether the I2RS design requirements can be met. > > > > Longer Answer: His proposal arises out of section 4.2 in the I2RS > architecture document. This section states: > > > > An approach to a similar access control problem is defined in the NetConf > Access Control Model (NACM) [RFC6536]; it allows arbitrary access to be > specified for a data node instance identifier while defining meaningful > manipulable defaults. The identity within NACM [RFC6536] can be specifying > as either a user name or a group user name (e.g. Root), and this name is > linked a scope policy that contained in a set of access control rules. > Similarly, it is expected the I2RS identity links to one role which has a > scope policy specified by a set of access control rules. This scope policy > is can be provided via Local Config, exposed as an I2RS Service for > manipulation by authorized clients, or via some other method (e.g. AAA > service). > > > > You can see in this point that the client identity is being linked to the > scope policy controlling read or write. Section 7.8 points out that > priority "ensures predictability" in write conditions between two I2RS > Clients trying to write data in one agent, or between an I2RS client and the > local config. Jeff's requirements flow out of these two sections in the > architecture document. > > > > What you can do: If you have an alternate suggestion for priority for Jeff's > document, please make a suggestion and indicate why you think it fits within > the I2RS architecture document (please list sections). > > > > Sue > > > > -----Original Message----- > From: i2rs [mailto:i2rs-bounces@ietf.org] On Behalf Of Juergen Schoenwaelder > Sent: Friday, May 29, 2015 2:10 AM > To: Susan Hares > Cc: i2rs@ietf.org; chen.ran@zte.com.cn; 'Andy Bierman'; 'Alia Atlas'; > 'Jeffrey Haas'; 'Joel M. Halpern' > Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00 > > > > On Thu, May 28, 2015 at 08:09:23PM -0400, Susan Hares wrote: > > > Andy: > > > > > > Thank you for your question. Let me precise. > > > > > > Jeff proposes that clients specify the priority mechanism is an attribute > that is stored in the NACM list on the agent (see Section 5.2 as described > in the draft-haas-i2rs-ephemeral-state-reqs-00 (quoted below). The > client-Agent identities are load in a mechanism which is out-of-band from > the I2RS protocol these values. Into the Client, the Agent's ID is loaded. > Into the Agent, the valid client's identity is loaded along with the > client's priority. AAA (Radius/Diameter) is an example of an out-of-band > mechanism to pass the information with. IMU (in my understanding), the NACM > on the agent is created based on this AAA loading. The i2rs secondary > identity is loaded via an edit-config mechanism in a config operation (see > section 5.1 of Jeff's document.). Please let me know if my understanding of > NACM creation based on AAA input is correct. > > > > > > > So I will ask again: If the priority is a property of the I2RS client (this > is how I understand the I2RS architecture document), why would it be > configured as part of a NACM rule as suggestd in section 5.2 of > draft-haas-i2rs-ephemeral-state-reqs-00? Jeff's design makes the priority a > property of the scope of a NACM group. > > > > /js > > > > -- > > Juergen Schoenwaelder Jacobs University Bremen gGmbH > > Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany > > Fax: +49 421 200 3103 < <http://www.jacobs-university.de/> > http://www.jacobs-university.de/> > > > > _______________________________________________ > > i2rs mailing list > > <mailto:i2rs@ietf.org> i2rs@ietf.org > > <https://www.ietf.org/mailman/listinfo/i2rs> > https://www.ietf.org/mailman/listinfo/i2rs > -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
- [i2rs] draft-chen-i2rs-identifier-management-00 Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Juergen Schoenwaelder
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Joel M. Halpern
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Juergen Schoenwaelder
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Joel M. Halpern
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Juergen Schoenwaelder
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Juergen Schoenwaelder
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Juergen Schoenwaelder
- Re: [i2rs] I2RS priority location Joel M. Halpern
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Joel M. Halpern
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Joel M. Halpern
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Martin Bjorklund
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Alia Atlas
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Alia Atlas
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Jeffrey Haas