IETF Logo Mail Archive

Re: [i2rs] draft-chen-i2rs-identifier-management-00

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 29 May 2015 16:25 UTC

Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1770C1AC424 for <i2rs@ietfa.amsl.com>; Fri, 29 May 2015 09:25:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.86
X-Spam-Level:
X-Spam-Status: No, score=-3.86 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hLwBogCpoGlF for <i2rs@ietfa.amsl.com>; Fri, 29 May 2015 09:25:16 -0700 (PDT)
Received: from atlas3.jacobs-university.de (atlas3.jacobs-university.de [212.201.44.18]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 479051A913D for <i2rs@ietf.org>; Fri, 29 May 2015 09:25:16 -0700 (PDT)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas3.jacobs-university.de (Postfix) with ESMTP id 1593A734; Fri, 29 May 2015 18:25:15 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas3.jacobs-university.de ([10.70.0.220]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10030) with ESMTP id 3wYSr9M8QHaq; Fri, 29 May 2015 18:25:01 +0200 (CEST)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas3.jacobs-university.de (Postfix) with ESMTPS; Fri, 29 May 2015 18:25:13 +0200 (CEST)
Received: from localhost (demetrius1.jacobs-university.de [212.201.44.46]) by hermes.jacobs-university.de (Postfix) with ESMTP id CD23F20031; Fri, 29 May 2015 18:25:13 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius1.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id DjBnc00WBoOW; Fri, 29 May 2015 18:25:11 +0200 (CEST)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 1ECCC2002C; Fri, 29 May 2015 18:25:10 +0200 (CEST)
Received: by elstar.local (Postfix, from userid 501) id 1773D3412FB6; Fri, 29 May 2015 18:25:08 +0200 (CEST)
Date: Fri, 29 May 2015 18:25:08 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Susan Hares <shares@ndzh.com>
Message-ID: <20150529162508.GA6146@elstar.local>
Mail-Followup-To: Susan Hares <shares@ndzh.com>, i2rs@ietf.org, chen.ran@zte.com.cn, 'Andy Bierman' <andy@yumaworks.com>, 'Alia Atlas' <akatlas@juniper.net>, 'Jeffrey Haas' <jhaas@pfrc.org>, "'Joel M. Halpern'" <jmh@joelhalpern.com>
References: <20150527220901.GA67473@elstar.local> <556654AB.9030206@joelhalpern.com> <CABCOCHTDRCA_T+m-waEq7MHQ4v=6E=4z33HPWQR1s4349ifkRA@mail.gmail.com> <20150528060502.GA68091@elstar.local> <CABCOCHQdfqaEJ36DktwcN_NYi_SfPT6kRMdEzB9htvkf4qzJUw@mail.gmail.com> <020101d0999d$26fe2750$74fa75f0$@ndzh.com> <CABCOCHStya+LQEPfEfEvWRqeYhccekG8_vC6EYzC5AKy2yXJCA@mail.gmail.com> <022701d099a3$b822c5f0$286851d0$@ndzh.com> <20150529061023.GB1694@elstar.local> <036601d09a28$faab15f0$f00141d0$@ndzh.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <036601d09a28$faab15f0$f00141d0$@ndzh.com>
User-Agent: Mutt/1.4.2.3i
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2rs/32RQPYwGd8vqTJoU5oQEOtDLmag>
Cc: i2rs@ietf.org, chen.ran@zte.com.cn, 'Andy Bierman' <andy@yumaworks.com>, 'Alia Atlas' <akatlas@juniper.net>, 'Jeffrey Haas' <jhaas@pfrc.org>, "'Joel M. Halpern'" <jmh@joelhalpern.com>
Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2015 16:25:19 -0000

Thanks for all the details but I am missing an answer to my question.
Shall I repeat it once more?

/js

On Fri, May 29, 2015 at 12:03:18PM -0400, Susan Hares wrote:
> Juergen: 
> 
>  
> 
> Thank you for asking the question again. I appreciate your patience as I
> attempt to answer your question carefully.  
> 
>  
> 
> Short answer: I2RS strategy is re-use of other protocols rather than invent,
> and this seemed a reasonable place to put it. 
> 
>  
> 
> Context: Jeff's document is a proposal for the requirements for I2RS to the
> NETCONF/NETMOD WG on ephemeral state.  Feedback on the earlier descriptions
> from the I2RS group had been "too vague" so Jeff's document is providing
> detailed requirements.  I2RS is not designing thing for NETCONF only making
> known in detailed terms our requirements to aid the NETCONF group's response
> on whether the I2RS design requirements can be met.   
> 
>  
> 
> Longer Answer:  His proposal arises out of section 4.2 in the I2RS
> architecture document.  This section states: 
> 
>  
> 
> An approach to a similar access control problem is defined in the NetConf
> Access Control Model (NACM) [RFC6536]; it allows arbitrary access to be
> specified for a data node instance identifier while defining meaningful
> manipulable defaults.  The identity within NACM [RFC6536] can be specifying
> as either a user name or a group user name (e.g.  Root), and this name is
> linked a scope policy that contained in a set of access control rules.
> Similarly, it is expected the I2RS identity links to one role which has a
> scope policy specified by a set of access control rules.  This scope policy
> is can be provided via Local Config, exposed as an I2RS Service for
> manipulation by authorized clients, or via some other method (e.g.   AAA
> service).
> 
>  
> 
> You can see in this point that the client identity is being linked to the
> scope policy controlling read or write.  Section 7.8 points out that
> priority "ensures predictability" in write conditions between two I2RS
> Clients trying to write data in one agent, or between an I2RS client and the
> local config.   Jeff's requirements flow out of these two sections in the
> architecture document.   
> 
>  
> 
> What you can do: If you have an alternate suggestion for priority for Jeff's
> document, please make a suggestion and indicate why you think it fits within
> the I2RS architecture document (please list sections). 
> 
>  
> 
> Sue 
> 
>  
> 
> -----Original Message-----
> From: i2rs [mailto:i2rs-bounces@ietf.org] On Behalf Of Juergen Schoenwaelder
> Sent: Friday, May 29, 2015 2:10 AM
> To: Susan Hares
> Cc: i2rs@ietf.org; chen.ran@zte.com.cn; 'Andy Bierman'; 'Alia Atlas';
> 'Jeffrey Haas'; 'Joel M. Halpern'
> Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00
> 
>  
> 
> On Thu, May 28, 2015 at 08:09:23PM -0400, Susan Hares wrote:
> 
> > Andy: 
> 
> > 
> 
> > Thank you for your question.  Let me precise. 
> 
> > 
> 
> > Jeff proposes that clients specify the priority mechanism is an attribute
> that is stored in the NACM list on the agent (see Section 5.2 as described
> in the draft-haas-i2rs-ephemeral-state-reqs-00 (quoted below).   The
> client-Agent identities are load in a mechanism which is out-of-band from
> the I2RS protocol these values.  Into the Client, the Agent's ID is loaded.
> Into the Agent, the valid client's identity is loaded along with the
> client's priority.  AAA (Radius/Diameter) is an example of an out-of-band
> mechanism to pass the information with.  IMU (in my understanding), the NACM
> on the agent is created based on this AAA loading.  The i2rs secondary
> identity is loaded via an edit-config mechanism in a config operation (see
> section 5.1 of Jeff's document.).  Please let me know if my understanding of
> NACM creation based on AAA input is correct.  
> 
> > 
> 
>  
> 
> So I will ask again: If the priority is a property of the I2RS client (this
> is how I understand the I2RS architecture document), why would it be
> configured as part of a NACM rule as suggestd in section 5.2 of
> draft-haas-i2rs-ephemeral-state-reqs-00? Jeff's design makes the priority a
> property of the scope of a NACM group.
> 
>  
> 
> /js
> 
>  
> 
> -- 
> 
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> 
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> 
> Fax:   +49 421 200 3103         < <http://www.jacobs-university.de/>
> http://www.jacobs-university.de/>
> 
>  
> 
> _______________________________________________
> 
> i2rs mailing list
> 
>  <mailto:i2rs@ietf.org> i2rs@ietf.org
> 
>  <https://www.ietf.org/mailman/listinfo/i2rs>
> https://www.ietf.org/mailman/listinfo/i2rs
> 

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

v2.23.0 | Report a Bug | By Email