Re: [i2rs] Kathleen Moriarty's No Objection on draft-ietf-i2rs-yang-l3-topology-08: (with COMMENT)

"Susan Hares" <shares@ndzh.com> Tue, 24 January 2017 14:30 UTC

From: Susan Hares <shares@ndzh.com>
To: 'Juergen Schoenwaelder' <j.schoenwaelder@jacobs-university.de>
References: <000701d27594$28d12350$7a7369f0$@ndzh.com> <20170123.194721.1193117831378217486.mbj@tail-f.com> <010a01d275b0$183d7360$48b85a20$@ndzh.com> <20170123.212621.119545616051737472.mbj@tail-f.com> <afdfb4d3-0901-2ee0-8d87-f8f1aeeff37e@hq.sk> <019c01d275c4$edf51f30$c9df5d90$@ndzh.com> <20170123221458.GA34192@elstar.local> <029301d27636$f2514690$d6f3d3b0$@ndzh.com> <20170124115221.GD35835@elstar.local>
In-Reply-To: <20170124115221.GD35835@elstar.local>
Date: Tue, 24 Jan 2017 09:25:52 -0500
Message-ID: <02d401d2764d$c5056470$4f102d50$@ndzh.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2rs/3YybfKG6ofk-ubG7qOHG-7Cp3kc>
Cc: i2rs@ietf.org, 'Martin Bjorklund' <mbj@tail-f.com>, draft-ietf-i2rs-yang-l3-topology@ietf.org, i2rs-chairs@ietf.org, 'Robert Varga' <nite@hq.sk>, Kathleen.Moriarty.ietf@gmail.com, iesg@ietf.org
Subject: Re: [i2rs] Kathleen Moriarty's No Objection on draft-ietf-i2rs-yang-l3-topology-08: (with COMMENT)

Juergen and Martin: 

Your question is appropriate at this point.  These YANG modules are I2RS
YANG modules.  Knowing whether they are attached to the configuration data
store or a control plane data store is important.  For that answer, I must
await Benoit and the NETMOD Chairs.

However, the security involved in these data models still has the same
security issues whether it is ephemeral state attached to the configuration
data store or the control plane data store.  The solution is just different.
The 6 issues for I2RS security considerations are:
1) different mandatory-to-implement transport for NETCONF,
2) priority resolving multiple client writes,
3) non-secure transport,
4) different validations with RPC actions,
5) different NACM, RACM, and SACM policy,
6) different data store behavior (ephemeral/configuration or
   ephemeral/Control Plane data store).
Only #6 would operate differently between the two data store choices.

To recap our discussion:  Any I2RS YANG module MUST have security comments
on #1 and #2 if it contains writes.  This particular topology module does
not use #3 and #4 beyond the regular YANG module section.  #5 - The
NACM policy may be the same, but the policy toward the routing system (RACM)
or system information (SACM) is different as the L3 topology models may load
information from routing protocols.  The proposal for I2RS YANG module
security considerations has 3 parts:  A) Basic YANG Security
considerations,  B) I2RS Security considerations for secure transport, and
C) non-secure security considerations.  A+B are all that is needed for
these drafts.

Cheerily, 

Sue Hares 

-----Original Message-----
From: Juergen Schoenwaelder [mailto:j.schoenwaelder@jacobs-university.de] 
Sent: Tuesday, January 24, 2017 6:52 AM
To: Susan Hares
Cc: i2rs@ietf.org; 'Martin Bjorklund';
draft-ietf-i2rs-yang-l3-topology@ietf.org; i2rs-chairs@ietf.org; 'Robert
Varga'; Kathleen.Moriarty.ietf@gmail.com; iesg@ietf.org
Subject: Re: [i2rs] Kathleen Moriarty's No Objection on
draft-ietf-i2rs-yang-l3-topology-08: (with COMMENT)

Susan,

so are these YANG models regular YANG models or are these YANG models
specific to the yet to be defined I2RS protocol and yet to be defined
datastores?

I think this is the core of Martin's and my question. A simple clear and
concise answer would be nice.

/js

On Tue, Jan 24, 2017 at 06:42:30AM -0500, Susan Hares wrote:
> Juergen: 
> 
> Yep.  That's the charter.  draft-ietf-i2rs-yang-network-topo-10.txt is
> a generic topology model.  draft-ietf-i2rs-yang-l3-topology-08.txt is a
> generic topology for L3 unicast.  These support topology extension for
> non-I2RS users.  We met the milestone and delivered the YANG Modules to the
> IESG.  We discussed the "write" feature during WG LC and in the WG.  We
> passed this by AD Benoit Claise who agreed to the reasons presented by
> the draft authors.
> 
> Kinda' missed your comments in the normal comment period (WG LC, IETF LC).
> 
> Sue
> 
> -----Original Message-----
> From: i2rs [mailto:i2rs-bounces@ietf.org] On Behalf Of Juergen 
> Schoenwaelder
> Sent: Monday, January 23, 2017 5:15 PM
> To: Susan Hares
> Cc: i2rs@ietf.org; 'Martin Bjorklund'; 
> draft-ietf-i2rs-yang-l3-topology@ietf.org; i2rs-chairs@ietf.org; 
> 'Robert Varga'; Kathleen.Moriarty.ietf@gmail.com; iesg@ietf.org
> Subject: Re: [i2rs] Kathleen Moriarty's No Objection on
> draft-ietf-i2rs-yang-l3-topology-08: (with COMMENT)
> 
> Perhaps just adding to the confusion, here is what the WG charter
> says:
> 
>     o The ability to extract information about topology from the network.
>       Injection and creation of topology will not be considered as a work
>       item. Such topology-related models will be based on a generic
>       topology model to support multiple uses; the generic topology model
>       should support topology extension for non-I2RS uses.
> 
> And as a milestone:
> 
>   Dec 2016 - Request Publication of Protocol Independent Topology Data Models
> 
> /js
> 
> On Mon, Jan 23, 2017 at 05:06:04PM -0500, Susan Hares wrote:
> > Robert and Martin: 
> > 
> > I agree with Robert that the current implementations of the ODL
> > topology models are handled as part of the configuration data store
> > with ephemeral state.  I will point out that these implementations are
> > pre-standards implementations of the I2RS YANG Data model.
> > 
> > While standardizing the topology data models, the I2RS WG has been
> > asked to align with the draft-ietf-netmod-revised-datastores-00.txt
> > NETMOD WG document.  This NETMOD WG document moves the I2RS
> > ephemeral data store from the configuration data store to a Control
> > Plane data store.  If we follow this draft, the I2RS Topology models
> > are part of the I2RS ephemeral data store.
> > If you disagree with the placement of the Topology data models,
> > please indicate this to the NETMOD WG and to Benoit.  Could you
> > propose a way that you would see the ephemeral state working with
> > the configuration data store to the NETMOD WG?
> > 
> > Quite frankly, I feel a bit of whip-lash on this topic.  NETMOD WG asks
> > for a Control Plane Data store.  You ask for the configuration data store
> > (which was the I2RS initial proposal).  It is possible for either one to
> > work for I2RS Topology models - if the right details are taken care of.
> > How do we make progress on choosing one method so we can write the I2RS
> > Topology Models' security considerations?
> > 
> > Sue
> >   
> > -----Original Message-----
> > From: Robert Varga [mailto:nite@hq.sk]
> > Sent: Monday, January 23, 2017 4:11 PM
> > To: Martin Bjorklund; shares@ndzh.com
> > Cc: i2rs@ietf.org; draft-ietf-i2rs-yang-l3-topology@ietf.org;
> > j.schoenwaelder@jacobs-university.de; i2rs-chairs@ietf.org; 
> > Kathleen.Moriarty.ietf@gmail.com; iesg@ietf.org
> > Subject: Re: [i2rs] Kathleen Moriarty's No Objection on
> > draft-ietf-i2rs-yang-l3-topology-08: (with COMMENT)
> > 
> > On 01/23/2017 09:26 PM, Martin Bjorklund wrote:
> > >> I'm pulling your questions to the top of this email.
> > >>
> > >> Question 1: Ok.  Just to make sure I understand this correctly -
> > >> these topology models are intended to be I2RS-specific, and they
> > >> cannot be used for any other purpose.  If anyone needs a general
> > >> topology model outside of the I2RS protocol, they will have to
> > >> design their own model.  Is this correct?
> > >>
> > >> Response 1:  Not really.
> > > Ok, so are you saying that the models are in fact generic, and can 
> > > be used outside of I2RS?  I.e., they *can* be used with the normal 
> > > configuration datastores?
> > > 
> > 
> > From implementation experience, yes, they can be used for storing
> > configuration. OpenDaylight uses (an ancient predecessor of)
> > yang-network-topo to store configuration details about devices in its
> > managed networks.
> > 
> > Regards,
> > Robert
> > 
> > 
> 
> -- 
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
> 
> _______________________________________________
> i2rs mailing list
> i2rs@ietf.org
> https://www.ietf.org/mailman/listinfo/i2rs
> 

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>