Re: [i2rs] topo model use of NACM
"Susan Hares" <shares@ndzh.com> Thu, 16 February 2017 19:52 UTC
Return-Path: <shares@ndzh.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 323CC128E18 for <i2rs@ietfa.amsl.com>; Thu, 16 Feb 2017 11:52:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.946
X-Spam-Level:
X-Spam-Status: No, score=0.946 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DOS_OUTLOOK_TO_MX=2.845, HTML_MESSAGE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BORjY89-cs4R for <i2rs@ietfa.amsl.com>; Thu, 16 Feb 2017 11:52:13 -0800 (PST)
Received: from hickoryhill-consulting.com (50-245-122-97-static.hfc.comcastbusiness.net [50.245.122.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A36DA129689 for <i2rs@ietf.org>; Thu, 16 Feb 2017 11:52:12 -0800 (PST)
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=70.194.20.38;
From: Susan Hares <shares@ndzh.com>
To: 'Andy Bierman' <andy@yumaworks.com>, i2rs@ietf.org
References: <CABCOCHT6E=_ojQvDp+iSd3roShFn3E1VhAyP0dFcP3Q7SLNWag@mail.gmail.com>
In-Reply-To: <CABCOCHT6E=_ojQvDp+iSd3roShFn3E1VhAyP0dFcP3Q7SLNWag@mail.gmail.com>
Date: Thu, 16 Feb 2017 14:47:16 -0500
Message-ID: <054b01d2888d$7aa8e120$6ffaa360$@ndzh.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_054C_01D28863.91D4D4F0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQI5e8ZMvi/EETguMJznKI7RJqEheaCeHo7A
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2rs/Lg7ODq1JWfT00rqnw0XrdtnZTag>
Subject: Re: [i2rs] topo model use of NACM
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2017 19:52:15 -0000
Andy: <chair hat off, individual contributor hat on> AFAIK – I believe the revised data store model is right approach. It is an important question to ask whether the ability to have a mixture of “server-provided” and “configured” is important for all topology models. I hope Xufeng and other topology models will comment on this point. Does the NETCONF data store in the revised data-store future include the control plane data stores? I thought the answer was “no” it does not. Here’s some text from draft-ietf-netconf-rfc6536bis that leads me to believe that On NACM, draft-ietf-netconf-rfc6536bis it says: It is necessary to control access to specific nodes and subtrees within the NETCONF datastore, regardless of which protocol operation, standard or proprietary, was used to access the datastore. <https://tools.ietf.org/html/draft-ietf-netconf-rfc6536bis-00#section-3.2> 3.2. Datastore Access The same access control rules apply to all datastores, for example, the candidate configuration datastore or the running configuration datastore. Only the standard NETCONF datastores (candidate, running, and startup) are controlled by NACM. Local or remote files or datastores accessed via the <url> parameter are not controlled by NACM. A standalone RESTCONF server (i.e., not co-located with a NETCONF server) applies NACM rules to a conceptual datastore, since datastores are not supported in RESTCONF. =========== The I2RS security environment actually looks at 3 policies on the server Network Access ß-à server ß-à routing-system access (aka I2RS agent) |ßà System access It also looks at application access to the client Network accessßà client ßà application-access The protocol only needs to consider the NACM Access, but the routing infrastructure need to consider the server to/from routing system, and server to/from system. My understanding is that the Routing system access control module (RACM) and the system access control module (SACM) functions were not in NACM. Thanks again for posting, Sue From: i2rs [mailto:i2rs-bounces@ietf.org] On Behalf Of Andy Bierman Sent: Thursday, February 16, 2017 2:00 PM To: i2rs@ietf.org Subject: [i2rs] topo model use of NACM Hi, The use of NACM for server-provided data is under-specified (at best) from sec. 4.1: Finally, there is an object "server-provided". This object is state that indicates how the network came into being. Network data can come into being in one of two ways. In one way, network data is configured by client applications, for example in case of overlay networks that are configured by an SDN Controller application. In annother way, it is populated by the server, in case of networks that can be discovered. If server-provided is set to false, the network was configured by a client application, for example in the case of an overlay network that is configured by a controller application. If server-provided is set to true, the network was populated by the server itself, respectively an application on the server that is able to discover the network. Client applications SHOULD NOT modify configurations of networks for which "server-provided" is true. When they do, they need to be aware that any modifications they make are subject to be reverted by the server. For servers that support NACM (Netconf Access Control Model), data node rules should ideally prevent write access by other clients to network instances for which server- provided is set to true. The SHOULD NOT above is really odd, considering is not supported by YANG or the NC/RC protocols. "data node rules should ideally prevent" s/should/SHOULD/ Ideally prevent? Is that a new engineering term? Either this new usage of NACM works or it doesn't. Also, there is no guidance or examples of the NACM config that the server is supposed to magically create for server-provided topology data. There is nothing in NACM at all about server-created data rules. This is not supported by NACM. Does the I2RS text imply that the server-provided property extends to the NACM sub-trees? They are also subject to replacement by the server? The client SHOULD NOT change these NACM rules? IMO the way this server-provided property is being done is a short-sighted point solution, but this should be a fundamental part of the revised datastores work. Is there something special about network topology such that server-provided data for a different module will require a different solution? If not, is the topo module solution reusable? Andy
- [i2rs] topo model use of NACM Andy Bierman
- Re: [i2rs] topo model use of NACM Susan Hares
- Re: [i2rs] topo model use of NACM Susan Hares
- Re: [i2rs] topo model use of NACM Andy Bierman
- Re: [i2rs] topo model use of NACM Alexander Clemm
- Re: [i2rs] topo model use of NACM Martin Bjorklund
- Re: [i2rs] topo model use of NACM Andy Bierman
- Re: [i2rs] topo model use of NACM Alexander Clemm
- Re: [i2rs] topo model use of NACM Kent Watsen
- Re: [i2rs] topo model use of NACM Robert Wilton
- Re: [i2rs] topo model use of NACM Andy Bierman