IETF Logo Mail Archive

Re: [i2rs] draft-chen-i2rs-identifier-management-00

"Susan Hares" <shares@ndzh.com> Fri, 29 May 2015 16:40 UTC

Return-Path: <shares@ndzh.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AB9A1ACD4F for <i2rs@ietfa.amsl.com>; Fri, 29 May 2015 09:40:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -97.855
X-Spam-Level:
X-Spam-Status: No, score=-97.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DOS_OUTLOOK_TO_MX=2.845, J_CHICKENPOX_31=0.6, J_CHICKENPOX_64=0.6, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zaX5Nm6JhpJd for <i2rs@ietfa.amsl.com>; Fri, 29 May 2015 09:40:45 -0700 (PDT)
Received: from hickoryhill-consulting.com (hhc-web3.hickoryhill-consulting.com [64.9.205.143]) by ietfa.amsl.com (Postfix) with ESMTP id ADEC11A8965 for <i2rs@ietf.org>; Fri, 29 May 2015 09:40:44 -0700 (PDT)
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=174.124.178.112;
From: Susan Hares <shares@ndzh.com>
To: 'Andy Bierman' <andy@yumaworks.com>
References: <011e01d098ae$4e254060$ea6fc120$@ndzh.com> <20150527220901.GA67473@elstar.local> <556654AB.9030206@joelhalpern.com> <CABCOCHTDRCA_T+m-waEq7MHQ4v=6E=4z33HPWQR1s4349ifkRA@mail.gmail.com> <20150528060502.GA68091@elstar.local> <CABCOCHQdfqaEJ36DktwcN_NYi_SfPT6kRMdEzB9htvkf4qzJUw@mail.gmail.com> <020101d0999d$26fe2750$74fa75f0$@ndzh.com> <CABCOCHStya+LQEPfEfEvWRqeYhccekG8_vC6EYzC5AKy2yXJCA@mail.gmail.com> <022701d099a3$b822c5f0$286851d0$@ndzh.com> <CABCOCHRSFut_ryO41WewUw97wF1KYBztReg7LSonbAwk1A6f5A@mail.gmail.com>
In-Reply-To: <CABCOCHRSFut_ryO41WewUw97wF1KYBztReg7LSonbAwk1A6f5A@mail.gmail.com>
Date: Fri, 29 May 2015 12:40:37 -0400
Message-ID: <039401d09a2e$316b40b0$9441c210$@ndzh.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGI6C04Ci0f96gPWxVoZalfyv/7wwJfjQnEAsEyPOABJ9tNNAHvw66tAZaM50oC52zYuQF0Do88AfI3sF8CmAVz4p2M5Fhg
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2rs/U0E-tx9-CMOgaCYzjFbuH2rvlnE>
Cc: 'Jeff Haas' <jhaas@juniper.net>, i2rs@ietf.org, 'Alia Atlas' <akatlas@juniper.net>, 'Joel Halpern Direct' <jmh.direct@joelhalpern.com>
Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2015 16:40:47 -0000

Andy: 

Just to clarify is this an a

  "That is an optional mode [of NACM]. There is also a local users table
that can be used."   Can you provide an example?  Is this an alternate
proposal to Jeff's proposal on NACM? 

 Sue Hares

-----Original Message-----
From: i2rs [mailto:i2rs-bounces@ietf.org] On Behalf Of Andy Bierman
Sent: Thursday, May 28, 2015 8:23 PM
To: Susan Hares
Cc: i2rs@ietf.org; chen.ran@zte.com.cn; Juergen Schoenwaelder; Alia Atlas;
Jeffrey Haas; Joel M. Halpern
Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00

On Thu, May 28, 2015 at 5:09 PM, Susan Hares <shares@ndzh.com> wrote:
> Andy:
>
> Thank you for your question.  Let me precise.
>
> Jeff proposes that clients specify the priority mechanism is an attribute
that is stored in the NACM list on the agent (see Section 5.2 as described
in the draft-haas-i2rs-ephemeral-state-reqs-00 (quoted below).   The
client-Agent identities are load in a mechanism which is out-of-band from
the I2RS protocol these values.  Into the Client, the Agent's ID is loaded.
Into the Agent, the valid client's identity is loaded along with the
client's priority.  AAA (Radius/Diameter) is an example of an out-of-band
mechanism to pass the information with.  IMU (in my understanding), the NACM
on the agent is created based on this AAA loading.  The i2rs secondary
identity is loaded via an edit-config mechanism in a config operation (see
section 5.1 of Jeff's document.).  Please let me know if my understanding of
NACM creation based on AAA input is correct.
>

That is an optional mode.
There is also a local users table that can be used.

[Sue]: You mean this is an optional mode of NACM?  Can you give me a
reference for the local users table?  Is it RFC6536 in section 2.5 where a
configurable set of users can be defined, and linked to a NACM (section
3.1.1)?  Can you provide an example  how the local users table could be
used? 


> I2RS Module Nodes (E.g. I2RS RIB routes) are written within an Agent will
be annotated with meta-data with the client-id, priority, and secondary ID.
>
> The only proposed change to section 5.2 requirements is to the 
> sentence "Additionally, during commit processing, if
>    nodes are found where i2rs-priority is already present, and the
>    priority is better than the transaction's user's priority for that
>    node, the commit SHALL fail.
>
> " Additionally, during commit processing" is incorrect because there is
not commit processing.   Jeff stated we are still working with both NETCONF
and RESTCONF - so we must allow for a commit process.  In the meeting I
noted that the architecture indicates a change is possible only if the
priority is greater than (>) existing priority.  (First rather than last).
Therefore this text should read:  "Additionally, during the operation
(RESTCONF)/Commit (NETCONF) processing, if the nodes are found where
i2rs-priority is already present, and the priority is equal to or better
than the transaction's user's priority for the node, the operation/commit
SHALL fail."
>
> Do you have any suggestions for modifications to section 5 of Jeff's
document?
>
> Sue
>
> ============================
> Jeff's document 5.2 states:
>
>   To support Multi-Headed Control, I2RS requires that there be a
>    decidable means of arbitrating the correct state of data when
>    multiple clients attempt to manipulate the same piece of data.  This
>    is done via a priority mechanism with the highest priority winning.
>    This priority may vary on a per-node or sub-tree basis based for a
>    given identity.
>
>    This further implies that priority is an attribute that is stored in
>    the NETCONF Access Control Model [RFC6536] as part of a rule-list.
>    E.g.:
>
>    Ephemeral configuration state nodes that are created or altered by
>    users that match a rule carrying i2rs-priority will have those nodes
>    annotated with metadata.  Additionally, during commit processing, if
>    nodes are found where i2rs-priority is already present, and the
>    priority is better than the transaction's user's priority for that
>    node, the commit SHALL fail.  An appropriate error should be returned
>    to the user stating the nodes where the user had insufficient
>    priority to override the state.
>


The last paragraph sounds like some nodes will be accepted and others
rejected.
If any nodes are rejected, the entire edit should be rejected.

I don;t think the rule-list should store the client priority.
It should be in the 'group' list, or outside NACM completely.


Andy

>
>
> -----Original Message-----
> From: Andy Bierman [mailto:andy@yumaworks.com]
> Sent: Thursday, May 28, 2015 7:40 PM
> To: Susan Hares
> Cc: Juergen Schoenwaelder; Joel M. Halpern; Jeffrey Haas; 
> i2rs@ietf.org; chen.ran@zte.com.cn; Alia Atlas
> Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00
>
> On Thu, May 28, 2015 at 4:22 PM, Susan Hares <shares@ndzh.com> wrote:
>> Andy:
>>
>> Yes - the client with priority and secondary identity are inherently
simple additions.   Can you confirm my understanding below based on Jeff's
document?
>>
>
> Not sure what you mean.
> i don't think the client should provide the priority in request messages.
> This is configured on the agent, not requested by the client.
>
>
>> Can you explain  your statement "I do not want to change NETCONF or
RESTCONF to use client priority?"  What are you proposing that you do not
want to add the NACM list the priority?
>
> I don't want to change NETCONF and RESTCONF so that config=true objects
use priority.  Only I2RS should use it.
>
>>
>> Sue
>
> Andy
>
>> ===============
>>
>> Example
>> ------------------------
>> 1) any multiple TCP sessions from a client application will use a
different ID if they want a different priority for write of an object
>>              Application 1:  TCP session 1 -  priority 1,
secondary-identity  "pub-sub monitor"
>>              Application 1:  TCP session 2 - priority 10,
secondary-identity "tracing monitor"
>>         Application 1:  TCP session 3 -  priority 20, opaque "Weekly
config"
>>         Application 1:  TCP session 4 -  priority 55, opaque "Emergency
config"
>>
>> Jeff's META-data  example:
>>
>>   <foo xmlns:i2rs="https://ietf.example.com/i2rs"
>>         i2rs:i2rs-secondary-identity="user1" i2rs:i2rs-priority="47">
>>        ...
>>    </foo>
>>
>> For my example TCP session 1
>>    <foo xmlns:i2rs="http:s//ietf.example.com/i2rs"
>>         I2rs:i2rs-secondary-identity="pub-sub montior"
>> i2rs:i2rs-priority="1">
>>
>> Juergen's client example:
>>
>>     list i2rs-client {
>>        key name;
>>       leaf name {
>>          description "The client name";
>>          type i2rs:client-name;
>>        }
>>        leaf priority {
>>           description "The priority value assigned to this client.";
>>          type i2rs:client-priority;
>>       }
>>     }
>>
>>    +--rw rule-list [name]
>>       +--rw name     string
>>       +--rw group*   union
>>       +--rw rule [name]
>>          +--rw name string
>>          +--rw module-name?  union
>>          +--rw (rule-type)?
>>          |  +--:(protocol-operation)
>>          |  |  +--rw rpc-name?  union
>>          |  +--:(notification)
>>          |  |  +--rw notification-name?  union
>>          |  +--:(data-node)
>>          |     +--rw path node-instance-identifier
>>          +--rw access-operations?  union
>>          +--rw action action-type
>>          +--rw comment?  string
>>          +--rw i2rs:i2rs-priority i2rs-priority-type
>>
>> Are you proposing something different than Jeff's proposal?
>>
>> Sue
>>
>> -----Original Message-----
>> From: Andy Bierman [mailto:andy@yumaworks.com]
>> Sent: Thursday, May 28, 2015 11:17 AM
>> To: Juergen Schoenwaelder; Andy Bierman; Joel M. Halpern; Jeffrey 
>> Haas; i2rs@ietf.org; chen.ran@zte.com.cn; Alia Atlas; Susan Hares
>> Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00
>>
>> On Wed, May 27, 2015 at 11:05 PM, Juergen Schoenwaelder
<j.schoenwaelder@jacobs-university.de> wrote:
>>> On Wed, May 27, 2015 at 06:04:58PM -0700, Andy Bierman wrote:
>>>>
>>>> Although I should be promoting use of NACM, I am not so sure it 
>>>> should be mandatory for I2RS or required to configure I2RS client
priority.
>>>>
>>>>    list i2rs-client {
>>>>       key name;
>>>>       leaf name {
>>>>          description "The client name";
>>>>          type i2rs:client-name;
>>>>       }
>>>>       leaf priority {
>>>>         description "The priority value assigned to this client.";
>>>>         type i2rs:client-priority;
>>>>      }
>>>>   }
>>>
>>> So what is i2rs:client-name - is it any different from a 
>>> NETCONF/RESTCONF username?
>>>
>>
>> Is is probably not different.
>>
>>
>>> NACM maps user names into groups and NACM allows to have the mapping 
>>> supplied by an external source (e.g. RADIUS). If this priority 
>>> mapping is kept separate from NACM, would we need to provision means 
>>> to get the priority from AAA as well?
>>>
>>
>> My point showing the 2 item list is that the information needed to
implement I2RS client priority is rather trivial.
>> It can certainly be made really complicated by the IETF, but it is an
inherently trivial configuration.
>>
>>> And the bigger question: Do we create something specific for I2RS or 
>>> are we going to extend the generic YANG/NC/RC framework to provide 
>>> the tools I2RS needs? This is probably a question the NETCONF WG has 
>>> to answer.
>>
>> It is good to make reusable features.
>> I don't want to change NETCONF or RESTCONF to use client priority.
>> Let I2RS prove it is useful first.  I am not convinced it will really
help.
>> It seems like an implementation detail that is being turned into ad
administrative task.  If multiple clients from multiple vendors are stepping
on each other, then the likely outcome of a priority change by the
administrator will be to select which clients should continue working and
which should be broken.
>>
>>
>>>
>>> /js
>>>
>>
>> Andy
>>
>>> --
>>> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>>> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
>>> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
>>
>> _______________________________________________
>> i2rs mailing list
>> i2rs@ietf.org
>> https://www.ietf.org/mailman/listinfo/i2rs
>

_______________________________________________
i2rs mailing list
i2rs@ietf.org
https://www.ietf.org/mailman/listinfo/i2rs

v2.23.0 | Report a Bug | By Email