IETF Logo Mail Archive

Re: [i2rs] draft-chen-i2rs-identifier-management-00

Andy Bierman <andy@yumaworks.com> Fri, 29 May 2015 16:47 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB6DA1ACD7D for <i2rs@ietfa.amsl.com>; Fri, 29 May 2015 09:47:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 93TjQclw10y6 for <i2rs@ietfa.amsl.com>; Fri, 29 May 2015 09:47:20 -0700 (PDT)
Received: from mail-lb0-f169.google.com (mail-lb0-f169.google.com [209.85.217.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AE651ACD7A for <i2rs@ietf.org>; Fri, 29 May 2015 09:47:20 -0700 (PDT)
Received: by lbbqq2 with SMTP id qq2so52164067lbb.3 for <i2rs@ietf.org>; Fri, 29 May 2015 09:47:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=y4+McSnmuQ0iSlC9hUTFKziYCQqdBek551RxQRwdi7s=; b=QDcQWur3G6FYtHy868Jzs9u1Io9t/SJ+crRygZYnnqg49TAyr5WS3pkJW7tXBZmG+W aAdY5sJZs+tJfhc/zNkfp5GyZJfpuG751yJrYRtlOv8sGr2Xl7h+Pb1VoSX1s0zzYYpO llpRsNedp+M5Ga9D6fuAxiCvdBIqMyUjD+NzzEygvwvI3LQ4htAvQW7Fr0EOABFdtvgz mhcJAIqU0vAk1d6gtU8OXjzrjwlWDSdoYGm/eXgfgaACZcaqwmgZt9dNn2ij57hnONc6 h6hO8azFvB/r1B3RZISwhjnU6E5mSHcdKt0thni9VvAg9HaYJKqUzh2w8l9+dgA+8mhY 32vQ==
X-Gm-Message-State: ALoCoQmHLfO9cLjc8sMzvwj0g37JpVW2MWWHK53MUitIxw/mz2S9IWYA3WZF6a4RUWSrvGxjrn+D
MIME-Version: 1.0
X-Received: by 10.152.8.231 with SMTP id u7mr8747637laa.37.1432918038525; Fri, 29 May 2015 09:47:18 -0700 (PDT)
Received: by 10.112.200.102 with HTTP; Fri, 29 May 2015 09:47:18 -0700 (PDT)
In-Reply-To: <20150529162508.GA6146@elstar.local>
References: <20150527220901.GA67473@elstar.local> <556654AB.9030206@joelhalpern.com> <CABCOCHTDRCA_T+m-waEq7MHQ4v=6E=4z33HPWQR1s4349ifkRA@mail.gmail.com> <20150528060502.GA68091@elstar.local> <CABCOCHQdfqaEJ36DktwcN_NYi_SfPT6kRMdEzB9htvkf4qzJUw@mail.gmail.com> <020101d0999d$26fe2750$74fa75f0$@ndzh.com> <CABCOCHStya+LQEPfEfEvWRqeYhccekG8_vC6EYzC5AKy2yXJCA@mail.gmail.com> <022701d099a3$b822c5f0$286851d0$@ndzh.com> <20150529061023.GB1694@elstar.local> <036601d09a28$faab15f0$f00141d0$@ndzh.com> <20150529162508.GA6146@elstar.local>
Date: Fri, 29 May 2015 09:47:18 -0700
Message-ID: <CABCOCHTnqqyZfB=7KPg-RED=PiTJDZfb8yhmqjD-ymK7vmVQFg@mail.gmail.com>
From: Andy Bierman <andy@yumaworks.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Susan Hares <shares@ndzh.com>, "i2rs@ietf.org" <i2rs@ietf.org>, chen.ran@zte.com.cn, Andy Bierman <andy@yumaworks.com>, Alia Atlas <akatlas@juniper.net>, Jeffrey Haas <jhaas@pfrc.org>, "Joel M. Halpern" <jmh@joelhalpern.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2rs/YbLOYsPxsrjpQ-bEWfpq6b7clTg>
Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2015 16:47:23 -0000

On Fri, May 29, 2015 at 9:25 AM, Juergen Schoenwaelder
<j.schoenwaelder@jacobs-university.de> wrote:
> Thanks for all the details but I am missing an answer to my question.
> Shall I repeat it once more?

The proposal is that the priority is a property of each NACM rule.
Since NACM rules can be shared by multiple groups this design will
not actually work.  As Martin pointed out, rules common to multiple
groups will produce data with the same priority.  It should also
be noted that NACM has "default behavior" that is followed even
if no rules are actually configured.

IMO priority is associated with the client.
A client can be placed in multiple NACM groups.
When an edit request is made the client does not
indicate which group should be used.  The server will
pick the highest priority group that the user is a member,
and use that for the priority. (Therefore priority is
not the property of the group either).

It has been suggested that the client can connect multiple times,
and each transport connection will somehow convey a different
priority to the server.  I don't see how this will work.  It seems
that different client names are needed.  This is true whether NACM
or a client mapping table is used.  The system must produce a different
client name in order to use a different priority.



>
> /js

Andy

>
> On Fri, May 29, 2015 at 12:03:18PM -0400, Susan Hares wrote:
>> Juergen:
>>
>>
>>
>> Thank you for asking the question again. I appreciate your patience as I
>> attempt to answer your question carefully.
>>
>>
>>
>> Short answer: I2RS strategy is re-use of other protocols rather than invent,
>> and this seemed a reasonable place to put it.
>>
>>
>>
>> Context: Jeff's document is a proposal for the requirements for I2RS to the
>> NETCONF/NETMOD WG on ephemeral state.  Feedback on the earlier descriptions
>> from the I2RS group had been "too vague" so Jeff's document is providing
>> detailed requirements.  I2RS is not designing thing for NETCONF only making
>> known in detailed terms our requirements to aid the NETCONF group's response
>> on whether the I2RS design requirements can be met.
>>
>>
>>
>> Longer Answer:  His proposal arises out of section 4.2 in the I2RS
>> architecture document.  This section states:
>>
>>
>>
>> An approach to a similar access control problem is defined in the NetConf
>> Access Control Model (NACM) [RFC6536]; it allows arbitrary access to be
>> specified for a data node instance identifier while defining meaningful
>> manipulable defaults.  The identity within NACM [RFC6536] can be specifying
>> as either a user name or a group user name (e.g.  Root), and this name is
>> linked a scope policy that contained in a set of access control rules.
>> Similarly, it is expected the I2RS identity links to one role which has a
>> scope policy specified by a set of access control rules.  This scope policy
>> is can be provided via Local Config, exposed as an I2RS Service for
>> manipulation by authorized clients, or via some other method (e.g.   AAA
>> service).
>>
>>
>>
>> You can see in this point that the client identity is being linked to the
>> scope policy controlling read or write.  Section 7.8 points out that
>> priority "ensures predictability" in write conditions between two I2RS
>> Clients trying to write data in one agent, or between an I2RS client and the
>> local config.   Jeff's requirements flow out of these two sections in the
>> architecture document.
>>
>>
>>
>> What you can do: If you have an alternate suggestion for priority for Jeff's
>> document, please make a suggestion and indicate why you think it fits within
>> the I2RS architecture document (please list sections).
>>
>>
>>
>> Sue
>>
>>
>>
>> -----Original Message-----
>> From: i2rs [mailto:i2rs-bounces@ietf.org] On Behalf Of Juergen Schoenwaelder
>> Sent: Friday, May 29, 2015 2:10 AM
>> To: Susan Hares
>> Cc: i2rs@ietf.org; chen.ran@zte.com.cn; 'Andy Bierman'; 'Alia Atlas';
>> 'Jeffrey Haas'; 'Joel M. Halpern'
>> Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00
>>
>>
>>
>> On Thu, May 28, 2015 at 08:09:23PM -0400, Susan Hares wrote:
>>
>> > Andy:
>>
>> >
>>
>> > Thank you for your question.  Let me precise.
>>
>> >
>>
>> > Jeff proposes that clients specify the priority mechanism is an attribute
>> that is stored in the NACM list on the agent (see Section 5.2 as described
>> in the draft-haas-i2rs-ephemeral-state-reqs-00 (quoted below).   The
>> client-Agent identities are load in a mechanism which is out-of-band from
>> the I2RS protocol these values.  Into the Client, the Agent's ID is loaded.
>> Into the Agent, the valid client's identity is loaded along with the
>> client's priority.  AAA (Radius/Diameter) is an example of an out-of-band
>> mechanism to pass the information with.  IMU (in my understanding), the NACM
>> on the agent is created based on this AAA loading.  The i2rs secondary
>> identity is loaded via an edit-config mechanism in a config operation (see
>> section 5.1 of Jeff's document.).  Please let me know if my understanding of
>> NACM creation based on AAA input is correct.
>>
>> >
>>
>>
>>
>> So I will ask again: If the priority is a property of the I2RS client (this
>> is how I understand the I2RS architecture document), why would it be
>> configured as part of a NACM rule as suggestd in section 5.2 of
>> draft-haas-i2rs-ephemeral-state-reqs-00? Jeff's design makes the priority a
>> property of the scope of a NACM group.
>>
>>
>>
>> /js
>>
>>
>>
>> --
>>
>> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>>
>> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
>>
>> Fax:   +49 421 200 3103         < <http://www.jacobs-university.de/>
>> http://www.jacobs-university.de/>
>>
>>
>>
>> _______________________________________________
>>
>> i2rs mailing list
>>
>>  <mailto:i2rs@ietf.org> i2rs@ietf.org
>>
>>  <https://www.ietf.org/mailman/listinfo/i2rs>
>> https://www.ietf.org/mailman/listinfo/i2rs
>>
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

v2.23.0 | Report a Bug | By Email