Re: [i2rs] draft-chen-i2rs-identifier-management-00
Andy Bierman <andy@yumaworks.com> Fri, 29 May 2015 16:59 UTC
Return-Path: <andy@yumaworks.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A1E61ACDD1 for <i2rs@ietfa.amsl.com>; Fri, 29 May 2015 09:59:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.779
X-Spam-Level:
X-Spam-Status: No, score=-0.779 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_31=0.6, J_CHICKENPOX_64=0.6, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n6BXWutewPEd for <i2rs@ietfa.amsl.com>; Fri, 29 May 2015 09:58:57 -0700 (PDT)
Received: from mail-lb0-f170.google.com (mail-lb0-f170.google.com [209.85.217.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4206A1ACDEE for <i2rs@ietf.org>; Fri, 29 May 2015 09:58:14 -0700 (PDT)
Received: by lbcmx3 with SMTP id mx3so52392862lbc.1 for <i2rs@ietf.org>; Fri, 29 May 2015 09:58:12 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=xRIMWFlOqh5Ngu+tSIrIuo6NBiUkrlFVE5M4SuatF1k=; b=AaBlNsFSHr/WLPAzty299ipbex72XZYtdMaXSIRVPd0F40Exbvb017xHYtnFk0GzE9 XUUFRiQGs7G2CAR0kGWPX00FBP7Psp/xvwdbkfMVpZRk4zW0fSR+uk5zPezKAqQ5WOHj 7bXdjVouL6wM2gGIyOsW/NuyuGn+6eLr+oX3mxij7D/ql0GvWs2ISiQ6/F2rfQptF6B3 pLwCyR+qbUDz+qj/9ZgaYJClBm5/nQ7gleDvG967Fsl26V8d5Nf7jylAGvn41BrhP3nz pgezSf8j4D8oS/lui29JoCwLHslvuMYeFu1NF5yRikJUTuy6dw+wtTrn2tcviLVO9ROo flnQ==
X-Gm-Message-State: ALoCoQmabFAyrel0Z5P35uSr5Z9S0ikquKcs1KKe/NjoOt+vi63i57hfS8Xtw1whAT0VEWjIgF6F
MIME-Version: 1.0
X-Received: by 10.152.115.207 with SMTP id jq15mr1269294lab.119.1432918692808; Fri, 29 May 2015 09:58:12 -0700 (PDT)
Received: by 10.112.200.102 with HTTP; Fri, 29 May 2015 09:58:12 -0700 (PDT)
In-Reply-To: <039401d09a2e$316b40b0$9441c210$@ndzh.com>
References: <011e01d098ae$4e254060$ea6fc120$@ndzh.com> <20150527220901.GA67473@elstar.local> <556654AB.9030206@joelhalpern.com> <CABCOCHTDRCA_T+m-waEq7MHQ4v=6E=4z33HPWQR1s4349ifkRA@mail.gmail.com> <20150528060502.GA68091@elstar.local> <CABCOCHQdfqaEJ36DktwcN_NYi_SfPT6kRMdEzB9htvkf4qzJUw@mail.gmail.com> <020101d0999d$26fe2750$74fa75f0$@ndzh.com> <CABCOCHStya+LQEPfEfEvWRqeYhccekG8_vC6EYzC5AKy2yXJCA@mail.gmail.com> <022701d099a3$b822c5f0$286851d0$@ndzh.com> <CABCOCHRSFut_ryO41WewUw97wF1KYBztReg7LSonbAwk1A6f5A@mail.gmail.com> <039401d09a2e$316b40b0$9441c210$@ndzh.com>
Date: Fri, 29 May 2015 09:58:12 -0700
Message-ID: <CABCOCHSxgkNn7U2=QdN1RezXMN1NJf+QkNRNu=pOJ3aknLTn=w@mail.gmail.com>
From: Andy Bierman <andy@yumaworks.com>
To: Susan Hares <shares@ndzh.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2rs/_0_oKLXxF1N9JEnbNpZa0-1x0HM>
Cc: Jeff Haas <jhaas@juniper.net>, "i2rs@ietf.org" <i2rs@ietf.org>, Alia Atlas <akatlas@juniper.net>, Joel Halpern Direct <jmh.direct@joelhalpern.com>
Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2015 16:59:00 -0000
On Fri, May 29, 2015 at 9:40 AM, Susan Hares <shares@ndzh.com> wrote: > Andy: > > Just to clarify is this an a > > "That is an optional mode [of NACM]. There is also a local users table > that can be used." Can you provide an example? Is this an alternate > proposal to Jeff's proposal on NACM? > Actually the local user table is in ietf-system.yang: http://www.netconfcentral.org/modules/ietf-system/2014-08-06#user.659 The 'user-name' leaf-list in the NACM 'group' list is populated by the administrator. The actual values are irrelevant to NACM. They can be local users, Radius, or anything else. Adding a user-name to this list does not in any way enable the server to accept sessions from that user. This is outside the scope of NACM. > Sue Hares Andy > > -----Original Message----- > From: i2rs [mailto:i2rs-bounces@ietf.org] On Behalf Of Andy Bierman > Sent: Thursday, May 28, 2015 8:23 PM > To: Susan Hares > Cc: i2rs@ietf.org; chen.ran@zte.com.cn; Juergen Schoenwaelder; Alia Atlas; > Jeffrey Haas; Joel M. Halpern > Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00 > > On Thu, May 28, 2015 at 5:09 PM, Susan Hares <shares@ndzh.com> wrote: >> Andy: >> >> Thank you for your question. Let me precise. >> >> Jeff proposes that clients specify the priority mechanism is an attribute > that is stored in the NACM list on the agent (see Section 5.2 as described > in the draft-haas-i2rs-ephemeral-state-reqs-00 (quoted below). The > client-Agent identities are load in a mechanism which is out-of-band from > the I2RS protocol these values. Into the Client, the Agent's ID is loaded. > Into the Agent, the valid client's identity is loaded along with the > client's priority. AAA (Radius/Diameter) is an example of an out-of-band > mechanism to pass the information with. IMU (in my understanding), the NACM > on the agent is created based on this AAA loading. The i2rs secondary > identity is loaded via an edit-config mechanism in a config operation (see > section 5.1 of Jeff's document.). Please let me know if my understanding of > NACM creation based on AAA input is correct. >> > > That is an optional mode. > There is also a local users table that can be used. > > [Sue]: You mean this is an optional mode of NACM? Can you give me a > reference for the local users table? Is it RFC6536 in section 2.5 where a > configurable set of users can be defined, and linked to a NACM (section > 3.1.1)? Can you provide an example how the local users table could be > used? > > >> I2RS Module Nodes (E.g. I2RS RIB routes) are written within an Agent will > be annotated with meta-data with the client-id, priority, and secondary ID. >> >> The only proposed change to section 5.2 requirements is to the >> sentence "Additionally, during commit processing, if >> nodes are found where i2rs-priority is already present, and the >> priority is better than the transaction's user's priority for that >> node, the commit SHALL fail. >> >> " Additionally, during commit processing" is incorrect because there is > not commit processing. Jeff stated we are still working with both NETCONF > and RESTCONF - so we must allow for a commit process. In the meeting I > noted that the architecture indicates a change is possible only if the > priority is greater than (>) existing priority. (First rather than last). > Therefore this text should read: "Additionally, during the operation > (RESTCONF)/Commit (NETCONF) processing, if the nodes are found where > i2rs-priority is already present, and the priority is equal to or better > than the transaction's user's priority for the node, the operation/commit > SHALL fail." >> >> Do you have any suggestions for modifications to section 5 of Jeff's > document? >> >> Sue >> >> ============================ >> Jeff's document 5.2 states: >> >> To support Multi-Headed Control, I2RS requires that there be a >> decidable means of arbitrating the correct state of data when >> multiple clients attempt to manipulate the same piece of data. This >> is done via a priority mechanism with the highest priority winning. >> This priority may vary on a per-node or sub-tree basis based for a >> given identity. >> >> This further implies that priority is an attribute that is stored in >> the NETCONF Access Control Model [RFC6536] as part of a rule-list. >> E.g.: >> >> Ephemeral configuration state nodes that are created or altered by >> users that match a rule carrying i2rs-priority will have those nodes >> annotated with metadata. Additionally, during commit processing, if >> nodes are found where i2rs-priority is already present, and the >> priority is better than the transaction's user's priority for that >> node, the commit SHALL fail. An appropriate error should be returned >> to the user stating the nodes where the user had insufficient >> priority to override the state. >> > > > The last paragraph sounds like some nodes will be accepted and others > rejected. > If any nodes are rejected, the entire edit should be rejected. > > I don;t think the rule-list should store the client priority. > It should be in the 'group' list, or outside NACM completely. > > > Andy > >> >> >> -----Original Message----- >> From: Andy Bierman [mailto:andy@yumaworks.com] >> Sent: Thursday, May 28, 2015 7:40 PM >> To: Susan Hares >> Cc: Juergen Schoenwaelder; Joel M. Halpern; Jeffrey Haas; >> i2rs@ietf.org; chen.ran@zte.com.cn; Alia Atlas >> Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00 >> >> On Thu, May 28, 2015 at 4:22 PM, Susan Hares <shares@ndzh.com> wrote: >>> Andy: >>> >>> Yes - the client with priority and secondary identity are inherently > simple additions. Can you confirm my understanding below based on Jeff's > document? >>> >> >> Not sure what you mean. >> i don't think the client should provide the priority in request messages. >> This is configured on the agent, not requested by the client. >> >> >>> Can you explain your statement "I do not want to change NETCONF or > RESTCONF to use client priority?" What are you proposing that you do not > want to add the NACM list the priority? >> >> I don't want to change NETCONF and RESTCONF so that config=true objects > use priority. Only I2RS should use it. >> >>> >>> Sue >> >> Andy >> >>> =============== >>> >>> Example >>> ------------------------ >>> 1) any multiple TCP sessions from a client application will use a > different ID if they want a different priority for write of an object >>> Application 1: TCP session 1 - priority 1, > secondary-identity "pub-sub monitor" >>> Application 1: TCP session 2 - priority 10, > secondary-identity "tracing monitor" >>> Application 1: TCP session 3 - priority 20, opaque "Weekly > config" >>> Application 1: TCP session 4 - priority 55, opaque "Emergency > config" >>> >>> Jeff's META-data example: >>> >>> <foo xmlns:i2rs="https://ietf.example.com/i2rs" >>> i2rs:i2rs-secondary-identity="user1" i2rs:i2rs-priority="47"> >>> ... >>> </foo> >>> >>> For my example TCP session 1 >>> <foo xmlns:i2rs="http:s//ietf.example.com/i2rs" >>> I2rs:i2rs-secondary-identity="pub-sub montior" >>> i2rs:i2rs-priority="1"> >>> >>> Juergen's client example: >>> >>> list i2rs-client { >>> key name; >>> leaf name { >>> description "The client name"; >>> type i2rs:client-name; >>> } >>> leaf priority { >>> description "The priority value assigned to this client."; >>> type i2rs:client-priority; >>> } >>> } >>> >>> +--rw rule-list [name] >>> +--rw name string >>> +--rw group* union >>> +--rw rule [name] >>> +--rw name string >>> +--rw module-name? union >>> +--rw (rule-type)? >>> | +--:(protocol-operation) >>> | | +--rw rpc-name? union >>> | +--:(notification) >>> | | +--rw notification-name? union >>> | +--:(data-node) >>> | +--rw path node-instance-identifier >>> +--rw access-operations? union >>> +--rw action action-type >>> +--rw comment? string >>> +--rw i2rs:i2rs-priority i2rs-priority-type >>> >>> Are you proposing something different than Jeff's proposal? >>> >>> Sue >>> >>> -----Original Message----- >>> From: Andy Bierman [mailto:andy@yumaworks.com] >>> Sent: Thursday, May 28, 2015 11:17 AM >>> To: Juergen Schoenwaelder; Andy Bierman; Joel M. Halpern; Jeffrey >>> Haas; i2rs@ietf.org; chen.ran@zte.com.cn; Alia Atlas; Susan Hares >>> Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00 >>> >>> On Wed, May 27, 2015 at 11:05 PM, Juergen Schoenwaelder > <j.schoenwaelder@jacobs-university.de> wrote: >>>> On Wed, May 27, 2015 at 06:04:58PM -0700, Andy Bierman wrote: >>>>> >>>>> Although I should be promoting use of NACM, I am not so sure it >>>>> should be mandatory for I2RS or required to configure I2RS client > priority. >>>>> >>>>> list i2rs-client { >>>>> key name; >>>>> leaf name { >>>>> description "The client name"; >>>>> type i2rs:client-name; >>>>> } >>>>> leaf priority { >>>>> description "The priority value assigned to this client."; >>>>> type i2rs:client-priority; >>>>> } >>>>> } >>>> >>>> So what is i2rs:client-name - is it any different from a >>>> NETCONF/RESTCONF username? >>>> >>> >>> Is is probably not different. >>> >>> >>>> NACM maps user names into groups and NACM allows to have the mapping >>>> supplied by an external source (e.g. RADIUS). If this priority >>>> mapping is kept separate from NACM, would we need to provision means >>>> to get the priority from AAA as well? >>>> >>> >>> My point showing the 2 item list is that the information needed to > implement I2RS client priority is rather trivial. >>> It can certainly be made really complicated by the IETF, but it is an > inherently trivial configuration. >>> >>>> And the bigger question: Do we create something specific for I2RS or >>>> are we going to extend the generic YANG/NC/RC framework to provide >>>> the tools I2RS needs? This is probably a question the NETCONF WG has >>>> to answer. >>> >>> It is good to make reusable features. >>> I don't want to change NETCONF or RESTCONF to use client priority. >>> Let I2RS prove it is useful first. I am not convinced it will really > help. >>> It seems like an implementation detail that is being turned into ad > administrative task. If multiple clients from multiple vendors are stepping > on each other, then the likely outcome of a priority change by the > administrator will be to select which clients should continue working and > which should be broken. >>> >>> >>>> >>>> /js >>>> >>> >>> Andy >>> >>>> -- >>>> Juergen Schoenwaelder Jacobs University Bremen gGmbH >>>> Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany >>>> Fax: +49 421 200 3103 <http://www.jacobs-university.de/> >>> >>> _______________________________________________ >>> i2rs mailing list >>> i2rs@ietf.org >>> https://www.ietf.org/mailman/listinfo/i2rs >> > > _______________________________________________ > i2rs mailing list > i2rs@ietf.org > https://www.ietf.org/mailman/listinfo/i2rs >
- [i2rs] draft-chen-i2rs-identifier-management-00 Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Juergen Schoenwaelder
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Joel M. Halpern
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Juergen Schoenwaelder
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Joel M. Halpern
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Juergen Schoenwaelder
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Juergen Schoenwaelder
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Juergen Schoenwaelder
- Re: [i2rs] I2RS priority location Joel M. Halpern
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Joel M. Halpern
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Joel M. Halpern
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Martin Bjorklund
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Alia Atlas
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Alia Atlas
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Andy Bierman
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Susan Hares
- Re: [i2rs] draft-chen-i2rs-identifier-management-… Jeffrey Haas