IETF Logo Mail Archive

Re: [i2rs] Kathleen Moriarty's No Objection on draft-ietf-i2rs-yang-l3-topology-08: (with COMMENT)

Benoit Claise <bclaise@cisco.com> Tue, 24 January 2017 22:05 UTC

Return-Path: <bclaise@cisco.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AA26129408; Tue, 24 Jan 2017 14:05:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.72
X-Spam-Level:
X-Spam-Status: No, score=-17.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S4p_NoxoUbcU; Tue, 24 Jan 2017 14:05:01 -0800 (PST)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E48A81293FE; Tue, 24 Jan 2017 14:05:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10657; q=dns/txt; s=iport; t=1485295501; x=1486505101; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to; bh=slpj2h33/gBlD52GGPxCR7uNEHtFRywhXgaRpsZoDgM=; b=Lf0jYdLFg+Cmo+nA+hYjCGaoPK60a4UKQQGQXiga+Nh6EdF36Xik1ERP nKCi8c6y47srT239QavD6StBokLypp8BjK+YXRchOipAVFR7XmCi3s8x5 S07kwzzJOqc3rYXk5QSulS/8gtOvS/gw5UaC6YP6jINlmURnyaawFhv55 U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0B4AQB2zodY/xbLJq1eGQEBAQEBAQEBAQEBBwEBAQEBgzQBAQEBAX8qX4NTighykRWQA4Urgg0fAQqFeAKCYRgBAgEBAQEBAQFiKIRpAQEBBAEBIUsLDAQLDgMEAQEBJwMCAicfCQgGDQYCAQEXiH8OrhaCJSuKMwEBAQEBAQEBAQEBAQEBAQEBAQEBAR2GS4IFgmqEJoMpgl8Fm02GYosKgXdSh2cjhhuKeYd+HziBGBMIFRU6hHGBST01hT2CPAEBAQ
X-IronPort-AV: E=Sophos;i="5.33,280,1477958400"; d="scan'208,217";a="691668918"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Jan 2017 22:04:58 +0000
Received: from [10.60.67.85] (ams-bclaise-8914.cisco.com [10.60.67.85]) by aer-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id v0OM4wvS019382; Tue, 24 Jan 2017 22:04:58 GMT
To: Thomas Nadeau <tnadeau@lucidvision.com>
References: <000701d27594$28d12350$7a7369f0$@ndzh.com> <20170123.194721.1193117831378217486.mbj@tail-f.com> <010a01d275b0$183d7360$48b85a20$@ndzh.com> <20170123.212621.119545616051737472.mbj@tail-f.com> <afdfb4d3-0901-2ee0-8d87-f8f1aeeff37e@hq.sk> <019c01d275c4$edf51f30$c9df5d90$@ndzh.com> <20170123221458.GA34192@elstar.local> <029301d27636$f2514690$d6f3d3b0$@ndzh.com> <20170124115221.GD35835@elstar.local> <87f80f69-5a3c-18a0-8f4f-e560572417e8@kot-begemot.co.uk> <008d01d2766a$5387def0$fa979cd0$@ndzh.com> <7A14208D-2046-4421-AD8A-B8D3CED74D36@lucidvision.com>
From: Benoit Claise <bclaise@cisco.com>
Message-ID: <6a06779b-fa72-c6c9-f9ea-99dc5e32e3a7@cisco.com>
Date: Tue, 24 Jan 2017 23:04:56 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.6.0
MIME-Version: 1.0
In-Reply-To: <7A14208D-2046-4421-AD8A-B8D3CED74D36@lucidvision.com>
Content-Type: multipart/alternative; boundary="------------177F42CAFBEF54870A9695DD"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2rs/nNIoIixsZPWjbHylzcFBWQpkIqQ>
Cc: i2rs@ietf.org, Anton Ivanov <anton.ivanov@kot-begemot.co.uk>, IESG IESG <iesg@ietf.org>
Subject: Re: [i2rs] Kathleen Moriarty's No Objection on draft-ietf-i2rs-yang-l3-topology-08: (with COMMENT)
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jan 2017 22:05:03 -0000

Dear all,

The thread that grows faster than you can read...

Let me repeat what I mentioned already on the I2RS mailing list:

    This document contains a YANG model, a generic YANG model that could be accessed by NETCONF, RESTCONF, or the future I2RS protocol.
    This document doesn't say (and that would be a mistake IMO if it would) that this YANG model can only be accessed by the I2RS protocol.
    Hence I'm advocating that the security considerations diligently followhttps://trac.ietf.org/trac/ops/wiki/yang-security-guidelines, and that they don't go in the I2RS protocol specific details.

This comment was made for draft-ietf-i2rs-yang-network-topo, but is 
equally applicable to this draft-ietf-i2rs-yang-l3-topology draft.
I still maintain this point of view: it would be a mistake to limit a 
data model usage to a particular protocol. These topology documents are 
not I2RS YANG models, these are YANG models, which can be used in 
different contexts. I'm very concerned if we start having per-WG or per 
context data models in the IETF.
Btw, I haven't seen a RFC specifying what the I2RS protocol is, only the 
requirements.
We can't modify the current generic YANG security considerations for an 
I2RS control plane and a new datastore that are not yet specified. If 
you want to describe how I2RS will be using those topology YANG models 
(and any YANG models btw), then it's suitable to include this part of 
the I2RS protocol spec or part of an I2RS applicability statement. This 
is typically where you would describe some protocol specific information 
such as "write contention for two clients writing a node using I2RS 
priority (linked to I2RS User-ID)".

Let me make my point differently. Let's assume for a moment that I2RS 
needs to use the IETF interface YANG model, does it mean that you will 
require RFC 7223bis with an updated security considerations? This can't be.

I still think the generic YANG security guidelines is suitable, as it 
relates to IETF specified protocols NETCONF and RESTCONF. Addition of 
some generic information about the data model (not I2RS protocol) might 
be useful though. For example, text around "there is a risk that a write 
to a topology may create a looping topology or overload a particular 
node". Note that I don't think the the security considerations is the 
best section for this though.

Regards, Benoit
> 	Sue:
>
> 	The implication of that statement is that actual implementations (like ODL etc) now
> need to copy/paste this model without the I2RS text to use them in other ways. This seems
> strange and just about the most inefficient way to use these that I can think of.
>
> 	—Tom
>
>
>
>> On Jan 24, 2017:12:50 PM, at 12:50 PM, Susan Hares <shares@ndzh.com> wrote:
>>
>> Anton:
>>
>> See earlier message to Martin.  Topology models are I2RS YANG Models
>> designed for ephemeral state with specific security concerns.  This is not
>> your basic YANG model no matter which data store ephemeral gets linked to.
>> Where is ephemeral state?  By IESG Design of charter, I2RS is not in charge
>> of defining ephemeral state solution.  NETMOD/NETCONF are.  Go ask them.
>>
>> Do not blame the messenger echoing NETMOD results,
>>
>> Sue
>>
>> -----Original Message-----
>> From: i2rs [mailto:i2rs-bounces@ietf.org] On Behalf Of Anton Ivanov
>> Sent: Tuesday, January 24, 2017 8:30 AM
>> To: i2rs@ietf.org
>> Subject: Re: [i2rs] Kathleen Moriarty's No Objection on
>> draft-ietf-i2rs-yang-l3-topology-08: (with COMMENT)
>>
>> On 24/01/17 11:52, Juergen Schoenwaelder wrote:
>>> Susan,
>>>
>>> so are these YANG models regular YANG models or are these YANG models
>>> specific to the yet to be defined I2RS protocol and yet to be defined
>>> datastores?
>>>
>>> I think this is the core of Martin's and my question. A simple clear
>>> and concise answer would be nice.
>> +1.
>>
>> A.
>>
>>
>> _______________________________________________
>> i2rs mailing list
>> i2rs@ietf.org
>> https://www.ietf.org/mailman/listinfo/i2rs
>>
>> _______________________________________________
>> i2rs mailing list
>> i2rs@ietf.org
>> https://www.ietf.org/mailman/listinfo/i2rs
> _______________________________________________
> i2rs mailing list
> i2rs@ietf.org
> https://www.ietf.org/mailman/listinfo/i2rs

v2.23.0 | Report a Bug | By Email