Re: [i2rs] draft-chen-i2rs-identifier-management-00
"Susan Hares" <shares@ndzh.com> Fri, 29 May 2015 16:03 UTC
From: Susan Hares <shares@ndzh.com>
To: 'Juergen Schoenwaelder' <j.schoenwaelder@jacobs-university.de>
Date: Fri, 29 May 2015 12:03:18 -0400
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2rs/ulL-gYV0jNyiys_T7K47h_mMoyA>
Cc: i2rs@ietf.org, chen.ran@zte.com.cn, 'Andy Bierman' <andy@yumaworks.com>, 'Alia Atlas' <akatlas@juniper.net>, 'Jeffrey Haas' <jhaas@pfrc.org>, "'Joel M. Halpern'" <jmh@joelhalpern.com>
Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00
Juergen:

Thank you for asking the question again. I appreciate your patience as I attempt to answer your question carefully.

Short answer: The I2RS strategy is to re-use other protocols rather than invent, and this seemed a reasonable place to put it.

Context: Jeff's document is a proposal for the requirements for I2RS to the NETCONF/NETMOD WG on ephemeral state. Feedback on the earlier descriptions from the I2RS group had been "too vague", so Jeff's document is providing detailed requirements. I2RS is not designing things for NETCONF, only making known in detailed terms our requirements to aid the NETCONF group's response on whether the I2RS design requirements can be met.

Longer answer: His proposal arises out of section 4.2 in the I2RS architecture document. This section states:

    An approach to a similar access control problem is defined in the NetConf Access Control Model (NACM) [RFC6536]; it allows arbitrary access to be specified for a data node instance identifier while defining meaningful manipulable defaults. The identity within NACM [RFC6536] can be specified as either a user name or a group user name (e.g. Root), and this name is linked to a scope policy that is contained in a set of access control rules. Similarly, it is expected the I2RS identity links to one role which has a scope policy specified by a set of access control rules. This scope policy can be provided via Local Config, exposed as an I2RS Service for manipulation by authorized clients, or via some other method (e.g. AAA service).

You can see in this point that the client identity is being linked to the scope policy controlling read or write. Section 7.8 points out that priority "ensures predictability" in write conditions between two I2RS Clients trying to write data in one agent, or between an I2RS client and the local config. Jeff's requirements flow out of these two sections in the architecture document.
What you can do: If you have an alternate suggestion for priority for Jeff's document, please make a suggestion and indicate why you think it fits within the I2RS architecture document (please list sections).

Sue

-----Original Message-----
From: i2rs [mailto:i2rs-bounces@ietf.org] On Behalf Of Juergen Schoenwaelder
Sent: Friday, May 29, 2015 2:10 AM
To: Susan Hares
Cc: i2rs@ietf.org; chen.ran@zte.com.cn; 'Andy Bierman'; 'Alia Atlas'; 'Jeffrey Haas'; 'Joel M. Halpern'
Subject: Re: [i2rs] draft-chen-i2rs-identifier-management-00

On Thu, May 28, 2015 at 08:09:23PM -0400, Susan Hares wrote:
> Andy:
>
> Thank you for your question. Let me be precise.
>
> Jeff proposes that clients specify the priority mechanism as an attribute that is stored in the NACM list on the agent (see Section 5.2 as described in draft-haas-i2rs-ephemeral-state-reqs-00, quoted below). The client-Agent identities are loaded via a mechanism which is out-of-band from the I2RS protocol. Into the Client, the Agent's ID is loaded. Into the Agent, the valid client's identity is loaded along with the client's priority. AAA (Radius/Diameter) is an example of an out-of-band mechanism to pass the information with. IMU (in my understanding), the NACM on the agent is created based on this AAA loading. The i2rs secondary identity is loaded via an edit-config mechanism in a config operation (see section 5.1 of Jeff's document). Please let me know if my understanding of NACM creation based on AAA input is correct.
>

So I will ask again: If the priority is a property of the I2RS client (this is how I understand the I2RS architecture document), why would it be configured as part of a NACM rule as suggested in section 5.2 of draft-haas-i2rs-ephemeral-state-reqs-00?

Jeff's design makes the priority a property of the scope of a NACM group.
/js

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
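Added example, not part of the thread or of the drafts it discusses: a toy Python model of the agent-side behaviour Sue and Juergen are debating, where a client identity maps to a NACM-style group for write scope (architecture section 4.2) and a per-client priority, loaded out-of-band as the thread describes, arbitrates conflicting writes to one ephemeral node (section 7.8). Group names, the rule shape, the path layout and the tie-breaking rule are assumptions of this model, not taken from RFC 6536 or draft-haas-i2rs-ephemeral-state-reqs-00.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    path_prefix: str  # data-node path prefix the rule covers (assumed shape)
    access: str       # "permit" or "deny"


@dataclass
class Agent:
    # identity -> group name, loaded out-of-band (e.g. AAA), as in the thread
    groups: dict = field(default_factory=dict)
    # group name -> ordered rule list; NACM-style first match decides
    rules: dict = field(default_factory=dict)
    # identity -> priority (higher wins), also loaded out-of-band
    priority: dict = field(default_factory=dict)
    # ephemeral datastore: path -> (owning identity, value)
    store: dict = field(default_factory=dict)

    def authorized(self, identity, path):
        """Scope check: first matching rule of the client's group; default deny."""
        for rule in self.rules.get(self.groups.get(identity), []):
            if path.startswith(rule.path_prefix):
                return rule.access == "permit"
        return False

    def write(self, identity, path, value):
        """Return 'ok', 'unauthorized' or 'preempted' for one write attempt."""
        if not self.authorized(identity, path):
            return "unauthorized"
        owner = self.store.get(path, (None, None))[0]
        # Another client already owns the node: priority decides the outcome.
        # Ties go to the current owner (an assumption of this model).
        if owner not in (None, identity) and \
                self.priority[identity] <= self.priority[owner]:
            return "preempted"
        self.store[path] = (identity, value)
        return "ok"


def demo():
    """Constructed scenario: two writers contend for one node, a reader may not write."""
    a = Agent(groups={"client-a": "routing-writers", "client-b": "routing-writers",
                      "client-c": "readers"},
              rules={"routing-writers": [Rule("/routing/", "permit")],
                     "readers": [Rule("/", "deny")]},
              priority={"client-a": 10, "client-b": 20, "client-c": 5})
    return [a.write("client-a", "/routing/static/r1", "10.0.0.0/8 via eth0"),
            a.write("client-b", "/routing/static/r1", "10.0.0.0/8 via eth1"),
            a.write("client-a", "/routing/static/r1", "back to eth0"),
            a.write("client-c", "/routing/static/r1", "anything")]
```

The third write is rejected because client-a (priority 10) cannot overwrite a node held by client-b (priority 20), which is the predictability section 7.8 asks for; whether that priority belongs on the client or on the NACM group is exactly the open question in the thread.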