IETF Logo Mail Archive

Re: [L3sm] Next Step of RFC8049

"Ogaki, Kenichi" <ke-oogaki@kddi.com> Wed, 28 June 2017 11:56 UTC

Return-Path: <ke-oogaki@kddi.com>
X-Original-To: l3sm@ietfa.amsl.com
Delivered-To: l3sm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FC4C1205F0 for <l3sm@ietfa.amsl.com>; Wed, 28 Jun 2017 04:56:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XA-RE13iJH0x for <l3sm@ietfa.amsl.com>; Wed, 28 Jun 2017 04:56:19 -0700 (PDT)
Received: from post-send.kddi.com (athena4.kddi.com [27.90.165.197]) by ietfa.amsl.com (Postfix) with ESMTP id 74FEC1204DA for <l3sm@ietf.org>; Wed, 28 Jun 2017 04:56:18 -0700 (PDT)
Received: from LTMC2121.kddi.com (LTMC2121.kddi.com [10.206.0.61]) by post-send.kddi.com (KDDI Mail) with ESMTP id 0FCF1120020; Wed, 28 Jun 2017 20:56:18 +0900 (JST)
Received: from LTMC2146.kddi.com ([10.206.0.236] [10.206.0.236]) by LTMC2121.kddi.com with ESMTP; Wed, 28 Jun 2017 20:56:18 +0900
Received: from LTMC2146.kddi.com (localhost [127.0.0.1]) by localhost.kddi.com (Postfix) with ESMTP id D3FE830005D; Wed, 28 Jun 2017 20:56:17 +0900 (JST)
Received: from LTMC2152.kddi.com (post-incheck [10.206.0.239]) by LTMC2146.kddi.com (Postfix) with ESMTP id C9099300051; Wed, 28 Jun 2017 20:56:17 +0900 (JST)
Received: from LTMC2152.kddi.com (localhost.localdomain [127.0.0.1]) by LTMC2152.kddi.com with ESMTP id v5SBuH5E030243; Wed, 28 Jun 2017 20:56:17 +0900
Received: from LTMC2152.kddi.com.mid_22453559 (localhost.localdomain [127.0.0.1]) by LTMC2152.kddi.com with ESMTP id v5SBkEqK026895; Wed, 28 Jun 2017 20:46:14 +0900
X-SA-MID: 22453559
Received: from KDDI1508PC0003 ([10.200.122.178] [10.200.122.178]) by post-smtp2.kddi.com with ESMTPA; Wed, 28 Jun 2017 20:46:14 +0900
From: "Ogaki, Kenichi" <ke-oogaki@kddi.com>
To: 'Qin Wu' <bill.wu@huawei.com>, "'stephane.litkowski'" <stephane.litkowski@orange.com>, 'l3sm' <l3sm@ietf.org>, 'daviball' <daviball@cisco.com>
References: <etPan.5911cab4.327b23c6.d3a@Qin-Wude-iPhone> <0a70dc6a-961d-66f2-d3a4-c7b9a48706ff@cisco.com> <00d301d2e00b$f0200ca0$d06025e0$@kddi.com> <48fc67df-aefe-a855-9c2a-0b8ca453149e@cisco.com> <006d01d2e4ed$f5f14ea0$e1d3ebe0$@kddi.com> <6f6fade7-1e5e-3cf0-e961-4d3f535eb3de@cisco.com> <6561_1498038981_594A42C5_6561_270_2_9E32478DFA9976438E7A22F69B08FF921E9C913F@OPEXCLILMA4.corporate.adroot.infra.ftgroup> <7caf4c4d-b132-2e07-54c8-8e9c62727293@cisco.com> <00b101d2ee2b$8ef28ab0$acd7a010$@kddi.com> <0ed5e7de-9ab3-19a9-06ba-f0ec8a83c658@cisco.com> <B8F9A780D330094D99AF023C5877DABA9A987485@nkgeml513-mbx.china.huawei.com>, <c900e6a6-cab3-cde2-ce4c-7d37eb8fddd7@cisco.com> <etPan.59539342.6b8b4567.35a@Qin-Wude-iPhone>
In-Reply-To: <etPan.59539342.6b8b4567.35a@Qin-Wude-iPhone>
Date: Wed, 28 Jun 2017 20:46:14 +0900
Message-ID: <002b01d2f004$252ce3c0$6f86ab40$@kddi.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQI8KJ/JrK2KyxsjaGJAhXNMm3Sl2gG6ddmrAczEpsMBsDkrZAKEX+92AgfRRr0BCjGOgwFvVOKzAcQOH5kCc5eLOwDFi/E/AczrG9UCWAzZS6C8u4iA
Content-Language: ja
X-TM-AS-MML: disable
Archived-At: <https://mailarchive.ietf.org/arch/msg/l3sm/d4JYEgRi-JV0hAVy88VskM5SpdM>
Subject: Re: [L3sm] Next Step of RFC8049
X-BeenThere: l3sm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: L3VPN Service YANG Model discussion group <l3sm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l3sm>, <mailto:l3sm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/l3sm/>
List-Post: <mailto:l3sm@ietf.org>
List-Help: <mailto:l3sm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l3sm>, <mailto:l3sm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jun 2017 11:56:21 -0000

Hi Qin,

This is already covered by Section 10.

And, I answered to David earlier.

4.	Under the VPN service, there is a leaf for the customer name.  If the model is supposed to represent the request from a customer to the SP, I would have thought the customer name would be known out-of-band, e.g. from the AAA for the request?  It would be bad if one customer could request things for another customer by filling in a different customer name in the model!  
	
[KO] A customer can only access the model instance of that customer. Please see section 10.

Thanks,
Kenichi
-----Original Message-----
From: Qin Wu [mailto:bill.wu@huawei.com] 
Sent: Wednesday, June 28, 2017 8:30 PM
To: ke-oogaki@kddi.com; stephane.litkowski; l3sm; daviball
Subject: RE: [L3sm] Next Step of RFC8049

Sort of,:-),how about add a few texts in security section to discuss security risk of disclosing customer name, hope this will address your comment . Thanks!

Sent from HUAWEI AnyOffice
发件人: daviball
收件人: Qin Wu; Ogaki, Kenichi; stephane.litkowski; l3sm; 
主题: Re: [L3sm] Next Step of RFC8049
时间: 2017-06-28 17:36:30


Hi Qin,

You have cycled this round to the start of the thread. :)  There must be some out-of-band way of identifying and authenticating the customer from whom the request is being received, otherwise customer foo could request a service for customer bar just by filling in a different value for this leaf in the model!  You are right that the VPN service is a list, but a given customer should only ever be able to use the model to access their own services, they should not be able to access services for any other customer.

    David


On 28/06/2017 03:37, Qin Wu wrote:


	David:

	A few thoughts and comments below.

	发件人: David Ball [mailto:daviball@cisco.com] 
	发送时间: 2017年6月27日 19:53
	收件人: Ogaki, Kenichi; stephane.litkowski@orange.com <mailto:stephane.litkowski@orange.com> ; Qin Wu; l3sm@ietf.org <mailto:l3sm@ietf.org> 
	主题: Re: [L3sm] Next Step of RFC8049

	 

	Thanks Kenichi - there is one of your answers that I'm still confused about, see below:

	 

	On 26/06/2017 04:23, Ogaki, Kenichi wrote:

				4.   Under the VPN service, there is a leaf for the customer name.  If the model is supposed to represent the request from a customer to the SP, I would have thought the customer name would be known out-of-band, e.g. from the AAA for the request?  It would be bad if one customer could request things for another customer by filling in a different customer name in the model!
				             
				     [KO] A customer can only access the model instance of that customer. Please see section 10.
				 
				 
				[DB] Yes exactly - if a customer can only access their own instance of the model, why does the customer name need to be specified within the model?  You already know you are dealing with that customer's instance of the model.  It seems like the customer-name leaf is unnecessary?
				 
				[KO] As common usecases, a VPN service is provided not only by Tier 1 providers, but also by Tier 2 providers or IT divisions of enterprises in order to provide their own end users by using a Tier 1 provider's VPN service. Such customers usually requires this kind of attributes for their management purposes.

			[DB2]
			I didn't really follow this, sorry.  The module contains the 
			information that needs to be sent from the customer to the SP, right?  
			If the customer using the model (i.e. the Tier2 in your above example) 
			needs to track which of their own customers the service is for, that's 
			something that's internal to them, isn't it?

		[KO3] Yes, that's internal to them, but they (i.e. our customers) really request and are currently using this. Then, we need to model this.

	
	Perhaps I am misunderstanding the scenario.
	
	If I understand correctly, the case is where the yang is being used between a Tier2 provider (lets call them T2-telecom) and Tier1 provider (lets call them T1-networks).  In other words, from the perspective of the RFC and the yang module, T1-networks is the SP and T2-telecom is the customer.
	
	T2-telecom has their own customers call them (foo-bank, bar-supermarket and baz-advertising).  Whenever T2-telecom orders a new VPN from T1-networks, they want to record, in their internal systems, which of their end customers the new VPN is for.  Of course there is probably a lot of other information they want to store in their internal systems about their customers, such as contact info, billing and invoicing info, trouble tickets, etc.
	
	What I don't understand is why T2-telecom would want to send the name of their end-customer (foo-bank, bar-supermarket or baz-advertising) to T1-networks as part of the netconf request when they order a new VPN.  What is T1-networks going to do with this information?
	
	[Qin]:

	1.With customer name,you could use it as a key to lookup detailed customer information such as contact info, billing info if needed.

	2. You forget that VPN service is defined as a list of VPN Service. That is to say different VPN service could belong to different customer,

	Adding customer name, we could know which customer has which VPN service.

	3. customer name is just defined as an optional parameter. You don’t need to specify it in the case you don’t need it.
	    David
	
	
	

	-- 
	David Ball
	<daviball@cisco.com> <mailto:daviball@cisco.com> 


-- 
David Ball
<daviball@cisco.com> <mailto:daviball@cisco.com>

v2.23.0 | Report a Bug | By Email