Re: [L3sm] Next Step of RFC8049
Qin Wu <bill.wu@huawei.com> Wed, 28 June 2017 11:30 UTC
Return-Path: <bill.wu@huawei.com>
X-Original-To: l3sm@ietfa.amsl.com
Delivered-To: l3sm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D678812EC0B for <l3sm@ietfa.amsl.com>; Wed, 28 Jun 2017 04:30:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W5-6XqXIAdEC for <l3sm@ietfa.amsl.com>; Wed, 28 Jun 2017 04:30:22 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FA5F12EC12 for <l3sm@ietf.org>; Wed, 28 Jun 2017 04:30:21 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml703-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DPZ14018; Wed, 28 Jun 2017 11:30:19 +0000 (GMT)
Received: from NKGEML414-HUB.china.huawei.com (10.98.56.75) by lhreml703-cah.china.huawei.com (10.201.108.44) with Microsoft SMTP Server (TLS) id 14.3.301.0; Wed, 28 Jun 2017 12:30:18 +0100
Received: from NKGEML513-MBX.china.huawei.com ([169.254.1.25]) by nkgeml414-hub.china.huawei.com ([10.98.56.75]) with mapi id 14.03.0235.001; Wed, 28 Jun 2017 19:30:10 +0800
From: Qin Wu <bill.wu@huawei.com>
To: "ke-oogaki@kddi.com" <ke-oogaki@kddi.com>, "stephane.litkowski" <stephane.litkowski@orange.com>, l3sm <l3sm@ietf.org>, daviball <daviball@cisco.com>
Thread-Topic: [L3sm] Next Step of RFC8049
Thread-Index: AQHS8AHmr+/QB9MzcEy31t2H4MnsWQ==
Date: Wed, 28 Jun 2017 11:30:10 +0000
Message-ID: <etPan.59539342.6b8b4567.35a@Qin-Wude-iPhone>
References: <etPan.5911cab4.327b23c6.d3a@Qin-Wude-iPhone> <0a70dc6a-961d-66f2-d3a4-c7b9a48706ff@cisco.com> <00d301d2e00b$f0200ca0$d06025e0$@kddi.com> <48fc67df-aefe-a855-9c2a-0b8ca453149e@cisco.com> <006d01d2e4ed$f5f14ea0$e1d3ebe0$@kddi.com> <6f6fade7-1e5e-3cf0-e961-4d3f535eb3de@cisco.com> <6561_1498038981_594A42C5_6561_270_2_9E32478DFA9976438E7A22F69B08FF921E9C913F@OPEXCLILMA4.corporate.adroot.infra.ftgroup> <7caf4c4d-b132-2e07-54c8-8e9c62727293@cisco.com> <00b101d2ee2b$8ef28ab0$acd7a010$@kddi.com> <0ed5e7de-9ab3-19a9-06ba-f0ec8a83c658@cisco.com> <B8F9A780D330094D99AF023C5877DABA9A987485@nkgeml513-mbx.china.huawei.com>, <c900e6a6-cab3-cde2-ce4c-7d37eb8fddd7@cisco.com>
In-Reply-To: <c900e6a6-cab3-cde2-ce4c-7d37eb8fddd7@cisco.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_etPan595393426b8b456735aQinWudeiPhone_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020201.5953934C.003C, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.1.25, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: ce0fda6ac40132574a0325c6d6ee8c80
Archived-At: <https://mailarchive.ietf.org/arch/msg/l3sm/lUf796b-CQfJnUEx10VHR_YGel4>
Subject: Re: [L3sm] Next Step of RFC8049
X-BeenThere: l3sm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: L3VPN Service YANG Model discussion group <l3sm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l3sm>, <mailto:l3sm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/l3sm/>
List-Post: <mailto:l3sm@ietf.org>
List-Help: <mailto:l3sm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l3sm>, <mailto:l3sm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jun 2017 11:30:25 -0000
Sort of,:-),how about add a few texts in security section to discuss security risk of disclosing customer name, hope this will address your comment . Thanks!
Sent from HUAWEI AnyOffice
发件人: daviball
收件人: Qin Wu; Ogaki, Kenichi; stephane.litkowski; l3sm;
主题: Re: [L3sm] Next Step of RFC8049
时间: 2017-06-28 17:36:30
Hi Qin,
You have cycled this round to the start of the thread. :) There must be some out-of-band way of identifying and authenticating the customer from whom the request is being received, otherwise customer foo could request a service for customer bar just by filling in a different value for this leaf in the model! You are right that the VPN service is a list, but a given customer should only ever be able to use the model to access their own services, they should not be able to access services for any other customer.
David
On 28/06/2017 03:37, Qin Wu wrote:
David:
A few thoughts and comments below.
发件人: David Ball [mailto:daviball@cisco.com]
发送时间: 2017年6月27日 19:53
收件人: Ogaki, Kenichi; stephane.litkowski@orange.com<mailto:stephane.litkowski@orange.com>; Qin Wu; l3sm@ietf.org<mailto:l3sm@ietf.org>
主题: Re: [L3sm] Next Step of RFC8049
Thanks Kenichi - there is one of your answers that I'm still confused about, see below:
On 26/06/2017 04:23, Ogaki, Kenichi wrote:
4. Under the VPN service, there is a leaf for the customer name. If the model is supposed to represent the request from a customer to the SP, I would have thought the customer name would be known out-of-band, e.g. from the AAA for the request? It would be bad if one customer could request things for another customer by filling in a different customer name in the model!
[KO] A customer can only access the model instance of that customer. Please see section 10.
[DB] Yes exactly - if a customer can only access their own instance of the model, why does the customer name need to be specified within the model? You already know you are dealing with that customer's instance of the model. It seems like the customer-name leaf is unnecessary?
[KO] As common usecases, a VPN service is provided not only by Tier 1 providers, but also by Tier 2 providers or IT divisions of enterprises in order to provide their own end users by using a Tier 1 provider's VPN service. Such customers usually requires this kind of attributes for their management purposes.
[DB2]
I didn't really follow this, sorry. The module contains the
information that needs to be sent from the customer to the SP, right?
If the customer using the model (i.e. the Tier2 in your above example)
needs to track which of their own customers the service is for, that's
something that's internal to them, isn't it?
[KO3] Yes, that's internal to them, but they (i.e. our customers) really request and are currently using this. Then, we need to model this.
Perhaps I am misunderstanding the scenario.
If I understand correctly, the case is where the yang is being used between a Tier2 provider (lets call them T2-telecom) and Tier1 provider (lets call them T1-networks). In other words, from the perspective of the RFC and the yang module, T1-networks is the SP and T2-telecom is the customer.
T2-telecom has their own customers call them (foo-bank, bar-supermarket and baz-advertising). Whenever T2-telecom orders a new VPN from T1-networks, they want to record, in their internal systems, which of their end customers the new VPN is for. Of course there is probably a lot of other information they want to store in their internal systems about their customers, such as contact info, billing and invoicing info, trouble tickets, etc.
What I don't understand is why T2-telecom would want to send the name of their end-customer (foo-bank, bar-supermarket or baz-advertising) to T1-networks as part of the netconf request when they order a new VPN. What is T1-networks going to do with this information?
[Qin]:
1.With customer name,you could use it as a key to lookup detailed customer information such as contact info, billing info if needed.
2. You forget that VPN service is defined as a list of VPN Service. That is to say different VPN service could belong to different customer,
Adding customer name, we could know which customer has which VPN service.
3. customer name is just defined as an optional parameter. You don’t need to specify it in the case you don’t need it.
David
--
David Ball
<daviball@cisco.com><mailto:daviball@cisco.com>
--
David Ball
<daviball@cisco.com><mailto:daviball@cisco.com>
- [L3sm] Next Step of RFC8049 Qin Wu
- Re: [L3sm] Next Step of RFC8049 David Ball
- Re: [L3sm] Next Step of RFC8049 Ogaki, Kenichi
- Re: [L3sm] Next Step of RFC8049 David Ball
- Re: [L3sm] Next Step of RFC8049 Ogaki, Kenichi
- Re: [L3sm] Next Step of RFC8049 David Ball
- Re: [L3sm] Next Step of RFC8049 stephane.litkowski
- Re: [L3sm] Next Step of RFC8049 Qin Wu
- Re: [L3sm] Next Step of RFC8049 David Ball
- Re: [L3sm] Next Step of RFC8049 Qin Wu
- Re: [L3sm] Next Step of RFC8049 Ogaki, Kenichi
- Re: [L3sm] Next Step of RFC8049 David Ball
- Re: [L3sm] Next Step of RFC8049 David Ball
- Re: [L3sm] Next Step of RFC8049 Qin Wu
- Re: [L3sm] Next Step of RFC8049 Qin Wu
- Re: [L3sm] Next Step of RFC8049 David Ball
- Re: [L3sm] Next Step of RFC8049 Qin Wu
- Re: [L3sm] Next Step of RFC8049 Ogaki, Kenichi
- Re: [L3sm] Next Step of RFC8049 Ogaki, Kenichi
- [L3sm] 答复: Next Step of RFC8049 Qin Wu
- Re: [L3sm] Next Step of RFC8049 David Ball