Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-netconf-event-notifications-20: (with DISCUSS)

"Eric Voit (evoit)" <evoit@cisco.com> Wed, 15 May 2019 20:34 UTC

Return-Path: <evoit@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9DCC12010F; Wed, 15 May 2019 13:34:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5JM4_0dBR_os; Wed, 15 May 2019 13:34:14 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD7671200FE; Wed, 15 May 2019 13:34:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2460; q=dns/txt; s=iport; t=1557952454; x=1559162054; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=B8otPxR6Ng6tectGuKNzEn5PnjXbP9ugjOHTrIqTfLA=; b=PdQXX5SV1WjZCbgMsDdXqsTZO3eVMwTWgUfWOZ+ZLltNdo9m/ad1mCGQ KEn1u4X4tTgVmwVOmmTPGAmjuQ/CM6FlW1WxMxC3wLPhAbrODVw+S3JwQ jVeIVF9E8gy/iAfqE0mVb7AGP17hELS8Z2PrElRMBGuH8+A996ANelkJ2 Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AnAABrdtxc/5pdJa1kHAEBAQQBAQc?= =?us-ascii?q?EAQGBUQcBAQsBgWYqgT0wMoQHiByMd5hTgXsJAQEBDAEBLwEBhEACF4IUIzQ?= =?us-ascii?q?JDgEDAQEEAQECAQRtKIVKAQEBAwEjEUMCBQsCAQgOBwUCCR0CAgIwFRACBAE?= =?us-ascii?q?NDYJPS4F8D6wvgS+KMYELKAGJe4FTF4FAP4QjPodOglgEiyGCO5l9CQKCCZJ?= =?us-ascii?q?WI4IUhkyNDoMgiRSVCgIRFYEwHziBV3AVgyiCRY4KAUGPf4EhAQE?=
X-IronPort-AV: E=Sophos;i="5.60,474,1549929600"; d="scan'208";a="277195446"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 15 May 2019 20:34:12 +0000
Received: from XCH-RTP-013.cisco.com (xch-rtp-013.cisco.com [64.101.220.153]) by rcdn-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id x4FKYCLj031781 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 15 May 2019 20:34:12 GMT
Received: from xch-rtp-013.cisco.com (64.101.220.153) by XCH-RTP-013.cisco.com (64.101.220.153) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 15 May 2019 16:34:11 -0400
Received: from xch-rtp-013.cisco.com ([64.101.220.153]) by XCH-RTP-013.cisco.com ([64.101.220.153]) with mapi id 15.00.1473.003; Wed, 15 May 2019 16:34:11 -0400
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "draft-ietf-netconf-netconf-event-notifications@ietf.org" <draft-ietf-netconf-netconf-event-notifications@ietf.org>, Kent Watsen <kent+ietf@watsen.net>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-netconf-netconf-event-notifications-20: (with DISCUSS)
Thread-Index: AQHVC1UKCmTTd5q9QEOBEyxiozCk46ZsoLCg
Date: Wed, 15 May 2019 20:34:11 +0000
Message-ID: <e6ad880c702c4084a68da513c1a93982@XCH-RTP-013.cisco.com>
References: <155794878921.30587.14812046146231301278.idtracker@ietfa.amsl.com>
In-Reply-To: <155794878921.30587.14812046146231301278.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.118.56.226]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.153, xch-rtp-013.cisco.com
X-Outbound-Node: rcdn-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/02ViZS5oHNeIpN7rLs9TmsJovVw>
Subject: Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-netconf-event-notifications-20: (with DISCUSS)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 May 2019 20:34:16 -0000

Hi Roman,

Thanks for the review.   A thought in-line...

> From: Roman Danyliw, May 15, 2019 3:33 PM
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> An easy to fix issue.
> 
> Section 8.  I agree with the brevity of this section as the more detailed
> considerations can be found in [draft-ietf-netconf-subscribed-notifications].
> [draft-ietf-netconf-subscribed-notifications] has a similar statement about
> buggy subscribers, but also makes a SHOULD statement about operators
> monitoring for odd behavior.  This text doesn’t include this monitoring
> recommendation but does explicitly discuss terminating sessions.  Could the text
> in these two sections please be reconciled. Perhaps with a reference such as:
> 
> “This document does not introduce additional Security Considerations for
> dynamic subscriptions beyond those discussed in [draft-ietf-netconf-subscribed-
> notifications].  In particular for NETCONF subscribers …<use the current text> ”

I think what you are looking for is something like:
"This document does not introduce additional Security Considerations for dynamic subscriptions beyond those discussed in [draft-ietf-netconf-subscribed-notifications].  But there is one consideration worthy of more refinement based on the connection oriented nature of the NETCONF protocol.  Specifically, if a buggy or compromised NETCONF subscriber sends a number of "establish-subscription" requests, then these subscriptions accumulate and may use up system resources. In such a situation, subscriptions MAY be terminated by terminating the underlying NETCONF session... "

If this text works for you, I will add it in.

Eric