IETF Logo Mail Archive

Re: [Netconf] Yangdoctors last call review of draft-ietf-netconf-restconf-client-server-04

Andy Bierman <andy@yumaworks.com> Tue, 01 August 2017 19:32 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8407129B34 for <netconf@ietfa.amsl.com>; Tue, 1 Aug 2017 12:32:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sTXKs1CSTus1 for <netconf@ietfa.amsl.com>; Tue, 1 Aug 2017 12:32:07 -0700 (PDT)
Received: from mail-wr0-x236.google.com (mail-wr0-x236.google.com [IPv6:2a00:1450:400c:c0c::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7669132302 for <netconf@ietf.org>; Tue, 1 Aug 2017 12:32:06 -0700 (PDT)
Received: by mail-wr0-x236.google.com with SMTP id 33so10651604wrz.4 for <netconf@ietf.org>; Tue, 01 Aug 2017 12:32:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=G7SXuPvL4pftWCJ15+UH21dA/EqowFU/rWRMK1PInaQ=; b=t5PfH1pWamfmg2b4Nk8ZqwSGg/qcNm8Ypz9+7WJJxjU0/BuX3+fJRlXPc3We8YiLBW bNNGBJViwBIQNnw4ebkNAcEvMwaIB5eASzZiVhyXgGktJ1hi6pGckCXNXEV97fikrqJb T+d1grQwr6JPidIGbQKng2wdkmB+dwjUUeXirXhzJS5W+IcxpX9u1U3eO0AKxGG5YKWp PHK6Kx02Wo0CHjZBCCgsoziAwaZksaG5iOV4G9CnqsJ6KOAntMOKLCKc/2hdmSA2DRZ4 7ZT1eTalcMVfX5HFrS3TLiNAK7slr30i56fpzVxMRHcsleb7Z8waF3Va6D6FyPE8dit6 bYxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=G7SXuPvL4pftWCJ15+UH21dA/EqowFU/rWRMK1PInaQ=; b=E9+MF7VDdHd04NN6xdeN9BfLSSW/R4amsMoy8427VlpSeCNLkF48UcF+J4Zkg1Bg5t N18CiNyJRzonDDfQKz4e8xich51M+/iczOyB/9ZRF75vxW0c9X1H3jMysKuhFKzOYh7S IptUUMsxqNt1/McN63ZlgGI8d0AlQUTrRyIQuBqu6nQKzGuEuwuS+DGQ+pPIzs8+5uYj GzstyvpbdB0wmpT4EvZglH5D7c9WSnFF7S5HbHDmP2OY/8I9DQQPyAmDnUJhudqvKf2e v2/dUIxUuwWFOi++/bGXPN0Fi8JWW+D0+E4LLbcGh3sVgX0ogCfVYe8VEbmDdpn6CvyY Jlgg==
X-Gm-Message-State: AIVw110P+Xvti+vNT1uXtfACEI8V/ux2GK/X9l94mB4qRj0AbFz0lkR6 Ghsuv9+lbfdns0gPP9ktM0DqNzgTkIU0
X-Received: by 10.223.134.39 with SMTP id 36mr16332354wrv.244.1501615925348; Tue, 01 Aug 2017 12:32:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.182.160 with HTTP; Tue, 1 Aug 2017 12:32:04 -0700 (PDT)
In-Reply-To: <A9F2ED3F-6AC5-4AEF-8EBF-1C4F89A6F0F7@juniper.net>
References: <150128020275.20726.13027423171798327745@ietfa.amsl.com> <A9F2ED3F-6AC5-4AEF-8EBF-1C4F89A6F0F7@juniper.net>
From: Andy Bierman <andy@yumaworks.com>
Date: Tue, 01 Aug 2017 12:32:04 -0700
Message-ID: <CABCOCHTmNdi7ZGPL_R8vyZTOKeVwJgtrqsT0ZNBCbMUT4Qo9tA@mail.gmail.com>
To: Kent Watsen <kwatsen@juniper.net>
Cc: "yang-doctors@ietf.org" <yang-doctors@ietf.org>, "draft-ietf-netconf-restconf-client-server.all@ietf.org" <draft-ietf-netconf-restconf-client-server.all@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Content-Type: multipart/alternative; boundary="001a1146c380d1e08c0555b63322"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/2J5Gu4vrWQKodgbprCQjGFQUP3o>
Subject: Re: [Netconf] Yangdoctors last call review of draft-ietf-netconf-restconf-client-server-04
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Aug 2017 19:32:11 -0000

On Mon, Jul 31, 2017 at 3:56 PM, Kent Watsen <kwatsen@juniper.net> wrote:

> Hi Andy,
>
> Thanks for your review.  Below are my responses to your comments.
>
> Thanks,
> Kent
>
>
> --
>
> Reviewer: Andy Bierman
> Review result: Ready with Nits
>
> Review: draft-ietf-netconf-restconf-client-server-04
>
> Modules:
>  (M1) ietf-restconf-client@2017-07-03.yang
>  (M2) ietf-restconf-server@2017-07-03.yang
>
>
> YANG Usage:
>
>  I did not find anything wrong in either module.
>  pyang and yangdump-pro do not report any errors or warnings.
>
> Comments:
>
> C1:
>
>  (M1) RESTCONF does not have sessions so the term "RESTCONF session"
>  needs to be defined
>
>
> <KENT> good point, in this case, it's actually the underlying transport
> (TLS) that has a session.  Fixed.  But what about the 'max-sessions' leaf,
> under 'listen', in both modules?  - should this also be changed to talk
> about the TLS session, or removed altogether?
>
>
>

I think you can change it to "transport session" or "TLS session"
if the concept of session reconnect is is kept for RESTCONF



>
> C2:
>
>  (M1) feature tls-initiate
>  (M1) feature tls-listen
>  (M2) feature tls-listen
>  (M2) feature tls-call-home
>
>  Are these features really needed since a RESTCONF server MUST support
>  the TLS transport?
>
> <KENT> the features themselves are needed, as we don't know what
> clients/servers may support.
>


OK -- These features are nested within other features (initiate, listen).
You should add a comment somewhere that TLS is optional-to-support,
but mandatory to support if the TLS transport is implemented.
Currently RESTCONF requires TLS be supported, but future
versions could be different.

Also, recent YANG 1.1 discussions concluded (wrongly IMO) that nested
nodes do not inherit the if-feature-stmts of ancestors.  It is not clear
how one would access /foo/bar if /foo was not supported.

 So perhaps you should add if-feature-stmts:

  feature tls-listen {
     if-feature listen;
     ...
  }

  feature tls-listen {
    if-feature listen;
    ...
  }


> <KENT> the "tls" in the name of these features is likely unnecessary but
> 1) maybe, someday, there will be another transport? and, 2) these names are
> consistent with the names in the ssh modules, where there are both the
> "tls" and "ssh" based feature names, and so make more sense there.
>
>
>
> C3:
>
>  (M1)  /restconf-client/initiate/restconf-server/persistent/
>
>  RESTCONF has no session setup; It only has request and
>  response interactions. The purpose of reconnect, idle timeouts etc.
>  are completely up to the client application.
>
>
> <KENT> similar to the above, this is really meant to reflect the TLS
> layer.  It may not make too much sense for /restconf-client/initiate/restconf-server/persistent.
>  That said, I think it's okay, in the sense that a real HTTPS client might
> keep the underlying TLS session open across many HTTP-level interactions as
> a performance optimization.  What do you think?
>
>
Change it to be TLS session



> FWIW, it does *make* sense for /restconf-server/call-home/res
> tconf-client/connection-type/persistent/.  For instance, a client may
> need to keep the call-home connection open in order to send messages to the
> server when it needs to...
>
>
>
OK -- this may be more clear than hiding persistent in max-retries ==
unlimited



>
> C4:
>
>  (M1)  /restconf-client/initiate/restconf-server/persistent/max-attempts
>
>  What should the RESTCONF client do if a "Connection: close"
>  header is received from the server (indicating the server is dropping
>  the TCP connection) Should the reconnects proceed?
>
> <KENT> I don't understand the question.  The 'max-attempts' regards
> testing the aliveness of a server that the client is already connected
> to.  But, assuming the client was configured to try to maintain a
> persisted TLS connection, the client would immediately try to reconnect
> to one of the configured RESTCONF servers.
>


OK -- this is how our server works. It does not make a special case for
Connection: close.



>
> C5:
>
>  (M1)  /restconf-client/initiate/restconf-server/periodic/
>
>
>       "Periodically connect to the RESTCONF server, so that
>        the RESTCONF server may deliver messages pending for
>        the RESTCONF client.  The RESTCONF server must close
>        the connection when it is ready to release it.
>
> This is not how RESTCONF works.
> The RESTCONF server requires a request message in order to
> send content to a client.  I do not understand the use-case
> for periodic RESTCONF sessions.
>
> <KENT> Right, the server might be buffering data to send to
> the client (e.g., logs).  Maybe it's a wording issue?
>
> OLD
>
>   server may deliver messages pending for the RESTCONF client
>
> NEW
>
>   client can collect data (e.g., logs) from the RESTCONF server
>
> What do you think?
>


It should be clear that the client would have to issue a GET or maybe POST
to initiate the sending of stored data like logs



>
>
>
>
> C6:
>
>  (M1)  /restconf-client/initiate/restconf-server/periodic/
>  (M2)  /restconf-server/call-home/restconf-client/connection-type/
> periodic/
>
>  The RESTCONF notifications via SSE should be exempt from timeouts.
>  The RESTCONF client should terminate an SSE request. The server should
>  not timeout an SSE response connection
>
>
> <KENT> Agreed, and the description statement for the 'idle-timeout' leaf
> says "Sessions that have a notification subscription active are never
> dropped.  But here, under 'periodic', the whole point is to shed idle
> connections.  For instance, imagine a client that wants to collect logs
> from a low-powered server once a day.  What do you think?
>
>

Notification replay has a mode where it is terminated (i.e,., end-time
provided)
I think this would have to be used by the client.  This tells the server to
drop
the connection when the replay is complete.

This is 1 exception -- another is close-session.

   POST /restconf/operations/ietf-netconf:close-session

Is this supposed to do anything in RESTCONF?



>
> C7:
>
> Sec 1.2 Tree Diagrams
>
> Old text should be replaced with reference to
> draft-ietf-netmod-yang-tree-diagrams-01
>
> <KENT> same comment as before.
>
>
>

OK -- wait for tree draft to be stable


>
> C8:
>
>  (M1) IETF copyright says 2014; change to 2017
>  (M2) IETF copyright says 2014; change to 2017
>
> <KENT> fixed.
>
>
>
> Nits:
>
> Some descriptions mention SSH. This should be removed from
> this document.
>
> <KENT> done.
>
>
> The descriptions for choices that have only 1 case should
> explain why a choice is being used.
>
> <KENT> done.
>
>
> The tree diagram shows the fully expanded groupings,
> even many objects are in other drafts. I needed all 5 drafts
> open in windows for searching, plus pyang tree output,
> to really follow the data model structure.
>
> <KENT> I know.  Do you have a proposal?
>
>
The external nodes cannot really use a prefix because they
are pulled in from groupings, and technically in the same module namespace.
I don't know if any changes to the tree diagram should be made for
uses external-grouping.




>
>
> The examples do not show any usage of the hello-params.
> This would be useful because the namespace for the
> identityref objects (tls-version, cipher-suite) is not
> the same as the module that uses the grouping.
>
> <KENT> Point taken.  I sent Gary an email on this also.
>
>
>
> Note that the 'map-type' identityref is shown correctly encoded
> in examples on page 19 and 20.
>
> <KENT> not sure which draft you mean, but it's okay, I know how to prefex
> identities.
>
>
>
>


Andy

v2.23.0 | Report a Bug | By Email