Re: [Netconf] draft-ietf-netconf-rfc6536bis Query
Rohit R Ranade <rohitrranade@huawei.com> Mon, 05 February 2018 10:53 UTC
Return-Path: <rohitrranade@huawei.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0D00129C6F for <netconf@ietfa.amsl.com>; Mon, 5 Feb 2018 02:53:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.231
X-Spam-Level:
X-Spam-Status: No, score=-4.231 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 71smPsqV5xyy for <netconf@ietfa.amsl.com>; Mon, 5 Feb 2018 02:53:10 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C57EF129C6E for <netconf@ietf.org>; Mon, 5 Feb 2018 02:53:10 -0800 (PST)
Received: from LHREML710-CAH.china.huawei.com (unknown [172.18.7.107]) by Forcepoint Email with ESMTP id 8D541599A6723 for <netconf@ietf.org>; Mon, 5 Feb 2018 09:24:57 +0000 (GMT)
Received: from DGGEMA405-HUB.china.huawei.com (10.3.20.46) by LHREML710-CAH.china.huawei.com (10.201.108.33) with Microsoft SMTP Server (TLS) id 14.3.361.1; Mon, 5 Feb 2018 09:24:58 +0000
Received: from DGGEMA502-MBX.china.huawei.com ([169.254.2.25]) by DGGEMA405-HUB.china.huawei.com ([10.3.20.46]) with mapi id 14.03.0361.001; Mon, 5 Feb 2018 17:24:50 +0800
From: Rohit R Ranade <rohitrranade@huawei.com>
To: Martin Bjorklund <mbj@tail-f.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] draft-ietf-netconf-rfc6536bis Query
Thread-Index: AdObT5T3Jff3sOmISyuNQj5mNpAqs///naeA//4zjxCAAx8egP//eYqw//pnwuABWLMyAP//dfXw
Date: Mon, 05 Feb 2018 09:24:50 +0000
Message-ID: <991B70D8B4112A4699D5C00DDBBF878A6B1951BB@DGGEMA502-MBX.china.huawei.com>
References: <991B70D8B4112A4699D5C00DDBBF878A6B192C46@DGGEMA502-MBX.china.huawei.com> <20180202.104713.2160979335819511500.mbj@tail-f.com> <991B70D8B4112A4699D5C00DDBBF878A6B19504D@DGGEMA502-MBX.china.huawei.com> <20180205.094936.840887782388329626.mbj@tail-f.com>
In-Reply-To: <20180205.094936.840887782388329626.mbj@tail-f.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.18.150.121]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/3LZIYVa5qJf-LZhfgFcewHsw2AE>
Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis Query
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Feb 2018 10:53:13 -0000
Hi Martin, Consider running data-store has below node. /top/interface[name="Ethernet0/0"]/mtu In the above case, "mtu" is a data-store node , because it is part of a running data-store ? And if I just have a path as /top/interface/mtu ==> Here mtu is just a "data node" ? The reason why I am asking these points is that RFC 6536 mentions that data-store nodes should not be shown in rpc-error. But we want to output in error-message something like "access is denied for /top/interface/mtu" to give a meaningful error-message. Whether such an error-message makes the server non-compliant ? With Regards, Rohit R -----Original Message----- From: Martin Bjorklund [mailto:mbj@tail-f.com] Sent: 05 February 2018 14:20 To: Rohit R Ranade <rohitrranade@huawei.com> Cc: netconf@ietf.org Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Hi, Rohit R Ranade <rohitrranade@huawei.com> wrote: > Hi Martin, > > There are around 6-7 places in the BIS and RFC 6536 where the term " > datastore node" is used. It is unclear what is the meaning of this > term as it is not defined in the Terminology section and it is unclear > what is the difference between this term and "data node". Please > clarify Is the term "datastore node" really unclear? Would a defintion "a node in a datastore" help (I think it would be a tautology). The term "data node" is imported from RFC 7950. /martin > For example: In section 3.2.3 > > The contents of specific restricted datastore nodes MUST NOT be > exposed in any <rpc-error> elements within the reply. > > > With Regards, > Rohit R > > -----Original Message----- > From: Rohit R Ranade > Sent: 02 February 2018 15:19 > To: 'Martin Bjorklund' <mbj@tail-f.com> > Subject: RE: [Netconf] draft-ietf-netconf-rfc6536bis Query > > Ok. > > With Regards, > Rohit R > > -----Original Message----- > From: Martin Bjorklund [mailto:mbj@tail-f.com] > Sent: 02 February 2018 15:17 > To: Rohit R Ranade <rohitrranade@huawei.com> > Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis Query > > Hi, > > Rohit R Ranade <rohitrranade@huawei.com> wrote: > > Hi Martin, > > > > Should we not be specific in the DRAFT about how to handle > > <create-subscription> rpc like we have done for the replay control > > notifications ? > > The control notifications are treated differently b/c they are control > notifications, not b/c they are not defined in a YANG module. > > I think you have a valid point; however, since the WG is currently > defining new operations that will replace the old > <create-subscription>, I think this problem will go away. > > Also, 6536bis is in the RFC editor queue, so changing in 6536bis this > is quite problematic. > > > /martin > > > > Else each device will have its own mechanism of access control for > > <create-subscription>. > > > > With Regards, > > Rohit R > > > > -----Original Message----- > > From: Martin Bjorklund [mailto:mbj@tail-f.com] > > Sent: 01 February 2018 19:05 > > To: Rohit R Ranade <rohitrranade@huawei.com> > > Cc: netconf@ietf.org > > Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis Query > > > > Hi, > > > > Rohit R Ranade <rohitrranade@huawei.com> wrote: > > > Hi All, > > > > > > Q1: > > > In the notification authorization Section 3.4.6 there is mention > > > that REPLAY notifications should be allowed by default. > > > > I think you mean <replay-complete>. Replayed notifications in > > general are not allowed by default. > > > > > But there is no mention of how to handle <create-subscription> > > > operation authorization which can trigger these Replay notifications ? > > > Since there is no module defined for it, there is no way to add a > > > rule for permitting or denying it. > > > > > > > > > 1. How do the current NACM implementations handle it ? Allow > > > <create-subscription> if exec-default is PERMIT ? or always allow > > > <create-subscription> ? > > > > I had to check, and our implementation matches create-subscription > > if the module-name in the rule is "*". > > > > I think some implementations use an internal (non-standard) YANG > > module name for the model in RFC 5277, so they presumably match if > > that internal module name is given, or "*". > > > > > Q2: If there is an error of access-denied for edit-config > > > operation, does the RFC restrict from outputting the <error-path> > > > of the data-store node for such operations ? > > > Section 3.2.5 has " The contents of specific restricted datastore > > > nodes MUST NOT be > > > > > > exposed in any <rpc-error> elements within the reply." , what is the > > > meaning of 'content' here ? the schema-name of the leaf / key-values > > > of data-store-nodes ? > > > > > > Since the user has inputted the keys for the data-store nodes is > > > there any security risk in giving back the values to the user ? > > > > 3.4.3 also has > > > > A server MUST NOT include any information the client is not allowed > > to read in any <error-info> elements within the <rpc-error> response. > > > > > > /martin > > >
- [Netconf] draft-ietf-netconf-rfc6536bis Query Rohit R Ranade
- Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Martin Bjorklund
- Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Martin Bjorklund
- Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Rohit R Ranade
- Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Martin Bjorklund
- Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Rohit R Ranade