IETF Logo Mail Archive

Re: [Netconf] YangPush now

Robert Wilton <rwilton@cisco.com> Thu, 26 July 2018 09:15 UTC

Return-Path: <rwilton@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D03181310BC for <netconf@ietfa.amsl.com>; Thu, 26 Jul 2018 02:15:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.509
X-Spam-Level:
X-Spam-Status: No, score=-14.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iVhN-IlCsM2O for <netconf@ietfa.amsl.com>; Thu, 26 Jul 2018 02:15:22 -0700 (PDT)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1DE213107A for <netconf@ietf.org>; Thu, 26 Jul 2018 02:15:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=33484; q=dns/txt; s=iport; t=1532596522; x=1533806122; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=8oMf1vMv1aTQOcXDweBcMniJJBrpSai9izgDfhosZfw=; b=TLDdQoEyI/GP/g6+rP79sdg2iCVcC8KxfDTpLFxgPKUSPmGkKjU2vKnx 05o4ZI0U2x1Ngb/Yv8LwBH3wzc4p8FQOojdxf0y0wPGE3tzJ3tCrdrQ6+ qb4wot8E3sEULE/l1Sp23mWdn6DQ+HL3ZWb+cbsvX2+aGhX+q0F3gupuU s=;
X-IronPort-AV: E=Sophos;i="5.51,404,1526342400"; d="scan'208,217";a="5417208"
Received: from aer-iport-nat.cisco.com (HELO aer-core-2.cisco.com) ([173.38.203.22]) by aer-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Jul 2018 09:15:20 +0000
Received: from [10.63.23.106] (dhcp-ensft1-uk-vla370-10-63-23-106.cisco.com [10.63.23.106]) by aer-core-2.cisco.com (8.15.2/8.15.2) with ESMTP id w6Q9FI7k021058; Thu, 26 Jul 2018 09:15:19 GMT
To: Andy Bierman <andy@yumaworks.com>, "Eric Voit (evoit)" <evoit@cisco.com>
Cc: "Tim Jenkins (timjenki)" <timjenki@cisco.com>, "netconf@ietf.org" <netconf@ietf.org>
References: <2E1BAD12-EFF2-4E35-B232-57A4C4490989@cisco.com> <20180717055030.7bmzlychtznf3mso@anna.jacobs.jacobs-university.de> <18622ABD-DB9F-406C-836F-64649F3D8FF6@cisco.com> <20180717172036.hhuoq6fzs7ctblpf@anna.jacobs.jacobs-university.de> <CABCOCHS8cfqKLaQe9M4tu-2zkZ5=6-a2FEv+idJwZiW_btx_Zw@mail.gmail.com> <a54850668bfb4483b89f4c2b15bf5f44@XCH-RTP-013.cisco.com> <20180718133200.u7fpsv3xanb2nosr@anna.jacobs.jacobs-university.de> <6707abca9924442083ef165ce1345b7e@XCH-RTP-013.cisco.com> <20180720101419.7chri56rzgyidxmw@anna.jacobs.jacobs-university.de> <3b194cc7276b4e888c4e8b808d1c356a@XCH-RTP-013.cisco.com> <20180723141416.mdzwa53nganbadbu@anna.jacobs.jacobs-university.de> <406f2a12fdd745c18e0f11dd9fbb26eb@XCH-RTP-013.cisco.com> <CABCOCHRmuCQtkzN4u43Gi4kfLifUoAcNYZg2K1ZR5Rg60L_u9g@mail.gmail.com>
From: Robert Wilton <rwilton@cisco.com>
Message-ID: <9d2e34e6-fc40-9c4b-1be5-cbee3ff8f89c@cisco.com>
Date: Thu, 26 Jul 2018 10:15:18 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CABCOCHRmuCQtkzN4u43Gi4kfLifUoAcNYZg2K1ZR5Rg60L_u9g@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------01652FE236967258144769C5"
Content-Language: en-US
X-Outbound-SMTP-Client: 10.63.23.106, dhcp-ensft1-uk-vla370-10-63-23-106.cisco.com
X-Outbound-Node: aer-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/3Y9zl7UrO90ECeA_6N_F7JvCbeY>
Subject: Re: [Netconf] YangPush now
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 09:15:31 -0000

I basically agree with Andy.

I appreciate from the comments that the configured subscriptions is not 
usable using standards transports yet, but it still seems that it would 
be more invasive to rip configured subscriptions out at this point in 
time.  I think as a WG we really want to get this document published 
otherwise it will be obsolete before it even has an RFC number.  We can 
fix up the configured subscriptions afterwards, and then publish a bis 
version that puts everything together.

Thanks,
Rob


On 26/07/2018 04:21, Andy Bierman wrote:
> Hi,
>
> IMO there is a good enough plan in place to complete the configured 
> subscriptions.
> The co-authors have done enough revisions. It is time to finish the 
> drafts.
>
> We should let vendors experiment and also try to create a standard 
> binary protocol.
>
>
> Andy
>
>
>
> On Tue, Jul 24, 2018 at 4:56 PM, Eric Voit (evoit) <evoit@cisco.com 
> <mailto:evoit@cisco.com>> wrote:
>
>     Hi Juergen,
>
>     > From: Juergen Schoenwaelder, July 23, 2018 10:14 AM
>     >
>     > On Fri, Jul 20, 2018 at 06:47:48PM +0000, Eric Voit (evoit) wrote:
>     > > Hi Juergen,
>     > >
>     > > > From: Juergen Schoenwaelder, July 20, 2018 6:14 AM
>     > > >
>     > > > On Thu, Jul 19, 2018 at 09:41:00AM +0000, Eric Voit (evoit)
>     wrote:
>     > > >
>     > > > > That is what I was hoping would be accomplished with the text:
>     > > > >
>     > > > >    The method of identifying the targeted receiver IP
>     address, port, and
>     > > > >    security credentials are left up to implementers of this
>     > > > >    specification.  For implementation guidance and a YANG
>     model for
>     > this
>     > > > >    function, please look to
>     > > > >    [I-D.draft-ietf-netconf-netconf-client-server].
>     > > >
>     > > > I said this is to vague for me to understand. Repeating the
>     pointer
>     > > > does not help me to understand. If this I-D has a clear
>     solution,
>     > > > why not put it in place?
>     > >
>     > > The recommended solution is for vendors to augment in their own
>     > leafrefs into existing vendor specific call home configurations.
>     > Alternatively, solutions can be integrated within non-YANG based
>     > configuration structures.  This is how our configured subscription
>     > implementation works.
>     > >
>     > > To clarify the recommended solution, I have updated the
>     reference above
>     > to:
>     > >
>     > > The method of identifying the targeted receiver IP address,
>     port, and
>     > security credentials are left up to implementers of this
>     specification..  For
>     > implementation guidance on how a leafref might constructed to
>     accomplish
>     > this function, consider the following augmentation which would
>     need to be
>     > made if the necessary connection parameters are maintained with
>     ietf-
>     > netconf-client.yang as specified by
>     [I-D.draft-ietf-netconf-netconf-client-
>     > server].
>     > >
>     > >   import ietf-netconf-client { prefix ncc; }
>     > >   import ietf-subscribed-notifications { prefix sn; }
>     > >   import ietf-netconf-subscribed-notifications { prefix nsn; }
>     > >
>     > >   augment
>     "/sn:subscriptions/sn:subscription/sn:receivers/sn:receiver" {
>     > >    when 'derived-from(../../../transport, "nsn:netconf")';
>     > >    leaf netconf-endpoint {
>     > >       type leafref {
>     > >         path "/ncc:netconf-client/ncc:initiate/ncc:netconf-
>     > server/ncc:endpoints/ncc:endpoint/ncc:name";
>     > >       }
>     > >       description
>     > >         "Points to a remote NETCONF client intended to support
>     a particular
>     > configured subscription.";
>     > >     }
>     > >   }
>     >
>     > So why do we create a _standard_ that says take the other
>     standard and
>     > then roll your own non-standard module to make them work together?
>
>     My reading of your request was to make the current draft text less
>     vague.   Hopefully providing an example augmentation based on a
>     referenced standard-in-progress removes this ambiguity.
>
>     I would hope that when the other standard is ready, it doesn't
>     take something non-standard to bind them.  There are earlier
>     threads on how this might be done.
>
>     > > > > To cover this, there is the following text in Section 5 of
>     > > > > draft-ietf-netconf-
>     > > > netconf-event-notifications:
>     > > > >
>     > > > >    publisher SHOULD place the receiver into the
>     > > > >    "timeout" state after a predetermined number of either
>     failed call
>     > > > >    home attempts or NETCONF sessions remotely terminated
>     by the
>     > > > >    receiver.
>     > > > >
>     > > > >    Until NETCONF transport with a receiver has been
>     established, and a
>     > > > >    "subscription-started" state change notification has been
>     > > > >    successfully sent for a configured subscription, that
>     subscription's
>     > > > >    receiver MUST remain in either the "connecting" or the
>     "timeout"
>     > > > >    state.
>     > > >
>     > > >     <-- call home -->
>     > > >  C: <hello>
>     > > >  S: <hello>
>     > > >  S: <notification>
>     > > >     <-- session terminated -->
>     > > >
>     > > > The server believes 'notification has been successfully
>     sent'.  The
>     > > > other alternative would be a client that throws away
>     notification
>     > > > messages not
>     > > > expected:
>     > > >
>     > > >     <-- call home -->
>     > > >  C: <hello>
>     > > >  S: <hello>
>     > > >  S: <notification> // -> discarded
>     > > >  S: <notification> // -> discarded
>     > > >  S: <notification> // -> discarded
>     > > >     [...]
>     > > >
>     > > > Both scenarioes are problematic.
>     > >
>     > > Agree that there are these two scenarios.
>     > >
>     > > The first scenario isn't elegant, but I don't see it as
>     problematic.  Per SN,
>     > transport loss places all receivers back into their connecting
>     state.   And the
>     > NETCONF-Notif text quoted above shows that multiple session
>     terminations
>     > places the subscription into "timeout" so that something can
>     figure out
>     > what is wrong.
>     > >
>     > > The second scenario requires that NETCONF Call home is
>     successfully
>     > configured with the right credentials on both sides of the
>     connection, and
>     > that the receiver's NETCONF client implementation is unable to
>     terminate a
>     > session receiving unwanted notification traffic.  This is a
>     concern, but an
>     > implementer at least has some protections by controlling the
>     call home
>     > connectivity parameters tied to a specific receiver.  (See
>     continue reasoning
>     > below)
>     >
>     > There is nothing in NETCONF that requires a client to terminate
>     a session if
>     > the client receives an unexpected message. The control of call home
>     > parameters is no answer (first this is out of hands for the
>     implementor and
>     > second the problem is likely a misconfiguration in the first
>     place that leads
>     > to something not useful). I do not think your answers provide a
>     solution - I
>     > am not interested in justifications.
>
>     A solution based on the correct call home parameter configuration
>     does work..  But other than that, I agree with you: the current
>     NETCONF configured subscription solution does take some valid
>     error conditions out of the hands of implementers, and places them
>     in the hands of operators.
>
>     The biggest question I see is whether implementers want to do the
>     leg-work needed to building out the client capability
>     advertisement capability to protect against these failure
>     scenarios.   It would be great if NETCONF implementers signaled
>     they are ready to pick this up.
>
>     > > > This is why I suggested that there needs to be some
>     mechanism that
>     > > > tells the server that the client is willing to receive
>     configured
>     > > > subscriptions before the server throws <notification>
>     messages at
>     > > > the client. You will find differnet ideas in the mailing
>     list archive.
>     > >
>     > > In talking about this issue in the past, suggestions were made
>     that the
>     > NETCONF client could advertise its capabilities for supporting
>     configured
>     > subscriptions as part of the hello exchange.  And that can be a
>     partial(*)
>     > solution to the problem.  However there was pushback to this
>     based on
>     > NETCONF client to server implementations not typically
>     exchanging and
>     > interpreting the results of NETCONF client asserted capabilities.
>     > >
>     > > (*) the reason it is partial is that even if the client
>     advertises support for
>     > NETCONF configured subscriptions, there is still the possibility
>     that
>     > something goes wrong with the receiver's receiving process with
>     the second
>     > scenario above.  In which case you still need to have a way to
>     terminate the
>     > incoming notification stream by pulling down the NETCONF
>     session.  Still,
>     > there are obviously benefits of client capability signaling as
>     an extra layer of
>     > misconfiguration protections included.
>     >
>     > Simply pushing data to a receiver before checking that the
>     receiver is willing
>     > and able to consume the data is in my view not good protocol
>     design. There
>     > are cases where this is unavoidable but here we do have a client
>     and server
>     > talking to each other that can do better.
>     >
>     > > Looking at what is in the v10 draft, there are some
>     protections for both
>     > your scenarios above.  But certainly it is not robust.  And
>     certainly having
>     > the client advertise configured receiver support would be nice,
>     but this
>     > would require more development.   As based on the amount of
>     > development,  we used the design philosophy of "it is better to
>     start with
>     > an 80% solution than a 120% solution :-)."
>     >
>     > There was also another proposal, namely to have the client
>     request the
>     > start of notifications (like you would do with RC and SSE). I do
>     not buy the
>     > 80% solution argument for an excuse of poor protocol design.
>
>     The other proposal is absolutely a valid way to do this. And as
>     Andy and others have pointed out, the current dynamic
>     <establish-subscription> RPC can be kicked off by such a process.
>
>     However the call flow has more error conditions.   As a result,
>     three years ago during scoping of the current suite of IETF
>     subscription drafts, this proposal was determined to be
>     out-of-scope.  This decision was not necessarily a bad choice as I
>     have seen proprietary non-NETCONF configured subscription
>     deployments thrive without a publisher requesting that a client
>     invoke the <establish-subscription>.
>
>     As a result of the decision several years ago, no one has proposed
>     an IETF standards based call flow to invoke a client based
>     <establish-subscription>.  It would be excellent if someone wanted
>     to propose a draft for this.
>
>     > > I agree that the current protection could have an improved
>     description.
>     > So I have placed the following text into the NETCONF-Notif security
>     > considerations section:
>     > >
>     > > " For a configured subscription, if NETCONF call home has been
>     configured
>     > with the working credentials, yet that the receiver's NETCONF client
>     > implementation is both unable to process inbound notifications
>     and unable
>     > to terminate a session receiving unwanted traffic, then the
>     receiver may
>     > receive unwanted event records.  To minimize this risk, a publisher
>     > implementation should use dedicated call home connectivity port
>     numbers
>     > and credentials specific to configured subscriptions. This will
>     minimize the
>     > chance that an unplanned NETCONF receiver will receive configured
>     > subscription notifications unexpectedly."
>     >
>     > Well, I would rather fix the issue than pushing the problem
>     ultimately to
>     > operators.
>
>     Your position is a valid one for sure.   I have not yet heard of
>     operator wanting to attempt these more robust configuration
>     protection mechanisms yet.  And as noted above, this is not a key
>     use case for the deployments I am seeing yet.
>
>     Eric
>
>     > /js
>     > 
>     > --
>     > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>     > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen |
>     Germany
>     > Fax:   +49 421 200 3103       
>      <https://www.jacobs-university.de/
>     <https://www.jacobs-university.de/>>
>
>
>
>
> _______________________________________________
> Netconf mailing list
> Netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf

v2.23.0 | Report a Bug | By Email