IETF Logo Mail Archive

[netconf] Re: Francesca Palombini's Discuss on draft-ietf-netconf-http-client-server-23: (with DISCUSS)

Kent Watsen <kent+ietf@watsen.net> Wed, 21 August 2024 01:04 UTC

Return-Path: <010001917276c9a9-61d073c7-2edc-4fb6-8397-6bf11b2cf243-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9320EC14F681; Tue, 20 Aug 2024 18:04:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pwZ5Owi9Rxw6; Tue, 20 Aug 2024 18:04:34 -0700 (PDT)
Received: from a48-90.smtp-out.amazonses.com (a48-90.smtp-out.amazonses.com [54.240.48.90]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A270C14E513; Tue, 20 Aug 2024 18:04:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1724202273; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:Feedback-ID; bh=Q6J0H8wguBjgsuvLsXFYeJHtzXyc8b3l0zIfBgWuCq0=; b=fqOFexcgjN/+MoGt7IeUgc0WkChkz1Ppsz8EQsp/JDYEHiq5uX3FlH+uj8nAswyU 8WVUgGDRAcHbtCS2TUHc48eoCg0OXJBi536380MFOi27bc37wWZuq5J8aUH9HRSPTqD mZlx7JpkaU76peOYjWOKKwu5QIqjEkGkbXQBBwTo=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.400.31\))
From: Kent Watsen <kent+ietf@watsen.net>
In-Reply-To: <B930CFB9-0827-4A04-B3DE-103253048DE1@mnot.net>
Date: Wed, 21 Aug 2024 01:04:33 +0000
Content-Transfer-Encoding: quoted-printable
Message-ID: <010001917276c9a9-61d073c7-2edc-4fb6-8397-6bf11b2cf243-000000@email.amazonses.com>
References: <172416794310.2072814.8838102958915521258@dt-datatracker-6df4c9dcf5-t2x2k> <01000191716a91f5-134569c8-7097-4beb-a83c-1e533c72cb92-000000@email.amazonses.com> <B930CFB9-0827-4A04-B3DE-103253048DE1@mnot.net>
To: Mark Nottingham <mnot@mnot.net>
X-Mailer: Apple Mail (2.3774.400.31)
Feedback-ID: ::1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.08.21-54.240.48.90
Message-ID-Hash: EVVKJJ4BQONZ4ZYOHQAALPXEUINL44EX
X-Message-ID-Hash: EVVKJJ4BQONZ4ZYOHQAALPXEUINL44EX
X-MailFrom: 010001917276c9a9-61d073c7-2edc-4fb6-8397-6bf11b2cf243-000000@amazonses.watsen.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-netconf.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Francesca Palombini <francesca.palombini@ericsson.com>, The IESG <iesg@ietf.org>, draft-ietf-netconf-http-client-server@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [netconf] Re: Francesca Palombini's Discuss on draft-ietf-netconf-http-client-server-23: (with DISCUSS)
List-Id: NETCONF WG list <netconf.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/4ekqqWyTW6Qku-zFIPDiG1s0M1w>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Owner: <mailto:netconf-owner@ietf.org>
List-Post: <mailto:netconf@ietf.org>
List-Subscribe: <mailto:netconf-join@ietf.org>
List-Unsubscribe: <mailto:netconf-leave@ietf.org>

Hi Mark,

Thanks again for your response!
Just a few comments below.

Kent


> On Aug 20, 2024, at 7:47 PM, Mark Nottingham <mnot@mnot.net> wrote:
> 
> 
>> On 21 Aug 2024, at 6:11 AM, Kent Watsen <kent+ietf@watsen.net> wrote:
>> 
>>>> 
>>>> My recollection of our most recent discussions of this draft were that it
>>>> _might_ make sense to allow configuration of what version(s) of HTTP a server
>>>> supports, but not a client. Since -17, it appears the opposite has been done:
>>>> while server configuration remains the same, client configuration now allows
>>>> enumeration of supported versions.
>> 
>> The two cases are covered below:
>> 
>> 1) Regarding configuring allowed HTTP-versions for a *client*
>> 
>> I don’t recall this being discussed before.  I apologize if it is an overbite on my part.  Looking at the document’s history, the version discussed in Brisbane didn’t have any ability to configure a client to specific HTTP-versions, hence why it suspect it wasn’t discussed...
>> 
>> In any case, two comments were received since Brisbane by WG members stating that it should be possible to configure a client to use only specific HTTP-versions, hence why it was added.  Is it wrong or bad to restrict a client to specific versions?  
>> 
>> Note that `curl` has params such as "--http1.1”, "--http2”, "--http3", and "—http3-only”...
>> 
>> Please advise.
> 
> As discussed, HTTP negotiates the version of the protocol in use at runtime; constraining it to a set of versions is counter to best practice (notwithstanding what curl can and cannot do).

Negotiating version at runtime (startup handshake) is common practice.   The way it usually goes is that the client has a list of what it allows, and the server has a list of what it supports, and the latest/newest common version is selected.  This is how it works in HTTP also, yes?

Let’s say there exists an HTTP-client that requires multiplexing, so it requires at least HTTP/2.  But it connects to a server that only supports HTTP/1.1.  IMO the negotiation should fail, letting the HTTP-client to try another server.  Isn’t this proper?

The configuration -23 regards setting the client’s "list of what it allows".  It can be a list of versions, or the special wildcard value “any”.   It is expected that this “list of versions" will feed into the negotiation.  IDK, maybe you thought that the draft was always setting the client to a single version?

In case I'm completely upside down here, can you help me by saying if this "best-practice” is HTTP-specific and, if so, provide a pointer so I can understand it better?



>> 2) Regarding configuring allowed HTTP-versions for a *server*
>> 
>> Firstly note that the diff shows that it is unchanged from before.  But what is it, you ask?  The current version defines a YANG grouping called "http-server-stack-grouping” (seen in Section 3.1.2.2) that intends to support the configuration of:
>> 
>> - http over tcp
>> - http over tls
>> - http over quic
>> 
>> Technically, these are loosely connected to, but do not map exactly to HTTP versions.  If looking closely at it, you will notice “choice transport”, which means that only one of the three above (or any new ones added by other YANG modules in the future) can be defined at a time. 
>> 
>> But, of course, the intent is that a higher-level YANG module (such as the one defined in the restconf-client-server draft) will enable more than more to be configured.  For instance, for a HTTP/3 server, there would might be:
>> 
>> - one "http over tls” (i.e., tcp/443) configuration stack
>> - to present the Alt-Svc record to bounce the client to, e.g., udp/443
>> - one “http over quic” (e.g., udp/443) configuration stack
>> - to serve the HTTP requests
>> 
>> Makes sense?
> 
> Sort of. I am not confident that this will map well to actual HTTP server configurations, but don't oppose this approach from what I can understand of it.

Thanks.  FWIW, when composing my previous response, I realized that some of the text in the draft could be improved.   Once we close on the client-versioning bit, I’ll update the draft to improve this text slightly.



>>>> Additionally, support is indicated by using separate, version-specific
>>>> indicators. This is a closed list and does not accommodate future versions of
>>>> the protocol. Can this be an array of strings instead? That would also allow
>>> us > to avoid the awkward phrasing in the introduction, which leads readers to
>>>> believe the set of HTTP versions is closed (counter to BCP56).
>> 
>> 
>> The "protocol-versions” leaf is not a closed list.  The leaf uses the YANG “bits” statement that, according to RFC 7950, section 11:
>> 
>> o  A "bits" type may have new bits added
>> 
>> In configuration, the “bits” type is an array of strings.  For example, following is in an example in the draft:
>> 
>> <protocol-versions>http-11 http-2 http-3</protocol-versions>
> 
> I see. The specification still enumerates only those versions, however -- per above, versioning should be omitted from clients completely.

Happy to accommodate, once I can understand what you mean, per my response above.


> Cheers,
> 
> --
> Mark Nottingham   https://www.mnot.net/



Kent  // as author

v2.37.1 | Report a Bug | By Email | System Status