Re: [Netconf] configured subscriptions over netconf and restconf
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 20 July 2018 13:17 UTC
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69ACF131185 for <netconf@ietfa.amsl.com>; Fri, 20 Jul 2018 06:17:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sznWM8x6lzFp for <netconf@ietfa.amsl.com>; Fri, 20 Jul 2018 06:17:16 -0700 (PDT)
Received: from anna.localdomain (firewallix.jacobs-university.de [212.201.44.247]) by ietfa.amsl.com (Postfix) with ESMTP id 17B7113115C for <netconf@ietf.org>; Fri, 20 Jul 2018 06:17:16 -0700 (PDT)
Received: by anna.localdomain (Postfix, from userid 501) id 6B12223604F1; Fri, 20 Jul 2018 15:17:14 +0200 (CEST)
Date: Fri, 20 Jul 2018 15:17:14 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Kent Watsen <kwatsen@juniper.net>
Cc: "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20180720131714.eiv6kgivbswb4xnl@anna.jacobs.jacobs-university.de>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Kent Watsen <kwatsen@juniper.net>, "netconf@ietf.org" <netconf@ietf.org>
References: <20180720100229.7ndhp74ylb53tmgh@anna.jacobs.jacobs-university.de> <C7718019-56B1-4F8F-9D19-9EDA7D1A17C6@juniper.net> <20180720123929.uuvkqpqqktxccuvr@anna.jacobs.jacobs-university.de> <90BBBBD1-671D-43AC-BE9F-936E90AE530A@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <90BBBBD1-671D-43AC-BE9F-936E90AE530A@juniper.net>
User-Agent: NeoMutt/20180622
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/7OIJxYI_4_u9HHZqLVhTKF5QUpI>
Subject: Re: [Netconf] configured subscriptions over netconf and restconf
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2018 13:17:25 -0000
On Fri, Jul 20, 2018 at 01:02:55PM +0000, Kent Watsen wrote: > > >> I believe the draft correctly explains the need for a client of a configured subscription to issue dynamic subscriptions. > >> > > > > Not sure what you mean with this. Which section do you refer to? > > I’m not looking at it right now, but I know that there’s a statement in the Security Considerations section. > draft-ietf-netconf-netconf-event-notifications-10.txt: 10. Security Considerations Notification messages (including state change notifications) are never sent before the NETCONF capabilities exchange has completed. If a malicious or buggy NETCONF subscriber sends a number of establish-subscription requests, then these subscriptions accumulate and may use up system resources. In such a situation, subscriptions MAY be terminated by terminating the underlying NETCONF session. The publisher MAY also suspend or terminate a subset of the active subscriptions on that NETCONF session. This draft has a YANG module which consists of a single identity. As a result additional security concerns beyond those of the imported modules are not introduced. The first paragraph is interesting but it is not clear why it is in the security considerations. The second paragraph talks about a thread but leaves out what happens to configured subscriptions created by a malicious client. The last one says that the identity defined in the YANG module has no security issues. The completeness of the security considerations can perhaps be debated but anyway I see nothing concerning "the need for a client of a configured subscription to issue dynamic subscriptions". Let me try draft-ietf-netconf-subscribed-notifications-14.txt. I find: With configured subscriptions, one or more publishers could be used to overwhelm a receiver. Notification messages SHOULD NOT be sent to any receiver which does not support this specification. Receivers that do not want notification messages need only terminate or refuse any transport sessions from the publisher. So a notification receiver must implement draft-ietf-netconf-subscribed-notifications-14.txt? How does the server determine that the client did implement draft-ietf-netconf-subscribed-notifications-14.txt? When a receiver of a configured subscription gets a new "subscription-started" message for a known subscription where it is already consuming events, the receiver SHOULD retrieve any event records generated since the last event record was received. This can be accomplish by establishing a separate dynamic replay subscription with the same filtering criteria with the publisher", assuming the publisher supports the "replay" feature. This is perhaps what you mean. But I wonder how this works for transports that can't establish dynamic subscriptions. Note that this is a SHOULD. Hence any transport SHOULD be able to create dynamic subscriptions. The more I look at these documents, the more questions pop up... /js -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany Fax: +49 421 200 3103 <https://www.jacobs-university.de/>
- [Netconf] configured subscriptions over netconf a… Juergen Schoenwaelder
- Re: [Netconf] configured subscriptions over netco… Juergen Schoenwaelder
- Re: [Netconf] configured subscriptions over netco… Kent Watsen
- Re: [Netconf] configured subscriptions over netco… Juergen Schoenwaelder
- Re: [Netconf] configured subscriptions over netco… Kent Watsen
- Re: [Netconf] configured subscriptions over netco… Eric Voit (evoit)