Re: [Netconf] Comments on draft-ietf-netconf-netconf-client-server

"Dhanapal, Ramkumar (Nokia - IN/Chennai)" <ramkumar.dhanapal@nokia.com> Fri, 16 November 2018 10:51 UTC

Hi Kent,
Comments in-line.
Regards,
Ramkumar

From: Kent Watsen <kwatsen@juniper.net>
Sent: Friday, November 16, 2018 4:02 AM
To: Dhanapal, Ramkumar (Nokia - IN/Chennai) <ramkumar.dhanapal@nokia.com>; netconf@ietf.org
Cc: Beauville, Yves (Nokia - BE/Antwerp) <yves.beauville@nokia.com>; Carey, Timothy (Nokia - US) <timothy.carey@nokia.com>
Subject: Re: Comments on draft-ietf-netconf-netconf-client-server

[just back from travels]

Hi Ramkumar,


> Comment 1:
> We are using the ‘ietf-netconf-server’ module for configuration of call home parameters
> like netconf client endpoint IP/port, keys/certificates etc.  For static configuration from
> northbound, this works fine.
>
> Our use case is that the netconf client endpoint IP/port are learnt dynamically through
> DHCP process in line with BBF TR301_Issue2.  These dynamically learnt endpoints also
> need to be modelled in the yang.  These dynamic endpoints should also support the
> configuration of keys/certificates.

I just read TR301 Issue2, which is similar to work I do both in and out of the IETF.

What is your question specifically?  Is it how to configure the ietf-netconf-server
data model given the PMA Offer message described in Section 16.5.2.2?  or is
it how the PMA can configure these values after it establishes a NETCONF
connection (via NETCONF Call Home) to the DPU after the discovery process
completes?

[BTW, please notify the editor about the typo in R-191: s/Identified/Identifying/.]

[Ram]  The DPU gets the PMA IP in the DHCP Offer message from the DHCP server in option 125.
The question is where to store these dynamically learnt IP addresses in the ietf-netconf-server data-model (the data-model seems to be pertaining to static user configuration)?
Regarding the typo in R-191, we will notify the author.

> Comment 2: The server keys/certificates/ca-certs are configurable per endpoint per
> netconf-client. We understand pinned-ca-certs/ pinned-client-certs can be per endpoint.
> But for the device acting as the netconf server, we see only one set of keys/certificates
> is enough and need not be per endpoint.

As I understand TR301, the DPU will perform standard certificate path validation
of the PMA’s end-entity certificate to a pre-configured trust-anchor certificate,
presumably one provided by a public CA such as Verisign or Comodo, such as
might be found in, e.g., /etc/ssl/certs.  Thusly, these certs are, in effect, the
“pinned-ca-certs” that would be used.  For absolute correctness, the DPU could
auto-populate /ietf-trust-anchors:pinned-certificates with these certs, or it could
do “backend magic” to achieve the same result.

[Ram]  We are in-line with you on the “pinned-ca-certs”.
The comment is on the keys/certificate of the DPU, i.e., ‘server-identity’.
As per the data-model, this is configurable per endpoint per netconf-client.
Since the DPU is acting as netconf server, we use only one set of keys/certificates, and it is not per endpoint.
Our view is that this set is applicable for all endpoints (both statically configured and dynamically learnt scenarios).
Since it is configurable per endpoint now, if the user configures one set for each endpoint, which set shall the DPU use for the TLS authentication?

> Comment 3: The description of ‘netconf-server/listen/endpoint/transport/ssh/address’
> is mentioned as “The NETCONF server will listen on all configured interfaces if no value is
> specified”.  When no value is specified, we are unable to configure ‘ss:ssh-server-grouping’
> parameters.

Good catch, the mandatory true requires a value.  This was discussed on the list a
while back with the result of wanting to instead have the address always specified,
using INADDR_ANY or INADDR6_ANY when needed.  The description statement is
wrong.  I have removed the 2nd sentence from the description statement in six
locations in the four modules ietf-[netconf|restconf]-[client|server] in my local
copy.

BTW, you mention “listen” and “ssh” but, for TR301, it should be “call-home” and
“tls”, right?

[Ram] Yes, we use Call-Home over TLS for DPUs, but we also support listen over SSH for some other platforms.

Regards,
Kent
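The dynamic discovery discussed under Comment 1 (the DPU learning the PMA address from DHCP option 125), as an added example that is not part of this thread, of the draft, or of TR-301: a bounds-checked decoder for RFC 3925 option 125 that yields the Call Home endpoint the DPU would then have to hold somewhere in the server data model. The BBF enterprise number 3561 and the 4335 default port are real registered values; the sub-option codes for address and port are assumed placeholders, not TR-301's encoding, and the sample offer payload is constructed.

```python
import ipaddress
import struct

BBF_ENTERPRISE = 3561       # Broadband Forum IANA enterprise number (real value)
SUBOPT_PMA_ADDRESS = 1      # ASSUMED sub-option code, not TR-301's real encoding
SUBOPT_PMA_PORT = 2         # ASSUMED sub-option code, not TR-301's real encoding
CALLHOME_TLS_PORT = 4335    # IANA port for NETCONF Call Home over TLS (RFC 8071)

def parse_option125(payload: bytes) -> dict:
    """Decode RFC 3925 option 125 data into {enterprise: {code: value}}; every
    length field is checked so a truncated or malformed offer raises ValueError."""
    result, pos = {}, 0
    while pos < len(payload):
        if len(payload) - pos < 5:
            raise ValueError("truncated enterprise header")
        enterprise, data_len = struct.unpack_from("!IB", payload, pos)
        pos += 5
        if data_len > len(payload) - pos:
            raise ValueError("enterprise data-len exceeds payload")
        data, pos = payload[pos:pos + data_len], pos + data_len
        subopts, spos = {}, 0
        while spos < len(data):
            if len(data) - spos < 2:
                raise ValueError("truncated sub-option header")
            code, slen = data[spos], data[spos + 1]
            spos += 2
            if slen > len(data) - spos:
                raise ValueError("sub-option length exceeds enterprise data")
            subopts[code] = data[spos:spos + slen]
            spos += slen
        result[enterprise] = subopts
    return result

def learned_callhome_endpoint(payload: bytes):
    """Return (address, port) of the PMA from the offer, or None if absent."""
    subopts = parse_option125(payload).get(BBF_ENTERPRISE, {})
    raw_addr = subopts.get(SUBOPT_PMA_ADDRESS)
    if raw_addr is None:
        return None
    if len(raw_addr) != 4:
        raise ValueError("PMA address sub-option must be 4 bytes")
    raw_port = subopts.get(SUBOPT_PMA_PORT, struct.pack("!H", CALLHOME_TLS_PORT))
    if len(raw_port) != 2:
        raise ValueError("PMA port sub-option must be 2 bytes")
    return str(ipaddress.IPv4Address(raw_addr)), struct.unpack("!H", raw_port)[0]

# Constructed sample offer payload: enterprise 3561 carrying 192.0.2.10:4335
SAMPLE_OFFER_OPTION125 = struct.pack("!IB", BBF_ENTERPRISE, 10) + bytes(
    [SUBOPT_PMA_ADDRESS, 4, 192, 0, 2, 10, SUBOPT_PMA_PORT, 2, 0x10, 0xEF])
```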