IETF Logo Mail Archive

Re: [Netconf] netconf call home connection type

Kent Watsen <kwatsen@juniper.net> Wed, 29 August 2018 21:08 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F06F1127333 for <netconf@ietfa.amsl.com>; Wed, 29 Aug 2018 14:08:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fq0SZRFuCq7s for <netconf@ietfa.amsl.com>; Wed, 29 Aug 2018 14:08:23 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 507D6126CB6 for <netconf@ietf.org>; Wed, 29 Aug 2018 14:08:23 -0700 (PDT)
Received: from pps.filterd (m0108161.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w7TL47rw024404; Wed, 29 Aug 2018 14:08:22 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=iNvjmuIXN9QPdxiQjBsIUGmDVCydQqdnvBBOrLIZb2A=; b=WQ+4bGZEGaJKO5ErvgI3WfwYy0tV7K0C10g5zxoiISLZnx67RXLthKlKkk1XA/8uVqcx QtdSKwjxgSKkTR3rddIx6pnweu+tlW5s48+Y7uI37BphJJodpITr9Xgss7V82+KJOyUS 7bpjTtYRSVXbNCXU3OUuW6u18eFEKLlSb0+IZio37JI4K7delxoxP9RuBxOjyYIOdPa0 /GPP+8wfLE6gzp3I5Nmhpzx6jLSc1uyC91xAzubPPNKpNJuGnrbt2CNaW2OhrLBKSjkt aLhpzaATaRU5ETQCeG3YcGY1b+opaOuC+ZVzdlwtKDFZtct9jTeD5oSxbUKOMT7f8y0w Xg==
Received: from nam05-dm3-obe.outbound.protection.outlook.com (mail-dm3nam05lp0120.outbound.protection.outlook.com [216.32.181.120]) by mx0b-00273201.pphosted.com with ESMTP id 2m5xjrgn8q-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 29 Aug 2018 14:08:21 -0700
Received: from DM6PR05MB4665.namprd05.prod.outlook.com (20.176.109.202) by DM6PR05MB4156.namprd05.prod.outlook.com (20.176.72.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1122.7; Wed, 29 Aug 2018 21:08:20 +0000
Received: from DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d]) by DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d%5]) with mapi id 15.20.1122.000; Wed, 29 Aug 2018 21:08:20 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Martin Bjorklund <mbj@tail-f.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] netconf call home connection type
Thread-Index: AQHUOUk8IdLBwLq95EWszUO4eDF4yKTKZDSAgAESIICAA7pUAIAEHU8AgADmugCAAJdjAIAAUaEAgAB3VoCAAB6KgIAAqSQAgACmc4A=
Date: Wed, 29 Aug 2018 21:08:19 +0000
Message-ID: <C735A09A-031E-44D6-B776-2551B2CE0B11@juniper.net>
References: <C2DCC92F-7382-4353-9AD4-3AC37E5A227A@juniper.net> <20180828.211749.1055874324314612702.mbj@tail-f.com> <7A1BA8A7-76E5-4961-8DE8-8794FB97AA6C@juniper.net> <20180829.091230.1123608459682664816.mbj@tail-f.com>
In-Reply-To: <20180829.091230.1123608459682664816.mbj@tail-f.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.14]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR05MB4156; 6:TEps1ls2FWkZVoIzchgqr/4AF5CPHn3VhvcyYf0tNpvFq25N7zjuufp6Frhwj0+GHx2i6cicEPCa2c8dxbRMWBuzSyaQZReXY2JA1kqO4a0tjOiT1ruc0eNBRKzwmi1jHy7EmrvDevWtgrHl4GiX/hY0TBzQzXBxju16jMW858qShzh08XtKEyWsZc6j4G/z4FtV9at0YKXb07V9OfnYVcT1XLhK8qzyLWnRxyAeKZqfKUFRGlm4j3ONnLHXza8YByQFNAh50XzPWXCcus1wY6awrdLCYDVHVvcG3k8zwEoTRQc/pHddrU1W8ZiyGNHcEVAHyxon8UmG9uTsR+Bi8xchZeqFB3K8KvA0xL/cmu4xJnZBp9CY1CVAI2qbGs37ridKEfqwqp2/OZ0JZblaNI/SRBEvjJ3RmBIkBXRhHPY87BByLinMcnrsSZvzMXsG16FI3SIMZtAoBx5JBldJyA==; 5:viAWRZi6qcluWJEMF3B4I5a8smumNUD32Ex3N5PrLdqArHSvaUCXTax/11u3wMQr1z/lHaVe/c9E2gnKDQoS/BYG6DleGrVXT0oedPTJ3TkqJufOQfrSqB7rGmVTc0ZKpy4qTTV3liWA1TZorC8VOU79rlz/M4XLRbaMU/TC3fs=; 7:lTYUvNlmFiw1O7lqYaBl0uXq9f5GWIe4oBzdP3RxOugMJ2sL3XTT694b+qBad43f9gfHJINxHrxUYZNxt705PcVFXsV3PDCD4h3e+FU6FRbdS88XjbZBOYJpzwOHAr+pSRgMXfkeDF8pD1J/Z/UggCZCby1rK55hYMYxJx6+8e3TdpBFbklEnJY42Oelj0HvnSI/4pLyz3TCWKxphj8UdM70TEvOPQ3KDlAcl9hupoA6O7rBxbcSOsc81BBkMlZe
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 83bdfeaf-ecf0-40ab-789b-08d60df38c53
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:DM6PR05MB4156;
x-ms-traffictypediagnostic: DM6PR05MB4156:
x-microsoft-antispam-prvs: <DM6PR05MB4156D05EF2B35B28453E9D77A5090@DM6PR05MB4156.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3231311)(944501410)(52105095)(93006095)(93001095)(3002001)(10201501046)(6055026)(149027)(150027)(6041310)(20161123560045)(20161123564045)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(201708071742011)(7699016); SRVR:DM6PR05MB4156; BCL:0; PCL:0; RULEID:; SRVR:DM6PR05MB4156;
x-forefront-prvs: 077929D941
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(346002)(376002)(366004)(136003)(396003)(51444003)(199004)(189003)(69234005)(26005)(478600001)(82746002)(2906002)(99286004)(106356001)(105586002)(33656002)(83716003)(25786009)(5250100002)(6512007)(76176011)(6436002)(97736004)(53936002)(316002)(229853002)(5660300001)(58126008)(6486002)(14444005)(256004)(6916009)(93886005)(36756003)(476003)(14454004)(3846002)(6116002)(8936002)(6506007)(4326008)(6246003)(81166006)(186003)(102836004)(81156014)(2616005)(2900100001)(7736002)(11346002)(486006)(86362001)(68736007)(446003)(66066001)(8676002)(305945005); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR05MB4156; H:DM6PR05MB4665.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 4Xx/pxqqVcV6HuWH/LF7ulFfDlknYdmebXYYFzOyIZaPSjbW5XNzMoBHMngIrcbi4hWhFUaaQPduYY8h9zgAkOzQLPwXA5f70jlJtdwpVmtlwQxbrX+2uplyJubE7D1XuV0Jq8ZH2NzlJHjv69RbZLiKKl6B1YS37GrycYb6ZF3pPXwMeRRqFoM/TE4UvH3t/VU2OvizGEFrqLLup1wbaAoR3v7aZxH+g/3hClvE6BAFvhXusHwElsVo3yJlXFSq4/5GCQgi+07UVazB43yNA073zAkdTHlq4WOUTabqHXdGrSyRY9+N1bRmCyx2bKOcxI0A4iAB2/rxmgNudgCotD4ncWfYmdEKdpPAifgCDic=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <A49D2F0035798746926A9086AA53042C@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 83bdfeaf-ecf0-40ab-789b-08d60df38c53
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Aug 2018 21:08:20.1107 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4156
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-08-29_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1808290205
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/8NYNpDyte9KZxeh7_MkhK4OHHI4>
Subject: Re: [Netconf] netconf call home connection type
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2018 21:08:26 -0000


> Duh.  Of course.  

Well, I have had to correct people before.


> Ok, but this doesn't really change anything, except
> if that if the server wants to start two sessions, it will use two TCP
> connections.

Yes.


> As has been mentioned before, it would have been nice if the server
> calling home had some way of informing the client of *why* it called
> home.  This could possibly be done (in NETCONF) with a special
> capability:
>
>  urn:ietf:...:calling-home?have-notifications
>  urn:ietf:...:calling-home?by-config
>  urn:ietf:...:calling-home?have-alarms

Perhaps.  We'd need a registry to enable mappings, etc.  I generally
like the idea and, if this can be solved, then a lot my objection goes
away.  The biggest issue is that it wouldn't work for RESTCONF.  Maybe
RFC 8071 can be updated to add:

 - the server MUST (SHOULD?) implement some "ietf-call-home" module 
   that defines an RPC called "call-home-reason" that returns an 
   identifier (a base identity) that indicates the reason for the
   call-home connection.

 - the client SHOULD (MUST?), as a first step, use said RPC to 
   determine the reason the server initiated the call-home
   connection.



>> What if there are different
>> "triggers" all pointing to the same netconf-server instance and
>> all using "coap"; the server can't use the transport alone to
>> know what to push to each.  It seems that the client has to send
>> an RPC of some sort in each to bind the transport to a purpose.
>
> This is related to the question of when the server can send the
> notifs, 

No, my point is that, even before that, the client needs to know
the reason for the call home connection (foo, bar, baz) and, for
each trigger, there may be a different RPC needed to get the data.
How would the client know which RPC to send to collect each type
of data?



> but I think that this also can be handled w/ capabilitites
> rather than requiring an extra rpc; if the client adervtises the
> capability "urn:ietf:...:call-home-notifications", then the server can
> start to send the notifications immediately.

In keeping with foo, bar, baz, I suppose that the client would advertise
a capability for each, and the data sent must be self-typing, such that
even a binary coap session could distinguish between a foo and a bar 
being sent.

That might work for NETCONF.  I don't know what the RESTCONF equivalent
might be.  Maybe a NETCONF-only solution is okay, but I'd rather seek
solutions that work for both (hence the above suggestion for an RPC).



>> All this trouble is because we want to repurpose a NC/RC call-home
>> connection, so that there is only a single TCP connection (is this
>> the goal?
>
> No, I think the goal is to let the server and clients have the same
> roles as they do in the normal case, using the same authentication and
> authorization mechanisms.

Yes, maintaining roles is goodness, but it's not so important when
configuring "push" flows, where it's okay to let the device be the
protocol-client because it's a secondary purpose (fault-monitoring
is secondary to provisioning).

BTW, while I enjoy the entertaining the idea, you should know that 
I don't support NC or RC based configured subscriptions (and I can
hardly think of another reason for why a device might want to call
home "on-demand").  There was a message I sent when you were sailing
(bet you're missing it now) where I said that we instead focus our
limited resources on defining 1) something easy (pushing XML/JSON 
over a device-initiated HTTP connection, where the device  is the 
HTTP-client), and/or 2) something fast (pushing binary over a 
device-initiated coap connection, where the device is the COAP-
client).



>> why would two device-->NMS connections not be as good?).
>
> This is fine imo.

Great.  Then let's take SSH channels off the table.  It difficult
to figure out, notwithstanding it muddies the "reason" for why 
the device called home.  E.g., it calls home for "persistent-
connection" reason but, then, in the middle of it, it opens an
SSH channel for reason=yang-push?  This seems to conflate too 
much.  Simpler is for the device to make a new on-demand
connection, for each on-demand connection it wants to make. 
The biggest downside is potentially some redundancy in the 
configuration data (e.g., same SSH-level credentials configured).



>> But, in my view, YP+SN is better served as a client: the publisher
>> connects and pushes content to the receiver.
>
> Do you mean that the publisher would be a NETCONF client and the
> receiver a NETCONF server?

Yes.


>  But see below!  This should be discussed in another thread.
>
>
>> Back to the subject line, my suggestion (for this one issue) is:
>> 
>>    - persistent (unchanged)
>>    - periodic   (unchanged, keep the on-demand language)
>
> I think we have identified four possible connection types.  It would
> be good to check with thee WG which of the four people think are
> useful.  (probably start a fresh thread, not sure people follow
> this...?)
>
>  - persistent

yes.

>  - on-demand

maybe, but 1) many open issues, 2) a "notifications" connection-type
augmented in might be better (more meaningful, etc.), and 3) I think
client-initiated connections are generally better suited than call-home
for YP+SN.

>  - periodic-with-on-demand

I don't understand this.  I'm sure your thinking that it will call home
sometimes with reason=scheduled (or whatever) and then other times with
reason=yang-push (or whatever), but what happens when the YANG-push is
suppose to happen at the same time there is already a periodic connection?
Assuming this connection-type presumes the existence of the "on-demand"
connection type, why not instead configure a dedicated on-demand 
connection type?

>  - strictly-periodic

I generally like the idea of removing the "The NETCONF/RESTCONF server/client
MAY initiate additional connections to the NETCONF client/server if needed 
for reasons not described here." sentence from the various "periodic"
descriptions, but...

I'm okay (can live with) leaving it in, from a future-proofing perspective,
more so than for anything that we plan on doing now.



>>    - let the "notif" drafts, for configured subscriptions:
>>       - use <protocol>-client connections (recommended)
>>       - use <protocol>-server call-home connections (not recommended)
>>           - augment in an "subscribed-notifications" call-home 
>>             connection type and leafref that connection-type
>>           - and/or resolve what it means to point to (repurpose) a 
>>             persistent or periodic connection
>
> I think we should move this discussion to another thread - if/when we
> define protocol bindings for configured subscriptions.

Sure, but I'm trying to give you a peek now so we can see how this might
play out.



>> I'm unsure if this is needed.  Either case, the standard call-home 
>> interaction occurs, even for the unexpected "on-demand" connections 
>> and, if the operator, in its config, leafref-ed a call-home connection
>> for yang-push also, then they did it on purpose.  If the operator
>> wants strictly-periodic, don't configure anything that might cause
>> an on-demand connection. Right?
>
> So how would an operator configure YP then, if the only connection
> types available are "persistent" and "periodic-with-on-demand"?

I would have the corresponding notif draft augment in a new connection-
type (e.g. "notifications") and that the notif data model's leafref 
would only point to connections having that connection-type.  No 
conflation of purpose, each connection definition has a specific
purpose.



>> Maybe.  I'm not yet buying the need to repurpose a call-home 
>> connection for yang-push.
>
> It is not just YP, but notifications in general.

I know that this is the idea, but we have no other examples at hand,
and so it reduces to just YP for me.



>> FYI, another niggle I'm getting is how all repurposed call-home 
>> connections might be supported by generic server frameworks like 
>> NCS.  Would NCS examine the device config, determine how many
>> triggers might have caused this and then, how each, start the
>> trigger-specific action to see if it was the reason why the 
>> device called home?>
>
> Why do you call then "repurposed"?  This is a problem in general 
> with call-home; how does the client know what to do?  An indication
> of why the server called home might help.

yes, this a rehash of the "reason" topic above.  I'm using the 
word "repurpose" because, the primary-purpose is to establish a 
NC/RC session that the client can then do whatever it wants with
(including starting a dynamic subscription in a separate SSH
channel).  The "repurpose" part is having other triggers using
the same connection for their purposes, in which case the purpose
is most definitely not the same as the normal purpose.


Kent // contributor

v2.23.0 | Report a Bug | By Email