IETF Logo Mail Archive

Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis

Andy Bierman <andy@yumaworks.com> Thu, 04 May 2017 17:39 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBB221293FF for <netconf@ietfa.amsl.com>; Thu, 4 May 2017 10:39:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id df0MYXtkpCol for <netconf@ietfa.amsl.com>; Thu, 4 May 2017 10:39:37 -0700 (PDT)
Received: from mail-wr0-x232.google.com (mail-wr0-x232.google.com [IPv6:2a00:1450:400c:c0c::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 948D7120721 for <netconf@ietf.org>; Thu, 4 May 2017 10:39:36 -0700 (PDT)
Received: by mail-wr0-x232.google.com with SMTP id z52so11748780wrc.2 for <netconf@ietf.org>; Thu, 04 May 2017 10:39:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=mPwh4YeWAfHCjeTbkaD5bCS72vRqEm8H0/70Fsu+SXs=; b=wCRXp5/zMMo+bDoGDxXSWRE09V45UAzz/oVhiHugFimJtNq703KIW3DHj+cT0WsUnt g77fT8PsxvpkTmrRGmyv30FELqm/LrIQEKenpsVt8I1wzbVkPEIPfEK5EYruOqvCFVvt MiGeoZmEraRbMVtak8OS72W+ovTsS4yWEuxUIb4si+i3WzlFcT/NE5y2Wvr+QKx1KH5g OzZpipt/5AwL2sKRe+rzAT6GP742PM6qYkiYECD6OufZ1O9qNdmqCqwUgoeL7bIn97+C eZCGrspEB6xjcjeQuMPmkm4Pb0KX0k32cwKKtY1v6t2/zQS0uwmv6EIFSPTcClo3g/ei 7w2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=mPwh4YeWAfHCjeTbkaD5bCS72vRqEm8H0/70Fsu+SXs=; b=XG/y7WYnjFHuhQC45k2H8b2OZi+4glzxVy9nU8NIy7Rb9YyqzJuaUGeCLKXt51gV7l gj1+Knnh74T4SN3vq1B+kjF2MzPPid8lIpmsvpENc/TGq5AG76ryEt8mGQyhm8bm0lHl JRvOastfJ/RayxFHn4oFrGNxqix6Nf9JXIUDM2nyBnuiXJX61sPcv1R8Y5guTRbSwfrh AVM9k631SDcWr2S8HGsfljjlCWnrnMUbdZs+ssxZQtHrkhP8vhWwhurV3+cJLhUJQgDW ecvFiteTbYXxeNlQAYlxvlxp0ENg72XkeMpoWW7npQ5Pn6RF9REbB/WTJl1idO2xbggE ViAw==
X-Gm-Message-State: AN3rC/6LRPer9kgQrDM/Jtj75MEdIJ+hYg+uDSH1a6+l8cSZqepUlZ+v xYD+VwWeQffbCZR5OBstyGF9dMIFfA==
X-Received: by 10.223.162.150 with SMTP id s22mr24782526wra.88.1493919574377; Thu, 04 May 2017 10:39:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.155.2 with HTTP; Thu, 4 May 2017 10:39:33 -0700 (PDT)
In-Reply-To: <644DA50AFA8C314EA9BDDAC83BD38A2E0DF956E8@SJCEML701-CHM.china.huawei.com>
References: <A13E62FA-AB96-4164-98D5-3CC1D04A78E8@gmail.com> <E236AC6C-4B6D-43B1-8092-0B8AA3F4D6AA@gmail.com> <644DA50AFA8C314EA9BDDAC83BD38A2E0DF956E8@SJCEML701-CHM.china.huawei.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Thu, 04 May 2017 10:39:33 -0700
Message-ID: <CABCOCHT9fNKHn=qgFsQ0mznByArCpqsAz4m4jjjPE7M243UjeA@mail.gmail.com>
To: Alexander Clemm <alexander.clemm@huawei.com>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, Netconf <netconf@ietf.org>
Content-Type: multipart/alternative; boundary="f403045ec658955f0a054eb64153"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/8hghpKuydGBO9iWgbCr_MUQ4soA>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 17:39:40 -0000

Hi,

I am strongly opposed to datastore-specific access control.
I need to see a use-case that demonstrates why a particular client
needs to be denied access to a specific subtree in 1 datastore vs. another
datastore.


The NACM procedures need to be mapped to protocol operations.
It is easier to do this for actual protocols than a generic placeholder.
It may be possible.

I do not agree NACM controls the internal access.
That is an implementation detail. NACM is enforced on clients using
NETCONF of RESTCONF.

If the WG wants the NACM procedures mapping to protocols to be more generic,
I could work on some proposed text to do that.


Andy


On Thu, May 4, 2017 at 10:22 AM, Alexander Clemm <alexander.clemm@huawei.com
> wrote:

> Hi,
>
>
>
> FWIW, I do have a few comments.  Overall the document is in good shape,
> but there are a few items where I think it can be made even better:-)
>
>
>
> -          I think it would be good to include a section on how the
> revised datastores will impact requirements on NACM.  I don’t think
> anything major is required, but there are a few places where some updates
> could be made, and/or perhaps a brief section could be added somewhere
> discussing this.  For example, in Figure 1 (Section 2.1) where it says
> “datastore or state data access” (technically, this remains correct, but
> this seems to have the previous model in mind), also fig 3 assuming RPCs
> will always be against config datastore).   It might also mention which
> datastore NACM rules apply to when the same data is contained in multiple
> datastores.  Technically, I don’t think there will be a distinction (any
> differentiation would apply to read operations, and I cannot think of a
> good example where such differentiation would be needed), still it might be
> good to be explicit about it.
>
> -          In section 3.4.6 (outgoing <notification> authorization), it
> states that access control is applied only to notification as a whole, not
> to any data it contains.  This is clear enough; however, it is a
> limitation.  Specifically, in YANG-Push there is a requirement to be able
> to apply a security filter to not push data that the receiver is not
> authorized to receive (or not accept/terminate a subscription which
> contains such data altogether).  If NACM does not provide this, another
> mechanism or a NACM extension will be needed (that will still need to use
> the privileges configured in NACM).  At a minimum, this needs to be clearly
> called out.
>
> -          I wonder why NACM is restricted to NETCONF or RESTCONF.
> Really, this restricts access to data in YANG datastores; while NETCONF and
> RESTCONF do need to be called out specifically and the document does need
> to spell out how it is applied in this context, it would probably be good
> to clarify that NACM should apply to other protocol access.
>
> -          It would be good to indicate that the source of access control
> rules is not restricted to external clients, but that they could originate
> from the server itself.  This is the same config/operational state
> discussion that has come up in other contexts (e.g. the topology models),
> and I think it applies here as well.  Again, this is where the revised
> datastores model is intended to provide a solution – i.e. the NACM rules in
> the config datastore may be only a subset of the ones in the operational
> datastore, etc – but I think it is important enough to be called.
>
>
>
> Thanks
>
> --- Alex
>
>
>
> *From:* Netconf [mailto:netconf-bounces@ietf.org] *On Behalf Of *Mahesh
> Jethanandani
> *Sent:* Wednesday, May 03, 2017 2:18 PM
> *To:* Netconf <netconf@ietf.org>
> *Subject:* Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
>
>
>
> Folks,
>
>
>
> There has been literally no feedback on this document, either to say they
> have read the document and support it, or to express concerns about the
> document. Silence, unfortunately is not a good guide for us. To move the
> document forward, we need to hear from folks, including those who were in
> IETF 98.
>
>
>
> Thanks.
>
>
>
> On Apr 18, 2017, at 5:34 PM, Mahesh Jethanandani <mjethanandani@gmail.com>
> wrote:
>
>
>
> NETCONF WG,
>
> In IETF 98, the authors indicated that the above draft was ready for Last
> Call, and the consensus in the room indicated as much.
>
>
>
> This is a start of a 2 week WG Last Call for
> draft-ietf-netconf-rfc6536bis. After two weeks, the document will be
> assigned a shepherd, and the document will be prepared for IESG.
>
> The latest version of the draft can be found at:
> https://tools.ietf.org/html/draft-ietf-netconf-rfc6536bis-01
>
> Please review and send any comments to the WG mailing list or by
> responding to this e-mail. Comments can be statements such as, I
> read/reviewed the document and believe it is ready for publication, or I
> have concerns about the document. For the latter, please indicate what your
> concerns are.
>
> Any reports on implementation status or plans to implement are also very
> useful.
>
>
>
> Authors, please indicate if you are aware of any IPRs related to the draft.
>
>
>
> Thanks.
>
> Mahesh and Mehmet
>
>
>
>
>
>
>
> Mahesh & Mehmet
>
>
>
>
>
>
>
> _______________________________________________
> Netconf mailing list
> Netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf
>
>

v2.23.0 | Report a Bug | By Email