Re: [Netconf] Reminder: WG Last Call for draft-ietf-netconf-access-control-04.txt

["Bert (IETF) Wijnen" <bertietf@bwijnen.net>]

On 8/3/11 4:55 PM, Kent Watsen wrote:
> Next I question the utility of the I-D.  IMO, the purpose for common data-models is so an off-box tool (NMS) can interoperate with many devices.  As I wrote before (see above link), this typically results in the NMS logging into*all*  the devices with root-like permissions and then itself presenting its own RBAC model to its users.  With this in mind, it seems that this I-D only impacts tools that talk to one device at a time, such that when it is interacting with the device, it can use the device-provided NACM model to restrict access to stuff in its UI.  This use-case is weak as it seems customers would more likely use a device's native management interfaces (Web, CLI, etc.)
>
> I understand that this I-D is chartered work and my comments aren't very helpful towards reaching that goal, but I can't support this I-D in its current form either knowing that it won't be picked up by Juniper.

Thanks for repeating (and explaining) your statement that you made earlier (as pointed to
by your email) as well. On that earlier note, nobody picked up on that, so my personal
conclusion there is that nobody had similar strong feelings.
At the same time, I guess I can conclude that not many people really object too
strongly either. The latter could be for several reasons:
- they did not see the need to express objection (to your note) because
   they figured the support FOR doing this work was/is much bigger
   than the objections AGAINST this work.
- they do not strongly object and will let the market decide once the
   standard has been approved.
- they certainly do not agree strongly, because if they oppose this work, then
   they SHOULD have made objections at the time we asked if the WG wants to
   be chartered or not.

Personally, I can see the Juniper approach that you describe. And for controlling
user access to the configurations, I think it makes sense. Nonetheless, you want
some access control at every box to make sure that people with sll sorts of client
NETCONF tools do not accidentally access your box.
I also wonder how your/a multi-vendor NMS then deals with getting access to all
boxes of different vendors? Are you going to qwork with all their proprietary
access control mechanisms? Or would you rather prefer one single standard access control
mechanism? I would prefer a standard.

And if I have a multi-vendor NMS station that controls end-user access through the
UI as you suggest, then I will put very strict access control on my managed devices.
I will use the standardized NACM for that. And at the same time, we allow for
people who do not use these fancy (possibly expensive) multi-vendor NMSes to
still do their own thing.

The above was my personal opinion.
The below is my view as co-chair of the WG:

So, unless other people strongly support your view, we will mark your comments
as one viewpoint that has been expressed, and we will (as a WG) continue
to work towards finalizing this WG work item.

Bert