Re: [netconf] I-D Action: draft-ietf-netconf-https-notif-04.txt

"Eric Voit (evoit)" <evoit@cisco.com> Tue, 28 July 2020 12:01 UTC

From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Date: Tue, 28 Jul 2020 12:00:53 +0000
Message-ID: <BL0PR11MB31223C050B53484D6B01E5A4A1730@BL0PR11MB3122.namprd11.prod.outlook.com>
References: <159586435098.29591.15728904593699090813@ietfa.amsl.com> <D6AD44FA-48E9-4534-8629-21E7513F43F2@gmail.com> <BL0PR11MB3122445CC5157131583366E1A1720@BL0PR11MB3122.namprd11.prod.outlook.com>
In-Reply-To: <BL0PR11MB3122445CC5157131583366E1A1720@BL0PR11MB3122.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/CYOosxZy_-tKKsrCCoLmQeFvEuI>

Hi Mahesh,

What I was trying to ask during the IETF session was the following:

There are many downsides to *not* including the Subscription State Change
Notifications, including the DOS attacks listed below. As several people
mentioned during the session, the draft isn't clear on which elements of
https-notif require SN, and which do not. Additionally, the intro section
of https-notif isn't clear here:

    This document defines two YANG 1.1 [RFC7950] data
    modules, one for augmenting the Subscription to YANG Notifications
    [RFC8639] to add a transport type, and another for configuring and
    managing HTTPS based receivers for the notifications.

The first time I understand all of SN isn't mandatory is Section 8.2.

If there are mandatory SN elements which are sometimes optional, could you
explicitly list these in the draft? Also could you list what the potential
downsides of excluding mandatory might be, and when these potential
downsides can be safely discounted?

Thanks,

Eric


> -----Original Message-----
> From: netconf <netconf-bounces@ietf.org> On Behalf Of Eric Voit (evoit)
> Sent: Monday, July 27, 2020 12:53 PM
> To: Mahesh Jethanandani <mjethanandani@gmail.com>; netconf@ietf.org
> Subject: Re: [netconf] I-D Action: draft-ietf-netconf-https-notif-04.txt
>
> Hi Mahesh,
>
> Thanks for updating the text.  One question, are you sure you need the
> statement:
>
>     This example shows the flow assuming that Subscribed Notifications is
>     used and therefore a <subscription-started> notification is sent before
>     sending the first notification. The example would be the same for when
>     Subscribed Notification is not used by removing the first POST message
>     for <subscription-started>.
>
> I am guessing that you mean "Subscription State Change Notifications" here
> rather than "Subscribed Notifications".  As RFC-8639 Subscription State
> Change Notifications are mandatory, is this statement necessary here?
>
> Perhaps you could add a non-normative appendix which shows the
> implications of dropping specific Subscription State Change Notifications if
> an implementation desires this simplification?  E.g., issues with supporting
> replay, issues with understanding what subscription is sending traffic, no
> ability to see if the terms of the subscription changed, no awareness of
> subscription suspend, no way to signal the end/termination of a
> subscription, etc.
>
> All of these might be absolutely ok in an implementation, but it might be
> worth addressing in aggregate in a place which is outside the bounds of the
> normative text.
>
> Eric
>
>

> > -----Original Message-----
> > From: netconf <netconf-bounces@ietf.org> On Behalf Of Mahesh
> > Jethanandani
> > Sent: Monday, July 27, 2020 11:46 AM
> > To: netconf@ietf.org
> > Subject: Re: [netconf] I-D Action:
> > draft-ietf-netconf-https-notif-04.txt
> >
> > This version of the document addresses comments received from Eric,
> > and updates to the ietf-truststore module.
> >
> > > On Jul 27, 2020, at 8:39 AM, internet-drafts@ietf.org wrote:
> > >
> > >
> > > A New Internet-Draft is available from the on-line Internet-Drafts
> > > directories.
> > > This draft is a work item of the Network Configuration WG of the IETF.
> > >
> > >        Title           : An HTTPS-based Transport for Configured
> > >                          Subscriptions
> > >        Authors         : Mahesh Jethanandani
> > >                          Kent Watsen
> > >        Filename        : draft-ietf-netconf-https-notif-04.txt
> > >        Pages           : 27
> > >        Date            : 2020-07-27
> > >
> > > Abstract:
> > >   This document defines a YANG data module for configuring HTTPS
> > >   based configured subscription, as defined in RFC 8639.  The use of HTTPS
> > >   maximizes transport-level interoperability, while allowing for
> > >   encoding selection from text, e.g.  XML or JSON, to binary.
> > >
> > >
> > > The IETF datatracker status page for this draft is:
> > > https://datatracker.ietf.org/doc/draft-ietf-netconf-https-notif/
> > >
> > > There are also htmlized versions available at:
> > > https://tools.ietf.org/html/draft-ietf-netconf-https-notif-04
> > > https://datatracker.ietf.org/doc/html/draft-ietf-netconf-https-notif-04
> > >
> > > A diff from the previous version is available at:
> > > https://www.ietf.org/rfcdiff?url2=draft-ietf-netconf-https-notif-04
> > >
> > >
> > > Please note that it may take a couple of minutes from the time of
> > > submission until the htmlized version and diff are available at
> > > tools.ietf.org.
> > >
> > > Internet-Drafts are also available by anonymous FTP at:
> > > ftp://ftp.ietf.org/internet-drafts/
> > >
> > >
> > > _______________________________________________
> > > netconf mailing list
> > > netconf@ietf.org
> > > https://www.ietf.org/mailman/listinfo/netconf
> >
> > Mahesh Jethanandani (as co-author)
> > mjethanandani@gmail.com
> >
> >
> >
> > _______________________________________________
> > netconf mailing list
> > netconf@ietf.org
> > https://www.ietf.org/mailman/listinfo/netconf
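The downsides Eric raises in this thread (no way to tell which subscription a message belongs to, no awareness of suspend, no signal of termination, and the exposure that comes from accepting traffic nobody announced) can be seen concretely in a receiver that gates event records on the RFC 8639 subscription state change notifications. The Python below is an added example written for this page, not code from draft-ietf-netconf-https-notif, RFC 8639 or either author. It assumes a simplified JSON envelope whose single top-level key is the YANG notification name and whose value carries the subscription "id" (the draft's real envelope differs); the sample POST bodies, the reason strings and the "example:event" record name are constructed for the example. Running it with and without state tracking shows the same message sequence accepted in full when the state change notifications are ignored, and three records dropped when they are honoured.

```python
"""Receiver-side tracking of RFC 8639 subscription state over HTTPS-notif.

Added example for this thread; not code from draft-ietf-netconf-https-notif,
RFC 8639 or their authors. Assumption: each POST body is a JSON object whose
single top-level key is the YANG notification name and whose value carries
the subscription "id". Event records use the constructed name "example:event".
"""
import json
from typing import Dict, List, Tuple

SN = "ietf-subscribed-notifications:"
STARTED = SN + "subscription-started"
MODIFIED = SN + "subscription-modified"
SUSPENDED = SN + "subscription-suspended"
RESUMED = SN + "subscription-resumed"
TERMINATED = SN + "subscription-terminated"
COMPLETED = SN + "subscription-completed"
STATE_CHANGE = {STARTED, MODIFIED, SUSPENDED, RESUMED, TERMINATED, COMPLETED}


class Receiver:
    """Accept event records only for subscriptions the publisher announced
    with subscription-started and has not suspended or ended."""

    def __init__(self, require_state_change: bool = True) -> None:
        # False models a receiver that ignores the state change notifications
        # and therefore has to take every event record at face value.
        self.require_state_change = require_state_change
        self.state: Dict[int, str] = {}    # id -> "active" | "suspended"
        self.terms: Dict[int, dict] = {}   # id -> last announced parameters
        self.accepted: List[Tuple[int, str]] = []
        self.rejected: List[Tuple[int, str]] = []

    def handle_post(self, body: str) -> bool:
        """Process one POST body; return True if the message was accepted."""
        (name, payload), = json.loads(body).items()
        sub_id = int(payload["id"])
        if name in STATE_CHANGE:
            self._state_change(name, sub_id, payload)
            return True
        # Event record: without an announced, active subscription there is
        # no way to know who is sending, so the record is dropped unread.
        if self.require_state_change and self.state.get(sub_id) != "active":
            self.rejected.append((sub_id, name))
            return False
        self.accepted.append((sub_id, name))
        return True

    def _state_change(self, name: str, sub_id: int, payload: dict) -> None:
        if name == STARTED:
            self.state[sub_id] = "active"
            self.terms[sub_id] = {k: v for k, v in payload.items() if k != "id"}
        elif name == MODIFIED:
            # Terms of the subscription changed; keep whatever state it was in.
            self.state.setdefault(sub_id, "active")
            self.terms[sub_id] = {k: v for k, v in payload.items() if k != "id"}
        elif name == SUSPENDED:
            self.state[sub_id] = "suspended"
        elif name == RESUMED:
            self.state[sub_id] = "active"
        else:  # TERMINATED or COMPLETED: the subscription is over
            self.state.pop(sub_id, None)
            self.terms.pop(sub_id, None)


# Constructed sample exchange: one announced subscription (id 7) and event
# records for an id (99) the publisher never announced. Reason values are
# placeholders, not RFC 8639 identities.
SAMPLE_POSTS = [
    json.dumps({STARTED: {"id": 7, "stream": "NETCONF", "encoding": "encode-json"}}),
    json.dumps({"example:event": {"id": 7, "message": "link up"}}),
    json.dumps({"example:event": {"id": 99, "message": "unsolicited"}}),
    json.dumps({SUSPENDED: {"id": 7, "reason": "example-suspend-reason"}}),
    json.dumps({"example:event": {"id": 7, "message": "sent while suspended"}}),
    json.dumps({RESUMED: {"id": 7}}),
    json.dumps({"example:event": {"id": 7, "message": "link down"}}),
    json.dumps({TERMINATED: {"id": 7, "reason": "example-terminate-reason"}}),
    json.dumps({"example:event": {"id": 7, "message": "after termination"}}),
]


def run(posts: List[str], require_state_change: bool = True) -> Tuple[int, int]:
    """Feed posts to a receiver; return (accepted, rejected) event record counts."""
    rx = Receiver(require_state_change)
    for body in posts:
        rx.handle_post(body)
    return len(rx.accepted), len(rx.rejected)


if __name__ == "__main__":
    print("with state change notifications:   ", run(SAMPLE_POSTS))
    print("without state change notifications:", run(SAMPLE_POSTS, False))
```

With the state change notifications honoured, the receiver accepts the two records sent while subscription 7 is active and rejects the unannounced id 99, the record sent while suspended and the record sent after termination; with them ignored, all five event records are accepted and the receiver has no basis on which to tell them apart.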