Re: [netconf] why did we breakout the groupings?
Balázs Kovács <balazs.kovacs@ericsson.com> Fri, 22 March 2019 13:01 UTC
Return-Path: <balazs.kovacs@ericsson.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BD4E12798E for <netconf@ietfa.amsl.com>; Fri, 22 Mar 2019 06:01:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=QJOmwfFd; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=ericsson.com header.b=eh/H6/0B
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id biM_Dn3IdEd2 for <netconf@ietfa.amsl.com>; Fri, 22 Mar 2019 06:01:14 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E1FD126D00 for <netconf@ietf.org>; Fri, 22 Mar 2019 06:01:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/relaxed; q=dns/txt; i=@ericsson.com; t=1553259671; x=1555851671; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=doGHDwatR0KQhybPJJTjabfbcnlUEwHHpRbAPomGfe0=; b=QJOmwfFdyZhQ/lVRkabRMXwjrlInGY7I+7coWxFNz+aZst1eQxhAaoVBsxRKPSGD Qv0/gMBngvzCI+v/DKftzTT2/qOaFcn+flKnrVi6Hyme9p/IWsF3Dj4JKyDrksPO CO+dcWugr1J3rU/7iEnmRJQdRiXgGVI0nTj5QRGYmwk=;
X-AuditID: c1b4fb30-307ff70000007fec-7c-5c94dc977a32
Received: from ESESSMB501.ericsson.se (Unknown_Domain [153.88.183.119]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 6F.1B.32748.79CD49C5; Fri, 22 Mar 2019 14:01:11 +0100 (CET)
Received: from ESESSMB505.ericsson.se (153.88.183.166) by ESESSMB501.ericsson.se (153.88.183.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1713.5; Fri, 22 Mar 2019 14:01:10 +0100
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (153.88.183.157) by ESESSMB505.ericsson.se (153.88.183.166) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1713.5 via Frontend Transport; Fri, 22 Mar 2019 14:01:10 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jotXTweACwBRehfjOC8EclSZ3z9YRIqj2RuJmiFNajo=; b=eh/H6/0BL/02kqtYkJYiw5ovMyn/dQDFFGQD9nD0vO8C4GY7OWud3s16A9htgmgr0gAo3vgaoG35pwA3bdUSE+xBeW3h2YGF5Kp04ZKQRqWz3UnhCsclHBQ/uyvOiyAP+/16ngJUndraJC9+78DuXXJqPiNqZ0VzvoJBNBjUMUM=
Received: from VI1PR07MB4735.eurprd07.prod.outlook.com (20.177.57.146) by VI1PR07MB4142.eurprd07.prod.outlook.com (52.134.26.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1709.16; Fri, 22 Mar 2019 13:01:09 +0000
Received: from VI1PR07MB4735.eurprd07.prod.outlook.com ([fe80::807b:cd48:c48:cf03]) by VI1PR07MB4735.eurprd07.prod.outlook.com ([fe80::807b:cd48:c48:cf03%4]) with mapi id 15.20.1730.013; Fri, 22 Mar 2019 13:01:09 +0000
From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: why did we breakout the groupings?
Thread-Index: AQHU3/X4xmErv8wo/EC4fyn8MoXRlKYXmz6w
Date: Fri, 22 Mar 2019 13:01:09 +0000
Message-ID: <VI1PR07MB4735B4C1AF014281AB693E5E83430@VI1PR07MB4735.eurprd07.prod.outlook.com>
References: <01000169a0becf2a-5f004be0-a74d-4f9b-b456-f8c3309fac94-000000@email.amazonses.com>
In-Reply-To: <01000169a0becf2a-5f004be0-a74d-4f9b-b456-f8c3309fac94-000000@email.amazonses.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=balazs.kovacs@ericsson.com;
x-originating-ip: [89.135.192.225]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 94cfa7b8-becc-400d-6489-08d6aec67450
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(49563074)(7193020); SRVR:VI1PR07MB4142;
x-ms-traffictypediagnostic: VI1PR07MB4142:
x-microsoft-antispam-prvs: <VI1PR07MB4142F701E0A5D604EA5807CB83430@VI1PR07MB4142.eurprd07.prod.outlook.com>
x-forefront-prvs: 09840A4839
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(346002)(39860400002)(376002)(396003)(136003)(189003)(199004)(186003)(53546011)(4326008)(102836004)(26005)(476003)(99286004)(99936001)(446003)(486006)(6246003)(66066001)(105586002)(9686003)(53936002)(71190400001)(76176011)(55016002)(54896002)(7696005)(6306002)(316002)(66574012)(2906002)(86362001)(478600001)(229853002)(97736004)(81166006)(8936002)(6506007)(33656002)(11346002)(14454004)(6436002)(106356001)(790700001)(5660300002)(71200400001)(7736002)(3846002)(74316002)(14444005)(256004)(5024004)(25786009)(8676002)(68736007)(6116002)(52536014)(81156014)(9326002)(16333001); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR07MB4142; H:VI1PR07MB4735.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: Lew6a9+h8WxEA4IF/0fPhA0h+mWT65YJN1JabJtke6Ll5lkLnjtK9L1DHb5iXZ1uFoKv78E/HZ5c6t94T1+arU1G78ebBf2cUMfv8reXvsx+/zVqe5qAmfJ2KKVwyo0DfbCzD8RguK/ErNxLzGfIMuD59pCVWpNQ+ycTIbJ9fYclXRhWrCvU1t4d1itemLLC5kmKVmeeUEJzg+CFoSrZc4Jk2ScUCZx/qNyK4N/EIsWIXpc6LpX4Ng9kWpcXsdNRaFcF2+gQlF3sSkli+S1aMs3TbwwvdRWk4XJa1paFuARApuyvOAfnaZZW9U145ROKiFsjb9+U1PwM4M/6YBbMOSm2vyliEStFU54v3S6ys8GRg8KiNSSV506nAbcqm4K+AP1htHkSYBCl7GnLVxW9O4J2WHxY59nfDvyPHJJ+KfY=
Content-Type: multipart/mixed; boundary="_004_VI1PR07MB4735B4C1AF014281AB693E5E83430VI1PR07MB4735eurp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 94cfa7b8-becc-400d-6489-08d6aec67450
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Mar 2019 13:01:09.5845 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB4142
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA2WTa0xTZxjH855zenpabfJS63iGbJmNU0ApSEyEZEGcLnFB3D74wcyqVD3B BmjNOQynyRIwNOGiCULZaGNHp4ix2uC0BkSJctF4wQCdGqBgLKAVcF5gjji5rD3vcdnl2+88 z/99/8/lPRytHVbGcGZLAS9YTHl6Vs04tjUdSPxx0G5MbvSoU1+MzqPUmgsBRQa1qb7+LbVp 5Fa58mvqG/Vne/k8cyEvJKVnq/d1P83a/6SX/q63ZIguQp2tdDlScYDXwCX7n0w5UnNa3Img aKaViSS0+A8E7lvLSaKegsO/zrORDwZX0nCtNcQSVRUFAz/EE9VjBFOuPinB4i/gieOtMsI6 vByCPR0owjSOB+/sa8l7EU4Cn62aJZpkOFZSpCCcAqeO35HKYPCnUDLdIp3VYCO8C3gQMd4J VR1HJI0K74JgaFjyQvgDmL5zjiJe0TAwWkeRPnUQ7L3LEl4MYyNzCqLfAc0Tg0oS10Pt+ICC 8Efgr6tAhLOg6siYItIk4JFwk/ddsigBLk/6GMK5MHeyWjaIhcNttfKBYhaGui4qSNU8nPba 5Fs/Bs/RIFOJVjr/USxhM1yavKJ0Sk1HwW3HKEPiVngzOyizAfpq7CzhldDw8wRNOBFq59qZ /8dj4WJNGXKGa6KxDUF/8ITCKW1qA3Q/G5GMdXgz+KecUnwRzoQmt+fveFdFMUt4CzwsvRm+ iJO283K6gNSZDcW/zDBO6SU8pOBmqFEyVuF1MPhbGfXfJgFjqL/aTTvlyR8NvJDjZDuEV8PE +DNZkwGzFQGW8Hp4dMUp61MhdPcc9X5A/slp9t+D46RX19iSRCRLwV4RVBKOA9txl9KNlnrQ YpEXd+fnpKQYeMG8RxStFoOFL7iAwn9bm+9dcjMaC61vR5hD+oWa7Ot2o1ZhKhQP5rejZeF7 hs+f7UExjMVq4fU6Tcv2aqNWs9d08BAvWHcJ3+bxYjtawjH6aM2MNsqoxTmmAj6X5/fzwvss xaliilB+uuteL133iXKP9/ueG7aE3N2dQ2KTf5RpW1FpXVB47MS80JEmtsT52Q+ff9ncaAhs PON79dO2AL1s1QbHKZXrq/6N69LdDWm5UbqzGWtSN/tODpkNAUNdYvGKtUL051WGifhxt3Vn 6YMFb2J/1zQ8tnqzEjMcXk2tPjMuc8varXpG3GdanUALoukv/QrHQHUEAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/DZn2Ufsyy-9lU5okictvQXG2x5s>
Subject: Re: [netconf] why did we breakout the groupings?
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2019 13:01:18 -0000
Hi Kent, We had the attached conversation. Since we had this change, I admit I refrained from using the client-identity-grouping separately from an endpoint configuration (see attached mail). Allowing the option for interactive selection of client identity did not seem to be that good idea after all. I cannot say now I have any intention to use them separately in the close future. >From your feedback I so far understood that these sub-grouping do not harm much since the client-server models can use the original grouping, such as the 'ssh-client-grouping'. All in all, I think I do not mind if you collapse this back into a single grouping if there is no other need to keep them separate. Br, Balazs From: Kent Watsen <kent+ietf@watsen.net> Sent: Thursday, March 21, 2019 3:54 PM To: Balázs Kovács <balazs.kovacs@ericsson.com> Cc: netconf@ietf.org Subject: why did we breakout the groupings? Hi Balazs, I'm in the middle of answering your other question when I was reminded that I've been meaning to follow up with you on this issue... Can you please help me recall why several months back we made the decision to redefine the ietf-ssh-[client/server]-grouping statements to use other groupings? For instance, here's the current definition: grouping ssh-client-grouping { uses client-identity-grouping; uses server-auth-grouping; uses transport-params-grouping; uses keepalives-grouping; } Obviously it was because you (I think it was you) wanted to be able to "use" the inner grouping in another context, but why? I ask because this strategy is percolating into all of the client/server models and it seems weird, if not wrong. I currently have it as an "open issue" in my presentation for Monday, but I'd rather resolve it offline/now if possible. Kent // contributor
--- Begin Message ---Hi Kent, Looks good and it is also good that you added the same structure to all four of those ssh/tls groupings. Br, Balazs From: Kent Watsen <kwatsen@juniper.net> Sent: Thursday, August 30, 2018 1:59 AM To: Balázs Kovács <balazs.kovacs@ericsson.com>; netconf@ietf.org Subject: Re: [Netconf] ietf-ssh-client@2018-06-04, issues with the grouping Hi Balazs, All, I made the change in my local copy, but note that I also separated server-auth and transport-params. Below is an example, is it okay? grouping ssh-client-grouping { description "A reusable grouping for configuring a SSH client without any consideration for how an underlying TCP session is established."; uses client-identity-grouping; uses server-auth-grouping; uses transport-params-grouping; } I made the change to all four of the groupings: [ssh|tls]-[client|server]-grouping. PS: soon I'll be posting an update to all these drafts so folks can see the updates made since the IETF 102 presentation. Kent On 8/28/18, 5:42 AM, "Balázs Kovács" <balazs.kovacs@ericsson.com<mailto:balazs.kovacs@ericsson.com>> wrote: Hi Kent, Yes, this would be my proposal. Would similar change to ietf-tls-client would be applicable? I don’t have the same interactive use case for TLS, but maybe having this flexibility (the 2 new groupings) could be beneficial for TLS too. Br, Balazs From: Kent Watsen <kwatsen@juniper.net<mailto:kwatsen@juniper.net>> Sent: Monday, August 27, 2018 9:42 PM To: Balázs Kovács <balazs.kovacs@ericsson.com<mailto:balazs.kovacs@ericsson.com>>; netconf@ietf.org<mailto:netconf@ietf.org> Subject: Re: [Netconf] ietf-ssh-client@2018-06-04, issues with the grouping Assuming your two groupings below, or something close to them, we could redefine the existing "ssh-client-grouping" to the following: grouping ssh-client-grouping { uses ssh-client-client-identity-grouping; uses ssh-client-server-auth-transport-params-grouping; } The net-result is no change to the model, but now the inner groupings can be repurposed. Is this your proposal? Kent // contributor On 8/27/18, 3:49 AM, "Balázs Kovács" <balazs.kovacs@ericsson.com<mailto:balazs.kovacs@ericsson.com>> wrote: Hi Kent, It is as you say, an app that can launch an interactive connection using previously configured client credentials, host authentication, and transport params. My request or question would be if the current single grouping called ‘ssh-client-grouping’ could be split into two: one that only includes the ‘client-identity’ definition, and another which includes ‘server-auth’ and ‘transport-params’. I think this change would enable better flexibility for re-use in case of any SSH-based applications, and the only impact on the existing modules using ssh-client-grouping would be to use two groupings from now on instead of one. Just to recap the use case, my intention would be to be able to mount a client identity into a list and into a container that is independent of the actual endpoint (for example, as defined in netconf-client /netconf-client/netconf-server/endpoints/endpoint) being used. Which identity is to be used is selected by interaction with the SSH client (e.g., via action parameter). What do you think? Br, Balazs From: Kent Watsen <kwatsen@juniper.net<mailto:kwatsen@juniper.net>> Sent: Saturday, August 25, 2018 12:39 AM To: Balázs Kovács <balazs.kovacs@ericsson.com<mailto:balazs.kovacs@ericsson.com>>; netconf@ietf.org<mailto:netconf@ietf.org> Subject: Re: [Netconf] ietf-ssh-client@2018-06-04, issues with the grouping Hi Balazs, Why have configuration for an "interactive client" at all? Is this an app that can launch an interactive connection using previously configured client credentials? If so, then I think I understand the problem; the use case seems rather different than the use case that is currently being solved. I understand the desire to have a YANG module to capture your config, and I understand the desire for that module to be able to make use of groupings defined in the ietf-ssh-client. If the request is to expose a couple groupings, but otherwise leave the model unchanged, then I can see how that might be done. But if the request is to change e.g., ssh-client-grouping, to support a decoupling of client credentials, then I don't see how to do that. Kent // contributor On 8/24/18, 10:14 AM, "Netconf on behalf of Balázs Kovács" <netconf-bounces@ietf.org<mailto:netconf-bounces@ietf.org> on behalf of balazs.kovacs@ericsson.com<mailto:balazs.kovacs@ericsson.com>> wrote: Hi All, I made an attempt to make use of the ietf-ssh-client@2018-06-04 module to configure an interactive ssh client, and I found some obstacles. The current ietf-ssh-client model has the following structure: module: ietf-ssh-client +--rw client +--rw client-identity | +--rw username? string | +--rw (auth-type) | +--:(password) | | +--rw password? string | +--:(public-key) | | +--rw public-key | +--:(certificate) | +--rw certificate {sshcmn:ssh-x509-certs}? +--rw server-auth | +--rw pinned-ssh-host-keys? ta:pinned-host-keys-ref | +--rw pinned-ca-certs? ta:pinned-certificates-ref {sshcmn:ssh-x509-certs}? | +--rw pinned-server-certs? ta:pinned-certificates-ref {sshcmn:ssh-x509-certs}? +--rw transport-params {ssh-client-transport-params-config}? In the netconf-client module, which I took as example it is mounted to the ‘ssh’ container and preceded by: module: ietf-netconf-client +--rw netconf-client +--rw initiate! {initiate}? | +--rw netconf-server* [name] | +--rw name string | +--rw endpoints | | +--rw endpoint* [name] | | +--rw name string | | +--rw (transport) | | +--:(ssh) {ssh-initiate}? | | | +--rw ssh | | | +--rw address? inet:host | | | +--rw port? inet:port-number\ In the case of the interactive client, I want some limited parameters to be provided by the invoking user, which is at least the target user, target address, and target port, so I would not need all the data nodes present in the netconf-client, but I need a subset of them, including the user credentials. The problem I face, is that for one target address, the user can select multiple target users, and for one target user, it should be able to select multiple target addresses. With the above model, if I want to set up a second client identity, I would basically need to create a complete endpoint with the same data in all the rest of the data nodes. Equally, if I want to set up a different endpoint, I need to copy all the possible client identities to be able to use them at other target addresses. My thinking is that the endpoint related configuration (address, port, server-auth, transport-params) should be decoupled from client identities, so I can set them up and mount them independently. However, I think this would effect the ssh-client grouping a bit heavily, basically breaking it up into two pieces. One that caters for the client identity, and another for the endpoint/server security. One looking like this (temp name ‘ssh-client-client-identity-grouping’): grouping ssh-client-client-identity-grouping +-- client-identity +-- username? string +-- (auth-type) +--:(password) | +-- password? string +--:(public-key) | +-- public-key | +---u ks:local-or-keystore-asymmetric-key-grouping +--:(certificate) +-- certificate {sshcmn:ssh-x509-certs}? +---u ks:local-or-keystore-end-entity-certificate-grouping And another (temp name ‘ssh-server-auth-transport-params-grouping’): grouping ssh-client-server-auth-transport-params-grouping +-- server-auth | +-- pinned-ssh-host-keys? ta:pinned-host-keys-ref | +-- pinned-ca-certs? ta:pinned-certificates-ref | | {sshcmn:ssh-x509-certs}? | +-- pinned-server-certs? ta:pinned-certificates-ref | {sshcmn:ssh-x509-certs}? +-- transport-params {ssh-client-transport-params-config}? +---u sshcmn:transport-params-grouping I also wonder if this would effect the similar module of tls-client. In TLS case, the client identity used is more bound to actual server and is rarely selectable by interaction, but splitting the current single grouping into two may probably not harm either. Best Regards, Balazs--- End Message ---
- [netconf] why did we breakout the groupings? Kent Watsen
- Re: [netconf] why did we breakout the groupings? Balázs Kovács
- Re: [netconf] why did we breakout the groupings? Kent Watsen