Re: [netconf] AD review of draft-ietf-netconf-sztp-csr

Qin Wu <> Fri, 02 July 2021 02:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4D9693A0812; Thu, 1 Jul 2021 19:01:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id iDS_Tplryxhz; Thu, 1 Jul 2021 19:01:23 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8BD163A0813; Thu, 1 Jul 2021 19:01:22 -0700 (PDT)
Received: from (unknown []) by (SkyGuard) with ESMTP id 4GGJ5M3PLxz6G8vq; Fri, 2 Jul 2021 09:53:27 +0800 (CST)
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.2176.2; Fri, 2 Jul 2021 04:01:17 +0200
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2176.2; Fri, 2 Jul 2021 10:01:16 +0800
Received: from ([]) by ([]) with mapi id 15.01.2176.012; Fri, 2 Jul 2021 10:01:15 +0800
From: Qin Wu <>
To: "Charles Eckel (eckelcu)" <>, "Rob Wilton (rwilton)" <>
CC: "" <>, "" <>
Thread-Topic: [netconf] AD review of draft-ietf-netconf-sztp-csr
Thread-Index: Addu5AFNiNMInIAwQECG9i1E+R6tMQ==
Date: Fri, 2 Jul 2021 02:01:15 +0000
Message-ID: <>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_c318ff6892614640b89a0eb775e9bf42huaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <>
Subject: Re: [netconf] AD review of draft-ietf-netconf-sztp-csr
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 02 Jul 2021 02:01:27 -0000

Hi, Rob and Charles, Kent:
I can understand we should be cautious to introduce new HTTP status code, mapping between error code and HTTP status code seems a right direction.
Such mapping helps refine HTTP status code semantics. Using 300 multi choice response seems confusing, since we didn’t see location head field is added.
I also think status codes such as 421 should be considered.

发件人: netconf [] 代表 Charles Eckel (eckelcu)
发送时间: 2021年7月2日 0:36
收件人: Rob Wilton (rwilton) <>
主题: Re: [netconf] AD review of draft-ietf-netconf-sztp-csr

I agree that defining a new status code is likely not a good way to go.
A 4xx response seems better to me than a 3xx response.


On Jul 1, 2021, at 9:27 AM, Rob Wilton (rwilton) <<>> wrote:

Hi Charles, Kent,

Thanks for the suggestion.  The problem with that 401 requires the server to return a WWW-Authenticate header field (as per section 15.5.2, of draft-ietf-httpbis-semantics-16<>)1>).

I’ve also asked Francesca (ART AD responsible for HTTP) if she has a view.  She has taken a quick look and suggested that defining a new code is probably not the right way to go, but said that she would take a proper look after today’s telechat, but if we want to get other opinions then we could also ask on the httpbis mailing list.

However, I also noticed that RFC 8040 maps from NETCONF error-codes to status-codes, and defines:
| error-tag               | status code      |
| missing-attribute       | 400    (which is what you had originally).

An alternative could be:
| data-missing            | 409              |

Which NETCONF defines as:

   error-tag:      data-missing

   error-type:     application

   error-severity: error

   error-info:     none

   Description:    Request could not be completed because the relevant

                   data model content does not exist.  For example,

                   a "delete" operation was attempted on

                   data that does not exist.

Which would go hand-in-hand with 409:

15.5.10<>10>.  409 Conflict

   The _409 (Conflict)_ status code indicates that the request could not

   be completed due to a conflict with the current state of the target

   resource.  This code is used in situations where the user might be

   able to resolve the conflict and resubmit the request.  The server

   SHOULD generate content that includes enough information for a user

   to recognize the source of the conflict.

   Conflicts are most likely to occur in response to a PUT request.  For

   example, if versioning were being used and the representation being

   PUT included changes to a resource that conflict with those made by

   an earlier (third-party) request, the origin server might use a 409

   response to indicate that it can't complete the request.  In this

   case, the response representation would likely contain information

   useful for merging the differences based on the revision history.

I don’t see any great choice here.  I now think that aligning with RESTCONF seems to be right thing to do (so not using 300).  Perhaps choose “data-missing” & 409 if you think that is slightly better, or otherwise go back to “missing-attribute” & 400.


From: Charles Eckel (eckelcu) <<>>
Sent: 01 July 2021 15:21
To: Kent Watsen <<>>
Cc: Rob Wilton (rwilton) <<>>;<>;<>
Subject: Re: [netconf] AD review of draft-ietf-netconf-sztp-csr

Hi Kent,

I have not been following this draft closely but had a thought on this thread that I thought might be helpful.

It seems to me a 401 would be more appropriate in this scenario.
If the server does not require a CSR, it returns a 2xx response.
If it does require one, it returns a 401 indicating which one it requires.


On Jun 29, 2021, at 1:54 PM, Kent Watsen <<>> wrote:

 s/Since been/I’ve been/


On Jun 29, 2021, at 4:49 PM, Kent Watsen <<>> wrote:

Hi Rob,

Since been spinning on the below thread since we had it and am wondering if if would be best to ask for an HTTP expert review?   Please advise.

The reason being is that a close reading of "300 Multiple Choices" suggests that it’s used by an HTTP-server to indicate when there are multiple choices for a resource, whereas in this exchange, the “csr-support” node in the client’s POST effectively indicates that *it* has multiple choices for the server to choose from…

I’m beginning to wonder to the document might need to define a custom HTTP status code to properly indicate the semantics of the response…

Kent // contributor

2. Section 2.2:
 Assuming the SZTP-server wishes to prompt the SZTP-client to provide
 a CSR, then it would respond with an HTTP 400 (Bad Request) error

I wonder whether returning a 400 "Bad Request" error is really the best
return code, i.e.,

it wasn't clear to me whether this requesting the capabiltiies is really an

Did you consider potentially using other return codes?  Possibly:
300 Multiple Choices,
403 Fobidden,
406 Not Acceptable

I did before look at all the 4xx codes.  I was initially drawn to 412
Precondition Failed, but noted that it is specific to HTTP request header
fields.   As for the others you mention, the semantics of 403 Forbidden is that
the request should not be repeated, which isn’t out case, and 406 Not
Acceptable regards the use of the HTTP “Accept” headers, which aren't in
play here either.  That said, 300 Multiple Choices does appear to be a better
if not perfect option, so I made that change in my local copy.

netconf mailing list<>