Re: [Netconf] mbj's WGLC comments on netconf-event-notifications-08

"Eric Voit (evoit)" <evoit@cisco.com> Mon, 11 June 2018 19:00 UTC

Return-Path: <evoit@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7F1A130E9D for <netconf@ietfa.amsl.com>; Mon, 11 Jun 2018 12:00:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ph2sG4Qh421I for <netconf@ietfa.amsl.com>; Mon, 11 Jun 2018 11:59:58 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E8A9130E97 for <netconf@ietf.org>; Mon, 11 Jun 2018 11:59:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=17010; q=dns/txt; s=iport; t=1528743598; x=1529953198; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=K2j/KwP1KM33xMB4un+AYSgz+h1Qcx5XlRMXKged4hk=; b=Kcfr05tZ1Ozaad91f2Bm+WXulOtDzIrlXlHCQ8VjE/JSnYqWUmMBVBYN 0Y14jbeso5FJPSvyij6oEcRehreTQpe/Cs1GOkuc2pLDZ2ZJKXOKlPVz6 3QyfSIIv2Yr4QQ+QTKiCLMDyMkjl/ZM4f2zZr8FSbG8Xz9fC3Pms3WeIg g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DDAACFxR5b/5tdJa1TCRkBAQEBAQE?= =?us-ascii?q?BAQEBAQEHAQEBAQGDQ2J/KAqLcYxlgX6UUxSBZAsnhEUCgmAhNBgBAgEBAQE?= =?us-ascii?q?BAQJtHAyFKAEBAQMBJxM9AgULAgEIDgcDDREQMiUCBA4FCIMcgXcID6pUM4g?= =?us-ascii?q?/gWMFiESBVD+BD4MMggaBCwICgTQShW0ChzQQCIRogSOLJQkChW2Id4FGg3u?= =?us-ascii?q?Hb4dqFYIIhwMCERMBgSQdOIFScBU7gkOCIReDRYpRAW+OGiuBAYEaAQE?=
X-IronPort-AV: E=Sophos;i="5.51,211,1526342400"; d="scan'208";a="408692908"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 11 Jun 2018 18:59:56 +0000
Received: from XCH-RTP-011.cisco.com (xch-rtp-011.cisco.com [64.101.220.151]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id w5BIxtwE030428 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 11 Jun 2018 18:59:55 GMT
Received: from xch-rtp-013.cisco.com (64.101.220.153) by XCH-RTP-011.cisco.com (64.101.220.151) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 11 Jun 2018 14:59:54 -0400
Received: from xch-rtp-013.cisco.com ([64.101.220.153]) by XCH-RTP-013.cisco.com ([64.101.220.153]) with mapi id 15.00.1320.000; Mon, 11 Jun 2018 14:59:54 -0400
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Martin Bjorklund <mbj@tail-f.com>
CC: "netconf@ietf.org" <netconf@ietf.org>, "alex@clemm.org" <alex@clemm.org>
Thread-Topic: [Netconf] mbj's WGLC comments on netconf-event-notifications-08
Thread-Index: AQHT/zaJm894WSf8RUqPL+4NEHDjeKRWc+XwgAR38ACAABiYQA==
Date: Mon, 11 Jun 2018 18:59:54 +0000
Message-ID: <1291de8fc27f4ed6b7507b473e2a3394@XCH-RTP-013.cisco.com>
References: <20180316.145936.984795473579499350.mbj@tail-f.com> <20180608.163924.639364006777002795.mbj@tail-f.com> <0e6e711ab209437e881335756c268e07@XCH-RTP-013.cisco.com> <20180611.091248.42505202577647987.mbj@tail-f.com>
In-Reply-To: <20180611.091248.42505202577647987.mbj@tail-f.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.118.56.228]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Hw8TX_5zl9H1BXSwIGQhzFIGJjI>
Subject: Re: [Netconf] mbj's WGLC comments on netconf-event-notifications-08
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jun 2018 19:00:02 -0000

Hi Martin,

> From: Martin Bjorklund, June 11, 2018 3:13 AM
> 
> Hi,
> 
> Thanks for addressing my comments.  Some follow-ups inline.
> 
> "Eric Voit (evoit)" <evoit@cisco.com> wrote:
> > > From: Martin Bjorklund, June 8, 2018 10:39 AM
> > >
> > > Hi,
> > >
> > > I haven't seen any reply to this WGLC review.
> >
> > Hi Martin,
> >
> > Below.  And with changes reflected in:
> > https://github.com/netconf-wg/notif-netconf/blob/master/draft-ietf-net
> > conf-netconf-event-notifications-10.txt
> 
> 
> Thanks.  I have some additional comments on this version, but I don't know if I
> should wait until you have published a new version or not.

Current version is at:
https://github.com/netconf-wg/notif-netconf/blob/master/draft-ietf-netconf-netconf-event-notifications-10.txt
I can post to IETF if it makes a difference to you.

> > > Martin Bjorklund <mbj@tail-f.com> wrote:
> > > > Hi,
> > > >
> > > > Here are my WGLC comments on
> > > > draft-ietf-netconf-netconf-event-notifications-08
> > > >
> > > >
> > > > o  On p. 3, theres a missing " (which messes up the colors in the
> > > >    emacs mode I use)
> > > >
> > > >    OLD:
> > > >
> > > >      SHOULD NOT"
> > > >
> > > >    NEW:
> > > >
> > > >      "SHOULD NOT"
> >
> > Your text is reflected in git version
> >
> > > >    There's another one on p. 5:
> > > >
> > > >    OLD:
> > > >
> > > >       responses to an establish-subscription request) or "modify-
> > > >       subscription-error-datastore (for error responses to a
> > > > modify-
> > > >
> > > >    NEW:
> > > >
> > > >       responses to an establish-subscription request) or "modify-
> > > >       subscription-error-datastore" (for error responses to a
> > > > modify-
> >
> > Based on comments with Kent, this has been turned into a more
> > descriptive table format.
> >
> > > > o  Section 3
> > > >
> > > >   As I have noted before, you mustn't require the :interleave
> > > >   capability to be supported.  That capability is for 5277 only.  This
> > > >   new mechanism *requires* that rpc's can be sent while there are
> > > >   active subscriptions, so there is no need for a capability.
> > > >
> > > >   Remove this section.
> >
> > Done.
> >
> > > > o  Section 4
> > > >
> > > >   What is the reason for not allowing 5277 subscriptions on the same
> > > >   session as these new subscriptions?
> >
> > The biggest reason is that existing 5277 implementations can safely
> > assume that only one subscription can be established on a NETCONF
> > session.  And therefore all returned <notification> elements will
> > belong to that subscription.  Even if the subscriber doesn't support
> > subscribed-notifications or subsequently send an
> > <establish-subscription>, without this constraint a configured
> > subscription to the same receiver could inject notifications on the
> > RFC-5277's NETCONF transport session.  (E.g., a <subscription-started>
> > state change notification.)
> >
> > > >   AFAICT this should just work fine, and no special rule is needed.
> >
> > It likely could on a well behaved RFC-5277 implementation.  But
> > caution is needed as RFC5277 implementations hadn't previously needed
> > to worry about such co-existence.
> 
> I am ok with this.
> 
> > > > o  Section 5
> > > >
> > > >   You write:
> > > >
> > > >    A NETCONF publisher MUST support XML encoding of RPCs and
> > > >    Notifications.
> > > >
> > > >   This is already specificed in RFC 6241.  You are not changing this,
> > > >   so this sentence should be removed.
> >
> > Previously changed this text to indicate the mandatory support of the
> > "encode-xml" feature.
> 
> IMO this shows that the decoupling of transport and encoding is not ideal.  It
> seems to imply that if I implement this draft I have to
> support XML also for RESTCONF?    If the answer is "no" then the
> encoding should not be decoupled from the transport.

For dynamic subscriptions, if a platform doesn't support a transport+encoding, an RPC error is returnable.  

For configured subscriptions, where the encoding is not configurable (like with NETCONF) there is no issue.  

The hard one is for configured subscriptions where configurable encodings are supported. if people really wanted to try to enforce, we could add validations.   But the complexity adds up really fast (as you will see below)

Specifically, adding model based validations to the base YANG model would look something like:
https://github.com/netconf-wg/rfc5277bis/blob/master/ietf-subscribed-notifications%402018-06-11-complex-encoding-validation.yang

(Line 1069)
  container configurable-encodings {
    if-feature "sn:configured";
    config false;
    description
      "This container contains a list of configurable encodings
       that can be applied to transports which support more than one.";
    list transport {
      key "transport";
      leaf transport {
        type transport;
        description
          "A transport which supports more than one encoding.";
      }
      leaf-list configurable-encodings {
        type encoding;
        description
          "A list of http configurable encodings for a configured 
          subscription";
      }
    }
  }  

And a refinement to the data node definition of "encoding" in the YANG data tree which would add MUST constraints that refer to the configurable-encodings container:

(line 1124)
        refine "encoding" {
          must 'derived-from(../transport,"sn:configurable-encoding")' + 
            'or derived-from(/configurable-encodings[../transport]' +
            '/configurable-encodings,../encoding)' {
            error-message "publisher doesn't support this encoding" + 
              " for the selected transport";
          }
        }

I believe such a proposal is valid, but very much overkill.   (Also note the NETCONF draft doesn't need this as is doesn't support configurable encodings.)

> > > > o  Section 5
> > > >
> > > >   You write:
> > > >
> > > >    A NETCONF publisher supporting
> > > >    [I-D.draft-ietf-netconf-subscribed-notifications] MUST support the
> > > >    "NETCONF" event stream identified in that draft.
> > > >
> > > >   This is already specificed in that draft. You are not changing this,
> > > >   so this sentence should be removed.
> >
> > In subscribed-notifications, the "NETCONF" stream is defined, but it
> > is not mandatory support.  Instead, just that the stream name is
> > reserved.  There will be IoT clients out there which don't need the
> > NETCONF stream.
> 
> Ok.
> 
> > > > o  Section 6.2
> > > >
> > > >   (editorial, and clarified)
> > > >
> > > >   OLD:
> > > >
> > > >    For a configured subscription, there is no guarantee a transport
> > > >    session is currently in place with each associated receiver.  In
> > > >    cases where a configured subscription has a receiver in the
> > > >    connecting state and the protocol configured as NETCONF, but no
> > > >    NETCONF transport session exists to that receiver, the publisher MUST
> > > >    initiate a transport session via NETCONF call home [RFC8071], section
> > > >    4.1 to that receiver.  Until NETCONF connectivity is established and
> > > >    a subscription-started state change notification is successfully
> > > >    sent, that receiver MUST remain in a status of either "connecting" or
> > > >    "timeout".
> > > >
> > > >   NEW:
> > > >
> > > >    For a configured subscription, there is no guarantee a transport
> > > >    session is currently in place with each associated receiver.  In
> > > >    cases where a configured subscription has a receiver in the
> > > >    "connecting" state (see section 2.5.1 of [RFCXXXX] and the protocol
> > > >    is configured as NETCONF, but no
> > > >    NETCONF transport session exists to that receiver, the publisher MUST
> > > >    initiate a transport session via NETCONF call home [RFC8071], section
> > > >    4.1 to that receiver.  Until NETCONF connectivity is established and
> > > >    a "subscription-started" state change notification is successfully
> > > >    sent, that receiver MUST remain in either the "connecting" or the
> > > >    "timeout" state.
> >
> > The git version is now...
> >
> > For a configured subscription, there is no guarantee a transport
> > session is currently in place with each associated receiver. In cases
> > where a configured subscription has a receiver in the "connecting"
> > state as described in
> > [I-D.draft-ietf-netconf-subscribed-notifications], section 2.5.1, and
> > the "transport" for that subscription is "NETCONF", but no NETCONF
>                                            ^^^^^^^^^
> 
> This should be "nsn:netconf" (an identity defined in this draft).

Updated
 
> > transport session exists to that receiver (or all existing NETCONF
> > transport sessions are currently supporting [RFC5277] subscriptions),
> > then the publisher MUST initiate a transport session via NETCONF call
> > home [RFC8071], section 4.1 to that receiver.  Until NETCONF
> > connectivity is established and a "subscription-started" state change
> > notification is successfully sent, that receiver MUST remain in either
> > the "connecting" or the "timeout" state.
> >
> >
> > > >   OLD:
> > > >
> > > >    If the call home fails because the publisher receives receiver
> > > >    credentials which are subsequently declined per [RFC8071],
> > > >    Section 4.1, step S5 authentication, then that receiver MUST be
> > > >    assigned a "timeout" status.
> > > >
> > > >   NEW:
> > > >
> > > >    If the call home fails because the publisher receives receiver
> > > >    credentials which are subsequently declined per [RFC8071],
> > > >    Section 4.1, step S5 authentication, then that receiver MUST be
> > > >    placed in the "timeout" state.
> >
> > Your text is reflected in git version
> >
> > > >   OLD:
> > > >
> > > >    If the call home fails to establish for any other reason, the
> > > >    publisher MUST NOT progress the receiver to the "active" state.
> > > >    Additionally, the publisher SHOULD place the receiver into a
> > > >    "timeout" status after a predetermined number of either failed call
> > > >    home attempts or NETCONF sessions remotely terminated by the
> > > >    receiver.
> > > >
> > > >   NEW:
> > > >
> > > >    If the call home fails to establish for any other reason, the
> > > >    publisher MUST NOT progress the receiver to the "active" state.
> > > >    Additionally, the publisher SHOULD place the receiver into the
> > > >    "timeout" state after a predetermined number of either failed call
> > > >    home attempts or NETCONF sessions remotely terminated by the
> > > >    receiver.
> >
> > Your text is reflected in git version
> >
> > > >   OLD:
> > > >
> > > >    NETCONF Transport session connectivity SHOULD be verified via
> > > >    Section 4.1, step S7.
> > > >
> > > >   NEW:
> > > >
> > > >    NETCONF Transport session connectivity SHOULD be verified as
> > > >    described in [RFC8071], Section 4.1, step S7.
> >
> > Update made
> >
> > > > o  Section 7
> > > >
> > > >   You write:
> > > >
> > > >    Notification messages transported over NETCONF will be identical in
> > > >    format and content to those encoded using one-way operations defined
> > > >    within [RFC5277], section 4.
> > > >
> > > >   "identical in content"?  What does this section tell me?
> >
> > Tweaked the words to:
> >
> > Notification messages transported over the NETCONF protocol will use
> > the one-way operations defined within [RFC5277], section 4.
> 
> I would prefer to be more explicit:
> 
>   Notification messages transported over the NETCONF protocol will use
>   the "notification" message defined in [RFC5277], section 4.

Update made
 
> > > > o  Section 8
> > > >
> > > >    o  "error-app-tag" with the value being a string that corresponds to
> > > >       an identity associated with the error, as defined in
> > > >       [I-D.draft-ietf-netconf-subscribed-notifications] section
> > > > 2.4.6
> > > >
> > > >   This needs to explained better.  See also my WGLC comments on the
> > > >   other drafts.
> >
> > Current git version includes your requested updates, such as which
> > base identity to use for each RPC, and the JSON encoding format for
> > the identities.
> 
> Hmm, I think I probably have to see updated versions of all three drafts to see
> that it is consistently explained.

Current git versions for subscribed-notifications and netconf-event-notifications are current

https://github.com/netconf-wg/rfc5277bis/blob/master/draft-ietf-netconf-subscribed-notifications-13.txt 

https://github.com/netconf-wg/notif-netconf/blob/master/draft-ietf-netconf-netconf-event-notifications-10.txt

Alex is pulling out the error stuff out.  This need not impact reviews of the two documents above.

> But wasn't the idea to have a "reason" leaf in each error-info structure that
> contains this identity?  If so, shouldn't we remove this "error-app-tag"
> handling?

That was the original proposal.   Several people in the WG argued to reapply the NETCONF error constructs and error handling so as not to mess with existing implementations.  I.e., by moving the reason when the transport is NETCONF, continuity is maintained.   This way, the only time error-info is needed with NETCONF is when hints are returned (as there is no existing for those in NETCONF).   For other transports, the "reason" will be used as there is not a transport dependency.

Eric

> > > >   Also, I don't think the 5th bullet is complete; it doesn't mention
> > > >   "establish-subscription-error-stream" for example.
> >
> > There is a whole table on this is the current git version.
> >
> > > >   What is this section trying to tell me that isn't already said, e.g.
> > > >   in section 3.8 of the push draft.  Maybe the other drafts should be
> > > >   less specific and all such text moved here.  As it is now it is not
> > > >   quite clear.
> >
> > Alex is removing the text from the yang-push draft.
> >
> > > > o  Section 8
> > > >
> > > >   You write:
> > > >
> > > >    Note that "error-path" does not need to be included with the "rpc-
> > > >    error" element, as subscription errors are generally not associated
> > > >    with nodes in the datastore but with the choice of RPC input
> > > >    parameters.
> > > >
> > > >   This is a misconception how error-path works.  Please remove this
> > > >   sentence.  For info, check RFC 6241.
> >
> > Removed
> >
> > > > o  Appendix A.2.1
> > > >
> > > >   I think it is useful to show an example of something that is easily
> > > >   missed; that notifications can be sent at any time:
> > > >
> > > >   I suggest:
> > > >
> > > >   OLD:
> > > >
> > > >             |    establish-subscription    |
> > > >             |----------------------------->|
> > > >             | RPC Reply: OK, id = 23       |
> > > >             |<-----------------------------|
> > > >             |                              |
> > > >             |                              |
> > > >             | notification message (for 22)|
> > > >             |<-----------------------------|
> > > >
> > > >   NEW:
> > > >
> > > >             |    establish-subscription    |
> > > >             |----------------------------->|
> > > >             | notification message (for 22)|
> > > >             |<-----------------------------|
> > > >             | RPC Reply: OK, id = 23       |
> > > >             |<-----------------------------|
> > > >             |                              |
> > > >             |                              |
> > > >             | notification message (for 22)|
> > > >             |<-----------------------------|
> >
> > Added
> >
> > > > o   Appendix A.2.1
> > > >
> > > >   The example in Figure 3 is not correct.
> > > >
> > > >   The example in Fixgure 5 is not correct wrt namespace.
> > > >
> > > >   Hmm, it seems many examples are wrong.  I strongly suggest that you
> > > >   set up automatic testing of all your examples.  If you for some
> > > >   reason don't do that, please let me (and the WG) know so that we can
> > > >   validate all examples in detail manually.  Meanwhile, I will not
> > > >   check all examples.
> >
> > Einar has since built an automated testbed for the examples.  Results
> > are included in independent directories in the git repository:
> >
> > https://github.com/netconf-wg/notif-netconf
> >
> > Eric
> 
> 
> 
> /martin