Re: [Netconf] draft-ietf-netconf-rfc6536bis Query

[Martin Bjorklund <mbj@tail-f.com>]

Hi,

Rohit R Ranade <rohitrranade@huawei.com> wrote:
> Hi All,
> 
> Q1:
> In the notification authorization Section 3.4.6 there is mention that
> REPLAY notifications should be allowed by default.

I think you mean <replay-complete>.   Replayed notifications in
general are not allowed by default.

> But there is no mention of how to handle <create-subscription>
> operation authorization which can trigger these Replay notifications ?
> Since there is no module defined for it, there is no way to add a rule
> for permitting or denying it.
> 
> 
> 1.  How do the current NACM implementations handle it ? Allow
> <create-subscription> if exec-default is PERMIT ? or always allow
> <create-subscription> ?

I had to check, and our implementation matches create-subscription if
the module-name in the rule is "*".

I think some implementations use an internal (non-standard) YANG
module name for the model in RFC 5277, so they presumably match if
that internal module name is given, or "*".

> Q2: If there is an error of access-denied for edit-config operation,
> does the RFC restrict from outputting the <error-path> of the
> data-store node for such operations ?
> Section 3.2.5 has " The contents of specific restricted datastore
> nodes MUST NOT be
> 
>    exposed in any <rpc-error> elements within the reply." , what is the
>    meaning of 'content' here ? the schema-name of the leaf / key-values
>    of data-store-nodes ?
> 
> Since the user has inputted the keys for the data-store nodes is there
> any security risk in giving back the values to the user ?

3.4.3 also has

   A server MUST NOT include any information the client is not allowed
   to read in any <error-info> elements within the <rpc-error> response.


/martin