Re: [netconf] Benjamin Kaduk's Discuss on draft-ietf-netconf-subscribed-notifications-24: (with DISCUSS and COMMENT)

["Eric Voit (evoit)" <evoit@cisco.com>]

> From: Benjamin Kaduk, May 1, 2019 1:13 PM
> 
> On Wed, May 01, 2019 at 05:09:11PM +0000, Eric Voit (evoit) wrote:
> > > From: Benjamin Kaduk,  May 1, 2019 11:37 AM
> > >
> > > On Wed, May 01, 2019 at 05:48:45AM +0000, Eric Voit (evoit) wrote:
> > > > Hi Benjamin,
> > > >
> > > > > From: Benjamin Kaduk, April 30, 2019 5:11 PM
> > > > >
> > > > > Benjamin Kaduk has entered the following ballot position for
> > > > > draft-ietf-netconf-subscribed-notifications-24: Discuss
> > > > >
> > > > > ----------------------------------------------------------------
> > > > > ----
> > > > > --
> > > > > DISCUSS:
> > > > > ----------------------------------------------------------------
> > > > > ----
> > > > > --
> > > > >
> > > > > Thanks for this document; I just have a few minor "housekeeping"
> > > > > points that should get resolved before publication.  (Please
> > > > > also note the substantive comments in the COMMENT section as
> > > > > well, particularly those relating to the transport requirements
> > > > > and security considerations.)
> > > > >
> > > > > I'm not sure that we state clearly enough what is required to
> > > > > have a specification for a transport for notifications.
> > > > > Specifically (see COMMENT), in the module we seem to say that
> > > > > the specification must indicate what the default encoding is to
> > > > > be used if not otherwise specified, but that's not enumerated as
> > > > > a requirement on such a specification
> > > anywhere I see.
> > > >
> > > > I provide more info in-line below with your comment.  But here is a
> summary...
> > > >
> > > > For dynamic subscriptions, the default encoding is normally
> > > > specified by
> > > whatever is used within the establish-subscription RPC.  So there is
> > > not a need for a default here as the subscriber has already encoded
> > > in the RPC what it wants.
> > > >
> > > > For configured subscriptions, the default (and only) encoding is
> > > > often driven by
> > > the transport selection.  And this is defined by existing transport
> > > RFCs which themselves define supported encodings (e.g., "NETCONF +
> > > XML" , "RESTCONF + JSON").
> > > >
> > > > But encodings can vary (e.g., the use of CBOR within
> > > > draft-birkholz-yang-push-
> > > coap-problemstatement).  Supporting this need is the purpose of the identity
> > > "configurable-encoding" in the YANG model.   And this identity does say that
> > > "Further details for any specific configurable encoding would be
> > > explored in a transport document based on this specification."  I
> > > guess this information could be repeated as a separate requirement
> > > in Section 5.3 if you feel this is insufficiently defined.
> > >
> > > I'm mostly concerned about the case of configured subscriptions and
> > > future extensibility.  If someone wants to make a new "QUIC + CBOR"
> > > transport, do we have a clear list of what details that specification needs to
> provide?
> > > (From my reading of this document, there should be an explicit "this
> > > is the default encoding" statement, even if there is only one
> > > encoding specified in the transport specification.)
> >
> > I have added the following statement to Section 5.3...
> > "A specific transport specification MUST identity any encoding supported.
> Where a configured subscription's transport allows different encodings, the
> specification MUST identify the default       encoding."
> >
> >
> > > > > I also think that we could
> > > > > probably require (as opposed to "highly recommend" in the
> > > > > current security
> > > > > considerations) that the transport provide message
> > > > > confidentiality and integrity protection.
> > > >
> > > > I for sure like the idea of encryption. And I absolutely like the
> > > > idea of
> > > signatures too.  However several years ago on based on work with
> > > MSDC / cloud providers desiring telemetry, there were requests for
> > > deployments where the volume of telemetry generated could overwhelm the
> CPU of the host router.
> > > And as the telemetry was being delivered within a fully protected
> > > MSDC domain/environment, these MSDC providers said they wanted *all*
> > > the router data more than they needed message confidentiality and integrity
> protection.
> > > I.e., the wanted to have more data rather than being constrained the
> > > host CPU doing functions which reduced the volume of data being delivered.
> > > >
> > > > So personally, I want low volume telemetry with full security
> > > > protections
> > > applied.  But by leaving it at "highly recommend" we don't
> > > unintentionally inhibit applicability to MSDC implementations in a
> > > protected domain.  They explicitly said they didn't want it.
> > >
> > > We do sometimes have cases where we leave an opening for people to
> > > assert that the physical security of their network provides
> > > "equivalent protection" to cryptographic confidentiality/integrity
> > > protection, if we want to try to wordsmith something.  But, given
> > > the above, I won't push very hard on this front.
> >
> > Ok, will leave as is.
> >
> > > > > I'm also unsure that I properly understand the use of the "reset"
> > > > > RPC -- if it has no effect when transit connectivity already
> > > > > exists, then what entity is going to call "reset" in the case of
> > > > > publisher timeout when
> > > trying to reach a receiver?
> > > > > Surely not the publisher itself, since that would just be
> > > > > publisher-internal functionality with no need for an external-facing RPC.
> > > >
> > > > The reset RPC of section 2.5.5 is YANG model exposed operational
> > > > knob based
> > > on the YANG 1.1 language construct "action":
> > > > https://tools.ietf.org/html/rfc7950#section-7.15
> > > >
> > > > An operational interface can call this action.  I.e., an entity
> > > > with the proper
> > > administrative privileges can access "reset".    This means a REST interface
> could
> > > be exposed upon a controller for that publisher.  And when somebody
> > > find that the subscription isn't responsive (for a variety of
> > > reasons) that REST interface can be called, and the publisher can
> > > start trying to make connections (such as RFC 8071 call home connections)
> to a receiver.
> > >
> > > Okay, thanks for helping me out here; consider this one resolved.
> > >
> > > >
> > > > > I'm also a little unclear on the mechanics of the list of
> > > > > subscriptions described in Section 3.3.  Does it provide a way
> > > > > for a low-privilege client (that can only access one or a
> > > > > handful of the
> > > > > subscriptions) to enumerate all subscriptions that exist,
> > > > > including subscriptions used by high-privilege clients?  If so,
> > > > > we may want to think about some security considerations text to
> > > > > that effect; if not, we may want to say that the access-control
> > > > > will limit which leafs are
> > > visible to some clients.
> > > >
> > > > Your functional requirements completely valid.  I believe they are
> > > > covered by a
> > > set of other YANG RFC which dictate who/what can access various
> > > elements of YANG data.  Good example documents to look at here are ones
> like:
> > > >
> > > > RFC-8341 - Network Configuration Access Control Model
> > > >
> > > > An understanding of these documents are assumed, and listed in
> > > > places like the
> > > security considerations in Section 5.4.
> > >
> > > I admit to having not fully absorbed the NACM, and given the number
> > > of documents I have left to ballot on this week, I'll take your word
> > > that it's covered well enough there.
> > >
> > > > > Finally, we have a few instances of "leaf filter-failure-hint"
> > > > > that's of type "string", providing
> > > > >              "Information describing where and/or why a provided filter
> > > > >               was unsupportable for a subscription."; I don't
> > > > > understand why it's a string as opposed to some form of
> > > > > machine-readable data.  Is it supposed to be human-readable?
> > > > > Does that
> > > bring in any internationalization considerations?
> > > >
> > > > There are many reasons why a filter might fail.  The authors
> > > > didn't believe that
> > > there was enough operational experience to sufficiently document the
> > > universe of failure types across the set of interested parties.  As
> > > a result, the option seemed to be to provide no guidance on the
> > > failure reason, or to let the vendors provide some guidance (albeit
> > > just a 'string').  So at this point with the specification, it would
> > > be up to the vendor to determine whether it is human readable, or whether
> internationalization considerations should be covered.
> > > Hopefully with enough deployments this might be revisited at a future date.
> > >
> > > We should probably think about saying something about how its syntax
> > > and semantics are implementation-specific, then -- there doesn't
> > > seem to be real guidance for how to use it, at present.
> >
> > Added text in leaf to clarify this approach...
> >
> >       leaf filter-failure-hint {
> >         type string;
> >           description
> >             "Information describing where and/or why a provided filter
> >              was unsupportable for a subscription. The syntax and
> >              semantics of this hint are implementation-specific.";
> >       }
> >
> > > > > ----------------------------------------------------------------
> > > > > ----
> > > > > --
> > > > > COMMENT:
> > > > > ----------------------------------------------------------------
> > > > > ----
> > > > > --
> > > > >
> > > > > Section 1.3
> > > > >
> > > > >    Also note that transport specific transport drafts based on this
> > > > >    specification MUST detail the life cycle of dynamic subscriptions, as
> > > > >    well as the lifecycle of configured subscriptions (if supported).
> > > > >
> > > > > I'm not sure I understand what additional specification is
> > > > > needed for the lifecycle of configured subscriptions -- doesn't
> > > > > the previous text tightly tie their lifecycle to the presence of
> > > > > configuration in the
> > > configuration datastore?
> > > >
> > > > For the most part it does.  However there is a relationship for
> > > > exactly when to
> > > establish transport connectivity based on the state of each receiver
> > > of a configured subscription.
> > > >
> > > > As an example of what should be specified, see Section 5.2 of
> > > > https://datatracker.ietf.org/doc/draft-ietf-netconf-netconf-event-
> > > > noti fications/10/ Here you can see how NETCONF call home is
> > > > invoked at the proper points in the configured subscription state
> > > > machine.
> > >
> > > Ah, thanks for the pointer.
> > >
> > > > > nit: please be consistent about "life cycle" vs. "lifecycle" throughout.
> > > >
> > > > Fixed nit to "lifecycle".
> > > >
> > > > > Section 2.1
> > > > >
> > > > >    An event stream is a named entity on a publisher which exposes a
> > > > >    continuously updating set of YANG encoded event records.
> > > > > [...]
> > > > >
> > > > > nit: I don't think "YANG encoded" is well-defined (here and
> > > > > below), in that YANG structures generate data models but can be
> > > > > encoded into various formats (like XML and JSON).
> > > >
> > > > This is true.  I made the two occurrences of "YANG encoded" into
> > > > "YANG
> > > defined".
> > > >
> > > > > Section 2.3
> > > > >
> > > > >    If the publisher supports the "dscp" feature, then a subscription
> > > > >    with a "dscp" leaf MUST result in a corresponding [RFC2474] DSCP
> > > > >    marking being placed within the IP header of any resulting
> > > > >    notification messages and subscription state change notifications.
> > > > >    Where TCP is used, a publisher which supports the "dscp" feature
> > > > >    SHOULD ensure that a subscription's notification messages are
> > > > >    returned within a single TCP transport session where all traffic
> > > > >    shares the subscription's "dscp" leaf value.  Where this cannot be
> > > > >    guaranteed, any "establish subscription" RPC request SHOULD be
> > > > >    rejected with a "dscp-unavailable" error
> > > > >
> > > > > I can't decide whether we need to be more explicit in the second
> > > > > and/or third sentences that this remains contingent on the
> > > > > subscription in question having a "dscp" leaf.
> > > >
> > > > The sentences were already long, it feels to me like it would be
> > > > more
> > > confusing to put in more words here.
> > > >
> > > > > nit: end sentence with a full stop
> > > >
> > > > Period added.
> > > >
> > > > > I share the TSV-ART reviewer's confusion about how the weighting
> > > > > (as well as
> > > > > DSCP) functionality is intended to work.
> > > >
> > > > Short answer:  Earlier versions of this draft made explicit
> > > > parallels of the
> > > weighting method to HTTP2 RFC-7450 section 5.3.2.  The operation of
> > > weighting is exactly the same HTTP2 dependency weighting.  There is
> > > additional definition of how this is supposed to work in Section 4
> > > of draft-ietf-netconf-restconf-notif (which is also currently up for review).
> > > >
> > > > Long answer: TSV-ART is absolutely correct that a publisher might
> > > > generate a
> > > lot of traffic.  In many ways, high traffic volumes would be a successful
> outcome
> > > for this work.   As a result, mitigating different dimensions of this volume risk
> has
> > > been a design goal since this effort’s inception.  And this is the
> > > reason robust QoS mechanisms were included.  This includes both DSCP and
> weighting.
> > > >
> > > > Here is a quick summary of some QoS mechanisms available in this draft...
> > > >
> > > > 1. The publisher is allowed to decline a dynamic subscription.
> > > > One of these
> > > reasons is that the incremental traffic generated by a particular
> > > incremental subscription will be too high.  There are errors back to
> > > the subscriber indicating this condition exist.
> > > > 2. A publisher can suspend any subscription for capacity reasons,
> > > > and a
> > > receiver must be able to gracefully accept this suspension.
> > > > 3. Much like with HTTP2 streams, higher priority subscriptions
> > > > intended for a
> > > particular receiver can be dequeued first from a publisher.
> > > > 4. Much like with HTTP2 streams, proportional subscription
> > > > dequeuing
> > > intended for a particular receiver can be performed a publisher.
> > > > 5. DSCP markings can be placed on subscribed data.
> > > > 6. Mechanisms for detecting and reacting to different types of
> > > > subscribed data
> > > loss have been embedded.
> > > > 7. Methods have been included to ensure a configured receiver “ok’s”
> > > > information push before subscribed data is sent. (This should
> > > > reduce one DDoS
> > > vector.) 8. Keep alive mechanisms are established for different
> > > transport types, so that subscribed data isn’t being sent when the is no
> receiver listening.
> > > >
> > > > Mechanism (4) is in question here.   As defined by draft-ietf-netconf-
> restconf-
> > > notif, this is supposed to work identically to HTTP2 RFC-7450 section 5.3.2.
> > > However there were WG members who did not want to include a
> > > functional requirement normative reference to that HTTP2 transport
> > > in this document however.  Therefore the reference to HTP2 was removed.
> > > >
> > > > In the end, I don't think we can afford to get rid of support for
> > > > (4) from the
> > > specification.   This weighting capability is quite powerful, and can easily be
> > > added to GRPC based subscription alternatives.
> > >
> > > I don't think I was trying to suggest removing the mechanism entirely.
> > > What you've written here includes a mental model of having local
> > > queues of messages that get dequeued according to a specific
> > > algorithm, and the weights influencing the rate of dequeuing across
> > > queues; that mental model (combined with the knowledge that larger
> > > weight values get more traffic
> > > faster) gives me the picture I wanted for "how it's supposed to work".
> > > Maybe we could distill that down a bit and put it in the draft, as
> > > the current text had some level of "magic occurs here", to me.
> >
> > I am hoping to leave things as they are for now.  Basically the magic that
> occurs can be gleaned from Section 4 of draft-ietf-netconf-restconf-notif.   And
> nobody in the NETCONF world is likely to implement this type of Dequeuing, so
> they shouldn't have the extra text in the base specification trip them up..
> >
> > > > > Section 2.4.2.1
> > > > >
> > > > >    Replay provides the ability to establish a subscription which is also
> > > > >    capable of passing recently generated event records.  In
> > > > > other words,
> > > > >
> > > > > nit/editorial: this language could probably be more clear about
> > > > > "recently generated" meaning "in the past", that is, records for
> > > > > events that have already happened when the subscription is established.
> > > >
> > > > Tweaked to "event records generated in the recent past"
> > > >
> > > > > Section 2.4.3
> > > > >
> > > > >    any number of times.  Dynamic subscriptions can only be modified via
> > > > >    this RPC using a transport session connecting to the subscriber.
> > > > > If
> > > > >
> > > > > nit(?): is this more readable as "connecting to" or "connecting from"
> > > > > the subscriber?  (The same wording shows up throughout the
> > > > > document, but I'll try to just comment once.)
> > > >
> > > > I expect that it should be clear enough either way.  I believe
> > > > leaving the current
> > > text should not impact implementations.
> > > >
> > > > > Section 2.4.5
> > > > >
> > > > > Is there any distinction between "killing a subscription" and
> > > > > "administratively deleting a subscription"?  It's unclear to me
> > > > > that we need the extra connotations of the word "kill", here.
> > > >
> > > > We chose to use a different RPC name so that administrative access
> > > > control
> > > permissions differences between the kill-subscription and
> > > delete-subscription would be explicit and obvious.  And once we had
> > > a new RPC name, it seemed easier for the reader to continue using the "kill"
> word for that RPC.
> > >
> > > In vacuum, "admin-delete-subscription" seems like a fine name, to
> > > me.  But this is a non-blocking comment so I'll stop pushing now.
> > >
> > > > > Section 2.4.6
> > > > >
> > > > >    As a result of this mixture, how subscription errors are
> > > > > encoded
> > > > >
> > > > > nit: "mixture" doesn't seem like the right word to me; "variety"
> > > > > or "varied population" are the first alternatives that come to
> > > > > mind, though they are not perfect either.
> > > >
> > > > Changed to 'variety'.
> > > >
> > > > > Is there some sort of "access denied" error that could result
> > > > > from
> > > > > kill- subscription RPCs?  (The table/artwork only lists
> > > > > "no-such-subscription".)
> > > >
> > > > Access denied when an RPC fails access control is part of the base
> > > > transport
> > > error types for the RPC.   I.e., transports like NETCONF and RESTCONF
> already
> > > have non-subscription-specific errors like this one already covered.
> > >
> > > Ah, of course, and we require processing of transport-level errors
> > > before these ones, so it all works out fine.
> > >
> > > > > Section 2.5
> > > > >
> > > > > It's interesting to see a slight dichotomy between dynamic and
> > > > > configured subscriptions, in that (IIUC) for dynamic
> > > > > subscriptions, a modification event un- suspends a subscription
> > > > > immediately, but for configured subscriptions the publisher
> > > > > seems to have some latitude to retain the subscription in the
> > > > > suspended state for some time before un-suspending it and
> > > > > sending the "subscription-modified" state
> > > change message.
> > > > >
> > > > >                  In this case, a separate dynamic subscription can be
> > > > >    established to retransmit the missing event records.
> > > > >
> > > > > Do you want to put in a pointer to replay-start-time here?
> > > >
> > > > I thought getting to that level of detail in the intro was
> > > > confusing for this intro
> > > section.
> > >
> > > Okay.  (Maybe a parenthetical "replay" as a search term would help
> > > without being confusing, but entirely your call.)
> >
> > I will leave as-is.
> >
> > > > > Section 2.5.1
> > > > >
> > > > >          Event records are only sent to active receivers.  Receivers of
> > > > >    a configured subscription remain active if both transport
> > > > >    connectivity can be verified to the receiver, and event records are
> > > > >    not being dropped due to a publisher buffer overflow.  [...]
> > > > >
> > > > > nit: "buffer overflow" is a technical term in security circles
> > > > > indicating a potentially exploitable security flaw; would
> > > > > "publisher buffer capacity being reached" be an acceptable
> > > > > substitute (here and
> > > below)?
> > > >
> > > > Change made
> > > >
> > > > > Section 2.7.7
> > > > >
> > > > >    This notification indicates that all of the event records prior to
> > > > >    the current time have been passed to a receiver.  It is sent before
> > > > >    any notification message containing an event record with a timestamp
> > > > >    later than (1) the "stop-time" or (2) the subscription's start time.
> > > > >
> > > > > nit(?): this text seems to imply that a notification message
> > > > > with a timestamp later than the "stop-time" might actually be
> > > > > sent, which IIUC is
> > > not the case.
> > > >
> > > > You are correct that it is not sent.  But the event record does
> > > > exist on the
> > > stream.
> > > >
> > > > I think it obvious, but if you want I could add the following
> > > > sentence to the end
> > > of the subsequent paragraph.  "If a stop-time has been exceed during
> > > replay, no subsequent event records are sent following the sending
> > > of a "replay- completed" notification."
> > >
> > > I don't think there's a need to add that sentence, but thanks for offering.
> > >
> > > >
> > > > > Section 2.9
> > > > >
> > > > > nit: the name "supports-vrf" for the feature doesn't really
> > > > > parallel the other feature names, that don't include a word like "support"
> > > > > and rather just describe the actual feature.
> > > >
> > > > This is true.  Several years ago when someone proposed this name,
> > > > there was
> > > a reason.  But I can't remember what it is right now.  So hopefully
> > > we can leave it so as not to break someone's thinking.
> > > >
> > > > > Section 3.1
> > > > >
> > > > > Is there any risk of collision in event stream names from
> > > > > vendor-specific streams?  (We don't seem to create an IANA
> > > > > registry for them, for example.)
> > > >
> > > > In theory yes.  But it has not proven to be an issue with RFC-5277
> > > > streams, so it
> > > doesn't seem worth it to do something new now.   So in this document, we
> have
> > > one IETF stream "NETCONF" defined in Section 2.1.  Hopefully it is enough to
> > > hard-code this.   We can always revisit if IETF groups want to start defining
> > > streams
> > > >
> > > > > Section 4
> > > > >
> > > > >    identity subscription-suspended-reason {
> > > > >       description
> > > > >        "Problem condition communicated to a receiver as part of a
> > > > >        'subscription-terminated' notification.";
> > > > >    }
> > > > >
> > > > >    identity subscription-terminated-reason {
> > > > >       description
> > > > >        "Problem condition communicated to a receiver as part of a
> > > > >        'subscription-terminated' notification.";
> > > > >    }
> > > > >
> > > > > Are these descriptions supposed to be the same?
> > > >
> > > > Good catch.   Fixed the 'subscription-suspended' description.
> > > >
> > > > >    identity configurable-encoding {
> > > > >      description
> > > > >        "If a transport identity derives from this identity, it means
> > > > >         that it supports configurable encodings.  An example of
> > > > > a [...]
> > > > >
> > > > > Is it intended that such future transports (or future
> > > > > encodings?) will derive from both this and the normal base identity (i.e.,
> "transport")?
> > > > > I guess I'm asking why this identity does not derive from the
> > > > > corresponding base, but that's just a style question and not
> > > > > really a protocol matter, making this question a side note.
> > > >
> > > > Yes.  Future identities can derive from configurable-encoding
> > > >
> > > > >      leaf weighting {
> > > > >        if-feature "qos";
> > > > >        type uint8 {
> > > > >           range "0 .. 255";
> > > > >        }
> > > > >        description
> > > > >          "Relative weighting for a subscription. Allows an underlying
> > > > >           transport layer perform informed load balance allocations
> > > > >           between various subscriptions";
> > > > >        reference
> > > > >          "RFC-7540, section 5.3.2";
> > > > >
> > > > > Do we want to chase the reference for readers and say that
> > > > > larger weights get more resources?
> > > >
> > > > I put in "Larger weights get more resources." as sentence two of
> > > > the
> > > description.
> > > >
> > > > >      leaf encoding {
> > > > >        when 'not(../transport) or derived-from(../transport,
> > > > >        "sn:configurable-encoding")';
> > > > >        type encoding;
> > > > >        description
> > > > >          "The type of encoding for notification messages.   For a
> > > > >          dynamic subscription, if not included as part of an establish-
> > > > >          subscription RPC, the encoding will be populated with the
> > > > >          encoding used by that RPC.  For a configured subscription, if
> > > > >          not explicitly configured the encoding with be the default
> > > > >          encoding for an underlying transport.";
> > > > >
> > > > > Where is the default encoding for an underlying transport specified?
> > > > > Section 5.3 does not seem to say that a transport specification
> > > > > must provide this information, nor does Section 1.3 (which
> > > > > mentions that transport specifications must detail the lifecycle
> > > > > of dynamic subscriptions), nor does Section 2.5.7 (that
> > > > > discusses the need for a separate model augmenting
> > > > > /subscriptions/subscription/receivers/receiver
> > > > > to provide transport details).
> > > >
> > > > For many transports, the encoding is redundant information.  The
> > > > reason is that transport RFCs themselves define supported
> > > > encodings (e.g., "NETCONF + XML" , "RESTCONF + JSON").  And WG
> > > > members who built those transport RFCs did not want to allow
> > > > operators to misconfigure anything here.  (As an aside, this
> > > > desire to significantly reduce the opportunity for misconfiguration is what
> drove the interesting 'when'
> > > > statement above.)
> > > >
> > > > But encodings can vary.  This is the purpose of the identity
> > > > "configurable-
> > > encoding" in the YANG model.   And this identity does say that "Further
> details
> > > for any specific configurable encoding would be explored in a
> > > transport document based on this specification."  I guess this
> > > information could be repeated in Section 5.3 if necessary.
> > >
> > > I think that duplication would be my preference, to get things
> > > consolidated in one place.
> >
> > Per above in the discuss, text added to 5.3.
> >
> > > > >        choice notification-message-origin {
> > > > >          if-feature "configured";
> > > > >          description
> > > > >            "Identifies the egress interface on the publisher from which
> > > > >             notification messages are to be sent.";
> > > > >
> > > > > nit: given the address-originated case, perhaps "the egress interface"
> > > > > is not quite correct anymore.
> > > >
> > > > Every alternative I come up with seems more problematic.   I believe
> readers
> > > should be able to understand based on the cases below.
> > >
> > > (I don't have any better suggestions, either.)
> > >
> > > > >                enum connecting {
> > > > >                  value 3;
> > > > >                  if-feature "configured";
> > > > >                  description
> > > > >                    "A subscription has been configured, but a
> > > > >                    'subscription-started' subscription state change
> > > > >                    notification needs to be successfully received before
> > > > >                    notification messages are sent.
> > > > >
> > > > > nit: successful receipt happens on the receiver but sending
> > > > > happens on the publisher, so there's a bit of a mismatch in the
> > > > > sentence subject here.  Perhaps we could talk about
> > > > > "successfully sent" state-changes
> > > to resolve things.
> > > >
> > > > This wording is as intended.  Basically it is highly desirable for
> > > > configured receivers will need to acknowledgement of successful
> > > > receipt of a "subscription-started" before sending event records.
> > > > This helps prevent DDOS attacks.  The mechanism for gaining an
> > > > acknowledgement varies by transport.  As an example of what we
> > > > have been thinking about here, see
> > > >
> > > > https://datatracker.ietf.org/doc/draft-ietf-netconf-restconf-notif
> > > > /04/
> > > Section 3.1.2
> > > > Hopefully this type of mechanism will be revived in future drafts.
> > >
> > > I agree that getting explicit acknowledgment of delivery is highly
> > > desirable; my qualm here is solely about the grammar of the sentence.
> > > Does it preserve the desired meaning to replace "successfully received"
> > > with "successfully acknowledged" (or "successfully received and
> > > acknowledged")?
> >
> > I would love to have had acknowledged.  However I have heard from
> implementers that NETCONF is not as robust in this way as HTTP.  And
> acknowledged might imply things to developers they might not be able to
> deliver.
> >
> > > > >              config false;
> > > > >              mandatory true;
> > > > >              description
> > > > >                "Specifies the state of a subscription from the
> > > > >                perspective of a particular receiver.  With this info it
> > > > >                is possible to determine whether a subscriber is
> > > > >                currently generating notification messages intended for
> > > > >                that receiver.";
> > > > >
> > > > > nit: is it the subscriber that is generating messages or the publisher?
> > > >
> > > > Good catch.  Changed to publisher.
> > > >
> > > > > Section 5.3
> > > > >
> > > > >    A secure transport is highly recommended and the publisher MUST
> > > > >    ensure that the receiver has sufficient authorization to perform the
> > > > >    function they are requesting against the specific subset of content
> > > > >    involved.
> > > > >
> > > > > "secure transport" usually means that it provides message
> > > > > confidentiality, integrity protection, and source authenticity
> > > > > (akin to the
> > > mutual authentication).
> > > > > This is qualitatively different from implementing authorization
> > > > > checks, and it's surprising to see them squashed into the same sentence.
> > > >
> > > > Tweaked to "A secure transport is highly recommended.  Beyond
> > > > this, the
> > > publisher MUST".
> > > >
> > > > > Do we want to say anything about discovery for support of new
> > > > > transports, and what workflow would be used to negotiate the use
> > > > > of a new
> > > transport?
> > > >
> > > > Not at this point.
> > >
> > > Okay.
> > >
> > > > > Section 5.4
> > > > >
> > > > > I can think of a couple other considerations to mention here:
> > > > >
> > > > > - Using DNS names for receiver "name" lookup can cause situations
> where
> > > > >   the name resolves differently on the publisher and subscriber, so the
> > > > >   recipient would be different than expected.
> > > > >
> > > > > - Using the publisher's boot time for deduplication protection on
> > > > >   replayed messages introduces a dependency on accurate time.  We
> don't
> > > > >   have a great secure time story at present, so this is more of a
> > > > >   "beware of risk" situation than something we can mitigate, but it does
> > > > >   seem that an attacker that could (e.g.) spoof the NTP traffic to the
> > > > >   publisher on boot could cause it to send duplicate notifications to
> > > > >   recipients that requested historical data.
> > > >
> > > > I tweaked and inserted the two paragraphs from you...
> > > >
> > > > "Using DNS names for configured subscription receiver "name"
> > > > lookup can
> > > cause situations where the name resolves unexpectedly differently on
> > > the publisher, so the recipient would be different than expected."
> > > >
> > > > "Using the publisher's boot time for deduplication protection on
> > > > replayed
> > > messages introduces a dependency on accurate time."
> > >
> > > Can we also say something like "An attacker that can cause the
> > > publisher to use an incorrect time can induce message replay by
> > > setting the time in the past, and introduce a risk of message loss by setting
> the time in the future"?
> >
> > Text you suggest above has been inserted instead of " Using the publisher's
> boot time for deduplication protection...".
> >
> > > >
> > > > > Some other comments on what's already there (which is pretty
> > > > > good; thanks for
> > > > > it!) follow.
> > > > >
> > > > >    Container: "/filters"
> > > > >
> > > > >    o  "stream-subtree-filter": updating a filter could increase the
> > > > >       computational complexity of all referencing subscriptions.
> > > > >
> > > > >    o  "stream-xpath-filter": updating a filter could increase the
> > > > >       computational complexity of all referencing subscriptions.
> > > > >
> > > > > Do we want to say anything about modifying either of these
> > > > > causing the set of notifications delivered to recipients to
> > > > > shrink (or become
> > > unmanageably large)?
> > > > > I guess it may not be necessary, since the recipient gets a
> > > > > notification about the modification that includes the details of the filter.
> > > >
> > > > Yes, that was the thinking.
> > > >
> > > > >    Container: "/subscriptions"
> > > > >
> > > > >    o  "excluded-event-records": leaf can provide information about
> > > > >       filtered event records.  A network operator should have
> > > > >       permissions to know about such filtering.
> > > > >
> > > > > To be clear, this is event records filtered either via explicit
> > > > > filter or via access control restrictions.
> > > >
> > > > Yes.
> > >
> > > I think that the semantic difference is worth noting.
> > >
> > > > > Specifically, it can allow a receiver to learn that there exists
> > > > > access controls that deny it access to some data, in the case
> > > > > when they did not apply any filtering rules explicitly.
> > > >
> > > > Yes.
> > > >
> > > > >This potential for information leakage (of the  existence of
> > > > > ACLs) should be mentioned explicitly.
> > > >
> > > > Added the sentence: "Improper configuration could provide a
> > > > receiver with
> > > information leakage consisting of the dropping of event records."
> > >
> > > Can I counter-propose: "Improper configuration could allow a
> > > receiver to learn that event records were dropped due to an ACL when
> > > the existence of that ACL would otherwise be transparent."
> > >
> > > >
> > > > > Appendix A
> > > > >
> > > > > This example transport module does not specify the life cycle of
> > > > > dynamic subscriptions per Section 1.3, and a couple other things
> > > > > required from a transport module specification.  Perhaps we are
> > > > > okay claiming that since this is just an example YANG model and
> > > > > not a full transport example, the omission is okay, but it may
> > > > > be worth mentioning
> > > the omission for clarity.
> > > >
> > > > I added as the second sentence
> > > > " This example is not intended to be a complete transport model."
> > > >
> > > > Thanks again for the review, it was excellently done.
> > >
> > > And thanks for the clear explanations of the parts that I didn't
> > > understand, it was very helpful to me.
> >
> > No problem.  This thread has been good for me too.  I will post v25 as soon as
> you give the ok.
> 
> Please go ahead and post v25.

Posted

-Eric

> Thanks,
> 
> Ben