Re: [Netconf] LC on subscribed-notifications-10

"Eric Voit (evoit)" <> Wed, 14 March 2018 17:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E2355120724; Wed, 14 Mar 2018 10:14:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -12.631
X-Spam-Status: No, score=-12.631 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 763rvrwNdnrp; Wed, 14 Mar 2018 10:14:54 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DA277120227; Wed, 14 Mar 2018 10:14:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=5354; q=dns/txt; s=iport; t=1521047693; x=1522257293; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=n8AbDbq88FJrLFAHrvdn1DNJ8g9Vzz1bCyspuLnwPBU=; b=AqtSnCA/ZGcZ0MQH6IGZhwD30GIRNKi1GEDNFiVRMzAFKv8Xp2R8Ybzl qAKyXkQXYEZjyVZMYT9pGivdR9hqghIscuhR+95H0/6OVhRfh+xaPO3cD yUKyfgysQtU+VBJSzBChzxjHVHQcpxhlHjVwqsR/H1CTds+HPm9dyTLrE o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.48,306,1517875200"; d="scan'208";a="368873509"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Mar 2018 17:14:53 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id w2EHEqf5012554 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 14 Mar 2018 17:14:53 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1320.4; Wed, 14 Mar 2018 13:14:52 -0400
Received: from ([]) by ([]) with mapi id 15.00.1320.000; Wed, 14 Mar 2018 13:14:52 -0400
From: "Eric Voit (evoit)" <>
To: Andy Bierman <>
CC: Martin Bjorklund <>, "" <>, "Robert Wilton -X (rwilton - ENSOFT LIMITED at Cisco)" <>, "" <>, "" <>, "" <>
Thread-Topic: [Netconf] LC on subscribed-notifications-10
Date: Wed, 14 Mar 2018 17:14:51 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Netconf] LC on subscribed-notifications-10
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 14 Mar 2018 17:14:57 -0000

(Look for <Eric2>  trying to keep things legible for those using text only email clients)

From: Andy Bierman, March 14, 2018 12:53 PM

On Wed, Mar 14, 2018 at 8:35 AM, Eric Voit (evoit) <> wrote:
(reducing to the single open item, and adding Andy + Alex to the "to")

> From: Martin Bjorklund, March 14, 2018 9:59 AM
> Hi,
> "Eric Voit (evoit)" <> wrote:
> > Hi Martin,
> >
> > But for
> > subscription to event streams, it is assumed that any event records
> > placed on a stream permitted for that receiver is authorized content
> > (just like RFC-5277).
> Hmm.  This is not how it is defined in RFC 5277:

Agree.   I should not have said "just like 5277".   More below.

>    After generation of the <notification> element, access control is
>    applied by the server.  If a session does not have permission to
>    receive the <notification>, then it is discarded for that session,
>    and processing of the internal event is completed for that session.
> Also, NACM is designed to drop notifications that the client doesn't have
> access to.

A few years ago during early discussions, Alex and I remember Andy asking that per receiver access control not be applied to traffic coming out of a stream.    We took that to mean that a receiver should get all the event records on a stream, without any per-notification filtering.  This is what drove the current text.

Per RFC-6536, section 3.4.6., the outgoing <notification> authorization is able to look at the notification event type, and if a receiver is authorized to receive the notification event type, then it is also authorized to receive any data it contains.

Reconsidering this, perhaps Alex and I interpreted Andy's intent wrong.  And Andy actually requested the current event type behavior which NACM can currently perform on the RFC-5277 NETCONF event stream, but no other filtering of event records beyond that.

I think the notification event type filtering is still applicable.

<Eric2>  Based on this, I will add the relevant RFC-5277 text into subscribed notifications.  Look for a link to a draft version on github shortly.  Will send link to this thread.

I remember some discussions about applying NACM to YANG Push subscriptions.
Of course the client needs permission to receive <push-update> events.
The issue for YP is that this is the only access control provided.

In order to support NACM for the contents of <push-update> events, the client
MUST have permission to read every data node specified in the filters for
a subscription. This is checked when the subscription is configured or activated.
If a filter-ref filter is changed so this is no longer true, then the server MUST
suspend or terminate the subscription.

IMO even this is quite an implementation burden, but less than having the
server check NACM rules for every descendant node of every edited node for every

<Eric2> Agree that either is a valid method of achieving the requirements of yang-push.


If that is the case, and this capability is desired by the WG, Alex and I would be happy to replicate the relevant text from RFC-5277 section 3.2 to draft-ietf-netconf-subscribed-notifications to cover this.



> > Effects like this are why the two drafts, as well as the YANG model
> > targets and filters for datastores and to streams have been separated.
> >
> > > Your statement:
> > >
> > >   Access control is to the stream rather than the content.
> > >
> > > seems to imply that in order to subscribe to changes to the
> > > datastore, you need full access to all nodes covered by the filter.
> >
> > As a stream and a datastore are different, hopefully my comment above
> > clears this up.
> >
> > Eric
> > > /martin
> /martin