[netconf] Latest ietf-netconf-server draft and related modules

Michal Vaško <mvasko@cesnet.cz> Fri, 05 March 2021 08:10 UTC

From: Michal Vaško <mvasko@cesnet.cz>
To: netconf <netconf@ietf.org>
Date: Fri, 05 Mar 2021 09:10:09 +0100
Message-ID: <67bf-6041e780-35-f195530@37659174>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/NTEGku6cY4EYOrtAV_eFNwR-ijA>


I had a chance to look at these modules again and have two questions regarding some recent changes.

- ietf-ssh-server, ssh-server-grouping/client-authentication/supported-authentication-methods

Since the "other" leaf-list was removed, there is no way to support any methods other than those specified. I am not sure whether this was the intention and, if so, what the reason for it is. If nothing else, we support the "interactive" authentication method, but there are some others that I see no reason why they could not be used. For a robust and extensible solution, why not use an identityref leaf-list with all the methods as identities? One could then simply add new ones with specific "if-feature" statements.

- ietf-netconf-server, grouping netconf-server-grouping/client-identity-mappings

The "if-feature" on this container is strange. The practical problem is that if one wants to support certificates only for TLS, both one of the TLS features and "ssh-x509-certs" must be enabled. This then results in the container being defined for both SSH and TLS, so there is no way to support it only for TLS or for SSH.

Thanks for any input.
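As an added illustration of the identityref suggestion in the first point (this is a hypothetical example module written for this archive page, not text from ietf-ssh-server or any other IETF draft; the module name, prefix, feature and identity names are all assumptions), the following YANG 1.1 module models the supported SSH client authentication methods as a leaf-list of identityref values. Each method is an identity derived from a common base, and an optional method is gated by an "if-feature" on its identity rather than on a container, so a server advertises exactly the methods it implements:

```yang
module example-ssh-auth-methods {
  yang-version 1.1;
  namespace "urn:example:ssh-auth-methods";
  prefix exam;

  // Hypothetical features; a server advertises only those it supports.
  feature ssh-x509-certs {
    description
      "The server can authenticate clients with X.509 certificates.";
  }
  feature keyboard-interactive {
    description
      "The server supports the SSH keyboard-interactive method.";
  }

  // Base identity; every authentication method derives from it.
  identity auth-method {
    description
      "Base identity for SSH client authentication methods.";
  }
  identity publickey {
    base auth-method;
    description "Public-key authentication.";
  }
  identity password {
    base auth-method;
    description "Password authentication.";
  }
  // Optional methods are gated on their own features (RFC 7950 allows
  // 'if-feature' as a substatement of 'identity').
  identity x509-certificate {
    base auth-method;
    if-feature "ssh-x509-certs";
    description "X.509 certificate authentication.";
  }
  identity keyboard-interactive {
    base auth-method;
    if-feature "keyboard-interactive";
    description "Keyboard-interactive authentication.";
  }

  container client-authentication {
    description
      "Hypothetical stand-in for the client-authentication node.";
    leaf-list supported-authentication-methods {
      type identityref {
        base auth-method;
      }
      min-elements 1;
      ordered-by user;
      description
        "Methods the server offers to clients, in order of preference.
         Any identity derived from 'auth-method', including ones
         defined in other modules, is a valid value.";
    }
  }
}
```

Because the leaf-list is typed as an identityref with base "auth-method", a separate module can add a method without touching this one, for example by defining `identity gssapi { base exam:auth-method; }` with its own "if-feature", which is the extensibility the "other" leaf-list previously provided. A configuration that lists a method whose feature the server does not advertise fails validation, so an operator cannot silently enable an unsupported method.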