IETF Logo Mail Archive

Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis

Mahesh Jethanandani <mjethanandani@gmail.com> Tue, 23 May 2017 19:42 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A920212EAED for <netconf@ietfa.amsl.com>; Tue, 23 May 2017 12:42:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5t5fkDRi7R-l for <netconf@ietfa.amsl.com>; Tue, 23 May 2017 12:42:10 -0700 (PDT)
Received: from mail-oi0-x22a.google.com (mail-oi0-x22a.google.com [IPv6:2607:f8b0:4003:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFC1A12EAF2 for <netconf@ietf.org>; Tue, 23 May 2017 12:42:00 -0700 (PDT)
Received: by mail-oi0-x22a.google.com with SMTP id b204so215395611oii.1 for <netconf@ietf.org>; Tue, 23 May 2017 12:42:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=FzDar1Urli+4e51jyDp4SpnJ17Oo6CSS2HEpYh3J5tI=; b=hcXfllXQUUNE6Bt9WhcQIy6z+BBtLgb8nt5ozYXM+zGg0wMYUeVD8MdBXVxBevHdBa U4P5q55Sk3d/tnaHEuI9yBKwDARdfwv2hddnq2YLJVxjvLMphszGPR3W08SG7AU9AB11 B24shkq6fyOvbZeiIbbEuXEk3oAty5hyp8cAp47qjp/UUXmQvM2pQAZSyQBU2inzOnBQ oJ6HJiOtt3MC1lgek+3/A3SVjk4VfWeJY9bksxJdOsV2HGwVftjed0w5gnkhSqKRZgrQ xEt6oq+BI6ARq1XNZDe0jM5+wrNgeK6YnoLaUap0hqkeaG9BstqQMMCgWXvtt6QR7a2J MADA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=FzDar1Urli+4e51jyDp4SpnJ17Oo6CSS2HEpYh3J5tI=; b=PyId8NqRbxjOvnQkJPlj8K7pQaQMruYbM4oGur7HLeaS8zPtcWSUeXJB3ZguwIw7p3 MVwuui9FjReQA3H8PBChkLEdNb18vA5orgcyOylwibzPg5NrWC0xq5pUOAN/9AfGofnB RgFRDOkYakDQjbXXfl0iso95fcosL7kWRMZaJnqHddt5cmTAL1VswMfdTHV7UZSQ1CWl 62mF/XGLlbOKCOxSaXnmpcy1iUd7+u5e8V6g48joO0DN2Nqn7ePcKxXrziGDo3f5zYU3 4lWSm0t7yqUMYTAltzavaozvhd/3DNKi12PhT4d2aOGehROHZmz4+wuII0PmMX4ZTscj jtWg==
X-Gm-Message-State: AODbwcBiho0XwvHMVH+2Sw6Zz7OIdGf6qGVQETL5o+YAzUTeRrB01Npa 4NM/L61SDPCijw==
X-Received: by 10.157.21.39 with SMTP id u36mr2389567otf.187.1495568520088; Tue, 23 May 2017 12:42:00 -0700 (PDT)
Received: from ?IPv6:2001:420:30d:1320:4da2:f54:c85e:a54? ([2001:420:30d:1320:4da2:f54:c85e:a54]) by smtp.gmail.com with ESMTPSA id j60sm704373otc.50.2017.05.23.12.41.58 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 23 May 2017 12:41:59 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Mahesh Jethanandani <mjethanandani@gmail.com>
In-Reply-To: <20170523.091519.1988324449434279102.mbj@tail-f.com>
Date: Tue, 23 May 2017 12:41:58 -0700
Cc: Andy Bierman <andy@yumaworks.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, netconf@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <D13AF5F3-1AE1-4A43-866F-10984114BF2C@gmail.com>
References: <CABCOCHRBXbCfW+=-FsoHS7nUmn8qJ=Rv9vsEf89dSs3273NGbQ@mail.gmail.com> <22F66A24-12AB-4447-AC9A-9D8F9B0BB726@gmail.com> <CABCOCHSGa23SR_soKBurzPWOckf0eE_jp=jRkpoCSXczq_2xSg@mail.gmail.com> <20170523.091519.1988324449434279102.mbj@tail-f.com>
To: Martin Bjorklund <mbj@tail-f.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/O1Unw26BFDhJcXfH6bGdxI6YEUw>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 19:42:13 -0000

> On May 23, 2017, at 12:15 AM, Martin Bjorklund <mbj@tail-f.com> wrote:
> 
> Andy Bierman <andy@yumaworks.com> wrote:
>> Hi,
>> 
>> The update is on github.
>> http://github.com/netconf-wg/rfc6536bis
>> 
>> I would like Martin to look it over before it is posted.
> 
> Done, and the new text looks good.  I moved the new subsection to be
> the first in 3.2, and I also fixed some minor terminology issues.
> 
> But, I wonder if we shouldn't make the document even less NETCONF
> specific, and align the terminology to revised-datastores.  For
> example, currently the document talks about access to "NETCONF
> datastores".   With the new less protocol-specific terminology this
> would simply be "datastore”.

I would prefer this.

> 
> Also, we currently have this:
> 
>   A standalone RESTCONF server (i.e., not co-located with a NETCONF
>   server) applies NACM rules to a conceptual datastore, since
>   datastores are not supported in RESTCONF.
> 
> I don't think this is quite correct.  Even in a stand-alone RESTCONF
> server there is an underlying conceptual datastore, for which NACM can
> be used to control access.  
> 
> 
> 
> /martin
> 
> 
>> 
>> 
>> Andy
>> 
>> 
>> On Sun, May 21, 2017 at 10:25 PM, Mahesh Jethanandani <
>> mjethanandani@gmail.com> wrote:
>> 
>>> Andy,
>>> 
>>> On May 16, 2017, at 2:32 PM, Andy Bierman <andy@yumaworks.com> wrote:
>>> 
>>> 
>>> 
>>> On Tue, May 16, 2017 at 2:02 PM, Mahesh Jethanandani <
>>> mjethanandani@gmail.com> wrote:
>>> 
>>>> Having reviewed all the e-mails, I believe that there are few issues that
>>>> need to be resolved before we send the draft for publication. We need to
>>>> agree on the language, even if we do have the exact text in the draft.
>>>> 
>>>> To begin with, do the authors have a response to the suggestions from
>>>> Juergen prompted by the question from Alex? Are we leaving the NACM
>>>> definition of any future datastores to the datastore draft, or are we
>>>> saying NACM applies to all datastores?
>>>> 
>>>> 
>>> No. IMO the text should say NACM applies to NETCONF and RESTCONF
>>> with the existing datastores.
>>> 
>>> NACM MAY be applied to other datastores that have similar operation sets.
>>> Any new datastore specification needs to define how it maps to the NACM
>>> CRUDX
>>> model.  The datastore does not need to use NACM (e.g., datastore defines
>>> something else
>>> or does not use access control).
>>> 
>>> 
>>> Can you update the draft with this text.
>>> 
>>> 
>>> 
>>> To the point that Andy raised earlier, we need to have texts around
>>>> datastores that provide more than CRUDX capabilities, including any
>>>> protocol operations, e.g. priority, as something that is out of scope of
>>>> this document.
>>>> 
>>>> 
>>> This would be outside the scope of NACM.
>>> This is part of the RPC input validation.
>>> 
>>> 
>>> And clarify that operations outside of CRUDX are outside the scope of
>>> NACM. We can them move the document towards publication.
>>> 
>>> Thanks.
>>> 
>>> 
>>> 
>>> 
>>>> NETCONF WG has moved to redefine its charter beyond NETCONF and RESTCONF.
>>>> Therefore there is a real possibility of another protocol being discussed
>>>> in the WG. Is there something in the NACM draft that restricts it to
>>>> NETCONF/RESTCONF that other protocols cannot adopt? If so, can they be
>>>> called out?
>>>> 
>>> 
>>> If NACM needs to be changed in the future because a new or existing
>>> protocol needs new features
>>> then the WG will have to deal with it then.
>>> 
>>> 
>>> 
>>>> 
>>>> Thanks.
>>>> 
>>>> 
>>> Andy
>>> 
>>> 
>>>>> On May 9, 2017, at 11:46 PM, Juergen Schoenwaelder <
>>>> j.schoenwaelder@jacobs-university.de> wrote:
>>>>> 
>>>>> On Tue, May 09, 2017 at 02:50:30PM +0200, Martin Bjorklund wrote:
>>>>>> Andy Bierman <andy@yumaworks.com> wrote:
>>>>>>> On Thu, May 4, 2017 at 11:21 AM, Alexander Clemm <
>>>> alexander.clemm@huawei.com
>>>>>>>> wrote:
>>>>>>> 
>>>>>>>> As mentioned in my message, I don’t think specific access control
>>>> will be
>>>>>>>> needed (I am not aware of specific use cases), but specifically with
>>>> the
>>>>>>>> revised datastore architecture about to the be introduced, its
>>>> impact or
>>>>>>>> nonimpact and interrelation with NACM should be discussed.  This can
>>>> be as
>>>>>>>> simple as a small paragraph or subsection “Revised Datastore
>>>>>>>> Considerations”.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>>> there is no text about candidate vs. running vs. startup.
>>>>>>> The NACM rules apply to all of them the same.
>>>>>>> I could add text that says there is no consideration for specific
>>>>>>> datastores.
>>>>>> 
>>>>>> Actually, the document already says:
>>>>>> 
>>>>>> 3.2.  Datastore Access
>>>>>> 
>>>>>>  The same access control rules apply to all datastores, for example,
>>>>>>  the candidate configuration datastore or the running configuration
>>>>>>  datastore.
>>>>>> 
>>>>>>  Only the standard NETCONF datastores (candidate, running, and
>>>>>>  startup) are controlled by NACM.
>>>>>> 
>>>>>> 
>>>>>> Somehow this needs to be updated when the revised datastore work is
>>>>>> done.  E.g., I expect read access to intended to follow the same NACM
>>>>>> rules.
>>>>>> 
>>>>> 
>>>>> Yes. NACM likely also applies to the <operational/> datastore (but
>>>>> this follows already from the text that talks about 'state data').
>>>>> 
>>>>> My question, however, was about other future yet to be defined
>>>>> 'dynamic' datastores - does NACM make a statement of the form 'once an
>>>>> implementation announces NACM, NACM applies to all datastores - no
>>>>> exceptions' or do we leave it to the definition of future datastores
>>>>> to declare whether NACM applies to it. There may be three possible
>>>>> solutions:
>>>>> 
>>>>> a) Once an implementation supports NACM, NACM applies to all
>>>>>  datastores (including any datastores defined in the future).
>>>>> 
>>>>> b) Once an implementation supports NACM, NACM applies to all
>>>>>  conventional datastores and the operational state datastore.  Other
>>>>>  datastores must define whether NACM applies to them.
>>>>> 
>>>>>  (This means, whenever a new datastore is introduced, the question
>>>>>  whether NACM applies has to answered for the new datastore.)
>>>>> 
>>>>> c) Once an implementation supports NACM, NACM applies to all current
>>>>>  and future datastore unless explicitely stated or signaled that
>>>>>  NACM does not apply to a certain future datastore.
>>>>> 
>>>>>  (This is essentially b) but with a default that NACM applies unless
>>>>>  things are explicitly regulated to be different.)
>>>>> 
>>>>> I just thought it is worth to take a moment to think about this
>>>>> question.
>>>>> 
>>>>> /js
>>>>> 
>>>>> --
>>>>> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>>>>> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
>>>>> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
>>>>> 
>>>>> _______________________________________________
>>>>> Netconf mailing list
>>>>> Netconf@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/netconf
>>>> 
>>>> Mahesh Jethanandani
>>>> mjethanandani@gmail.com
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> Mahesh Jethanandani
>>> mjethanandani@gmail.com
>>> 
>>> 

Mahesh Jethanandani
mjethanandani@gmail.com

v2.23.0 | Report a Bug | By Email