IETF Logo Mail Archive

Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis

Alexander Clemm <alexander.clemm@huawei.com> Thu, 04 May 2017 17:32 UTC

Return-Path: <alexander.clemm@huawei.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9425D129B10 for <netconf@ietfa.amsl.com>; Thu, 4 May 2017 10:32:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZVfQDBFudv7y for <netconf@ietfa.amsl.com>; Thu, 4 May 2017 10:32:51 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62EA0129431 for <netconf@ietf.org>; Thu, 4 May 2017 10:32:50 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml701-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DMH05171; Thu, 04 May 2017 17:32:48 +0000 (GMT)
Received: from SJCEML702-CHM.china.huawei.com (10.208.112.38) by lhreml701-cah.china.huawei.com (10.201.108.42) with Microsoft SMTP Server (TLS) id 14.3.301.0; Thu, 4 May 2017 18:32:46 +0100
Received: from SJCEML701-CHM.china.huawei.com ([169.254.3.8]) by SJCEML702-CHM.china.huawei.com ([169.254.4.233]) with mapi id 14.03.0235.001; Thu, 4 May 2017 10:32:42 -0700
From: Alexander Clemm <alexander.clemm@huawei.com>
To: "Eric Voit (evoit)" <evoit@cisco.com>, Andy Bierman <andy@yumaworks.com>
CC: Netconf <netconf@ietf.org>
Thread-Topic: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
Thread-Index: AQHSuKTAIzHBCUfDlEODIHfKLGbb7aHjqZkAgABCSACAADwigIAAqIWAgAACRoCAAAFcgP//sVYg
Date: Thu, 04 May 2017 17:32:40 +0000
Message-ID: <644DA50AFA8C314EA9BDDAC83BD38A2E0DF95738@SJCEML701-CHM.china.huawei.com>
References: <A13E62FA-AB96-4164-98D5-3CC1D04A78E8@gmail.com> <E236AC6C-4B6D-43B1-8092-0B8AA3F4D6AA@gmail.com> <f2106a6c538a4b9e96ba490b867bd40d@XCH-RTP-013.cisco.com> <CABCOCHTo+vO7LRJTEPFxOLH5fGkCPDJrO8QRbq_bnOHNS9skqA@mail.gmail.com> <d1a44db13f3b4de39bb89107fc61fea3@XCH-RTP-013.cisco.com> <CABCOCHRW=+V0WCXLS0RZbZ+jqeB5ofwRd0ZyqPoZ9Hvi-JrATA@mail.gmail.com> <24ebeed239a0459cafad264eba05ff71@XCH-RTP-013.cisco.com>
In-Reply-To: <24ebeed239a0459cafad264eba05ff71@XCH-RTP-013.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.213.48.144]
Content-Type: multipart/alternative; boundary="_000_644DA50AFA8C314EA9BDDAC83BD38A2E0DF95738SJCEML701CHMchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090203.590B65C0.00E0, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.3.8, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 37bb3e215755e39c59742f08690b9019
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/OQiTJF65Je1oA5TY9BIDxdWpcCM>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 17:32:54 -0000

One comment below, very bottom, <ALEX>
--- Alex

From: Netconf [mailto:netconf-bounces@ietf.org] On Behalf Of Eric Voit (evoit)
Sent: Thursday, May 04, 2017 8:07 AM
To: Andy Bierman <andy@yumaworks.com>
Cc: Netconf <netconf@ietf.org>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis

Thanks Andy.   I am good with the document.

From: Andy Bierman,  May 4, 2017 11:02 AM



On Thu, May 4, 2017 at 7:53 AM, Eric Voit (evoit) <evoit@cisco.com<mailto:evoit@cisco.com>> wrote:

From: Andy Bierman, May 4, 2017 12:51 AM
On Wed, May 3, 2017 at 6:15 PM, Eric Voit (evoit) <evoit@cisco.com<mailto:evoit@cisco.com>> wrote:
….

#3 Section 3.4.6
Outgoing <notification> Authorization in 3.4.6 say descendent nodes are out of scope.  But as some notifications can contain datastore extracts, it would seem useful allow NACM to act similarly to the processing of a response to a get.  Also is there an intersection of this point with #2 above?

IMO this should not be done (unless you want you code to run way slower)
It also means the client cannot be sure what the server will leak.
I prefer to apply NACM at subscription-time. If the client is not allowed to
read everything in the requested subscription, it is denied.

This doesn't really work for data rules on specific instances that get created
after the subscription starts. But applying NACM data rules to every descendant
node in a YANG push is going to be extremely slow. This gets even worse
for subscriptions with multiple receivers (as NACM has to be enforced for
each receiver). I would prefer to see a solution that forces YANG push
to enforce NACM at update generation time (before the notification
delivery system ever sees it) But this assumes YANG push is aware
of the active subscriptions, so not an ideal solution at all.

<Eric> understand, and agree these are valid approaches.   I am just hoping that the text doesn’t explicitly preclude implementations which might be able to accomplish notification based content filtering.  As the text currently says “out of scope”, my reading is that this not precluded.


IMO it is OK to put this requirement on a YANG push implementation.
The pruning is done by YANG push, not NACM
Then NACM checks the event-type (if so configured)

<ALEX> Is this something that could be added to NACM as a feature/extension to be applied to specific notification types?   Perhaps it does not need to be fully speced out in this document, but still described how this could be accommodated.  As mentioned in my other message, I do think this is an important limitation.  It is made for a reason, but still with possible scenarios that we can already anticipate (with other WG items that are WIP) which will call for that limitation to be overcome, so I think this warrants adding at a minimum a brief section discussing this.
</ALEX>

v2.23.0 | Report a Bug | By Email