IETF Logo Mail Archive

Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis

Andy Bierman <andy@yumaworks.com> Tue, 16 May 2017 21:37 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3584812EC2A for <netconf@ietfa.amsl.com>; Tue, 16 May 2017 14:37:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VLS8odX_k9r5 for <netconf@ietfa.amsl.com>; Tue, 16 May 2017 14:37:45 -0700 (PDT)
Received: from mail-wr0-x22f.google.com (mail-wr0-x22f.google.com [IPv6:2a00:1450:400c:c0c::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F258312EB87 for <netconf@ietf.org>; Tue, 16 May 2017 14:32:34 -0700 (PDT)
Received: by mail-wr0-x22f.google.com with SMTP id z52so84014015wrc.2 for <netconf@ietf.org>; Tue, 16 May 2017 14:32:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=gcTt/5R7Rvv+tTXpi7ccimBXxFB1uMF9Z+KMOADlAEc=; b=QT5myUbAygCQ3yDGrELp2WawjRWC36Di7tXIqZ7ea0Y0bUCsT+h4N0Kr4gPX0F4me6 o5bh3J3V6YAMAY8oRL7HKiV9B6FYRjdIsPNmInrAgqY0+G0i+c+QaOWdySzKc/Ol0wIj TXGP0209ZxBee1ukP1/dwU3XVMG+oM23tZBn9zYfJWefaiOTmsp9rNb7lLHuWqiVzuZ+ xTpb3245r76wr3zIpLtJ8jnJ36LthqUeGK8+MQGoyXpgOqV1AMgwmZAW05GmCl1FKpt2 IwWR24Ve2IlR+E5GqAqKHsbJsGU/6Rz6nKQkxmX6v1UQdVRHNAhdv4UxJcLUMjK9UeRr ZnUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=gcTt/5R7Rvv+tTXpi7ccimBXxFB1uMF9Z+KMOADlAEc=; b=lKWaCegqMUxIHsVw3DTonfCaE4cgZDIXUIU0lyIzgaYYcihLHCb3bFqsiV8PzNkbq9 6lNMOtMQkEAtUXT0YGktSW6ZdPi6dhaSvZbXSikFQvXkAxxFDEJ2Cca/Ctwnm6ka4cjR 0sf65cW4JX6zqD5A1CmSaAfCXbVN7WMZU9fvFjLGluR7avY/yrw+O2aowFJTfP2gCr52 Dck/le7pWkA0n7R8R5sTHjz5PhRRRGfRWUJy767qb9muxrdBIHcQC5Fzv0lVV/4F2Ecd EsNaUhi0P7AngwrqVXi7a/bPXpASoU3bXmmH48sKFJYv8t7aINpl/bIHruJ4tDb/nxji xnnQ==
X-Gm-Message-State: AODbwcAhwOehA1Hjie6NKM6ZwOmhJLHNIOUzQCC5nAJtWmwzaUWx8HFA YMo/A0w0ybFuxCj+OHlul1rlYC25raoN
X-Received: by 10.223.134.80 with SMTP id 16mr39407wrw.62.1494970353346; Tue, 16 May 2017 14:32:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.155.2 with HTTP; Tue, 16 May 2017 14:32:32 -0700 (PDT)
In-Reply-To: <04623446-36C5-4ABE-81C3-9E6B1F0BC39A@gmail.com>
References: <CABCOCHT9fNKHn=qgFsQ0mznByArCpqsAz4m4jjjPE7M243UjeA@mail.gmail.com> <644DA50AFA8C314EA9BDDAC83BD38A2E0DF9584C@SJCEML701-CHM.china.huawei.com> <CABCOCHRgaTpxXJ0nOgbHx4Hbz6FgfTahN3T2OedfC6gnbnAN0A@mail.gmail.com> <20170509.145030.58029732242199759.mbj@tail-f.com> <20170510064608.GA14838@elstar.local> <04623446-36C5-4ABE-81C3-9E6B1F0BC39A@gmail.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Tue, 16 May 2017 14:32:32 -0700
Message-ID: <CABCOCHRBXbCfW+=-FsoHS7nUmn8qJ=Rv9vsEf89dSs3273NGbQ@mail.gmail.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: Martin Bjorklund <mbj@tail-f.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Netconf <netconf@ietf.org>
Content-Type: multipart/alternative; boundary="001a11491e7edc8004054faae87e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/OlKZk_v7ItAJYGkZVrYgoBWVflk>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 May 2017 21:37:48 -0000

On Tue, May 16, 2017 at 2:02 PM, Mahesh Jethanandani <
mjethanandani@gmail.com> wrote:

> Having reviewed all the e-mails, I believe that there are few issues that
> need to be resolved before we send the draft for publication. We need to
> agree on the language, even if we do have the exact text in the draft.
>
> To begin with, do the authors have a response to the suggestions from
> Juergen prompted by the question from Alex? Are we leaving the NACM
> definition of any future datastores to the datastore draft, or are we
> saying NACM applies to all datastores?
>
>
No. IMO the text should say NACM applies to NETCONF and RESTCONF
with the existing datastores.

NACM MAY be applied to other datastores that have similar operation sets.
Any new datastore specification needs to define how it maps to the NACM
CRUDX
model.  The datastore does not need to use NACM (e.g., datastore defines
something else
or does not use access control).


To the point that Andy raised earlier, we need to have texts around
> datastores that provide more than CRUDX capabilities, including any
> protocol operations, e.g. priority, as something that is out of scope of
> this document.
>
>
This would be outside the scope of NACM.
This is part of the RPC input validation.



> NETCONF WG has moved to redefine its charter beyond NETCONF and RESTCONF.
> Therefore there is a real possibility of another protocol being discussed
> in the WG. Is there something in the NACM draft that restricts it to
> NETCONF/RESTCONF that other protocols cannot adopt? If so, can they be
> called out?
>

If NACM needs to be changed in the future because a new or existing
protocol needs new features
then the WG will have to deal with it then.



>
> Thanks.
>
>
Andy


> > On May 9, 2017, at 11:46 PM, Juergen Schoenwaelder <
> j.schoenwaelder@jacobs-university.de> wrote:
> >
> > On Tue, May 09, 2017 at 02:50:30PM +0200, Martin Bjorklund wrote:
> >> Andy Bierman <andy@yumaworks.com> wrote:
> >>> On Thu, May 4, 2017 at 11:21 AM, Alexander Clemm <
> alexander.clemm@huawei.com
> >>>> wrote:
> >>>
> >>>> As mentioned in my message, I don’t think specific access control
> will be
> >>>> needed (I am not aware of specific use cases), but specifically with
> the
> >>>> revised datastore architecture about to the be introduced, its impact
> or
> >>>> nonimpact and interrelation with NACM should be discussed.  This can
> be as
> >>>> simple as a small paragraph or subsection “Revised Datastore
> >>>> Considerations”.
> >>>>
> >>>>
> >>>>
> >>>
> >>> there is no text about candidate vs. running vs. startup.
> >>> The NACM rules apply to all of them the same.
> >>> I could add text that says there is no consideration for specific
> >>> datastores.
> >>
> >> Actually, the document already says:
> >>
> >> 3.2.  Datastore Access
> >>
> >>   The same access control rules apply to all datastores, for example,
> >>   the candidate configuration datastore or the running configuration
> >>   datastore.
> >>
> >>   Only the standard NETCONF datastores (candidate, running, and
> >>   startup) are controlled by NACM.
> >>
> >>
> >> Somehow this needs to be updated when the revised datastore work is
> >> done.  E.g., I expect read access to intended to follow the same NACM
> >> rules.
> >>
> >
> > Yes. NACM likely also applies to the <operational/> datastore (but
> > this follows already from the text that talks about 'state data').
> >
> > My question, however, was about other future yet to be defined
> > 'dynamic' datastores - does NACM make a statement of the form 'once an
> > implementation announces NACM, NACM applies to all datastores - no
> > exceptions' or do we leave it to the definition of future datastores
> > to declare whether NACM applies to it. There may be three possible
> > solutions:
> >
> > a) Once an implementation supports NACM, NACM applies to all
> >   datastores (including any datastores defined in the future).
> >
> > b) Once an implementation supports NACM, NACM applies to all
> >   conventional datastores and the operational state datastore.  Other
> >   datastores must define whether NACM applies to them.
> >
> >   (This means, whenever a new datastore is introduced, the question
> >   whether NACM applies has to answered for the new datastore.)
> >
> > c) Once an implementation supports NACM, NACM applies to all current
> >   and future datastore unless explicitely stated or signaled that
> >   NACM does not apply to a certain future datastore.
> >
> >   (This is essentially b) but with a default that NACM applies unless
> >   things are explicitly regulated to be different.)
> >
> > I just thought it is worth to take a moment to think about this
> > question.
> >
> > /js
> >
> > --
> > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
> >
> > _______________________________________________
> > Netconf mailing list
> > Netconf@ietf.org
> > https://www.ietf.org/mailman/listinfo/netconf
>
> Mahesh Jethanandani
> mjethanandani@gmail.com
>
>
>
>

v2.23.0 | Report a Bug | By Email