Re: [Netconf] Reminder: WG Last Call for draft-ietf-netconf-access-control-04.txt
Kent Watsen <kwatsen@juniper.net> Wed, 03 August 2011 16:47 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEE8221F86D6 for <netconf@ietfa.amsl.com>; Wed, 3 Aug 2011 09:47:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jb2poR50k5DP for <netconf@ietfa.amsl.com>; Wed, 3 Aug 2011 09:47:52 -0700 (PDT)
Received: from exprod7og108.obsmtp.com (exprod7og108.obsmtp.com [64.18.2.169]) by ietfa.amsl.com (Postfix) with ESMTP id 89B3A21F8548 for <netconf@ietf.org>; Wed, 3 Aug 2011 09:47:52 -0700 (PDT)
Received: from P-EMHUB02-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob108.postini.com ([64.18.6.12]) with SMTP ID DSNKTjl7wakPtAdAT5PqtQoKFdipX82wG7m0@postini.com; Wed, 03 Aug 2011 09:48:05 PDT
Received: from EMBX01-HQ.jnpr.net ([fe80::c821:7c81:f21f:8bc7]) by P-EMHUB02-HQ.jnpr.net ([fe80::88f9:77fd:dfc:4d51%11]) with mapi; Wed, 3 Aug 2011 07:55:51 -0700
From: Kent Watsen <kwatsen@juniper.net>
To: "Bert (IETF) Wijnen" <bertietf@bwijnen.net>, netconf <netconf@ietf.org>
Date: Wed, 03 Aug 2011 07:55:48 -0700
Thread-Topic: [Netconf] Reminder: WG Last Call for draft-ietf-netconf-access-control-04.txt
Thread-Index: AcxODPeXulcqbXuwS8eYx9bauJdjBQD1SsDg
Message-ID: <84600D05C20FF943918238042D7670FD3E871944E2@EMBX01-HQ.jnpr.net>
References: <4E1DB164.5090007@bwijnen.net> <4E32E057.7030707@bwijnen.net>
In-Reply-To: <4E32E057.7030707@bwijnen.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [Netconf] Reminder: WG Last Call for draft-ietf-netconf-access-control-04.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Aug 2011 16:47:53 -0000
> Pls review BEFORE or BY August 1 if you have not already done so. > A "I read it and see no issues or have no concerns" is also very welcome! I continue to struggle with why this is an important problem to solve (see http://www.ietf.org/mail-archive/web/netconf/current/msg06962.html). First off, from an implementation perspective, I feel that this I-D would only be implemented for green-field developments. Having a common access-model for those systems would be nice indeed, but I don't imagine any existing Juniper or similar gear ever supporting it. This means it has little impact for a multi-vendor NMS, which is my focus. Keep in mind that this data-model is different than others that we might talk about in that it's not just an abstraction, it goes to the core of how the device works. Presumably this I-D only impacts the NetConf interface, but vendors will likely not see it that way after needing to pass a Common Criteria certification. Next I question the utility of the I-D. IMO, the purpose for common data-models is so an off-box tool (NMS) can interoperate with many devices. As I wrote before (see above link), this typically results in the NMS logging into *all* the devices with root-like permissions and then itself presenting its own RBAC model to its users. With this in mind, it seems that this I-D only impacts tools that talk to one device at a time, such that when it is interacting with the device, it can use the device-provided NACM model to restrict access to stuff in its UI. This use-case is weak as it seems customers would more likely use a device's native management interfaces (Web, CLI, etc.) I understand that this I-D is chartered work and my comments aren't very helpful towards reaching that goal, but I can't support this I-D in its current form either knowing that it won't be picked up by Juniper. Thanks, Kent
- [Netconf] WG Last Call for draft-ietf-netconf-acc… Bert (IETF) Wijnen
- Re: [Netconf] WG Last Call for draft-ietf-netconf… Bert (IETF) Wijnen
- [Netconf] Reminder: WG Last Call for draft-ietf-n… Bert (IETF) Wijnen
- Re: [Netconf] Reminder: WG Last Call for draft-ie… Wes Hardaker
- Re: [Netconf] Reminder: WG Last Call for draft-ie… Andy Bierman
- Re: [Netconf] Reminder: WG Last Call for draft-ie… Wes Hardaker
- Re: [Netconf] Reminder: WG Last Call for draft-ie… Andy Bierman
- Re: [Netconf] Reminder: WG Last Call for draft-ie… Kent Watsen
- Re: [Netconf] Reminder: WG Last Call for draft-ie… Bert (IETF) Wijnen
- Re: [Netconf] Reminder: WG Last Call for draft-ie… Bert (IETF) Wijnen
- [Netconf] Finished WG Last Call for draft-ietf-ne… Bert (IETF) Wijnen
- Re: [Netconf] Finished WG Last Call fordraft-ietf… Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] Finished WG Last Call fordraft-ietf… Kent Watsen
- Re: [Netconf] Finished WG LastCall fordraft-ietf-… Bert Wijnen (IETF)