Re: [netconf] AD review of draft-ietf-netconf-sztp-csr

Kent Watsen <> Thu, 24 June 2021 20:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 683B73A2ADA; Thu, 24 Jun 2021 13:53:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zmqjBUgUi27T; Thu, 24 Jun 2021 13:53:02 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 248743A2ADB; Thu, 24 Jun 2021 13:53:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug;; t=1624567980; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=c4e56BDmZcbhOelX9aPlQwWa0XIxxTr2+kWzRiu+NXA=; b=dT58p95tNag/Le/ZiENTGMCVVBqGfszp16VKh3q9KoEYKtFM53gzbDTpgLgj2iME RHGkQTY1Oj9U7d78URTHKLV8WXRrGtpJv0ahJNQDdRXBqK78uLH+r3iXnjjkRf8LshO Y/UgZ2QvDLQeYowCGz3grQcfr/wq5HuhUvJ/oMCw=
From: Kent Watsen <>
Message-ID: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9975103B-E338-4C97-A4D6-B8383A0FCC56"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Date: Thu, 24 Jun 2021 20:53:00 +0000
In-Reply-To: <>
Cc: "" <>, "" <>, "" <>
To: "Rob Wilton (rwilton)" <>
References: <> <> <> <> <>
X-Mailer: Apple Mail (2.3654.
X-SES-Outgoing: 2021.06.24-
Archived-At: <>
Subject: Re: [netconf] AD review of draft-ietf-netconf-sztp-csr
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 24 Jun 2021 20:53:06 -0000

> I’m not sure.  It feels less RESTful (at least to me) to not allow the data to be provided as a single message, even if in practice that might not make sense in most (almost all) cases.  If you were using a separate YANG RPC to send the crs-support and get the request-info then only including the crs node in the bootstrapping data RPC then I would have no complaints.  I.e., it only feels strange to handle a transactional dependency within the data structures of a single RPC on what is nominally a stateless API.
> Also, worth noting that using a separate YANG RPC to transmit the capabilities avoids the need to return an error.  It could just return success with the required information.  Was this approach considered at all, and would this be too big a change?  I’m not trying to create extra work for you, or delay this document …
> If a separate RPC to get the capabilities in undesirable or infeasible then changing to a choice seems reasonable, but I would probably suggest keeping “intended” and probably keeping the language on page 4 somewhat open, i.e., not strictly locking it down to doing a handshake.

I’m unsure it it makes sense to be concerned about the RESTfulness of this API.  Yes, it uses RESTCONF, but that is more out of convenience than any inherent need or desire for the API to be "RESTful”.  For instance, note that never could HTTP caches be used, as each message is distinct from any other.

That said, the “get-bootstrapping-data” RPC *is* idempotent, as the same POST (get-bootstrapping-data) returns the same response (assuming the server isn’t updated by an operator in the interim).  This is true also for when sending the “csr-support” and “csr” nodes, as described in the current document.   Of course, the idempotency of a YANG “rpc” statement isn’t that meaningful, relative to a RESTCONF "POST” used to edit configuration (e.g., like <edit-config>)…it’s likely fair to say that YANG RPCs are generally NOT RESTful.

Regarding using a separate RPC (returning a 2XX),  yes it was considered, however note that it is impossible for a generic device to anticipate what the specific deployment’s CA infrastructure will require in terms of 1) if *any* CSR is desired (most often not) and 2) when desired, what key-algorithm and CSR-attributes to use (rarely would the nearly-empty CSR a device could proactively send be viable).  

FWIW, if an out-of-band RPC were used, most of the time it would be a roundtrip for a no-op.  The in-band approach currently described is ideal in that it only consumes extra resources when needed.

That said, it does little harm for the draft to say (in addition to supporting the “in-band” mechanism) “a device MAY obtain the ‘request-info’ through an out-of-band mechanism outside the scope of this document”.  If this resolves your concern, then it’s an easy thing to add, and it may (to your point) provide some flexibility.  I think that it is consistent with your last paragraph above.  

I still think we should put “csr-support” and “csr” under a "choice” though, as the use-case for sending both at the same time is very small and it seems wrong to encourage/suggest it’s a good idea or to ask servers to have to support the case.

> 4. References.  RFC 3688 probably should be normative for the XML
> registry, noting that
> RFC 6020 is normatively referenced.
> Really?  I tend to disagree as I thought the litmus test for if something were
> normative was if it had to be understood in order to implement the RFC.
> I guess the logic here is that you need to understand RFC 6020 to understand the registry that is having entries added (given that RFC 7950 doesn't define the registry).
> But, as per below, I'll check with the IESG on this one.
> You raise an interesting point about RFC 6020 being Normative, as I see that
> it is NOT normative in at least one of my other drafts.  I think that it is a
> reasonable position that, if the RFC 6020 reference is only present in the
> IANA Considerations section, then it is INFORMATIVE as far as the draft as a
> whole goes.  Thoughts?
> Let me check with the IESG and get back to you on this one.  Although, perhaps worth noting that both these references are normative in RFC 8343 (and they are only referenced from the IANA registry entries).
> Ack, I will wait for your response on this item.
> I didn’t really get a strong answer from other ADs on this.
> Some of us felt that a normative reference is appropriate (because you need to understand the meaning of the registry that is being updated), and nobody objected to that characterization, but equally, some ADs didn’t think that Informative is necessarily wrong and it is probably not worth worrying about.
> My recommendation is to make them normative, because that is what has been done for other RFCs with YANG modules (and consistency is good), and I don’t see any other ADs objecting to this approach.  I would regard this as the path of least resistance.

Regarding "because you need to understand the meaning of the registry that is being updated”, “you" only refers to IANA, right?   I don’t think SZTP-client and/or SZTP-server developers need to know about IANA registries to implement the document, right again?   Consistency is good, yes, but not when consistently-wrong  ;)   [I’m speaking theoretically here, not to any particular group of people] 

This is not something I care to block on, but I do want Normative references to adhere to the principle of they are for  *implementors* (which doesn’t include IANA, IMO).  Related, there’s also the XML Registry (RFC 3688); should all documents publishing a YANG module have a Normative reference due to an IANA instruction?  [PS: some RFCs exist (i.e., published) already having RFC 3688 as Informative…I wouldn’t by surprised if some also exist having RFC 6020 as Informative, but a quick search didn’t find any]

BTW, other drafts in your queue have "Informative” set for RFC 6020, and one (netconf-notification-capabilities) incorrectly references RFC 7950 instead of RFC 6020 (As shepherd, I apologize for missing it, but it’s one thing to test if all the references provided are accurate [i.e., the doc *does* have a normative dependency on 7950], and another to see if any references were missing altogether…i.e., finding the gaps).

PS: there’s a separate email thread (Reuse of SZTP-CSR YANG definition in BRSKI-AE) regarding this document that is pending your feedback.  Ideally I can collect that and thus apply all updates in one shot.