Re: [Netconf] LC on subscribed-notifications-10

Kent Watsen <> Tue, 12 June 2018 22:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5E086130FF5 for <>; Tue, 12 Jun 2018 15:38:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.71
X-Spam-Status: No, score=-0.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DaDlFVf3AA8T for <>; Tue, 12 Jun 2018 15:38:24 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 97FB0130DBE for <>; Tue, 12 Jun 2018 15:38:24 -0700 (PDT)
Received: from pps.filterd ( []) by ( with SMTP id w5CMT1im013165; Tue, 12 Jun 2018 15:38:21 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=PPS1017; bh=YrR/0WjI4HphFmRZM1pefA6Idj//z7qwQQahppJr7zU=; b=2Fz8ee7ba5oWj9Ju7uYpjoQUw/TyxUG7chj02bmz5JirQn34Pe84yvuMM6e0H/z4wDcJ OFGVBgGRFwnne7VkWYFb40Vkl1niEQlWJB899YAro3PhAXhk6jdRuhfSQvCOBuabfzdA dURNO40Rl5dW9dOQ9Rx80PLrZdN65lSbwFeNDPwk9qsegSkEXbKUrS60tMHZ58MmCzI+ a+ODXYBdwu8A8geADAF8Xv6ZlMnbBjyy02bJK2DZTWAwi3XyE2Mof0C8gqqQEOAkVmyD YJRL3zhn/h2xX6JeBs8MnO+WEahmQSBFcQ8wRrwip69YXMuOCffRYd6O40kJJbQHJiwW ig==
Received: from ( []) by with ESMTP id 2jjpb2g2n3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 12 Jun 2018 15:38:21 -0700
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.863.6; Tue, 12 Jun 2018 22:38:18 +0000
Received: from ([fe80::959d:9fbe:90e4:3cc]) by ([fe80::959d:9fbe:90e4:3cc%3]) with mapi id 15.20.0863.010; Tue, 12 Jun 2018 22:38:17 +0000
From: Kent Watsen <>
To: "Eric Voit (evoit)" <>
CC: "" <>, Alexander Clemm <>
Thread-Topic: [Netconf] LC on subscribed-notifications-10
Date: Tue, 12 Jun 2018 22:38:17 +0000
Message-ID: <>
References: <> <> <040a01d3be9f$09700490$1c500db0$> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: []
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR05MB3943; 7:M/FsObnTTrwasFn12VGh1RcTrInfV7iAls9hg5Dkk5Dx/CMssYVv1BLBL45lT0VXNvUdfjIQxVAE5TvuXjJNzhMQZR1qPIs4U9kgmut8bH2FJEHHrGOIzMoN2xRLAv/YFZ3E8UjSO3IrmC1TTKwQ2Ti3IWEmzCaSTQVvWFiOjg5ej59jtAhE7cRCd2fDbx+BxXra851CF9oxOMAzHT0dMXFYO7S2kQsIA6AGUvnGOs0xJSBhSJrhqcgb+y7ctgUj
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:BYAPR05MB3943;
x-ms-traffictypediagnostic: BYAPR05MB3943:
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(278428928389397)(192374486261705)(114627819485645)(95692535739014)(21748063052155)(17755550239193)(10436049006162);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3231254)(944501410)(52105095)(10201501046)(93006095)(93001095)(3002001)(6055026)(149027)(150027)(6041310)(20161123558120)(20161123562045)(20161123564045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011)(7699016); SRVR:BYAPR05MB3943; BCL:0; PCL:0; RULEID:; SRVR:BYAPR05MB3943;
x-forefront-prvs: 07013D7479
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(366004)(346002)(376002)(39380400002)(39860400002)(199004)(189003)(51444003)(966005)(26005)(186003)(6306002)(54896002)(33656002)(106356001)(8936002)(236005)(6506007)(81166006)(6512007)(59450400001)(105586002)(81156014)(6486002)(99286004)(102836004)(2900100001)(3280700002)(5250100002)(14454004)(76176011)(2906002)(6436002)(229853002)(25786009)(82746002)(86362001)(58126008)(478600001)(36756003)(486006)(6246003)(2616005)(5660300001)(68736007)(476003)(4326008)(93886005)(15650500001)(2420400007)(8676002)(316002)(7110500001)(6116002)(6916009)(3660700001)(7736002)(83716003)(54906003)(606006)(66066001)(11346002)(3846002)(53936002)(446003)(97736004); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR05MB3943;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None ( does not designate permitted sender hosts)
x-microsoft-antispam-message-info: BAL5Y34wAW57WrWe3BvG0op5WA/HhZmsi0kzYsL12naDbFBxDeetfceKx+Flxpor9207moV5Anm8cZBfWBUF9w0J1YGpeEws+A6R1HXzB0vGbXb+F95kx9QFI1/90NE6xErSZv1U0oZXUnhBU4/jT0zDnsToz6205panFwE1TLPGIXJKo7IMywZmcbisnqAb
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_470391DD9A9E47EC9CECE8E6BABE3DDFjunipernet_"
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: 21307314-8280-409f-f8d8-08d5d0b5314a
X-MS-Exchange-CrossTenant-Network-Message-Id: 21307314-8280-409f-f8d8-08d5d0b5314a
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jun 2018 22:38:17.6666 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB3943
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-06-12_14:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1805220000 definitions=main-1806120249
Archived-At: <>
Subject: Re: [Netconf] LC on subscribed-notifications-10
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Network Configuration WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 12 Jun 2018 22:38:31 -0000

Please look for <Kent9> below.

Next, I view this as a Security Consideration, since nefarious things can happen when a device reboots and note that a DoS could extend the gap to hours or days.  I think that this draft (the text above) is watering down the issue.  In my view, this is a huge consideration, along the lines of a receiver really MUST always try to use a dynamic subscription to fill in any gaps.

<Eric6> I agree this is a best practice, but a MUST would require telemetry receivers to have to support dynamic subscriptions.  I can see IoT receiver implementations where this wouldn’t be likely.

<Kent6> Good point, but I don't see in the YANG module establish-subscription being optional to implement.  Is that an oversight?

<Eric7> This is ok.  It is totally fine for a publisher to support dynamic subscriptions.  But a receiver need not.  Perhaps a lightweight IoT client just will just be a configured subscription receiver.

<Kent7> I think you misunderstood me.  Using your IoT example, even though a device (or the entire IoT space) only uses configured subscriptions, the current module doesn't enable a server to not support dynamic subscriptions.   For constrained devices, having to implement something never used could be a problem…

<Eric8>  The requirement is that a publisher must support a dynamic subscription.  There is no requirement for that on a configured receiver.   To clarify this, I have tweaked early “Configured Subscriptions” section text to say:

On the publisher, supporting configured subscriptions is optional and advertised using the "configured" feature. On a configured receiver, support for dynamic subscriptions is optional except where replaying missed event records is required.

<Kent8> I understand that supporting dynamic subscriptions is currently a requirement.  I am challenging that requirement.  Why is it a requirement?  Does it have to be a requirement?

What if an IoT device only wants to support configured subscriptions and having code to support dynamic is wasting space?    FWIW, I realize that not supporting dynamic subscriptions also means that it would be impossible to filling in gaps introduced by a reboot, but maybe that's a decision that the vendor can/should make for themselves?

<Eric9> In RFC-5277, all you have is dynamic subscriptions.  So support for that older spec by definition makes dynamic subscriptions mandatory.  Beyond that, newer specifications like RFC-7923 as well as sections of other documents like RFC-7921, section 7.6 identify dynamic subscriptions as mandatory for a subscription service.  So at least some use cases exist where such dynamic support is mandatory.

<Kent9> Does it?   I mean, this draft doesn't obsolete 5277, so it seems that server can optionally support one or the other or both, and when it supports this draft, can't it use a feature statement to limit dynamic subscriptions?

With your IoT publisher use case above you are asserting that dynamic subscriptions are not needed for configured subscription only publishers – i.e., there are a class of publishers which have been driven by use cases not considered by the documents referenced above.  So who has documented the need configured subscription only publishers?   I can’t point to such documentation (beyond IoT case above).  Is such a possibility worth slowing down this spec?     In the end making the fix for this specification which you seem to want is itself really quite trivial: we can make both dynamic and configured subscriptions optional.  The reason I have been resisting it is that this solution (a) leads to more complexity for implementers as yet another feature would have to be advertised as optional, (b) this waters down the mandatory capabilities support of the YANG module, and (c) we would need to include some a constraint that at least one of the two optional features needs to be supported.  Also for (c) AFAIK, features don’t support the application of such constraints, so it would have to be done in the feature descriptions themselves.

I guess the text above is a long way of saying that if you assert the optional dynamic subscription is mandatory to progress the document, I will make the change.  But the change will impose complexity costs which to me are hard to justify.

<Kent9> that's a reasonable answer, but mind you that it was your IoT use-case originally.   I'd like to get other opinions.  Yes, trivial to add now, hard to add later, more flexibility for servers, almost no additional effort for clients.  FWIW, I'm planning to add a feature statement for "periodic connections" in the ietf-[net|rest]conf-client-server drafts for similar reasons, that the server just might not want to support them, and I don't want the minimal bar to be higher than needed.

<Kent8> Separately, "configured receiver" is not a defined term, though I see it appearing eight times in the -13 draft.  FWIW, there are no instances of "configured publisher".   Firstly, I'm not entirely sure what a "configured receiver" is, I think it's suppose to mean "a receiver of a configured subscription", yes?  Next, I'm unsure if the fact that the subscription was configured vs dynamic is important/relevant for these eight instances; if not, then s/configured receiver/receiver/, else if it is relevant/important, then maybe s/configured receiver/receiver of a configured subscription/?

<eric9> Made the change to “receiver of a configured subscription”

 <Kent9> ok

<Kent6> that's helpful.  Perhaps tack onto the end of the last sentence something like ", assuming the publisher supports the ['dynamic' and] 'replay' feature[s]"?

<Eric7>  Added
“, assuming the publisher supports the "replay" feature.”
As dynamic isn’t an optional feature.

<Kent7> okay, that's expected, but see my previous Kent7 comment, I think that we might want dynamic to be optional.

<Eric8> Per above, receiver support for dynamic is what is optional.

<Kent8> I understand that this is what's written, but I'm challenging that premise (see my previous comment on this)

<Eric9> This comment will then fate-share the resolution from the previous comment.

<Kent9> ack.

It almost begs the question for why configured subscriptions are supported at all.

<Eric6> Because there have been lots of industry requests.  And lots of implementations with non-IETF solutions.  Personally I prefer dynamic subscriptions.

<Kent6> I can see the appeal of configured subscriptions, but if each receiver of a configured subscription SHOULD always do a dynamic subscription on every publisher reboot, it is already being coded to support dynamic subscriptions, at which point it seems that maybe it should've just been implemented to support dynamic subscriptions from the start (on top of the publisher-initiated call-home transport, of course).   Can you say some more about these industry requests and, in particular, if the requests are still strong even when made aware of the need to also do dynamic subscriptions?

<Eric7>  Here is an industry request:  stream event record entries being placed into security logs (e.g., Integrity Measurement Architecture audit events).   These events are only relevant starting at boot time.  Losing events means a system cannot be validated.  And days after a boot, streaming all the events since boot would result in too many events.   So, in this environment, doing a dynamic subscription to fill the gap is acceptable.

<Kent7> meh


<Kent4> this I agree with, but I really don't like the fact that receiver MUST do a short-lived dynamic subscription to scoop-up any possibly-missed logs, for which there may be none.  Perhaps we could add more values into the "subscription-started" notification message that would enable to receiver to make a local determination if such a dynamic subscription would be  helpful?

<Eric5> I recommend against providing extra objects/reasons in the “subscription-started” at this time.  Publishers might not want to advertise a reboot, and they might not want to advertise why there was loss in event continuity.   All that should matter to a receiver is that such a discontinuity existed, and they have a way to try to fill event the gap should they care.  If the need for more data and the cause of the discontinuity turns out to be required, we can always augment here with future objects.

<KENT5> first, I'm still not 100% sure if this is just a reboot problem, or any time the subscription is restarted/resumed.

<Eric6> Per above: retrieving missing event records is not a reboot specific problem.  But unintentionally replicating event records is reboot specific.  (Otherwise the configured replay-start-time would drive a repeat of everything on each and every reboot.)

<Kent6> okay, I think I got it this time.  Having a *configurable* replay-start-time is so confusing.  Is it really worth having?

<Eric7>   Yes it is worth having.

(a) In many environments, reboot is very infrequent.  Without configurable start time, an operator setting up a configured subscription would not have the ability to designate what to send.  It could only send the full log (at whatever size).

(b) on-publisher security or troubleshooting diagnostics might identify a breach or some event where streaming recent historical event records is a MUST.  As a result, it might want to stream a subset of event records off a box going back in time to potential events which might have been evidence or contributing factors.

<Kent7> Let me come at this another way.  Assume we drop all support for *configurable* replay-start-time.  As such, configured subscriptions always start with the next-generated event (no replay at all).   This covers most use-cases, right?   For those receivers that really wanted the older logs, can't they just do a dynamic subscription to collect them, same as we've been discussing above?

<Eric8> Some reasons this might not always be practical:

(a) IoT devices just might want to passively listen to event streams of Telemetry.  (I.e., this would force configured receivers to support dynamic subscriptions.)

(b) This forces complexity onto applications which only ever need to track what has happened since boot.  (E.g., per above, continuous Integrity Measurement Architecture (IMA) boot log streaming and evaluation.)

(c) Publisher access permissions for who can use the establish-subscription RPC might have to be expanded to include lots of configured receivers.  This might open up a vector to control plane DDoS.  Right now the access permissions would just have to allow the receiver read access to the event records.

(d) A publisher may choose to firewall classes of receivers (or locations of receivers) into a listen-only mode without the ability to establish subscriptions.

<Kent8> This response seems to address the "can't they just do a dynamic subscription" aspect of my comment, but doesn't really address the "why is it important" (I paraphrase) part.  My contention is that the concept of a *configurable* replay-start-time seems confusing and of low value.   I acknowledge that there is some value, but it seems like the value is limited to a one-time start-up optimization that can be alternatively addressed by a dynamic subscription to fetch earlier events (assuming it's allowed, per your points b-d).   Additionally, FWIW, I've never seen such a feature implemented before, and logging mechanisms have been around for decades, so this makes me think that this is something that probably isn't worth having.

<Eric9> As you point out, the why "can't they just do a dynamic subscription" is covered, and we shouldn’t always assume away (b)-(d) as they can matter in some scenarios.  So if we want to support the use case of streaming log entries made after boot, but before the transport session is available, the only alternative I see is to have a configured replay-flag rather than a configuring a start-time.  Are you ok with a flag instead?  Or do you have an alternative suggestion?

<Kent9> see below.

In terms of using this configured replay capability, Cisco’s Integrity Verification application<>

does do a shell access event log fetch of the full log after boot, and then just does incremental fetch the deltas of the log (based on log line numbers).  This application is interested in configured subscriptions subsequent to boot for this purpose.  So such incremental streaming of portions of syslog after boot seems like a typical/common need to me.

<Kent9> it might be typical/common desire, but it's still once in the lifetime of the configured subscription.  It seems like, if the device supports dynamic subscriptions, after receiving subscription-started, the client could a) pause the configured subscription, b) use a dynamic subscript to fetch the missing logs, and then c) resume the flow of logs from the configured subscriptions.


<Eric4>  Tweaked a Section sentence to say:

This document puts no restrictions on the size or form of the log, where it resides within the publisher, or when event record entries in the log are purged.

I suggest adding text that clarifies this, and details the need for a short-lived dynamic-subscription.

<Eric4> The tweak above, with the suggested text in the Implementation Considerations section above hopefully covers this.

<KENT5> the "purged" part helps, but whyis this information buried inside a section titled "Requesting a replay of event records"?

<Eric6>   This is the second paragraph of the first section which discussed replay.  It is the sentence after the optional feature of replay is introduced.

<Kent6> I understand how it fits into this section, but it seems like it should be in a section called something like "replay log", since it's equally applicable for configured subscriptions (and s2.4 is about dynamic subscriptions).  Of course, if we remove replay from configured subscriptions, then leaving it here makes sense…

<Eric7> Per above, there is lots of value in configured replay.

<Kent7> Yes, but see again my challenge to that assertion.  I'm leaving this here in case the decision is flipped…