Re: [netconf] Benjamin Kaduk's Discuss on draft-ietf-netconf-restconf-notif-13: (with DISCUSS and COMMENT)

"Reshad Rahman (rrahman)" <rrahman@cisco.com> Fri, 10 May 2019 21:55 UTC

Return-Path: <rrahman@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8231812006B; Fri, 10 May 2019 14:55:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=LZp96nKV; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=AcP/BLXL
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HlG9W7WizfHl; Fri, 10 May 2019 14:55:13 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 866B012004B; Fri, 10 May 2019 14:55:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15146; q=dns/txt; s=iport; t=1557525312; x=1558734912; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=/REhYnrUTkB7BicMPE2phFOGJV7XTwSFx9NdBzAgk2M=; b=LZp96nKVttHptVcjijIQGJ99Scvic+IWjbAFXgL6xFDrux6KWebL13if Rftv1SC2VZJvRmgGFodnbSSyrGD4HpH6fYhe5FgPb4ruxdy78s+dBZuym opPP3WvwT4I4xAJ13oqqiGmOcsLgazmPBDzmNwwUY+cGEDp7PH8ElU8UH w=;
IronPort-PHdr: =?us-ascii?q?9a23=3AtfH9fxZ80gJdQAl4rk0QE4z/LSx94ef9IxIV55?= =?us-ascii?q?w7irlHbqWk+dH4MVfC4el20gebRp3VvvRDjeee87vtX2AN+96giDgDa9QNMn?= =?us-ascii?q?1NksAKh0olCc+BB1f8KavwdSU6Gc1EfFRk5Hq8d0NSHZW2ag=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0B+AABb8tVc/51dJa1kDhABBgcGgVE?= =?us-ascii?q?JCwGBPSknA2lVIAQLKAqEB4NHA45+mXyBLhSBEANUCQEBAQwBASMKAgEBhEA?= =?us-ascii?q?CF4F0IzQJDgEDAQEEAQECAQRtHAyFSwIEEhERDAEBNwEPAgEIGgIJHQICAjA?= =?us-ascii?q?VEAIEAQ0FIoI1SwGBagMdAQ6iQgKBNYhfcYEvgnkBAQWBMgETQYJ5GIIPAwa?= =?us-ascii?q?BCycBi04XgUA/gREnH4JMPoJhAgECAYFFAi0hAoJQMoImiyKCO5l3CQKCCYY?= =?us-ascii?q?fhDiEMYNRG4IThkuNC4tqR4UwgSSOLwIEAgQFAg4BAQWBTzgpgRURCHAVOyo?= =?us-ascii?q?BgkGCDwwXFG0BCIJChRSFBDoBcgGBKI4tAYEgAQE?=
X-IronPort-AV: E=Sophos;i="5.60,454,1549929600"; d="scan'208";a="558025084"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 10 May 2019 21:55:11 +0000
Received: from XCH-ALN-020.cisco.com (xch-aln-020.cisco.com [173.36.7.30]) by rcdn-core-6.cisco.com (8.15.2/8.15.2) with ESMTPS id x4ALtB1b030676 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 10 May 2019 21:55:11 GMT
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by XCH-ALN-020.cisco.com (173.36.7.30) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 10 May 2019 16:55:10 -0500
Received: from xhs-aln-003.cisco.com (173.37.135.120) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 10 May 2019 16:55:10 -0500
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Fri, 10 May 2019 16:55:09 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector1-cisco-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/REhYnrUTkB7BicMPE2phFOGJV7XTwSFx9NdBzAgk2M=; b=AcP/BLXLiN3MGoGXePXbeoUZVcG592/VMyUBQZlryvux6PyKLldDWMyIRv4swPiPVGWyKclclZmR2iaPqbHkAvonBY6f0kCK9T2nlWA5T60BYzb7lbqwRG8d3rJTs5NpAHX5IIrI3n0oIVRxm/yvolz6wIucMI2yCFhpgJ6QHEo=
Received: from CY4PR1101MB2102.namprd11.prod.outlook.com (10.172.79.15) by CY4PR1101MB2167.namprd11.prod.outlook.com (10.172.77.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1856.12; Fri, 10 May 2019 21:55:08 +0000
Received: from CY4PR1101MB2102.namprd11.prod.outlook.com ([fe80::74d1:4a6:a89c:6e04]) by CY4PR1101MB2102.namprd11.prod.outlook.com ([fe80::74d1:4a6:a89c:6e04%6]) with mapi id 15.20.1856.012; Fri, 10 May 2019 21:55:08 +0000
From: "Reshad Rahman (rrahman)" <rrahman@cisco.com>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
CC: "draft-ietf-netconf-restconf-notif@ietf.org" <draft-ietf-netconf-restconf-notif@ietf.org>, Kent Watsen <kent+ietf@watsen.net>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: Benjamin Kaduk's Discuss on draft-ietf-netconf-restconf-notif-13: (with DISCUSS and COMMENT)
Thread-Index: AQHVBRe+rV3duncRlUSQ6Gy9iRmrQ6ZkqNGA
Date: Fri, 10 May 2019 21:55:08 +0000
Message-ID: <6F96C6CD-B0F1-44F2-A2BE-E2FD23B309CC@cisco.com>
References: <155726272794.32635.6531627027808857417.idtracker@ietfa.amsl.com>
In-Reply-To: <155726272794.32635.6531627027808857417.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.6.190114
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rrahman@cisco.com;
x-originating-ip: [173.38.117.94]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: eee63999-0fdc-4909-9b86-08d6d5922b50
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:CY4PR1101MB2167;
x-ms-traffictypediagnostic: CY4PR1101MB2167:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <CY4PR1101MB2167EF3F5DBBCDFB2EA29EF3AB0C0@CY4PR1101MB2167.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0033AAD26D
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(366004)(396003)(346002)(136003)(376002)(189003)(51914003)(199004)(256004)(66066001)(478600001)(4326008)(14444005)(54906003)(966005)(11346002)(446003)(2906002)(82746002)(102836004)(58126008)(186003)(6506007)(316002)(25786009)(76176011)(5660300002)(110136005)(26005)(81156014)(68736007)(6306002)(36756003)(6116002)(3846002)(83716004)(53936002)(33656002)(6436002)(305945005)(64756008)(6512007)(229853002)(73956011)(66556008)(8676002)(486006)(71200400001)(99286004)(66476007)(76116006)(91956017)(2171002)(71190400001)(66946007)(8936002)(476003)(81166006)(14454004)(2616005)(7736002)(6246003)(86362001)(6486002)(66446008); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR1101MB2167; H:CY4PR1101MB2102.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: ZoRfBfvdUY577jwN7UReMvSMBjPO8Xp1YfbingxSahyTsXfBlu7iw/XyaeeiOPg4IqYFdZ91lL7AUwlx1kxVnISedKhWhDn1EAZi7Q+wYlXrDN1KOLsvVmT+LjC5s3oEaNwFBEduHxw7a09Zdj0HlFCLJsnm5585ivcjill4Uq+9z3TMl8514yJrakb362Jlr6HM+AHBSfT1sZfmcq9EM/1AEO6vvjeOh0qL2Z178wnJWwQJpY+H824vIxmqwBzZsT+i9ioJosVKt2v38bX306zJ1FeVfT0mTxvk+xMS1ipZ7b/86nAY/SDyJ0lKqIPNTHEQiX63VM+vR72DaNpYXozuPILs0ZFvdkMw/25C5//ZL/U/x66duDbOyw34MNLcj1YkMnd2cwLHbS5z2KHTKL0fmGCCLx8biY2VI4kkw9Q=
Content-Type: text/plain; charset="utf-8"
Content-ID: <A69CEDB937E2F84CAF31763C2EA66629@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: eee63999-0fdc-4909-9b86-08d6d5922b50
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 May 2019 21:55:08.7097 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1101MB2167
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.30, xch-aln-020.cisco.com
X-Outbound-Node: rcdn-core-6.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/UOZEQjA_nK6lGl1s_bKSR9NPmw8>
Subject: Re: [netconf] Benjamin Kaduk's Discuss on draft-ietf-netconf-restconf-notif-13: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 May 2019 21:55:17 -0000

Hi,

Thanks for the review, please see inline.

´╗┐On 2019-05-07, 4:59 PM, "Benjamin Kaduk via Datatracker" <noreply@ietf.org>; wrote:

    Benjamin Kaduk has entered the following ballot position for
    draft-ietf-netconf-restconf-notif-13: Discuss
        
    Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
    for more information about IESG DISCUSS and COMMENT positions.
    
    
    The document, along with other ballot positions, can be found here:
    https://datatracker.ietf.org/doc/draft-ietf-netconf-restconf-notif/
    
    
    
    ----------------------------------------------------------------------
    DISCUSS:
    ----------------------------------------------------------------------
    
    Thanks for the well-written document!  I  just have some boring housecleaning
    points that should be easy to resolve.
    
    Section 3.2 states:
    
       Subscribers can learn what event streams a RESTCONF server supports
       by querying the "streams" container of ietf-subscribed-
       notification.yang in
       [I-D.draft-ietf-netconf-subscribed-notifications].  Support for the
       "streams" container of ietf-restconf-monitoring.yang in [RFC8040] is
       not required.  If it is supported, the event streams which are in the
       "streams" container of ietf-subscribed-notifications.yang SHOULD also
       be in the "streams" container of ietf-restconf-monitoring.yang.
    
    This "SHOULD" seems to be attempting to impose a normative requirement
    on specifications that implement
    draft-ietf-netconf-subscribed-notifications and RFC 8040 streams,
    without regard to whether they implement this specification.  It seems
    better-placed in draft-ietf-netconf-subscribed-notifications.
<RR> RFC8040 is the RESTCONF RFC and subscribed-notifications is not transport specific. Since this document is for RESTCONF, this is why we have added this statement in this document.

    Similarly, when Section 4 writes:
    
       To meet subscription quality of service promises, the publisher MUST
       take any existing subscription "dscp" and apply it to the DSCP
       marking in the IP header.
    
    that seems to be duplicating a normative requirement from the core
    subscribed-notifications document.  (And I'm sure Magnus will have
    further follow-up about how DSCP markings are per-connection for the
    stream transports we have available, as well.)
<RR> You are correct, this text can be removed.   I can replace it with a reference to the section in subscribed-notifications, would that work for you?

    
    ----------------------------------------------------------------------
    COMMENT:
    ----------------------------------------------------------------------
    
    The core subscribed-notifications document notes that dynamic
    subscriptions only last as long as the underlying transport.  In this
    document, we have two connections in Figure 1, which could potentially
    be separate TCP/TLS connections (or HTTP/2 streams).  In the "two TCP
    connections" case, does terminating either one cause the cessation of
    the subscription, or just (b)?
<RR> There are no "long-lived RESTCONF sessions". Terminating (a) does not terminate the subscription.
    
    Section 2
    
    Please use the boilerplate from RFC 8174.
<RR> Ack, will do in next rev.
    
    Section 3
    
                                          YANG datastore subscription is
       accomplished via augmentations to
       [I-D.draft-ietf-netconf-subscribed-notifications] as described within
       [I-D.ietf-netconf-yang-push] Section 4.4.
    
    I see some reviewers commented that things were a bit terse/arcane; I
    might suggest that "via augmentations to [subscribed notifications]" is
    not really adding much here, and the yang-push RPCs are the important
    part.
<RR> The augmentation to subscribed-notifications is mentioned because it is needed for RESTCONF. Are you suggesting we change this to "...accomplished as described in  [I-D.ietf-netconf-yang-push] Section 4.4."?
    
    Section 3.1
    
                                                             Where quick
       recognition of the loss of a publisher is required, a subscriber
       SHOULD use a TLS heartbeat [RFC6520], just from receiver to
       publisher, to track HTTP session continuity.
    
    TLS heartbeats require initiation by the TLS client, by virtue of
    including the HeartbeatExtension in the ClientHello.  Who is going to be
    making the determination that quick recognition is required, and if
    that's the publisher, how does the subscriber know to use TLS
    heartbeats?
<RR> The subscriber is the one making that determination since this is to recognize the loss of the publisher.
    
    nit: It's interesting that we seem to be using both "subscriber" and
    "receiver" to talk about the TLS client, in the same sentence.
<RR> Will change to subscriber.
    
    side note: per https://github.com/openssl/openssl/pull/1928, OpenSSL
    will not support TLS or DTLS heartbeats of any form in its next major
    release (3.0.0).
    
       Loss of the heartbeat MUST result in any subscription related TCP
       sessions between those endpoints being torn down.  A subscriber can
       then attempt to re-establish the dynamic subscription by using the
       procedure described in Section 3.
    
    RFC 6520 does not specify retransmit numbers or intervals to be used to
    determine that a peer is nonresponsive (i.e., "lost"), so this text
    seems under-specified.  Is the intent to leave these decisions to be
    implementation-specific?
<RR> Yes this is the intent since it all depends on what the subscriber needs/wishes.
    
    Section 3.3
    
    I see that draft-ietf-netconf-subscribed-notifications (section 2.4.6)
    admonishes us to check for transport-layer errors (and ACLs!) before
    RPC-level errors; is the text here about "fails to serve the RPC
    request" and our description of error handling consistent with the
    separate transport-layer error handling?  (I think it can be, with a
    careful reading of "one of the reasons indicated in [] Section 2.4.6",
    but perhaps other readings are possible.)
<RR> Yes this section is for RPC-level errors, it references 2.4.6 of subscribed-notifications which provided a list of possible errors.
    
          The yang-data included within "error-info" SHOULD NOT include the
          optional leaf "error-reason", as such a leaf would be redundant
          with information that is already placed within the
          "error-app-tag".
    
    I'm not sure where this "error-reason" leaf is defined -- I don't see it
    in any of subscribed-notifications, yang-push, or RFC 8040.
<RR>Good catch,  I think this should be "reason" from yang-push, will check.    

    Section 3.4
    
    I'm not sure that I've previously encountered using the section heading
    to introduce an acronym (as is done here for SSE).  I bet the RFC Editor
    will do the right thing, though.
<RR> I'll move the acronym to the section text
    
       o  In addition to an RPC response for a "modify-subscription" RPC
          traveling over (a), a "subscription-modified" state change
          notification MUST be sent within (b).  This allows the receiver to
          know exactly when the new terms of the subscription have been
          applied to the notification messages.  See arrow (c).
    
    nit: I might suggest some language about "order within the notifications
    stream" for this state change, but that's purely editorial.
<RR> So you would like this text changed to clarify the order of events?
    
       o  In addition to any required access permissions (e.g., NACM), RPCs
          modify-subscription, resync-subscription and delete-subscription
          SHOULD only be allowed by the same RESTCONF username [RFC8040]
          which invoked establish-subscription.
    
    I'm confused about this "SHOULD" (the secdir reviewer noted it as well)
    -- in my understanding, the core subscribed-notifications requires that
    such RPCs must be done on the same transport connection as the one used
    to create a dynamic subscription (i.e., line (a) in Figure 1), and since
    RFC 8040 authenticated client identities are at the connection level,
    there could never be any change of username across the calls.
<RR> What you describe above is true for netconf (all done on same session. 
However restconf doesn't work the same way (no long-lived sessions), so subsequent RPCs could actually be on a different transport connection.
I do recall the secdir comments and your comments to my response, I will include the text you had suggested to justify the SHOULD.
    
       o  Loss of TLS heartbeat
    
    (As noted above, this is under-specified at present.)
    
    Section 9
    
    I would suggest also recommending that the 'uri' values not have a
    predictable structure or be guessable.  While we do have solid access
    control in place via NACM/etc., there is still a risk of side-channel
    leakage if there's a distinction between "resource does not exist" and
    "not authorized".  (FYI we had a long discussion about unguessable URIs
    in the context of draft-ietf-acme-acme, which had a much weaker
    access-control story and could in some sense be said to use "capability
    URIs", if anyone wants to do some background reading.)
    (One might see also draft-gont-numeric-ids-sec-considerations.)
<RR> Section 9 says "The subscription URI is implementation specific ...". I can add text, as you suggested, to recommend that the uri values not be predictable.
    
    I see that the subscription-id type is only of type uint32 in
    draft-ietf-netconf-subscribed-notifications, which to some extent limits
    the unguessability property to the URIs and not as much for the IDs
    themselves (though randomization within a 32-bit space is not without
    value).
    
    Appendix A
    
    Consistent with my suggestion in the Security Considerations, I'd change
    the returned URI here or at least note that the "22", "23", etc. are
    placeholders and not indicative of expected usage.
<RR> I will add a note.
    
    (This snippet from A.1.1)
    
       {
          "ietf-subscribed-notifications:input": {
             "stream-xpath-filter": "/example-module:foo/",
             "stream": "NETCONF",
             "dscp": "10"
          }
       }
    
    The ambiguity of "10" has been noted elsewhere, but since it's a uint8
    (range "0..63") wouldn't it be a JSON number, not a JSON string?
<RR> You are correct, will change to 10
    
    Similarly, subscription IDs are uint32, which IIUC gets encoded as a
    number.
<RR> Correct again.    
    
Regards,
Reshad.