Re: [Netconf] WG LC for zerotouch
Martin Bjorklund <mbj@tail-f.com> Thu, 05 October 2017 10:30 UTC
Return-Path: <mbj@tail-f.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09033126C0F for <netconf@ietfa.amsl.com>; Thu, 5 Oct 2017 03:30:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hsZ5Mlkb6ZVY for <netconf@ietfa.amsl.com>; Thu, 5 Oct 2017 03:30:36 -0700 (PDT)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id 87EBD134234 for <netconf@ietf.org>; Thu, 5 Oct 2017 03:30:10 -0700 (PDT)
Received: from localhost (unknown [173.38.220.41]) by mail.tail-f.com (Postfix) with ESMTPSA id D52DD1AE018C; Thu, 5 Oct 2017 12:30:08 +0200 (CEST)
Date: Thu, 05 Oct 2017 12:28:39 +0200
Message-Id: <20171005.122839.788091912648000538.mbj@tail-f.com>
To: kwatsen@juniper.net
Cc: netconf@ietf.org
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <51CC12E9-D566-4C70-A889-C740D5A864A8@juniper.net>
References: <36B6D286-F8B6-4423-8DD2-4DF74943F2A1@juniper.net> <20171004.185811.1601400798069063177.mbj@tail-f.com> <51CC12E9-D566-4C70-A889-C740D5A864A8@juniper.net>
X-Mailer: Mew version 6.7 on Emacs 24.5 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/_MNva840qaXoAvNNfR8Oh7i-ev4>
Subject: Re: [Netconf] WG LC for zerotouch
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Oct 2017 10:30:39 -0000
Kent Watsen <kwatsen@juniper.net> wrote: > > Hi Martin, > > Again, trimming down to just open threads. > > >> >> > o Section 7.2 > >> >> > > >> >> > Adding custom query parameters like this breaks the normal YANG > >> >> > contract. If I understand this correctly, the instance data tree > >> >> > presented to the client is supposed to change based on these query > >> >> > parameters. > >> >> > >> >> Correct. The idea is that the response could vary based on the input > >> >> query params. Of course, in case there was any doubt, the response > >> >> would always conform to same YANG schema. > >> > > >> >See below. > >> > > >> >> > If you really need to have that functionality, it would better to > >> >> > model the device-specific data as an action; input would be the > >> >> > os-name, os-version etc, and output would be the > >> >> > zerotouch-information and voucher etc. > >> >> > >> >> I thought of this as well, but didn't do anything about it as my > >> >> last message to the list said that we'd add "query parameters" > >> >> and I wanted to follow through on that statement. > >> >> > >> >> But what is the issue? Is it primarily that using query params > >> >> on GET should be limited to returning different representations > >> >> of a resource, and this use seems to be returning different > >> >> resources altogether? > >> > > >> > Yes, this is my concern. A normal RESTCONF / YANG server has *one* > >> > single instance of the operational state, and it just provides an API > >> > to this data. It can be filtered and pruned based on access rights, > >> > but not modified from the outside based on query parameters. > >> > >> I agree, it seems more proper. Okay, let's make this change. No > >> objections from the WG, right? As a heads-up for those following > >> along, this change doesn't affect the essence of the solution, but > >> the diff will appear somewhat big... > >> > >> > >> >> FWIW, if we were to do this, we might also consider moving the > >> >> 'serial-number' field from the URL to an input field > >> > > >> > Hmm, did you mean 'unique-id'? > >> > >> Yes. But what about the idea, moving 'unique-id' from the URL path > >> to an input param? Or, even more dramatically, we could remove > >> 'unique-id' altogether, relying instead on the RESTCONF username > >> extracted from the DevID certificate? > > > > See below. > > > >> If relying on the extracted username, note that none of the > >> 'cert-to-name' identities defined in RFC 7407, which is also > >> used in draft-ietf-netconf-restconf-client-server, would work. > >> The 'common-name' identity is closest, but what is really needed > >> is a combination of a 'serialNumber' attribute and an optional > >> 'hardwareModuleName' attribute (not all DevID certs define it). > > > > Ok. I've tried to find a spec for the DevID, but couldn't find a > > public version. > > Here's the part you're looking for: > > > 7.2.8 subject > The DevID subject field shall uniquely identify the device > associated with the particular DevID credential within the > issuer’s domain of significance. The formatting of this field > shall contain a unique X.500 Distinguished Name (DN). This > may include the unique device serial number assigned by the > manufacturer or any other suitable unique DN value that the > issuer prefers. In the case of a third-party CA or a standards > certification agency, this can contain the manufacturer’s > identity information. The subject field’s DN encoding should > include the “serialNumber” attribute with the device’s unique > serial number. > > 7.2.9 subjectAltName > The non-critical DevID subjectAltName extension may supplement > the subject field identity information as specified in RFC 5280 > by containing a hardwareModuleName as specified in RFC 4108. > > > > >> I suppose that this is an issue for the afore-mentioned restconf > >> client/server draft more so than this one though. Still, since > >> we're talking about it, assuming we did this, would that draft > >> add said identities, or would a 7407bis be better? > > > > I think that such an identitiy could be defined in this draft. Isn't > > such an identity quite specific to this use case? > > okay, but in which module? - it just needs to be a module imported > wherever ietf-x509-cert-to-name is used (ietf-netconf-server and > ietf-restconf-server) but not any module defined in this draft. > So maybe yet another module is needed in this draft: ietf-more- > x509-cert-to-name-identities? - naming suggestions welcomed! ;) Hmm. Maybe a new document with just a new version of ietf-x509-cert-to-name is most appropriate? (I.e., not a complete 7407bis) Or even update ietf-x509-cert-to-name in this document... > > >> > I suggest you shorten the lines of the examples even more, so that > > >> > the examples are properly indented in the draft (they are currently > > >> > outdented) > > >> > > >> It's hard to make the lines much shorter with the URN being so long. > > >> Options are 1) don't indent just the xmlns line or 2) move from two- > > >> space indent to single-space indent. Do you have a preference? > > > > > > In the second example you use (1). You can also use "\", which you > > > are also already using. > > > > So I do, albeit only in the HTTP-header parts, not the HTTP-body parts. > > > > FWIW, my build-script inserts source files in situ as directed by > > processing instructions. I can modify the build-script to do the > > auto-'\' insertion logic on some column-boundary, but it may need > > a complimentary update on the extraction tools. Do we need some > > sort of standard around this? > > > > I'm aware that here you're only talking about examples, which > > currently are not extracted via tools, but the same auto-'\' > > insertion logic could also help with the YANG modules, as they > > could become unwieldy too...though I suppose liberal use of > > groupings could always be employed to keep line-lengths in > > check. Okay, but still, a YANG Doctors discussion at IETF 99 > > suggested introducing the ability to auto-extract and validate > > examples in drafts too, to automate as much of the YD review > > process as possible, so still I think there may be a need for > > a '\' standard of some sort here. Thoughts? > > This is still open. I don't have a good solution to this... It is often possible to format the XML so that it is legal, but then it might look odd, e.g.: <tag >long line here......</tag> > >> >> > o Section 9 > >> >> > > >> >> > Should you also mention that /device list should be protected by > >> >> > nacm rules? > >> >> > >> >> Yes, indeed, I left out the standard security template for the bootstrap > >> >> server YANG module. Will add. > >> >> > >> >> > >> >> > If the RESTCONF user name is the device's unique-id, then a single > >> >> > NACM rule can be used: > >> >> > > >> >> > <rule> > >> >> > <name>allow-device</name> > >> >> > <path xmlns:ztbs="urn:ietf:params:xml:ns:yang:\ietf-zerotouch-bootstrap-server"> > >> >> > /ztbs:device[ztbs:unique-id=$USER] > >> >> > </path> > >> >> > <access-operations>read</access-operations> > >> >> > <action>permit</action> > >> >> > </rule> > >> >> > >> >> Yes, but would you expect this to appear in the draft? Typically, > >> >> the specific NACM rule syntax is left as an exercise to the reader... > >> > > >> > In order to do this, the "username" must be the same as the > >> > "unique-id". This requires the client cert to be constructed > >> > properly. > >> > >> Agreed. In this case, the client cert is a DevID cert, and 802.1AR > >> governs its construction. Not too many options there. Of course, > >> the mapping of said cert to username is being discussed above wrt the > >> cert-to-name mapping logic... > >> > >> > >> >> Since the NACM rule is not obvious, and due to the cert implications, > >> >> I think it would be very helpful with an appendix that describes how > >> >> this can be set up. > >> > >> I think that this will depend on if we go with an action or a top-level > >> RPC. If an action, then NACM may have a place and an example may help. > >> But, if using a top-level RPC, then it seems that the server has no > >> option but to auth the DevID cert and provide a RESTCONF username-specific > >> response - NACM can't constrain it any further, right? > > > > Correct. > > Well, maybe not entirely correct. It looks like NACM rules can > constrain RPCs using the "rpc-name" rule type. Yes, but NACM cannot control access based on input parameters, which is what would be needed in this case. > But, in this case, > an NACM group containing a list of users that matched exactly each > device would have to be maintained, which isn't quite a nice as > using the $USER variable. > > > > >>> (note: this seems > >>> more secure to me - I like it) > >> > >> Hmm, I think it is less clear. With an explicit list and actions, you > >> can use NACM to do the access control. With top-level RPCs, the > >> implementation of the RPC has to do the access control. > > Right, but it wouldn't be "access control" so much as something akin > to a 404. When establishing the RC connection, the server must first > auth the client's cert (at the TLS-level) that, in the case of an > IDevID cert, most like maps to checking to see if it has a chain of > trust to the vendor's CA cert. Then cert-maps is used to extract a > username; in the IDevID case, it is most likely some combo of the > serialNumber and hardwareModuleName attributes. This username is > fed into the RPC handling logic which will do some internal lookup > and either find a match (and return data) or not (and return an error). > No need for NACM in this flow is there? > > > > Also, a list of devices is more transparent - I mean, this list must > > somehow exist anyway, but with top-level RPCs it will be hidden. > > A list of devices needs to exist in the database, and the NBI, but > not the SBI, right? The bootstrap server has one RC interface. If it used for NB or SB access doesn't really matter. I was thinking that the list of devices might be useful also for a "NB" client. > > Maybe implementations want to add additional objects to this list, for > > monitoring or something. > > Unsure. The point of the SBI is that the device only receives a > device-specific response, no other objects are ever included, right? Sure; again I was thinking of objects for other clients. > But maybe you mean some implementations will want to modify the format > of the device-specific response, which I agree is possible, but that > doesn't impact if we use an RPC versus an action. Do you agree? Right. > >> >> > o Other comment > >> >> > > >> >> > Is it assumed that there will be a vendor-specific YANG module to > >> >> > enable the zero-touch process? Did you consider an > >> >> > ietf-zerotouch-device module for this purpose? Such a configuration > >> >> > must be carefully designed to allow for a "merge" configuration file > >> >> > to actually disable the zero touch process. > >> >> > >> >> It is assumed to be vendor-specific currently. I have not thought to > >> >> define a ietf-zerotouch-device module as of yet that, presumably, would > >> >> contain a boolean or an enum (but not a p-container) for enabling the > >> >> service. Do you think we should add such a module to the draft, or just > >> >> put a note somewhere about it? > >> > > >> > I don't have a strong opinion, but if there's not a standard module > >> > for this, the text should mention that it is assumed that vendors > >> > define this themselves. Hmm, I think I would prefer a standard > >> > module; it would make the solution more complete. > >> > >> We can add a module, but maybe it should be called something like > >> ietf-zerotouch-bootstrap-client, to mirror the ietf-zerotouch- > >> bootstrap-server module? - though this may be a mismatch as the > >> former regards a southbound protocol and the latter regards a > >> configuration model... > >> > >> Maybe we can discuss what would be in this model. I'm not sure if > >> I'm oversimplifying it, but I think the module might be just a single > >> config true leaf called something like "enabled". There might also > >> be some config false leafs for the stuff mentioned in section 5.1, > >> though it doing so is not so important since the bootstrapping only > >> occurs once (not ongoing management). So a module would primarily > >> be for the "enabled" leaf. Anything else? Still think it's worth it? > > > > I'm not sure. It does seem odd to write that we expect vendors to > > provide this single leaf in a proprietary module, but maybe it is ok. > > Okay, I'll add a ietf-zerotouch-device module. It doesn't hurt. > Vendors can use it or not. If nothing else, at least they can > reference it for their native model. /martin
- Re: [Netconf] WG LC for zerotouch Martin Bjorklund
- [Netconf] WG LC for zerotouch Mahesh Jethanandani
- Re: [Netconf] WG LC for zerotouch Kent Watsen
- Re: [Netconf] WG LC for zerotouch Martin Bjorklund
- Re: [Netconf] WG LC for zerotouch Kent Watsen
- Re: [Netconf] WG LC for zerotouch Martin Bjorklund
- Re: [Netconf] WG LC for zerotouch Kent Watsen
- Re: [Netconf] WG LC for zerotouch Martin Bjorklund
- Re: [Netconf] WG LC for zerotouch Kent Watsen
- Re: [Netconf] WG LC for zerotouch Martin Bjorklund
- [Netconf] IPR and known implementation (Was Re: W… Mahesh Jethanandani
- Re: [Netconf] IPR and known implementation (Was R… Mikael Abrahamsson
- Re: [Netconf] IPR and known implementation (Was R… ianfarrer
- Re: [Netconf] IPR and known implementation (Was R… Kent Watsen
- Re: [Netconf] IPR and known implementation (Was R… Kent Watsen