Re: [Netconf] draft-ietf-netconf-rfc6536bis Query
Rohit R Ranade <rohitrranade@huawei.com> Mon, 05 February 2018 07:19 UTC
Return-Path: <rohitrranade@huawei.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BCEC128C0A for <netconf@ietfa.amsl.com>; Sun, 4 Feb 2018 23:19:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.231
X-Spam-Level:
X-Spam-Status: No, score=-4.231 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FjSf6ln219k9 for <netconf@ietfa.amsl.com>; Sun, 4 Feb 2018 23:19:54 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85191120727 for <netconf@ietf.org>; Sun, 4 Feb 2018 23:19:54 -0800 (PST)
Received: from lhreml703-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 278161595C901 for <netconf@ietf.org>; Mon, 5 Feb 2018 07:16:42 +0000 (GMT)
Received: from DGGEMA405-HUB.china.huawei.com (10.3.20.46) by lhreml703-cah.china.huawei.com (10.201.108.44) with Microsoft SMTP Server (TLS) id 14.3.361.1; Mon, 5 Feb 2018 07:16:42 +0000
Received: from DGGEMA502-MBX.china.huawei.com ([169.254.2.25]) by DGGEMA405-HUB.china.huawei.com ([10.3.20.46]) with mapi id 14.03.0361.001; Mon, 5 Feb 2018 15:16:32 +0800
From: Rohit R Ranade <rohitrranade@huawei.com>
To: Martin Bjorklund <mbj@tail-f.com>
CC: Netconf <netconf@ietf.org>
Thread-Topic: [Netconf] draft-ietf-netconf-rfc6536bis Query
Thread-Index: AdObT5T3Jff3sOmISyuNQj5mNpAqs///naeA//4zjxCAAx8egP//eYqw//pnwuA=
Date: Mon, 05 Feb 2018 07:16:32 +0000
Message-ID: <991B70D8B4112A4699D5C00DDBBF878A6B19504D@DGGEMA502-MBX.china.huawei.com>
References: <991B70D8B4112A4699D5C00DDBBF878A6B191EFD@DGGEMA502-MBX.china.huawei.com> <20180201.143503.657602058523525091.mbj@tail-f.com> <991B70D8B4112A4699D5C00DDBBF878A6B192C46@DGGEMA502-MBX.china.huawei.com> <20180202.104713.2160979335819511500.mbj@tail-f.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.18.150.121]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/akMCqLOuThC-GuKyLIKz58-AIAc>
Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis Query
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Feb 2018 07:19:56 -0000
Hi Martin, There are around 6-7 places in the BIS and RFC 6536 where the term " datastore node" is used. It is unclear what is the meaning of this term as it is not defined in the Terminology section and it is unclear what is the difference between this term and "data node". Please clarify For example: In section 3.2.3 The contents of specific restricted datastore nodes MUST NOT be exposed in any <rpc-error> elements within the reply. With Regards, Rohit R -----Original Message----- From: Rohit R Ranade Sent: 02 February 2018 15:19 To: 'Martin Bjorklund' <mbj@tail-f.com> Subject: RE: [Netconf] draft-ietf-netconf-rfc6536bis Query Ok. With Regards, Rohit R -----Original Message----- From: Martin Bjorklund [mailto:mbj@tail-f.com] Sent: 02 February 2018 15:17 To: Rohit R Ranade <rohitrranade@huawei.com> Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Hi, Rohit R Ranade <rohitrranade@huawei.com> wrote: > Hi Martin, > > Should we not be specific in the DRAFT about how to handle > <create-subscription> rpc like we have done for the replay control > notifications ? The control notifications are treated differently b/c they are control notifications, not b/c they are not defined in a YANG module. I think you have a valid point; however, since the WG is currently defining new operations that will replace the old <create-subscription>, I think this problem will go away. Also, 6536bis is in the RFC editor queue, so changing in 6536bis this is quite problematic. /martin > Else each device will have its own mechanism of access control for > <create-subscription>. > > With Regards, > Rohit R > > -----Original Message----- > From: Martin Bjorklund [mailto:mbj@tail-f.com] > Sent: 01 February 2018 19:05 > To: Rohit R Ranade <rohitrranade@huawei.com> > Cc: netconf@ietf.org > Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis Query > > Hi, > > Rohit R Ranade <rohitrranade@huawei.com> wrote: > > Hi All, > > > > Q1: > > In the notification authorization Section 3.4.6 there is mention > > that REPLAY notifications should be allowed by default. > > I think you mean <replay-complete>. Replayed notifications in > general are not allowed by default. > > > But there is no mention of how to handle <create-subscription> > > operation authorization which can trigger these Replay notifications ? > > Since there is no module defined for it, there is no way to add a > > rule for permitting or denying it. > > > > > > 1. How do the current NACM implementations handle it ? Allow > > <create-subscription> if exec-default is PERMIT ? or always allow > > <create-subscription> ? > > I had to check, and our implementation matches create-subscription if > the module-name in the rule is "*". > > I think some implementations use an internal (non-standard) YANG > module name for the model in RFC 5277, so they presumably match if > that internal module name is given, or "*". > > > Q2: If there is an error of access-denied for edit-config operation, > > does the RFC restrict from outputting the <error-path> of the > > data-store node for such operations ? > > Section 3.2.5 has " The contents of specific restricted datastore > > nodes MUST NOT be > > > > exposed in any <rpc-error> elements within the reply." , what is the > > meaning of 'content' here ? the schema-name of the leaf / key-values > > of data-store-nodes ? > > > > Since the user has inputted the keys for the data-store nodes is > > there any security risk in giving back the values to the user ? > > 3.4.3 also has > > A server MUST NOT include any information the client is not allowed > to read in any <error-info> elements within the <rpc-error> response. > > > /martin >
- [Netconf] draft-ietf-netconf-rfc6536bis Query Rohit R Ranade
- Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Martin Bjorklund
- Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Martin Bjorklund
- Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Rohit R Ranade
- Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Martin Bjorklund
- Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Rohit R Ranade