[netconf] updates to the suite of client/server drafts
Kent Watsen <kent+ietf@watsen.net> Tue, 30 April 2019 03:37 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/fG5y4s2t4sBCP8NVzdtb5vwoZI4>
Below are the change logs for each draft just submitted.
Highlights:
- all issues from the tcp adoption call have been addressed.

Lowlights:
- some issues from the http adoption call remain.
- there are some "fixme" comments left in the models.
- the tree-diagrams in Sections 2.1 and 3.1 in both the NC and RC drafts are a bit off (GitHub issue reported).

K. // contributor
=== change logs ===
crypto-types
o Added NACM annotations.
o Updated Security Considerations section.
o Added 'asymmetric-key-pair-with-cert-grouping' grouping.
o Removed text from 'permanently-hidden' enum regarding such keys not being backed up or restored.
o Updated the boilerplate text in module-level "description" statement to match copyeditor convention.
o Added an explanation to the 'public-key-grouping' and 'asymmetric-key-pair-grouping' statements as to why the nodes are not mandatory (e.g., because they may exist only in <operational>).
o Added 'must' expressions to the 'public-key-grouping' and 'asymmetric-key-pair-grouping' statements ensuring sibling nodes either all exist or do not all exist.
o Added an explanation to the 'permanently-hidden' enum that the value cannot be configured directly by clients, and that servers MUST fail any attempt to do so.
o Added 'trust-anchor-certs-grouping' and 'end-entity-certs-grouping' (the plural form of existing groupings).
o Now states that keys created in <operational> by the *-hidden-key actions are bound to the lifetime of the parent 'config true' node, and that subsequent invocations of either action result in a failure.
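As an added illustration (not text from the crypto-types draft or from this message), the following YANG sketch shows how reciprocal 'must' expressions make two sibling key leaves all-or-none while leaving neither 'mandatory', so a key that exists only in <operational> still validates; the module name, namespace, leaf names and the 'string' format type are assumptions.

```yang
module example-key-must {
  yang-version 1.1;
  namespace "urn:example:key-must";   // constructed namespace
  prefix ekm;

  import ietf-netconf-acm {
    prefix nacm;
    reference "RFC 8341: NETCONF Access Control Model";
  }

  // Illustration only: leaf names and the 'string' format type are
  // assumptions, not the crypto-types draft's definitions.
  grouping public-key-grouping {
    description
      "Neither leaf is 'mandatory' because the key may exist only
       in <operational> (e.g., a generated hidden key).  The
       reciprocal 'must' expressions ensure the two siblings are
       either both present or both absent.";
    leaf public-key-format {
      nacm:default-deny-write;
      type string;
      must '../public-key' {
        error-message
          "'public-key-format' requires its sibling 'public-key'.";
      }
      description "Encoding format of the public key.";
    }
    leaf public-key {
      nacm:default-deny-write;
      type binary;
      must '../public-key-format' {
        error-message
          "'public-key' requires its sibling 'public-key-format'.";
      }
      description "The public key, encoded per 'public-key-format'.";
    }
  }

  container keys {
    list asymmetric-key {
      key "name";
      leaf name {
        type string;
        description "Administrator-chosen name for the key.";
      }
      uses public-key-grouping;
    }
  }
}
```

Because a 'must' on a leaf is evaluated only when that leaf exists, configuring exactly one of the two leaves is rejected, while omitting both is valid and leaves room for the values to appear in <operational> only.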
keystore
o Added a 'description' statement to the 'must' in the /keystore/asymmetric-key node explaining that the descendant values may exist in <operational> only, and that implementations MUST assert that the values are either configured or that they exist in <operational>.
o Copied the above 'must' statement (and description) into the local-or-keystore-asymmetric-key-grouping, local-or-keystore-asymmetric-key-with-certs-grouping, and local-or-keystore-end-entity-cert-with-key-grouping statements.
trust-anchors
o Added groupings 'local-or-truststore-certs-grouping' and 'local-or-truststore-host-keys-grouping', matching similar definitions in the keystore draft. Note new (and incomplete) "truststore" usage!
o Related to the above, also added features 'truststore-supported' and 'local-trust-anchors-supported'.
tcp-client-server
o addressed issues raised by Michael Scharf, TCPM WG chair and now co-author
o this version resolves the adoption-call comments (okay to resubmit as "ietf" now?)
ssh-client-server
o Removed the "demux containers", floating the nacm:default-deny-write to each descendant node, and adding a note to model designers regarding the potential need to add their own demux containers.
o In the server model, replaced <client-cert-auth> with <client-authentication> and introduced a 'local-or-external' choice.
tls-client-server
o In the server model, made 'client-authentication' a 'presence' node indicating that the server supports client authentication.
o In the server model, added a 'required-or-optional' choice to 'client-authentication' to better support protocols such as RESTCONF.
o In the server model, added a 'local-or-external' choice to 'client-authentication' to better support consuming data models that prefer to keep client auth with client definitions rather than in a model principally concerned with the "transport".
o In both models, removed the "demux containers", floating the nacm:default-deny-write to each descendant node, and adding a note to model designers regarding the potential need to add their own demux containers.
http-client-server
o number of "improvements" (I hope)
o not reviewed by HTTP WG chairs yet
o likely needs finessing before asking them to review it again
netconf-client-server
o Removed the "Design Considerations" section.
o Removed the 'must' statement limiting keepalives in periodic connections.
o Updated models and examples to reflect removal of the "demux" containers in the imported models.
o Updated the "periodic-connection" description statements to be more like the RESTCONF draft, especially where it described dropping the underlying TCP connection.
o Updated text to better reference where certain examples come from (e.g., which Section in which draft).
o In the server model, commented out the "must 'pinned-ca-certs or pinned-client-certs'" statement to reflect the change made in the TLS draft whereby the trust anchors MAY be defined externally.
o Replaced the 'listen', 'initiate', and 'call-home' features with boolean expressions.
restconf-client-server
o Removed the 'must' statement limiting keepalives in periodic connections.
o Updated models and examples to reflect removal of the "demux" containers in the imported models.
o Updated the "periodic-connection" description statements to better describe behavior when connections are not closed gracefully.
o Updated text to better reference where certain examples come from (e.g., which Section in which draft).
o In the server model, commented out the "must 'pinned-ca-certs or pinned-client-certs'" statement to reflect the change made in the TLS draft whereby the trust anchors MAY be defined externally.
o Replaced the 'listen', 'initiate', and 'call-home' features with boolean expressions.