Re: [Netconf] draft-ietf-netconf-rfc6536bis Query
Martin Bjorklund <mbj@tail-f.com> Mon, 05 February 2018 10:01 UTC
Return-Path: <mbj@tail-f.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 561B5129C59 for <netconf@ietfa.amsl.com>; Mon, 5 Feb 2018 02:01:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3rDKoH4aWm4J for <netconf@ietfa.amsl.com>; Mon, 5 Feb 2018 02:01:20 -0800 (PST)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id 3038E12946D for <netconf@ietf.org>; Mon, 5 Feb 2018 02:01:20 -0800 (PST)
Received: from localhost (unknown [173.38.220.45]) by mail.tail-f.com (Postfix) with ESMTPSA id 7F0C81AE0397; Mon, 5 Feb 2018 11:01:18 +0100 (CET)
Date: Mon, 05 Feb 2018 11:01:17 +0100
Message-Id: <20180205.110117.638345654982212288.mbj@tail-f.com>
To: rohitrranade@huawei.com
Cc: netconf@ietf.org
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <991B70D8B4112A4699D5C00DDBBF878A6B1951BB@DGGEMA502-MBX.china.huawei.com>
References: <991B70D8B4112A4699D5C00DDBBF878A6B19504D@DGGEMA502-MBX.china.huawei.com> <20180205.094936.840887782388329626.mbj@tail-f.com> <991B70D8B4112A4699D5C00DDBBF878A6B1951BB@DGGEMA502-MBX.china.huawei.com>
X-Mailer: Mew version 6.7 on Emacs 24.5 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/gHXnEv7N5zFWZRar3j-Cup-lXpY>
Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis Query
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Feb 2018 10:01:23 -0000
Hi, Rohit R Ranade <rohitrranade@huawei.com> wrote: > Hi Martin, > > Consider running data-store has below node. ^^^^^^^^^^^^^^^^^^^^^^^^^ > /top/interface[name="Ethernet0/0"]/mtu > > In the above case, "mtu" is a data-store node , because it is part of > a running data-store ? Yes. > And if I just have a path as /top/interface/mtu ==> Here mtu is just a > "data node" ? A path by itself can't tell you what kind of node it points to. If this is a path into the schema, and mtu is a leaf, then it is a data node. If mtu had been a 'choice' it wouldn't be a data node. > The reason why I am asking these points is that RFC 6536 mentions that > data-store nodes should not be shown in rpc-error. But we want to > output in error-message something like "access is denied for > /top/interface/mtu" to give a meaningful error-message. Whether such ^^^^^^^^^^^^^^^^^^ I assume you mean: /top/interface[name="Ethernet0/0"]/mtu ? > an error-message makes the server non-compliant ? If the user doesn't have access to "Ethernet0/0" at all, you might reveal the fact that this interface exists if you send this error-path. In general it is safer to just send 'access-denied' and no additional info. /martin > With Regards, > Rohit R > > -----Original Message----- > From: Martin Bjorklund [mailto:mbj@tail-f.com] > Sent: 05 February 2018 14:20 > To: Rohit R Ranade <rohitrranade@huawei.com> > Cc: netconf@ietf.org > Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis Query > > Hi, > > Rohit R Ranade <rohitrranade@huawei.com> wrote: > > Hi Martin, > > > > There are around 6-7 places in the BIS and RFC 6536 where the term " > > datastore node" is used. It is unclear what is the meaning of this > > term as it is not defined in the Terminology section and it is unclear > > what is the difference between this term and "data node". Please > > clarify > > Is the term "datastore node" really unclear? Would a defintion "a > node in a datastore" help (I think it would be a tautology). > > The term "data node" is imported from RFC 7950. > > > /martin > > > > For example: In section 3.2.3 > > > > The contents of specific restricted datastore nodes MUST NOT be > > exposed in any <rpc-error> elements within the reply. > > > > > > With Regards, > > Rohit R > > > > -----Original Message----- > > From: Rohit R Ranade > > Sent: 02 February 2018 15:19 > > To: 'Martin Bjorklund' <mbj@tail-f.com> > > Subject: RE: [Netconf] draft-ietf-netconf-rfc6536bis Query > > > > Ok. > > > > With Regards, > > Rohit R > > > > -----Original Message----- > > From: Martin Bjorklund [mailto:mbj@tail-f.com] > > Sent: 02 February 2018 15:17 > > To: Rohit R Ranade <rohitrranade@huawei.com> > > Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis Query > > > > Hi, > > > > Rohit R Ranade <rohitrranade@huawei.com> wrote: > > > Hi Martin, > > > > > > Should we not be specific in the DRAFT about how to handle > > > <create-subscription> rpc like we have done for the replay control > > > notifications ? > > > > The control notifications are treated differently b/c they are control > > notifications, not b/c they are not defined in a YANG module. > > > > I think you have a valid point; however, since the WG is currently > > defining new operations that will replace the old > > <create-subscription>, I think this problem will go away. > > > > Also, 6536bis is in the RFC editor queue, so changing in 6536bis this > > is quite problematic. > > > > > > /martin > > > > > > > Else each device will have its own mechanism of access control for > > > <create-subscription>. > > > > > > With Regards, > > > Rohit R > > > > > > -----Original Message----- > > > From: Martin Bjorklund [mailto:mbj@tail-f.com] > > > Sent: 01 February 2018 19:05 > > > To: Rohit R Ranade <rohitrranade@huawei.com> > > > Cc: netconf@ietf.org > > > Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis Query > > > > > > Hi, > > > > > > Rohit R Ranade <rohitrranade@huawei.com> wrote: > > > > Hi All, > > > > > > > > Q1: > > > > In the notification authorization Section 3.4.6 there is mention > > > > that REPLAY notifications should be allowed by default. > > > > > > I think you mean <replay-complete>. Replayed notifications in > > > general are not allowed by default. > > > > > > > But there is no mention of how to handle <create-subscription> > > > > operation authorization which can trigger these Replay notifications ? > > > > Since there is no module defined for it, there is no way to add a > > > > rule for permitting or denying it. > > > > > > > > > > > > 1. How do the current NACM implementations handle it ? Allow > > > > <create-subscription> if exec-default is PERMIT ? or always allow > > > > <create-subscription> ? > > > > > > I had to check, and our implementation matches create-subscription > > > if the module-name in the rule is "*". > > > > > > I think some implementations use an internal (non-standard) YANG > > > module name for the model in RFC 5277, so they presumably match if > > > that internal module name is given, or "*". > > > > > > > Q2: If there is an error of access-denied for edit-config > > > > operation, does the RFC restrict from outputting the <error-path> > > > > of the data-store node for such operations ? > > > > Section 3.2.5 has " The contents of specific restricted datastore > > > > nodes MUST NOT be > > > > > > > > exposed in any <rpc-error> elements within the reply." , what is the > > > > meaning of 'content' here ? the schema-name of the leaf / key-values > > > > of data-store-nodes ? > > > > > > > > Since the user has inputted the keys for the data-store nodes is > > > > there any security risk in giving back the values to the user ? > > > > > > 3.4.3 also has > > > > > > A server MUST NOT include any information the client is not allowed > > > to read in any <error-info> elements within the <rpc-error> response. > > > > > > > > > /martin > > > > > >
- [Netconf] draft-ietf-netconf-rfc6536bis Query Rohit R Ranade
- Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Martin Bjorklund
- Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Martin Bjorklund
- Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Rohit R Ranade
- Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Martin Bjorklund
- Re: [Netconf] draft-ietf-netconf-rfc6536bis Query Rohit R Ranade