IETF Logo Mail Archive

Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis

Andy Bierman <andy@yumaworks.com> Thu, 04 May 2017 15:02 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF49D1205D3 for <netconf@ietfa.amsl.com>; Thu, 4 May 2017 08:02:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ZT5wVM1T_13 for <netconf@ietfa.amsl.com>; Thu, 4 May 2017 08:02:04 -0700 (PDT)
Received: from mail-wm0-x22d.google.com (mail-wm0-x22d.google.com [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7503E1293EB for <netconf@ietf.org>; Thu, 4 May 2017 08:02:00 -0700 (PDT)
Received: by mail-wm0-x22d.google.com with SMTP id 142so14397014wma.1 for <netconf@ietf.org>; Thu, 04 May 2017 08:02:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ekRE3D4Q2NUvdl6Rj7ng44k/15zODfRL33pKN5Bgdbw=; b=wXbyK26YFMbySFCNmwBKjN0zkHddUYzs2zoXPTCkUGSMa9sqHRoYja+ggbfBC1N09s M/jRHcRK3pQYny9BpfbLCuAdLmMv1eEI9xGIvq7Lou0+jyXxuHPJB7KNu1peI/1XZgkB E4l9ZN6UO16Sv9PH6B5vTGO5un70gwJTZOvm5cgCmZ+bNMxCxxoc5NCf5i3JfgC56Hjm oykKs2a+hEQhsGNTFIrj1ONJv8VjtNgrB0Qhnn428dbiD0THWaRzahJJgY3HlAGJdFh6 umRLu0jdfe4adcTqZBt0TF4DA623ETtWIn4IK+j4ihKbnLGrbw/8SsDvR9oNFZi0Onrr 7P1g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ekRE3D4Q2NUvdl6Rj7ng44k/15zODfRL33pKN5Bgdbw=; b=CPG/CkYfvI52AJmpbJaT6+Sn/v5D8+6UmEPPp/pCNvekqZeOrxckMMhp+Mr9FFnNBv fM1EN6U/CLd7zy9eGFf0adXKrR8boxQaqFsd49spfmXCceSNJgDFkSk7qSfP/ltLBxxy dXD33qXiTiiEr/ZdpskebuO4CywA/l4T/S+GfqLT8tA0Z0KnL8rangX3ulllHleYBgrj xcTLauaKezKsjvZm2BPT+/khlwI3mni1QGLJAXGba7uRGdTRs2i3NawrETBCrywalMHf 22FnUhBnlLGiVKCyEKEFW2a86gXf2K3w4l1elCjUFTrnC3kWjKTxj7ciNjuqUrPXjqD5 mwYw==
X-Gm-Message-State: AODbwcDMqBMWS55qQJWX9KNbyprESYs1JPc4W11qJ8O4lrgyiPH+D3Ej yq7wtA9aAF5pEDq2vwnkeeK/ZbVyWA==
X-Received: by 10.28.143.135 with SMTP id r129mr2128735wmd.54.1493910118953; Thu, 04 May 2017 08:01:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.155.2 with HTTP; Thu, 4 May 2017 08:01:57 -0700 (PDT)
In-Reply-To: <d1a44db13f3b4de39bb89107fc61fea3@XCH-RTP-013.cisco.com>
References: <A13E62FA-AB96-4164-98D5-3CC1D04A78E8@gmail.com> <E236AC6C-4B6D-43B1-8092-0B8AA3F4D6AA@gmail.com> <f2106a6c538a4b9e96ba490b867bd40d@XCH-RTP-013.cisco.com> <CABCOCHTo+vO7LRJTEPFxOLH5fGkCPDJrO8QRbq_bnOHNS9skqA@mail.gmail.com> <d1a44db13f3b4de39bb89107fc61fea3@XCH-RTP-013.cisco.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Thu, 04 May 2017 08:01:57 -0700
Message-ID: <CABCOCHRW=+V0WCXLS0RZbZ+jqeB5ofwRd0ZyqPoZ9Hvi-JrATA@mail.gmail.com>
To: "Eric Voit (evoit)" <evoit@cisco.com>
Cc: Martin Bjorklund <mbj@tail-f.com>, Netconf <netconf@ietf.org>, Mahesh Jethanandani <mjethanandani@gmail.com>
Content-Type: multipart/alternative; boundary="001a1145b59ef78a11054eb40dc2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/iKpwJlSZnsI8wOQxwY4jPX8URLo>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 15:02:07 -0000

On Thu, May 4, 2017 at 7:53 AM, Eric Voit (evoit) <evoit@cisco.com> wrote:

>
>
> *From:* Andy Bierman, May 4, 2017 12:51 AM
>
> On Wed, May 3, 2017 at 6:15 PM, Eric Voit (evoit) <evoit@cisco.com> wrote:
>
> Hi Andy,
>
> Hi Martin,
>
>
>
> This is an excellent document.  I  have a few questions:
>
>
>
> #1 Section 3.1.3
>
> If a data node identified in a request has no read access allowed (i.e.,
> data node rule violation), isn’t it better to treat the response like the
> node didn’t exist, i.e. a “data-missing” error code?   You highlight this
> as an issue in 3.7.2, but I don’t see a reason why “data missing” isn’t
> preferable to “access denied” (other than ease of debug.)
>
>
>
>
>
> data-missing seems tied to the delete operation error
>
> (client tried to delete a node that does not exist).
>
> access-denied can apply to the object -- the data may or may not exist.
>
> I think many of the NETCONF error-tags overlap and we just have to make
>
> a subjective choice.
>
>
>
> <Eric> ok
>

It would be disruptive to change this because 6536-compliant
implementations send access-denied



>
>
> #2  Section 3.1.3
>
> On the sentence: “If the user is not authorized to read all the specified
> data nodes and the notification node, then the notification is dropped for
> that subscription.”    There is a difference between events (where the
> whole event should be discarded), and YANG object selections (where it is
> preferable to just discard those node for which a receiver has no
> access).   What are your thoughts based on the type of notification of
> allowing the simple dropping any nodes where read access is not available
> if the notification includes some extract of a yang datastore?
>
>
>
> The initial intent was to keep NACM simple and make it easier to have high
> performance implementations.
>
> NACM only allows the event-type to be tested, not any data within it. IMO
> the new notification work will
>
> be significantly more expensive to implement high performance notification
> delivery.
>
>
>
> NACM does not really work the way YANG push wants it to work.
>
> The  path /my-event/interfaces/interface/name is not the same node
>
> as /interfaces/interface/name. Some handwaving text may say treat these
>
> nodes the same, but they are not related at all (from a NACM POV)
>
>
>
> <Eric> Understand.  For this high performance reason in the YANG Push work
> we do allow for subscriptions to be re-established if underlying object
> permissions change.
>
>
>
> Do you see this NACM text providing a blocker for someone who desires such
> notification content filtering?  Some early yang-push use cases I am seeing
> are in the security and config change validation spaces.  As these have low
> transaction volumes, it may be viable to support such event based
> permissions mapping in implementation.
>


no -- see below


>
>
> #3 Section 3.4.6
>
> Outgoing <notification> Authorization in 3.4.6 say descendent nodes are
> out of scope.  But as some notifications can contain datastore extracts, it
> would seem useful allow NACM to act similarly to the processing of a
> response to a get.  Also is there an intersection of this point with #2
> above?
>
>
>
> IMO this should not be done (unless you want you code to run way slower)
>
> It also means the client cannot be sure what the server will leak.
>
> I prefer to apply NACM at subscription-time. If the client is not allowed
> to
>
> read everything in the requested subscription, it is denied.
>
>
>
> This doesn't really work for data rules on specific instances that get
> created
>
> after the subscription starts. But applying NACM data rules to every
> descendant
>
> node in a YANG push is going to be extremely slow. This gets even worse
>
> for subscriptions with multiple receivers (as NACM has to be enforced for
>
> each receiver). I would prefer to see a solution that forces YANG push
>
> to enforce NACM at update generation time (before the notification
>
> delivery system ever sees it) But this assumes YANG push is aware
>
> of the active subscriptions, so not an ideal solution at all.
>
>
>
> <Eric> understand, and agree these are valid approaches.   I am just
> hoping that the text doesn’t explicitly preclude implementations which
> might be able to accomplish notification based content filtering.  As the
> text currently says “out of scope”, my reading is that this not precluded.
>
>
>

IMO it is OK to put this requirement on a YANG push implementation.
The pruning is done by YANG push, not NACM
Then NACM checks the event-type (if so configured)



> Eric
>

Andy


>
>
>
>
>
>
> Thanks,
> Eric
>
>
>
> Andy
>
>
>
>
>
> *From:* Mahesh Jethanandani, May 3, 2017 5:18 PM
>
> Folks,
>
>
>
> There has been literally no feedback on this document, either to say they
> have read the document and support it, or to express concerns about the
> document. Silence, unfortunately is not a good guide for us. To move the
> document forward, we need to hear from folks, including those who were in
> IETF 98.
>
>
>
> Thanks.
>
>
>
> On Apr 18, 2017, at 5:34 PM, Mahesh Jethanandani <mjethanandani@gmail.com>
> wrote:
>
>
>
> NETCONF WG,
>
> In IETF 98, the authors indicated that the above draft was ready for Last
> Call, and the consensus in the room indicated as much.
>
>
>
> This is a start of a 2 week WG Last Call for
> draft-ietf-netconf-rfc6536bis. After two weeks, the document will be
> assigned a shepherd, and the document will be prepared for IESG.
>
> The latest version of the draft can be found at:
> https://tools.ietf.org/html/draft-ietf-netconf-rfc6536bis-01
>
> Please review and send any comments to the WG mailing list or by
> responding to this e-mail. Comments can be statements such as, I
> read/reviewed the document and believe it is ready for publication, or I
> have concerns about the document. For the latter, please indicate what your
> concerns are.
>
> Any reports on implementation status or plans to implement are also very
> useful.
>
>
>
> Authors, please indicate if you are aware of any IPRs related to the draft.
>
>
>
> Thanks.
>
> Mahesh and Mehmet
>
>
>
>
>
>
>
> Mahesh & Mehmet
>
>
>
>
>
>
>
>
>

v2.23.0 | Report a Bug | By Email