Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
Andy Bierman <andy@yumaworks.com> Thu, 04 May 2017 15:02 UTC
Return-Path: <andy@yumaworks.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF49D1205D3 for <netconf@ietfa.amsl.com>; Thu, 4 May 2017 08:02:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ZT5wVM1T_13 for <netconf@ietfa.amsl.com>; Thu, 4 May 2017 08:02:04 -0700 (PDT)
Received: from mail-wm0-x22d.google.com (mail-wm0-x22d.google.com [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7503E1293EB for <netconf@ietf.org>; Thu, 4 May 2017 08:02:00 -0700 (PDT)
Received: by mail-wm0-x22d.google.com with SMTP id 142so14397014wma.1 for <netconf@ietf.org>; Thu, 04 May 2017 08:02:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ekRE3D4Q2NUvdl6Rj7ng44k/15zODfRL33pKN5Bgdbw=; b=wXbyK26YFMbySFCNmwBKjN0zkHddUYzs2zoXPTCkUGSMa9sqHRoYja+ggbfBC1N09s M/jRHcRK3pQYny9BpfbLCuAdLmMv1eEI9xGIvq7Lou0+jyXxuHPJB7KNu1peI/1XZgkB E4l9ZN6UO16Sv9PH6B5vTGO5un70gwJTZOvm5cgCmZ+bNMxCxxoc5NCf5i3JfgC56Hjm oykKs2a+hEQhsGNTFIrj1ONJv8VjtNgrB0Qhnn428dbiD0THWaRzahJJgY3HlAGJdFh6 umRLu0jdfe4adcTqZBt0TF4DA623ETtWIn4IK+j4ihKbnLGrbw/8SsDvR9oNFZi0Onrr 7P1g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ekRE3D4Q2NUvdl6Rj7ng44k/15zODfRL33pKN5Bgdbw=; b=CPG/CkYfvI52AJmpbJaT6+Sn/v5D8+6UmEPPp/pCNvekqZeOrxckMMhp+Mr9FFnNBv fM1EN6U/CLd7zy9eGFf0adXKrR8boxQaqFsd49spfmXCceSNJgDFkSk7qSfP/ltLBxxy dXD33qXiTiiEr/ZdpskebuO4CywA/l4T/S+GfqLT8tA0Z0KnL8rangX3ulllHleYBgrj xcTLauaKezKsjvZm2BPT+/khlwI3mni1QGLJAXGba7uRGdTRs2i3NawrETBCrywalMHf 22FnUhBnlLGiVKCyEKEFW2a86gXf2K3w4l1elCjUFTrnC3kWjKTxj7ciNjuqUrPXjqD5 mwYw==
X-Gm-Message-State: AODbwcDMqBMWS55qQJWX9KNbyprESYs1JPc4W11qJ8O4lrgyiPH+D3Ej yq7wtA9aAF5pEDq2vwnkeeK/ZbVyWA==
X-Received: by 10.28.143.135 with SMTP id r129mr2128735wmd.54.1493910118953; Thu, 04 May 2017 08:01:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.155.2 with HTTP; Thu, 4 May 2017 08:01:57 -0700 (PDT)
In-Reply-To: <d1a44db13f3b4de39bb89107fc61fea3@XCH-RTP-013.cisco.com>
References: <A13E62FA-AB96-4164-98D5-3CC1D04A78E8@gmail.com> <E236AC6C-4B6D-43B1-8092-0B8AA3F4D6AA@gmail.com> <f2106a6c538a4b9e96ba490b867bd40d@XCH-RTP-013.cisco.com> <CABCOCHTo+vO7LRJTEPFxOLH5fGkCPDJrO8QRbq_bnOHNS9skqA@mail.gmail.com> <d1a44db13f3b4de39bb89107fc61fea3@XCH-RTP-013.cisco.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Thu, 04 May 2017 08:01:57 -0700
Message-ID: <CABCOCHRW=+V0WCXLS0RZbZ+jqeB5ofwRd0ZyqPoZ9Hvi-JrATA@mail.gmail.com>
To: "Eric Voit (evoit)" <evoit@cisco.com>
Cc: Martin Bjorklund <mbj@tail-f.com>, Netconf <netconf@ietf.org>, Mahesh Jethanandani <mjethanandani@gmail.com>
Content-Type: multipart/alternative; boundary="001a1145b59ef78a11054eb40dc2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/iKpwJlSZnsI8wOQxwY4jPX8URLo>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 15:02:07 -0000
On Thu, May 4, 2017 at 7:53 AM, Eric Voit (evoit) <evoit@cisco.com> wrote: > > > *From:* Andy Bierman, May 4, 2017 12:51 AM > > On Wed, May 3, 2017 at 6:15 PM, Eric Voit (evoit) <evoit@cisco.com> wrote: > > Hi Andy, > > Hi Martin, > > > > This is an excellent document. I have a few questions: > > > > #1 Section 3.1.3 > > If a data node identified in a request has no read access allowed (i.e., > data node rule violation), isn’t it better to treat the response like the > node didn’t exist, i.e. a “data-missing” error code? You highlight this > as an issue in 3.7.2, but I don’t see a reason why “data missing” isn’t > preferable to “access denied” (other than ease of debug.) > > > > > > data-missing seems tied to the delete operation error > > (client tried to delete a node that does not exist). > > access-denied can apply to the object -- the data may or may not exist. > > I think many of the NETCONF error-tags overlap and we just have to make > > a subjective choice. > > > > <Eric> ok > It would be disruptive to change this because 6536-compliant implementations send access-denied > > > #2 Section 3.1.3 > > On the sentence: “If the user is not authorized to read all the specified > data nodes and the notification node, then the notification is dropped for > that subscription.” There is a difference between events (where the > whole event should be discarded), and YANG object selections (where it is > preferable to just discard those node for which a receiver has no > access). What are your thoughts based on the type of notification of > allowing the simple dropping any nodes where read access is not available > if the notification includes some extract of a yang datastore? > > > > The initial intent was to keep NACM simple and make it easier to have high > performance implementations. > > NACM only allows the event-type to be tested, not any data within it. IMO > the new notification work will > > be significantly more expensive to implement high performance notification > delivery. > > > > NACM does not really work the way YANG push wants it to work. > > The path /my-event/interfaces/interface/name is not the same node > > as /interfaces/interface/name. Some handwaving text may say treat these > > nodes the same, but they are not related at all (from a NACM POV) > > > > <Eric> Understand. For this high performance reason in the YANG Push work > we do allow for subscriptions to be re-established if underlying object > permissions change. > > > > Do you see this NACM text providing a blocker for someone who desires such > notification content filtering? Some early yang-push use cases I am seeing > are in the security and config change validation spaces. As these have low > transaction volumes, it may be viable to support such event based > permissions mapping in implementation. > no -- see below > > > #3 Section 3.4.6 > > Outgoing <notification> Authorization in 3.4.6 say descendent nodes are > out of scope. But as some notifications can contain datastore extracts, it > would seem useful allow NACM to act similarly to the processing of a > response to a get. Also is there an intersection of this point with #2 > above? > > > > IMO this should not be done (unless you want you code to run way slower) > > It also means the client cannot be sure what the server will leak. > > I prefer to apply NACM at subscription-time. If the client is not allowed > to > > read everything in the requested subscription, it is denied. > > > > This doesn't really work for data rules on specific instances that get > created > > after the subscription starts. But applying NACM data rules to every > descendant > > node in a YANG push is going to be extremely slow. This gets even worse > > for subscriptions with multiple receivers (as NACM has to be enforced for > > each receiver). I would prefer to see a solution that forces YANG push > > to enforce NACM at update generation time (before the notification > > delivery system ever sees it) But this assumes YANG push is aware > > of the active subscriptions, so not an ideal solution at all. > > > > <Eric> understand, and agree these are valid approaches. I am just > hoping that the text doesn’t explicitly preclude implementations which > might be able to accomplish notification based content filtering. As the > text currently says “out of scope”, my reading is that this not precluded. > > > IMO it is OK to put this requirement on a YANG push implementation. The pruning is done by YANG push, not NACM Then NACM checks the event-type (if so configured) > Eric > Andy > > > > > > > Thanks, > Eric > > > > Andy > > > > > > *From:* Mahesh Jethanandani, May 3, 2017 5:18 PM > > Folks, > > > > There has been literally no feedback on this document, either to say they > have read the document and support it, or to express concerns about the > document. Silence, unfortunately is not a good guide for us. To move the > document forward, we need to hear from folks, including those who were in > IETF 98. > > > > Thanks. > > > > On Apr 18, 2017, at 5:34 PM, Mahesh Jethanandani <mjethanandani@gmail.com> > wrote: > > > > NETCONF WG, > > In IETF 98, the authors indicated that the above draft was ready for Last > Call, and the consensus in the room indicated as much. > > > > This is a start of a 2 week WG Last Call for > draft-ietf-netconf-rfc6536bis. After two weeks, the document will be > assigned a shepherd, and the document will be prepared for IESG. > > The latest version of the draft can be found at: > https://tools.ietf.org/html/draft-ietf-netconf-rfc6536bis-01 > > Please review and send any comments to the WG mailing list or by > responding to this e-mail. Comments can be statements such as, I > read/reviewed the document and believe it is ready for publication, or I > have concerns about the document. For the latter, please indicate what your > concerns are. > > Any reports on implementation status or plans to implement are also very > useful. > > > > Authors, please indicate if you are aware of any IPRs related to the draft. > > > > Thanks. > > Mahesh and Mehmet > > > > > > > > Mahesh & Mehmet > > > > > > > > >
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- [Netconf] WG LC for draft-ietf-netconf-rfc6536bis Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Alexander Clemm
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Juergen Schoenwaelder
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Juergen Schoenwaelder
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Juergen Schoenwaelder
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… t.petch
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Eric Voit (evoit)
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Mahesh Jethanandani
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Andy Bierman
- Re: [Netconf] WG LC for draft-ietf-netconf-rfc653… Martin Bjorklund