[Netconf] Comments on draft-ietf-netconf-server-model-03.txt
Alan Luchuk <luchuk@snmp.com> Tue, 30 September 2014 21:45 UTC
Return-Path: <luchuk@snmp.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55E301A924B for <netconf@ietfa.amsl.com>; Tue, 30 Sep 2014 14:45:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.688
X-Spam-Level:
X-Spam-Status: No, score=-2.688 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.786, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8r0mVHN9mjY4 for <netconf@ietfa.amsl.com>; Tue, 30 Sep 2014 14:45:54 -0700 (PDT)
Received: from mailbox.snmp.com (mailbox.snmp.com [192.147.142.80]) by ietfa.amsl.com (Postfix) with ESMTP id D58B71A9177 for <netconf@ietf.org>; Tue, 30 Sep 2014 14:45:53 -0700 (PDT)
Received: from mainfs.snmp.com (mainfs.snmp.com [192.147.142.124]) by mailbox.snmp.com (8.9.3p2-20030922/m.0080228) with ESMTP id RAA12525; Tue, 30 Sep 2014 17:45:51 -0400 (EDT)
Received: from mainfs.snmp.com (localhost [127.0.0.1]) by mainfs.snmp.com (8.14.5/8.14.5) with ESMTP id s8ULjrvL024178; Tue, 30 Sep 2014 17:45:53 -0400 (EDT) (envelope-from luchuk@mainfs.snmp.com)
Received: (from luchuk@localhost) by mainfs.snmp.com (8.14.5/8.14.5/Submit) id s8ULjq7q024177; Tue, 30 Sep 2014 17:45:52 -0400 (EDT) (envelope-from luchuk)
Date: Tue, 30 Sep 2014 17:45:52 -0400
From: Alan Luchuk <luchuk@snmp.com>
Message-Id: <201409302145.s8ULjq7q024177@mainfs.snmp.com>
To: netconf@ietf.org
X-Mailer: mail (GNU Mailutils 2.2)
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/idDekw0KBd-mfxq8aeTULQazLC0
Cc: jshoenwaelder@jacobs-university.de
Subject: [Netconf] Comments on draft-ietf-netconf-server-model-03.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Sep 2014 21:45:58 -0000
Hello, Included below are comments about draft-ietf-netconf-server-model-03.txt. I gave the most thought to the sections relating to NETCONF over TLS, but did look over the rest of the document fairly carefully. I hope these are helpful and useful to the WG. Section 1, Page 2-3: Nit ------------------------- s/what ports does the server listen on/what port the server listens on/ Section 2: Page 3: Nit ------------------------- s/the NETCONF service on the/the NETCONF communication service on the/ Sections 2.1 and 2.3, Pages 3 and 4 Nit ---------------------------------------- s/Since/Because/ Section 2.4.2, Page 4: Spelling -------------------------------- s/any of the applications/any of the application's/ Section 2.4.6, Page 5: Nit --------------------------- s/aliveness/"aliveness"/ Section 2.4.6, Page 5: Spelling -------------------------------- s/applications requirements/applications' requirements/ General comments ---------------- Not sure if all of the groupings would be useful outside of this document. Some of the groupings have only a single "uses" within the document; e.g., call-home-transport-config, call-home-config, etc. It seems as if this was done to break up one large config into smaller chunks. I find this use of grouping/uses makes the YANG module more difficult to read and understand than if these single-use grouping/users were simply inserted in-line. Comments on the listen-per-transport-config grouping, Page 12: -------------------------------------------------------------- Under the description of the address leaf: s/IP address\/name/IP address or host name/ Under the port leaf: Should this leaf be mandatory, or have a default of 0? The listen-per-transport-config grouping seems roughly like a "sockaddr_storage" structure. An "endpoint", or perhaps a "sockaddr" or "socket" grouping seems like it would be useful in many YANG modules beyond this one. Would it be worthwhile to generalize this grouping, and simplify its use either by putting it in its own (non-server-specific) YANG module, or possibly by promoting into a new rev of the ietf-inet-types YANG module? Perhaps the following might be a generalized grouping: grouping endpoint { description "Specifies the address and port for a transport endpoint." leaf address { type inet:host; mandatory true; description "The IP address or host name for the transport endpoint."; } leaf port { type inet:port-number; description "The port number for the transport endpoint."; default 0; } } /* grouping endpoint */ Comments on the call-home-per-transport-config grouping, Page 14: ----------------------------------------------------------------- This grouping seems generally useful beyond the configuration of call-home configuration. It looks like basically like a list of endpoints, or "sockaddrs". Perhaps generalizing this and putting it into the same YANG module with the revised listen-per-transport-config grouping might simplify its wider use. I _suspect_ I know the answer to this, but what is the purpose of the "endpoints" container around the "endpoint" list? The name leaf seems to serve basically as a key for the list. Would it be possible to eliminate this leaf, and use the address and port leaves as keys? This would slightly simplify the grouping. It might also use the "endpoint" grouping suggested above, and further re-use definitions. Perhaps the following might be a generalized grouping? grouping endpoints-grouping { description "Grouping for a list of transport endpoints."; container endpoints { description "Container for the list of endpoints."; list endpoint-list { key "address port"; /* min-elements 1; Necessary or useful if generalized? */ /* ordered-by user; Necessary or useful if generalized? */ description "List of transport endpoints." uses endpoint; } /* list endpoint-list */ } /* container endpoints */ } /* grouping endpoints-grouping */ Comments on the listen-config grouping, Page 11: ------------------------------------------------ It seems like the listen-per-transport-config could be promoted from from below each case branch to above the "choice transport". Does the name leaf does have a function other than providing a list key? If the listen-per-transport-config were promoted, then the address and port could be used as keys, no? This would simplify the grouping. Perhaps something like: grouping listen-config { description "Grouping for listen configuration."; uses endpoint; /* The new grouping, described above */ choice transport { mandatory true; description "Selects between SSH and TLS transports."; case ssh { if-feature ssh-listen; container ssh { description "SSH-specific listening configuration for inbound connections."; refine port { default 830; } } } case tls { if-feature tls-listen; container tls { description "TLS-specific listening configuration for inbound connections."; refine port { default 6513; } } } } } Then, where this grouping is used: container netconf-server { description "Top-level container for NETCONF server configuration."; list listen { key "address port"; description "List of endpoints to listen for connections on."; //if-feature "(ssh-listen or tls-listen)"; uses listen-config; Comments on the call-home-connection-type-config grouping, Page 15: ------------------------------------------------------------------- Under the persistent-connection case, there is a "container persistent" and, under that, a "container keep-alives". What is the function of the extra containment layer? Would it make sense to remove one of these containment layers? Comments on the call-home-reconnection-strategy-config grouping, Page 17: ------------------------------------------------------------------------- What determines the order in which management applications are contacted by call-home connections? Is it the name key of the endpoint list in the call-home-per-transport-config grouping? How is the last-connected reconnection strategy handled across reboots of devices without stable storage? Or is the "no stable storage" situ- ation out-of-scope? Comments on the trusted-ca-certs-grouping grouping, Page 17: ------------------------------------------------------------ Is it expected that this grouping may be used elsewhere in other YANG modules? Is it intended that the trusted-ca-cert leaf-list is used for root (self-signed) CA certs only, or are subordinate CA certs allowed also? If this leaf-list is intended for self-signed CA certs only, then how are CA cert chains handled? Comments on the trusted-client-certs-grouping grouping, Page 17: ---------------------------------------------------------------- What is the purpose of this grouping? As it is documented, this grouping may be unnecessary. When a management application connects to the NETCONF Server, either by forward or reverse (call-home) TLS, the management application will present an application cert (or cert chain) that identifies it. Two things have to happen for the NETCONF Server to authenticate the management application: 1) The application cert presented by the management application must pass certificate verification up through one of the CA certs configured (in the NETCONF server) in the trusted-ca-certs-grouping, and 2) the NETCONF server must be able to convert this application cert to the NETCONF NACM username. Based upon the way the TLS authentication works (described in the previous paragraph), and the description of the trusted-client-certs container, I don't see what the function of this grouping is. What am I missing here? Should the trusted-client-certs-grouping be deleted? Comments on the cert-maps-grouping, Page 19: -------------------------------------------- The x509c2n:cert-to-name grouping defined in the ietf-x509-cert-to-name YANG module defined in draft-ietf-netmod-snmp-cfg-08.txt looks fine. Other comments on the NETCONF-over-TLS configuration: ------------------------------------------------------- When a NETCONF over TLS session is initiated, the NETCONF server must present an X.509 certificate to the NETCONF client so the client can verify the identity of the NETCONF server. I do not see any mechanism for configuring an X.509 certificate that identifies the NETCONF server. Should there be such an object, or is this something that can only be configured out-of-band, or perhaps only by the manufacturer? Regards, --Alan ------------------------------------------------------------------------------ Alan Luchuk SNMP Research, Inc. Voice: +1 865 573 1434 Senior Software Engineer 3001 Kimberlin Heights Road FAX: +1 865 573 9197 luchuk at snmp.com Knoxville, TN 37920-9716 http://www.snmp.com/ ------------------------------------------------------------------------------
- [Netconf] Comments on draft-ietf-netconf-server-m… Alan Luchuk
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Juergen Schoenwaelder
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Alan Luchuk
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Martin Bjorklund
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Martin Bjorklund
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Juergen Schoenwaelder
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Kent Watsen