IETF Logo Mail Archive

Re: [Netconf] draft-ietf-netconf-rfc6536bis Query

Martin Bjorklund <mbj@tail-f.com> Mon, 05 February 2018 08:49 UTC

Return-Path: <mbj@tail-f.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02EF112AF83 for <netconf@ietfa.amsl.com>; Mon, 5 Feb 2018 00:49:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t2QuBfpTqFHS for <netconf@ietfa.amsl.com>; Mon, 5 Feb 2018 00:49:39 -0800 (PST)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id 3817C129C6D for <netconf@ietf.org>; Mon, 5 Feb 2018 00:49:39 -0800 (PST)
Received: from localhost (unknown [173.38.220.45]) by mail.tail-f.com (Postfix) with ESMTPSA id 576321AE0397; Mon, 5 Feb 2018 09:49:37 +0100 (CET)
Date: Mon, 05 Feb 2018 09:49:36 +0100
Message-Id: <20180205.094936.840887782388329626.mbj@tail-f.com>
To: rohitrranade@huawei.com
Cc: netconf@ietf.org
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <991B70D8B4112A4699D5C00DDBBF878A6B19504D@DGGEMA502-MBX.china.huawei.com>
References: <991B70D8B4112A4699D5C00DDBBF878A6B192C46@DGGEMA502-MBX.china.huawei.com> <20180202.104713.2160979335819511500.mbj@tail-f.com> <991B70D8B4112A4699D5C00DDBBF878A6B19504D@DGGEMA502-MBX.china.huawei.com>
X-Mailer: Mew version 6.7 on Emacs 24.5 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/juk2UMzP5Er1bvwq4XTgMOzy7tA>
Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis Query
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Feb 2018 08:49:41 -0000

Hi,

Rohit R Ranade <rohitrranade@huawei.com> wrote:
> Hi Martin,
> 
> There are around 6-7 places in the BIS and RFC 6536 where the term "
> datastore node" is used. It is unclear what is the meaning of this
> term as it is not defined in the Terminology section and it is unclear
> what is the difference between this term and "data node". Please
> clarify

Is the term "datastore node" really unclear?  Would a defintion "a
node in a datastore" help  (I think it would be a tautology).

The term "data node" is imported from RFC 7950.


/martin


> For example: In section 3.2.3
> 
>    The contents of specific restricted datastore nodes MUST NOT be
>    exposed in any <rpc-error> elements within the reply.
> 
> 
> With Regards,
> Rohit R
> 
> -----Original Message-----
> From: Rohit R Ranade 
> Sent: 02 February 2018 15:19
> To: 'Martin Bjorklund' <mbj@tail-f.com>
> Subject: RE: [Netconf] draft-ietf-netconf-rfc6536bis Query
> 
> Ok. 
> 
> With Regards,
> Rohit R
> 
> -----Original Message-----
> From: Martin Bjorklund [mailto:mbj@tail-f.com]
> Sent: 02 February 2018 15:17
> To: Rohit R Ranade <rohitrranade@huawei.com>
> Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis Query
> 
> Hi,
> 
> Rohit R Ranade <rohitrranade@huawei.com> wrote:
> > Hi Martin,
> > 
> > Should we not be specific in the DRAFT about how to handle 
> > <create-subscription> rpc like we have done for the replay control 
> > notifications ?
> 
> The control notifications are treated differently b/c they are control
> notifications, not b/c they are not defined in a YANG module.
> 
> I think you have a valid point; however, since the WG is currently
> defining new operations that will replace the old
> <create-subscription>, I think this problem will go away.
> 
> Also, 6536bis is in the RFC editor queue, so changing in 6536bis this
> is quite problematic.
> 
> 
> /martin
> 
> 
> > Else each device will have its own mechanism of access control for 
> > <create-subscription>.
> > 
> > With Regards,
> > Rohit R
> > 
> > -----Original Message-----
> > From: Martin Bjorklund [mailto:mbj@tail-f.com]
> > Sent: 01 February 2018 19:05
> > To: Rohit R Ranade <rohitrranade@huawei.com>
> > Cc: netconf@ietf.org
> > Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis Query
> > 
> > Hi,
> > 
> > Rohit R Ranade <rohitrranade@huawei.com> wrote:
> > > Hi All,
> > > 
> > > Q1:
> > > In the notification authorization Section 3.4.6 there is mention 
> > > that REPLAY notifications should be allowed by default.
> > 
> > I think you mean <replay-complete>.   Replayed notifications in
> > general are not allowed by default.
> > 
> > > But there is no mention of how to handle <create-subscription> 
> > > operation authorization which can trigger these Replay notifications ?
> > > Since there is no module defined for it, there is no way to add a 
> > > rule for permitting or denying it.
> > > 
> > > 
> > > 1.  How do the current NACM implementations handle it ? Allow 
> > > <create-subscription> if exec-default is PERMIT ? or always allow 
> > > <create-subscription> ?
> > 
> > I had to check, and our implementation matches create-subscription if 
> > the module-name in the rule is "*".
> > 
> > I think some implementations use an internal (non-standard) YANG 
> > module name for the model in RFC 5277, so they presumably match if 
> > that internal module name is given, or "*".
> > 
> > > Q2: If there is an error of access-denied for edit-config operation, 
> > > does the RFC restrict from outputting the <error-path> of the 
> > > data-store node for such operations ?
> > > Section 3.2.5 has " The contents of specific restricted datastore 
> > > nodes MUST NOT be
> > > 
> > >    exposed in any <rpc-error> elements within the reply." , what is the
> > >    meaning of 'content' here ? the schema-name of the leaf / key-values
> > >    of data-store-nodes ?
> > > 
> > > Since the user has inputted the keys for the data-store nodes is 
> > > there any security risk in giving back the values to the user ?
> > 
> > 3.4.3 also has
> > 
> >    A server MUST NOT include any information the client is not allowed
> >    to read in any <error-info> elements within the <rpc-error> response.
> > 
> > 
> > /martin
> > 
>

v2.23.0 | Report a Bug | By Email