Re: [netconf] RFC 6241 Ambiguity

<jonathan@hansfords.net> Fri, 24 May 2019 09:56 UTC

Return-Path: <jonathan@hansfords.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7516A120074 for <netconf@ietfa.amsl.com>; Fri, 24 May 2019 02:56:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hansfords.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pv_1WBhERSPw for <netconf@ietfa.amsl.com>; Fri, 24 May 2019 02:56:38 -0700 (PDT)
Received: from mail.myfast.site (mail.myfast.site [81.19.215.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E67D120045 for <netconf@ietf.org>; Fri, 24 May 2019 02:56:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=hansfords.net; s=default; h=Content-Type:MIME-Version:Message-ID:Date: Subject:In-Reply-To:References:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=pCLiS4KeG4luJdrKkadE9mGvg83wD0FOiFMSw2WZ47M=; b=ahiKdUagmsvOr+PimCLbVGr+O t/2z4vwrfiZdNOx1VxCx8NKP8acnfBo138G8AAAyY9TMcBaTMG3IvevyZ6b2UAbGqunYmXJ6g9/8s etVdT1Nr4uGMr6Wumzlw3KSuDabSbhp9uuySOVTVMgYLWsQTch7ipkHURb/pXQE6XU0RUxNazwa6b 9gFDql/PMhiO6NmD7OA/0bJOWrmuiOlPsYK+QH4x2lyTVlwrY2TUxTw6mJjYtwNQFiXvHN71shrgF /+rApnUaoMl/sd5xFgyA3n1fEgQYirWwL0vL8FXIsJUStvg+IMNRtm4Jdh8mcwDVE4r6ViI6zWfuf RUpSByV6Q==;
Received: from hansfords.plus.com ([84.92.116.209]:53807 helo=Vanguard) by mail.myfast.site with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <jonathan@hansfords.net>) id 1hU6wD-004FM0-M6; Fri, 24 May 2019 10:56:35 +0100
From: <jonathan@hansfords.net>
To: "'Andy Bierman'" <andy@yumaworks.com>, "'Mahesh Jethanandani'" <mjethanandani@gmail.com>
Cc: "'Kent Watsen'" <kent@watsen.net>, <netconf@ietf.org>
References: <em35e87021-fa76-4888-a383-8b34e960175f@morpheus> <0100016aa75956af-70018fb1-15f8-4394-8ffd-4f4d5b2d7b3f-000000@email.amazonses.com> <CABCOCHScSp8AEjcgSd7tX-Va45y51CxK-b_hO4nd3SzW9rTUKA@mail.gmail.com> <eme2e51d99-6140-4142-b89f-db5e4c6e2a88@morpheus> <0100016ab7a9af7e-cd7f776e-79e1-42a4-9c5d-d04aed0d8fa1-000000@email.amazonses.com> <emdf557a96-2926-4d87-83f9-2f8216ed652e@morpheus> <76ED75C8-AA1A-4A03-A382-0DE834C914A1@gmail.com> <0100016abd77bfe3-88ae515a-d7f9-41c7-b627-9c51bdf16213-000000@email.amazonses.com> <CABCOCHQ-SWFCzs-FzhLe=-n+j+-AEknTuv-nKJ4etFm0srig5w@mail.gmail.com> <884391D0-3F53-4F3D-BFB0-DD333D09507C@gmail.com> <CABCOCHTLzW+2mkau0KHSbprw0e7PjNFO6SZoPyXUzkKm7gsyow@mail.gmail.com>
In-Reply-To: <CABCOCHTLzW+2mkau0KHSbprw0e7PjNFO6SZoPyXUzkKm7gsyow@mail.gmail.com>
Date: Fri, 24 May 2019 10:56:33 +0100
Message-ID: <00d101d51216$f807d120$e8177360$@hansfords.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00D2_01D5121F.59D38C20"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQEklGrOMV/w/jlFXeDl9P6RpktVAwMZoGKtAkTE2WoB6D+fYgJpYrUFAgVhjmgB0JVjYQJ8PT8lAReGQGcB8z3QDQIlgQtrpzFlk1A=
Content-Language: en-gb
X-Antivirus: Avast (VPS 190524-0, 24/05/2019), Outbound message
X-Antivirus-Status: Clean
X-OutGoing-Spam-Status: No, score=-0.2
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mail.myfast.site
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - hansfords.net
X-Get-Message-Sender-Via: mail.myfast.site: authenticated_id: jonathan@hansfords.net
X-Authenticated-Sender: mail.myfast.site: jonathan@hansfords.net
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/mMvsdqGRCIKfqtwwvQG9a_mIPkg>
Subject: Re: [netconf] RFC 6241 Ambiguity
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 May 2019 09:56:42 -0000

Hi,

 

Apologies for the delay in responding.

 

The reason for the errata I have raised on persistent confirmed commits is because RFC 6241 seems to me to be ambiguous. For example, section 8.4.1 states, “If the session issuing the confirmed commit is terminated for any reason before the confirm timeout expires, the server MUST restore the configuration to its state before the confirmed commit was issued, unless the confirmed commit also included a <persist> element.” To my mind, the reasons for terminating the session include the client issuing a <close-session>, another client issuing a <kill-session> on the session in question, a network failure, the client rebooting, and the server rebooting. Yet in the next paragraph it states, “If the device reboots for any reason before the confirm timeout expires, the server MUST restore the configuration to its state before the confirmed commit was issued.” So does the second paragraph overrule the first when the session terminates due to the device rebooting? If so, what is the reason why a persistent confirmed commit cannot persist beyond a device reboot but it can for all other cases of session termination? And why does the RFC state about the persist parameter on page 101, “This parameter is used to make a confirmed commit persistent.  A persistent confirmed commit is not aborted if the NETCONF session terminates.  The only way to abort a persistent confirmed commit is to let the timer expire, or to use the <cancel-commit> operation”? The RFC could really do with making it clearer under what circumstances a persistent confirmed commit is aborted, hence my errata. If I have got them wrong, I apologise.

 

Re Kent’s point about section 8.4 overriding section 7.8 behaviour. Is that a common approach to RFCs, that subsequent sections can overrule prior sections without needing to add clarity in those prior sections? If so, why are there so many forward references to capabilities in section 7?

 

With the diffs in the errata, I am unclear what happens when reporting an error in an existing erratum. If the resultant erratum replaces the previous one, it would make sense to provide the diff against the original text. If it becomes an additional erratum, it would make sense to provide the diff against the previous erratum.

 

Re Andy’s point about the text on <kill-session> in section 7.9 being ambiguous, that is why I proposed the change. However, if that change is not correct, then surely we still need an erratum to clarify what the intent truly is. Clearly Andy is of the opinion an erratum is not sufficient and this needs to be fixed in a new version of the protocol which is why I’m confused as to why he doesn’t want to open this as a netconf-next issue.

 

For the work we are currently undertaking, persistent confirmed commits could be very useful. But if the RFC is ambiguous, errata cannot fix it and it isn’t a netconf-next issue we will have to remove support for it. But if that is the case then presumably we should not support any of :confirmed-commit:1.1.

 

Jonathan

 

From: netconf <netconf-bounces@ietf.org> On Behalf Of Andy Bierman
Sent: 16 May 2019 20:11
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: Kent Watsen <kent@watsen.net>et>; netconf@ietf.org
Subject: Re: [netconf] RFC 6241 Ambiguity

 

 

 

On Thu, May 16, 2019 at 11:50 AM Mahesh Jethanandani <mjethanandani@gmail.com <mailto:mjethanandani@gmail.com> > wrote:

Hi Andy,





On May 16, 2019, at 10:02 AM, Andy Bierman <andy@yumaworks.com <mailto:andy@yumaworks.com> > wrote:

 

 

 

On Wed, May 15, 2019 at 2:48 PM Kent Watsen <kent@watsen.net <mailto:kent@watsen.net> > wrote:

 





I don't think Erratum 5397 should be deleted. Though the original section 7.8 makes no mention of confirmed commits, section 7.9 does, but does not differentiate between a vanilla confirmed commit and a persistent confirmed commit. Since a persistent confirmed commit is still a type of confirmed commit, without clarification the second paragraph of the description would seem to apply. 

 

I would agree.

 

 

7.8 does not say anything about the <kill-session> is for the
session that started a confirmed commit or extended a confirmed commmit.
It could be interpreted to mean any kill-session for any session causes
a confirmed commit to be rolled back.  The text below is so ambiguous it

is not even clear the <kill-session> has to be for an existing session,




      If a NETCONF server receives a <kill-session> request while
      processing a confirmed commit (Section 8.4), it MUST restore the
      configuration to its state before the confirmed commit was issued.

 

 

While the original text in 7.8 was ambiguous, Erratum 5397 does seem to clarify that the <close-session> (not <kill-session), is for the session in question, and not any session.

 

 

I do not agree that close-session overrides the text in sec 8.4 supports this procedure.

It also makes no sense from an operational POV, since dropping the session

(without a close-session) does not have this affect :

 




   If the session issuing the confirmed commit is terminated for any
   reason before the confirm timeout expires, the server MUST restore
   the configuration to its state before the confirmed commit was
   issued, unless the confirmed commit also included a <persist>
   element.

 

IMO this text overrides the close-session and kill-session text.

 

 

 

      If a NETCONF server receives a <close-session> request while
      processing a confirmed commit (Section 8.4) for that session, it
      MUST restore the configuration to its state before the confirmed
      commit was issued unless the confirmed commit included a <persist>
      element.

That is why I agree that Erratum 5397 should not be deleted, but should be modified to the text suggested by Jonathan.

 

 

This makes no operational sense if the <persist> parameter was used.

 

 

 

It's a minor point, but I could argue, as I wrote before, that such clarifications in 7.x are unnecessary because 8.4 provides overrides.   I prefer less text because it's easier to get right (wit this is at least the 3rd time Jonathan is at this now).  However "unnecessary" doesn't mean "wrong" and since we've already stepped in it, getting the 7.x errata right might be easier than getting 8.4 right.

 

 

 

8.4 para 3 says the confirmed commit is not tied to a session if the persist/persist0id mechanism is used.

 

   If the <persist> element is not given in the confirmed commit
   operation, any follow-up commit and the confirming commit MUST be
   issued on the same session that issued the confirmed commit.  If the
   <persist> element is given in the confirmed <commit> operation, a
   follow-up commit and the confirming commit can be given on any
   session, and they MUST include a <persist-id> element with a value
   equal to the given value of the <persist> element.

 

The problematic text is actually in <cancel_commit>

 

8.4.4.1.  <cancel-commit>
 
   Description:
 
         Cancels an ongoing confirmed commit.  If the <persist-id>
         parameter is not given, the <cancel-commit> operation MUST be
         issued on the same session that issued the confirmed commit.
 

In order to cancel a confirmed commit (belonging to another client, i.e
the persist-id is not known), the client issues a <kill-session> for
any random or non-existent session.  It would make more sense to issue a <cancel-commit>

(maybe require superuser) instead. The access control policy for <kill-session>

is the wrong way to configure access to cancelling a confirmed commit.

 

IMO these procedures are not well designed or documented, and an Errata cannot

be used to fix it -- a new version of the protocol should fix it, in which WG and IETF consensus

is reached for the selected solution.

 

Do you want to open this as a netconf-next issue?





 

 

not really

 

 





 





With the diff, should that be against the original text or the original erratum?

 

The diff is building on top of the original erratum. I would think a diff w.r.t. to the original erratum would make sense.

 

It depends, are you correcting the earlier errata or filing a new one?   Regardless, I expressed a diff for what I think the text should be (which you didn't comment on); how that is translated is up to you.

 

 

Kent // contributor

 

 

Andy

 

_______________________________________________
netconf mailing list
netconf@ietf.org <mailto:netconf@ietf.org> 
https://www.ietf.org/mailman/listinfo/netconf

 

Mahesh Jethanandani

mjethanandani@gmail.com <mailto:mjethanandani@gmail.com> 

 

 

 

 

Andy

 

 



---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus