IETF Logo Mail Archive

Re: [Netconf] Benjamin Kaduk's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)

Kent Watsen <kwatsen@juniper.net> Thu, 10 January 2019 20:09 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48619131008; Thu, 10 Jan 2019 12:09:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.253
X-Spam-Level:
X-Spam-Status: No, score=-5.253 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, KHOP_DYNAMIC=2, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6VxbIBAbPZK0; Thu, 10 Jan 2019 12:09:16 -0800 (PST)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CC9A131007; Thu, 10 Jan 2019 12:09:16 -0800 (PST)
Received: from pps.filterd (m0108158.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x0AK6kdm003007; Thu, 10 Jan 2019 12:09:11 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=i5EoRNt8LcCfrH/LM0mXFZiidEyJjyVtz0NKWk5m7sA=; b=cQ7HacHRMrY0zK7hVnmafmoaijgqL6kSVvYlwqa33GNupOTVbmHhmF3pWljI2P+QuEY3 HQqoofxyyW99vS3UwSIa3YvszcCcvRvMeJvbBcsV+fe5iJE6NwYGQOLOuRqTzY+iDM4s ZzUp8tEhihBk68L1pW2aFaUne6mDRUGoz2kNSpE0FHnGM9su6O1z9xT5haBaEhdNkkKj PS6HvdabZuTLEED+XnciApxuIz4MvXQYQ9Xop2Q9+6sQLWZ8DFuy1zSXXlEyLhe9b2MR oYrhJyYutSC60kO+fIeKW4s5ZjZpKYuALY9BkyOI0fshH0K+jY+l6ifksEDMNOJ6cZ3r Vg==
Received: from nam02-sn1-obe.outbound.protection.outlook.com (mail-sn1nam02lp2058.outbound.protection.outlook.com [104.47.36.58]) by mx0a-00273201.pphosted.com with ESMTP id 2px1pyh1eg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 10 Jan 2019 12:09:11 -0800
Received: from BYAPR05MB5416.namprd05.prod.outlook.com (20.177.184.221) by BYAPR05MB4552.namprd05.prod.outlook.com (52.135.203.161) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1516.7; Thu, 10 Jan 2019 20:09:08 +0000
Received: from BYAPR05MB5416.namprd05.prod.outlook.com ([fe80::ccee:5d54:3370:e50b]) by BYAPR05MB5416.namprd05.prod.outlook.com ([fe80::ccee:5d54:3370:e50b%5]) with mapi id 15.20.1516.015; Thu, 10 Jan 2019 20:09:08 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Benjamin Kaduk <kaduk@mit.edu>, Adam Roach <adam@nostrum.com>
CC: Dave Crocker <dcrocker@bbiw.net>, Alexey Melnikov <aamelnikov@fastmail.fm>, The IESG <iesg@ietf.org>, "draft-ietf-netconf-zerotouch@ietf.org" <draft-ietf-netconf-zerotouch@ietf.org>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Benjamin Kaduk's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)
Thread-Index: AQHUi5qky69pAtgeuk6GIUpsNSYi7qVz1VIAgCLBFICAB70FgIADj4qAgAJJm4CAAxXrAIAAYVAA//+xH4CAAacWAIAAD4+AgAADiwD//8aMAA==
Date: Thu, 10 Jan 2019 20:09:08 +0000
Message-ID: <0CDD631D-47A4-4478-A250-85603C653D23@juniper.net>
References: <F526DA60-77EC-45D6-ADE0-B345020A89BF@juniper.net> <20181230003002.GC57547@kduck.kaduk.org> <5DCD6C74-7918-45AB-BEA7-2C1A020B4411@juniper.net> <20190106050255.GJ28515@kduck.kaduk.org> <35A436B3-5D57-4015-A51E-5F9A1E349D31@juniper.net> <DAC627AC-8453-41D2-B95C-BC25746E66C1@juniper.net> <cc5adc78-6751-fabf-03d2-e0c65f8a6c91@bbiw.net> <F844EDFB-3E15-47FB-A714-06363B996FC2@juniper.net> <42cddba1-9f59-f19f-176f-197f0c0c0c96@bbiw.net> <32cfe06c-8204-a63a-263d-cb5b30a7a2fc@nostrum.com> <20190110183444.GN28515@kduck.mit.edu>
In-Reply-To: <20190110183444.GN28515@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.5.181209
x-originating-ip: [66.129.241.10]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR05MB4552; 6:ZT3W5UqKrTWFJgGosAPC55Tl70jxzZq/oAoBx+VbfYVhygKG9yeYN5rVKBvbjMwOCm9vntMs6woc/HEnYkHjEKy0pK3ckjNkRQlixwzHrcWt5Y5cKWSf8DkYGjVCpJdkggDH4XesZ3HF/ZJlT2UO2a75EBmCVQ//3uSs/gKCsH5a4APX1fJYJ8BT/18JCgcYBAF5iXRmlvopKBXpNusi19/+3BbZ76+pUhDE/N0Fs/4hiEMsCYeEv6SI9yXEIZihL5Puz5qZWWOw3N3tn+dat6EirEqg6nXjRQbep4nJMXSSmpLcu485FCrRlT+FO+6f7Zgd/4dqpSl5//zzuAfoF35Wv2NOQbiAd/KI1xU1A7+vkVP1iUpEps0qie38Z52zPf8EZPmZ3uGJoHP3Fa6jteVeeFPf18XKMHjkVE43aurCJ4MA3Ae5idAXj+PTQu7XiT3oUaLcnLnp+reYvbjDXQ==; 5:QR/dhBLXNZTK5Og0qKIJXijMfEjUM4ppm62QnqfApZhlNJ0QDR3YXJ+IeHYQ81G9aepY3rKh9Y9oNb+GhxQrkQUnaE2FTu9OxKeEig1RUoP8wktF3FpHcMNvVIkLeuRS8N3ykgrchZSDv1iZeICn4EfRk/3FQivccC/NztvBPCquQGhXOgVGtbLPlI4gbD1nrN/cyj5BgzVeYEUgRWolSQ==; 7:SZCHnm/vKqWfLO4pYFsqfe5jbOiX6obSvWNQXgFJuq5FDF2ecCa22TEQNmUjVSkbhdsmuwQHgrunftTXym0kPmvxx2SGfIFEDJ878FRy2VczaR3kpbEwEbu0JJR48bPj/j0HNZLW++dI3c74ouJDBw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: c1a664ca-2cbb-4bbb-672d-08d677377a90
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:BYAPR05MB4552;
x-ms-traffictypediagnostic: BYAPR05MB4552:
x-microsoft-antispam-prvs: <BYAPR05MB455257B6F032E6268DB4368DA5840@BYAPR05MB4552.namprd05.prod.outlook.com>
x-forefront-prvs: 0913EA1D60
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(366004)(396003)(346002)(376002)(136003)(199004)(189003)(40224003)(51444003)(229853002)(83716004)(14454004)(316002)(25786009)(71200400001)(71190400001)(58126008)(53936002)(81166006)(567974002)(4326008)(76176011)(8936002)(6486002)(8676002)(478600001)(33656002)(81156014)(86362001)(93886005)(82746002)(2906002)(305945005)(6512007)(66066001)(97736004)(6246003)(54906003)(6506007)(110136005)(5660300001)(6436002)(99286004)(102836004)(36756003)(26005)(2171002)(486006)(7736002)(14444005)(68736007)(6116002)(256004)(3846002)(106356001)(446003)(186003)(105586002)(11346002)(476003)(2616005); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR05MB4552; H:BYAPR05MB5416.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: Ov1w4VYk59WFBGcMhsIMiHLf78zD/ANyeLcvVN9uudIEvoMHNZ6LuHFmu+KDIH3wwVxqgZm5loJI6VV9dWGmG7jaw/medLrZw0SwcX9+Tvfeyp8vP9HBo583FJztAor4ioWvNrhK8MYbSOJQV+zzRknkyKrJkOSoWoRoxpWcGuUcl52CvG9Tz7Y0ZYtfzT4Ry/GmmONTeA9SSA0gofrT1/hlb+EyDwBouVFa2asUzmtJQ7KNQDLFsH6BI+KGhd7SBZ4+ZGWeMTHFj+t4/Wvug+IjLgXUyAXv0U1dwat6/WDx3l7vN0SEE/HTf9z5ubfxL7WPBEdBEXYiSuzmqaLbe7y3qeMkfuzQ5R8ltyiSB9onctGWN90VWP7WzjgWT3CJ3rVuu5CStgnbKcRENKJVIQca2HZbpgsKjti1aIirsy9Ct8PtsahmHM+3FWPPIOi4sXtXL4TN+0XhNifcwnOEaQ==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <F5BC4C289819464799B8D2253256AA7F@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: c1a664ca-2cbb-4bbb-672d-08d677377a90
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jan 2019 20:09:08.1213 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB4552
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-01-10_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=842 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901100155
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/mpHIjurTY3w0kVc4nxNT9IhoN4Q>
Subject: Re: [Netconf] Benjamin Kaduk's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2019 20:09:18 -0000

>> I don't think this is right. Draft-ietf-netconf-zerotouch is explicitly 
>> using DNS-SD procedures [1]. In turn, DNS-SD absolutely mandates the 
>> presence of both SRV and TXT records with the same name [2]. So the 
>> names need to match.
>
> Whoops, that's totally an error on my part.  If we're explicitly doing
> DNS-SD, then there's "nothing to see here".
>
> Sorry for missing that.

No, wait, I think that the draft's stating that it uses DNS-SD procedures
may be in error.  It might be more correct to say that it uses DNS in the
following two separate/distinct ways (in order of device-processing):

   1) A lookup for device-specific data (for the TXT RRs)

      Currently is this:<serial-number>._sztp._tcp.example.com
      But maybe should be: <serial-number>._sztp.example.com ???

      Returns TXT records (no SRV records) supplying bootstrapping
      data.

      Only if this lookup fails (not in addition to), then the 
      device moves to (2), in conflict with RFC 6763 §6.3 says:

        "DNS-SD uses DNS TXT records to store arbitrary key/value pairs
         conveying *additional* information about the named service."
        (emphasis mine)


   2) A traditional SRV lookup (per RFC 2782, not DNS-SD, right?)

      Example: _szpt._tcp.example.com

      Returns SRV records (no TXT or PTR records) supplying 
      traditional service info (address, port, priority, weight).

      FWIW, technically, SZTP defines an application-level protocol
      on top of RESTCONF, which is on top of HTTPS, but I don't
      think anyone is suggesting this:

          _sztp._restconf._http._tls._tcp.example.com   ;)


More reasons why it may be a more correct to say DNS-SD is NOT used:

  1) This draft doesn't use any PTR records, since PTR records 
     are more oriented for human-in-the-loop.  Instead, the draft 
     effectively hardcodes the PTR response to be the device's
     serial number.

     FWIW, this within itself is likely not that big of a deal, since 
     RFC 6763 allows that zero PTR are returned.


  2) The draft's definition of some of the contents of the TXT records
     overalps with SRV information, in conflict with RFC 6763:

     RFC 6763 §6.3 says:

      "The target host name and TCP (or UDP) port number of the service
       are given in the SRV record.  This information -- target host 
       name and port number -- MUST NOT be duplicated using key/value
       attributes in the TXT record."

     But this isn't the case in this draft.  If a device gets a device-
     specific response (i.e., TXT RRs from <sn>._sztp[._tcp].example.com)
     then it is NOT supposed to query for the device-independent SRV
     records.


Note that the WG didn't know about draft-ietf-dnsop-attrleaf until just
now in the IESG review.  We were shoe-horning in DNS-SD as it the closest
fit.  But now that draft-ietf-dnsop-attrleaf is brought to our attention,
perhaps it makes more sense to define a top-level "_sztp" attribute for
the device-specific bootstrapping data?


>> In short, unless we're making radical changes to zerotouch so that it no 
>> longer uses RFC 6763, there is no valid path forward other than 
>> registering a corresponding service in the IANA table cited above (such 
>> as "sztp").

Right, maybe this draft shouldn't say it's using RFC 6763?
That said, happy to keep it as is as well, if that's okay...

Thanks,
Kent


> /a
> 
> ____
> [1] draft-ietf-netconf-zerotouch §4.2.1: "Devices claiming to support 
> DNS as a source of bootstrapping data MUST first query for 
> device-specific DNS records using DNS-SD [RFC6763]"
> 
> [2] RFC 6763 §6: "Every DNS-SD service MUST have a TXT record in 
> addition to its SRV record, with the same name"
> 
> [3] draft-ietf-dnsop-attrleaf §2: "Only global underscored names are 
> registered in the IANA Underscore Global table."
> 
> [4] draft-ietf-dnsop-attrleaf §4.3 defers authority for SRV/_tcp to RFC 
> 2782 and authority for TXT/_tcp to RFC 6763.
> 
> [5] RFC 6763 §7: "The first label of the pair is an underscore character 
> followed by the Service Name [RFC6335]."
> 
> [6] RFC 6335 §10, which is too long too reasonably quote here.
> 
> [7] RFC2782 §"The format of the SRV RR"; see definition of "Service", 
> with STD 2/RFC 1700 -> RFC 3232 -> iana.org
> 
>

v2.23.0 | Report a Bug | By Email