Re: [netconf] updates to client/server drafts

Martin Bjorklund <> Thu, 13 June 2019 15:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 27C0E1202EA for <>; Thu, 13 Jun 2019 08:43:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yovwgZQ7FzuD for <>; Thu, 13 Jun 2019 08:43:29 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 23A951202D8 for <>; Thu, 13 Jun 2019 08:43:29 -0700 (PDT)
Received: from localhost ( []) by (Postfix) with ESMTPSA id 597B01AE0331; Thu, 13 Jun 2019 17:43:27 +0200 (CEST)
Date: Thu, 13 Jun 2019 17:43:26 +0200 (CEST)
Message-Id: <>
From: Martin Bjorklund <>
In-Reply-To: <>
References: <> <> <>
X-Mailer: Mew version 6.7 on Emacs 25.2 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [netconf] updates to client/server drafts
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 13 Jun 2019 15:43:31 -0000

Kent Watsen <> wrote:
> >>> I am strictly against hiding actions by encoding 'verbs' in an ad-hoc
> >>> data format. I rather not support creation of keys on the device.
> >> 
> >> Remember we had this cases:
> >> 
> >> 1.  upload of keys
> >> 2a. generation of keys on the box that will go into hardware protected
> >>    storage (and never be accessible)
> >> 2b. generation of keys on the box that will be stored on disk
> >>    (and never be accessible over the mgmt interface)
> >> 3.  generation of keys on the box that become (protected)
> >> configuration
> This list is missing cases #1 and #3 described here:
> <>.

#1 (pre-existing key in hw) is orthogonal to the pain points we have
here; it should be possible to handle this case.

#3 (upload of hidden key) should also be straight forward with an

> Also, we currently make no distinction between (2a) and (2b) - hidden
> is hidden, however it's implemented.

I know, but the discussion seems to imply that this would be useful and
it seems trivial to support.

> >> I think the previous version of the draft (with YANG actions) handles
> >> 1 and 2 (a and b with trivial updates).
> >> 
> >> It is only (3) that we don't have a solution for that everybody
> >> accepts.
> >> 
> >> So perhaps we should solve 1 and 2a and 2b, and publish that, and
> >> leave 3 for the future?
> > 
> > This may be a way to move forward. In 2a and 2b, will there be a way
> > to remove a generated key via the mgmt interface or do I have to take
> > a bigger hammer to accomplish this?
> I object to reverting to the approach that doesn't have the key's
> 3-tuple (algorithm, public key, private key) marked as mandatory true,
> our doing that before was unhelpful.

I need to go back and re-read (again, I just read all threads on this
issue) some mails to understand what this means.

> I was hoping that the "verbs"
> approach could leap over the impasse but, if Juergen is strictly
> against it, then we should go back to the approach described here:
> <>,
> for which a draft was never published.
> In the previous link, search for "Now let's discuss what this action
> does" and note the two options: (1) is more user-friendly, but one
> that Martin appears to be strictly against

Yes, and Andy and Rob (at least).  And I do not agree that it is user
friendly at all!

> and so perhaps (2) is all
> we can agree on, and yes, there would need to be a third (not
> mentioned) action to delete the key from <operational> (presumably
> after having deleted the same from <running>).  Yes, it is less
> friendly, if you want more friendly, then let's do (1).  I'll update
> the draft shortly based on the less-friendly approach (2).

I don't think (2) is the right solution either.  I think the previous
version of the draft was very close to a workable solution.

> That said, I'm also okay with giving up (for now) trying to enable a
> client request the server to generate a key (hidden or not) or request
> the server to install a hidden key [note: these are #2 and #3 in my
> first link above].

I don't it is necessary to give up this.

IMO the only problematic use case is "let the device generate a key
that then becomes part of the config".  If we avoid that I think we
can handle the other cases.

> I would support this less complete solution
> because it still supports basic configuration (#0) and
> manufacturer-generated keys for, e.g., IDevID certificates (#1), and
> thus a passable go-to-market solution.  If folks don't like the update
> per the previous paragraph, then this looks like a good fallback.