[netconf] Benjamin Kaduk's Discuss on draft-ietf-netconf-subscribed-notifications-24: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Tue, 30 April 2019 21:11 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: netconf@ietf.org
Delivered-To: netconf@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 26FFC1203E3; Tue, 30 Apr 2019 14:11:11 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-netconf-subscribed-notifications@ietf.org, Kent Watsen <kent+ietf@watsen.net>, netconf-chairs@ietf.org, kent+ietf@watsen.net, netconf@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.95.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <155665867115.7536.12392383474714269681.idtracker@ietfa.amsl.com>
Date: Tue, 30 Apr 2019 14:11:11 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/qN8nApGkcg_31gVMFIAfTLBRqh0>
Subject: [netconf] Benjamin Kaduk's Discuss on draft-ietf-netconf-subscribed-notifications-24: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2019 21:11:14 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-netconf-subscribed-notifications-24: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-netconf-subscribed-notifications/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thanks for this document; I just have a few minor "housekeeping" points that should get resolved before publication. (Please also note the substantive comments in the COMMENT section as well, particularly those relating to the transport requirements and security considerations.) I'm not sure that we state clearly enough what is required to have a specification for a transport for notifications. Specifically (see COMMENT), in the module we seem to say that the specification must indicate what the default encoding is to be used if not otherwise specified, but that's not enumerated as a requirement on such a specification anywhere I see. I also think that we could probably require (as opposed to "highly recommend" in the current security considerations) that the transport provide message confidentiality and integrity protection. I'm also unsure that I properly understand the use of the "reset" RPC -- if it has no effect when transit connectivity already exists, then what entity is going to call "reset" in the case of publisher timeout when trying to reach a receiver? Surely not the publisher itself, since that would just be publisher-internal functionality with no need for an external-facing RPC. I'm also a little unclear on the mechanics of the list of subscriptions described in Section 3.3. Does it provide a way for a low-privilege client (that can only access one or a handful of the subscriptions) to enumerate all subscriptions that exist, including subscriptions used by high-privilege clients? If so, we may want to think about some security considerations text to that effect; if not, we may want to say that the access-control will limit which leafs are visible to some clients. Finally, we have a few instances of "leaf filter-failure-hint" that's of type "string", providing "Information describing where and/or why a provided filter was unsupportable for a subscription."; I don't understand why it's a string as opposed to some form of machine-readable data. Is it supposed to be human-readable? Does that bring in any internationalization considerations? ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Section 1.3 Also note that transport specific transport drafts based on this specification MUST detail the life cycle of dynamic subscriptions, as well as the lifecycle of configured subscriptions (if supported). I'm not sure I understand what additional specification is needed for the lifecycle of configured subscriptions -- doesn't the previous text tightly tie their lifecycle to the presence of configuration in the configuration datastore? nit: please be consistent about "life cycle" vs. "lifecycle" throughout. Section 2.1 An event stream is a named entity on a publisher which exposes a continuously updating set of YANG encoded event records. [...] nit: I don't think "YANG encoded" is well-defined (here and below), in that YANG structures generate data models but can be encoded into various formats (like XML and JSON). Section 2.3 If the publisher supports the "dscp" feature, then a subscription with a "dscp" leaf MUST result in a corresponding [RFC2474] DSCP marking being placed within the IP header of any resulting notification messages and subscription state change notifications. Where TCP is used, a publisher which supports the "dscp" feature SHOULD ensure that a subscription's notification messages are returned within a single TCP transport session where all traffic shares the subscription's "dscp" leaf value. Where this cannot be guaranteed, any "establish subscription" RPC request SHOULD be rejected with a "dscp-unavailable" error I can't decide whether we need to be more explicit in the second and/or third sentences that this remains contingent on the subscription in question having a "dscp" leaf. nit: end sentence with a full stop I share the TSV-ART reviewer's confusion about how the weighting (as well as DSCP) functionality is intended to work. Section 2.4.2.1 Replay provides the ability to establish a subscription which is also capable of passing recently generated event records. In other words, nit/editorial: this language could probably be more clear about "recently generated" meaning "in the past", that is, records for events that have already happened when the subscription is established. Section 2.4.3 any number of times. Dynamic subscriptions can only be modified via this RPC using a transport session connecting to the subscriber. If nit(?): is this more readable as "connecting to" or "connecting from" the subscriber? (The same wording shows up throughout the document, but I'll try to just comment once.) Section 2.4.5 Is there any distinction between "killing a subscription" and "administratively deleting a subscription"? It's unclear to me that we need the extra connotations of the word "kill", here. Section 2.4.6 As a result of this mixture, how subscription errors are encoded nit: "mixture" doesn't seem like the right word to me; "variety" or "varied population" are the first alternatives that come to mind, though they are not perfect either. Is there some sort of "access denied" error that could result from kill-subscription RPCs? (The table/artwork only lists "no-such-subscription".) Section 2.5 It's interesting to see a slight dichotomy between dynamic and configured subscriptions, in that (IIUC) for dynamic subscriptions, a modification event un-suspends a subscription immediately, but for configured subscriptions the publisher seems to have some latitude to retain the subscription in the suspended state for some time before un-suspending it and sending the "subscription-modified" state change message. In this case, a separate dynamic subscription can be established to retransmit the missing event records. Do you want to put in a pointer to replay-start-time here? Section 2.5.1 Event records are only sent to active receivers. Receivers of a configured subscription remain active if both transport connectivity can be verified to the receiver, and event records are not being dropped due to a publisher buffer overflow. [...] nit: "buffer overflow" is a technical term in security circles indicating a potentially exploitable security flaw; would "publisher buffer capacity being reached" be an acceptable substitute (here and below)? Section 2.7.7 This notification indicates that all of the event records prior to the current time have been passed to a receiver. It is sent before any notification message containing an event record with a timestamp later than (1) the "stop-time" or (2) the subscription's start time. nit(?): this text seems to imply that a notification message with a timestamp later than the "stop-time" might actually be sent, which IIUC is not the case. Section 2.9 nit: the name "supports-vrf" for the feature doesn't really parallel the other feature names, that don't include a word like "support" and rather just describe the actual feature. Section 3.1 Is there any risk of collision in event stream names from vendor-specific streams? (We don't seem to create an IANA registry for them, for example.) Section 4 identity subscription-suspended-reason { description "Problem condition communicated to a receiver as part of a 'subscription-terminated' notification."; } identity subscription-terminated-reason { description "Problem condition communicated to a receiver as part of a 'subscription-terminated' notification."; } Are these descriptions supposed to be the same? identity configurable-encoding { description "If a transport identity derives from this identity, it means that it supports configurable encodings. An example of a [...] Is it intended that such future transports (or future encodings?) will derive from both this and the normal base identity (i.e., "transport")? I guess I'm asking why this identity does not derive from the corresponding base, but that's just a style question and not really a protocol matter, making this question a side note. leaf weighting { if-feature "qos"; type uint8 { range "0 .. 255"; } description "Relative weighting for a subscription. Allows an underlying transport layer perform informed load balance allocations between various subscriptions"; reference "RFC-7540, section 5.3.2"; Do we want to chase the reference for readers and say that larger weights get more resources? leaf encoding { when 'not(../transport) or derived-from(../transport, "sn:configurable-encoding")'; type encoding; description "The type of encoding for notification messages. For a dynamic subscription, if not included as part of an establish- subscription RPC, the encoding will be populated with the encoding used by that RPC. For a configured subscription, if not explicitly configured the encoding with be the default encoding for an underlying transport."; Where is the default encoding for an underlying transport specified? Section 5.3 does not seem to say that a transport specification must provide this information, nor does Section 1.3 (which mentions that transport specifications must detail the lifecycle of dynamic subscriptions), nor does Section 2.5.7 (that discusses the need for a separate model augmenting /subscriptions/subscription/receivers/receiver to provide transport details). choice notification-message-origin { if-feature "configured"; description "Identifies the egress interface on the publisher from which notification messages are to be sent."; nit: given the address-originated case, perhaps "the egress interface" is not quite correct anymore. enum connecting { value 3; if-feature "configured"; description "A subscription has been configured, but a 'subscription-started' subscription state change notification needs to be successfully received before notification messages are sent. nit: successful receipt happens on the receiver but sending happens on the publisher, so there's a bit of a mismatch in the sentence subject here. Perhaps we could talk about "successfully sent" state-changes to resolve things. config false; mandatory true; description "Specifies the state of a subscription from the perspective of a particular receiver. With this info it is possible to determine whether a subscriber is currently generating notification messages intended for that receiver."; nit: is it the subscriber that is generating messages or the publisher? Section 5.3 A secure transport is highly recommended and the publisher MUST ensure that the receiver has sufficient authorization to perform the function they are requesting against the specific subset of content involved. "secure transport" usually means that it provides message confidentiality, integrity protection, and source authenticity (akin to the mutual authentication). This is qualitatively different from implementing authorization checks, and it's surprising to see them squashed into the same sentence. Do we want to say anything about discovery for support of new transports, and what workflow would be used to negotiate the use of a new transport? Section 5.4 I can think of a couple other considerations to mention here: - Using DNS names for receiver "name" lookup can cause situations where the name resolves differently on the publisher and subscriber, so the recipient would be different than expected. - Using the publisher's boot time for deduplication protection on replayed messages introduces a dependency on accurate time. We don't have a great secure time story at present, so this is more of a "beware of risk" situation than something we can mitigate, but it does seem that an attacker that could (e.g.) spoof the NTP traffic to the publisher on boot could cause it to send duplicate notifications to recipients that requested historical data. Some other comments on what's already there (which is pretty good; thanks for it!) follow. Container: "/filters" o "stream-subtree-filter": updating a filter could increase the computational complexity of all referencing subscriptions. o "stream-xpath-filter": updating a filter could increase the computational complexity of all referencing subscriptions. Do we want to say anything about modifying either of these causing the set of notifications delivered to recipients to shrink (or become unmanageably large)? I guess it may not be necessary, since the recipient gets a notification about the modification that includes the details of the filter. Container: "/subscriptions" o "excluded-event-records": leaf can provide information about filtered event records. A network operator should have permissions to know about such filtering. To be clear, this is event records filtered either via explicit filter or via access control restrictions. Specifically, it can allow a receiver to learn that there exists access controls that deny it access to some data, in the case when they did not apply any filtering rules explicitly. This potential for information leakage (of the existence of ACLs) should be mentioned explicitly. Appendix A This example transport module does not specify the life cycle of dynamic subscriptions per Section 1.3, and a couple other things required from a transport module specification. Perhaps we are okay claiming that since this is just an example YANG model and not a full transport example, the omission is okay, but it may be worth mentioning the omission for clarity.
- [netconf] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk via Datatracker
- Re: [netconf] Benjamin Kaduk's Discuss on draft-i… Eric Voit (evoit)
- Re: [netconf] Benjamin Kaduk's Discuss on draft-i… Benjamin Kaduk
- Re: [netconf] Benjamin Kaduk's Discuss on draft-i… Eric Voit (evoit)
- Re: [netconf] Benjamin Kaduk's Discuss on draft-i… Benjamin Kaduk
- Re: [netconf] Benjamin Kaduk's Discuss on draft-i… Eric Voit (evoit)