IETF Logo Mail Archive

Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis

Andy Bierman <andy@yumaworks.com> Thu, 04 May 2017 04:50 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A4CC12943D for <netconf@ietfa.amsl.com>; Wed, 3 May 2017 21:50:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9vP08k3ReHq0 for <netconf@ietfa.amsl.com>; Wed, 3 May 2017 21:50:44 -0700 (PDT)
Received: from mail-wm0-x234.google.com (mail-wm0-x234.google.com [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD9A7129B36 for <netconf@ietf.org>; Wed, 3 May 2017 21:50:41 -0700 (PDT)
Received: by mail-wm0-x234.google.com with SMTP id u65so6888784wmu.1 for <netconf@ietf.org>; Wed, 03 May 2017 21:50:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=pEtkmIDoAiOUspoCqzZM2rpfIls5baSl05iWENCutms=; b=vw4dkEANg4k/ateBakLuk42cLntyVXK618SHvC9exSB12KZRwgzUR1b9mNf8JFVS0p Bq2nxndduzYgukVGVqI37GHYk4m7NDqLd3TGJRPb4Ap1XnpKU8d63pJmj5oWAbT1oJ2B aKUvbKAdRK3NvYWwzNMrQBjTm3F/izYCxTetpnZ0RbDuhdo22LrSxKRPXrqaRrEP0vOf xONOWRvo6ebdT/er6lV2Xn2vC9Zyr2Mdw8IIJAoeA8yM6zF+5Qtc5eV75gOpWao2GvmO E+n59sFK6gT5oodZJO6ksNhtEiWfqyHzfXm/IakMiUAiHnEm6U1b17M4t2F9SACnE5Un 6vGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=pEtkmIDoAiOUspoCqzZM2rpfIls5baSl05iWENCutms=; b=YWbugXYwwe+p7ESsJbD0uxt4T9Op23ekVN4mg6La/qyNR6sN18jKwBjFHt74Yz5t7c Iu9rK/LMba1UbFt+8CX+XilzGgEvpeaa/S2/5iVtfeXtqrN+j5/0Qvt4T/uUSDt1gv7v wjdTEp7unu5Wy+gmjWsGC9aZgBrDLItLwJ+c2IC7hsX0rO/smBfzV3CAU2AYeFSFplcR HNEMPrreq2ykcV/qVTZ0iH95c2xPLFjT5UaBijtgn/7gf32dAGhqx3dB/AHiQG4iFsRf fLfaHpnIcwvF3xwLsjIeKIZ6nh2gY7Yi5m3djTdrqa95YfpmWJ7t9TS1tL2P54JgsOX7 vSjA==
X-Gm-Message-State: AN3rC/6EOFmEIdZIH/3Z14fFiZ2IWSEMjOKXJ3VZaI4AMCANxdQG2P7V FrusZ/RJMPDg6YY+xbTCB82DYefz+Q==
X-Received: by 10.28.91.77 with SMTP id p74mr182331wmb.54.1493873440261; Wed, 03 May 2017 21:50:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.155.2 with HTTP; Wed, 3 May 2017 21:50:39 -0700 (PDT)
In-Reply-To: <f2106a6c538a4b9e96ba490b867bd40d@XCH-RTP-013.cisco.com>
References: <A13E62FA-AB96-4164-98D5-3CC1D04A78E8@gmail.com> <E236AC6C-4B6D-43B1-8092-0B8AA3F4D6AA@gmail.com> <f2106a6c538a4b9e96ba490b867bd40d@XCH-RTP-013.cisco.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Wed, 03 May 2017 21:50:39 -0700
Message-ID: <CABCOCHTo+vO7LRJTEPFxOLH5fGkCPDJrO8QRbq_bnOHNS9skqA@mail.gmail.com>
To: "Eric Voit (evoit)" <evoit@cisco.com>
Cc: Martin Bjorklund <mbj@tail-f.com>, Netconf <netconf@ietf.org>, Mahesh Jethanandani <mjethanandani@gmail.com>
Content-Type: multipart/alternative; boundary="001a11443132bf1e58054eab8358"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/qYOCnDq__PkoN1gDQCMy0dYz8KY>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 04:50:46 -0000

On Wed, May 3, 2017 at 6:15 PM, Eric Voit (evoit) <evoit@cisco.com> wrote:

> Hi Andy,
>
> Hi Martin,
>
>
>
> This is an excellent document.  I  have a few questions:
>
>
>
> #1 Section 3.1.3
>
> If a data node identified in a request has no read access allowed (i.e.,
> data node rule violation), isn’t it better to treat the response like the
> node didn’t exist, i.e. a “data-missing” error code?   You highlight this
> as an issue in 3.7.2, but I don’t see a reason why “data missing” isn’t
> preferable to “access denied” (other than ease of debug.)
>
>
>

data-missing seems tied to the delete operation error
(client tried to delete a node that does not exist).
access-denied can apply to the object -- the data may or may not exist.
I think many of the NETCONF error-tags overlap and we just have to make
a subjective choice.




> #2  Section 3.1.3
>
> On the sentence: “If the user is not authorized to read all the specified
> data nodes and the notification node, then the notification is dropped for
> that subscription.”    There is a difference between events (where the
> whole event should be discarded), and YANG object selections (where it is
> preferable to just discard those node for which a receiver has no
> access).   What are your thoughts based on the type of notification of
> allowing the simple dropping any nodes where read access is not available
> if the notification includes some extract of a yang datastore?
>

The initial intent was to keep NACM simple and make it easier to have high
performance implementations.
NACM only allows the event-type to be tested, not any data within it. IMO
the new notification work will
be significantly more expensive to implement high performance notification
delivery.

NACM does not really work the way YANG push wants it to work.
The  path /my-event/interfaces/interface/name is not the same node
as /interfaces/interface/name. Some handwaving text may say treat these
nodes the same, but they are not related at all (from a NACM POV)



>
> #3 Section 3.4.6
>
> Outgoing <notification> Authorization in 3.4.6 say descendent nodes are
> out of scope.  But as some notifications can contain datastore extracts, it
> would seem useful allow NACM to act similarly to the processing of a
> response to a get.  Also is there an intersection of this point with #2
> above?
>

IMO this should not be done (unless you want you code to run way slower)
It also means the client cannot be sure what the server will leak.
I prefer to apply NACM at subscription-time. If the client is not allowed to
read everything in the requested subscription, it is denied.

This doesn't really work for data rules on specific instances that get
created
after the subscription starts. But applying NACM data rules to every
descendant
node in a YANG push is going to be extremely slow. This gets even worse
for subscriptions with multiple receivers (as NACM has to be enforced for
each receiver). I would prefer to see a solution that forces YANG push
to enforce NACM at update generation time (before the notification
delivery system ever sees it) But this assumes YANG push is aware
of the active subscriptions, so not an ideal solution at all.






>
>
> Thanks,
> Eric
>

Andy


>
>
> *From:* Mahesh Jethanandani, May 3, 2017 5:18 PM
>
> Folks,
>
>
>
> There has been literally no feedback on this document, either to say they
> have read the document and support it, or to express concerns about the
> document. Silence, unfortunately is not a good guide for us. To move the
> document forward, we need to hear from folks, including those who were in
> IETF 98.
>
>
>
> Thanks.
>
>
>
> On Apr 18, 2017, at 5:34 PM, Mahesh Jethanandani <mjethanandani@gmail.com>
> wrote:
>
>
>
> NETCONF WG,
>
> In IETF 98, the authors indicated that the above draft was ready for Last
> Call, and the consensus in the room indicated as much.
>
>
>
> This is a start of a 2 week WG Last Call for
> draft-ietf-netconf-rfc6536bis. After two weeks, the document will be
> assigned a shepherd, and the document will be prepared for IESG.
>
> The latest version of the draft can be found at:
> https://tools.ietf.org/html/draft-ietf-netconf-rfc6536bis-01
>
> Please review and send any comments to the WG mailing list or by
> responding to this e-mail. Comments can be statements such as, I
> read/reviewed the document and believe it is ready for publication, or I
> have concerns about the document. For the latter, please indicate what your
> concerns are.
>
> Any reports on implementation status or plans to implement are also very
> useful.
>
>
>
> Authors, please indicate if you are aware of any IPRs related to the draft.
>
>
>
> Thanks.
>
> Mahesh and Mehmet
>
>
>
>
>
>
>
> Mahesh & Mehmet
>
>
>
>
>
>
>

v2.23.0 | Report a Bug | By Email