Re: [netconf] Create IANA-defined modules?

[Qin Wu <bill.wu@huawei.com>]

发件人: Kent Watsen [mailto:kent+ietf@watsen.net]
发送时间: 2021年6月15日 0:22
收件人: Qin Wu <bill.wu@huawei.com>; tom petch <ietfc@btconnect.com>; Per Andersson (perander) <perander@cisco.com>
抄送: netconf@ietf.org
主题: Re: [netconf] Create IANA-defined modules?

Thank you Qin, Tom, and Per for the responses to my last post…this message addresses them all.

Since the discussion has been mostly about *how* to create the IANA-defined module (not *if* we should, e.g., dropping the work for some future effort to pickup), I take it that folks believe having the ability for configure supported-algorithms is needed now.  As no one offered to help (:sigh:, and people wonder why this work takes so long), I wrote the attached script that creates the attached module directly from the data obtained from the IANA-maintained "TLS Cipher Suites" sub-registry of the "Transport Layer Security (TLS) Parameters” registry here: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml.  The resulting module is also attached.

[Qin Wu]  The proposed module looks good to me, I assume these cipher-suite identities are not specific to particular version of TLS, e.g., TLS1.3.

Tom, you will be happy to know that the all the identity names begin with “tls”  :)    Also, there are no “feature” statements, since there is nothing in the source registry that can be used to generate “if-feature” statements.  Out of the 347 algorithms listed in the registry,  310 algorithms are marked “status deprecated” (driven by the “recommended” column having value ’N’), and 7 algorithms are marked “status obsolete” (driven by the "SC-tls-des-idea-ciphers-to-historic” reference).

Regarding if to use a  “config false” tree or an RPC, Per makes an interesting point about “must" and “when” expressions, though I do wonder how that would play out in practice, as said expressions would (presumably) be defined under “config true” nodes and hence couldn't reference the “config false” values?  Maybe Per could say some more about the use-case in mind.

No one responded regarding if we should use identities or enumerations.  The attached sample module uses identities, but it would be an easy thing to change the script to generated enumerations - thoughts?

Again: if “identity” statements are used, and the module is *implemented*, it would NOT mean the server supports all (or even any) of the algorithms. This would only be known if the algorithm appears in the “supported algorithms” "config false” list.  Does anyone feel this is a misuse of YANG?  IMO, YANG identities needing to be implemented is not very useful in practice, and so I don’t view that as a negative in the slightest.

[Qin Wu] I agree with Per that it seems identities are better choice.
K.