IETF Logo Mail Archive

Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis

Alexander Clemm <alexander.clemm@huawei.com> Thu, 04 May 2017 17:22 UTC

Return-Path: <alexander.clemm@huawei.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C897F129471 for <netconf@ietfa.amsl.com>; Thu, 4 May 2017 10:22:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hrXSkB1aSqVL for <netconf@ietfa.amsl.com>; Thu, 4 May 2017 10:22:41 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FD14128C82 for <netconf@ietf.org>; Thu, 4 May 2017 10:22:40 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml704-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DFZ77708; Thu, 04 May 2017 17:22:35 +0000 (GMT)
Received: from SJCEML702-CHM.china.huawei.com (10.208.112.38) by lhreml704-cah.china.huawei.com (10.201.108.45) with Microsoft SMTP Server (TLS) id 14.3.301.0; Thu, 4 May 2017 18:22:34 +0100
Received: from SJCEML701-CHM.china.huawei.com ([169.254.3.8]) by SJCEML702-CHM.china.huawei.com ([169.254.4.233]) with mapi id 14.03.0235.001; Thu, 4 May 2017 10:22:31 -0700
From: Alexander Clemm <alexander.clemm@huawei.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>, Netconf <netconf@ietf.org>
Thread-Topic: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
Thread-Index: AQHSuKTAIzHBCUfDlEODIHfKLGbb7aHjqZkAgADTj3A=
Date: Thu, 04 May 2017 17:22:30 +0000
Message-ID: <644DA50AFA8C314EA9BDDAC83BD38A2E0DF956E8@SJCEML701-CHM.china.huawei.com>
References: <A13E62FA-AB96-4164-98D5-3CC1D04A78E8@gmail.com> <E236AC6C-4B6D-43B1-8092-0B8AA3F4D6AA@gmail.com>
In-Reply-To: <E236AC6C-4B6D-43B1-8092-0B8AA3F4D6AA@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.213.48.144]
Content-Type: multipart/alternative; boundary="_000_644DA50AFA8C314EA9BDDAC83BD38A2E0DF956E8SJCEML701CHMchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020206.590B635E.0119, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.3.8, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: d85c8d325a47478ee78e7b4c7292f8ef
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/sQv3URsJam45-2sDNnvdkr00Tzc>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 17:22:44 -0000

Hi,

FWIW, I do have a few comments.  Overall the document is in good shape, but there are a few items where I think it can be made even better:-)


-          I think it would be good to include a section on how the revised datastores will impact requirements on NACM.  I don't think anything major is required, but there are a few places where some updates could be made, and/or perhaps a brief section could be added somewhere discussing this.  For example, in Figure 1 (Section 2.1) where it says "datastore or state data access" (technically, this remains correct, but this seems to have the previous model in mind), also fig 3 assuming RPCs will always be against config datastore).   It might also mention which datastore NACM rules apply to when the same data is contained in multiple datastores.  Technically, I don't think there will be a distinction (any differentiation would apply to read operations, and I cannot think of a good example where such differentiation would be needed), still it might be good to be explicit about it.

-          In section 3.4.6 (outgoing <notification> authorization), it states that access control is applied only to notification as a whole, not to any data it contains.  This is clear enough; however, it is a limitation.  Specifically, in YANG-Push there is a requirement to be able to apply a security filter to not push data that the receiver is not authorized to receive (or not accept/terminate a subscription which contains such data altogether).  If NACM does not provide this, another mechanism or a NACM extension will be needed (that will still need to use the privileges configured in NACM).  At a minimum, this needs to be clearly called out.

-          I wonder why NACM is restricted to NETCONF or RESTCONF.  Really, this restricts access to data in YANG datastores; while NETCONF and RESTCONF do need to be called out specifically and the document does need to spell out how it is applied in this context, it would probably be good to clarify that NACM should apply to other protocol access.

-          It would be good to indicate that the source of access control rules is not restricted to external clients, but that they could originate from the server itself.  This is the same config/operational state discussion that has come up in other contexts (e.g. the topology models), and I think it applies here as well.  Again, this is where the revised datastores model is intended to provide a solution - i.e. the NACM rules in the config datastore may be only a subset of the ones in the operational datastore, etc - but I think it is important enough to be called.

Thanks
--- Alex

From: Netconf [mailto:netconf-bounces@ietf.org] On Behalf Of Mahesh Jethanandani
Sent: Wednesday, May 03, 2017 2:18 PM
To: Netconf <netconf@ietf.org>
Subject: Re: [Netconf] WG LC for draft-ietf-netconf-rfc6536bis

Folks,

There has been literally no feedback on this document, either to say they have read the document and support it, or to express concerns about the document. Silence, unfortunately is not a good guide for us. To move the document forward, we need to hear from folks, including those who were in IETF 98.

Thanks.

On Apr 18, 2017, at 5:34 PM, Mahesh Jethanandani <mjethanandani@gmail.com<mailto:mjethanandani@gmail.com>> wrote:

NETCONF WG,

In IETF 98, the authors indicated that the above draft was ready for Last Call, and the consensus in the room indicated as much.

This is a start of a 2 week WG Last Call for draft-ietf-netconf-rfc6536bis. After two weeks, the document will be assigned a shepherd, and the document will be prepared for IESG.

The latest version of the draft can be found at:
https://tools.ietf.org/html/draft-ietf-netconf-rfc6536bis-01

Please review and send any comments to the WG mailing list or by responding to this e-mail. Comments can be statements such as, I read/reviewed the document and believe it is ready for publication, or I have concerns about the document. For the latter, please indicate what your concerns are.

Any reports on implementation status or plans to implement are also very useful.

Authors, please indicate if you are aware of any IPRs related to the draft.

Thanks.

Mahesh and Mehmet



Mahesh & Mehmet

v2.23.0 | Report a Bug | By Email