Re: [Netconf] LC on subscribed-notifications-10

Kent Watsen <> Thu, 24 May 2018 00:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A8EE4127201 for <>; Wed, 23 May 2018 17:44:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8DIfL_bU_M_K for <>; Wed, 23 May 2018 17:44:23 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 028EF12D876 for <>; Wed, 23 May 2018 17:44:22 -0700 (PDT)
Received: from pps.filterd ( []) by ( with SMTP id w4O0iKCU027758; Wed, 23 May 2018 17:44:20 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=PPS1017; bh=ivJqHvRaJy0mYDwHbTi/is/9/lhVyKhJ+1L+EGvdqag=; b=rGCxbBB8dUGTYHFcJOroEfyz29RrG4oFKSyYH64sq5QLDRcuJvTKe8cFOlnMYPp872Fw MF3Ra0bPGGbCxivJoI6kRCFfCAUX27AMGpkGnVOgWHAkyByqkyW1OqXlCQclxS0ASZg1 ByzhkGu2RpN4JKwYDAJDjrnA6ReR2emLXf5vj5zxXwRJOST9P24CgAukywtmr0w14uuA 5+qBYPfhGnKu6yX6Zu5EfvnlrPPR+hFrOOXnfsAU5X3X6IHM+Bqrfvaf91pGnbHZcTbv nFsKxNeaHbSEzkXYmFf+WbUOcBIGhQnvIQja5oET2cNiyx1QISX9+BJ3C5Cziv+K7gJ3 YA==
Received: from ( []) by with ESMTP id 2j5df7gjey-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 23 May 2018 17:44:19 -0700
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.797.5; Thu, 24 May 2018 00:44:16 +0000
Received: from ([fe80::95f0:e564:96c8:7f1c]) by ([fe80::95f0:e564:96c8:7f1c%2]) with mapi id 15.20.0797.011; Thu, 24 May 2018 00:44:15 +0000
From: Kent Watsen <>
To: "Eric Voit (evoit)" <>, Alexander Clemm <>, "" <>
Thread-Topic: [Netconf] LC on subscribed-notifications-10
Date: Thu, 24 May 2018 00:44:15 +0000
Message-ID: <>
References: <> <> <040a01d3be9f$09700490$1c500db0$> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: []
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR05MB4246; 7:/O/peVXuMpzwnROp7E69fNzbJNBujLaAbG8+VzFP8J09PkO0wQLrWar/NGr+lZV4cZXYLEtfl0XTTj1Ue9tfYXFoAYrdnStH0LDunivregFyMxN4qef+XmsWhLjqlfjCF2dhZqVG/l1dW5CckEFSbs0O1M0LHRlGAzXxI2CNt+EAWr5Nn7gwm+5KcrTZtCFNnjhczjCfKsNGGTPS9lQYQDuZL6AD5EBGwNpGCAhG/2NYCiUyJLlu4TNfBsOh3FTk
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(48565401081)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:BYAPR05MB4246;
x-ms-traffictypediagnostic: BYAPR05MB4246:
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(192374486261705)(21748063052155)(17755550239193);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3231254)(944501410)(52105095)(3002001)(10201501046)(93006095)(93001095)(6055026)(149027)(150027)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123562045)(20161123558120)(20161123560045)(6072148)(201708071742011)(7699016); SRVR:BYAPR05MB4246; BCL:0; PCL:0; RULEID:; SRVR:BYAPR05MB4246;
x-forefront-prvs: 0682FC00E8
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(366004)(39380400002)(376002)(346002)(39860400002)(199004)(189003)(51444003)(7110500001)(7736002)(6246003)(53936002)(486006)(8936002)(86362001)(6306002)(54896002)(81156014)(81166006)(8676002)(106356001)(105586002)(6512007)(53946003)(2900100001)(6116002)(3846002)(229853002)(66066001)(446003)(476003)(2616005)(11346002)(97736004)(6486002)(36756003)(6436002)(561944003)(5660300001)(59450400001)(10710500007)(6506007)(2906002)(15650500001)(2420400007)(33656002)(3280700002)(478600001)(3660700001)(14454004)(26005)(102836004)(186003)(2501003)(5250100002)(82746002)(110136005)(58126008)(316002)(83716003)(9326002)(93886005)(76176011)(99286004)(68736007)(25786009); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR05MB4246;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None ( does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 4k13qDaLEGTT7v5yoyp0Cnl+I4bKUxkwuz3o/tGATwe74bm1s6eh6sizVQInqaXhO+q3wQY4o8ayVt5R6aw8P2RYvo5K1t2IoSMe94eqrzinGr6h3aas61j2sWEMXS3mCCJ3bQquG5Y9WbFaFgoxe5MPbG7wTDHHz12r4YUXNDCkNJG06cUVe+ZdXioR7W7d
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_01486F5ECEE34BDD9CD2CA2754981000junipernet_"
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: d54ae0e7-4f03-4d51-8100-08d5c10f7a11
X-MS-Exchange-CrossTenant-Network-Message-Id: d54ae0e7-4f03-4d51-8100-08d5c10f7a11
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 May 2018 00:44:15.8649 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB4246
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-05-23_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1805240007
Archived-At: <>
Subject: Re: [Netconf] LC on subscribed-notifications-10
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 24 May 2018 00:44:28 -0000

Hi Eric,

Now <Kent7>.    BTW, I wish we switched to ASCII a while back…
Also, I removed highlighting because it was getting confusing.



<Eric3>  Added the descriptive paragraph requested in the middle of the three paragraphs below...

It is possible to place a start time on a configured subscription.  This enables streaming of logged information immediately after restart.

Replay of events records created since restart can be quite useful.  This allows event records generated before transport connectivity was supportable by a publisher to be passed to a receiver.  In addition, event records logged before restart are not sent.  This avoids the potential for accidental event record duplication.  Such duplication might otherwise be likely as a configured subscription’s identifier before and after the reboot is the same, and there may be not be evidence to a receiver that a restart has occurred.  By establishing restart as the earliest potential time for event records to be included in notification messages, a well-understood timeframe for replay is defined.

Therefore, when configured replay subscription receivers first become ACTIVE, buffered event records (if any) will be sent immediately after the "subscription-started" notification.  And the leading event record sent will be the first event record subsequent to the latest of four different times: the "replay-log-creation-time", "replay-log-aged-time", "replay-start-time", or the most recent publisher boot time.

<Kent3> Hmmm, I'm having a negative reaction to the "event records logged before restart are not sent" bit.  I know what you are trying to do, but I worry that this behavior might drop important logs, perhaps to the advantage of an adversary.  Note that some devices implement an <edit-config> with a restart.  Maybe the solution should require publishers to maintain a per configured-subscription awareness of (roughly) which log was sent last?   - and notify the receiver when a restart has occurred, or when the replaying of events occurs, so that they can be aware that there might be some duplicates?

<Eric4>  The current solution guarantees no duplicates, and also informs the receiver of each new “start-time”.  This allows the receiver to attempt to reconstruct any gaps from the last event previously pushed, should the choose to attempt such reconstruction.   As a dynamic subscription has no such boundary constraints on replay and boot time, all a subsequent dynamic subscription needs to do is to request the events between the last received event previously received from that configured subscription and the new replay-start-time.

<Kent4> So, the receiver is informed of each new "start-time" via the "subscription-started" control message, and then MUST do a short-lived dynamic subscription to scoop-up any possibly-missed logs, for which there may be none?   If we choose to keep this behavior, the draft should say this more clearly, perhaps in the Security Considerations section…

<Eric5> Added the following text as the last paragraph in the Implementation Considerations Section...

For configured replay subscriptions, the receiver is protected from duplicated events being pushed after a publisher is rebooted.  However it is possible that a receiver might want to acquire event records which failed to be delivered just prior to the reboot. Delivering these event records be accomplished by leveraging the “eventTime” from the last event record received prior to the receipt of a “subscription-started” state change notification.  With this “eventTime” and  the “replay-start-time” from the “subscription-started” notification, an independent dynamic subscription can be established which retrieves any event records which may have been generated but not sent to the receiver.

 <KENT5> Is this really limited to reboots, or any restarting of a configured subscription?

<Eric6> The protection from event replication is just for reboots – this is because the configured replay start time might duplicate events already sent from a previous boot.

<Kent6> So, in the case of a suspend/resume, the device picks up where it left off?   Or is it also just starting with "current"?  (strangely, I'm having trouble finding this answer in -13).  If it picks up where it left off, does this mean that the device has index of some sort and, if so, why can't that state be persisted in the case of a graceful shutdown/restart?

<Eric7> It would be *very* difficult to persist on the publisher which event actually was received last by a receiver.  However the receiver can make that determination, as it does maintain that state.  Look for my proposal below on how to handle this with a new leaf in “subscription-started” “replay-previous-event-time”

<Kent7> good point about what was *received* as opposed to what was *sent*, as they may differ, but then would the publisher be able to say the last event it sent?  As I recall your proposal from before, we the receiver *always* needs a dynamic subscription to fill in any *potentially* missing gaps.  My goal is to try to change the "always" to a "sometimes" by giving the receiver enough info to know there is a gap, or perhaps just know when there wasn't a gap but, in either case, it becomes less than "always".

But the mechanism to retrieve lost events is common between reboots and restarts.  I.e., using this solution, a receiver never needs to know a reboot occurred.  It just knows that a subscription restart occurred, and there might be a gap in events which should be retrieved via a dynamic subscription.

By having the receiver follow the same process for both reboots and restarted subscriptions, it simplifies recovery procedures.

<Kent6> I'm unsure about the "same process" (mentioned in my previous comment).

<Eric7> It is the same process.  Note that below, the “replay-previous-event-time” tweak allows a receiver to determine if there are events missed.  And with the tweak, the fact a reboot has happened is still not explicitly exposed.

<Kent7> Sorry, I didn't mean I didn't know if the process was the same between the two interactions, but what the "same process" is.   Nonetheless, what you write above ("allows a receiver to determine if there are events missed") is music to my ears, and I see now that you've just now added the "replay-previous-event-time” (that wasn't clear to me at first, I had to look at -13 to be sure).  I'll look at it more closely in the section where it is introduced below.  Regarding your last sentence, I take it that it not being explicitly exposed is a good thing, right?

Next, I view this as a Security Consideration, since nefarious things can happen when a device reboots and note that a DoS could extend the gap to hours or days.  I think that this draft (the text above) is watering down the issue.  In my view, this is a huge consideration, along the lines of a receiver really MUST always try to use a dynamic subscription to fill in any gaps.

<Eric6> I agree this is a best practice, but a MUST would require telemetry receivers to have to support dynamic subscriptions.  I can see IoT receiver implementations where this wouldn’t be likely.

<Kent6> Good point, but I don't see in the YANG module establish-subscription being optional to implement.  Is that an oversight?

<Eric7> This is ok.  It is totally fine for a publisher to support dynamic subscriptions.  But a receiver need not.  Perhaps a lightweight IoT client just will just be a configured subscription receiver.

<Kent7> I think you misunderstood me.  Using your IoT example, even though a device (or the entire IoT space) only uses configured subscriptions, the current module doesn't enable a server to not support dynamic subscriptions.   For constrained devices, having to implement something never used could be a problem…

To cover your desire to highlight this in security, I have added the following requirement to the Security Considerations Section:

When a configured receiver gets a new “subscription-started” message for a known subscription where it is already consuming events, the receiver SHOULD retrieve any event records generated since the last event record was received.  This can be accomplish by establishing a separate dynamic replay subscription with the same filtering criteria with the publisher.

<Kent6> that's helpful.  Perhaps tack onto the end of the last sentence something like ", assuming the publisher supports the ['dynamic' and] 'replay' feature[s]"?

<Eric7>  Added
“, assuming the publisher supports the "replay" feature.”
As dynamic isn’t an optional feature.

<Kent7> okay, that's expected, but see my previous Kent7 comment, I think that we might want dynamic to be optional.

It almost begs the question for why configured subscriptions are supported at all.

<Eric6> Because there have been lots of industry requests.  And lots of implementations with non-IETF solutions.  Personally I prefer dynamic subscriptions.

<Kent6> I can see the appeal of configured subscriptions, but if each receiver of a configured subscription SHOULD always do a dynamic subscription on every publisher reboot, it is already being coded to support dynamic subscriptions, at which point it seems that maybe it should've just been implemented to support dynamic subscriptions from the start (on top of the publisher-initiated call-home transport, of course).   Can you say some more about these industry requests and, in particular, if the requests are still strong even when made aware of the need to also do dynamic subscriptions?

<Eric7>  Here is an industry request:  stream event record entries being placed into security logs (e.g., Integrity Measurement Architecture audit events).   These events are only relevant starting at boot time.  Losing events means a system cannot be validated.  And days after a boot, streaming all the events since boot would result in too many events.   So, in this environment, doing a dynamic subscription to fill the gap is acceptable.

<Kent7> meh


<Kent4> this I agree with, but I really don't like the fact that receiver MUST do a short-lived dynamic subscription to scoop-up any possibly-missed logs, for which there may be none.  Perhaps we could add more values into the "subscription-started" notification message that would enable to receiver to make a local determination if such a dynamic subscription would be  helpful?

<Eric5> I recommend against providing extra objects/reasons in the “subscription-started” at this time.  Publishers might not want to advertise a reboot, and they might not want to advertise why there was loss in event continuity.   All that should matter to a receiver is that such a discontinuity existed, and they have a way to try to fill event the gap should they care.  If the need for more data and the cause of the discontinuity turns out to be required, we can always augment here with future objects.

<KENT5> first, I'm still not 100% sure if this is just a reboot problem, or any time the subscription is restarted/resumed.

<Eric6> Per above: retrieving missing event records is not a reboot specific problem.  But unintentionally replicating event records is reboot specific.  (Otherwise the configured replay-start-time would drive a repeat of everything on each and every reboot.)

<Kent6> okay, I think I got it this time.  Having a *configurable* replay-start-time is so confusing.  Is it really worth having?

<Eric7>   Yes it is worth having.

(a) In many environments, reboot is very infrequent.  Without configurable start time, an operator setting up a configured subscription would not have the ability to designate what to send.  It could only send the full log (at whatever size).

(b) on-publisher security or troubleshooting diagnostics might identify a breach or some event where streaming recent historical event records is a MUST.  As a result, it might want to stream a subset of event records off a box going back in time to potential events which might have been evidence or contributing factors.

<Kent7> Let me come at this another way.  Assume we drop all support for *configurable* replay-start-time.  As such, configured subscriptions always start with the next-generated event (no replay at all).   This covers most use-cases, right?   For those receivers that really wanted the older logs, can't they just do a dynamic subscription to collect them, same as we've been discussing above?

Next, can you explain what info could be provided that might allow a client to make a local decision as to whether a dynamic subscription is needed of not, and does the "replay-start-time" node provide it?

<Eric6> The local decision is easy.   As a configured receiver, I have just received a new subscription-started state change notification for a subscription I am tracking.  If I *need* to know about any events which occurred since the last event record I received for that subscription-id, then create a separate replay to cover that time gap.

<Kent6> it's not "if I need to know" so much as "I *know* that I'm missing some events because X and Y and, therefore I will create a dynamic subscription otherwise, since I know that I didn't miss any events, I will not create a dynamic subscription."   I'm trying to figure out what X and Y might be…

<Eric7>  Right now the evidence a configured receiver has is:

X = A subscription #3333 exists, the last event record came in at 2:01:55UTC.  I never got a “subscription-terminated” or “subscription-concluded”.

Y = a new “subscription-started” arrives.

Thinking about how to accomplish what you are asking, I do think there might be a possibility.   We could place a new object “replay-previous-event-time” in the subscription-started notification:

       +---n subscription-started {configured}?

          +--ro (target)


            +--ro replay-start-time?       yang:date-and-time        {replay}?

            +--ro replay-previous-event-time?       yang:date-and-time        {replay}?

What this object would do is to provide the timestamp of the event record just prior to the “replay-start-time” in the event buffer (should such a previous event exist).   If this timestamp doesn’t match the last event a receiver got (e.g., 2:01:55UTC), then a dynamic subscription could be established to fill the information gap.

<Kent7> Right, something like that.  Do you think this does it, or are there a bunch of disclaimers around its effectiveness?


<Eric4>  Tweaked a Section sentence to say:

This document puts no restrictions on the size or form of the log, where it resides within the publisher, or when event record entries in the log are purged.

I suggest adding text that clarifies this, and details the need for a short-lived dynamic-subscription.

<Eric4> The tweak above, with the suggested text in the Implementation Considerations section above hopefully covers this.

<KENT5> the "purged" part helps, but whyis this information buried inside a section titled "Requesting a replay of event records"?

<Eric6>   This is the second paragraph of the first section which discussed replay.  It is the sentence after the optional feature of replay is introduced.

<Kent6> I understand how it fits into this section, but it seems like it should be in a section called something like "replay log", since it's equally applicable for configured subscriptions (and s2.4 is about dynamic subscriptions).  Of course, if we remove replay from configured subscriptions, then leaving it here makes sense…

<Eric7> Per above, there is lots of value in configured replay.

<Kent7> Yes, but see again my challenge to that assertion.  I'm leaving this here in case the decision is flipped…


<Eric5>  Move to a new section just before Security Considerations.   Added the last sentence:

Additional transport requirements will be dictated by the choice of transport used with a subscription. For an example of such requirements with NETCONF transport, see [I-D.draft-ietf-netconf-netconf-event-notifications].

<KENT5> This new section "Transport Considerations" seems to be a mashup of requirements, security considerations, and recommendations and, as such, is a bit confusing.  I recommend ensuring the right info is in the right sections.

<Eric6> Look at <Kent4>.  My attempt was to do exactly what you requested.

Per the above, there simply are not many common transport requirements.    If you want me to split them up, that is fine.   If you want me to house them in “transport considerations” that is fine too.   I think that collapsing everything back to Security Considerations is the cleanest approach.    But a consistent target would be help us close this questions.   If you have cycles to propose a specific distribution, that would be great.

<Kent6> sorry, I wasn't clear before.  Requirements are having MUST and MAY.  Security Considerations are more SHOULD and RECOMMENDED.  I'm seeing a mix in this section.  I think that all the SHOULD and RECOMMENDED statements should be moved to the Security Considerations section (assuming they are indeed Security related).

Renamed section to “Transport Requirements”

Moved the SHOULD NOT requirement back to the security considerations section.

Moved the “One subscription identifier can be used for two or more receivers” statement back to the security considerations section.

<Kent7> sounds good

<Kent5?>It only mentions the need for one-way authentication, is that correct?

<Eric6>: One way authentication is needed before pushing events from the perspective of the publisher.   The receiver certainly might want to verify the publisher.  Mechanisms to accomplish that can be transport dependent.  If you want to add a simple statement “A receiver MUST authenticate a publisher”, that can be done as generic guidance.

<Kent6> Yes, exactly, if it is true.   Perhaps have the two statements and then say something about "mutual authentication" so that it is crystal clear.

<Eric7>  Now Says:

For both configured and dynamic subscriptions the publisher MUST authenticate a receiver via some transport level mechanism before sending any event records for which they are authorized to see.  In addition, the receiver MUST authenticate the publisher at the transport level.  The result is mutual authentication between the two.

<Kent7> perfect, very clear now!

<Kent5?> The first paragraph's use of the word "authorize" confuses me, especially in context of the 2nd paragraph, what would the "transport" authorize?

<Eric6>  Tweaked the wording to:

For both configured and dynamic subscriptions the publisher MUST authenticate a receiver via some transport level mechanism before sending any event records for which they are authorized to see.

<Kent6> better, thx.

BTW, maybe this section needs to more clearly specify that it only regards the transport for dedicated notification channels (not the transport for NC or RC).

<Eric7>   Tweaked the section lead-off to:

This section provides requirements for any subscribed notification transport supporting the solution presented in this document.

<Kent7> okay

<Eric6>  Added the sentence at the beginning of the section:

This section provides requirements which must be supportable via any transport technology supporting this solution.

<Kent6> perhaps s/this solution/the solution presented in this document/???


Change made.

<Kent7> good!