IETF Logo Mail Archive

Re: [Netconf] How to augment RFC6470 to supply detail configuration change information

Andy Bierman <andy@yumaworks.com> Sun, 07 June 2015 16:04 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AD8E1A92B1 for <netconf@ietfa.amsl.com>; Sun, 7 Jun 2015 09:04:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.721
X-Spam-Level:
X-Spam-Status: No, score=0.721 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ecU250n9Jzer for <netconf@ietfa.amsl.com>; Sun, 7 Jun 2015 09:04:43 -0700 (PDT)
Received: from mail-lb0-f175.google.com (mail-lb0-f175.google.com [209.85.217.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DA511A92AF for <netconf@ietf.org>; Sun, 7 Jun 2015 09:04:43 -0700 (PDT)
Received: by lbbtu8 with SMTP id tu8so51769016lbb.2 for <netconf@ietf.org>; Sun, 07 Jun 2015 09:04:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=LPOs7+ZLexXRFWmec6invdYYjARRgbw8Ebljyw9/jX0=; b=Kv7yPUv0RmTMCUer7hbaI0O04Y6Ne+5ThmxvCaRvGZx8kypuIsqnwP+3cd1s8PqKC2 BIg2hC/cfEmrvQLJ0dEQUB+/3beemUQgEe3h3y/OjK6ywwNnb/1cTIe+QmkU1rKE2Sf0 m9ntjIIZFUhd9Bl63WJqmfdyHUe+aG2+c91l2Vzg1QiupvE6o2amHR5U7CEJifLqhHB+ gBGasE7oSBJnrrukSBtDIjL8UP7OJQkQ/I2dwr03/eKbdgTcit5vTxx+ZaXbrCOW+lRY azZoyhcDEeulm4a3w2u5zRAPXZnG82TotJtEnAupt8xD0B9OpQON8DVnpom70+LTEIJj 9GFA==
X-Gm-Message-State: ALoCoQmgbNAhkJHpRNmistO8s0d6bf0ZKD/ZefTEnxO2A3qA3kekC7FYUAJww9z0YvLKl6YJM1PM
MIME-Version: 1.0
X-Received: by 10.152.36.161 with SMTP id r1mr12505722laj.88.1433693081487; Sun, 07 Jun 2015 09:04:41 -0700 (PDT)
Received: by 10.112.200.102 with HTTP; Sun, 7 Jun 2015 09:04:41 -0700 (PDT)
In-Reply-To: <D970584466921040BD10823F192C30B9382B12CA@ESGSCMB103.ericsson.se>
References: <D970584466921040BD10823F192C30B9382B00ED@ESGSCMB103.ericsson.se> <20150601072552.GA31467@elstar.local> <D970584466921040BD10823F192C30B9382B02AD@ESGSCMB103.ericsson.se> <20150601095456.GD31801@elstar.local> <D970584466921040BD10823F192C30B9382B120E@ESGSCMB103.ericsson.se> <20150602064743.GA66363@elstar.local> <D970584466921040BD10823F192C30B9382B12CA@ESGSCMB103.ericsson.se>
Date: Sun, 07 Jun 2015 09:04:41 -0700
Message-ID: <CABCOCHT77VC6AC-HYbm+wovsp=o=QTYCb_ZvFC-30R3rB1KOtQ@mail.gmail.com>
From: Andy Bierman <andy@yumaworks.com>
To: Mandy Liu <mandy.liu@ericsson.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/netconf/thFvrTviKz08SQrxRwvqD0MYexU>
Cc: Robert Ottinger <robert.ottinger@ericsson.com>, "andy@netconfcentral.org" <andy@netconfcentral.org>, Athanasios Kyparlis <athanasios.kyparlis@ericsson.com>, Kai Lin <kai.lin@ericsson.com>, "netconf@ietf.org" <netconf@ietf.org>
Subject: Re: [Netconf] How to augment RFC6470 to supply detail configuration change information
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Jun 2015 16:04:45 -0000

Hi,

There are (at least) 2 technical issues you should consider, in case you are
wondering why the 'data' was left out of the netconf-config-change event.

1) Access control is effectively disabled by copying config nodes
into an 'anyxml' container within a notification.  Sensitive data
like passwords can be transferred to a client without read privilege
for that data.

2) NETCONF notifications may not be reliable.
Replay is optional to implement.  RFC 5277 is silent
about transport requirements for notification delivery.

For example if the receiver is blocked so that notifications
cannot be sent on a subscription session, a server with
finite resources will eventually be unable to store new
events.

There is one mention of resources in the RFC, wrt/ replay:

   The actual number of stored notifications available for retrieval at
   any given time is a NETCONF server implementation-specific matter.
   Control parameters for this aspect of the feature are outside the
   scope of this document.

Note that notifications can not be retrieved in NETCONF.
This text should say "available for delivery".

Notifications do not have sequence identifiers.
There is no way for a client to tell if a notification was dropped
by the server.


Andy


On Tue, Jun 2, 2015 at 12:18 AM, Mandy Liu <mandy.liu@ericsson.com> wrote:
> I am not intent to insist that. I just want to make sure it won't violate RFC6020. I think you have convinced me by below sentence. Thanks for your support, Juergen!
> - "But it is not the writable configuration data but more a copy of the configuration data that got changed."
>
> Regards,
> Mandy
>
> -----Original Message-----
> From: Juergen Schoenwaelder [mailto:j.schoenwaelder@jacobs-university.de]
> Sent: Tuesday, June 02, 2015 2:48 PM
> To: Mandy Liu
> Cc: andy@netconfcentral.org; Kai Lin; Robert Ottinger; netconf@ietf.org; Athanasios Kyparlis
> Subject: Re: [Netconf] How to augment RFC6470 to supply detail configuration change information
>
> But it is not the writable configuration data but more a copy of the configuration data that got changed. Anyway, if you want to insist that this is a violation of section 7.10 of RFC6020, then don't do it. I do not believe it is a violation of section 7.10 of RFC6020.
>
> /js
>
> On Tue, Jun 02, 2015 at 06:22:25AM +0000, Mandy Liu wrote:
>> Ok, thanks! Got your point.
>> But here I want to use "data" to address the changed configuration data in the notification. Although "data" is in the notification, but because it is used to address the configuration data seems it still conflicts with the statement in section 7.10 of RFC6020 "it is RECOMMENDED that the "anyxml" statement not be used to represent configuration data. "
>>
>> list edit {
>>      leaf target {
>>          type instance-identifier;
>>         description
>>         .....
>>      }
>>      leaf operation {
>>          type nc:edit-operation-type;
>>         description
>>              .....
>>      }
>>      anyxml data;
>>  }
>>
>> Regards,
>> Mandy
>>
>> -----Original Message-----
>> From: Juergen Schoenwaelder
>> [mailto:j.schoenwaelder@jacobs-university.de]
>> Sent: Monday, June 01, 2015 5:55 PM
>> To: Mandy Liu
>> Cc: andy@netconfcentral.org; Kai Lin; Robert Ottinger;
>> netconf@ietf.org; Athanasios Kyparlis
>> Subject: Re: [Netconf] How to augment RFC6470 to supply detail
>> configuration change information
>>
>> Let me try to say it differently: Using anyxml in a notification does not cause a conflict with this statement in section 7.10 of RFC 6020:
>>
>>    Since the use of anyxml limits the manipulation of the content, it is
>>    RECOMMENDED that the "anyxml" statement not be used to represent
>>    configuration data.
>>
>> Note that configuration data is defined as follows:
>>
>>    o  configuration data: The set of writable data that is required to
>>       transform a system from its initial default state into its current
>>       state [RFC4741].
>>
>> Notification content is not configuration data.
>>
>> /js
>>
>> On Mon, Jun 01, 2015 at 07:48:51AM +0000, Mandy Liu wrote:
>> > Sorry, I don't get your point. But hopefully I addressed my question more clearly this time.
>> >
>> > The configuration change notification is generated when the NETCONF server detects that the <running> or <startup> configuration datastore has been changed by a management session. The notification summarizes the "edits" that have been detected. "  The structure of the "edit" is addressed in RFC6470 as below. What I want is to add the another leaf to address the "target" is changed to what. But because the "target" may be a container, a list, a leaf or a leaf-reference, etc. It could be any node of the tree. So a common format for addressing the "target" is changed to what is needed.
>> > list edit {
>> >     leaf target {
>> >         type instance-identifier;
>> >        description
>> >        .....
>> >     }
>> >     leaf operation {
>> >         type nc:edit-operation-type;
>> >        description
>> >             .....
>> >     }
>> > }
>> >
>> > Thanks,
>> > Mandy
>> > -----Original Message-----
>> > From: Juergen Schoenwaelder
>> > [mailto:j.schoenwaelder@jacobs-university.de]
>> > Sent: Monday, June 01, 2015 3:26 PM
>> > To: Mandy Liu
>> > Cc: andy@netconfcentral.org; Kai Lin; Robert Ottinger;
>> > netconf@ietf.org; Athanasios Kyparlis
>> > Subject: Re: [Netconf] How to augment RFC6470 to supply detail
>> > configuration change information
>> >
>> > On Mon, Jun 01, 2015 at 06:51:27AM +0000, Mandy Liu wrote:
>> >
>> > > [...] So we need to find a common format for the "content" to
>> > > accommodate different types of "target". what I can imagine is
>> > > anyxml could be used. But seems it is not a good choice. Because
>> > > based on RFC6020, it is not recommended to be used on configuration data.
>> >
>> > Since you plan to augment a notification, this won't be config true data (this is what the statement in RFC 6020 really hints at). See also the definition of 'configuration data' in section 3 of RFC 6020.
>> >
>> > /js
>> >
>> > --
>> > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>> > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
>> > Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
>>
>> --
>> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
>> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

v2.46.0 | Report a Bug | By Email | System Status