[Netconf] 4742bis RFC Editors notes WAS:RE: David Harrington's Discuss on draft-ietf-netconf-4741bis-09: (with DISCUSS and COMMENT)
"Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com> Tue, 15 March 2011 11:53 UTC
Return-Path: <mehmet.ersue@nsn.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D2F5D3A6B2E; Tue, 15 Mar 2011 04:53:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.554
X-Spam-Level:
X-Spam-Status: No, score=-106.554 tagged_above=-999 required=5 tests=[AWL=0.045, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tyOfwTH93eHI; Tue, 15 Mar 2011 04:53:06 -0700 (PDT)
Received: from demumfd002.nsn-inter.net (demumfd002.nsn-inter.net [93.183.12.31]) by core3.amsl.com (Postfix) with ESMTP id 800563A6D61; Tue, 15 Mar 2011 04:53:04 -0700 (PDT)
Received: from demuprx017.emea.nsn-intra.net ([10.150.129.56]) by demumfd002.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id p2FBsOM4004331 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 15 Mar 2011 12:54:25 +0100
Received: from demuexc022.nsn-intra.net (demuexc022.nsn-intra.net [10.150.128.35]) by demuprx017.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id p2FBsNRR023217; Tue, 15 Mar 2011 12:54:23 +0100
Received: from DEMUEXC006.nsn-intra.net ([10.150.128.18]) by demuexc022.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.4675); Tue, 15 Mar 2011 12:54:23 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 15 Mar 2011 12:54:21 +0100
Message-ID: <80A0822C5E9A4440A5117C2F4CD36A6401C6E568@DEMUEXC006.nsn-intra.net>
In-Reply-To: <4D7F33B8.10209@bwijnen.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: 4742bis RFC Editors notes WAS:RE: [Netconf] David Harrington's Discuss on draft-ietf-netconf-4741bis-09: (with DISCUSS and COMMENT)
Thread-Index: Acvi9OIGwPHkqUtTR9ungcyUtIw6LwAEcCow
References: <20110301230555.15990.2719.idtracker@localhost> <4D7F33B8.10209@bwijnen.net>
From: "Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com>
To: David Harrington <ietfdbh@comcast.net>, The IESG <iesg@ietf.org>, netconf <netconf@ietf.org>
X-OriginalArrivalTime: 15 Mar 2011 11:54:23.0024 (UTC) FILETIME=[B9B6EB00:01CBE307]
Cc: draft-ietf-netconf-4742bis@tools.ietf.org, draft-ietf-netconf-4741bis@tools.ietf.org
Subject: [Netconf] 4742bis RFC Editors notes WAS:RE: David Harrington's Discuss on draft-ietf-netconf-4741bis-09: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2011 11:53:07 -0000
Hi All, unfortunately there are two bugs in 4742bis v08, which need to be added to the RFC Editors notes. I assume Dan will change the IESG write-up page soon. Change 1: ====== Appendix A) from v07 got somehow deleted and needs to be added again. Change 2: ====== The text in Section 3.1 contains MUST statements copied from 4741 and is inappropriate. As requested by Alexey we had changed the formulation but forgot to update the Write-up page. -------------------------------------------------------------------- RFC Editors notes for draft-ietf-netconf-rfc4742bis-08.txt: OLD (v08): [empty] NEW: Appendix A. Changes from RFC 4742 This section lists major changes between this document and RFC 4742. o Introduced the new Chunked Framing Mechanism to solve known security issues with the EOM framing. o Extended text in Security Considerations, added text on EOM issues. o Added examples to show new chunked encoding properly, highlighted the location of new lines. o Stated that the extraction of the SSH user name by a NETCONF server is implementation-dependent. o Changed use of the terms client/server, manager/agent to SSH client/server and NETCONF client/server. o Consistently used the term operation, instead of command or message. o Integrated previously-approved errata from http://rfc-editor.org/errata_search.php?rfc=4742 3. Section 3.1. OLD (v08): As specified in [I-D.ietf-netconf-4741bis] the NETCONF server MUST indicate its capabilities by sending an XML document containing a <hello> element as soon as the NETCONF session is established. The NETCONF client can parse this message to determine which NETCONF capabilities are supported by the NETCONF server. As [I-D.ietf-netconf-4741bis] states the NETCONF client must also send an XML document containing a <hello> element to indicate the NETCONF client's capabilities to the NETCONF server. The document containing the <hello> element MUST be the first XML document that the NETCONF client sends after the NETCONF session is established. NEW: As specified in [I-D.ietf-netconf-4741bis] the NETCONF server indicates its capabilities by sending an XML document containing a <hello> element as soon as the NETCONF session is established. The NETCONF client can parse this message to determine which NETCONF capabilities are supported by the NETCONF server. As [I-D.ietf-netconf-4741bis] further specifies, the NETCONF client also sends an XML document containing a <hello> element to indicate the NETCONF client's capabilities to the NETCONF server. The document containing the <hello> element is the first XML document that the NETCONF client sends after the NETCONF session is established. Cheers, Mehmet > -----Original Message----- > From: netconf-bounces@ietf.org [mailto:netconf-bounces@ietf.org] On > Behalf Of ext Bert (IETF) Wijnen > Sent: Tuesday, March 15, 2011 10:39 AM > To: David Harrington > Cc: netconf; The IESG; netconf-chairs@tools.ietf.org; draft-ietf- > netconf-4741bis@tools.ietf.org > Subject: Re: [Netconf] David Harrington's Discuss on draft-ietf- > netconf-4741bis-09: (with DISCUSS and COMMENT) > > David, > > as you do know I think (at least my memory says that you were > in the NETCONF session where this was discussed), the WG > has extensively discussed the issue of "how to derive/extract > the username from the SSH layer". We then had major consensus > (not full consensus, I believe you indeed objected somewhat) > that "implementation dependent" was the way to go. > > Over the last few weeks, the WG has also discussed your DISCUSS, > and yet more people have expressed that "implementation dependent" > is the best we can do in this situation. > > If anything needs to be done, then it seems that SSH needs to > be "fixed". See wg email thread extracts below. > > However, we have tried to address your DISCUSS with the > following text changes, so that at least at the NETCONF > level we do as much as we can. > > PLEASE reconsider your DISCUSS and see if you can clear it > with the following changes that have been posted in new > revisions of the 4741bis and 4742bis documents: > > For 4741bis, add one sentence and change "MUST explain how" into > "MUST provide". Exact change: > > OLD: > > The authentication process MUST result in an authenticated client > identity whose permissions are known to the server. The > authenticated identity of a client is commonly referred to as the > NETCONF username. The algorithm used to derive the username is > transport protocol specific and in addition specific to the > authentication mechanism used by the transport protocol. NETCONF > transport protocols therefore MUST explain how a NETCONF username > is > derived from the authentication mechanisms supported by the > transport > protocol. > > NEW: > > The authentication process MUST result in an authenticated client > identity whose permissions are known to the server. The > authenticated identity of a client is commonly referred to as the > NETCONF username. The username is a string of characters that > match > the "Char" production from section 2.2 of [W3C.REC-xml-20001006] . > The algorithm used to derive the username is transport protocol > specific and in addition specific to the authentication mechanism > used by the transport protocol. The transport protocol MUST > provide > a username to be used by the other NETCONF layers. > > > for rfc4742bis, the proposed change is: > > OLD: > How the NETCONF Server extracts the SSH user name from the SSH > layer > is implementation-dependent. > > NEW: > The username provided by the SSH implementation will be made > available to the NETCONF message layer as the NETCONF username > without modification. If the username does not comply to the NETCONF > requirements on usernames [I-D.ietf-netconf-4741bis] , i.e., the > username is not representable in XML, the SSH session MUST be > dropped. Any transformations applied to the authenticated identity > of the SSH client made by the SSH server (e.g., via authentication > services or mappings to system accounts) are outside the scope of > this document. > > > We have also addressed your other discuss points and most of your > remarks/comments. > The complete diffs are here: > http://tools.ietf.org/wg/netconf/draft-ietf-netconf-4741bis/draft-ietf- > netconf-4741bis-10-from-09.diff.html > http://tools.ietf.org/wg/netconf/draft-ietf-netconf-rfc4742bis/draft- > ietf-netconf-rfc4742bis-08-from-07.diff.html > > Bert Wijnen > Document shepherd 4741bis > Mehmet Ersue > Document shepherd 4742bis > > -------- Original Message -------- > Subject: Re: [Netconf] David Harrington's Discuss on draft-ietf- > netconf-4741bis-09: (with DISCUSS and COMMENT) > Date: Thu, 10 Mar 2011 11:01:41 -0800 > From: Randy Presuhn <randy_presuhn@mindspring.com> > To: <netconf@ietf.org> > > > > Hi - > > > From: "Juergen Schoenwaelder"<j.schoenwaelder@jacobs-university.de> > > To: "Ersue, Mehmet (NSN - DE/Munich)"<mehmet.ersue@nsn.com> > > Cc:<netconf@ietf.org> > > Sent: Thursday, March 10, 2011 10:33 AM > > Subject: Re: [Netconf] David Harrington's Discuss on draft-ietf- > netconf-4741bis-09: (with DISCUSS and COMMENT) > ... > > > "How the NETCONF Server extracts the user name from the SSH layer > is > > > implementation-dependent." > > > > > > What SSH transport document could say is e.g. (but not much > more): > > > > > > " There is no standard way for an application running on an SSH > > > server to determine a user name for the current session. How > the > > > NETCONF Server extracts the user name from the SSH layer is > > > therefore implementation-dependent. > > > > > > The user name provided by the SSH implementation will be made > > > available to NETCONF message layer as NETCONF username > without > > > any modification. Any transformations applied to the > authenticated > > > user name by the SSH layer are outside the scope of this > document." > > > > > > However this would be insufficient with the MUST statement in > 4741bis > > > above. IMO 4741bis shouldn't impose to 4742bis something, which > 4742bis > > > cannot provide > > Let's get real. Even though "implementation-dependent" isn't the most > satisfying way of describing how something happens, there are times > (and this is probably one) where it's the only reasonable way, unless > one is willing to accept that any effort to further specify matters > will almost > inevitably end up over-constraining implementations. > > ... > > I maintain the statement that a NETCONF transport that does not > > provide a username is unacceptable - or we give up on access > > control. > > Agreed. "Implementation-dependent" may be distasteful, but the > alternative of abandoning access control would be throwing the > baby out with the bathwater. > > > The issue is also not that SSH does not provide a username - > > the issue is that documenting exactly how this is done without > > restricting SSH authentication protocols and/or AAA systems is > > difficult. Since the easy way forward of declaring this > implementation > > dependent does not seem to fly, someone has to cast creative text > that > > says a bit more than "this implementation dependent" without saying > > too much. This is what we should discuss, not the MUST provide > > username requirement in 4741bis. > > I agree that the username requirement is not what should be > under discussion. I reluctantly agree that if this group is unwilling > to let > the implementation-dependent sleeping dog lie, the only alternative is > to spell out and get agreement on the "blessed" set of implementation- > dependent things that might be done to produce a username. And I > strongly agree that that exercise will need to take care not to say too > much - an over-specification here could cause as much trouble as the > under-specification that caused the mess in the first place. > > Randy > > -----In a later email (dated 3/11/2011) Randy further stated: > > There are apparently different expectations of what satisfies > a requirement to explain how something is done. For me, > "it's implementation dependent" is a perfectly reasonable way > to address such a requirement when the realities of deployed > infrastructure don't permit a more detailed description. Ugly? > Yes, but the alternative is to "fix" SSH, and that seems far > outside this group's charter. > > Randy > _______________________________________________ > Netconf mailing list > Netconf@ietf.org > https://www.ietf.org/mailman/listinfo/netconf > > _______________________________________________ > Netconf mailing list > Netconf@ietf.org > https://www.ietf.org/mailman/listinfo/netconf
- [Netconf] Fwd: David Harrington's Discuss on draf… Bert (IETF) Wijnen
- Re: [Netconf] David Harrington's Discuss on draft… Bert (IETF) Wijnen
- Re: [Netconf] David Harrington's Discuss on draft… Bert (IETF) Wijnen
- Re: [Netconf] David Harrington's Discuss on draft… Juergen Schoenwaelder
- Re: [Netconf] David Harrington's Discuss on draft… Martin Bjorklund
- Re: [Netconf] David Harrington's Discuss on draft… Juergen Schoenwaelder
- Re: [Netconf] David Harrington's Discuss on draft… Martin Bjorklund
- Re: [Netconf] David Harrington's Discuss on draft… Juergen Schoenwaelder
- Re: [Netconf] David Harrington's Discuss on draft… David Harrington
- Re: [Netconf] David Harrington's Discuss on draft… Phil Shafer
- Re: [Netconf] David Harrington's Discuss on draft… Martin Bjorklund
- Re: [Netconf] David Harrington's Discuss on draft… Phil Shafer
- Re: [Netconf] David Harrington's Discuss on draft… Martin Bjorklund
- Re: [Netconf] David Harrington's Discuss on draft… Andy Bierman
- Re: [Netconf] David Harrington's Discuss ondraft-… Randy Presuhn
- Re: [Netconf] David Harrington's Discuss on draft… Juergen Schoenwaelder
- Re: [Netconf] David Harrington's Discuss ondraft-… Juergen Schoenwaelder
- Re: [Netconf] David Harrington's Discuss on draft… David Harrington
- Re: [Netconf] David Harrington's Discuss on draft… David Harrington
- Re: [Netconf] David Harrington's Discuss on draft… Martin Bjorklund
- Re: [Netconf] David Harrington's Discuss ondraft-… Randy Presuhn
- Re: [Netconf] David Harrington's Discuss ondraft-… Juergen Schoenwaelder
- Re: [Netconf] David Harrington's Discuss on draft… Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] David Harrington's Discuss on draft… Bert (IETF) Wijnen
- Re: [Netconf] David Harrington's Discuss on draft… Juergen Schoenwaelder
- Re: [Netconf] David Harrington's Discuss on draft… Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] David Harrington's Discuss on draft… Juergen Schoenwaelder
- Re: [Netconf] David Harrington's Discuss on draft… Andy Bierman
- Re: [Netconf] David Harrington's Discuss on draft… Randy Presuhn
- Re: [Netconf] David Harrington's Discuss on draft… Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] David Harrington's Discuss on draft… Martin Bjorklund
- Re: [Netconf] David Harrington's Discuss on draft… Phil Shafer
- Re: [Netconf] David Harrington's Discuss on draft… Martin Bjorklund
- Re: [Netconf] David Harrington's Discuss on draft… Phil Shafer
- Re: [Netconf] David Harrington's Discuss on draft… Martin Bjorklund
- Re: [Netconf] David Harrington's Discuss on draft… Phil Shafer
- Re: [Netconf] David Harrington's Discuss on draft… Randy Presuhn
- Re: [Netconf] David Harrington's Discuss on draft… Bert (IETF) Wijnen
- Re: [Netconf] David Harrington's Discuss on draft… Martin Bjorklund
- Re: [Netconf] David Harrington's Discuss on draft… Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] David Harrington's Discuss ondraft-… t.petch
- Re: [Netconf] David Harrington's Discuss on draft… Phil Shafer
- Re: [Netconf] David Harrington's Discuss on draft… Martin Bjorklund
- Re: [Netconf] David Harrington's Discuss on draft… Phil Shafer
- Re: [Netconf] David Harrington's Discuss on draft… David Harrington
- Re: [Netconf] David Harrington's Discuss on draft… Juergen Schoenwaelder
- Re: [Netconf] David Harrington's Discuss on draft… Bert (IETF) Wijnen
- Re: [Netconf] David Harrington's Discuss ondraft-… Ladislav Lhotka
- [Netconf] 4742bis RFC Editors notes WAS:RE: David… Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] David Harrington's Discuss ondraft-… Randy Presuhn
- Re: [Netconf] David Harrington's Discuss ondraft-… Martin Bjorklund
- Re: [Netconf] David Harrington's Discuss ondraft-… Randy Presuhn
- Re: [Netconf] David Harrington's Discuss ondraft-… Martin Bjorklund
- Re: [Netconf] David Harrington's Discuss ondraft-… Andy Bierman
- Re: [Netconf] David Harrington's Discuss ondraft-… Randy Presuhn
- Re: [Netconf] David Harrington's Discuss ondraft-… Ladislav Lhotka
- Re: [Netconf] David Harrington's Discuss ondraft-… Ladislav Lhotka
- Re: [Netconf] David Harrington's Discuss ondraft-… Bert (IETF) Wijnen
- Re: [Netconf] David Harrington's Discuss ondraft-… t.petch
- Re: [Netconf] David Harrington's Discuss ondraft-… Juergen Schoenwaelder
- Re: [Netconf] David Harrington's Discuss ondraft-… t.petch
- Re: [Netconf] David Harrington's Discuss ondraft-… Juergen Schoenwaelder
- Re: [Netconf] David Harrington's Discuss on draft… Wes Hardaker
- Re: [Netconf] David Harrington's Discuss on draft… Juergen Schoenwaelder
- Re: [Netconf] David Harrington's Discuss on draft… Ladislav Lhotka
- Re: [Netconf] David Harrington's Discuss ondraft-… Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] David Harrington's Discuss ondraft-… Martin Bjorklund
- [Netconf] draft-ietf-netconf-4741bis-10 is finish… Bert (IETF) Wijnen
- Re: [Netconf] David Harrington's Discuss on draft… Wes Hardaker
- Re: [Netconf] David Harrington's Discuss ondraft-… Wes Hardaker
- Re: [Netconf] David Harrington's Discuss ondraft-… t.petch
- Re: [Netconf] David Harrington's Discussondraft-i… Randy Presuhn
- Re: [Netconf] draft-ietf-netconf-4741bis-10 is fi… Bert (IETF) Wijnen