Re: [netconf] RFC 6241 Ambiguity

tom petch <> Fri, 24 May 2019 16:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B02D0120305 for <>; Fri, 24 May 2019 09:22:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.248
X-Spam-Status: No, score=0.248 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RATWARE_MS_HASH=2.148, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KHEeD9K3LB2J for <>; Fri, 24 May 2019 09:22:14 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C6288120304 for <>; Fri, 24 May 2019 09:22:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=E2LX/c2547/umb3zSo8GyW3EwKQzvg83y/ijzaz0frk=; b=MPfxDFNp6hYP31gEYwE12+Zx4YN2jD41z16V4TD99QQs1BXkREHi+NxmM+CLgStEkFLq16uPBCrR5/9Fkg2z6l+nAsLgT+FPr2cB8FssEPnq3jjfNaB4DfJmDQ870v+dOf/L7mYiHuKhU6PRUoE/eGz9IsrFbw1yavIVL3CXPq8=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1922.8; Fri, 24 May 2019 16:22:10 +0000
Received: from ([fe80::7537:44ee:88c1:dd6d]) by ([fe80::7537:44ee:88c1:dd6d%7]) with mapi id 15.20.1943.007; Fri, 24 May 2019 16:22:10 +0000
From: tom petch <>
To: "" <>, 'Andy Bierman' <>, 'Mahesh Jethanandani' <>
CC: 'Kent Watsen' <>, "" <>
Thread-Topic: [netconf] RFC 6241 Ambiguity
Thread-Index: AQHVEkwxbmbSabcwjUS9zmsfFcmOnA==
Date: Fri, 24 May 2019 16:22:10 +0000
Message-ID: <009401d5124c$486e4ba0$>
References: <em35e87021-fa76-4888-a383-8b34e960175f@morpheus> <> <> <eme2e51d99-6140-4142-b89f-db5e4c6e2a88@morpheus> <> <emdf557a96-2926-4d87-83f9-2f8216ed652e@morpheus> <> <> <> <> <> <00d101d51216$f807d120$e8177360$>
Accept-Language: en-GB, en-US
Content-Language: en-US
x-clientproxiedby: LNXP265CA0059.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:5d::23) To (2603:10a6:802:20::28)
authentication-results: spf=none (sender IP is );
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: Microsoft Outlook Express 6.00.2800.1106
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a23f9c81-a59f-45ef-e3ac-08d6e063f8a0
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:VI1PR07MB4269;
x-ms-traffictypediagnostic: VI1PR07MB4269:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0047BC5ADE
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(396003)(366004)(136003)(39860400002)(346002)(199004)(189003)(13464003)(446003)(476003)(71200400001)(71190400001)(486006)(53546011)(2501003)(4720700003)(73956011)(66476007)(66556008)(64756008)(66946007)(66446008)(110136005)(7736002)(8676002)(44736005)(68736007)(6436002)(305945005)(229853002)(86362001)(81166006)(81156014)(26005)(102836004)(5660300002)(1556002)(6486002)(186003)(86152003)(2906002)(14496001)(25786009)(966005)(14444005)(478600001)(256004)(50226002)(8936002)(316002)(54906003)(386003)(6506007)(62236002)(6116002)(3846002)(4326008)(44716002)(84392002)(14454004)(52116002)(6246003)(76176011)(81686011)(61296003)(81816011)(6306002)(6512007)(99286004)(53936002)(66066001)(9686003)(74416001)(7726001); DIR:OUT; SFP:1102; SCL:1; SRVR:VI1PR07MB4269;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:0; MX:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: o/m09V40+J5e869j4U0s05PS1Ph2aFOlG5FFMLOYJ/foo+naWjZT55kQ5MsCP8l6p0DyNrY9ZszXNgEAB3FgpsrOZQ8V8D5Cu4Oy33wKUwGkHB1kL2ypza1X5jrnzP6Krdh5AeKszdIkcolqyAhIJ/xDaf07bl+dWGX2AawChoQoy2OE278O4KkiZlJ8ea2oTJCx81zWP7371QLM+tgDRrWRUGVvVZvBgHnw+db5YddCRt2IoFqQ0M6oj86B71uV7NaZ/HP9m5Un/JxdXx9VCMoBwgYivi+1yz6Oq8pXCzTOQeNYQT4t0dn6oFvG1qa+EIpnY0HIKHLAhEluCAr2g8s2PFiGyK7fzS5wlfABC4G/zlfu5o0IZ/msRCjskt0EAQZAU9UtMb3nX0SJurXG0RxzsnOv+lRTNQfe/Hzj7zg=
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: a23f9c81-a59f-45ef-e3ac-08d6e063f8a0
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 May 2019 16:22:10.1369 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB4269
Archived-At: <>
Subject: Re: [netconf] RFC 6241 Ambiguity
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 24 May 2019 16:22:18 -0000


Tom Petch

----- Original Message -----
From: <>
Sent: Friday, May 24, 2019 10:56 AM


Apologies for the delay in responding.

The reason for the errata I have raised on persistent confirmed commits
is because RFC 6241 seems to me to be ambiguous. For example, section
8.4.1 states, “If the session issuing the confirmed commit is terminated
for any reason before the confirm timeout expires, the server MUST
restore the configuration to its state before the confirmed commit was
issued, unless the confirmed commit also included a <persist> element.”
To my mind, the reasons for terminating the session include the client
issuing a <close-session>, another client issuing a <kill-session> on
the session in question, a network failure, the client rebooting, and
the server rebooting. Yet in the next paragraph it states, “If the
device reboots for any reason before the confirm timeout expires, the
server MUST restore the configuration to its state before the confirmed
commit was issued.” So does the second paragraph overrule the first when
the session terminates due to the device rebooting? If so, what is the
reason why a persistent confirmed commit cannot persist beyond a device
reboot but it can for all other cases of session termination? And why
does the RFC state about the persist parameter on page 101, “This
parameter is used to make a confirmed commit persistent.  A persistent
confirmed commit is not aborted if the NETCONF session terminates.  The
only way to abort a persistent confirmed commit is to let the timer
expire, or to use the <cancel-commit> operation”? The RFC could really
do with making it clearer under what circumstances a persistent
confirmed commit is aborted, hence my errata. If I have got them wrong,
I apologise.

Re Kent’s point about section 8.4 overriding section 7.8 behaviour. Is
that a common approach to RFCs, that subsequent sections can overrule
prior sections without needing to add clarity in those prior sections?
If so, why are there so many forward references to capabilities in
section 7?

With the diffs in the errata, I am unclear what happens when reporting
an error in an existing erratum. If the resultant erratum replaces the
previous one, it would make sense to provide the diff against the
original text. If it becomes an additional erratum, it would make sense
to provide the diff against the previous erratum.



The RFC Editor website says

 [Note: To report an error in an existing erratum, please contact the
RFC Editor.]

which suggests that we have an ad-hoc process and no formal procedure.
As yet, I do not see consensus as to what the totality of the changes to
the RFC should be, which for me is the starting point, before contacting
the RFC Editor to instigate the process.

On the more general point, if I read a document from start to end and
find later sections contradicting earlier ones I would regard the
document as flawed.

Tom Petch

Re Andy’s point about the text on <kill-session> in section 7.9 being
ambiguous, that is why I proposed the change. However, if that change is
not correct, then surely we still need an erratum to clarify what the
intent truly is. Clearly Andy is of the opinion an erratum is not
sufficient and this needs to be fixed in a new version of the protocol
which is why I’m confused as to why he doesn’t want to open this as a
netconf-next issue.

 For the work we are currently undertaking, persistent confirmed commits
could be very useful. But if the RFC is ambiguous, errata cannot fix it
and it isn’t a netconf-next issue we will have to remove support for it.
But if that is the case then presumably we should not support any of


From: netconf <> On Behalf Of Andy Bierman
Sent: 16 May 2019 20:11
To: Mahesh Jethanandani <>
Cc: Kent Watsen <>;
Subject: Re: [netconf] RFC 6241 Ambiguity

On Thu, May 16, 2019 at 11:50 AM Mahesh Jethanandani
< <> > wrote:

Hi Andy,

On May 16, 2019, at 10:02 AM, Andy Bierman <
<> > wrote:

On Wed, May 15, 2019 at 2:48 PM Kent Watsen <
<> > wrote:

I don't think Erratum 5397 should be deleted. Though the original
section 7.8 makes no mention of confirmed commits, section 7.9 does, but
does not differentiate between a vanilla confirmed commit and a
persistent confirmed commit. Since a persistent confirmed commit is
still a type of confirmed commit, without clarification the second
paragraph of the description would seem to apply.

I would agree.

7.8 does not say anything about the <kill-session> is for the
session that started a confirmed commit or extended a confirmed commmit.
It could be interpreted to mean any kill-session for any session causes
a confirmed commit to be rolled back.  The text below is so ambiguous it

is not even clear the <kill-session> has to be for an existing session,

      If a NETCONF server receives a <kill-session> request while
      processing a confirmed commit (Section 8.4), it MUST restore the
      configuration to its state before the confirmed commit was issued.

While the original text in 7.8 was ambiguous, Erratum 5397 does seem to
clarify that the <close-session> (not <kill-session), is for the session
in question, and not any session.

I do not agree that close-session overrides the text in sec 8.4 supports
this procedure.

It also makes no sense from an operational POV, since dropping the

(without a close-session) does not have this affect :

   If the session issuing the confirmed commit is terminated for any
   reason before the confirm timeout expires, the server MUST restore
   the configuration to its state before the confirmed commit was
   issued, unless the confirmed commit also included a <persist>

IMO this text overrides the close-session and kill-session text.

      If a NETCONF server receives a <close-session> request while
      processing a confirmed commit (Section 8.4) for that session, it
      MUST restore the configuration to its state before the confirmed
      commit was issued unless the confirmed commit included a <persist>

That is why I agree that Erratum 5397 should not be deleted, but should
be modified to the text suggested by Jonathan.

This makes no operational sense if the <persist> parameter was used.

It's a minor point, but I could argue, as I wrote before, that such
clarifications in 7.x are unnecessary because 8.4 provides overrides.
I prefer less text because it's easier to get right (wit this is at
least the 3rd time Jonathan is at this now).  However "unnecessary"
doesn't mean "wrong" and since we've already stepped in it, getting the
7.x errata right might be easier than getting 8.4 right.

8.4 para 3 says the confirmed commit is not tied to a session if the
persist/persist0id mechanism is used.

   If the <persist> element is not given in the confirmed commit
   operation, any follow-up commit and the confirming commit MUST be
   issued on the same session that issued the confirmed commit.  If the
   <persist> element is given in the confirmed <commit> operation, a
   follow-up commit and the confirming commit can be given on any
   session, and they MUST include a <persist-id> element with a value
   equal to the given value of the <persist> element.

The problematic text is actually in <cancel_commit>  <cancel-commit>


         Cancels an ongoing confirmed commit.  If the <persist-id>
         parameter is not given, the <cancel-commit> operation MUST be
         issued on the same session that issued the confirmed commit.

In order to cancel a confirmed commit (belonging to another client, i.e
the persist-id is not known), the client issues a <kill-session> for
any random or non-existent session.  It would make more sense to issue a

(maybe require superuser) instead. The access control policy for

is the wrong way to configure access to cancelling a confirmed commit.

IMO these procedures are not well designed or documented, and an Errata

be used to fix it -- a new version of the protocol should fix it, in
which WG and IETF consensus
is reached for the selected solution.

Do you want to open this as a netconf-next issue?

not really

With the diff, should that be against the original text or the original

The diff is building on top of the original erratum. I would think a
diff w.r.t. to the original erratum would make sense.

It depends, are you correcting the earlier errata or filing a new one?
Regardless, I expressed a diff for what I think the text should be
(which you didn't comment on); how that is translated is up to you.

Kent // contributor


netconf mailing list <>

Mahesh Jethanandani <>


This email has been checked for viruses by Avast antivirus software.


> _______________________________________________
> netconf mailing list