Re: [Netconf] Comments on draft-ietf-netconf-server-model-03.txt
Kent Watsen <kwatsen@juniper.net> Fri, 03 October 2014 19:02 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D7321A8897 for <netconf@ietfa.amsl.com>; Fri, 3 Oct 2014 12:02:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PzH3rgSqVMpA for <netconf@ietfa.amsl.com>; Fri, 3 Oct 2014 12:02:54 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0125.outbound.protection.outlook.com [65.55.169.125]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27AA41A8884 for <netconf@ietf.org>; Fri, 3 Oct 2014 12:02:54 -0700 (PDT)
Received: from CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) by CO1PR05MB457.namprd05.prod.outlook.com (10.141.72.141) with Microsoft SMTP Server (TLS) id 15.0.1044.10; Fri, 3 Oct 2014 19:02:51 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.196]) by CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.196]) with mapi id 15.00.1044.008; Fri, 3 Oct 2014 19:02:51 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Alan Luchuk <luchuk@snmp.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: Comments on draft-ietf-netconf-server-model-03.txt
Thread-Index: AQHP3PfuIWXKEogrdkyrjScW4AT0uZwefEcA
Date: Fri, 03 Oct 2014 19:02:51 +0000
Message-ID: <D051D9D2.83A74%kwatsen@juniper.net>
References: <201409302145.s8ULjq7q024177@mainfs.snmp.com>
In-Reply-To: <201409302145.s8ULjq7q024177@mainfs.snmp.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.4.140807
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [66.129.241.14]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:CO1PR05MB457;
x-forefront-prvs: 0353563E2B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(51704005)(76104003)(189002)(43784003)(199003)(105586002)(230783001)(106116001)(106356001)(76482002)(99286002)(95666004)(64706001)(10300001)(85306004)(120916001)(99396003)(40100001)(77096002)(66066001)(4396001)(107046002)(122386001)(101416001)(20776003)(54356999)(76176999)(50986999)(36756003)(97736003)(2656002)(85852003)(21056001)(31966008)(87936001)(92566001)(86362001)(92726001)(19580395003)(15975445006)(83506001)(2501002)(15202345003)(46102003)(80022003); DIR:OUT; SFP:1102; SCL:1; SRVR:CO1PR05MB457; H:CO1PR05MB458.namprd05.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-ID: <CDFAD8208F52AF4EB09F121BF66ABF61@namprd05.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/wrNFGGPnZv6eyqhsUARD6Ijq5VQ
Cc: "jshoenwaelder@jacobs-university.de" <jshoenwaelder@jacobs-university.de>
Subject: Re: [Netconf] Comments on draft-ietf-netconf-server-model-03.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Oct 2014 19:02:57 -0000
Hi Alan, Thank you for a fantastic review. I have already incorporated all your Nit comments. Please see below for other responses. Thanks again, Kent >General comments >---------------- > >Not sure if all of the groupings would be useful outside of this document. >Some of the groupings have only a single "uses" within the document; e.g., >call-home-transport-config, call-home-config, etc. It seems as if this >was done to break up one large config into smaller chunks. I find this >use >of grouping/uses makes the YANG module more difficult to read and >understand >than if these single-use grouping/users were simply inserted in-line. Correct, all but 2 of the 11 groupings are only used once. Interestingly, I did this to help make the module more readable. Of course I understand that chasing the definition can be cumbersome, but the tradeoff is that now each parent container can easily fit on the screen. I don't know, is there best practice to follow on this? FWIW, I added https://github.com/netconf-wg/server-model/issues/12 to track this issue. >Comments on the listen-per-transport-config grouping, Page 12: >-------------------------------------------------------------- > >Under the description of the address leaf: > > s/IP address\/name/IP address or host name/ Fixed! >Under the port leaf: > > Should this leaf be mandatory, or have a default of 0? In both places where this grouping is used, a transport-specific default is provided (830 for SSH, 6513 for TLS). Is it good enough? >The listen-per-transport-config grouping seems roughly like a >"sockaddr_storage" structure. An "endpoint", or perhaps a "sockaddr" >or "socket" grouping seems like it would be useful in many YANG >modules beyond this one. <SNIP/> True, it would've been a nice addition to ietf-inet-types. What do others think? >Comments on the call-home-per-transport-config grouping, Page 14: >----------------------------------------------------------------- > >This grouping seems generally useful beyond the configuration of >call-home configuration. It looks like basically like a list of >endpoints, or "sockaddrs". Perhaps generalizing this and putting it >into the same YANG module with the revised listen-per-transport-config >grouping might simplify its wider use. Another good point. What do others think? >I _suspect_ I know the answer to this, but what is the purpose of the >"endpoints" container around the "endpoint" list? I thought that it was best practice to always have a parent container for a list. In RESTCONF terms, the container would be the "collection" and would render URLs like .../widgets/widget=<key>/, which is a pretty common idiom. That said, the module is itself inconsistent in that the top-level "listen" and "call-home" do NOT have parent containers. The module is trying to follow guildlines set by http://tools.ietf.org/html/draft-schoenw-netmod-yang-pattern-00. One option might be use this: +--rw netconf-server +--rw listen | +--rw endpoint* [name] | +--rw name string | ... +--rw call-home +--rw application* [name] +--rw name string | ... What do you think, is it better? >The name leaf seems to serve basically as a key for the list. Would >it be possible to eliminate this leaf, and use the address and port >leaves as keys? This would slightly simplify the grouping. It might >also use the "endpoint" grouping suggested above, and further re-use >definitions. As Juergen mentioned already, this would prevent augmentations from supporting multiple routing instances (VRFs) if needed. >Comments on the listen-config grouping, Page 11: >------------------------------------------------ > >It seems like the listen-per-transport-config could be promoted from >from below each case branch to above the "choice transport". Does the >name leaf does have a function other than providing a list key? If the >listen-per-transport-config were promoted, then the address and port >could be used as keys, no? This would simplify the grouping. Perhaps >something like: > > grouping listen-config { > description > "Grouping for listen configuration."; > > uses endpoint; /* The new grouping, described above */ > > choice transport { > mandatory true; > description > "Selects between SSH and TLS transports."; > > case ssh { > if-feature ssh-listen; > container ssh { > description > "SSH-specific listening configuration for inbound > connections."; > refine port { > default 830; > } > } > } > case tls { > if-feature tls-listen; > container tls { > description > "TLS-specific listening configuration for inbound > connections."; > refine port { > default 6513; > } > } > } > } > } > >Then, where this grouping is used: > > container netconf-server { > description > "Top-level container for NETCONF server configuration."; > > list listen { > key "address port"; > > description > "List of endpoints to listen for connections on."; > //if-feature "(ssh-listen or tls-listen)"; > uses listen-config; The solution used follows the guidelines set by draft-schoenw-netmod-yang-pattern-00. That said, I agree with you that flattening the model some would be nice. One issue in doing that, though, is how to set the transport-specific default port values, as the port node would longer be refine-able... >Comments on the call-home-connection-type-config grouping, Page 15: >------------------------------------------------------------------- > >Under the persistent-connection case, there is a "container persistent" >and, under that, a "container keep-alives". What is the function of the >extra containment layer? Would it make sense to remove one of these >containment layers? This is me just grouping things together for readability and extensibility. We could flatten the model some by having "keep-alive-interval-secs" and "keep-alive-count-max" - does that seem bester to you? Also, while the model doesn't currently have any other nodes under the "persistent" node, it may someday (perhaps through an augmentation), such that having this structure helps keeps things nice and organized. Thoughts? >Comments on the call-home-reconnection-strategy-config grouping, Page 17: >------------------------------------------------------------------------- > >What determines the order in which management applications are contacted >by call-home connections? Is it the name key of the endpoint list >in the call-home-per-transport-config grouping? > >How is the last-connected reconnection strategy handled across reboots >of devices without stable storage? Or is the "no stable storage" situ- >ation out-of-scope? No order is expected, a device could even connect to all it's "call-home" nodes in parallel. The draft defines the "call-home" list as unordered - is it good enough? - if not, what text would you suggest adding? The draft says in the description statement: "If no previous connection has ever been established, last-connected defaults to the first endpoint listed". What the draft fails to say is if the "previous connection" information needs to survive reboots. Do you think this choice could be left to implementations? >Comments on the trusted-ca-certs-grouping grouping, Page 17: >------------------------------------------------------------ > >Is it expected that this grouping may be used elsewhere in other YANG >modules? > >Is it intended that the trusted-ca-cert leaf-list is used for root >(self-signed) CA certs only, or are subordinate CA certs allowed also? > >If this leaf-list is intended for self-signed CA certs only, then how >are CA cert chains handled? AFAIK, there is no known intension to use the grouping elsewhere. That said, you never know and, besides, I like to use groupings because I think it improves readability (YMMV). Yes, absolutely, subordinate certs are allowed. That said, there may still be an issue with supporting chains, such as when a client cert is signed by an intermediate CA that is signed by trust anchor CA. That is, the end user would like to configure the device to auth any client cert having a chain of trust leading to the trust anchor. Currently this is not possible because the wording "A client's certificate is authenticated if its Issuer matches one of the configured trusted CA certificates." does allow for indirections. This seems like an oversight to me, but I inherited this text and don't know if there is a reason behind it. Added https://github.com/netconf-wg/server-model/issues/13 to track this. >Comments on the trusted-client-certs-grouping grouping, Page 17: >---------------------------------------------------------------- > >What is the purpose of this grouping? As it is documented, this >grouping may be unnecessary. > >When a management application connects to the NETCONF Server, either >by forward or reverse (call-home) TLS, the management application >will present an application cert (or cert chain) that identifies it. >Two things have to happen for the NETCONF Server to authenticate the >management application: 1) The application cert presented by the >management application must pass certificate verification up through >one of the CA certs configured (in the NETCONF server) in the >trusted-ca-certs-grouping, and 2) the NETCONF server must be able >to convert this application cert to the NETCONF NACM username. > >Based upon the way the TLS authentication works (described in the >previous paragraph), and the description of the trusted-client-certs >container, I don't see what the function of this grouping is. What >am I missing here? Should the trusted-client-certs-grouping be >deleted? This grouping is provides an alternate mechanism to authenticate client certs. It is to auth a specific user without authenticating every other user's cert having the same Issuer. This came from issue #3 in this thread: http://www.ietf.org/mail-archive/web/netconf/current/msg08825.html. Makes sense? >Other comments on the NETCONF-over-TLS configuration: >------------------------------------------------------- > >When a NETCONF over TLS session is initiated, the NETCONF server must >present an X.509 certificate to the NETCONF client so the client can >verify the identity of the NETCONF server. I do not see any mechanism >for configuring an X.509 certificate that identifies the NETCONF server. > >Should there be such an object, or is this something that can only be >configured out-of-band, or perhaps only by the manufacturer? Yes, and this issue is tracked here: https://github.com/netconf-wg/server-model/issues/4 Question, do you think configuring the TLS-server-cert/SSH-host-key to use should be a system-wide configuration, or something specific to the NETCONF server? Thanks again, Kent
- [Netconf] Comments on draft-ietf-netconf-server-m… Alan Luchuk
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Juergen Schoenwaelder
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Alan Luchuk
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Martin Bjorklund
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Martin Bjorklund
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Juergen Schoenwaelder
- Re: [Netconf] Comments on draft-ietf-netconf-serv… Kent Watsen