Re: [Netconf] [SPAM?] RE: LC on subscribed-notifications-10

Randy Presuhn <> Sun, 18 March 2018 22:16 UTC

Hi -

On 3/18/2018 2:59 AM, wrote:
> Yes.  Conceptually, it is cleanest to apply the filter on the event 
> contents with each update.  At the same time, in the interest of 
> performance, Andy and others have raised the issue of performance 
> penalty if every update has to be subjected to a filter.  One option is 
> for an implementation to simply reject a subscription if there is a 
> chance that it might contain information that would have to be filtered 
> (i.e. do the NACM check at the time the subscription is created), and in 
> case of NACM changes later that might affect subscriptions, to terminate 
> the subscription (and let users resubscribe).

This would increase the cost of NACM configuration changes (probably
not a big deal, but it means hooks between NACM and the notification
subsystem are needed so NACM would be able to let the notification
stuff know it needs to re-evaluate some of its subscriptions) and
would potentially leak information to other users about the fact that
the security administrator is making NACM configuration changes, even
if nothing is happening that would otherwise expose the fact that
the change has taken place.
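
An added illustration, not part of the original message: a toy Python model of the two options discussed in this thread, showing what a subscriber can observe when access rules are narrowed and no event has occurred. The `Acl` class, the event names, the user name and the `"terminated"` marker are all constructed assumptions; nothing here is NACM's real data model or any server's API.

```python
class Acl:
    """Constructed stand-in for NACM (not its data model): user -> readable event types."""
    def __init__(self, allowed):
        self.allowed = {u: set(t) for u, t in allowed.items()}
        self.hooks = []  # callbacks registered by the notification subsystem
    def permits(self, user, wanted):
        return set(wanted) <= self.allowed.get(user, set())
    def update(self, user, event_types):
        self.allowed[user] = set(event_types)
        for hook in self.hooks:  # the NACM -> notification hook from the reply
            hook()

class FilterPerUpdate:
    """Apply the access check to every event; denied events are dropped silently."""
    def __init__(self, acl):
        self.acl, self.subs = acl, []  # each sub: (user, wanted types, inbox)
    def subscribe(self, user, wanted):
        self.subs.append((user, set(wanted), []))
        return self.subs[-1][2]
    def publish(self, event):
        for user, wanted, inbox in self.subs:
            if event in wanted and self.acl.permits(user, [event]):
                inbox.append(event)

class CheckAtSubscribe(FilterPerUpdate):
    """Check once at creation; terminate the subscription on a later ACL change."""
    def __init__(self, acl):
        super().__init__(acl)
        acl.hooks.append(self.reevaluate)
    def subscribe(self, user, wanted):
        if not self.acl.permits(user, wanted):
            return None  # rejected up front
        return super().subscribe(user, wanted)
    def publish(self, event):
        for user, wanted, inbox in self.subs:
            if event in wanted:  # no per-event check on the hot path
                inbox.append(event)
    def reevaluate(self):
        for sub in [s for s in self.subs if not self.acl.permits(s[0], s[1])]:
            sub[2].append("terminated")  # constructed marker for the termination notice
        self.subs = [s for s in self.subs if self.acl.permits(s[0], s[1])]

def observe(strategy):
    """What the subscriber sees when the admin narrows access and no event occurs."""
    engine = strategy(Acl({"alice": ["link-up", "link-down"]}))
    inbox = engine.subscribe("alice", ["link-up", "link-down"])
    engine.acl.update("alice", ["link-up"])  # ACL edit only; nothing published yet
    engine.publish("link-up")                # a still-permitted event, after the edit
    return inbox
```

With per-update filtering the subscriber's view is unchanged by the ACL edit; with check-at-subscribe the termination itself tells the subscriber that an access-control change happened, and the still-permitted event is lost until they resubscribe.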