IETF Logo Mail Archive

Re: [netmod] kw comments on draft-voit-netmod-yang-mount-requirements

"Eric Voit (evoit)" <evoit@cisco.com> Fri, 08 April 2016 02:52 UTC

Return-Path: <evoit@cisco.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C050B12D62B for <netmod@ietfa.amsl.com>; Thu, 7 Apr 2016 19:52:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.531
X-Spam-Level:
X-Spam-Status: No, score=-14.531 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Fz7FvJ2OSIm for <netmod@ietfa.amsl.com>; Thu, 7 Apr 2016 19:52:34 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7763612D153 for <netmod@ietf.org>; Thu, 7 Apr 2016 19:52:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15814; q=dns/txt; s=iport; t=1460083954; x=1461293554; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=p7uYf/MM7EE4pswmDvVNoEb9rGno3mZ1ksFCQc125LA=; b=kmNQFPYYuSML/Stro/o2JlSFvpXTWtEp15sx9G94f69DINDx3x4Q6xuq MKUF1SBWiWBY+l7MNCRR5pROLyMIQnspNDe6bIEgodR0F96g/WF9bjpj0 JOt3F9ciSUmWu0NbNrEAcHUjcWPuju5e8iGno5NZrginc4pIgwRFMaTU3 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ACAgDyGwdX/5FdJa1dgzdTfQa6QAENgXMXCoUiSgIcgSI4FAEBAQEBAQFlJ4RBAQEBAwEBAQEgEToEBwUHBAIBCBEEAQEBAgIjAwICAiULFAEICAIEAQ0FCBOIBAgOsBKSEgEBAQEBAQEBAQEBAQEBAQEBAQEBAREEfIUlhEuEBSKDGIJWBYdthWGBMokEAY4EgW6HdYUxjyMBHgEBQoIEGYFKbId+BxcHGH4BAQE
X-IronPort-AV: E=Sophos;i="5.24,449,1454976000"; d="scan'208";a="258059842"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 08 Apr 2016 02:52:32 +0000
Received: from XCH-RTP-004.cisco.com (xch-rtp-004.cisco.com [64.101.220.144]) by rcdn-core-9.cisco.com (8.14.5/8.14.5) with ESMTP id u382qWnI018560 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 8 Apr 2016 02:52:32 GMT
Received: from xch-rtp-013.cisco.com (64.101.220.153) by XCH-RTP-004.cisco.com (64.101.220.144) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Thu, 7 Apr 2016 22:52:31 -0400
Received: from xch-rtp-013.cisco.com ([64.101.220.153]) by XCH-RTP-013.cisco.com ([64.101.220.153]) with mapi id 15.00.1104.009; Thu, 7 Apr 2016 22:52:31 -0400
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Ladislav Lhotka <lhotka@nic.cz>, Martin Bjorklund <mbj@tail-f.com>, "Alexander Clemm (alex)" <alex@cisco.com>, "kwatsen@juniper.net" <kwatsen@juniper.net>
Thread-Topic: [netmod] kw comments on draft-voit-netmod-yang-mount-requirements
Thread-Index: AQHRkAAY1dIqVaLFu0y/L6aVF65SwZ9/XLCg
Date: Fri, 08 Apr 2016 02:52:31 +0000
Message-ID: <ed5a1f9e1fe04579956c2b271bca4358@XCH-RTP-013.cisco.com>
References: <20160405.113822.1614298419822308565.mbj@tail-f.com> <16B50CA8-0076-413D-87D1-FFBE6A54175C@nic.cz> <8eab257636824a178c19ebaf83d80dca@XCH-RTP-001.cisco.com> <20160406.091852.487853511276571798.mbj@tail-f.com> <m24mbeapj0.fsf@nic.cz>
In-Reply-To: <m24mbeapj0.fsf@nic.cz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.227.207]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/netmod/8nEjlxQOZ-HWydnxRpbWWsu3n3g>
Cc: "netmod@ietf.org" <netmod@ietf.org>
Subject: Re: [netmod] kw comments on draft-voit-netmod-yang-mount-requirements
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2016 02:52:37 -0000

> Ladislav Lhotka, Wednesday, April 06, 2016 8:30 AM
> 
> Martin Bjorklund <mbj@tail-f.com> writes:
> 
> > Hi,
> >
> > "Alexander Clemm (alex)" <alex@cisco.com> wrote:
> >> Hi, Martin, Lada,
> >>
> >> unfortunately I wasn't able to attend the discussion, but I have one
> >> comment regarding the "definition" vs "implementation" distinction.
> >
> > I probably failed to communicate my point clearly.  I did not want to
> > make the distinction in this way.
> >
> >> Clearly, peer-mount and alias-mount have a definition component to
> >> it.
> >
> > Yes, absolutely.  I don't think I implied that they didn't.
> >
> >> This is why the YANG extensions were defined to define mountpoints.
> >> This definition component can be aligned with structural mount, and
> >> the goal needs to be to reuse the same.  So far, so good.
> >
> > Yes, this was my point.  In Eric's presentation he had "schema mount",
> > "peer-mount", and "alias-mount" on the same level; all three different
> > variations of the generic concept "YANG Mount".  I think that is
> > incorrect; we should have a generic "schema mount", with "peer-mount"
> > and "alias-mount" being specializations of this concept.
> 
> I would go even further: schema mount and peer mount are independent and
> orthogonal (not sure about alias mount - this is probably still something else).
> That is, I can build a data model with schema mount, and use it for validating a
> good old local datastore. Conversely, it is IMO possible to apply peer mount and
> validate the data against a data model that's constructed according to the
> existing rules.

Peer Mount implementations have been read-only (so far).  It would be good to avoid requiring the transactional requirements for write and therefore the needs to bring in and validate with the schema.   Such a requirement would be very heavy-weight for use with remote systems.  It might not even be possible if those remote systems have access control permissions which don't permit visibility against objects used for such validations. 
 
> So, even though it may be sometimes beneficial to combine schema mount and
> peer mount, I believe they can and should be implemented as two independent
> concepts.  A pure schema mount should have no security implications, whereas
> accessing remote data certainly has some. And accepting a (sub)schema from an
> external source requires IMO even higher level of trust.

Read-only access control objects should be easier for a sub-schema rather a full schema.  For remote system access we already need these security elements for a get, hopefully we are not requiring anything new when we insert the peer mount abstraction.

Eric
 
> Lada
> 
> >
> >
> >> The aspect that I don't think I agree with is that peer-mount and
> >> alias-mount should be treated merely as an "implementation".
> >
> > Again, this is not what I wrote.  I wrote that:
> >
> >    the client doesn't *necessarily* have to know if the the interfaces
> >    data is implemented w/ "peer mount" or some other mechanism.
> >
> > [note "necessarily"]
> >
> > I agree that *some* clients need to be able to manage mount targets
> > etc, but not all.
> >
> >> I think
> >> I understand where you are coming from - to the user of mounted data,
> >> they don't care if there are other "instances" of the same data and
> >> how the data they see is populated.  That said, I don't think this
> >> viewpoint is entirely correct, because there are certain semantics
> >> associated with it, and also because there are different implications
> >> with regards to mountpoint management which need to be reflected in
> >> the model.  (For example, for peer-mount, there needs to be
> >> information on the remote system.)
> >>
> >> For the semantics, I think the fact should be captured when mounted
> >> data depends on target data.  We capture conditions and constraints
> >> for semantically accurate models; the fact that the "aliased" data
> >> reflects another instance in another subtree is something that sure
> >> needs to be captured and understood.
> >
> > If the client is fully aware of the alias mount concept, why bother
> > with it?
> >
> > As I have said previously, we (tail-f) have had alias mount
> > implemented for many years (we call it "symlink"), and we have bad
> > experiences with all scenarios but the very simplest ones (simple leaf
> > to leaf alias).  And even in this case users get pretty confused by
> > errors caused by validation that depends on the target leaf.
> >
> >> For example, without reflecting
> >> this relationship, an application might try to set an authoritative
> >> subtree/datanode to one value, the mounted version of it to a
> >> different value.  So, whether or not there is an alias, or a peer, to
> >> an instance of data is something that should be reflected in the
> >> model.  In other words, I don't think you can see the mountpoint and
> >> data mounted below it in entire isolation from the rest of the system.
> >> Another question concerns what you are actually mounting.  In
> >> alias-mount, the mounted subtree may actually have been augmented and
> >> have other data nodes underneath it.  Does the mounting apply to also
> >> augmenting data?  For structural mount, the answer is clearly "no",
> >> but for peer-mount it doesn't have to be.
> >
> > I don't understand what you mean.  Maybe you can show an example?
> >
> >
> > /martin
> >
> >
> >>
> >> --- Alex
> >>
> >>
> >> -----Original Message-----
> >> From: netmod [mailto:netmod-bounces@ietf.org] On Behalf Of Ladislav
> >> Lhotka
> >> Sent: Tuesday, April 05, 2016 4:57 AM
> >> To: Martin Björklund <mbj@tail-f.com>
> >> Cc: netmod@ietf.org
> >> Subject: Re: [netmod] kw comments on
> >> draft-voit-netmod-yang-mount-requirements
> >>
> >>
> >> > On 05 Apr 2016, at 06:38, Martin Bjorklund <mbj@tail-f.com> wrote:
> >> >
> >> > Hi,
> >> >
> >> > Kent Watsen <kwatsen@juniper.net> wrote:
> >> >> [As a contributor]
> >> >>
> >> >> Note: this is a -00 document, but only because the draft's name
> >> >> changed.  In reality this is like a
> >> >> draft-voit-netmod-peer-mount-requirements-04.  Looking at the
> >> >> diffs, there aren't many changes, mostly cleanup and adding the
> >> >> "schema mount" concept.  That is, the new "yang mount" term is use
> >> >> to cover all of "schema mount", "alias mount", and "peer mount".
> >> >>
> >> >> My comment is mostly high-level.  I'm wondering about the need for
> >> >> this draft to include schema mount at all.  That is, a schema
> >> >> mount solution draft is now an adopted WG item, and I'm unsure if
> >> >> the authors of that draft are looking to this one to define requirements.
> >> >> Perhaps the goal is to define the umbrella term "yang mount", but
> >> >> to be honest, I don't really see a need to have a term that spans
> >> >> both schema and data mounts.  I'm not sure how others feel about
> >> >> this, but my thoughts are that we should define terms like:
> >> >>
> >> >> - scheme-mount
> >> >> - data-mount
> >> >> - remote data mount   (a.k.a. peer mount)
> >> >> - local data mount        (a.k.a. alias mount)
> >> >>
> >> >> More so than:
> >> >>
> >> >> yang-mount
> >> >> - scheme-mount
> >> >> - alias-mount
> >> >> - peer-mount
> >> >
> >> > Listening to Eric's presentation yesterday, I realized that I have
> >> > a slightly different view on these terms.
> >> >
> >> > I prefer to separate the *schema* (data model) from how things are
> >> > implemented.  The various proposals for specific implementations
> >> > (peer
> >>
> >> Yes, I expressed this opinion already in Yokohama. Moreover, Eliot's
> >> presentation indicated that there are use cases in which YANG is used
> >> for modelling data outside the context of a management protocol. So
> >> IMO it is legitimate to require that even with schema mount it is
> >> possible to write a compact specification of the complete schema.
> >> Such a schema is static as before, the only change is that we have
> >> more flexibility in composing the modules, whereas currently they can
> >> be only put side by side. Also, there needn't be any mechanism like
> >> peer mount, all data may be local.
> >>
> >> Perhaps this use case is really different from the more dynamic
> >> situation where the server needs to fetch the subschemas at runtime
> >> and the data are contributed by an external entity.
> >>
> >> Lada
> >>
> >> > mount and alias mount etc) all need a "schema mount" to take of
> >> > defining a proper data model.   (This was the whole point of defining
> >> > structural-mount...)
> >> >
> >> > For example, suppose we have:
> >> >
> >> >  container logical-devices {
> >> >    list logical-device {
> >> >      key name;
> >> >      ...
> >> >      yangmnt:mount-point logical-device;
> >> >    }
> >> >  }
> >> >
> >> > With the associated yang-library, a client might learn that
> >> > ietf-interfaces is mounted under the "logical-device" mount mount.
> >> >
> >> > Now, the client knows that there are paths:
> >> >
> >> >  /logical-devices/logical-device/if:interfaces/if:interface
> >> >
> >> > but the client doesn't necessarily have to know if the the
> >> > interfaces data is implemented w/ "peer mount" or some other mechanism.
> >> >
> >> >
> >> > So, in my view, we have:
> >> >
> >> >  schema mount
> >> >      |
> >> >      +---- peer mount
> >> >      +---- alias mount
> >> >      +---- other cool mount
> >> >
> >> >
> >> >
> >> > As a concrete example, peer mount might be used like this (example
> >> > taken from draft-clemm-netmod-mount-03):
> >> >
> >> >   import ietf-schema-mount {
> >> >     prefix yangmnt;
> >> >   }
> >> >   import ietf-peer-mount {
> >> >     prefix pmnt;
> >> >   }
> >> >
> >> >   ...
> >> >
> >> >   list network-element {
> >> >     key "element-id";
> >> >     leaf element-id {
> >> >       type element-ID;
> >> >     }
> >> >     container element-address {
> >> >       ... // choice definition that allows to specify
> >> >           // host name,
> >> >           // IP addresses, URIs, etc
> >> >     }
> >> >     yangmnt:mount-point "interfaces" {
> >> >       pmnt:target "./element-address";
> >> >       pmnt:subtree "/if:interfaces";
> >> >     }
> >> >     ...
> >> >   }
> >> >
> >> >
> >> > A client that knows about the generic, abstract schema mount can
> >> > work with this, without knowing anything of the specific
> >> > implementation of peer mount.
> >> >
> >> > [Actually, since peer mount is just one implementation technique,
> >> > I'd prefer to decouple the definition of this implementation detail
> >> > from the data model, but that's a different topic.]
> >> >
> >> >
> >> > /martin
> >> >
> >> > _______________________________________________
> >> > netmod mailing list
> >> > netmod@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/netmod
> >>
> >> --
> >> Ladislav Lhotka, CZ.NIC Labs
> >> PGP Key ID: E74E8C0C
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> netmod mailing list
> >> netmod@ietf.org
> >> https://www.ietf.org/mailman/listinfo/netmod
> >>
> 
> --
> Ladislav Lhotka, CZ.NIC Labs
> PGP Key ID: E74E8C0C
> 
> _______________________________________________
> netmod mailing list
> netmod@ietf.org
> https://www.ietf.org/mailman/listinfo/netmod

v2.23.0 | Report a Bug | By Email