Re: [netmod] Benjamin Kaduk's No Objection on draft-ietf-netmod-nmda-diff-09: (with COMMENT)
Andy Bierman <andy@yumaworks.com> Mon, 12 July 2021 22:42 UTC
Return-Path: <andy@yumaworks.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 557473A14AA for <netmod@ietfa.amsl.com>; Mon, 12 Jul 2021 15:42:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Level:
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LjdDM-w7SA6c for <netmod@ietfa.amsl.com>; Mon, 12 Jul 2021 15:42:53 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 753F53A1551 for <netmod@ietf.org>; Mon, 12 Jul 2021 15:42:48 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id h9so11492631ljm.5 for <netmod@ietf.org>; Mon, 12 Jul 2021 15:42:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cuy96aELmIGw0NPQxHN0GbNDygwQO1lOsCYgcdyfSy4=; b=IJXBYZZQ2aUYoguDtmdLVQJqkfIRzsoFR0ahdXtJcbEAwTAodIgU3niMopTW1DFCgC eHAe7RsZd9FzjbsTGjmEYgoKjcB2n0H0p2h8y6Oidtf5UE7y8+cN3F6TfmfCCicijk70 eyU1mTR1kzYwML5OTIOitDlcZwq5PUkglbY9c57VxABgY8NZYWFRsYKIT2sTkxUX49id 0lUoExnELlpsmeNSiwlYp63+IGA9VIbEGxwwRIy53kUG7Tn0gkGoxsRwwTZzitt71m8X J+30qQXSZ6hmfpjh9NK6ImxTEqkG07sF/9ZW4DTJG0CNK/m3RHPei/n66L/IdUXFBI3P i9Zw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cuy96aELmIGw0NPQxHN0GbNDygwQO1lOsCYgcdyfSy4=; b=hkoKGw9aHIWDqMFK6gKHTlBzf0iikyHz1e8MaGfydRlrtpsm8+GV4kw1ce7fgGUoYR P40315C5mJHolpa56YbOgHxN3ufUsB9+XOcmlD1kLoe1YNVHOo2RVfjgk5X376G8n8e1 QxuCmNXUwHzFKFt0Pi73oxUyS18Iq7Ud5ksHXSyzaxw6Ub8njLxNVOAsb1T7aNMq9a5I yxGO6UFB5S3Ode/J0wslU0iUBN13PzB48EOmNxC38vG0u9FlteaDU186ifmvWDOgrA3c WRyfC9V/n+ZbjWBChpnXMeygutCEGA7syjccQOSg7rB+Fl4GWP1loCQryDPhoTx6oAq+ 1olw==
X-Gm-Message-State: AOAM532twV27NHwarKcKluDb/iAuiMsY8Z0q6TJay4QXCuDvMPGWgeJw DRcUh1raUyyJldc9KVRU3o0xvapdoYF2vetqKEGX2g==
X-Google-Smtp-Source: ABdhPJzgU+amWeHoS8sMlXJCBKTBT5ueSU25LE76rYvcG0GhcgnMdLUGofFYcG+bRQs2sUgbT1iilFiXmL4nMLG0FW8=
X-Received: by 2002:a2e:8403:: with SMTP id z3mr208149ljg.298.1626129761476; Mon, 12 Jul 2021 15:42:41 -0700 (PDT)
MIME-Version: 1.0
References: <162578071895.23622.6414701243842084826@ietfa.amsl.com>
In-Reply-To: <162578071895.23622.6414701243842084826@ietfa.amsl.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Mon, 12 Jul 2021 15:42:30 -0700
Message-ID: <CABCOCHQvC+M-=shm0axFSpbjMB4iVm3jfrvcEZvu1shgeDO9DQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-netmod-nmda-diff@ietf.org, NetMod WG Chairs <netmod-chairs@ietf.org>, NetMod WG <netmod@ietf.org>, Joel Jaeggli <joelja@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000cab04705c6f4d620"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/9vBqvkFWi8lzMakfFFadm8nEe7Q>
Subject: Re: [netmod] Benjamin Kaduk's No Objection on draft-ietf-netmod-nmda-diff-09: (with COMMENT)
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2021 22:43:04 -0000
On Thu, Jul 8, 2021 at 2:45 PM Benjamin Kaduk via Datatracker < noreply@ietf.org> wrote: > Benjamin Kaduk has entered the following ballot position for > draft-ietf-netmod-nmda-diff-09: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-netmod-nmda-diff/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thanks to Alexey Melnikov for the secdir review. > > I'm not experienced enough with YANG to know whether or how problematic > it is that the "anydata subtree-filter" node contents are described by > reference to the NETCONF specification, which has a particular (XML) > representation of YANG data and does not give a clear presentation of > the abstract YANG structure/semantics to be used. Is it possible to use > the filter-spec choice option when, for example, RESTCONF is used with > JSON encoding? > > There is not a standard specification for subtree filtering using JSON encoding instead of XML. RESTCONF has its own somewhat compatible filtering mechanism. It would require a new NETCONF work item to officially expand subtree filtering to support JSON. (Unofficially, there is RFC for JSON encoding of YANG data and an implementation could map the RFC 6241 text to JSON). > Section 4 > > o report-origin: When set, this parameter indicates that origin > metadata should be included as part of RPC output. When this > parameter is omitted, origin metadata in comparisons that involve > <operational> is by default omitted. > > Why is it important to complicate the semantics of this parameter with a > dependence on the datastore? It seems like it would be simpler to get > this effect by having clients specify report-origin when the target is > not <operational>. Note that changing the semantics would require text > changes in subsequent parts of the document for consistency. (If > retaining the current semantics, please clarify whether "comparisons > that involve <operational>" applies when operational is source, target, > or either.) > > IMO NMDA is way too complicated, so I cannot argue with that complaint. The origin attribute only applies to the <operational> datastore. I think it is not allowed to appear elsewhere. Section 9 > > In addition to noting that the "compare" RPC is sensitive and should be > restricted to authorized parties, I suggest to reiterate that the > "compare" operation should not provide a mechanism to work around access > control on other nodes -- that is, a result should only be returned if > the requestor would be allowed to access both the "source" and "target" > trees independently of the RPC. In particular, even a "no-matches" > output should not be returned, as that might provide a way to determine > the structure of the datastore even without accessing it. > Fortunately the access control model (NACM) is per server and not per datastore so the same access rules apply to all datastores. I agree the no-access subtrees should be silently skipped, the same way that GET operations are treated in NACM. > We might also incorporate by reference the security considerations for > subtree filtering (RFC 6241) and xpath filtering (RFC 6991). > > NITS > > Section 1 > > an unusually long time to do so. This can be the case due to certain > conditions not being met, certain parts of the configuration not > propagating because considered inactive, resource dependencies not > being resolved, or even implementation errors in corner conditions. > > "because considered inactive" seems like an incomplete clause; maybe > "because they are considered inactive"? > > Section 4 > > o differences: This parameter contains the list of differences. > Those differences are encoded per YANG-Patch data model defined in > > s/YANG-Patch/the YANG-Patch/ > I'd also consider s/per/according to/, since this is not exactly a > logic-driven deduction but rather more of a new requirement. > > Section 6 > > for the management of interfaces defined in [RFC8343]. The excerpt > of the data model whose instantiation is the basis of the comparison > is as follows: > > I feel like this phrasing is a little misleading, as not only is the > following snippet only a subset of the nodes contained within "container > interfaces" but the descriptions have been greatly abbreviated as well. > Perhaps we could say something about "for the purposes of understanding > the subsequent example, the following subset of the [RFC8343] data model > is provided". > > Accept: application/yang-d > > (I believe this truncated header field was already noted by another > reviewer.) > > Andy
- [netmod] Benjamin Kaduk's No Objection on draft-i… Benjamin Kaduk via Datatracker
- Re: [netmod] Benjamin Kaduk's No Objection on dra… Andy Bierman
- Re: [netmod] Benjamin Kaduk's No Objection on dra… Benjamin Kaduk
- Re: [netmod] Benjamin Kaduk's No Objection on dra… Alexander L Clemm