Re: [netmod] I-D Action: draft-ietf-netmod-system-mgmt-15.txt

Kent Watsen <kwatsen@juniper.net> Thu, 01 May 2014 04:18 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Date: Thu, 01 May 2014 04:18:33 +0000
Cc: "netmod@ietf.org" <netmod@ietf.org>

Hi Juergen,


> Kent,
>
> the process is somewhat like this
> <snip/>

I can't help the timing on this.  The reason this is coming up now is
because the NETCONF WG wanted to unify the TLS and SSH config, which meant
that suddenly the TLS config showed up in the
draft-ietf-netconf-server-model, which is supposed to be about configuring
the server (not user auth).  Maybe the issue can be traced to 5539bis-00
(Sep 2012), as that is where the TLS-auth config was very first
introduced.  Perhaps it should've been put into the
draft-ietf-netmod-system-mgmt at that time, but the issue was less visible
then since it kind of makes sense that the config would be in the 5539bis.
In fact, Tom said as much here:
http://www.ietf.org/mail-archive/web/netconf/current/msg08841.html.



>Of course, since there is another IETF last call, you can raise an
>issue during this second IETF last call if you believe the document is
>not ready.

And that we should do if we agree that it's the best course of action.



><history deleted>
>So keep this in mind when you think about the issue. Are we having an
>issue that renders the current version unusable or is this just one of
>the many additions one can imagine but which may as well go into a
>future revision or augmentation of the data model? In the later case,
>I prefer to not pull this document out of the IESG back into the WG.

The problem is that if it doesn't go into draft-ietf-netmod-system-mgmt,
then the alternative solutions (see bottom) may compound the problem.  Now
is the time for us to at least look at it and agree what makes sense.  I'm
all for us doing the right thing, whatever it might be, but we haven't
even discussed what that is yet.



>PS: I personally do not believe that the user authentication objects in
>    the system draft need configuration of certifications and trust
>    anchors.

Great, the discussion begins, so here goes.

The netmod-system-management defines config for User Authentication and
says that it does so for SSH because that is NETCONF's mandatory to
implement transport.  Meanwhile we have netconf-server-model, which is
supposed to be just about configuring the NETCONF server, and yet it has
user-auth config for TLS (not SSH) in it.  This inconsistency is the issue.


So, what are our options?

1. Go forward with current inconsistency

2. Only modify draft-ietf-netconf-server-model, but move TLS user-auth out
   of ietf-server-model into a separate model that augments ietf-system

3. Similar to #2, but move the ietf-system augmentation back to 5539bis

4. Similar to #2, but move the TLS-auth directly (no augmentation) into
   the ietf-system model defined in draft-ietf-netmod-system-mgmt

5. Move all user-auth config from draft-ietf-netmod-system-mgmt into
   draft-ietf-netconf-server-model

6. Move all user-auth config from both draft-ietf-netmod-system-mgmt
   and draft-ietf-netconf-server-model into yet another draft (for
   instance, draft-ietf-netmod-user-auth?)

7. Anything else?


Thanks,
Kent