Re: [netmod] I-D Action: draft-ietf-netmod-system-mgmt-15.txt

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 02 May 2014 12:39 UTC

Date: Fri, 02 May 2014 14:39:25 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Kent Watsen <kwatsen@juniper.net>
Message-ID: <20140502123925.GC36168@elstar.jacobs.jacobs-university.de>
Mail-Followup-To: Kent Watsen <kwatsen@juniper.net>, "netmod@ietf.org" <netmod@ietf.org>
References: <20140429071743.11894.21006.idtracker@ietfa.amsl.com> <CF859937.6B5B6%kwatsen@juniper.net> <20140430194951.GC31986@elstar.local> <CF872BB7.6BF1B%kwatsen@juniper.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/netmod/M79pyTiK9IQmfslWvHwULjYFA4A
Cc: "netmod@ietf.org" <netmod@ietf.org>
Subject: Re: [netmod] I-D Action: draft-ietf-netmod-system-mgmt-15.txt

On Thu, May 01, 2014 at 04:18:33AM +0000, Kent Watsen wrote:
> 
> 
> The problem is that if it doesn't go into draft-ietf-netmod-system-mgmt,
> then the alternative solutions (see bottom) may compound the problem.  Now
> is the time for us to at least look at it and agree what makes sense.  I'm
> all for us doing the right thing, whatever it might be, but we haven't
> even discussed what that is yet.
> 

Since there are no concrete edits people agree on at this point in
time, I do not plan to move draft-ietf-netmod-system-mgmt back from
the IESG into the WG to work on it a couple of more weeks and then to
restart the whole procedure.

> The netmod-system-management defines config for User Authentication and
> says that it does so for SSH because that is NETCONF's mandatory to
> implement transport.  Meanwhile we have netconf-server-model, which is
> supposed to be just about configuring the NETCONF server, and yet it has
> user-auth config for TLS (not SSH) in it.  This inconsistency is the issue.

I do not think this is a fair summary. Both SSH and TLS call home
need parameters configured on the NC server side but also on the NC
client side (e.g. the SSH user and its credentials to call home).
Where will this stuff go?

Sure, we can move the cert-maps and psk-maps to some other module, I
am not sure, though, that it really helps solve a concrete problem. These
are, in the end, objects to implement on the NC server, whether they are
defined as part of draft-ietf-netmod-system-mgmt, netconf-server-model
or some other module. And the maps are rather NETCONF over TLS
specific.  The SSH authentication objects may also be used outside
NETCONF, e.g. to configure plain old access to the system's CLI.

> So, what are our options?
> 
> 1. Go forward with current inconsistency
> 
> 2. Only modify draft-ietf-netconf-server-model, but move TLS user-auth out
>    of ietf-server-model into a separate model that augments ietf-system
> 
> 3. Similar to #2, but move the ietf-system augmentation back to 5539bis
> 
> 4. Similar to #2, but move the TLS-auth directly (no augmentation) into
>    the ietf-system model defined in draft-ietf-netmod-system-mgmt
> 
> 5. Move all user-auth config from draft-ietf-netmod-system-mgmt into
>    draft-ietf-netconf-server-model
> 
> 6. Move all user-auth config from both draft-ietf-netmod-system-mgmt
>    and draft-ietf-netconf-server-model into yet another draft (for
>    instance, draft-ietf-netmod-user-auth?)
> 
> 7. Anything else?

As NETMOD WG co-chair, I want to publish draft-ietf-netmod-system-mgmt.
Building "perfect" modules means we will never finish. Once again,
modules can be revised and augmented if needed.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>