IETF Logo Mail Archive

[netmod] Re: Regarding RFC 7950 Mandatory validation

Andy Bierman <andy@yumaworks.com> Wed, 18 September 2024 16:27 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE145C16942E for <netmod@ietfa.amsl.com>; Wed, 18 Sep 2024 09:27:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8mzeKIBfayG4 for <netmod@ietfa.amsl.com>; Wed, 18 Sep 2024 09:27:09 -0700 (PDT)
Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com [IPv6:2607:f8b0:4864:20::430]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DF57C14F6F4 for <netmod@ietf.org>; Wed, 18 Sep 2024 09:27:09 -0700 (PDT)
Received: by mail-pf1-x430.google.com with SMTP id d2e1a72fcca58-717839f9eb6so1212719b3a.3 for <netmod@ietf.org>; Wed, 18 Sep 2024 09:27:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks.com; s=google; t=1726676829; x=1727281629; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=vd56JQEsunc3i9+kTPgEq5oqhRrnzdrxi8Fj803M5Hc=; b=WbfRkuZwjoe8EaqHkJnSEIMHlkNtb5fnfi0OzCD1TFXH/kp5HR+3C+s0zo44d4AJFA AW96AP2zCiTKxOIvYAO+26ysOkYEF3P3BzLiGaFky3+wnOe5rY9U/6ovaANwSJdxVMCb vRnksU4mTzwcWMi7smIjSVVeuWwtsug9VmZ7r9ZLuGtxQMcho2RjZIJFgKt/ErH3dyOT igpix94ioE8haNjO7aFroz6iWrOOBT2lIl/4+aWsA2OY88VPmgIJD6IcKim+HsD0Efq8 fvb96IhW5czUlIMbTsBNoSNHC4OVz2amNDX17KYMeSpealR3G1gMUF2Sy2L56o+Zpq7n UlyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726676829; x=1727281629; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=vd56JQEsunc3i9+kTPgEq5oqhRrnzdrxi8Fj803M5Hc=; b=BaPlSpjAawPygya22sy5prjjAWT+zHBtUfJ7ElEbU0dnVwQG24IAoPbgLu52iJxk5o aMXBw3v09Y3L/2yLHKNCm+fvzlzRwfoNb70+QqZWWIQOl7rpjFO0hpC4dITkr1xbzreK 0vTS49+15U4o4Cto8x0xfISisTAEOoxC0k+iDnyqwugUEagRr1XSjJS30eVOqP45IEQ/ RPbXMdRxAs1N+p6oyixVPxYafq1PEtLPTSOwfpbMZWlTfe4HK+5CTOkPl0ZL10w+fnZx sOMMR6Zw+dS0hlxxWkEeZydiSkjU4v52aPJEyz1TxBAz/fv8be9gNAtPOaf50K6AFmDC r4CA==
X-Forwarded-Encrypted: i=1; AJvYcCUE9+feu8g9p+VpUALfhP7EuZ+NadU1ODmJcHWm3k6jNc9rTrpxcrjVaoWE/Acnm12xXoKDbzU=@ietf.org
X-Gm-Message-State: AOJu0YwdOHc3vZS76qax1kIfc7qXifJEnbgA54oYL4P/IHnHZQwJYlrB QrvYvj2Q6cETL3G0vOKw0aiUOoFILTrnuxgIpNZLkKlsv1hUq5Gz55oahvzxCCAy9sVep1aFfsq MeN8Z/tCco4EoeGSm/DuXk3SKj1bWWa11mG0LuQ==
X-Google-Smtp-Source: AGHT+IFR1xCZcGiLawdI5hBUiEYiQDbqB6HgaLl8CjkdaQEqC4+7+/DJ8Oj2vzU9gWSz/pYcrAVPNSE9BtTNlejaGMU=
X-Received: by 2002:a05:6a00:ccb:b0:718:e49f:246e with SMTP id d2e1a72fcca58-7192620091cmr14177945b3a.6.1726676828656; Wed, 18 Sep 2024 09:27:08 -0700 (PDT)
MIME-Version: 1.0
References: <OS3PR01MB5848ECB03174DF2A56B8B81BF19E2@OS3PR01MB5848.jpnprd01.prod.outlook.com> <01000191fc9ebeef-cf02c2a8-6818-4683-841d-ea41fe0b0d76-000000@email.amazonses.com> <OS3PR01MB584892B40019F7875D146379F1612@OS3PR01MB5848.jpnprd01.prod.outlook.com> <01000192017932af-055438cd-14e1-4829-9b3a-8aa82ffa86ee-000000@email.amazonses.com> <CABCOCHR-Fu=+h19kzqJeC91hoWNEoifdfhENK-RKwF8RfFwrNQ@mail.gmail.com> <0100019201e55722-a8d6d559-f80a-4ef0-9fb4-bbeaff4cf4fb-000000@email.amazonses.com> <OS3PR01MB5848E5599EBDE02D4C1D9168F1622@OS3PR01MB5848.jpnprd01.prod.outlook.com>
In-Reply-To: <OS3PR01MB5848E5599EBDE02D4C1D9168F1622@OS3PR01MB5848.jpnprd01.prod.outlook.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Wed, 18 Sep 2024 09:26:56 -0700
Message-ID: <CABCOCHSdOitHDFHaFxPGiCCqKhaJ4UV+tXsDFXbRF5qvoboetA@mail.gmail.com>
To: "Parthasarathy.R@fujitsu.com" <Parthasarathy.R@fujitsu.com>
Content-Type: multipart/alternative; boundary="00000000000003b5d90622674762"
Message-ID-Hash: W6NLWL2VQE455PNYZWQAVWOEJV2RRTAU
X-Message-ID-Hash: W6NLWL2VQE455PNYZWQAVWOEJV2RRTAU
X-MailFrom: andy@yumaworks.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-netmod.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Kent Watsen <kent@watsen.net>, "netmod@ietf.org" <netmod@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [netmod] Re: Regarding RFC 7950 Mandatory validation
List-Id: NETMOD WG list <netmod.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/SgDCxUt82e4f1cMGjd5UZ29QxtU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Owner: <mailto:netmod-owner@ietf.org>
List-Post: <mailto:netmod@ietf.org>
List-Subscribe: <mailto:netmod-join@ietf.org>
List-Unsubscribe: <mailto:netmod-leave@ietf.org>

On Wed, Sep 18, 2024 at 4:10 AM Parthasarathy.R@fujitsu.com <
Parthasarathy.R@fujitsu.com> wrote:

> Hi Kent and Andy,
>
>             Thanks again for your emails. I am kind of confused on Kent’s
> reply now.
>
>
>
> “The 'edit-config' RPC input parameters have some constraints like
> mandatory parameters.
>
> The 'config' payload constraints are not part of the RPC input parameter
> validation.
>
> Only constraints defined on the RPC input parameters are checked here.“
>
>             Does it mean, whatever mentioned in 8.3.1 of RFC 7950 are only
> applicable to RPC input and not applicable for <config> payload? All the
> points apply to config payload as well, isn’t it? When we have the yang and
> the input payload (assuming a create edit-config request), we can directly
> check if mandatory attribute is missing and report error during the payload
> parsing itself, instead of doing that in ‘processing’ and ‘validation’. It
> is a fail-fast implementation. I was thinking, that as the reason, RFC
> lists down various validations as part of Payload Parsing.
>
>
>
>             From Andy’s reply below:
>
> “Yes, the over-the-wire message must be valid XML but, beyond that, all
> implementations I’m aware of "validate the over-the-wire message" by 1)
> processing it to update a version of <running>and 2) validating the
> resulting version of <running>.“
>
>             I understand, all current implementations are not failing
> fast, and they always check the constraints (including the leaf’s
> ‘mandatory’) during ‘processing’ and ‘validation’ and not during ‘payload
> parsing’. This dilutes the purpose of a separate ‘Payload Parsing’ section
> at all in RFC, when everything is going to be done on
> ‘processing’/’validation’
>
>
>
>             In my humble opinion, we have to include a clause in ‘Payload
> Parsing’ section of RFC, mentioning, “If all mandatory leafs are not
> present, when the edit-config operation is ‘create’, then the server MUST
> reply with a "missing-element" <error-tag> in the <rpc-error>.”. This is
> only applicable for a create operation and not applicable for a merge or
> replace operation.
>


The Payload parsing refers to the RPC input parameters defined in the
edit-config operation.
There are 2 such constraints in this operation:

- mandatory choice config-target
- mandatory choice edit-content

The config parameter is not a representation of a datastore and not subject
to datastore validation
as part of the payload parsing.

Also, the <candidate> can be changed with many edit-config steps.
The combined result is only required to be valid when the <commit> applies
the changes to <running>.



>
>
> Regards,
>
> Partha.
>


Andy


>
>
> *From:* Kent Watsen <kent@watsen.net>
> *Sent:* Wednesday, September 18, 2024 3:01 AM
> *To:* Andy Bierman <andy@yumaworks.com>
> *Cc:* R, Parthasarathy <Parthasarathy.R@fujitsu.com>; netmod@ietf.org
> *Subject:* Re: [netmod] Regarding RFC 7950 Mandatory validation
>
>
>
> Hi Andy,
>
>
>
> IMO the RFCs are clear.
>
>
>
> The 'edit-config' RPC input parameters have some constraints like
> mandatory parameters.
>
> The 'config' payload constraints are not part of the RPC input parameter
> validation.
>
> Only constraints defined on the RPC input parameters are checked here.
>
>
>
> https://datatracker.ietf.org/doc/html/rfc6241#section-7.2
>
>
>
> The server applies the config to its internal datastore.
>
> At that point the config contents are part of a configuration data tree.
>
>
>
>
>
> https://datatracker.ietf.org/doc/html/rfc7950#section-8
>
>
>
>    o  If the constraint is defined on configuration data, it MUST be
>
>       true in a valid configuration data tree.
>
> ...
>
>    o  If the constraint is defined on RPC or action input parameters, it
>
>       MUST be true in an invocation of the RPC or action operation.
>
>
>
>
>
> You’re right.  Validation is context dependent.
>
>
>
> K.
>
>
>
>
>
>
>
>
>
> Andy
>
>
>
>
>
> K.
>
>
>
>
>
> Thanks & Regards,
>
> Partha.
>
>
>
> *From:* Kent Watsen <kent@watsen.net>
> *Sent:* Tuesday, September 17, 2024 2:26 AM
> *To:* R, Parthasarathy <Parthasarathy.R@fujitsu.com>
> *Cc:* netmod@ietf.org
> *Subject:* Re: [netmod] Regarding RFC 7950 Mandatory validation
>
>
>
> Hi Partha,
>
>
>
>
>
> On Sep 6, 2024, at 1:13 PM, Parthasarathy.R@fujitsu.com<
> Parthasarathy.R=40fujitsu.com@dmarc.ietf.org> wrote:
>
>
>
> Hi,
>
>             I am a Software Engineer working in Fujitsu’s NMS product
> supporting Netconf devices. I want a clarification in RFC 7950 on the
> behavior of constraint validation in an edit-config request enforced by
> ‘mandatory’ statement. I referred to section 8 in RFC 7950 regarding this
> and from what I see, all edit-config requests should include the mandatory
> leafs. There is no special behavior mentioned on edit-config’s operation
> type as ‘create’ or ‘merge’ or ‘delete’ in the validation section of RFC.
>
>
>
>             This ends up in two different interpretations:
>
> 1.      All edit-config requests must always include the mandatory
> attributes irrespective of the operation type is create/merge
>
> 2.      Edit-config requests must include the mandatory attributes only
> if operation type is create and it can choose to skip if the attribute is
> already present in Datastore due to previous edit-configs.
>
>
>
> Kindly confirm which interpretation holds good. Also, I would like to
> understand, if, ‘mandatory’ check applies to the payload during Payload
> Parsing stage (mentioned in section 8.3.1 of RFC 7950) for every edit
> config and that all edit config operations must include the mandatory
> attributes into the payload, even if the operation is merge and the
> mandatory attribute exists in the candidate store.
>
>
>
>
>
> It’s more the latter, but please note that YANG doesn’t validate what is
> in a message over-the-wire, so much as the contents of the <running>
> datastore (as Andy mentioned) after the over-the-wire message has been
> processed.
>
>
>
> PS: If using NMDA (RFC8342), then it’s the <intended> datastore that is
> subject to validation.
>
>
>
> K.
>
>
>
>
>
>
>
>             Kindly help to clarify.
>
>
>
> Thanks & Regards,
>
> Partha.
>
> _______________________________________________
> netmod mailing list -- netmod@ietf.org
> To unsubscribe send an email to netmod-leave@ietf.org
>
>
>
>
>

v2.29.0 | Report a Bug | By Email | System Status