Re: [netmod] Does defining a feature require the module be implemented?

Kent Watsen <> Wed, 18 May 2022 14:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CCD38C15790B for <>; Wed, 18 May 2022 07:30:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id t6R7FQEtSrrk for <>; Wed, 18 May 2022 07:30:33 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1E2E6C14F6E5 for <>; Wed, 18 May 2022 07:30:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw;; t=1652884232; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=65/caLhSkRRQMsTPtk1g31EAN+xaDArARvHKIhF3vGw=; b=NZxTT+6yp3ZE3W2vKlO/YaCnTtbUxnmyv77ee0ntWJX1SIKj570L8pok/aFH4JAw p+VuNJeTUm0wpw7h5EjNTs18VOHcQOgn9S0vp+ak31FNG43g2K1yiKwBytBnBQErjGa vXhxsGtNTcGBhpXW2/LIeDAIThmWurlL4r6ncBkQ=
From: Kent Watsen <>
Message-ID: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_09A9481D-BA87-47D8-8CC3-C952D1097B11"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.\))
Date: Wed, 18 May 2022 14:30:31 +0000
In-Reply-To: <>
Cc: "" <>
To: Martin Björklund <>
References: <> <>
X-Mailer: Apple Mail (2.3693.
X-SES-Outgoing: 2022.05.18-
Archived-At: <>
Subject: Re: [netmod] Does defining a feature require the module be implemented?
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: NETMOD WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 18 May 2022 14:30:37 -0000

> On May 18, 2022, at 2:05 AM, Martin Björklund <> wrote:
>> PS: the answer to this impacts the "crypto-types and friends" drafts
>> in the NETCONF WG, where it is assumed (and various tools agreed, sans
>> a recent change in `yanglint`) that the implementation-status of a
>> module is orthogonal to what features supported.
> Can you show a specific example where this is a problem?


The genesis of this issue arises from a change (I think!) in instance-document validation behavior from yanglint 1.x and 2.x, which I've been switching to, whereby validation is now failing due to an assumption that a module is *implemented* when the module is targeted by the "--features" parameter, even if only to explicitly indicate the *no* features are defined (i.e., "--featues=foo:", note that there are no feature-names listed after the colon).  As an aside, this seems a bit like "the tail wagging the dog", but the reasoning was/is that features can only be defined if a module is implemented and therefore it makes sense to auto-implement a module even though it wasn't explicitly listed as such on the command line.


An issue arises when a module (like ietf-keystore) defines a grouping (like "keystore-grouping") that is used both to allow instances in other data models as well as a "global" instance when the module is implemented.  i.e., container keystore { uses keystore-grouping; }

In ietf-keystore, a feature (central-keystore-supported) is used to enable leafrefs to the global instance for cases when the module is implemented (e.g., see local-or-keystore-symmetric-key-grouping).   However, because it was not anticipated that a module had to be implemented in order for a feature to be defined (as was allowed by RFC 7895 YANG Library), the "central-keystore-supported" feature statement was NOT placed on the root node of the protocol-accessible tree.

So, in the case of NOT wanting the global keystore instance and yet there IS a desire to define another keystore feature (e.g., asymmetric-keys), it seems that 1) the module MUST be implemented *and* the root node of the protocol-accessible tree MUST have an "if-feature central-keystore-supported" statement.

Closing thoughts:

1) I'm not saying it is wrong that a module must be implemented in order to define features defined in it.  But I am noting that I can't find where this behavior is defined (e.g., in RFC 7950).   Also I note that RFC 7895 enabled features to be defined independent of implementation-status while RFC 8525 doesn't.   As a co-author of RFC 8525, I don't recall this being discussed and wonder what justification was used, as folks are pointing to and working backwards from RFC 8525 to indicate that it must be so.

2) If it is the case that the module must be implemented to use its features, then I need to update some of my modules (e.g., crypto-types and friends) to explicitly disable the protocol-accessible tree when the module is implemented *only* to use its features.

3) I wish more modules would following the pattern of having the global protocol accessible tree be defined via a "uses" of a grouping defined in the module.   In another recent project, I had to hack the topology modules defined in RFC 8345 (to convert the containers to groupings) to enable a multiplicity of "abstract network topologies" to be configured.  The assumption that only a single global instance is ever needed is proving to be invalid in my work time and again.