[netmod] Re: comments on system-config-08 draft
Andy Bierman <andy@yumaworks.com> Wed, 21 August 2024 08:59 UTC
From: Andy Bierman <andy@yumaworks.com>
Date: Wed, 21 Aug 2024 01:59:25 -0700
To: "maqiufang (A)" <maqiufang1@huawei.com>
CC: "netmod@ietf.org" <netmod@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/doU43o-JBWSfLSeMFU07IZgrKeY>

On Wed, Aug 21, 2024 at 1:05 AM maqiufang (A) <maqiufang1@huawei.com> wrote:

> Hi, Andy,
>
> Thanks for the comments, please see reply inline…
>
> *From:* Andy Bierman [mailto:andy@yumaworks.com]
> *Sent:* Wednesday, August 21, 2024 12:34 AM
> *To:* NetMod WG <netmod@ietf.org>
> *Subject:* [netmod] comments on system-config-08 draft
>
> Hi,
>
> I do not think this draft is ready.
>
> 1) Behavior changes to conventional datastores
>
> There seem to be NBC changes being made to the behavior of the conventional non-NMDA datastores, particularly <running>.
>
> I disagree that it is a problem that <running> contains some system configuration mixed in with the client configuration. The only problem is that the data is not editable by clients. The "immutable" flag draft provides clients with enough information to avoid 'access-denied' errors when editing system config. Changing the behavior of <running> seems to break old non-NMDA clients that expect the combined config.
>
> There are various implementations about system configuration, and some do put system configuration into <running>, but the vision has always been to give the client full control over <running>, right? System configuration comes and goes, which is beyond the control of operators, while I think <running> should be controlled with more predictability.

No, I do not agree that system config "comes and goes" and therefore no system config can be in <running>. Metadata can be used to identify system data vs. client data.

The example in the appendix shows a device that would boot without any interfaces in <running>. They would only be in <system>. If this is the case, then all non-NMDA clients and all current NMDA clients need to be rewritten to know about the <system> config. IMO breaking all existing clients would be a bad idea.

> 2) NBC Changes to XPath
>
> Changing the XPath evaluation procedures is an NBC change. In this case, also quite complicated to implement XPath across multiple datastores.
>
> System config could be visible in <running> using the immutable flag. Leafrefs and XPath are allowed to point at config=true in the same data tree. This does not require any changes to XPath processing.
>
> Referencing a special read-only datastore is no different than simply allowing the XPath to reference config=false. It is the same NBC change.
>
> I am confused by this comment, as no one has ever proposed to change the XPath evaluation procedures.
>
> If the intention is to make <running> alone valid, the proposed approach is to either copy the referenced system nodes into <running> or use the “resolve-system” parameter to allow the server to do the copy thing.
>
> If <running> alone doesn’t have to be valid and only <intended> is subject to validation, then simply merge <running> with <system> to be referentially complete for <intended>.
>
> Neither case has proposed a direct cross-datastore reference.

I am confused, because I was told the reason <system> is needed is so leafref and XPath in <running> can reference the system config (i.e. nodes in <running> require nodes from <system> to be part of the data tree.)

This violates the XPath context rules in RFC 7950.
This prevents offline validation of <running>.
This violates the MUST requirement in RFC 7950 that <running> MUST be valid.

> 3) resolve-system
>
> I am confused why a client would not resolve the system, since the <running> datastore needs these nodes so the client nodes can exist.
>
> Of course the client can resolve the reference and explicitly copy the missing parts from <system> into <running> (see sec 5.2), “resolve-system” is just an alternative for the clients that don’t wish a manual copy. It is optional to implement and clients **may** use.

Obviously, an old client is unaware of the new <system> datastore and will never provide the 'resolve-system' leaf. I do not understand how config can be changed, e.g. an address is assigned to an interface, if the parent interface is not in <running>.

> Andy
>
> Best Regards,
>
> Qiufang

Andy
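
Point 2 of the exchange above turns on whether a leafref target has to exist in the same data tree as the node that refers to it. As an added illustration (not part of the message, and not code from the draft or from any implementation), this simplified Python model checks a hypothetical `interface-ref` leafref against constructed <running> and <system> trees: alone, after the client-side copy, and after the merge the thread describes. It is not a YANG validator, and all node names are assumptions.

```python
"""Simplified model of leafref checks over <running> and <system>.
Constructed data and hypothetical node names; not a YANG validator."""
from copy import deepcopy

# Constructed trees; a YANG list is modelled as a dict keyed by its list key.
SYSTEM = {"interfaces": {"lo0": {"type": "loopback"}}}
RUNNING = {
    "interfaces": {"eth0": {"type": "ethernet"}},
    "ospf": {"area0": {"interface-ref": ["eth0", "lo0"]}},
}
# Hypothetical leafrefs: (path of the referring leaf-list, path of the target list).
LEAFREFS = [(("ospf", "*", "interface-ref"), ("interfaces",))]

def merge(base, overlay):
    """Return a copy of base with overlay merged on top (overlay wins on leaves)."""
    out = deepcopy(base)
    for k, v in overlay.items():
        if isinstance(v, dict) and isinstance(out.get(k), dict):
            out[k] = merge(out[k], v)
        else:
            out[k] = deepcopy(v)
    return out

def walk(tree, path):
    """Yield every node matching path; '*' matches any list entry."""
    if not path:
        yield tree
    elif isinstance(tree, dict):
        keys = list(tree) if path[0] == "*" else [k for k in (path[0],) if k in tree]
        for k in keys:
            yield from walk(tree[k], path[1:])

def dangling_leafrefs(tree):
    """Return sorted leafref values that have no target instance in this tree."""
    missing = set()
    for leaf_path, target_path in LEAFREFS:
        targets = set()
        for t in walk(tree, target_path):
            targets.update(t.keys())
        for values in walk(tree, leaf_path):
            missing.update(v for v in values if v not in targets)
    return sorted(missing)

def copy_referenced(running, system):
    """Model the client copying the referenced system entries into <running>."""
    wanted = {n: system["interfaces"][n] for n in dangling_leafrefs(running)
              if n in system.get("interfaces", {})}
    return merge(running, {"interfaces": wanted})
```
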