Re: [netmod] AD review: draft-ietf-netmod-revised-datastores-08

Robert Wilton <rwilton@cisco.com> Tue, 09 January 2018 11:18 UTC

Return-Path: <rwilton@cisco.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 270E5126D3F for <netmod@ietfa.amsl.com>; Tue, 9 Jan 2018 03:18:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.509
X-Spam-Level:
X-Spam-Status: No, score=-14.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y0X3jU7yIksC for <netmod@ietfa.amsl.com>; Tue, 9 Jan 2018 03:18:27 -0800 (PST)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BBD4126C83 for <netmod@ietf.org>; Tue, 9 Jan 2018 03:18:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=49412; q=dns/txt; s=iport; t=1515496706; x=1516706306; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=SEhHR7A1aBZpr7LHFM6AjBImqjr60wzYunfdFRi+ncw=; b=N7gw8IgOjaPSKjYBZkNv0Vo8slWYMzBlEL6uu0sDldX/7LoA+tbM5ZIJ IHaKj/xVeBMwOyoeBLlMLX5KP+iusd6R/h5gOLkp7U9NUqHr+xr90ozKo ZYgUW+0M9Q5ONiji9oOpMfrLbupeVVCZPfFgyDlYUGJaJSyIQoNaw23EE c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0B3AQB2pFRa/xbLJq1aAxkBAQEBAQEBA?= =?us-ascii?q?QEBAQEHAQEBAQGCSkaBFnQnhAeLGI9ql0KCAQoYAQqDOoEPTwKEehQBAQEBAQE?= =?us-ascii?q?BAQFrKIUjAQEBAQIBAQEYAQhLCwUJAgkCEAIGIAEGAwICGwwfAw4GDQYCAQEXi?= =?us-ascii?q?g4IEJEsnW6CJyaKHQEBAQEBAQEBAQEBAQEBAQEBAQEBAR0FhBt9gm+BaSmBd4E?= =?us-ascii?q?Ogy8BgUcPAjcmglCCZQWZWReJb5VBgheKCCaBOoYKimGEMYgHgTw2IiWBKzIaC?= =?us-ascii?q?BsVPYIqCYISORyBZ0E3iDMCJQeCHQEBAQ?=
X-IronPort-AV: E=Sophos;i="5.46,335,1511827200"; d="scan'208,217";a="1348454"
Received: from aer-iport-nat.cisco.com (HELO aer-core-2.cisco.com) ([173.38.203.22]) by aer-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 09 Jan 2018 11:18:23 +0000
Received: from [10.63.23.84] (dhcp-ensft1-uk-vla370-10-63-23-84.cisco.com [10.63.23.84]) by aer-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id w09BIN0x028739; Tue, 9 Jan 2018 11:18:23 GMT
To: Andy Bierman <andy@yumaworks.com>
Cc: NETMOD Working Group <netmod@ietf.org>
References: <e2fd599f-7547-d2f7-d450-f67a3f409ae1@cisco.com> <fe856e5c-5760-9bb9-ace3-cec0cfb39278@cisco.com> <79d1baae-397d-883e-3bc0-e1c5f71fc4f8@transpacket.com> <64f59023-e000-18c4-8830-29ba6e9be7e9@cisco.com> <6e899e21-8931-b61c-3b73-6c8a8a1c912a@transpacket.com> <20171221132030.7zebh2xkhddmql3c@elstar.local> <e268a6b6-9024-be90-0225-3cd191185d97@transpacket.com> <20171221222742.izrmwpbiwgoc7col@elstar.local> <CABCOCHSULx3XjmWK8PjynJ-8Se3+cav9A7d7VeYLs2u5jppf=g@mail.gmail.com> <cf27d398-1883-c1ce-a54a-4644bac8a1dc@cisco.com> <CABCOCHQCv8ih9uKFxmews_=3c_rX6fSAA=L8vtW91k-pMSHOEg@mail.gmail.com>
From: Robert Wilton <rwilton@cisco.com>
Message-ID: <d2f8abd1-56fb-93b0-da3c-37cf16d2d4db@cisco.com>
Date: Tue, 9 Jan 2018 11:18:23 +0000
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <CABCOCHQCv8ih9uKFxmews_=3c_rX6fSAA=L8vtW91k-pMSHOEg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------5028F0DD6D1EF7E68FF0ED6D"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/hL4Whl7iZYMHZNbPKFVfJ7mi2O4>
Subject: Re: [netmod] AD review: draft-ietf-netmod-revised-datastores-08
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jan 2018 11:18:31 -0000

Hi Andy,


On 08/01/2018 19:45, Andy Bierman wrote:
>
>
> On Mon, Jan 8, 2018 at 5:55 AM, Robert Wilton <rwilton@cisco.com 
> <mailto:rwilton@cisco.com>> wrote:
>
>     Hi Andy,
>
>     Regarding your comment below, this intent is captured by this text
>     describing the operational datastore in section 5.3:
>
>         <operational> SHOULD conform to any constraints specified in the data
>         model, but given the principal aim of returning "in use" values, it
>         is possible that constraints MAY be violated under some
>         circumstances, e.g., an abnormal value is "in use", the structure of
>         a list is being modified, or due to remnant configuration (see
>         Section 5.3.1).  Note, that deviations SHOULD be used when it is
>         known in advance that a device does not fully conform to the
>         <operational> schema.
>
>         Only semantic constraints MAY be violated, these are the YANG "when",
>         "must", "mandatory", "unique", "min-elements", and "max-elements"
>         statements; and the uniqueness of key values.
>
>         Syntactic constraints MUST NOT be violated, including hierarchical
>         organization, identifiers, and type-based constraints.  If a node in
>         <operational> does not meet the syntactic constraints then it MUST
>         NOT be returned, and some other mechanism should be used to flag the
>         error.
>
>
>     Do you agree that this is sufficient?
>
>
>
> Not really.
> It does not address my concern, which is that NMDA is
> removing the YANG constraints on config=false data nodes
> for no apparent reason.

There is a reason. I don't think that the constraints on config=false is 
really being removed, because I don't think that they truly existed in 
the first place (despite what RFC 7950 might indicate!).

I think that we all agree on the expected behavior for configuration: If 
a client sends configuration to a server that would cause <running> to 
become invalid then the server should reject that change, to ensure that 
<running> always holds a consistent configuration.  Having a consistent 
configuration is the most important property here.  I.e. the server has 
the right to reject an invalid configuration request from a client.

However, the flow of operational state data in opposite direction cannot 
hold to the same rules.  If during the processing of a get request (or 
YANG push) a server sends operational state data back to a client then a 
client has to choose how to process the message:
  - if the message is garbled or not sane then it makes sense to discard it.
  - however, what should the client do if the message is well formed but 
either (i) contains some values outside the permitted schema range (but 
can be represented by the schema datatype), or (ii) by applying the 
values would cause the clients copy of <operational> to become invalid?

If the client discards the message because of one bad value, then that 
doesn't seem to be helpful, since it allows for a very fragile model of 
system management.  I.e. if one small thing is bad then the whole house 
of cards collapses.

So I think that the only sensible behaviour here is that the client has 
to process the operational state update in a best effort fashion, keep 
all the good data and probably flag any values that are outside the 
value constraints.  Similarly any reference constraint failures (i.e. 
when/must) can similarly be flagged up, but throwing away an update 
message that would cause the operational state to become inconsistent 
doesn't seem to be helpful.  I.e. it is much better if the client gets 
to see the true state of the server, even if that state isn't good (or 
consistent).

Similar questions arise on the server itself:
  - what if the real value in use (e.g. that is read from the hardware) 
is outside the permitted range (because of a logic defect)?  Is it 
really better to suppress that value entirely or return a value that 
server knows to be wrong?
  - can a server even know that its operational view is consistent? For 
complex systems where the real operational state is split across 
multiple underlying linecards, or remote devices, I think that this is 
very hard (if not impossible) to do.

So what the NMDA architecture states is:
  (i) if a server knows that it won't conform to the operational schema 
then it must use deviations,
  (ii) a server in a normal steady state should conform to the 
operational schema (and be valid),
  (iii) but, if the system is churning (e.g. configuration, route 
update, etc) then the operational state of the server might be 
transiently inconsistent and this is OK,
  (iv) if, the server is in a bad state, then it is better to return the 
actual state than to lie or not report a particular value (as long as it 
can be encoded).
  (v) a server does not need to explicitly validate that its view of 
operational is valid. It is unclear what it would/could do if it 
detected that the operational state is invalid, nor is it clear that 
servers would generally be able to always perform this operation.

>
> The server implementation requirements expressed in YANG constraints
> are applicable to any data node, not just config=true data nodes.
> The requirement to implement the ancestor nodes (with keys) does not 
> change.

The draft does not allow this to be violated.  I.e. the following 
statement prevents this: "Syntactic constraints MUST NOT be violated, 
including hierarchical organization".


> The requirement to conform to the YANG constraints defined within 
> config=false
> data nodes does not change.
>
> To do otherwise does not make sense.  E.g. "when" conditions that add 
> ethernet
> counters only when the interface type is ethernetCsmacd. Why would it 
> be OK for
> the server to ignore that when-stmt and add ethernet counters to every 
> interface?

It is not OK for a server to ignore that and add Ethernet counters to 
every interface (without using a deviation).  The draft is not trying to 
allow that.

But if an interface could change type (e.g. between Ethernet and ATM via 
a different optics module being inserted) then it would be allowed for a 
server to transiently report the ethernet counters on the interface 
whilst it is in the process of changing the interface type from ethernet 
to ATM (e.g. if the counters are maintained by a separate daemon that is 
updated asynchronously with respect to the config or optics change).  
Once the change had completed, the the system reaches steady state then 
the Ethernet counter must no longer be reported.

Thanks,
Rob


>
> IMO the text above can only apply to the operational values of 
> config=true nodes.
>
>
>     Thanks,
>     Rob
>
>
>
> Andy
>
>
>
>     On 21/12/2017 22:49, Andy Bierman wrote:
>>     Hi,
>>
>>     It should be clear somehow that server requirements to provide
>>     config=false data
>>     that is valid according to the YANG definitions is not affected
>>     by NMDA.
>>     That is not being taken away.  The ability to validate
>>     operational values
>>     of configuration data has never been provided, and therefore is
>>     not being taken away either.
>>
>>     A constraint on config=true nodes only applies to configuration
>>     datastores.
>>     These are the only constraints that should be ignored in
>>     <operational>.
>>     Constraints on config=false nodes still apply in <operational>.
>>
>>
>>     Andy
>>
>>
>>
>>     On Thu, Dec 21, 2017 at 2:27 PM, Juergen Schoenwaelder
>>     <j.schoenwaelder@jacobs-university.de
>>     <mailto:j.schoenwaelder@jacobs-university.de>> wrote:
>>
>>         On Thu, Dec 21, 2017 at 07:52:54PM +0100, Vladimir Vassilev
>>         wrote:
>>         > On 12/21/2017 02:20 PM, Juergen Schoenwaelder wrote:
>>         >
>>         > > On Thu, Dec 21, 2017 at 02:03:45PM +0100, Vladimir
>>         Vassilev wrote:
>>         > > > On 12/21/2017 11:34 AM, Robert Wilton wrote:
>>         > > >
>>         > > > > Hi Vladimir,
>>         > > > >
>>         > > > > First point of clarification is that this is not
>>         about running/intended
>>         > > > > at all.  The contents of running/intended do not
>>         change in anyway
>>         > > > > depending on whether hardware is present or absent.
>>         > > > >
>>         > > > > The section is only concerned with how the
>>         configuration is applied in
>>         > > > > operational, and basically says that you cannot apply
>>         configuration for
>>         > > > > resources that are missing (which seems reasonable). 
>>         E.g. I cannot
>>         > > > > configure an IP address on a physical interface that
>>         isn't there.  Or if
>>         > > > > the physical interface gets removed then the
>>         configuration associated
>>         > > > > with that interface is also removed from operational.
>>         > > > >
>>         > > > > Operational isn't validated and data model
>>         constraints are allowed to be
>>         > > > > broken (ideally transiently).
>>         > > > I want to focus on this. IMO giving up schema validitiy
>>         for any datastore is
>>         > > > unacceptable price. Pre-NMDA devices had full model
>>         support in operational
>>         > > > data (all YANG constrains part of the model without
>>         discrimination were
>>         > > > enforced).
>>         > > There was a long debate about the value of returning the true
>>         > > operational state. What do you do if the operational
>>         state is invalid?
>>         > > A server can reject configuration changes if they lead to
>>         invalid
>>         > > state, a server can not reject reality.
>>         > IMO if the model can represent reality then data conforming
>>         to the model
>>         > can. If not a better model is needed not a hack that breaks
>>         the datastore
>>         > conformance to the YANG model. I do not see how
>>         > /interfaces/interface/oper-status=not-present was not
>>         representing the
>>         > reality of a system with removed line card that is
>>         configured and ready to
>>         > resume operation as soon as the line card is reconnected.
>>
>>         I assume this is all system and implementation specific. If your
>>         system knows about interfaces that are not present (i.e.,
>>         there is
>>         operational state about them), you can report these
>>         interfaces.  But
>>         'is configured' is confusing here. I am not sure a line card
>>         that does
>>         not exist should be considered configured. But yes, this may
>>         be system
>>         specific. Anyway, draft-ietf-netmod-rfc7223bis-01.txt still has
>>         oper-status 'not-present' - so this seems to be a mood point.
>>
>>         > > > If this is about to change it will compromise
>>         interoperability
>>         > > > and a significant portion of the client implementation
>>         workload that can be
>>         > > > automated will need to be coded in hand and tested.
>>         Unresolved leafrefs,
>>         > > > undefined behaviour of different implementations
>>         removing different
>>         > > > configuration nodes in violation of YANG semantic
>>         constraints (which I do
>>         > > > not think can be so clearly separated from the
>>         syntactic constraints when
>>         > > > one considers types like leafref, instance-identifier
>>         etc.) and the
>>         > > > corresponding side effects based on the server
>>         implementators own creativity
>>         > > > is eventually going to create more problems.
>>         > > >
>>         > > > 1. IMO the only acceptable solution is to have YANG
>>         valid operational
>>         > > > datastore at all times. operational like any other
>>         datastore MUST be valid
>>         > > > YANG data tree and it has to be a system implementation
>>         task to consider all
>>         > > > complications resulting from the removal of the
>>         resources leading to any
>>         > > > data transformations. If this is difficult or
>>         impossible other mechanisms to
>>         > > > flag missing resources should be used (e.g.
>>         > > > /interfaces/interface/oper-status=not-present) This
>>         sounds like a useful
>>         > > > contract providing the value of a standard the
>>         alternative does not.
>>         > > As said above, it is impossible to report valid
>>         operational state if
>>         > > the operational state is not valid according to the models.
>>         > >
>>         > > > 2. Even with the change in 1. I do not see the removal
>>         of intended
>>         > > > configuration nodes from operational as a solution
>>         worth implementing on our
>>         > > > servers. I do not see a real world plug-and-play
>>         scenario that can be
>>         > > > automatically solved without specific additions to the
>>         models e.g.
>>         > > > /interfaces/interface/oper-status=not-present is
>>         oversimplified solution but
>>         > > > it needs to be extended exactly as much as the solution
>>         provided by the
>>         > > > removal of config true; nodes without the sacrifice of
>>         YANG validity of
>>         > > > operational.
>>         > > Your thinking is likely wrong. <operational> reports the
>>         operational
>>         > > state. It may have little in common with <intended>.
>>         Trying to derive
>>         > > operational from intended is likely a not well working
>>         approach.
>>         > The proposal for this solution ("derive operational from
>>         intended" e.g.
>>         > merge /interfaces-state in /interfaces) comes from the
>>         revised datastores
>>         > draft not me.
>>         >
>>         > By definition config true; data represents intent. Reusing
>>         the model of a
>>         > config true; data to represent state absent of intent (e.g.
>>         > /interfaces/interface with origin="or:system") is a hack.
>>         The hack works
>>         > fine without compromising the conformance of operational to
>>         the YANG model
>>         > as long as certain conditions are met. I am pointing out
>>         that one of the
>>         > conditions is to keep all of the intended configuration
>>         data present in
>>         > 'operational' and handle missing resources with
>>         conventional means e.g.
>>         > /interfaces/interface/oper-status=not-present instead of
>>         adding the straw
>>         > that breaks the camel's back.
>>
>>         I fail to see why you believe all objects that appear in intended
>>         configuration needs to exist in applied configuration. In fact,
>>         operators told us very clearly that they care about the
>>         distinction
>>         between intended and applied config.
>>
>>         > > > 3. Solutions like /interfaces/interface/admin-state
>>         stop working. With the
>>         > > > interface removed you can no longer figure if the
>>         if-mib has or does not
>>         > > > have the interface enabled so an operator has to use
>>         SNMP or wait for a
>>         > > > replacement line card to be connected to figure this
>>         bit of information.
>>         > > At least on my boxes, if I remove a line card, the
>>         interface also
>>         > > disappears in SNMP tables. Stuff that is operationally
>>         not present is
>>         > > simply operationally not present.
>>         > >
>>         > > > My
>>         > > > interpretation of the MAY as requirement level in sec.
>>         5.3. The Operational
>>         > > > State Datastore (<operational>) is that plug-and-play
>>         solutions can be
>>         > > > implemented without this limited approach that has the
>>         same problem as the
>>         > > > pre-NMDA only now we have to have /interfaces-state to
>>         keep config false;
>>         > > > data relevant to hardware that is configured but not
>>         present:
>>         > > >
>>         > > >     configuration data nodes supported in a
>>         configuration datastore
>>         > > >     MAY be omitted from <operational> if a server is
>>         not able to
>>         > > >     accurately report them.
>>         > > >
>>         > > > I realize this discussion comes late. I have stated my
>>         objections to this
>>         > > > particular part of the NMDA draft earlier.
>>         > > I believe there is a conceptual misunderstanding. I think
>>         there never
>>         > > was a requirement that a server reports the state of
>>         hardware that is
>>         > > not present.
>>         > "Data relevant to hardware that is configured but not
>>         present" is different
>>         > from "state of hardware that is not present". For example
>>         information
>>         > indicating when the line card became unavailable, what was
>>         the reason, or
>>         > other information like how many packets that had this
>>         interface as egress
>>         > destination are being dropped as a result of the removal.
>>
>>         I think that systems handle non-existing interfaces
>>         differently. It
>>         seems that ietf-interfaces is flexible enough to accomodate the
>>         differnet styles.
>>
>>         /js
>>
>>         --
>>         Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>>         Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen
>>         | Germany
>>         Fax:   +49 421 200 3103       
>>          <http://www.jacobs-university.de/
>>         <http://www.jacobs-university.de/>>
>>
>>         _______________________________________________
>>         netmod mailing list
>>         netmod@ietf.org <mailto:netmod@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/netmod
>>         <https://www.ietf.org/mailman/listinfo/netmod>
>>
>>
>>
>>
>>     _______________________________________________
>>     netmod mailing list
>>     netmod@ietf.org <mailto:netmod@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/netmod
>>     <https://www.ietf.org/mailman/listinfo/netmod>
>
>