IETF Logo Mail Archive

Re: [netmod] Kathleen Moriarty's Discuss on draft-ietf-netmod-revised-datastores-09: (with DISCUSS)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 11 January 2018 03:12 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E018F12E855; Wed, 10 Jan 2018 19:12:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z6g7BAeBqhW0; Wed, 10 Jan 2018 19:12:43 -0800 (PST)
Received: from mail-pf0-x229.google.com (mail-pf0-x229.google.com [IPv6:2607:f8b0:400e:c00::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25AA612E044; Wed, 10 Jan 2018 19:12:43 -0800 (PST)
Received: by mail-pf0-x229.google.com with SMTP id e76so198701pfk.1; Wed, 10 Jan 2018 19:12:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-transfer-encoding; bh=5TunDxmGKO92Ent3Mcf8eUj4y4LIiWjKU4vjTY7mb+k=; b=vKLYGS+0q5dRMWan1sw5ScNSsNQwGKRdJdg9HrDAwNobyHb52eAQVjPcB+aRTwhw5q oj5jyRfGjzJXSS+nGx7cVzVqi+Agh5vQjeT9l/qY++vbfAJ5TLe+oMcMDh79YJmn4w3/ OKkRIlKez0vnLl00tA+yO4S0Gsl8cb19K5c43e5O4nFAu5G8NCMNdOm1zuNsUJHEaauO Vbq0D1V7v/qUIntbGEbtlP6fkfpdMBdb8RwIsMP6yNkP+jYJRF0cE48o9kIF99Wqxk5e YCe66O/j0uiqganHvOlzDVktqi3e37jikWVthAC/0q4gDSVZ53HqRoHI5li5UPD3CJUh 3+lQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-transfer-encoding; bh=5TunDxmGKO92Ent3Mcf8eUj4y4LIiWjKU4vjTY7mb+k=; b=Rc0d6CGFrstU+FooZcTTl8xHVBHeSuVG9Tn0AzN5JrYXN5XhQAQeeQr8m7kWEAfuOO xT6k1EOmbrTIuw8++NWUgOJ7jOdQmxISvHE1NydLbmszorFPS931M4Tznbr4HC8NVKEm 25VgXpb8bznGCyW7egZ6SlwLTF8Ms7/mQWfZkygZDQ+xE4FYzyBk61rYcFZ9nNuFNCLU Frt30iohBgo415JSFs1TcbKOXxAxe6nuj2kH3ELVtUujKd3cwAMfA5xbN6yZmr1XahR1 Y4PZE0t3aHhfFw2L4yCkceQH1VPkaBxO9Ad64/QUXkv1yU9yRfld7spSTpo9d7DH4yZ8 yCuw==
X-Gm-Message-State: AKGB3mLzR76BneP3K13cU4g728K/1rH9vLHBNpgXEonqRSZUdm+EeLTI kTPnNl3K3hQR4jaGLFdo0n+eSiC0CXO47Shvy4s=
X-Google-Smtp-Source: ACJfBouOCbL3tU09HUJuqBVU7NJTqZ34MWmOWG/tWreMEjJYJAVDtlxY6UwE2/KKOkGtG4UUiQ15wxHuWagciYNvWMA=
X-Received: by 10.84.217.14 with SMTP id o14mr9987516pli.78.1515640362484; Wed, 10 Jan 2018 19:12:42 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.186.208 with HTTP; Wed, 10 Jan 2018 19:12:02 -0800 (PST)
In-Reply-To: <20180110194529.3myrio6vrvsn3jjh@elstar.local>
References: <151561207372.18313.8094240527199424975.idtracker@ietfa.amsl.com> <20180110194529.3myrio6vrvsn3jjh@elstar.local>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Wed, 10 Jan 2018 22:12:02 -0500
Message-ID: <CAHbuEH6WXMU6RknQdfuq30zhbUycQtFRW54hOT9WkwR8g2Rsxg@mail.gmail.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>, draft-ietf-netmod-revised-datastores@ietf.org, Lou Berger <lberger@labn.net>, netmod-chairs@ietf.org, netmod@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/kWn1IXxdDl6_WqtEMNU_ZLvjYSM>
Subject: Re: [netmod] Kathleen Moriarty's Discuss on draft-ietf-netmod-revised-datastores-09: (with DISCUSS)
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jan 2018 03:12:46 -0000

Hi Juergen,

Thanks for your quick response.  Inline.

On Wed, Jan 10, 2018 at 2:45 PM, Juergen Schoenwaelder
<j.schoenwaelder@jacobs-university.de> wrote:
> On Wed, Jan 10, 2018 at 11:21:13AM -0800, Kathleen Moriarty wrote:
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>> Hello,
>>
>> Thanks for your work on this draft.  I'm a little confused with some text in
>> the draft and have a few questions.
>>
>> 1. The introductions says,
>> "This architectural framework identifies a set of conceptual datastores but
>>    it does not mandate that all network management protocols expose all
>>    these conceptual datastores.  This architecture is agnostic with
>>    regard to the encoding used by network management protocols."
>>
>> As such, the data stores could be exposed for some implementations, using
>> whatever network management protocol (likely NetCONF or RESTCONF).  If this is
>> the case, why doesn't at least some of the security considerations template
>> apply for at least secure transport?
>
> The security considerations text is IMHO correct. The YANG modules defined
> in this document do not define any accessible objects. Hence, the security
> YANG template does not apply.

Could you make that more clear in the document?  The section from the
introduction quoted above says it is possible if network management
protocols expose the datastores.

>
>> 2. Section 5.3.4 - Is there any integrity protection on the origin information?
>>  If not, can it be added or is there a good reason why it’s not possible?  I
>> realize these are conceptual models that may or may not be exposed, but if
>> exposed and used, wouldn’t some integrity protection on this be helpful?
>
> Can you clarify what you mean with 'integrity protection' in this
> context and why you think origin attributes are special? The known
> published network management protocols all use standard security
> protocols (SSH and TLS). In general, security mechanisms are protocol
> specific, I do not see how the architectual definition of datastores
> requires discussion of special integrity mechanisms. Perhaps I do not
> understand your concern.
>

What I'm wondering here and wanted to discuss was really how the
information on origin information will be used.  Does this information
need to be from a source that can be validated?  If so, should there
be some way to provide a MAC for the values for origin information in
the data stores?  I am not referring to transport in this second
question.  Your answer may be an explanation of how the origin
information will be used that excludes any need for integrity
protection.  I just wasn't clear on how the information from the data
stores will be used from the draft.

Thank you,
Kathleen

> /js
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email