Re: [netmod] I-D Action: draft-ietf-netmod-factory-default-05.txt

Qin Wu <bill.wu@huawei.com> Mon, 04 November 2019 06:26 UTC

Return-Path: <bill.wu@huawei.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 465291201DE; Sun, 3 Nov 2019 22:26:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kFTgc_VI-6MI; Sun, 3 Nov 2019 22:26:54 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B563C1200F1; Sun, 3 Nov 2019 22:26:53 -0800 (PST)
Received: from lhreml708-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 66F799DBE65F3AF0C13C; Mon, 4 Nov 2019 06:26:52 +0000 (GMT)
Received: from DGGEML423-HUB.china.huawei.com (10.1.199.40) by lhreml708-cah.china.huawei.com (10.201.108.49) with Microsoft SMTP Server (TLS) id 14.3.408.0; Mon, 4 Nov 2019 06:26:51 +0000
Received: from DGGEML531-MBS.china.huawei.com ([169.254.5.209]) by dggeml423-hub.china.huawei.com ([10.1.199.40]) with mapi id 14.03.0439.000; Mon, 4 Nov 2019 14:26:46 +0800
From: Qin Wu <bill.wu@huawei.com>
To: Andy Bierman <andy@yumaworks.com>, Kent Watsen <kent+ietf@watsen.net>
CC: "netmod@ietf.org" <netmod@ietf.org>, "draft-ietf-netmod-factory-default@ietf.org" <draft-ietf-netmod-factory-default@ietf.org>
Thread-Topic: [netmod] I-D Action: draft-ietf-netmod-factory-default-05.txt
Thread-Index: AdWS2Mf9xF1iDcUBTmy/s/dHY1ef7g==
Date: Mon, 4 Nov 2019 06:26:45 +0000
Message-ID: <B8F9A780D330094D99AF023C5877DABAA93E5953@dggeml531-mbs.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.134.31.203]
Content-Type: multipart/alternative; boundary="_000_B8F9A780D330094D99AF023C5877DABAA93E5953dggeml531mbschi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/tVv5Xcm3UUVxtOeVb_ha_Euygwk>
Subject: Re: [netmod] I-D Action: draft-ietf-netmod-factory-default-05.txt
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2019 06:26:57 -0000

Thanks Andy for valuable review, please see my reply inline below.
发件人: Andy Bierman [mailto:andy@yumaworks.com]
发送时间: 2019年11月2日 6:42
收件人: Kent Watsen <kent+ietf@watsen.net>
抄送: netmod@ietf.org; draft-ietf-netmod-factory-default@ietf.org
主题: Re: [netmod] I-D Action: draft-ietf-netmod-factory-default-05.txt

Hi,

I have read draft-ietf-netmod-factory-default-05 and have the following comments:

* sec 2. Specifying factory-reset content

This section uses SHALL (equivalent to MUST) to declare the implementation details for
the server to load the factory-default content.  This is not appropriate for a server implementation detail.
What hard to the Internet is caused if the server has some other way to load the factory config?
This section should be removed.

[Qin]:how about change SHALL into MAY?

point 1 is unclear what it means to derive the factory-config from the current config.
[Qin]: It means the factory-config content may be specified by <factory-default>datastore if it exists, I will make this clear in the text.
point 2 specifies a file format but there is no way to specify the file. What is the value added here?
Some servers can use an XML file (and will continue to do so, per point 3).
[Qin]: how about change the text as follows:
“
   2.  by vendors using a file in YANG Instance Data
       [I-D.ietf-netmod-yang-instance-file-format] format or some other
       format in vendor's website or other places where similar off-line
       documents are kept;
”

Why would this document specify that a dynamic datastore SHALL be empty upon reset?
This is an implementation detail or a standard detail for some future work.
[Qin]: Okay, how about just remove this restriction.

* Sec. 4: rpc factory-reset

This RPC has no NACM protections.
There should be a nacm:default-deny-all extension added to restrict access.
The client invoking the RPC MUST have permission to write all the existing config
that is being replaced with factory-reset contents.

[Qin]: Will add nacm:default-deny-all on this RPC.
There is no mention of any operational disruption caused by setting the config to factory-reset contents.
This will vary greatly depending on the implementation and current config.

What if the config includes session and client config?
This RPC can prevent any further management of the device.
That seems worth mentioning in the security considerations.

[Qin]: Good input, will document this in the security section.

Overall the draft provides useful functionality so I support its publication.


(BTW, my name is also misspelled in the draft)

[Qin]: Apologize, will fix this.

Andy






On Fri, Nov 1, 2019 at 8:22 AM Kent Watsen <kent+ietf@watsen.net<mailto:kent%2Bietf@watsen.net>> wrote:

This begins a two-week Working Group Last Call (WGLC) on draft-ietf-netmod-factory-default-05.  The WGLC ends on Nov 15 (two days before the NETMOD 106 session).  Please send your comments to the working group mailing list.

Positive comments, e.g., "I've reviewed this document and believe it is ready for publication", are welcome!  This is useful and important, even from authors.  Objections, concerns, and suggestions are also welcomed at this time.

Thank you,
NETMOD Chairs




On Nov 1, 2019, at 1:59 AM, internet-drafts@ietf.org<mailto:internet-drafts@ietf.org> wrote:


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Network Modeling WG of the IETF.

       Title          : Factory Default Setting
       Authors         : Qin Wu
                    Balazs Lengyel
                    Ye Niu
Filename        : draft-ietf-netmod-factory-default-05.txt
Pages           : 11
Date            : 2019-10-31

Abstract:
  This document defines a method to reset a server to its factory-
  default content.  The reset operation may be used e.g. during initial
  zero-touch configuration or when the existing configuration has major
  errors, so re-starting the configuration process from scratch is the
  best option.

  A new factory-reset RPC is defined.  Several methods of documenting
  the factory-default content are specified.

  Optionally a new "factory-default" read-only datastore is defined,
  that contains the data that will be copied over to the running
  datastore at reset.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-netmod-factory-default/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-netmod-factory-default-05
https://datatracker.ietf.org/doc/html/draft-ietf-netmod-factory-default-05

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-netmod-factory-default-05


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org<http://tools.ietf.org>.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
netmod mailing list
netmod@ietf.org<mailto:netmod@ietf.org>
https://www.ietf.org/mailman/listinfo/netmod

_______________________________________________
netmod mailing list
netmod@ietf.org<mailto:netmod@ietf.org>
https://www.ietf.org/mailman/listinfo/netmod