Re: [netmod] I-D Action: draft-ietf-netmod-system-mgmt-15.txt
Kent Watsen <kwatsen@juniper.net> Fri, 09 May 2014 22:57 UTC
From: Kent Watsen <kwatsen@juniper.net>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Date: Fri, 09 May 2014 22:57:25 +0000
Message-ID: <CF9004B6.6E8ED%kwatsen@juniper.net>
References: <20140429071743.11894.21006.idtracker@ietfa.amsl.com> <CF859937.6B5B6%kwatsen@juniper.net> <20140430194951.GC31986@elstar.local> <CF872BB7.6BF1B%kwatsen@juniper.net> <20140502123925.GC36168@elstar.jacobs.jacobs-university.de>
In-Reply-To: <20140502123925.GC36168@elstar.jacobs.jacobs-university.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/netmod/uf99gnTi6BPPr7n2rsFZ1NJfLlY
Cc: "netmod@ietf.org" <netmod@ietf.org>
Hi Juergen,

>> The netmod-system-management defines config for User Authentication and
>> says that it does so for SSH because that is NETCONF's mandatory to
>> implement transport. Meanwhile we have netconf-server-model, which is
>> supposed to be just about configuring the NETCONF server, and yet it has
>> user-auth config for TLS (not SSH) in it. This inconsistency is the
>> issue.
>
> I do not think this is a fair summary. Both SSH and TLS call home
> need parameters configured on the NC server side but also on the NC
> client side (e.g. the SSH user and its credentials to call home).
> Where will this stuff go?

Are you asking where NC client information is configured? As in which
YANG model it can go into? We don't define YANG models for NC clients,
so what do you mean?

FWIW, on the client side, there are two call-home preconditions:

1. The client needs a trust anchor to verify the device with. This could
   be, for instance, a vendor's well-known CA certificate that the NMS
   installed a priori. Or it could be that the NMS has the device's TLS
   server-cert or SSH host-key. Either way, how the NMS obtains this
   information is unspecified in both the 5539bis and reverse-ssh drafts.

2. The client needs to know what user credentials to use when logging
   into a device. As always, the device must be configured with a local
   user account. How the NMS knows the account information configured on
   the device is also unspecified in both the 5539bis and reverse-ssh
   drafts.

>> So, what are our options?
>>
>> 1. Go forward with current inconsistency
>>
>> 2. Only modify draft-ietf-netconf-server-model, but move TLS user-auth
>>    out of ietf-server-model into a separate model that augments
>>    ietf-system
>>
>> 3. Similar to #2, but move the ietf-system augmentation back to 5539bis
>>
>> 4. Similar to #2, but move the TLS-auth directly (no augmentation) into
>>    the ietf-system model defined in draft-ietf-netmod-system-mgmt
>>
>> 5. Move all user-auth config from draft-ietf-netmod-system-mgmt into
>>    draft-ietf-netconf-server-model
>>
>> 6. Move all user-auth config from both draft-ietf-netmod-system-mgmt
>>    and draft-ietf-netconf-server-model into yet another draft (for
>>    instance, draft-ietf-netmod-user-auth?)
>>
>> 7. Anything else?
>
> As NETMOD WG co-chair, I want to publish draft-ietf-netmod-system-mgmt.
> Building "perfect" modules means we will never finish. Once again,
> modules can be revised and augmented if needed.

So I take it you're ok with options 1, 2, or 3. Andy said 2 was OK and no
one else responded. I think that 2 is better than 1 and tied with 3. So
it looks like 2 has the lead, as weak as it is.

Thanks,
Kent
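The two client-side call-home preconditions above (a pre-installed trust anchor to verify the calling device, and knowledge of which local account to log in with) can be modelled as an NMS admission check. This is an added illustration, not code from any IETF draft or implementation; the DeviceRecord inventory, the fingerprint-pinning form of the trust anchor, and the sample keys are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed NMS-side state for NETCONF call home (SSH or TLS). The NMS is the
# client: it must verify the device against an anchor installed a priori and
# must already know the local account the device was configured with.
# All names and sample data below are assumptions for this example.

@dataclass(frozen=True)
class DeviceRecord:
    device_id: str
    anchor_fingerprint: str   # SHA-256 of the device's host key or server cert
    username: str             # local account configured on the device
    credential_ref: str       # handle into secret storage, never the secret


def fingerprint(identity_blob: bytes) -> str:
    """SHA-256 hex over the raw host-key or certificate bytes presented."""
    return hashlib.sha256(identity_blob).hexdigest()


def admit_call_home(claimed_id: str, identity_blob: bytes, inventory: dict) -> tuple:
    """Decide whether the NMS may proceed to authenticate to a calling device.

    Returns (decision, detail). Only a device whose presented identity matches
    the anchor pre-installed for the id it claims is admitted; an unknown key is
    rejected rather than trusted on first use, and a known key arriving under a
    different device id is reported as a mismatch so an operator can look at it.
    """
    fp = fingerprint(identity_blob)
    rec = inventory.get(claimed_id)
    if rec is None:
        return ("reject", "no trust anchor for claimed device %s" % claimed_id)
    if rec.anchor_fingerprint != fp:
        owner = next((d for d, r in inventory.items()
                      if r.anchor_fingerprint == fp), None)
        if owner:
            return ("reject", "key belongs to %s, not %s" % (owner, claimed_id))
        return ("reject", "presented identity does not match anchor")
    # Precondition 2: hand back the account to use; the secret stays in storage.
    return ("accept", (rec.username, rec.credential_ref))


# Constructed sample inventory; the byte strings stand in for real host keys.
KEY_A = b"ssh-ed25519 AAAA-example-key-of-router-a"
KEY_B = b"ssh-ed25519 AAAA-example-key-of-router-b"
INVENTORY = {
    "router-a": DeviceRecord("router-a", fingerprint(KEY_A), "nms", "vault:router-a"),
    "router-b": DeviceRecord("router-b", fingerprint(KEY_B), "nms", "vault:router-b"),
}
```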