IETF Logo Mail Archive

Re: [netmod] Must offline-validation of <running> alone be valid?

Andy Bierman <andy@yumaworks.com> Tue, 14 December 2021 01:48 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FEBF3A0D4E for <netmod@ietfa.amsl.com>; Mon, 13 Dec 2021 17:48:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Level:
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5K70BGL-Q9yq for <netmod@ietfa.amsl.com>; Mon, 13 Dec 2021 17:48:10 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBF5A3A0D4C for <netmod@ietf.org>; Mon, 13 Dec 2021 17:48:09 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id 207so26207128ljf.10 for <netmod@ietf.org>; Mon, 13 Dec 2021 17:48:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dL24dl/E+vt5HINRyr7aKtyelcrpTNTJYifovaVgYQA=; b=4M/dSfcrZDHT+5RzjpheZn+06mgI6BrpMdziDuVr1jooG40yzdoRVOHjQgK/reakQ4 wi2d0UiE3NMO9ldOj1Dp4pPKyiU54NZQcFrVfaCFJLTrmAcHq8npPpfaowMXcTqF/QWE GclEQMnSQSTT/sdDLSbivGc3j604NYkGEZFXz/G+EpqrH+ZszEuU93ih+1zGVb250ZJf j96hoHwuB7euWsrdWuvy6qW7KhzR54PPEfzboMJMo/Gfs0ad9AsJpzhT1CdLilO6Ty7B MqSg4vYqkU+Buhj0YSJ2QKE6m1o7pbR8210V2hv5fD7zgZOyrMrHlQWcgOUhJD7OLBII GmDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dL24dl/E+vt5HINRyr7aKtyelcrpTNTJYifovaVgYQA=; b=el4d+ik82d8PQfDtdM4iBUo2NE5L8G0KQJvEABaI1jTatLyBFnvp4wHSSuIUFt1e3A 9c1lJAUJ8i83DL/DJT47wTSXyy7YnmlvEKi0gBhfdRdI3eWVz4AaEZbpk90jFx4le+OL DJwttRrq6KPXfGRnXnGjZj175rjy2y1Zyjqq6rbKIksoyRQyqfAOxvHH/IdSpmPJkIUE TkNGHch96M1TXeEyqNcodwZ/xEHxG3H1ivHWvLgVM9gUrr9EeWSjzThBxWaL1QkPYnbO 7BcAwzgOMN4E68Fja8q9/G2RgEiHhwIjNUhEVC5bp+N0TY5RJMF9VgQ/vIFRoFfE9841 gHMA==
X-Gm-Message-State: AOAM532IW6IHPPxwPLHEwPLa/lcPTZfouRaAXTyjOEUd9i6/BYQ61AM5 JOSOiqz4EPRkRKWNecFcbxWrCfDvGU2spndizkSzyg==
X-Google-Smtp-Source: ABdhPJxYGSc9p11m/FrVEqnnnAcjgtxRhoCz1w7ZnLG/GhOZU7EocgxiVt0XW0zSzk3MHcE6cNFrvK3E/O0WRHP2gBM=
X-Received: by 2002:a2e:3012:: with SMTP id w18mr2018901ljw.344.1639446487159; Mon, 13 Dec 2021 17:48:07 -0800 (PST)
MIME-Version: 1.0
References: <0df9454875b54804b42ec2f5cc6b151f@huawei.com> <D198DDBF-BC97-4E4C-8B62-470880287A06@tail-f.com> <VI1PR07MB550191DA7C787DD4E344989791609@VI1PR07MB5501.eurprd07.prod.outlook.com> <7511E143-A08F-4089-89CB-17F74C2E9CCE@tail-f.com> <0100017d6dbe6f00-1f424f2e-1faa-433b-bd36-a2b299a3764d-000000@email.amazonses.com> <DD4B9BD4-464D-4D92-AF45-4474185C3D28@tail-f.com> <20211203102610.6zntrwbemnyxxjnr@anna> <CABCOCHTXpcQEH+vSvJfaAJ4o3bzSz5N==8rWrciUh60qbFF_1w@mail.gmail.com> <DM6PR08MB50844DB8F2F7D2D11A6CB0879B6F9@DM6PR08MB5084.namprd08.prod.outlook.com> <CABCOCHQenqXZKMyXc65BHV62z5tJMKF-DzFSiLK=5Dk1ardxtw@mail.gmail.com> <0100017db69159e5-16596fab-ac8f-48b9-8e81-ad5db2e749bf-000000@email.amazonses.com>
In-Reply-To: <0100017db69159e5-16596fab-ac8f-48b9-8e81-ad5db2e749bf-000000@email.amazonses.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Mon, 13 Dec 2021 17:47:56 -0800
Message-ID: <CABCOCHSRNVABWMtE=c4dR-1qUBmt8uMejN3JoE-0=ghWBZkBCQ@mail.gmail.com>
To: Kent Watsen <kent@watsen.net>
Cc: "Sterne, Jason (Nokia - CA/Ottawa)" <jason.sterne@nokia.com>, "maqiufang (A)" <maqiufang1=40huawei.com@dmarc.ietf.org>, "netmod@ietf.org" <netmod@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007ee9e005d3116162"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/ysXvq-iVJQLTfzVtT5PtCE3TQ5E>
Subject: Re: [netmod] Must offline-validation of <running> alone be valid?
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Dec 2021 01:48:15 -0000

On Mon, Dec 13, 2021 at 5:31 PM Kent Watsen <kent@watsen.net> wrote:

>
>
> On Dec 8, 2021, at 5:50 PM, Andy Bierman <andy@yumaworks.com> wrote:
>
> Andy - about use cases.  Here is a problem we're trying to address:
>>
>>
>>
>> There are at least several major router implementations that have this
>> concept of "hidden config" (i.e. list entries that can be referenced in a
>> leafref by explicit user config, but those list entries are not returned in
>> a <get-config>).
>>
>
> Clearly not in compliance with RFC 7950.
>
>
> Andy, can you please point to the part in RFC 7950 that says offline
> validation must be supported?   I believe that this "common understanding”
> actually lacks a basis, and an equally-valid interoperation is that the
> <running> must be valid *on the server* vis-a-vis it actually validating
> <intended>.
>
>
I think sec. 6.4 and sec. 8 are clear enough how validation of the
<running> datastore is done.
Leafrefs in <running> are not allowed to point to a node outside of
<running>.

Andy


>
> IMO the "enable flag" approach to the general problem, presented by Kent a
> couple years ago,
> is a much simpler and better solution than a new <system> datastore.
> The full set of nodes is in <running>.
> A generalized "enable" mechanism causes the resource to be used or not,
> where it shows up in <intended> and <operational> if enabled=true.
>
> IMO this fits the original intent of NMDA and does so in a way that
> requires
> the least disruption to current compliant implementations.
>
>
> You have the memory of an elephant  ;)
>
> That I-D (conditional-enablement [1]) was mostly about how to support
> JUNOS’s “inactive” annotation.  I replaced the negative “inactive” with
> positive “enabled” for readability.  That draft also shined a light on how
> the “enabled” annotation could be used in firewall pollination for, e.g.,
> 9am-5pm ACL rules.
>
> I guess I’m unclear about the relation to the system-defined config - can
> you say some more?
>
> [1]
> https://datatracker.ietf.org/doc/html/draft-kwatsen-conditional-enablement-00
>
>
> K.
>
>
>
>

v2.23.0 | Report a Bug | By Email