Re: [NGO] comments on CANMOD BoF
Andy Bierman <ietf@andybierman.com> Sun, 16 March 2008 19:21 UTC
Phil Shafer wrote:
> Andy Bierman writes:
>> The NETMOD WG (if there ever is one) should deal
>> with the entire problem of standardized CM, which includes
>> secure operation in a multi-user environment.
>
> With this approach, we'd still be working on the NETCONF draft. We
> need to find what we agree on, build consensus on that, publish,
> gain experience, learn, and evolve.
>
> If the plan is "all or nothing", we'll get nothing.
>

The NETCONF access control model is "all or nothing", not the
NETCONF feature development plan. That is in its 3rd phase,
and new stuff like partial-locking and yet another optional
transport (which is only needed to avoid the mandatory transport)
are given higher priority than security.

You have to design the 2nd floor of the house, even though
you start out by building the first floor. If you don't,
at best the project will be 10X more expensive than it should be,
and at worst, the house will collapse when you add the weight
the load-bearing walls on the first floor were never designed
to handle.

A standard access control model is clearly needed.
Every NETCONF implementation has its own proprietary ACM.
The requirements for standardized access control could
impact the NETMOD architecture and the DML. Ignoring
access control and bolting it on later might be a huge mistake.

So by 'all', I mean a coherent and well-planned execution strategy
to reach a complete standardized CM solution for NETCONF,
as opposed to an ad-hoc free-for-all that continues to produce
zero writable standard objects for NETCONF.

> Thanks,
> Phil
>
>

Andy