Re: [secdir] review of draft-ietf-netconf-nmda-restconf-04

Mahesh Jethanandani <> Thu, 26 July 2018 22:08 UTC

Cc: Daniel Harkins <>, Kent Watsen <>, The IESG <>, "" <>, "" <>, Russ Housley <>
To: Juergen Schoenwaelder <>

[Adding Russ Housley]

> On Jul 16, 2018, at 3:42 AM, Juergen Schoenwaelder <> wrote:
> On Mon, Jul 09, 2018 at 05:48:53PM -0700, Mahesh Jethanandani wrote:
>> There have been a few comments that have been made to the version of the draft that has been submitted to IESG. While we wait for other comments to be provided, and direction of when an update should be provided, who amongst the authors is updating GitHub with these changes? 
>> I am concerned we might lose track of the changes that need to be made.
>> Here are the changes that I am aware of for nmda-restconf. I can compile a similar list for nmda-netconf if needed.
> Having a list of outstanding edits for nmda-netconf would be nice as well
> so we can make the edits on github.

Let me compile a list of edits that are applicable for nmda-netconf.

>> Kent’s comment on nmda-restconf operations (thread <> from today).
> Given that lock and unlock require session semantics, I think the
> resolution should be to add.
>   A RESTCONF server supporting NMDA datastores MAY implement the
>   "ietf-netconf-nmda" [I-D. ietf-netconf-nmda-netconf] module to
>   enable the NETCONF operations defined in this draft to appear
>   under the {+restconf}/operations resource.
> But then, what is the value of this? You do not need get-data and
> edit-data with RESTCONF since you can send GET/POST/PATCH straight to
> the datastore resources. I guess I am still unclear which problem we
> are trying to solve by adding this (or a similar) statement.

I am responding to the last sentence that was made on that thread, where Kent asked the question.

> So, adding something like this to nmda-restconf would be good?

It likely does not hurt to be clear that this option of using NETCONF
operations in RESTCONF exists.
If you and the authors now believe that the clarification is not needed, then please state so.

>> Dan’s comment on this thread (also from today, but is not on netconf mailing list)
> Not sure which one you mean.

I mean all the OLD and NEW suggestions from Kent. Basically replace “optional to support” with RFC 2119 use of MAY.

>> Russ’s Genart review (thread <> from June 28)
> Not sure what the resolution is, removing the example text or trying
> to better explain that this is example text.

I believe either of the options would be ok with Russ. I have added him to confirm.

>> Rohit’s change-2 comments provided for nmda-netconf, that are applicable for nmda-restconf (thread <> from June 1)
> The inclusion of an example showing the usage of
> negated-origin-filter? This was an nmda netconf command. We do not
> seem to have an origin filter in nmda restconf, this is an nmda
> netconf only feature?

Again, I am responding to the last comment that Robert made on the follow-up e-mail where he proposed changes for NETCONF and said:

Similar updates will need to also be done to RESTCONF, but let's agree the NETCONF text first.

Maybe he can clarify what he had in mind for RESTCONF.


>> Anything else that I am missing?
> Not that I recall.
> /js
> -- 
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <>

Mahesh Jethanandani