
From root@core3.amsl.com  Tue Feb  2 06:45:02 2010
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Date: Tue,  2 Feb 2010 06:45:02 -0800 (PST)
Cc: netconf@ietf.org
Subject: [Netconf] I-D Action:draft-ietf-netconf-monitoring-11.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Network Configuration Working Group of the IETF.


	Title           : YANG Module for NETCONF Monitoring
	Author(s)       : M. Scott, M. Bjorklund
	Filename        : draft-ietf-netconf-monitoring-11.txt
	Pages           : 38
	Date            : 2010-02-02

This document defines a NETCONF data model to be used to monitor the
NETCONF protocol.  The monitoring data model includes information
about NETCONF datastores, sessions, locks and statistics.  This data
facilitates the management of a NETCONF server.  This document also
defines methods for NETCONF clients to discover data models supported
by a NETCONF server and defines a new NETCONF <get-schema> operation
to retrieve them.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-netconf-monitoring-11.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From andyb@iwl.com  Wed Feb  3 11:03:07 2010
Date: Wed, 03 Feb 2010 10:58:16 -0800
From: Andy Bierman <andyb@iwl.com>
Organization: Interworking Labs, Inc.
To: NETCONF <netconf@ietf.org>
Subject: [Netconf] netconf-monitoring revision

Hi,

The revision date and the namespace URI are the same in draft-10 and draft-11.
Please remember to update these fields each time the draft is published.


thanks,
Andy

From mehmet.ersue@nsn.com  Thu Feb  4 02:55:53 2010
Date: Thu, 4 Feb 2010 11:56:30 +0100
From: "Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com>
To: <netconf@ietf.org>
Subject: [Netconf] NETCONF Monitoring Going to AD Review WAS:FW: I-D Action:draft-ietf-netconf-monitoring-11.txt

Dear NETCONF WG,

we think the new version of the Monitoring draft Mark
submitted solves the remaining issues raised on the maillist.
We got also positive feedback for this version from key
players in the WG.

After having several WGLCs and sufficient discussion on
the Monitoring draft the co-chairs think now that version-11
of the NETCONF Monitoring draft is ready to go to AD review.

If there are no strong and valid objections by February 12,
2010 we are going to start the necessary IETF process to
publish this WG item as Proposed Standard.

Mehmet




From root@core3.amsl.com  Thu Feb  4 05:15:02 2010
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Date: Thu,  4 Feb 2010 05:15:02 -0800 (PST)
Cc: netconf@ietf.org
Subject: [Netconf] I-D Action:draft-ietf-netconf-4741bis-02.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Network Configuration Working Group of the IETF.


	Title           : Network Configuration Protocol (NETCONF)
	Author(s)       : R. Enns, et al.
	Filename        : draft-ietf-netconf-4741bis-02.txt
	Pages           : 111
	Date            : 2010-02-04

The Network Configuration Protocol (NETCONF) defined in this document
provides mechanisms to install, manipulate, and delete the
configuration of network devices.  It uses an Extensible Markup
Language (XML)-based data encoding for the configuration data as well
as the protocol messages.  The NETCONF protocol operations are
realized as Remote Procedure Calls (RPC).

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-netconf-4741bis-02.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From bertietf@bwijnen.net  Thu Feb  4 14:06:59 2010
From: "Bert Wijnen \(IETF\)" <bertietf@bwijnen.net>
To: <netconf@ietf.org>
Date: Thu, 4 Feb 2010 23:07:23 +0100
Organization: Consultant
Subject: [Netconf] PLEASE review: draft-ietf-netconf-4741bis-02.txt

Dear WG participants,

Could you PLEASE review and comment on this new draft.
We can only make progress if we all stay (get) involved and do the
reviews when a new revision comes out. There are also a set of open
issues remaining I believe. Could the authors/editors please
post them one by one and describe

- the issue
- a possible solution
- pros/cons

And then WG participants, PLEASE do react with your views/comments

Bert and Mehmet


From mrw@sandstorm.net  Thu Feb  4 14:08:44 2010
From: Margaret Wasserman <mrw@sandstorm.net>
To: Netconf <netconf@ietf.org>
Date: Thu, 4 Feb 2010 17:09:28 -0500
Subject: Re: [Netconf] [Fwd: I-D Action:draft-ietf-netconf-rfc4742bis-00.txt]

Hi All,

As the editor of this document, I am not aware of _any_ comments  
(positive or negative) on the latest version.

Has anyone reviewed the updates?  Any thoughts, good or bad?  If you  
have any comments, please send them to the list within the next week,  
so that there will be time to update the document again before the  
meeting in Anaheim.

Chairs, if no one has any review comments on this document, perhaps it  
is ready for WG Last Call?

Margaret


On Jan 8, 2010, at 3:27 AM, Bert (IETF) Wijnen wrote:

> WG participants,
>
> pls review and comment on this initial version. Sooner is better  
> than later.
>
> We as WG chairs will work with Dan to update our milestones as
> agreed at the last ietf (and confirmed on the mlist).
>
> Bert
>
> -------- Original Message --------
> Subject: 	[Netconf] I-D Action:draft-ietf-netconf-rfc4742bis-00.txt
> Date: 	Thu, 7 Jan 2010 16:45:01 -0800 (PST)
> From: 	Internet-Drafts@ietf.org
> To: 	i-d-announce@ietf.org
> CC: 	netconf@ietf.org
>
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts  
> directories.
> This draft is a work item of the Network Configuration Working Group  
> of the IETF.
>
>
> 	Title           : Using the NETCONF Configuration Protocol over  
> Secure Shell (SSH)
> 	Author(s)       : M. Wasserman, T. Goddard
> 	Filename        : draft-ietf-netconf-rfc4742bis-00.txt
> 	Pages           : 10
> 	Date            : 2009-12-28
>
> This document describes a method for invoking and running the NETCONF
> protocol within a Secure Shell (SSH) session as an SSH subsystem.
>
> Status of this Memo
>
> This Internet-Draft is submitted to IETF in full conformance with the
> provisions of BCP 78 and BCP 79.
>
> Internet-Drafts are working documents of the Internet Engineering
> Task Force (IETF), its areas, and its working groups.  Note that
> other groups may also distribute working documents as Internet-
> Drafts.
>
> Internet-Drafts are draft documents valid for a maximum of six months
> and may be updated, replaced, or obsoleted by other documents at any
> time.  It is inappropriate to use Internet-Drafts as reference
> material or to cite them other than as "work in progress."
>
> The list of current Internet-Drafts can be accessed at
> http://www.ietf.org/ietf/1id-abstracts.txt.
>
> The list of Internet-Draft Shadow Directories can be accessed at
> http://www.ietf.org/shadow.html.
>
> This Internet-Draft will expire on July 1, 2010.
>
> Copyright Notice
>
> Copyright (c) 2009 IETF Trust and the persons identified as the
> document authors.  All rights reserved.
>
> This document is subject to BCP 78 and the IETF Trust's Legal
> Provisions Relating to IETF Documents
> (http://trustee.ietf.org/license-info) in effect on the date of
> publication of this document.  Please review these documents
> carefully, as they describe your rights and restrictions with respect
> to this document.  Code Components extracted from this document must
> include Simplified BSD License text as described in Section 4.e of
> the Trust Legal Provisions and are provided without warranty as
> described in the BSD License.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-netconf-rfc4742bis-00.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/


From mark.scott@ericsson.com  Wed Feb 10 13:07:15 2010
From: Mark Scott <mark.scott@ericsson.com>
To: "andyb@iwl.com" <andyb@iwl.com>, NETCONF <netconf@ietf.org>
Date: Wed, 10 Feb 2010 16:08:23 -0500
Subject: Re: [Netconf] netconf-monitoring revision

I will update these after the WGLC completes (this Friday) and before the AD review.

Mark


From andyb@iwl.com  Wed Feb 10 14:03:41 2010
Message-ID: <4B732D5B.9020700@iwl.com>
Date: Wed, 10 Feb 2010 14:04:11 -0800
From: Andy Bierman <andyb@iwl.com>
Organization: Interworking Labs, Inc.
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Mark Scott <mark.scott@ericsson.com>
References: <4B69C748.20001@iwl.com> <75C89D709A9670428520E1CF8DD1344F1F61E31FB3@EUSAACMS0714.eamcs.ericsson.se>
In-Reply-To: <75C89D709A9670428520E1CF8DD1344F1F61E31FB3@EUSAACMS0714.eamcs.ericsson.se>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] netconf-monitoring revision
Reply-To: andyb@iwl.com
X-List-Received-Date: Wed, 10 Feb 2010 22:03:41 -0000

Mark Scott wrote:
> I will update these after the WGLC completes (this Friday) and before the AD review.
> 

OK.

I guess there was no interest in adding a capabilities-last-change-time
object at this time.  SNMP experience has shown that these timestamps
are useful to client applications that poll the server to maintain a current
view of potentially large monitoring tables.

IMO, this is a practical, low-cost partial solution to the
'dynamic capabilities' problem.


> Mark

Andy

> 
> -----Original Message-----
> From: netconf-bounces@ietf.org [mailto:netconf-bounces@ietf.org] On Behalf Of Andy Bierman
> Sent: February-03-10 1:58 PM
> To: NETCONF
> Subject: [Netconf] netconf-monitoring revision
> 
> Hi,
> 
> The revision date and the namespace URI are the same in draft-10 and draft-11.
> Please remember to update these fields each time the draft is published.
> 
> 
> thanks,
> Andy
> 


From andyb@iwl.com  Fri Feb 12 15:32:29 2010
Message-ID: <4B75E55C.1080906@iwl.com>
Date: Fri, 12 Feb 2010 15:33:48 -0800
From: Andy Bierman <andyb@iwl.com>
Organization: Interworking Labs, Inc.
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: NETCONF <netconf@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [Netconf] 4741bis: boot without loading running  from startup
Reply-To: andyb@iwl.com
X-List-Received-Date: Fri, 12 Feb 2010 23:32:29 -0000

Hi,

This may just be an implementation detail, but maybe not...

If a server allows the operator to skip the load NV-stored config
step, and therefore force the running config to contain factory default
settings, and if the :startup capability is not advertised...
then when is the server required to keep the NV-storage in synch
with the running config?

IMO, the server should wait until the operator actually
changes the running config before saving the NV-store version
in this case.

There is 1 relevant sentence in 4741bis, 8.7.1:

   Operations that affect the running configuration will not
   be automatically copied to the startup configuration.

This says that without :startup, the server will automatically
copy to NV-storage *when* an operation that affects the running
config is invoked.



Andy

From andyb@iwl.com  Fri Feb 12 18:20:31 2010
Message-ID: <4B760CBD.1050906@iwl.com>
Date: Fri, 12 Feb 2010 18:21:49 -0800
From: Andy Bierman <andyb@iwl.com>
Organization: Interworking Labs, Inc.
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: NETCONF <netconf@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [Netconf] NETCONF replace operation
Reply-To: andyb@iwl.com
X-List-Received-Date: Sat, 13 Feb 2010 02:20:31 -0000

Hi,

I am trying to understand how all the NETCONF operations
behave in the presence of an access control model,
and I don't think copy-config and nc:operation="replace"
do the right thing, according to the current text.

Consider an operation like backup and restore:

1)
  $backup = get-config(source=running)

2)
  copy-config(source=$backup, target=running)

OR
  edit-config(source=$backup, target=running, default-operation=replace)


One would think this is a 'NO-OP' operation, but what
if $backup contains config data that the user is not authorized
to view?   The ACM will silently skip such child nodes
when generating the get-config reply.

When the same user replaces the entire config,
it is not the same as the original.  According
to rules for replace and copy-config, nodes
missing in source will be deleted in target.

Since this user is not authorized to delete the nodes
it wasn't allowed to view, the copy-config and replace
operation should fail with an access-denied error.

Is this a feature, a bug, or vendor-specific?
IMO, it is not clear that default-operation
can ever be 'replace' unless the user has access
to the entire database.

It is not clear that copy-config should be so fragile either.

It is also a security hole to require non-authorized users
to know the exact database nodes they are not authorized to
know about.

(Oh no! Is he trying to get us to discuss access control
requirements on the mailing list?! :-)


Andy


From johan.rydberg@edgeware.tv  Sat Feb 13 00:29:39 2010
Message-ID: <4B766341.2080209@edgeware.tv>
Date: Sat, 13 Feb 2010 09:30:57 +0100
From: Johan Rydberg <johan.rydberg@edgeware.tv>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
To: andyb@iwl.com
References: <4B760CBD.1050906@iwl.com>
In-Reply-To: <4B760CBD.1050906@iwl.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
X-List-Received-Date: Sat, 13 Feb 2010 08:29:39 -0000

On 2/13/10 3:21 AM, Andy Bierman wrote:
> When the same user replaces the entire config,
> it is not the same as the original.  According
> to rules for replace and copy-config, nodes
> missing in source will be deleted in target.
>    
I can't say what's right or wrong, just tell you how we do it;

Our implementation starts out with doing a copy of the source
dataset.  It then copies the nodes from the target dataset to the
intermediate dataset that the session has no access to read.

We only have access-control on top-level containers.



From andyb@iwl.com  Sat Feb 13 04:03:05 2010
Message-ID: <4B76954D.6030602@iwl.com>
Date: Sat, 13 Feb 2010 04:04:29 -0800
From: Andy Bierman <andyb@iwl.com>
Organization: Interworking Labs, Inc.
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Johan Rydberg <johan.rydberg@edgeware.tv>
References: <4B760CBD.1050906@iwl.com> <4B766341.2080209@edgeware.tv>
In-Reply-To: <4B766341.2080209@edgeware.tv>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
Reply-To: andyb@iwl.com
X-List-Received-Date: Sat, 13 Feb 2010 12:03:05 -0000

Johan Rydberg wrote:
> On 2/13/10 3:21 AM, Andy Bierman wrote:
>> When the same user replaces the entire config,
>> it is not the same as the original.  According
>> to rules for replace and copy-config, nodes
>> missing in source will be deleted in target.
>>    
> I can't say what's right or wrong, just tell you how we do it;
> 
> Our implementation starts out with doing a copy of the source
> dataset.  It then copies the nodes from the target dataset to the
> intermediate dataset that the session has no access to read.
> 

Agreed.

But this is clearly in violation of the standard.
In a replace operation, any nodes deleted from the source
are supposed to be deleted from the target.
This is not how any real systems actually work,
just how the standard is written.

> We only have access-control on top-level containers.
> 

This isn't very robust.
IMO, the standard needs an ACM which
will allow any node (and all its descendants)
to be isolated.

However, the write access needs to work the same
way as read access for 'wildcard' or 'implied' access.
When I ask for access to /foo/*, I am implicitly
asking for only the child nodes of /foo I am authorized to use,
so child node expansion is post-access-control.



Andy
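
Added example (not part of the original messages, and not the code of any implementation mentioned in the thread): a toy Python model of the backup/restore case discussed above, with access control on top-level containers only. It contrasts replace as the text is read in the thread (nodes missing from the source are deleted, so the restore is denied) with the merge-back approach Johan describes. The datastore contents, user names, permission table and function names are all constructed for illustration, and read and write permission are assumed to coincide.

```python
import copy


class AccessDenied(Exception):
    """Stands in for the NETCONF access-denied error."""


# Constructed sample running configuration (top-level containers only).
RUNNING = {
    "interfaces": {"eth0": {"mtu": 1500}},
    "system": {"hostname": "r1"},
    "aaa": {"users": {"admin": {"role": "root"}}},
}

# Constructed access-control table: containers each user may read and write.
ACL = {
    "operator": {"interfaces", "system"},
    "root": {"interfaces", "system", "aaa"},
}


def get_config(datastore, user):
    """Return the subtrees the user may read; the rest are silently skipped."""
    return {name: copy.deepcopy(sub)
            for name, sub in datastore.items() if name in ACL[user]}


def strict_replace(datastore, source, user):
    """Replace as read in the thread: a node missing from source is deleted.

    Every write and every implied delete is access-checked, so a user who
    cannot see a container cannot restore a backup taken by the same user.
    The error carries no node name, so it does not reveal what was hidden.
    """
    allowed = ACL[user]
    implied_deletes = set(datastore) - set(source)
    if any(name not in allowed for name in implied_deletes | set(source)):
        raise AccessDenied("access-denied")
    return copy.deepcopy(source)


def scoped_replace(datastore, source, user):
    """Merge-back approach described by Johan.

    Start from a copy of the source, then copy in from the target every
    container the session cannot read, so the replace only affects the
    authorized subset of the datastore.
    """
    allowed = ACL[user]
    if any(name not in allowed for name in source):
        raise AccessDenied("access-denied")
    result = copy.deepcopy(source)
    for name, sub in datastore.items():
        if name not in allowed:
            result[name] = copy.deepcopy(sub)
    return result


def restore_outcomes(user):
    """Run backup then restore for one user under both interpretations."""
    backup = get_config(RUNNING, user)
    try:
        strict = strict_replace(RUNNING, backup, user) == RUNNING
    except AccessDenied:
        strict = "access-denied"
    scoped = scoped_replace(RUNNING, backup, user) == RUNNING
    return {"strict": strict, "scoped": scoped}


if __name__ == "__main__":
    for who in ("operator", "root"):
        print(who, restore_outcomes(who))
```

For the fully authorized user both functions are a no-op; for the restricted user only the merge-back version is, which is the "authorized subset" behaviour argued for in the thread.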

From andyb@iwl.com  Mon Feb 15 08:46:12 2010
Message-ID: <4B797AC0.4000707@iwl.com>
Date: Mon, 15 Feb 2010 08:48:00 -0800
From: Andy Bierman <andyb@iwl.com>
Organization: Interworking Labs, Inc.
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: NETCONF <netconf@ietf.org>, NETMOD Working Group <netmod@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [Netconf] create and delete operations on default values
Reply-To: andyb@iwl.com
X-List-Received-Date: Mon, 15 Feb 2010 16:46:12 -0000

Hi,

I understand that the NETMOD WG thinks it is important
to treat leafs with the YANG default value as if they
MUST NOT exist.  IMO, this should be a vendor choice,
but oh well.

I think the 4741bis draft needs to explain how the
create and delete operations are applied to leafs
containing the schema default value.


   leaf foo {
      type int32;
      default 42;
   }

It is not clear to me when a create operation
on the /foo leaf is expected to succeed and when
it is expected to fail with a 'data-exists' error.

   - will it succeed if the server set this to 42?
     we know it will fail if a client already set it to 42.

What about the same question for a delete operation?
Does the server choose based on its 'basic' mode
of the with-defaults capability?  What if this
capability is not supported?  What if the behavior
is not the same for every object in the database?

If I have a module that was defined in SMIv2, XSD, RNG, or
some other DML, then it seems I cannot reliably convert
a default in that data model to YANG default-stmt.
It seems advertising the YANG version instead of the XSD
version will have an impact on NETCONF protocol operations.


Andy



From wjhns1@hardakers.net  Tue Feb 16 10:56:16 2010
From: Wes Hardaker <wjhns1@hardakers.net>
To: andyb@iwl.com
Organization: Sparta
References: <4B760CBD.1050906@iwl.com>
Date: Tue, 16 Feb 2010 10:57:49 -0800
In-Reply-To: <4B760CBD.1050906@iwl.com> (Andy Bierman's message of "Fri, 12 Feb 2010 18:21:49 -0800")
Message-ID: <sdtythknyq.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.22 (linux, no MULE)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
X-List-Received-Date: Tue, 16 Feb 2010 18:56:16 -0000

>>>>> On Fri, 12 Feb 2010 18:21:49 -0800, Andy Bierman <andyb@iwl.com> said:

AB> It is not clear that copy-config should be so fragile either.

AB> It is also a security hole to require non-authorized users
AB> to know the exact database nodes they are not authorized to
AB> know about.

For a long time I've tried to describe the problems associated with
combining large bulk operations (copy-config) and small ones
(edit-config) when combined with things like access control and
locking.  Thanks for finding another example problem!

-- 
Wes Hardaker
Cobham Analytic Solutions

From andyb@iwl.com  Tue Feb 16 11:07:16 2010
Message-ID: <4B7AED56.5030000@iwl.com>
Date: Tue, 16 Feb 2010 11:09:10 -0800
From: Andy Bierman <andyb@iwl.com>
Organization: Interworking Labs, Inc.
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Wes Hardaker <wjhns1@hardakers.net>
References: <4B760CBD.1050906@iwl.com> <sdtythknyq.fsf@wjh.hardakers.net>
In-Reply-To: <sdtythknyq.fsf@wjh.hardakers.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
Reply-To: andyb@iwl.com
X-List-Received-Date: Tue, 16 Feb 2010 19:07:16 -0000

Wes Hardaker wrote:
>>>>>> On Fri, 12 Feb 2010 18:21:49 -0800, Andy Bierman <andyb@iwl.com> said:
> 
> AB> It is not clear that copy-config should be so fragile either.
> 
> AB> It is also a security hole to require non-authorized users
> AB> to know the exact database nodes they are not authorized to
> AB> know about.
> 
> For a long time I've tried to describe the problems associated with
> combining large bulk operations (copy-config) and small ones
> (edit-config) when combined with things like access control and
> locking.  Thanks for finding another example problem!
> 

I am starting to think that there are some
corner cases where you need a 'root' class of
user with access to everything.  I think the
current NETCONF behavior could be considered OK if this
more restrictive POV was taken.

IMO, the Apache 'virtual host' kind of approach is better,
in order to let the user pretend that a
copy-config or commit is affecting the entire database,
when it is actually just the authorized subset.

BTW, if the NETCONF WG ever starts an access control
model, you might be obliged to help document these
problems! ;-)


Andy

From wjhns1@hardakers.net  Tue Feb 16 15:00:50 2010
From: Wes Hardaker <wjhns1@hardakers.net>
To: andyb@iwl.com
Organization: Sparta
References: <4B760CBD.1050906@iwl.com> <sdtythknyq.fsf@wjh.hardakers.net> <4B7AED56.5030000@iwl.com>
Date: Tue, 16 Feb 2010 15:02:24 -0800
In-Reply-To: <4B7AED56.5030000@iwl.com> (Andy Bierman's message of "Tue, 16 Feb 2010 11:09:10 -0800")
Message-ID: <sdocjokcn3.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.22 (linux, no MULE)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
X-List-Received-Date: Tue, 16 Feb 2010 23:00:50 -0000

>>>>> On Tue, 16 Feb 2010 11:09:10 -0800, Andy Bierman <andyb@iwl.com> said:

AB> I am starting to think that there are some
AB> corner cases where you need a 'root' class of
AB> user with access to everything.  I think the
AB> current NETCONF behavior could be considered OK if this
AB> more restrictive POV was taken.

The other thing I've been saying for a long time both inside and outside
the IETF: "netconf is a great looking protocol, but it's designed for
all-or-nothing access".  IE, it works great if everyone is root.
-- 
Wes Hardaker
Cobham Analytic Solutions

From andyb@iwl.com  Tue Feb 16 15:41:38 2010
Message-ID: <4B7B2DAC.6000305@iwl.com>
Date: Tue, 16 Feb 2010 15:43:40 -0800
From: Andy Bierman <andyb@iwl.com>
Organization: Interworking Labs, Inc.
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Wes Hardaker <wjhns1@hardakers.net>
References: <4B760CBD.1050906@iwl.com> <sdtythknyq.fsf@wjh.hardakers.net>	<4B7AED56.5030000@iwl.com> <sdocjokcn3.fsf@wjh.hardakers.net>
In-Reply-To: <sdocjokcn3.fsf@wjh.hardakers.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
Reply-To: andyb@iwl.com
X-List-Received-Date: Tue, 16 Feb 2010 23:41:38 -0000

Wes Hardaker wrote:
>>>>>> On Tue, 16 Feb 2010 11:09:10 -0800, Andy Bierman <andyb@iwl.com> said:
> 
> AB> I am starting to think that there are some
> AB> corner cases where you need a 'root' class of
> AB> user with access to everything.  I think the
> AB> current NETCONF behavior could be considered OK if this
> AB> more restrictive POV was taken.
> 
> The other thing I've been saying for a long time both inside and outside
> the IETF: "netconf is a great looking protocol, but it's designed for
> all-or-nothing access".  IE, it works great if everyone is root.

It is designed so that access control is proprietary
until it is standardized in the future.  Every development cycle,
I (and others) suggest we work on standard access control.
But 5 times in a row, the WG has decided that other things should be
standardized first.



Andy

From mehmet.ersue@nsn.com  Thu Feb 18 01:28:41 2010
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 18 Feb 2010 10:30:14 +0100
Message-ID: <80A0822C5E9A4440A5117C2F4CD36A644D715F@DEMUEXC006.nsn-intra.net>
From: "Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com>
To: <netconf@ietf.org>
Subject: [Netconf] Access Control discussion in Anaheim WAS:RE: NETCONF replace operation

Hi Andy and Wes,

Thanks for bringing up (again) the issues of access control.

We as WG-chairs believe that the best way forward is to have an initial
draft that describes some of the things/problems you talk about. Sort of a
"problem statement" if you like. It would also be good if the draft hints
at some direction and/or possible solutions.

Then, if you could prepare some slides for the next IETF meeting, that
would allow us to hopefully have a fruitful discussion.

It is not that we do not want access control on our charter. It is just
that we would like to have some understanding of how we can tackle it,
so that we can try to estimate:
- what we must/can deliver
- when we can deliver it
- what is in and what is out of scope.

Without some people putting in an initial effort to get things documented
in an Internet Draft, it seems that we just rehash some issues that only
a very small set of people understand.

Bert and Mehmet

From wjhns1@hardakers.net  Fri Feb 19 09:21:40 2010
From: Wes Hardaker <wjhns1@hardakers.net>
To: andyb@iwl.com
Organization: Sparta
References: <4B760CBD.1050906@iwl.com> <sdtythknyq.fsf@wjh.hardakers.net> <4B7AED56.5030000@iwl.com> <sdocjokcn3.fsf@wjh.hardakers.net> <4B7B2DAC.6000305@iwl.com>
Date: Fri, 19 Feb 2010 09:23:24 -0800
In-Reply-To: <4B7B2DAC.6000305@iwl.com> (Andy Bierman's message of "Tue, 16 Feb 2010 15:43:40 -0800")
Message-ID: <sdk4u9gmwj.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.22 (linux, no MULE)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation

>>>>> On Tue, 16 Feb 2010 15:43:40 -0800, Andy Bierman <andyb@iwl.com> said:

>> The other thing I've been saying for a long time both inside and outside
>> the IETF: "netconf is a great looking protocol, but it's designed for
>> all-or-nothing access".  IE, it works great if everyone is root.

AB> It is designed so that access control is proprietary
AB> until it is standardized in the future.

No, you missed the point: access control will be difficult at best to
get right considering the nature of the protocol operations.  You're
seeing some of the issues now as you've just pointed out some of the
difficulties in getting it right or even workable.  The protocol,
intentionally or not, is designed to trust the operators.  As you've
just shown in another example, copy-config and edit-config are dangerous
commands to give to someone that doesn't have global root-level access to
everything.  It's inherent in the protocol.  It's not, necessarily, a bad
thing unless you *want* to do role-based access control.  Many
claim that role-based access control isn't used in the wild and we
shouldn't worry about it anyway because 99% of the use case is "everyone
with access is already root".  Though I agree that's true for many
enterprises, I've definitely seen (many) cases where it isn't true.

-- 
Wes Hardaker
Cobham Analytic Solutions

From andyb@iwl.com  Fri Feb 19 09:42:14 2010
Message-ID: <4B7ECE0F.7030904@iwl.com>
Date: Fri, 19 Feb 2010 09:44:47 -0800
From: Andy Bierman <andyb@iwl.com>
Organization: Interworking Labs, Inc.
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Wes Hardaker <wjhns1@hardakers.net>
References: <4B760CBD.1050906@iwl.com> <sdtythknyq.fsf@wjh.hardakers.net>	<4B7AED56.5030000@iwl.com> <sdocjokcn3.fsf@wjh.hardakers.net>	<4B7B2DAC.6000305@iwl.com> <sdk4u9gmwj.fsf@wjh.hardakers.net>
In-Reply-To: <sdk4u9gmwj.fsf@wjh.hardakers.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
Reply-To: andyb@iwl.com

Wes Hardaker wrote:
>>>>>> On Tue, 16 Feb 2010 15:43:40 -0800, Andy Bierman <andyb@iwl.com> said:
> 
>>> The other thing I've been saying for a long time both inside and outside
>>> the IETF: "netconf is a great looking protocol, but it's designed for
>>> all-or-nothing access".  IE, it works great if everyone is root.
> 
> AB> It is designed so that access control is proprietary
> AB> until it is standardized in the future.
> 
> No, you missed the point: access control will be difficult at best to
> get right considering the nature of the protocol operations.  You're
> seeing some of the issues now as you've just pointed out some of the
> difficulties in getting it right or even workable.  The protocol,
> intentionally or not, is designed to trust the operators.  As you've
> just shown in another example, copy-config and edit-config are dangerous
> commands to give to someone that doesn't have global root-level access to
> everything.  It's inherent in the protocol.  It's not, necessarily, a bad
> thing unless you *want* to do role-based access control.  Many
> claim that role-based access control isn't used in the wild and we
> shouldn't worry about it anyway because 99% of the use case is "everyone
> with access is already root".  Though I agree that's true for many
> enterprises, I've definitely seen (many) cases where it isn't true.
> 

The NETCONF protocol is still a work in progress.
SNMP was published in August 1988.
There wasn't any access control published
(VACM) until January 1998.

By then, everyone was using 'public' and 'private'
community strings (sometimes with those exact values!).
Operators wanted to partition read-only and read-write access.
That much of SNMP access control was used.

I disagree that it is too late to add access control to NETCONF.
It is not too late to learn that VACM was an over-engineered
disaster and a simpler approach is needed for NETCONF.
It may not be bullet-proof (e.g., poorly documented vendor RPC
changes some underlying config nodes), but it will be a whole
lot better than nothing.


Andy

From phil@juniper.net  Fri Feb 19 10:22:55 2010
Message-ID: <201002191808.o1JI81G9051086@idle.juniper.net>
To: <andyb@iwl.com>
In-Reply-To: <4B7ECE0F.7030904@iwl.com> 
Date: Fri, 19 Feb 2010 13:08:01 -0500
From: Phil Shafer <phil@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation

Andy Bierman writes:
>There wasn't any access control published
>(VACM) until January 1998.

Sure but when will useful[1] access control for SNMP be available? ;^)

Sorry, couldn't resist, but in trying to solve a single problem in
an exhaustive way, VACM makes something that no one wants.  I hope
we can do better for NETCONF.  Perhaps you would be well served to
start with the 10 biggest ACM-related problem scenarios you want
to solve and work forward from there.

Thanks,
 Phil

1: Feel free to replace "useful" with "real-world", "useable",
or "widely deployed".

From andyb@iwl.com  Fri Feb 19 11:15:54 2010
Message-ID: <4B7EE402.7060405@iwl.com>
Date: Fri, 19 Feb 2010 11:18:26 -0800
From: Andy Bierman <andyb@iwl.com>
Organization: Interworking Labs, Inc.
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Phil Shafer <phil@juniper.net>
References: <201002191808.o1JI81G9051086@idle.juniper.net>
In-Reply-To: <201002191808.o1JI81G9051086@idle.juniper.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
Reply-To: andyb@iwl.com

Phil Shafer wrote:
> Andy Bierman writes:
>> There wasn't any access control published
>> (VACM) until January 1998.
> 
> Sure but when will useful[1] access control for SNMP be available? ;^)
> 
> Sorry, couldn't resist, but in trying to solve a single problem in
> an exhaustive way, VACM makes something that no one wants.  I hope
> we can do better for NETCONF.  Perhaps you would be well served to
> start with the 10 biggest ACM-related problem scenarios you want
> to solve and work forward from there.
> 

I just pointed out a 10 year time span between
publication dates.  It is well understood that
VACM is not widely deployed.

The most common form of SNMP access control several
years ago was to simply disable the 'write' community string
with the CLI.  There isn't much need to partition
the read-only data into different access levels.

We should learn from VACM and move on.


> Thanks,
>  Phil


Andy

From phil@juniper.net  Fri Feb 19 11:27:23 2010
Message-ID: <201002191909.o1JJ9wa2051930@idle.juniper.net>
To: <andyb@iwl.com>
In-Reply-To: <4B7EE402.7060405@iwl.com> 
Date: Fri, 19 Feb 2010 14:09:58 -0500
From: Phil Shafer <phil@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation

Andy Bierman writes:
>We should learn from VACM and move on.

IMHO we should learn this isn't a problem we will solve in the next
little while and our efforts will be better spent on other issues
where we can bear fruit that people will need and use.

Thanks,
 Phil

From andyb@iwl.com  Fri Feb 19 11:35:27 2010
Message-ID: <4B7EE897.6000602@iwl.com>
Date: Fri, 19 Feb 2010 11:37:59 -0800
From: Andy Bierman <andyb@iwl.com>
Organization: Interworking Labs, Inc.
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Phil Shafer <phil@juniper.net>
References: <201002191909.o1JJ9wa2051930@idle.juniper.net>
In-Reply-To: <201002191909.o1JJ9wa2051930@idle.juniper.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
Reply-To: andyb@iwl.com

Phil Shafer wrote:
> Andy Bierman writes:
>> We should learn from VACM and move on.
> 
> IMHO we should learn this isn't a problem we will solve in the next
> little while and our efforts will be better spent on other issues
> where we can bear fruit that people will need and use.
> 

If NETCONF is going to be a real replacement/supplement to CLI
then it needs at least some of the ACM features used in CLI.
Some operators use Radius and TACACS+ for CLI access control.
Some just use 2 types of passwords -- root user and everybody else.

IMO, we should support these CLI access control modes in the NETCONF standard.


> Thanks,
>  Phil
> 

Andy

From j.schoenwaelder@jacobs-university.de  Fri Feb 19 12:04:37 2010
Date: Fri, 19 Feb 2010 21:05:52 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Wes Hardaker <wjhns1@hardakers.net>
Message-ID: <20100219200551.GA4067@elstar.local>
Mail-Followup-To: Wes Hardaker <wjhns1@hardakers.net>, "andyb@iwl.com" <andyb@iwl.com>, NETCONF <netconf@ietf.org>
References: <4B760CBD.1050906@iwl.com> <sdtythknyq.fsf@wjh.hardakers.net> <4B7AED56.5030000@iwl.com> <sdocjokcn3.fsf@wjh.hardakers.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <sdocjokcn3.fsf@wjh.hardakers.net>
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>

On Wed, Feb 17, 2010 at 12:02:24AM +0100, Wes Hardaker wrote:
 
> The other thing I've been saying for a long time both inside and outside
> the IETF: "netconf is a great looking protocol, but it's designed for
> all-or-nothing access".  IE, it works great if everyone is root.

I do not see it that way. This is similar to a backup of a Unix system
- if you want a full backup, you better have full access to the
filesystem in question. Still, if you are an ordinary user of a Unix
box, it is still meaningful to do a backup of your home directory and
it is also meaningful to restore it. And yes, you would not expect any
other parts to be included in the backup and you would not expect
other parts you do not have access to to change. Can there be odd
cases? Sure, depends to a large extent how you organize the data; if
the logical unit of work is in a subtree, things get simpler. This is
why having a home directory is a perfectly reasonable file system
organization for most users.

In other words, I believe a meaningful solution can be engineered,
even if it might assume some reasonable organization of the config.
(Even VACM assumes or sometimes requires a meaningful organization,
so this is not even something new.)

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
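
The home-directory analogy in the message above, and the copy-config/edit-config concern it answers, can be made concrete. This is an added example, not code from the thread or from any NETCONF implementation: a toy configuration tree (nested dicts, constructed data) in which a restricted user's replace is applied only inside the subtrees that user may write. All function and variable names are hypothetical.

```python
import copy


class AccessDenied(Exception):
    """Raised when a request touches data outside the user's subtrees."""


def _inside(path, allowed):
    """True if path is at or below one of the allowed subtree roots."""
    return any(path[:len(root)] == root for root in allowed)


def _leads_to(path, allowed):
    """True if path is an ancestor of (or equal to) an allowed subtree root."""
    return any(root[:len(path)] == path for root in allowed)


def filtered_view(node, allowed, path=()):
    """Return what a restricted user can read: only the allowed subtrees."""
    if _inside(path, allowed):
        return copy.deepcopy(node)
    if not isinstance(node, dict) or not _leads_to(path, allowed):
        return None
    view = {}
    for key, child in node.items():
        sub = filtered_view(child, allowed, path + (key,))
        if sub is not None:
            view[key] = sub
    return view


def naive_replace(current, submitted):
    """All-or-nothing replace: whatever was not submitted is deleted."""
    return copy.deepcopy(submitted)


def scoped_replace(current, submitted, allowed, path=()):
    """Replace only inside allowed subtrees; keep everything else as it was."""
    if _inside(path, allowed):
        # The user's "home directory": submitted content wins, and an
        # omitted node (None) is deleted, as replace semantics require.
        return copy.deepcopy(submitted)
    if not _leads_to(path, allowed):
        # Outside the user's subtrees: submitting anything here is refused,
        # and omitting it must not delete what is already there.
        if submitted is not None:
            raise AccessDenied("/" + "/".join(path))
        return copy.deepcopy(current)
    # An ancestor of an allowed subtree: it may only be a container.
    if submitted is not None and not isinstance(submitted, dict):
        raise AccessDenied("/" + "/".join(path))
    cur = current if isinstance(current, dict) else {}
    sub = submitted or {}
    merged = {}
    for key in list(cur) + [k for k in sub if k not in cur]:
        child = scoped_replace(cur.get(key), sub.get(key), allowed, path + (key,))
        if child is not None:
            merged[key] = child
    return merged


# Constructed sample data: the running config and one operator role that
# may read and write only the /interfaces subtree.
RUNNING = {
    "system": {"hostname": "edge1", "users": {"admin": "hash-placeholder"}},
    "interfaces": {"eth0": {"mtu": "1500"}, "eth1": {"mtu": "1500"}},
}
OPERATOR_SUBTREES = [("interfaces",)]

if __name__ == "__main__":
    # The operator reads a filtered copy, edits it, and sends it back.
    view = filtered_view(RUNNING, OPERATOR_SUBTREES)
    view["interfaces"]["eth0"]["mtu"] = "9000"
    del view["interfaces"]["eth1"]
    print("naive :", naive_replace(RUNNING, view))   # /system is gone
    print("scoped:", scoped_replace(RUNNING, view, OPERATOR_SUBTREES))
```

The scoped variant only works cleanly because the writable unit is a whole subtree, which is the "reasonable organization of the config" the message assumes.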

From bertietf@bwijnen.net  Fri Feb 19 14:59:10 2010
Message-ID: <81C2B03F5F0343E0B8817BEEA3401E9A@BertLaptop>
From: "Bert Wijnen \(IETF\)" <bertietf@bwijnen.net>
To: "Phil Shafer" <phil@juniper.net>, "Andy Bierman" <andyb@iwl.com>
Date: Sat, 20 Feb 2010 00:00:29 +0100
Organization: Consultant
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_21DE_01CAB1BF.B6F28F20"
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation

This is a multi-part message in MIME format.

------=_NextPart_000_21DE_01CAB1BF.B6F28F20
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I have learned from VACM two things:

- We should not over-engineer. We did that with VACM. Nobody uses/wants it.
  It was mainly a theoretical exercise.
- Even though VACM can be configured in a simple way (like just read and write access),
  it is not being used in a simple way... mostly (I think) because we overengineered it and
  so it looks/feels complicated to do even the simple thing.

my 2 cents,
Bert
  ----- Original Message -----
  From: Andy Bierman
  To: Phil Shafer
  Cc: NETCONF
  Sent: Friday, February 19, 2010 8:37 PM
  Subject: Re: [Netconf] NETCONF replace operation


  Phil Shafer wrote:
  > Andy Bierman writes:
  >> We should learn from VACM and move on.
  >
  > IMHO we should learn this isn't a problem we will solve in the next
  > little while and our efforts will be better spent on other issues
  > where we can bear fruit that people will need and use.
  >

  If NETCONF is going to be a real replacement/supplement to CLI
  then it needs at least some of the ACM features used in CLI.
  Some operators use Radius and TACACS+ for CLI access control.
  Some just use 2 types of passwords -- root user and everybody else.

  IMO, we should support these CLI access control modes in NETCONF standard.


  > Thanks,
  >  Phil
  >

  Andy


------=_NextPart_000_21DE_01CAB1BF.B6F28F20--


From randy_presuhn@mindspring.com  Fri Feb 19 16:35:55 2010
Return-Path: <randy_presuhn@mindspring.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 808113A700F for <netconf@core3.amsl.com>; Fri, 19 Feb 2010 16:35:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.413
X-Spam-Level: 
X-Spam-Status: No, score=-2.413 tagged_above=-999 required=5 tests=[AWL=0.186,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id by+vgKh9BrbN for <netconf@core3.amsl.com>; Fri, 19 Feb 2010 16:35:54 -0800 (PST)
Received: from elasmtp-curtail.atl.sa.earthlink.net (elasmtp-curtail.atl.sa.earthlink.net [209.86.89.64]) by core3.amsl.com (Postfix) with ESMTP id 7AC193A67E4 for <netconf@ietf.org>; Fri, 19 Feb 2010 16:35:53 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=mindspring.com; b=pQs/xD0YRFpOBnwR2+HCm/s8Pduslj62S7ysypGad7rtOVg9/JhVOXSyuoCq3Ull; h=Received:Message-ID:From:To:References:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE:X-ELNK-Trace:X-Originating-IP;
Received: from [99.60.27.76] (helo=oemcomputer) by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <randy_presuhn@mindspring.com>) id 1NidLp-0000cj-Dz for netconf@ietf.org; Fri, 19 Feb 2010 19:37:41 -0500
Message-ID: <003f01cab1c5$91131120$6801a8c0@oemcomputer>
From: "Randy Presuhn" <randy_presuhn@mindspring.com>
To: "NETCONF" <netconf@ietf.org>
References: <81C2B03F5F0343E0B8817BEEA3401E9A@BertLaptop>
Date: Fri, 19 Feb 2010 16:42:22 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1478
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
X-ELNK-Trace: 4488c18417c9426da92b9037bc8bcf44d4c20f6b8d69d888494b88d665f13b40a90d86e30fc2b3284b91f9966f1e316e350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 99.60.27.76
Subject: Re: [Netconf] NETCONF replace operation
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Feb 2010 00:35:55 -0000

Hi -

I think the "overengineered" aspects of VACM really have nothing at all
to do with formulating access control policy, but were instead thought
(at least by their proponents) to be ways to make things "easier" or
"more efficient" for particular use cases.  But they just get in the
way of understanding the normal cases.  Two specific examples:
  - "prefix matching" for contexts
  - the vacmViewTreeFamilyMask

Both of these can dramatically reduce the number of entries needed
for complex policies, and the size of policies was a big concern when
VACM was developed.  The flip side is that these two features both
make the MIB harder to understand, and require substantial intelligence
on the part of the security administrator application to put to optimal
use.  Configuring these by hand is madness, but that appears to be
what at least some folks still try to do.

The lesson, I think, is that NETCONF should be explicit in its expectations
regarding how access control policy configurations will be created and
administered.

Randy

----- Original Message ----- 
From: "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
To: "Phil Shafer" <phil@juniper.net>; "Andy Bierman" <andyb@iwl.com>
Cc: "NETCONF" <netconf@ietf.org>
Sent: Friday, February 19, 2010 3:00 PM
Subject: Re: [Netconf] NETCONF replace operation


I have learned from VACM two things:

- We should not over-engineer. We did that with VACM. Nobody uses/wants it.
  It was mainly a theoretical exercise.
- Even though VACM can be configured in a simple way (like just read and write access),
  it is not being used in a simple way... mostly (I think) because we overengineered it and
  so it looks/feels complicated to do even the simple thing.

my 2 cents,
Bert
  ----- Original Message ----- 
  From: Andy Bierman 
  To: Phil Shafer 
  Cc: NETCONF 
  Sent: Friday, February 19, 2010 8:37 PM
  Subject: Re: [Netconf] NETCONF replace operation


  Phil Shafer wrote:
  > Andy Bierman writes:
  >> We should learn from VACM and move on.
  > 
  > IMHO we should learn this isn't a problem we will solve in the next
  > little while and our efforts will be better spent on other issues
  > where we can bear fruit that people will need and use.
  > 

  If NETCONF is going to be a real replacement/supplement to CLI
  then it needs at least some of the ACM features used in CLI.
  Some operators use Radius and TACACS+ for CLI access control.
  Some just use 2 types of passwords -- root user and everybody else.

  IMO, we should support these CLI access control modes in NETCONF standard.


  > Thanks,
  >  Phil
  > 

  Andy

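[Added example, not part of the original post.] The vacmViewTreeFamilyMask rule named in the message above, worked through in Python following the view-matching rules of RFC 3415. The view rows are constructed for illustration; TYPO_VIEW differs from the intended row by one mask bit and shows how a hand-edited mask silently widens the view.

```python
from typing import List, NamedTuple, Tuple

OID = Tuple[int, ...]


class Family(NamedTuple):
    """One vacmViewTreeFamilyTable row of a single view (RFC 3415)."""
    subtree: OID     # vacmViewTreeFamilySubtree
    mask: bytes      # vacmViewTreeFamilyMask; bit 0 is the MSB of byte 0
    included: bool   # vacmViewTreeFamilyType: included (True) / excluded (False)


def oid(text: str) -> OID:
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bit(mask: bytes, index: int) -> int:
    """Mask bit for sub-identifier `index`; a short mask is padded with 1s."""
    byte, bit = divmod(index, 8)
    if byte >= len(mask):
        return 1
    return (mask[byte] >> (7 - bit)) & 1


def pattern(fam: Family) -> str:
    """Render subtree plus mask for review: '*' marks a wildcarded position."""
    return ".".join(
        str(sub) if mask_bit(fam.mask, i) else "*"
        for i, sub in enumerate(fam.subtree)
    )


def family_matches(fam: Family, name: OID) -> bool:
    """A name matches if it is at least as long as the subtree and agrees with
    it at every position whose mask bit is 1."""
    if len(name) < len(fam.subtree):
        return False
    return all(
        mask_bit(fam.mask, i) == 0 or name[i] == sub
        for i, sub in enumerate(fam.subtree)
    )


def in_view(view: List[Family], name: OID) -> bool:
    """Among matching rows the longest subtree wins; ties go to the
    lexicographically greatest subtree. No matching row means not in view."""
    matching = [fam for fam in view if family_matches(fam, name)]
    if not matching:
        return False
    best = max(matching, key=lambda fam: (len(fam.subtree), fam.subtree))
    return best.included


IF_ENTRY = "1.3.6.1.2.1.2.2.1"   # ifEntry; instances are ifEntry.<column>.<ifIndex>

# Constructed view: the system group, plus every column of ifTable row 5
# except ifAdminStatus (column 7).
VIEW = [
    Family(oid("1.3.6.1.2.1.1"), b"", True),
    Family(oid(IF_ENTRY + ".0.5"), bytes([0xFF, 0xA0]), True),   # column wildcarded
    Family(oid(IF_ENTRY + ".7.5"), b"", False),
]

# Same row with mask ff:80 instead of ff:a0: the ifIndex position is now
# wildcarded too, so every row of ifTable is in view.
TYPO_VIEW = [Family(oid(IF_ENTRY + ".0.5"), bytes([0xFF, 0x80]), True)]

if __name__ == "__main__":
    for fam in VIEW + TYPO_VIEW:
        print("included" if fam.included else "excluded", pattern(fam))
    for name in (IF_ENTRY + ".10.5", IF_ENTRY + ".10.6", IF_ENTRY + ".7.5"):
        print(name, in_view(VIEW, oid(name)), in_view(TYPO_VIEW, oid(name)))
```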

From phil@juniper.net  Sat Feb 20 07:34:27 2010
Return-Path: <phil@juniper.net>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 37D5528C152 for <netconf@core3.amsl.com>; Sat, 20 Feb 2010 07:34:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P2q-9pjSpi9j for <netconf@core3.amsl.com>; Sat, 20 Feb 2010 07:34:26 -0800 (PST)
Received: from exprod7og106.obsmtp.com (exprod7og106.obsmtp.com [64.18.2.165]) by core3.amsl.com (Postfix) with ESMTP id 2965828C119 for <netconf@ietf.org>; Sat, 20 Feb 2010 07:34:24 -0800 (PST)
Received: from source ([66.129.224.36]) (using TLSv1) by exprod7ob106.postini.com ([64.18.6.12]) with SMTP ID DSNKS4ABbpDXnbmYw5uCh7mhW6DcpJzoDk33@postini.com; Sat, 20 Feb 2010 07:36:17 PST
Received: from p-emfe01-sac.jnpr.net (66.129.254.71) by P-EMHUB01-HQ.jnpr.net (172.24.192.35) with Microsoft SMTP Server id 8.1.393.1; Sat, 20 Feb 2010 07:28:54 -0800
Received: from p-emlb02-sac.jnpr.net ([66.129.254.47]) by p-emfe01-sac.jnpr.net with Microsoft SMTPSVC(6.0.3790.3959); Sat, 20 Feb 2010 07:28:54 -0800
Received: from emailsmtp56.jnpr.net ([172.24.60.77]) by p-emlb02-sac.jnpr.net with Microsoft SMTPSVC(6.0.3790.3959); Sat, 20 Feb 2010 07:28:53 -0800
Received: from magenta.juniper.net ([172.17.27.123]) by emailsmtp56.jnpr.net with Microsoft SMTPSVC(6.0.3790.3959); Sat, 20 Feb 2010 07:28:53 -0800
Received: from idle.juniper.net (idleski.juniper.net [172.25.4.26])	by magenta.juniper.net (8.11.3/8.11.3) with ESMTP id o1KFSqF24421; Sat, 20 Feb 2010 07:28:52 -0800 (PST)	(envelope-from phil@juniper.net)
Received: from idle.juniper.net (localhost [127.0.0.1])	by idle.juniper.net (8.14.3/8.14.3) with ESMTP id o1KFCvfh057440; Sat, 20 Feb 2010 15:12:57 GMT (envelope-from phil@idle.juniper.net)
Message-ID: <201002201512.o1KFCvfh057440@idle.juniper.net>
To: <andyb@iwl.com>
In-Reply-To: <4B7EE897.6000602@iwl.com> 
Date: Sat, 20 Feb 2010 10:12:57 -0500
From: Phil Shafer <phil@juniper.net>
X-OriginalArrivalTime: 20 Feb 2010 15:28:53.0554 (UTC) FILETIME=[68DEF120:01CAB241]
MIME-Version: 1.0
Content-Type: text/plain
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Feb 2010 15:34:27 -0000

Andy Bierman writes:
>If NETCONF is going to be a real replacement/supplement to CLI
>then it needs at least some of the ACM features used in CLI.
>Some operators use Radius and TACACS+ for CLI access control.
>Some just use 2 types of passwords -- root user and everybody else.

Given that:

(a) operators want something simple
(b) operators already use the CLI
(c) operators use Radius and TACACS+ for CLI access control
(d) operators have their ACM model already set up for the CLI users

the simplest path would be for the on-box NETCONF ACM to mirror the
CLI ACM mechanism.  If you can't touch a config knob via the CLI,
you can't touch it via the API.  If you can't see a config knob in
the CLI, you can't see it in the API.  The operator wants a single
cohesive ACM model for the entire box, not one for the CLI and one
for the API.

If my RANCID login needs read access to the full config, then my
application that performs backups can use this same login without
the operator even needing to understand a different ACM model.

This is my view and the way the XML API in JUNOS has always worked.
This gives operators a level of comfort in using the API, knowing
they are not opening anything that isn't already accessible.

Regardless of how simple a model you think you can build, reusing
what's already there (understood, configured, deployed, working)
makes more sense.  This is the same reasoning that led us to use
ssh instead of rolling our own login mechanism.  ssh (keys, agents,
etc) are already in use, so we couldn't have made anything simpler.

If you see the need for a new ACM model for NETCONF, please feel
free to write a draft with specific ideas.  Until we have something
concrete to discuss, can we please lay this topic to rest (one more
time)?

Thanks,
 Phil

From phil@juniper.net  Sat Feb 20 07:43:27 2010
Return-Path: <phil@juniper.net>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2DEEF28C174 for <netconf@core3.amsl.com>; Sat, 20 Feb 2010 07:43:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xcb6Ayej3rUW for <netconf@core3.amsl.com>; Sat, 20 Feb 2010 07:43:26 -0800 (PST)
Received: from exprod7og109.obsmtp.com (exprod7og109.obsmtp.com [64.18.2.171]) by core3.amsl.com (Postfix) with ESMTP id 3591728C16C for <netconf@ietf.org>; Sat, 20 Feb 2010 07:43:24 -0800 (PST)
Received: from source ([66.129.224.36]) (using TLSv1) by exprod7ob109.postini.com ([64.18.6.12]) with SMTP ID DSNKS4ADihQON3CsMR/eGyeNe046XOlH2Zy2@postini.com; Sat, 20 Feb 2010 07:45:17 PST
Received: from p-emfe01-sac.jnpr.net (66.129.254.72) by P-EMHUB01-HQ.jnpr.net (172.24.192.35) with Microsoft SMTP Server id 8.1.393.1; Sat, 20 Feb 2010 07:37:49 -0800
Received: from p-emlb02-sac.jnpr.net ([66.129.254.47]) by p-emfe01-sac.jnpr.net with Microsoft SMTPSVC(6.0.3790.3959); Sat, 20 Feb 2010 07:37:49 -0800
Received: from emailsmtp56.jnpr.net ([172.24.60.77]) by p-emlb02-sac.jnpr.net with Microsoft SMTPSVC(6.0.3790.3959); Sat, 20 Feb 2010 07:37:49 -0800
Received: from magenta.juniper.net ([172.17.27.123]) by emailsmtp56.jnpr.net with Microsoft SMTPSVC(6.0.3790.3959); Sat, 20 Feb 2010 07:37:48 -0800
Received: from idle.juniper.net (idleski.juniper.net [172.25.4.26])	by magenta.juniper.net (8.11.3/8.11.3) with ESMTP id o1KFblF26984; Sat, 20 Feb 2010 07:37:47 -0800 (PST)	(envelope-from phil@juniper.net)
Received: from idle.juniper.net (localhost [127.0.0.1])	by idle.juniper.net (8.14.3/8.14.3) with ESMTP id o1KFLqsJ057548; Sat, 20 Feb 2010 15:21:53 GMT (envelope-from phil@idle.juniper.net)
Message-ID: <201002201521.o1KFLqsJ057548@idle.juniper.net>
To: Wes Hardaker <wjhns1@hardakers.net>
In-Reply-To: <sdk4u9gmwj.fsf@wjh.hardakers.net> 
Date: Sat, 20 Feb 2010 10:21:52 -0500
From: Phil Shafer <phil@juniper.net>
X-OriginalArrivalTime: 20 Feb 2010 15:37:48.0683 (UTC) FILETIME=[A7D525B0:01CAB242]
MIME-Version: 1.0
Content-Type: text/plain
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Feb 2010 15:43:27 -0000

Wes Hardaker writes:
>As you've
>just shown in another example, copy-config and edit-config are dangerous
>commands to give to someone that doesn't have global root-level access to
>everything.  It's inherent in the protocol.

I can't disagree more.  "edit-config" is no more dangerous than
"load" in the CLI.  If the user isn't allowed to delete something
and attempts to, it's an error.  If you want to backup the full
config, then you need to give your user access to the full config.
If you arrange to only backup part of the config, then you'll only
restore that part of the config.  This is not dangerous or an error
in protocol design.

Thanks,
 Phil
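
[Added example, not part of the original post and not JUNOS or any NETCONF server's code.] A toy Python model of the behaviour argued for in the two messages above: one policy consulted by both the CLI and the API, and a replace that is rejected as a whole when it would delete or change something the login may not write. The login classes, paths and configuration are constructed.

```python
from typing import Any, Dict, Tuple

Path = Tuple[str, ...]
Tree = Dict[str, Any]
_MISSING = object()


class AccessDenied(Exception):
    """Would be reported to a NETCONF client with error-tag access-denied."""


# Constructed login classes: path prefixes each class may read or write.
# () is the root and therefore covers the whole configuration.
POLICY: Dict[str, Dict[str, list]] = {
    "root":    {"read": [()], "write": [()]},
    "backup":  {"read": [()], "write": []},
    "ifadmin": {"read": [("interfaces",)], "write": [("interfaces",)]},
}


def allowed(login_class: str, action: str, path: Path) -> bool:
    """The single access check used by every front end in this model."""
    return any(path[:len(p)] == p for p in POLICY[login_class][action])


def flatten(tree: Tree, prefix: Path = ()) -> Dict[Path, Any]:
    leaves: Dict[Path, Any] = {}
    for key, value in tree.items():
        if isinstance(value, dict):
            leaves.update(flatten(value, prefix + (key,)))
        else:
            leaves[prefix + (key,)] = value
    return leaves


def unflatten(leaves: Dict[Path, Any]) -> Tree:
    tree: Tree = {}
    for path, value in sorted(leaves.items()):
        node = tree
        for key in path[:-1]:
            node = node.setdefault(key, {})
        node[path[-1]] = value
    return tree


def show(config: Tree, login_class: str) -> Tree:
    """Read path shared by a CLI 'show' and NETCONF <get-config>."""
    return unflatten({p: v for p, v in flatten(config).items()
                      if allowed(login_class, "read", p)})


def replace(config: Tree, login_class: str, target: Path, new_subtree: Tree) -> Tree:
    """Write path shared by a CLI 'load' and <edit-config> with replace.

    Everything under `target` becomes `new_subtree`. Each leaf that would be
    created, changed or deleted must be writable; otherwise nothing is applied.
    """
    current = flatten(config)
    old = {p: v for p, v in current.items() if p[:len(target)] == target}
    new = flatten(new_subtree, target)
    touched = sorted(p for p in old.keys() | new.keys()
                     if old.get(p, _MISSING) != new.get(p, _MISSING))
    denied = [p for p in touched if not allowed(login_class, "write", p)]
    if denied:
        raise AccessDenied("/".join(denied[0]))
    kept = {p: v for p, v in current.items() if p not in old}
    kept.update(new)
    return unflatten(kept)


# Constructed running configuration.
RUNNING: Tree = {
    "system": {"hostname": "r1", "ntp": "192.0.2.1"},
    "interfaces": {"ge-0": {"mtu": 1500}, "ge-1": {"mtu": 9000}},
}

if __name__ == "__main__":
    partial = show(RUNNING, "ifadmin")          # a partial "backup"
    partial["interfaces"]["ge-0"]["mtu"] = 9000
    try:
        replace(RUNNING, "ifadmin", (), partial)  # would delete /system
    except AccessDenied as exc:
        print("access-denied:", exc)
    print(replace(RUNNING, "ifadmin", ("interfaces",), partial["interfaces"]))
```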

From andyb@iwl.com  Sat Feb 20 07:46:38 2010
Return-Path: <andyb@iwl.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F24D528C174 for <netconf@core3.amsl.com>; Sat, 20 Feb 2010 07:46:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.064
X-Spam-Level: 
X-Spam-Status: No, score=-2.064 tagged_above=-999 required=5 tests=[AWL=0.201,  BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Drk1V6BrENf for <netconf@core3.amsl.com>; Sat, 20 Feb 2010 07:46:37 -0800 (PST)
Received: from smtp204.dfw.emailsrvr.com (smtp204.dfw.emailsrvr.com [67.192.241.204]) by core3.amsl.com (Postfix) with ESMTP id 3C8FC28C16C for <netconf@ietf.org>; Sat, 20 Feb 2010 07:46:37 -0800 (PST)
Received: from relay20.relay.dfw.mlsrvr.com (localhost [127.0.0.1]) by relay20.relay.dfw.mlsrvr.com (SMTP Server) with ESMTP id 23E3B21282DD; Sat, 20 Feb 2010 10:48:28 -0500 (EST)
Received: by relay20.relay.dfw.mlsrvr.com (Authenticated sender: andyb-AT-iwlcorp.com) with ESMTPSA id BD13E21282DB;  Sat, 20 Feb 2010 10:48:27 -0500 (EST)
Message-ID: <4B800480.1030508@iwl.com>
Date: Sat, 20 Feb 2010 07:49:20 -0800
From: Andy Bierman <andyb@iwl.com>
Organization: Interworking Labs, Inc.
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Phil Shafer <phil@juniper.net>
References: <201002201512.o1KFCvfh057440@idle.juniper.net>
In-Reply-To: <201002201512.o1KFCvfh057440@idle.juniper.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: andyb@iwl.com
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Feb 2010 15:46:38 -0000

Phil Shafer wrote:
> Andy Bierman writes:
>> If NETCONF is going to be a real replacement/supplement to CLI
>> then it needs at least some of the ACM features used in CLI.
>> Some operators use Radius and TACACS+ for CLI access control.
>> Some just use 2 types of passwords -- root user and everybody else.
> 
> Given that:
> 
> (a) operators want something simple
> (b) operators already use the CLI
> (c) operators use Radius and TACACS+ for CLI access control
> (d) operators have their ACM model already set up for the CLI users
> 
> the simplest path would be for the on-box NETCONF ACM to mirror the
> CLI ACM mechanism.  If you can't touch a config knob via the CLI,
> you can't touch it via the API.  If you can't see a config knob in
> the CLI, you can't see it in the API.  The operator wants a single
> cohesive ACM model for the entire box, not one for the CLI and one
> for the API.
> 
> If my RANCID login needs read access to the full config, then my
> application that performs backups can use this same login without
> the operator even needing to understand a different ACM model.
> 
> This is my view and the way the XML API in JUNOS has always worked.
> This gives operators a level of comfort in using the API, knowing
> they are not opening anything that isn't already accessible.
> 
> Regardless of how simple a model you think you can build, reusing
> what's already there (understood, configured, deployed, working)
> makes more sense.  This is the same reasoning that led us to use
> ssh instead of rolling our own login mechanism.  ssh (keys, agents,
> etc) are already in use, so we couldn't have made anything simpler.
> 
> If you see the need for a new ACM model for NETCONF, please feel
> free to write a draft with specific ideas.  Until we have something
> concrete to discuss, can we please lay this topic to rest (one more
> time)?
> 

This applies to any and every new work item, right?
IMO, we should be using the mailing list (like
we are right now) to discuss access control requirements.
You say we have other more important work to do.
Where are the drafts?  What work are you talking about?


IMO, Wes is mostly correct -- the NETCONF standard
has all-or-nothing access, and this is not suitable for
all systems. It's kind of like the IPFIX vendors who
want to run over UDP and do not care that the IETF wants
a more congestion-friendly transport for IPFIX.


> Thanks,
>  Phil
> 

Andy


From bertietf@bwijnen.net  Sat Feb 20 14:12:47 2010
Return-Path: <bertietf@bwijnen.net>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DF1A83A8280 for <netconf@core3.amsl.com>; Sat, 20 Feb 2010 14:12:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.061
X-Spam-Level: 
X-Spam-Status: No, score=-0.061 tagged_above=-999 required=5 tests=[AWL=0.381,  BAYES_00=-2.599, HELO_MISMATCH_NET=0.611, HOST_EQ_NL=1.545, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o-8nR5NmNzQf for <netconf@core3.amsl.com>; Sat, 20 Feb 2010 14:12:46 -0800 (PST)
Received: from relay.versatel.net (relay56.tele2.vuurwerk.nl [62.250.3.56]) by core3.amsl.com (Postfix) with ESMTP id 92AC43A827C for <netconf@ietf.org>; Sat, 20 Feb 2010 14:12:44 -0800 (PST)
Received: from [87.215.199.34] (helo=BertLaptop) by relay.versatel.net with smtp (Exim 4.69) (envelope-from <bertietf@bwijnen.net>) id 1Nixat-0006Zk-VC for netconf@ietf.org; Sat, 20 Feb 2010 23:14:36 +0100
Message-ID: <42FD5FC11874486A83D63AFE9A93DE38@BertLaptop>
From: "Bert Wijnen \(IETF\)" <bertietf@bwijnen.net>
To: "NETCONF" <netconf@ietf.org>
Date: Sat, 20 Feb 2010 23:12:37 +0100
Organization: Consultant
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_23C3_01CAB282.314FB3C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6002.18005
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6002.18005
Subject: [Netconf] Fw:  NETCONF replace operation
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Feb 2010 22:12:48 -0000

This is a multi-part message in MIME format.

------=_NextPart_000_23C3_01CAB282.314FB3C0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable



I have learned from VACM two things:

- We should not over-engineer. We did that with VACM. Nobody uses/wants it.
  It was mainly a theoretical exercise.
- Even though VACM can be configured in a simple way (like just read and write access),
  it is not being used in a simple way... mostly (I think) because we overengineered it and
  so it looks/feels complicated to do even the simple thing.

my 2 cents,
Bert
  ----- Original Message -----
  From: Andy Bierman
  To: Phil Shafer
  Cc: NETCONF
  Sent: Friday, February 19, 2010 8:37 PM
  Subject: Re: [Netconf] NETCONF replace operation


  Phil Shafer wrote:
  > Andy Bierman writes:
  >> We should learn from VACM and move on.
  >
  > IMHO we should learn this isn't a problem we will solve in the next
  > little while and our efforts will be better spent on other issues
  > where we can bear fruit that people will need and use.
  >

  If NETCONF is going to be a real replacement/supplement to CLI
  then it needs at least some of the ACM features used in CLI.
  Some operators use Radius and TACACS+ for CLI access control.
  Some just use 2 types of passwords -- root user and everybody else.

  IMO, we should support these CLI access control modes in NETCONF standard.


  > Thanks,
  >  Phil
  >

  Andy

------=_NextPart_000_23C3_01CAB282.314FB3C0
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META name=3DGENERATOR content=3D"MSHTML 8.00.6001.18882">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><BR></DIV>
<DIV><FONT size=3D2>I have learned from VACM two things:</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>- We should not over-engineer. We did that with =
VACM. Nodbody=20
uses/wants it,</FONT></DIV>
<DIV><FONT size=3D2>&nbsp; It was mainly a theorethical =
exercise.</FONT></DIV>
<DIV><FONT size=3D2>- Even though VACM can be configerd in a simple way =
(like just=20
read and write acces),</FONT></DIV>
<DIV><FONT size=3D2>&nbsp; it is not being used in a simple way... =
mostly (I=20
think) because we overengineered it and</FONT></DIV>
<DIV><FONT size=3D2>&nbsp; so it looks/feels compliated to do even the =
simple=20
thing.</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>my 2 cents,</FONT></DIV>
<DIV><FONT size=3D2>Bert</FONT></DIV>
<BLOCKQUOTE=20
style=3D"BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; =
PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
  <DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV>
  <DIV=20
  style=3D"FONT: 10pt arial; BACKGROUND: #e4e4e4; font-color: =
black"><B>From:</B>=20
  <A title=3Dandyb@iwl.com href=3D"mailto:andyb@iwl.com">Andy =
Bierman</A> </DIV>
  <DIV style=3D"FONT: 10pt arial"><B>To:</B> <A title=3Dphil@juniper.net =

  href=3D"mailto:phil@juniper.net">Phil Shafer</A> </DIV>
  <DIV style=3D"FONT: 10pt arial"><B>Cc:</B> <A title=3Dnetconf@ietf.org =

  href=3D"mailto:netconf@ietf.org">NETCONF</A> </DIV>
  <DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Friday, February 19, 2010 =
8:37=20
  PM</DIV>
  <DIV style=3D"FONT: 10pt arial"><B>Subject:</B> Re: [Netconf] NETCONF =
replace=20
  operation</DIV>
  <DIV><BR></DIV>Phil Shafer wrote:<BR>&gt; Andy Bierman =
writes:<BR>&gt;&gt; We=20
  should learn from VACM and move on.<BR>&gt; <BR>&gt; IMHO we should =
learn this=20
  isn't a problem we will solve in the next<BR>&gt; little while and our =
efforts=20
  will be better spent on other issues<BR>&gt; where we can bear fruit =
that=20
  people will need and use.<BR>&gt; <BR><BR>If NETCONF is going to be a =
real=20
  replacement/supplement to CLI<BR>then it needs at least some of the =
ACM=20
  features used in CLI.<BR>Some operators use Radius and TACACS+ for CLI =
access=20
  control.<BR>Some just use 2 types of passwords -- root user and =
everybody=20
  else.<BR><BR>IMO, we should support these CLI access control modes in =
NETCONF=20
  standard.<BR><BR><BR>&gt; Thanks,<BR>&gt;&nbsp; Phil<BR>&gt;=20
  =
<BR><BR>Andy<BR>_______________________________________________<BR>Netcon=
f=20
  mailing list<BR><A =
href=3D"mailto:Netconf@ietf.org">Netconf@ietf.org</A><BR><A=20
  =
href=3D"https://www.ietf.org/mailman/listinfo/netconf">https://www.ietf.o=
rg/mailman/listinfo/netconf</A><BR>
  <P>
  <HR>

  <P></P></BLOCKQUOTE></BODY></HTML>

------=_NextPart_000_23C3_01CAB282.314FB3C0--


From dromasca@avaya.com  Sun Feb 21 01:56:36 2010
Return-Path: <dromasca@avaya.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 824753A7CFB for <netconf@core3.amsl.com>; Sun, 21 Feb 2010 01:56:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.53
X-Spam-Level: 
X-Spam-Status: No, score=-2.53 tagged_above=-999 required=5 tests=[AWL=0.069,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N73BeuTWRQNX for <netconf@core3.amsl.com>; Sun, 21 Feb 2010 01:56:35 -0800 (PST)
Received: from p-us1-iereast-outbound-tmp.us1.avaya.com (nj300815-nj-outbound.net.avaya.com [135.11.29.16]) by core3.amsl.com (Postfix) with ESMTP id 21FE83A7CD2 for <netconf@ietf.org>; Sun, 21 Feb 2010 01:56:34 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.49,511,1262581200";  d="scan'208";a="4563184"
Received: from unknown (HELO co300216-co-erhwest.avaya.com) ([198.152.7.5]) by p-us1-iereast-outbound-tmp.us1.avaya.com with ESMTP; 21 Feb 2010 04:58:28 -0500
X-IronPort-AV: E=Sophos;i="4.49,511,1262581200"; d="scan'208";a="448054805"
Received: from unknown (HELO 307622ANEX5.global.avaya.com) ([135.64.140.15]) by co300216-co-erhwest-out.avaya.com with ESMTP; 21 Feb 2010 04:58:27 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Sun, 21 Feb 2010 10:58:11 +0100
Message-ID: <EDC652A26FB23C4EB6384A4584434A0401F49C01@307622ANEX5.global.avaya.com>
In-Reply-To: <003f01cab1c5$91131120$6801a8c0@oemcomputer>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: [Netconf] NETCONF replace operation
Thread-Index: AcqxxOzXnGJLQWYpTbiBjA1TYnubjQBFoHGw
References: <81C2B03F5F0343E0B8817BEEA3401E9A@BertLaptop> <003f01cab1c5$91131120$6801a8c0@oemcomputer>
From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
To: "Randy Presuhn" <randy_presuhn@mindspring.com>, "NETCONF" <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Feb 2010 09:56:36 -0000

I agree with Randy and Bert. I would add that the principal problem with
VACM was that the document or documents that describe it did not do a
good enough job in explaining how VACM is to be used in the simpler and
most common use cases, and what the complexity added for the special
cases brings and why it is special. I hope that we can learn and avoid
such mistakes with NETCONF access control.

Dan
(speaking as contributor)

> -----Original Message-----
> From: netconf-bounces@ietf.org
> [mailto:netconf-bounces@ietf.org] On Behalf Of Randy Presuhn
> Sent: Saturday, February 20, 2010 2:42 AM
> To: NETCONF
> Subject: Re: [Netconf] NETCONF replace operation
>
> Hi -
>
> I think the "overengineered" aspects of VACM really have
> nothing at all to do with formulating access control policy,
> but were instead thought (at least by their proponents) to be
> ways to make things "easier" or "more efficient" for
> particular use cases.  But they just get in the way of
> understanding the normal cases.  Two specific examples:
>   - "prefix matching" for contexts
>   - the vacmViewTreeFamilyMask
>
> Both of these can dramatically reduce the number of entries
> needed for complex policies, and the size of policies was a
> big concern when VACM was developed.  The flip side is that
> these two features both make the MIB harder to understand,
> and require substantial intelligence on the part of the
> security administrator application to put to optimal use.
> Configuring these by hand is madness, but that appears to be
> what at least some folks still try to do.
>
> The lesson, I think, is that NETCONF should be explicit in
> its expectations regarding how access control policy
> configurations will be created and administered.
>
> Randy
>
> ----- Original Message -----
> From: "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
> To: "Phil Shafer" <phil@juniper.net>; "Andy Bierman" <andyb@iwl.com>
> Cc: "NETCONF" <netconf@ietf.org>
> Sent: Friday, February 19, 2010 3:00 PM
> Subject: Re: [Netconf] NETCONF replace operation
>
>
> I have learned from VACM two things:
>
> - We should not over-engineer. We did that with VACM. Nobody
> uses/wants it,
>   It was mainly a theoretical exercise.
> - Even though VACM can be configured in a simple way (like
> just read and write access),
>   it is not being used in a simple way... mostly (I think)
> because we overengineered it and
>   so it looks/feels complicated to do even the simple thing.
>
> my 2 cents,
> Bert
>   ----- Original Message -----
>   From: Andy Bierman
>   To: Phil Shafer
>   Cc: NETCONF
>   Sent: Friday, February 19, 2010 8:37 PM
>   Subject: Re: [Netconf] NETCONF replace operation
>
>
>   Phil Shafer wrote:
>   > Andy Bierman writes:
>   >> We should learn from VACM and move on.
>   >
>   > IMHO we should learn this isn't a problem we will solve
> in the next
>   > little while and our efforts will be better spent on other issues
>   > where we can bear fruit that people will need and use.
>   >
>
>   If NETCONF is going to be a real replacement/supplement to CLI
>   then it needs at least some of the ACM features used in CLI.
>   Some operators use Radius and TACACS+ for CLI access control.
>   Some just use 2 types of passwords -- root user and everybody else.
>
>   IMO, we should support these CLI access control modes in
> NETCONF standard.
>
>
>   > Thanks,
>   >  Phil
>   >
>
>   Andy

From mehmet.ersue@nsn.com  Sun Feb 21 06:35:28 2010
Return-Path: <mehmet.ersue@nsn.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7A97028C1DA for <netconf@core3.amsl.com>; Sun, 21 Feb 2010 06:35:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.367
X-Spam-Level: 
X-Spam-Status: No, score=-2.367 tagged_above=-999 required=5 tests=[AWL=0.232,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id axFFuhlVShMa for <netconf@core3.amsl.com>; Sun, 21 Feb 2010 06:35:27 -0800 (PST)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by core3.amsl.com (Postfix) with ESMTP id 6B46628C1D8 for <netconf@ietf.org>; Sun, 21 Feb 2010 06:35:26 -0800 (PST)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id o1LEbItZ025232 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sun, 21 Feb 2010 15:37:18 +0100
Received: from demuexc023.nsn-intra.net (demuexc023.nsn-intra.net [10.150.128.36]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id o1LEbHPU001119; Sun, 21 Feb 2010 15:37:18 +0100
Received: from DEMUEXC006.nsn-intra.net ([10.150.128.18]) by demuexc023.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.3959);  Sun, 21 Feb 2010 15:37:17 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Sun, 21 Feb 2010 15:37:16 +0100
Message-ID: <80A0822C5E9A4440A5117C2F4CD36A644D7846@DEMUEXC006.nsn-intra.net>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Entry for Netconf in IetfOperations
Thread-Index: AcquV5D3XQbO80CBQjOERom03sR5/ABn3xWA
From: "Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com>
To: <netconf@ietf.org>
X-OriginalArrivalTime: 21 Feb 2010 14:37:17.0830 (UTC) FILETIME=[5E16B260:01CAB303]
Subject: [Netconf] Entry for Netconf in IetfOperations
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Feb 2010 14:35:28 -0000

Hi All,

I think we should discuss shortly before we change
the entry for NETCONF on IetfOutcomes page
(at http://trac.tools.ietf.org/misc/outcomes/wiki/IetfOperations).
Any opinions?

Mehmet


IETF Origin: No

Years to Develop: 3 years (from 2003)

Date Issued: December 2006

Adoption: 0  (outcome still pending)

Target Segment: operators, NMS vendors,
configuration management

RFCs:	4741-4744, 5277, 5539, 5717

Comments: based on JunoScript,
use of YANG as modeling language

From andyb@iwl.com  Sun Feb 21 07:47:05 2010
Return-Path: <andyb@iwl.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F329E28C11B for <netconf@core3.amsl.com>; Sun, 21 Feb 2010 07:47:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.077
X-Spam-Level: 
X-Spam-Status: No, score=-2.077 tagged_above=-999 required=5 tests=[AWL=0.188,  BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h6AOA6LaTWVk for <netconf@core3.amsl.com>; Sun, 21 Feb 2010 07:47:04 -0800 (PST)
Received: from smtp134.dfw.emailsrvr.com (smtp134.dfw.emailsrvr.com [67.192.241.134]) by core3.amsl.com (Postfix) with ESMTP id 385783A82FA for <netconf@ietf.org>; Sun, 21 Feb 2010 07:47:04 -0800 (PST)
Received: from relay3.relay.dfw.mlsrvr.com (localhost [127.0.0.1]) by relay3.relay.dfw.mlsrvr.com (SMTP Server) with ESMTP id DE8E15D8356;  Sun, 21 Feb 2010 10:48:58 -0500 (EST)
Received: by relay3.relay.dfw.mlsrvr.com (Authenticated sender: andyb-AT-iwlcorp.com) with ESMTPSA id 92E165D8331;  Sun, 21 Feb 2010 10:48:58 -0500 (EST)
Message-ID: <4B815626.80007@iwl.com>
Date: Sun, 21 Feb 2010 07:49:58 -0800
From: Andy Bierman <andyb@iwl.com>
Organization: Interworking Labs, Inc.
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: "Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com>
References: <80A0822C5E9A4440A5117C2F4CD36A644D7846@DEMUEXC006.nsn-intra.net>
In-Reply-To: <80A0822C5E9A4440A5117C2F4CD36A644D7846@DEMUEXC006.nsn-intra.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: netconf@ietf.org
Subject: Re: [Netconf] Entry for Netconf in IetfOperations
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: andyb@iwl.com
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Feb 2010 15:47:05 -0000

Ersue, Mehmet (NSN - DE/Munich) wrote:
> Hi All,
> 
> I think we should discuss shortly before we change 
> the entry for NETCONF on IetfOutcomes page
> (at http://trac.tools.ietf.org/misc/outcomes/wiki/IetfOperations). 
> Any opinions?
> 

looks good to me; 0 == outcome still pending.

For those people looking for an almost meaningless
summary of work they know nothing about, it is just fine.


> Mehmet

Andy


> 
> IETF Origin: No		
> 
> Years to Develop: 3 years (from 2003)  
> 
> Date Issued: December 2006   
> 
> Adoption: 0  (outcome still pending)
> 
> Target Segment: operators, NMS vendors,
> configuration management
> 
> RFCs:	4741-4744, 5277, 5539, 5717	
> 
> Comments: based on JunoScript,
> use of YANG as modeling language


From calle@tail-f.com  Sun Feb 21 10:17:49 2010
Return-Path: <calle@tail-f.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5831B3A7FB0 for <netconf@core3.amsl.com>; Sun, 21 Feb 2010 10:17:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level: 
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BVq8HJC8PoSC for <netconf@core3.amsl.com>; Sun, 21 Feb 2010 10:17:48 -0800 (PST)
Received: from mail.tail-f.com (de-0316.d.ipeer.se [213.180.79.212]) by core3.amsl.com (Postfix) with ESMTP id 0ACB53A8328 for <netconf@ietf.org>; Sun, 21 Feb 2010 10:17:46 -0800 (PST)
Received: from calle-macbook.local (c83-250-192-57.bredband.comhem.se [83.250.192.57]) by mail.tail-f.com (Postfix) with ESMTPSA id 44371616002; Sun, 21 Feb 2010 19:19:41 +0100 (CET)
Message-ID: <4B81793C.8000600@tail-f.com>
Date: Sun, 21 Feb 2010 19:19:40 +0100
From: Carl Moberg <calle@tail-f.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-GB; rv:1.9.1.5) Gecko/20091121 Thunderbird/3.0
MIME-Version: 1.0
To: "Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com>
References: <80A0822C5E9A4440A5117C2F4CD36A644D7846@DEMUEXC006.nsn-intra.net>
In-Reply-To: <80A0822C5E9A4440A5117C2F4CD36A644D7846@DEMUEXC006.nsn-intra.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: netconf@ietf.org
Subject: Re: [Netconf] Entry for Netconf in IetfOperations
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Feb 2010 18:17:49 -0000

On 2010-02-21 15:37 PM, Ersue, Mehmet (NSN - DE/Munich) wrote:
>
> Hi All,
>
> I think we should discuss shortly before we change
> the entry for NETCONF on IetfOutcomes page
> (at http://trac.tools.ietf.org/misc/outcomes/wiki/IetfOperations).
> Any opinions?
>
> Mehmet
>
>
> IETF Origin: No		
>
> Years to Develop: 3 years (from 2003)
>
> Date Issued: December 2006
>
> Adoption: 0  (outcome still pending)

  Are there any guiding criteria for "gained significant usefulness"?

> Target Segment: operators, NMS vendors,
> configuration management

  And "network equipment providers".

> RFCs:	4741-4744, 5277, 5539, 5717	
>
> Comments: based on JunoScript,
> use of YANG as modeling language


From wjhns1@hardakers.net  Mon Feb 22 07:09:36 2010
Return-Path: <wjhns1@hardakers.net>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9C9A728C1F4 for <netconf@core3.amsl.com>; Mon, 22 Feb 2010 07:09:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CerP9yaM7-2h for <netconf@core3.amsl.com>; Mon, 22 Feb 2010 07:09:36 -0800 (PST)
Received: from mail.hardakers.net (hardaker-pt.tunnel.tserv1.fmt.ipv6.he.net [IPv6:2001:470:1f00:ffff::af]) by core3.amsl.com (Postfix) with ESMTP id C3D3028C1EE for <netconf@ietf.org>; Mon, 22 Feb 2010 07:09:35 -0800 (PST)
Received: from localhost (wjh.hardakers.net [10.0.0.2]) by mail.hardakers.net (Postfix) with ESMTPSA id 1F3C5997FD; Mon, 22 Feb 2010 07:11:34 -0800 (PST)
From: Wes Hardaker <wjhns1@hardakers.net>
To: andyb@iwl.com
Organization: Sparta
References: <4B760CBD.1050906@iwl.com> <sdtythknyq.fsf@wjh.hardakers.net> <4B7AED56.5030000@iwl.com> <sdocjokcn3.fsf@wjh.hardakers.net> <4B7B2DAC.6000305@iwl.com> <sdk4u9gmwj.fsf@wjh.hardakers.net> <4B7ECE0F.7030904@iwl.com>
Date: Mon, 22 Feb 2010 07:11:33 -0800
In-Reply-To: <4B7ECE0F.7030904@iwl.com> (Andy Bierman's message of "Fri, 19 Feb 2010 09:44:47 -0800")
Message-ID: <sdhbp9joey.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.22 (linux, no MULE)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Feb 2010 15:09:36 -0000

>>>>> On Fri, 19 Feb 2010 09:44:47 -0800, Andy Bierman <andyb@iwl.com> said:

AB> I disagree that it is too late to add access control to NETCONF.

You seem to be in the habit of reading a lot of things from the
statements I make.  Maybe I'm not projecting my thoughts well.  I
suspect, however, that defining access control may require protocol
modifications.
-- 
Wes Hardaker
Cobham Analytic Solutions

From wjhns1@hardakers.net  Mon Feb 22 07:17:42 2010
Return-Path: <wjhns1@hardakers.net>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2522128C1D3 for <netconf@core3.amsl.com>; Mon, 22 Feb 2010 07:17:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kuwjJeszngXu for <netconf@core3.amsl.com>; Mon, 22 Feb 2010 07:17:41 -0800 (PST)
Received: from mail.hardakers.net (hardaker-pt.tunnel.tserv1.fmt.ipv6.he.net [IPv6:2001:470:1f00:ffff::af]) by core3.amsl.com (Postfix) with ESMTP id 3E0963A83E3 for <netconf@ietf.org>; Mon, 22 Feb 2010 07:17:41 -0800 (PST)
Received: from localhost (wjh.hardakers.net [10.0.0.2]) by mail.hardakers.net (Postfix) with ESMTPSA id A26E099804; Mon, 22 Feb 2010 07:19:39 -0800 (PST)
From: Wes Hardaker <wjhns1@hardakers.net>
To: "Bert Wijnen \(IETF\)" <bertietf@bwijnen.net>
Organization: Sparta
References: <81C2B03F5F0343E0B8817BEEA3401E9A@BertLaptop>
Date: Mon, 22 Feb 2010 07:19:39 -0800
In-Reply-To: <81C2B03F5F0343E0B8817BEEA3401E9A@BertLaptop> (Bert Wijnen's message of "Sat, 20 Feb 2010 00:00:29 +0100")
Message-ID: <sdbpfhjo1g.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.22 (linux, no MULE)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Feb 2010 15:17:42 -0000

>>>>> On Sat, 20 Feb 2010 00:00:29 +0100, "Bert Wijnen (IETF)" <bertietf@bwijnen.net> said:

BW> - We should not over-engineer. We did that with VACM. Nobody uses/wants it,
BW> It was mainly a theoretical exercise.

Well, I'm not about to say that I've been happy with how the VACM is
defined, needs-to-be-implemented or needs-to-be-used.  I actually
started designing a different ACM years ago that I thought would better
meet the needs of what I found people wanted to do.

However, I will say that the comments surrounding "it has been deployed
or isn't being used" aren't anywhere near correct.  Based on the user
population I deal with, it's being used very very heavily.  And many do
use exclusion/inclusion trees to get what they want.  That being said,
they're often very confused when they start and that's definitely a problem.
-- 
Wes Hardaker
Cobham Analytic Solutions
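
[Added example, not part of the thread or of any poster's code: a sketch of the VACM view check from RFC 3415, showing how the vacmViewTreeFamilyMask mentioned by Randy and the inclusion/exclusion trees mentioned by Wes interact. The function names and the sample view (hide row 2 of ifTable) are constructed for illustration.]

```python
from itertools import product


def parse_oid(text):
    """'1.3.6.1' -> (1, 3, 6, 1)"""
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex, length):
    """One bit per sub-identifier of the subtree: 1 = must match, 0 = wildcard.
    A mask shorter than the subtree is padded with 1 bits (exact match)."""
    bits = []
    for octet in bytes.fromhex(mask_hex.replace(":", "")):
        bits.extend((octet >> shift) & 1 for shift in range(7, -1, -1))
    bits = bits[:length]
    return bits + [1] * (length - len(bits))


def family_matches(oid, subtree, mask_hex=""):
    """True if oid falls in the family defined by subtree + mask."""
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(bit == 0 or o == s for bit, o, s in zip(bits, oid, subtree))


def in_view(oid_text, entries):
    """entries: (subtree, mask_hex, 'included' | 'excluded') tuples of one view.
    The matching entry with the longest subtree decides; ties go to the
    lexicographically greatest subtree. No matching entry means no access."""
    oid = parse_oid(oid_text)
    best_key, best_type = None, None
    for subtree_text, mask_hex, family_type in entries:
        subtree = parse_oid(subtree_text)
        if not family_matches(oid, subtree, mask_hex):
            continue
        key = (len(subtree), subtree)
        if best_key is None or key > best_key:
            best_key, best_type = key, family_type
    return best_type == "included"


def expand_without_mask(subtree_text, mask_hex, wildcard_values):
    """List the unmasked subtrees one masked entry stands for, given the
    values each wildcarded position may take."""
    subtree = parse_oid(subtree_text)
    bits = mask_bits(mask_hex, len(subtree))
    wild = [i for i, bit in enumerate(bits) if bit == 0]
    expanded = []
    for combo in product(wildcard_values, repeat=len(wild)):
        sub = list(subtree)
        for position, value in zip(wild, combo):
            sub[position] = value
        expanded.append(".".join(str(n) for n in sub))
    return expanded


# Constructed sample policy: allow mib-2, but hide interface row 2.
IF_ENTRY = "1.3.6.1.2.1.2.2.1"          # ifEntry; columns are 1..22
MASKED_VIEW = [
    ("1.3.6.1.2.1", "", "included"),
    # Bit 10 of ff:a0 is 0, so the column sub-identifier is a wildcard.
    (IF_ENTRY + ".0.2", "ff:a0", "excluded"),
]
# The same policy written without a mask needs one entry per column.
EXPLICIT_VIEW = [("1.3.6.1.2.1", "", "included")] + [
    (subtree, "", "excluded")
    for subtree in expand_without_mask(IF_ENTRY + ".0.2", "ff:a0", range(1, 23))
]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0", IF_ENTRY + ".10.2",
                IF_ENTRY + ".10.3", "1.3.6.1.4.1.9"):
        print(oid, in_view(oid, MASKED_VIEW), in_view(oid, EXPLICIT_VIEW))
    print(len(MASKED_VIEW), "entries with mask,", len(EXPLICIT_VIEW), "without")
```

[The two-entry masked view and the 23-entry explicit view give the same answer for every ifTable column, which is the size saving described above; the cost is that the masked entry only makes sense once the bit positions are worked out.]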

From randy_presuhn@mindspring.com  Mon Feb 22 13:33:54 2010
Return-Path: <randy_presuhn@mindspring.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EA98728C3D4 for <netconf@core3.amsl.com>; Mon, 22 Feb 2010 13:33:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TyuQrd8q48LY for <netconf@core3.amsl.com>; Mon, 22 Feb 2010 13:33:53 -0800 (PST)
Received: from elasmtp-dupuy.atl.sa.earthlink.net (elasmtp-dupuy.atl.sa.earthlink.net [209.86.89.62]) by core3.amsl.com (Postfix) with ESMTP id BB3D428C3BE for <netconf@ietf.org>; Mon, 22 Feb 2010 13:33:53 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=mindspring.com; b=ql2TNod0HoLnV31VgYWKkLHJXA0ZjMhQITibWSFCrhIFNshXdJW2oJYA0bJJfLCN; h=Received:Message-ID:From:To:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE:X-ELNK-Trace:X-Originating-IP;
Received: from [99.30.227.0] (helo=oemcomputer) by elasmtp-dupuy.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <randy_presuhn@mindspring.com>) id 1NjfwX-00041G-DE for netconf@ietf.org; Mon, 22 Feb 2010 16:35:53 -0500
Message-ID: <002d01cab407$af86d3a0$6801a8c0@oemcomputer>
From: "Randy Presuhn" <randy_presuhn@mindspring.com>
To: <netconf@ietf.org>
Date: Mon, 22 Feb 2010 13:40:42 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1478
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
X-ELNK-Trace: 4488c18417c9426da92b9037bc8bcf44d4c20f6b8d69d888494b88d665f13b4011a3fad2dd1641ed8219249e5a6cca62350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 99.30.227.0
Subject: [Netconf] Fw: Announcing Clouds bar BoF during IETF-77 (March, 2010, Anaheim, CA)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Feb 2010 21:33:55 -0000

Hi -

Does anyone think that Netconf would find use in this, or is
the thinking still that Netconf's usage would be limited to
routers, bridges, and the like?

If the NIST definition is correct, then the supporting  access
control model(s) would need to be rather expressive.

Randy

> From: "Dave CROCKER" <dhc2@dcrocker.net>
> To: "Melinda Shore" <shore@arsc.edu>
> Cc: <clouds@ietf.org>; "David Chadwick" <d.w.chadwick@kent.ac.uk>; <ietf@ietf.org>
> Sent: Monday, February 22, 2010 1:08 PM
> Subject: Re: Announcing Clouds bar BoF during IETF-77 (March, 2010, Anaheim,CA)
> 
> 
> On 2/22/2010 12:59 PM, Melinda Shore wrote:
> > On Feb 22, 2010, at 11:52 AM, Brian E Carpenter wrote:
> >> My thought exactly. The distinction between cloud computing and open grid
> >> computing is very small (or possibly zero)
> >
> > With all due respect, Brian, it's really not. With cloud
> > computing you're typically dealing with multitenanting issues
> > and a bunch of other layer 8-9 stuff that tends (of necessity)
> > to be reflected down the stack, and I think I can see an
> > argument for cloud computing belonging in the RAI space,
> > or at least having substantial overlap.
> 
> 
> Having recently gone through the exercise of trying to understand what these 
> different terms actually meant, I discovered that the underlying problem is that 
> you are both right, as are a variety of other people who have other views...
> 
> As already noted, the term 'cloud' is now used in many different ways, including 
> as a synonym for 'network' and for 'Internet', even amongst technical folk. 
> (Really.)
> 
> There are some people who have very specific and nuanced technical definitions, 
> including distinguishing cloud from grid.  But no set of definitions seems to 
> have a broad base of support.
> 
> For defining 'cloud', one group I'm participating in decided it was happy with 
> the NIST language:
> 
>     <http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc>
...


From andyb@iwl.com  Mon Feb 22 19:43:57 2010
Return-Path: <andyb@iwl.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6A36D28C511 for <netconf@core3.amsl.com>; Mon, 22 Feb 2010 19:43:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level: 
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[AWL=0.177,  BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pBkNRFBwnEqy for <netconf@core3.amsl.com>; Mon, 22 Feb 2010 19:43:56 -0800 (PST)
Received: from smtp144.dfw.emailsrvr.com (smtp144.dfw.emailsrvr.com [67.192.241.144]) by core3.amsl.com (Postfix) with ESMTP id B114828C510 for <netconf@ietf.org>; Mon, 22 Feb 2010 19:43:56 -0800 (PST)
Received: from relay4.relay.dfw.mlsrvr.com (localhost [127.0.0.1]) by relay4.relay.dfw.mlsrvr.com (SMTP Server) with ESMTP id 394AD10CC0E1; Mon, 22 Feb 2010 22:45:57 -0500 (EST)
Received: by relay4.relay.dfw.mlsrvr.com (Authenticated sender: andyb-AT-iwlcorp.com) with ESMTPSA id 0144110CC05F;  Mon, 22 Feb 2010 22:45:56 -0500 (EST)
Message-ID: <4B834F74.40005@iwl.com>
Date: Mon, 22 Feb 2010 19:45:56 -0800
From: Andy Bierman <andyb@iwl.com>
Organization: Interworking Labs, Inc.
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Randy Presuhn <randy_presuhn@mindspring.com>
References: <002d01cab407$af86d3a0$6801a8c0@oemcomputer>
In-Reply-To: <002d01cab407$af86d3a0$6801a8c0@oemcomputer>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: netconf@ietf.org
Subject: Re: [Netconf] Fw: Announcing Clouds bar BoF during IETF-77 (March, 2010, Anaheim, CA)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: andyb@iwl.com
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2010 03:43:57 -0000

Randy Presuhn wrote:
> Hi -
> 
> Does anyone think that Netconf would find use in this, or is
> the thinking still that Netconf's usage would be limited to
> routers, bridges, and the like?
> 

I'll bite -- and recycle some electrons...

When I first brought up the idea that unix .conf files might
be applicable to NETCONF, I was laughed out of
the room.  We didn't have YANG then.

The real issue isn't NETCONF, but rather NETCONF/YANG.

Any idiot can design an XML protocol to ask a structured
question and get a structured response.  The interesting
question is "Do you have an expressive schema language
for all possible content that allows the protocol work
to be automated, and all configuration files to be validated off-line?"

That extra layer of abstraction -- the use
of any formal data modeling language at all,
seems to be the part that is completely lacking
in most 1-off solutions.

The favored design seems to be to use an example
configuration file with comments in it instead.
There is only 1 protocol operation to consider (load config).

At some point in the future, when YANG is finally published,
NETCONF might be of interest outside the NM area, but probably
not until then.

> If the NIST definition is correct, then the supporting  access
> control model(s) would need to be rather expressive.
> 

I wish them good luck with that.
Ignore the KISS Principle at your own risk. ;-)


> Randy
> 


Andy

From calle@tail-f.com  Mon Feb 22 22:13:22 2010
Return-Path: <calle@tail-f.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D06AF3A8445 for <netconf@core3.amsl.com>; Mon, 22 Feb 2010 22:13:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level: 
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kIt3TY-j7lFo for <netconf@core3.amsl.com>; Mon, 22 Feb 2010 22:13:20 -0800 (PST)
Received: from mail.tail-f.com (de-0316.d.ipeer.se [213.180.79.212]) by core3.amsl.com (Postfix) with ESMTP id 3F2513A843A for <netconf@ietf.org>; Mon, 22 Feb 2010 22:13:19 -0800 (PST)
Received: from calle-macbook.local (c83-250-192-57.bredband.comhem.se [83.250.192.57]) by mail.tail-f.com (Postfix) with ESMTPSA id 6B1BF616005; Tue, 23 Feb 2010 07:15:19 +0100 (CET)
Message-ID: <4B837276.7040301@tail-f.com>
Date: Tue, 23 Feb 2010 07:15:18 +0100
From: Carl Moberg <calle@tail-f.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-GB; rv:1.9.1.5) Gecko/20091121 Thunderbird/3.0
MIME-Version: 1.0
To: Randy Presuhn <randy_presuhn@mindspring.com>
References: <002d01cab407$af86d3a0$6801a8c0@oemcomputer>
In-Reply-To: <002d01cab407$af86d3a0$6801a8c0@oemcomputer>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: netconf@ietf.org
Subject: Re: [Netconf] Fw: Announcing Clouds bar BoF during IETF-77 (March, 2010, Anaheim, CA)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2010 06:13:22 -0000

Randy,

We have experiences with real applications of NETCONF outside the realm
of network elements.

The various management activities I've seen for "the cloud" (both
internal to vendors and in emerging standard activities) seem to be
coming from the enterprise programming side and to be leaning heavily
on SOA (WSDL, SOAP) and REST technologies.

Having said that, I think there definitely is a role to play for NETCONF
for the packet/frame infrastructure of "the cloud". Many types of
provisioning scenarios include making fairly complex changes to the
configuration state of N network boxes (where N > 2). This is an area
where NETCONF shines with its formal modeling language, and validation
and transaction components.

On 2010-02-22 22:40 PM, Randy Presuhn wrote:
> Hi -
>
> Does anyone think that Netconf would find use in this, or is
> the thinking still that Netconf's usage would be limited to
> routers, bridges, and the like?
>
> If the NIST definition is correct, then the supporting  access
> control model(s) would need to be rather expressive.
>
> Randy
>
>> From: "Dave CROCKER"<dhc2@dcrocker.net>
>> To: "Melinda Shore"<shore@arsc.edu>
>> Cc:<clouds@ietf.org>; "David Chadwick"<d.w.chadwick@kent.ac.uk>;<ietf@ietf.org>
>> Sent: Monday, February 22, 2010 1:08 PM
>> Subject: Re: Announcing Clouds bar BoF during IETF-77 (March, 2010, Anaheim,CA)
>>
>>
>> On 2/22/2010 12:59 PM, Melinda Shore wrote:
>>> On Feb 22, 2010, at 11:52 AM, Brian E Carpenter wrote:
>>>> My thought exactly. The distinction between cloud computing and open grid
>>>> computing is very small (or possibly zero)
>>>
>>> With all due respect, Brian, it's really not. With cloud
>>> computing you're typically dealing with multitenanting issues
>>> and a bunch of other layer 8-9 stuff that tends (of necessity)
>>> to be reflected down the stack, and I think I can see an
>>> argument for cloud computing belonging in the RAI space,
>>> or at least having substantial overlap.
>>
>>
>> Having recently gone through the exercise of trying to understand what these
>> different terms actually meant, I discovered that the underlying problem is that
>> you are both right, as are a variety of other people who have other views...
>>
>> As already noted, the term 'cloud' is now used in many different ways, including
>> as a synonym for 'network' and for 'Internet', even amongst technical folk.
>> (Really.)
>>
>> There are some people who have very specific and nuanced technical definitions,
>> including distinguishing cloud from grid.  But no set of definitions seems to
>> have a broad base of support.
>>
>> For defining 'cloud', one group I'm participating in decided it was happy with
>> the NIST language:
>>
>>      <http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc>
> ...


From andyb@iwl.com  Mon Feb 22 22:35:41 2010
Return-Path: <andyb@iwl.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1E74F3A844E for <netconf@core3.amsl.com>; Mon, 22 Feb 2010 22:35:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3i9-YY+KzzPN for <netconf@core3.amsl.com>; Mon, 22 Feb 2010 22:35:40 -0800 (PST)
Received: from smtp244.iad.emailsrvr.com (smtp244.iad.emailsrvr.com [207.97.245.244]) by core3.amsl.com (Postfix) with ESMTP id 821FE3A73B2 for <netconf@ietf.org>; Mon, 22 Feb 2010 22:35:39 -0800 (PST)
Received: from relay14.relay.iad.mlsrvr.com (localhost [127.0.0.1]) by relay14.relay.iad.mlsrvr.com (SMTP Server) with ESMTP id B506E23A7FA for <netconf@ietf.org>; Tue, 23 Feb 2010 01:37:40 -0500 (EST)
Received: by relay14.relay.iad.mlsrvr.com (Authenticated sender: andyb-AT-iwlcorp.com) with ESMTPSA id 6C30023A7E4 for <netconf@ietf.org>; Tue, 23 Feb 2010 01:37:40 -0500 (EST)
Message-ID: <4B8377B5.2060704@iwl.com>
Date: Mon, 22 Feb 2010 22:37:41 -0800
From: Andy Bierman <andyb@iwl.com>
Organization: Interworking Labs, Inc.
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: NETCONF <netconf@ietf.org>
Content-Type: multipart/mixed; boundary="------------080308040800060305050109"
Subject: [Netconf] [Fwd: I-D Action:draft-bierman-netconf-access-control-00.txt]
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: andyb@iwl.com
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2010 06:35:41 -0000

This is a multi-part message in MIME format.
--------------080308040800060305050109
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Hi,

I would like some time at the IETF #77 NETCONF meeting
to discuss this draft and NETCONF access control in general.
That is, if there is time at the end of the meeting,
after all the chartered work items have been discussed.


thanks,
Andy



--------------080308040800060305050109
Content-Type: message/rfc822;
 name="I-D Action:draft-bierman-netconf-access-control-00.txt.eml"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename*0="I-D Action:draft-bierman-netconf-access-control-00.txt.eml"

X-Account-Key: account8
X-Mozilla-Keys: 
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	www.netconfcentral.com
X-Spam-Level: 
X-Spam-Status: No, score=-0.6 required=5.0 tests=FH_DATE_PAST_20XX,
	RCVD_IN_DNSWL_MED autolearn=failed version=3.2.5
Delivered-To: andy@netconfcentral.com
Return-Path: <i-d-announce-bounces@ietf.org>
Received: from mail.ietf.org (mail.ietf.org [::ffff:64.170.98.32])
  by www.netconfcentral.org with esmtp; Mon, 22 Feb 2010 22:40:00 -0800
  id 00170590.4B837840.00000A4A
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 5E48228C405;
	Mon, 22 Feb 2010 22:30:32 -0800 (PST)
X-Original-To: i-d-announce@ietf.org
Delivered-To: i-d-announce@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0)
	id D15213A73B2; Mon, 22 Feb 2010 22:30:08 -0800 (PST)
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Subject: I-D Action:draft-bierman-netconf-access-control-00.txt 
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=_www.netconfcentral.com-2634-1266907200-0001-2"
Message-Id: <20100223063008.D15213A73B2@core3.amsl.com>
Date: Mon, 22 Feb 2010 22:30:08 -0800 (PST)
X-BeenThere: i-d-announce@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: internet-drafts@ietf.org
List-Id: Internet Draft Announcements only <i-d-announce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/i-d-announce>,
	<mailto:i-d-announce-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/i-d-announce>
List-Post: <mailto:i-d-announce@ietf.org>
List-Help: <mailto:i-d-announce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i-d-announce>,
	<mailto:i-d-announce-request@ietf.org?subject=subscribe>
Sender: i-d-announce-bounces@ietf.org
Errors-To: i-d-announce-bounces@ietf.org

This is a MIME-formatted message.  If you see this text it means that your
E-mail software does not support MIME-formatted messages.

--=_www.netconfcentral.com-2634-1266907200-0001-2
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title           : Network Configuration Protocol Access Control Model
	Author(s)       : A. Bierman
	Filename        : draft-bierman-netconf-access-control-00.txt
	Pages           : 46
	Date            : 2010-02-22

The standardization of network configuration interfaces for use with
the NETCONF protocol requires a structured and secure operating
environment, which promotes human usability and multi-vendor
interoperability.  There is a need for standard mechanisms to
restrict NETCONF protocol access for particular users to a pre-
configured subset of all available NETCONF operations and content.
This document discusses requirements for a suitable access control
model, and provides one solution which meets these requirements.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-bierman-netconf-access-control-00.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--=_www.netconfcentral.com-2634-1266907200-0001-2
Content-Type: message/external-body; name="draft-bierman-netconf-access-control-00.txt"; site="ftp.ietf.org"; access-type=anon-ftp; directory=internet-drafts
Content-Transfer-Encoding: 7bit

Content-Type: text/plain
Content-ID: <2010-02-22222713.I-D@ietf.org>


--=_www.netconfcentral.com-2634-1266907200-0001-2--


--------------080308040800060305050109--

From randy_presuhn@mindspring.com  Mon Feb 22 23:15:52 2010
Return-Path: <randy_presuhn@mindspring.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5E31D28C193 for <netconf@core3.amsl.com>; Mon, 22 Feb 2010 23:15:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id miQF8kiM6L40 for <netconf@core3.amsl.com>; Mon, 22 Feb 2010 23:15:51 -0800 (PST)
Received: from elasmtp-mealy.atl.sa.earthlink.net (elasmtp-mealy.atl.sa.earthlink.net [209.86.89.69]) by core3.amsl.com (Postfix) with ESMTP id 20C573A70FC for <netconf@ietf.org>; Mon, 22 Feb 2010 23:15:51 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=mindspring.com; b=ZwdN6XStiifJOH7lGNnFoITPViEYoR838Xe5IIH3RGNAgLvATevf9toZpYEskGwE; h=Received:Message-ID:From:To:References:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE:X-ELNK-Trace:X-Originating-IP;
Received: from [99.30.227.0] (helo=oemcomputer) by elasmtp-mealy.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <randy_presuhn@mindspring.com>) id 1Njp1k-0006eJ-8n for netconf@ietf.org; Tue, 23 Feb 2010 02:17:52 -0500
Message-ID: <002e01cab458$f9f3b2e0$6801a8c0@oemcomputer>
From: "Randy Presuhn" <randy_presuhn@mindspring.com>
To: <netconf@ietf.org>
References: <002d01cab407$af86d3a0$6801a8c0@oemcomputer> <4B837276.7040301@tail-f.com>
Date: Mon, 22 Feb 2010 23:22:36 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1478
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
X-ELNK-Trace: 4488c18417c9426da92b9037bc8bcf44d4c20f6b8d69d888494b88d665f13b4016d49f4c0ea39dc37fd6f0c4e4c6f2b4350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 99.30.227.0
Subject: Re: [Netconf] Fw: Announcing Clouds bar BoF during IETF-77 (March, 2010, Anaheim, CA)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2010 07:15:52 -0000

Hi -

> From: "Carl Moberg" <calle@tail-f.com>
> To: "Randy Presuhn" <randy_presuhn@mindspring.com>
> Cc: <netconf@ietf.org>
> Sent: Monday, February 22, 2010 10:15 PM
> Subject: Re: [Netconf] Fw: Announcing Clouds bar BoF during IETF-77 (March, 2010, Anaheim, CA)
...
> We have experiences with real applications of NETCONF outside the realm
> of network elements.
> 
> The various management activities I've seen for "the cloud" (both
> internal to vendors and in emerging standard activities) seem to be
> coming from the enterprise programming side and to be leaning heavily
> on SOA (WSDL, SOAP) and REST technologies.
> 
> Having said that, I think there definitely is a role to play for NETCONF
> for the packet/frame infrastructure of "the cloud". Many types of
> provisioning scenarios include making fairly complex changes to the
> configuration state of N network boxes (where N > 2). This is an area
> where NETCONF shines with its formal modeling language, and validation
> and transaction components.
...

Care to share any "lessons learned" with access control models to support
this environment?  I think it would be helpful to have both minimum requirements,
as well as cases of "we thought we'd need such-and-such, but it turned out
to be overkill."

Randy


From bwijnen@bwijnen.net  Fri Feb 19 14:55:34 2010
Return-Path: <bwijnen@bwijnen.net>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9639628C186 for <netconf@core3.amsl.com>; Fri, 19 Feb 2010 14:55:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.765
X-Spam-Level: 
X-Spam-Status: No, score=0.765 tagged_above=-999 required=5 tests=[AWL=1.207,  BAYES_00=-2.599, HELO_MISMATCH_NET=0.611, HOST_EQ_NL=1.545, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mAdPYsdATKdh for <netconf@core3.amsl.com>; Fri, 19 Feb 2010 14:55:33 -0800 (PST)
Received: from relay.versatel.net (relay56.tele2.vuurwerk.nl [62.250.3.56]) by core3.amsl.com (Postfix) with ESMTP id 1805828B23E for <netconf@ietf.org>; Fri, 19 Feb 2010 14:55:32 -0800 (PST)
Received: from [87.215.199.34] (helo=BertLaptop) by relay.versatel.net with smtp (Exim 4.69) (envelope-from <bwijnen@bwijnen.net>) id 1Nibmf-0006vv-JT; Fri, 19 Feb 2010 23:57:17 +0100
Message-ID: <89594085C50641C289981B27F5EF6861@BertLaptop>
From: "Bert Wijnen" <bwijnen@bwijnen.net>
To: <andyb@iwl.com>, "Phil Shafer" <phil@juniper.net>
References: <201002191909.o1JJ9wa2051930@idle.juniper.net> <4B7EE897.6000602@iwl.com>
In-Reply-To: <4B7EE897.6000602@iwl.com>
Date: Fri, 19 Feb 2010 23:55:03 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_2150_01CAB1BE.F4659100"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6002.18005
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6002.18005
X-Mailman-Approved-At: Tue, 23 Feb 2010 08:08:54 -0800
Cc: NETCONF <netconf@ietf.org>
Subject: Re: [Netconf] NETCONF replace operation
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2010 22:55:34 -0000

This is a multi-part message in MIME format.

------=_NextPart_000_2150_01CAB1BE.F4659100
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I have learned from VACM two things:

- We should not over-engineer. We did that with VACM. Nobody uses/wants it.
  It was mainly a theoretical exercise.
- Even though VACM can be configured in a simple way (like just read and write access),
  it is not being used in a simple way... mostly (I think) because we overengineered it and
  so it looks/feels complicated to do even the simple thing.

my 2 cents,
Bert
  ----- Original Message -----
  From: Andy Bierman
  To: Phil Shafer
  Cc: NETCONF
  Sent: Friday, February 19, 2010 8:37 PM
  Subject: Re: [Netconf] NETCONF replace operation


  Phil Shafer wrote:
  > Andy Bierman writes:
  >> We should learn from VACM and move on.
  >
  > IMHO we should learn this isn't a problem we will solve in the next
  > little while and our efforts will be better spent on other issues
  > where we can bear fruit that people will need and use.
  >

  If NETCONF is going to be a real replacement/supplement to CLI
  then it needs at least some of the ACM features used in CLI.
  Some operators use Radius and TACACS+ for CLI access control.
  Some just use 2 types of passwords -- root user and everybody else.

  IMO, we should support these CLI access control modes in NETCONF standard.


  > Thanks,
  >  Phil
  >

  Andy

------=_NextPart_000_2150_01CAB1BE.F4659100--


From root@core3.amsl.com  Tue Feb 23 12:15:01 2010
Return-Path: <root@core3.amsl.com>
X-Original-To: netconf@ietf.org
Delivered-To: netconf@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id D834B28C103; Tue, 23 Feb 2010 12:15:01 -0800 (PST)
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20100223201501.D834B28C103@core3.amsl.com>
Date: Tue, 23 Feb 2010 12:15:01 -0800 (PST)
Cc: netconf@ietf.org
Subject: [Netconf] I-D Action:draft-ietf-netconf-monitoring-12.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2010 20:15:02 -0000

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Network Configuration Working Group of the IETF.


	Title           : YANG Module for NETCONF Monitoring
	Author(s)       : M. Scott, M. Bjorklund
	Filename        : draft-ietf-netconf-monitoring-12.txt
	Pages           : 38
	Date            : 2010-02-23

This document defines a NETCONF data model to be used to monitor the
NETCONF protocol.  The monitoring data model includes information
about NETCONF datastores, sessions, locks and statistics.  This data
facilitates the management of a NETCONF server.  This document also
defines methods for NETCONF clients to discover data models supported
by a NETCONF server and defines a new NETCONF <get-schema> operation
to retrieve them.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-netconf-monitoring-12.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Message/External-body;
	name="draft-ietf-netconf-monitoring-12.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID: <2010-02-23121052.I-D@ietf.org>


--NextPart--

From mehmet.ersue@nsn.com  Tue Feb 23 12:49:54 2010
Return-Path: <mehmet.ersue@nsn.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 24B6A28C0DE for <netconf@core3.amsl.com>; Tue, 23 Feb 2010 12:49:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.413
X-Spam-Level: 
X-Spam-Status: No, score=-2.413 tagged_above=-999 required=5 tests=[AWL=0.186,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EfgCdHQQgDhj for <netconf@core3.amsl.com>; Tue, 23 Feb 2010 12:49:53 -0800 (PST)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by core3.amsl.com (Postfix) with ESMTP id 9DBCE3A8458 for <netconf@ietf.org>; Tue, 23 Feb 2010 12:49:52 -0800 (PST)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id o1NKpr70023052 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 23 Feb 2010 21:51:53 +0100
Received: from demuexc024.nsn-intra.net (demuexc024.nsn-intra.net [10.159.32.11]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id o1NKprhb032526; Tue, 23 Feb 2010 21:51:53 +0100
Received: from DEMUEXC006.nsn-intra.net ([10.150.128.18]) by demuexc024.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.3959);  Tue, 23 Feb 2010 21:51:52 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 23 Feb 2010 21:51:52 +0100
Message-ID: <80A0822C5E9A4440A5117C2F4CD36A6450AC73@DEMUEXC006.nsn-intra.net>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: The Term Schema WAS:FW: [Netconf] I-D Action:draft-ietf-netconf-monitoring-12.txt
Thread-Index: Acq0xXDjkBonyElfTrKvSkB3belU4QAAliMA
From: "Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com>
To: <netconf@ietf.org>
X-OriginalArrivalTime: 23 Feb 2010 20:51:52.0707 (UTC) FILETIME=[06FC4530:01CAB4CA]
Subject: [Netconf] The Term Schema WAS:FW: I-D Action:draft-ietf-netconf-monitoring-12.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2010 20:49:54 -0000

Hi All,

just before we go to AD review there is one issue we
should clarify and get the WG consensus.

-> Where is the correct place to define the term "schema"?

Originally we had this in the Monitoring draft.
Based on Juergen's proposal to do it in YANG, Mark deleted it
in the Monitoring draft.

The new proposal is to define it in 4741bis since it is
a basic term, which can be used in different NETCONF-related
documents. I as a contributor support if it is done in 4741bis.

Please state your opinion by choosing one of the options
by Feb 26 EOB PT.

Mehmet


-----Original Message-----
From: netconf-bounces@ietf.org [mailto:netconf-bounces@ietf.org] On
Behalf Of ext Internet-Drafts@ietf.org
Sent: Tuesday, February 23, 2010 9:15 PM
To: i-d-announce@ietf.org
Cc: netconf@ietf.org
Subject: [Netconf] I-D Action:draft-ietf-netconf-monitoring-12.txt


From bertietf@bwijnen.net  Tue Feb 23 13:08:55 2010
Return-Path: <bertietf@bwijnen.net>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AE7063A84FE for <netconf@core3.amsl.com>; Tue, 23 Feb 2010 13:08:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.115
X-Spam-Level: 
X-Spam-Status: No, score=-0.115 tagged_above=-999 required=5 tests=[AWL=0.327,  BAYES_00=-2.599, HELO_MISMATCH_NET=0.611, HOST_EQ_NL=1.545, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lqdS5Nz5SVpA for <netconf@core3.amsl.com>; Tue, 23 Feb 2010 13:08:54 -0800 (PST)
Received: from relay.versatel.net (relay56.tele2.vuurwerk.nl [62.250.3.56]) by core3.amsl.com (Postfix) with ESMTP id 510713A84FC for <netconf@ietf.org>; Tue, 23 Feb 2010 13:08:54 -0800 (PST)
Received: from [87.215.199.34] (helo=BertLaptop) by relay.versatel.net with smtp (Exim 4.69) (envelope-from <bertietf@bwijnen.net>) id 1Nk21x-0004tW-Q8; Tue, 23 Feb 2010 22:10:58 +0100
Message-ID: <986D120F986F43E882965353F0F66016@BertLaptop>
From: "Bert Wijnen \(IETF\)" <bertietf@bwijnen.net>
To: "Ersue, Mehmet \(NSN - DE/Munich\)" <mehmet.ersue@nsn.com>, <netconf@ietf.org>
References: <80A0822C5E9A4440A5117C2F4CD36A6450AC73@DEMUEXC006.nsn-intra.net>
In-Reply-To: <80A0822C5E9A4440A5117C2F4CD36A6450AC73@DEMUEXC006.nsn-intra.net>
Date: Tue, 23 Feb 2010 22:10:04 +0100
Organization: Consultant
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_2B05_01CAB4D4.F3C104A0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6002.18005
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6002.18005
Subject: Re: [Netconf] The Term Schema WAS:FW: I-D Action:draft-ietf-netconf-monitoring-12.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2010 21:08:55 -0000

This is a multi-part message in MIME format.

------=_NextPart_000_2B05_01CAB4D4.F3C104A0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I am fine with describing Schema in RFC4741bis

Bert
  ----- Original Message -----
  From: Ersue, Mehmet (NSN - DE/Munich)
  To: netconf@ietf.org
  Cc: ext Bert (IETF) Wijnen
  Sent: Tuesday, February 23, 2010 9:51 PM
  Subject: The Term Schema WAS:FW: [Netconf] I-D Action:draft-ietf-netconf-monitoring-12.txt



  Hi All,

  just before we go to AD review there is one issue we
  should clarify and get the WG consensus.

  -> Where is the correct place to define the term "schema"?

  Originally we had this in Monitoring draft.
  Based on Juergen's proposal to do it in YANG, Mark deleted it
  in the Monitoring draft.

  The new proposal is to define it in 4741bis since it is
  a basic term, which can be used in different NETCONF-related
  documents. I as a contributor support if it is done in 4741bis.

  Please state your opinion by choosing one of the options
  by Feb 26 EOB PT.

  Mehmet


  -----Original Message-----
  From: netconf-bounces@ietf.org [mailto:netconf-bounces@ietf.org] On
  Behalf Of ext Internet-Drafts@ietf.org
  Sent: Tuesday, February 23, 2010 9:15 PM
  To: i-d-announce@ietf.org
  Cc: netconf@ietf.org
  Subject: [Netconf] I-D Action:draft-ietf-netconf-monitoring-12.txt

  A New Internet-Draft is available from the on-line Internet-Drafts
  directories.
  This draft is a work item of the Network Configuration Working Group of
  the IETF.


  Title           : YANG Module for NETCONF Monitoring
  Author(s)       : M. Scott, M. Bjorklund
  Filename        : draft-ietf-netconf-monitoring-12.txt
  Pages           : 38
  Date            : 2010-02-23

  This document defines a NETCONF data model to be used to monitor the
  NETCONF protocol.  The monitoring data model includes information
  about NETCONF datastores, sessions, locks and statistics.  This data
  facilitates the management of a NETCONF server.  This document also
  defines methods for NETCONF clients to discover data models supported
  by a NETCONF server and defines a new NETCONF <get-schema> operation
  to retrieve them.

  A URL for this Internet-Draft is:
  http://www.ietf.org/internet-drafts/draft-ietf-netconf-monitoring-12.txt

  Internet-Drafts are also available by anonymous FTP at:
  ftp://ftp.ietf.org/internet-drafts/

  Below is the data which will enable a MIME compliant mail reader
  implementation to automatically retrieve the ASCII version of the
  Internet-Draft.



------=_NextPart_000_2B05_01CAB4D4.F3C104A0--


From mbj@tail-f.com  Tue Feb 23 13:14:36 2010
Return-Path: <mbj@tail-f.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0E5133A84F1 for <netconf@core3.amsl.com>; Tue, 23 Feb 2010 13:14:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.302
X-Spam-Level: 
X-Spam-Status: No, score=-1.302 tagged_above=-999 required=5 tests=[AWL=0.744,  BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uH3lIn067bjG for <netconf@core3.amsl.com>; Tue, 23 Feb 2010 13:14:35 -0800 (PST)
Received: from mail.tail-f.com (de-0316.d.ipeer.se [213.180.79.212]) by core3.amsl.com (Postfix) with ESMTP id BC5A63A84DA for <netconf@ietf.org>; Tue, 23 Feb 2010 13:14:34 -0800 (PST)
Received: from localhost (c213-100-167-236.swipnet.se [213.100.167.236]) by mail.tail-f.com (Postfix) with ESMTPSA id 85512616005; Tue, 23 Feb 2010 22:16:37 +0100 (CET)
Date: Tue, 23 Feb 2010 22:16:37 +0100 (CET)
Message-Id: <20100223.221637.210895985.mbj@tail-f.com>
To: bertietf@bwijnen.net
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <986D120F986F43E882965353F0F66016@BertLaptop>
References: <80A0822C5E9A4440A5117C2F4CD36A6450AC73@DEMUEXC006.nsn-intra.net> <986D120F986F43E882965353F0F66016@BertLaptop>
X-Mailer: Mew version 6.2.51 on Emacs 22.2 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netconf@ietf.org
Subject: Re: [Netconf] The Term Schema WAS:FW: I-D Action:draft-ietf-netconf-monitoring-12.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2010 21:14:36 -0000

"Bert Wijnen \(IETF\)" <bertietf@bwijnen.net> wrote:
> I am fine with describing Schema in RFC4741bis

+1


/martin

From dromasca@avaya.com  Wed Feb 24 05:37:47 2010
Return-Path: <dromasca@avaya.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6CDCD28C17E for <netconf@core3.amsl.com>; Wed, 24 Feb 2010 05:37:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.539
X-Spam-Level: 
X-Spam-Status: No, score=-2.539 tagged_above=-999 required=5 tests=[AWL=0.060,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YC4nCxnwRdi3 for <netconf@core3.amsl.com>; Wed, 24 Feb 2010 05:37:46 -0800 (PST)
Received: from de307622-de-outbound.net.avaya.com (de307622-de-outbound.net.avaya.com [198.152.71.100]) by core3.amsl.com (Postfix) with ESMTP id 0999028C154 for <netconf@ietf.org>; Wed, 24 Feb 2010 05:37:45 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.49,532,1262581200"; d="scan'208";a="177809166"
Received: from unknown (HELO co300216-co-erhwest.avaya.com) ([198.152.7.5]) by de307622-de-outbound.net.avaya.com with ESMTP; 24 Feb 2010 08:39:38 -0500
X-IronPort-AV: E=Sophos;i="4.49,532,1262581200"; d="scan'208";a="449186061"
Received: from unknown (HELO 307622ANEX5.global.avaya.com) ([135.64.140.15]) by co300216-co-erhwest-out.avaya.com with ESMTP; 24 Feb 2010 08:39:37 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 24 Feb 2010 14:39:29 +0100
Message-ID: <EDC652A26FB23C4EB6384A4584434A0401F8C595@307622ANEX5.global.avaya.com>
In-Reply-To: <20100223.221637.210895985.mbj@tail-f.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: [Netconf] The Term Schema WAS:FW: I-D Action:draft-ietf-netconf-monitoring-12.txt
Thread-Index: Acq0zX/3hcfCs27IR+2vZQuwFGCbUQAiTmjA
References: <80A0822C5E9A4440A5117C2F4CD36A6450AC73@DEMUEXC006.nsn-intra.net><986D120F986F43E882965353F0F66016@BertLaptop> <20100223.221637.210895985.mbj@tail-f.com>
From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
To: "Martin Bjorklund" <mbj@tail-f.com>, <bertietf@bwijnen.net>
Cc: netconf@ietf.org
Subject: Re: [Netconf] The Term Schema WAS:FW: I-D Action:draft-ietf-netconf-monitoring-12.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2010 13:37:47 -0000

+1

Dan
(speaking as contributor)

> -----Original Message-----
> From: netconf-bounces@ietf.org
> [mailto:netconf-bounces@ietf.org] On Behalf Of Martin Bjorklund
> Sent: Tuesday, February 23, 2010 11:17 PM
> To: bertietf@bwijnen.net
> Cc: netconf@ietf.org
> Subject: Re: [Netconf] The Term Schema WAS:FW: I-D
> Action:draft-ietf-netconf-monitoring-12.txt
>
> "Bert Wijnen \(IETF\)" <bertietf@bwijnen.net> wrote:
> > I am fine with describing Schema in RFC4741bis
>
> +1
>
>
> /martin
> _______________________________________________
> Netconf mailing list
> Netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf
>

From calle@tail-f.com  Thu Feb 25 07:28:08 2010
Return-Path: <calle@tail-f.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4B43328C338 for <netconf@core3.amsl.com>; Thu, 25 Feb 2010 07:28:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level: 
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RSNyeuYpSX35 for <netconf@core3.amsl.com>; Thu, 25 Feb 2010 07:28:07 -0800 (PST)
Received: from mail.tail-f.com (de-0316.d.ipeer.se [213.180.79.212]) by core3.amsl.com (Postfix) with ESMTP id 21BB728C332 for <netconf@ietf.org>; Thu, 25 Feb 2010 07:28:07 -0800 (PST)
Received: from [192.168.1.143] (138.162.241.83.in-addr.dgcsystems.net [83.241.162.138]) by mail.tail-f.com (Postfix) with ESMTPSA id 13D33616008; Thu, 25 Feb 2010 16:30:17 +0100 (CET)
Message-ID: <4B869784.6020103@tail-f.com>
Date: Thu, 25 Feb 2010 16:30:12 +0100
From: Carl Moberg <calle@tail-f.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-GB; rv:1.9.1.5) Gecko/20091121 Thunderbird/3.0
MIME-Version: 1.0
To: Randy Presuhn <randy_presuhn@mindspring.com>
References: <002d01cab407$af86d3a0$6801a8c0@oemcomputer>	<4B837276.7040301@tail-f.com> <002e01cab458$f9f3b2e0$6801a8c0@oemcomputer>
In-Reply-To: <002e01cab458$f9f3b2e0$6801a8c0@oemcomputer>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: netconf@ietf.org
Subject: Re: [Netconf] Fw: Announcing Clouds bar BoF during IETF-77 (March, 2010, Anaheim, CA)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2010 15:28:08 -0000

On 2010-02-23 8:22 AM, Randy Presuhn wrote:
> Hi -
>
>> From: "Carl Moberg"<calle@tail-f.com>
>> To: "Randy Presuhn"<randy_presuhn@mindspring.com>
>> Cc:<netconf@ietf.org>
>> Sent: Monday, February 22, 2010 10:15 PM
>> Subject: Re: [Netconf] Fw: Announcing Clouds bar BoF during IETF-77 (March, 2010, Anaheim, CA)
> ...
>> We have experiences with real applications of NETCONF outside the realm
>> of network elements.
>>
>> The various management activities I've seen for "the cloud" (both
>> internal to vendors and in emerging standard activities) seem to be
>> coming from the enterprise programming side and be leaning heavily
>> on SOA (WSDL, SOAP) and REST technologies.
>>
>> Having said that I think there definitely is a role to play for NETCONF
>> for the packet/frame infrastructure of "the cloud". Many types of
>> provisioning scenarios include making fairly complex changes to the
>> configuration state of N network boxes (where N > 2). This is an area
>> where NETCONF shines with its formal modeling language, and validation
>> and transaction components.
> ...
>
> Care to share any "lessons learned" with access control models to support
> this environment?  I think it would be helpful to have both minimum requirements,
> as well as cases of "we thought we'd need such-and-such, but it turned out
> to be overkill."

  My response was perhaps more to the question about experience
  with non-router/bridge experience in general than with specific
  focus on access control.

  However, my simple input on the application of NETCONF on the
  infrastructure part of "cloud" deployments (which, in my mind, is an
  operational model) is that it seems to have the same expectations on
  the network as any "service oriented" network in the service provider
  world. For example a network that provides end-customer VPNs:
   - One set of people, support systems and checklists/processes that
     work on keeping the network running smoothly and ready for service
     (IS-IS is stable, full iBGP visibility for VPLS, etc) - The NOC team
   - Another set of people, support systems and checklists that
     provisions customer-oriented "services", e.g. makes sure that all
     involved PE-routers are automatically and correctly configured
     for customer VPNs - The Service Provisioning team

  The NOC team typically and historically require full access to all
  configurables in the box and with the exception of some internal
  hierarchy (e.g. specific security clearance needed to reconfigure
  access control or standard filters) there is no strong reason to change
  this.

  The Service Provisioning team on the other hand expects the network
  to be up and stable and provisions services on the boxes through
  "APIs" (CLI-scrapers today) and has no reason to touch anything but
  the configuration parameters that are related to the provisioned
  services.

  In the cloud world, the "services" are "computational loads" and the
  big difference may be that the frequency of change can be quite high
  with the level of self-management/open APIs proposed by some of the
  participating companies.

  With this type of simple scenario I think the access control model
  can be made fairly simple (NOC->superuser, Services->Limited view
  of configurables and operations). I like what I have seen in Andy's
  draft this far (one quick glance through it) and I think it makes for
  a good starting point for the discussion.
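
The two-role split described in the message above (NOC as superuser apart from an inner clearance for access control and standard filters, Service Provisioning limited to service-related parameters), as an added example that is not part of the original post or of any draft mentioned in it. Group names, data paths and the first-match, default-deny rule order are assumptions made for the illustration.

```python
from dataclasses import dataclass

READ, WRITE, EXEC = "read", "write", "exec"
ALL = frozenset({READ, WRITE, EXEC})


@dataclass(frozen=True)
class Rule:
    group: str          # hypothetical group name
    prefix: str         # data-tree path the rule applies to; "/" covers everything
    access: frozenset   # operations the rule speaks about
    permit: bool        # True = allow, False = explicit deny


# Constructed policy. Rules are evaluated top to bottom, first match wins,
# and a request that matches no rule is denied.
POLICY = (
    # Inner NOC hierarchy: only cleared staff may rewrite access control / filters.
    Rule("noc-security", "/", ALL, True),
    Rule("noc", "/access-control", frozenset({WRITE}), False),
    Rule("noc", "/filters/standard", frozenset({WRITE}), False),
    Rule("noc", "/", ALL, True),
    # Service provisioning: a limited view, nothing outside service parameters.
    Rule("service-provisioning", "/services/vpn", frozenset({READ, WRITE}), True),
    Rule("service-provisioning", "/interfaces", frozenset({READ}), True),
)


def segments(path):
    """Split a path into segments; refuse relative segments outright."""
    parts = [p for p in path.split("/") if p]
    if any(p in (".", "..") for p in parts):
        raise ValueError("relative path segment")
    return parts


def covers(prefix, path):
    """Segment-aware prefix match, so /services/vpn does not cover /services/vpn-internal."""
    pre, segs = segments(prefix), segments(path)
    return segs[:len(pre)] == pre


def authorize(groups, path, access, policy=POLICY):
    """Return True only if the first applicable rule permits the request."""
    try:
        segments(path)
    except ValueError:
        return False
    for rule in policy:
        if rule.group in groups and access in rule.access and covers(rule.prefix, path):
            return rule.permit
    return False  # default deny


# Constructed requests: (caller's groups, target path, operation).
REQUESTS = [
    ({"noc"}, "/routing/isis/area", WRITE),
    ({"noc"}, "/access-control/rules", WRITE),
    ({"noc"}, "/access-control/rules", READ),
    ({"noc", "noc-security"}, "/access-control/rules", WRITE),
    ({"service-provisioning"}, "/services/vpn/customer-a/pe1", WRITE),
    ({"service-provisioning"}, "/services/vpn-internal/mgmt", WRITE),
    ({"service-provisioning"}, "/interfaces/ge-0/mtu", WRITE),
    ({"service-provisioning"}, "/routing/isis/area", READ),
]


def decide_all(requests=REQUESTS):
    """Evaluate every sample request against the policy."""
    return [authorize(groups, path, access) for groups, path, access in requests]


if __name__ == "__main__":
    for (groups, path, access), ok in zip(REQUESTS, decide_all()):
        print(f"{'permit' if ok else 'deny  '} {access:5} {path}  groups={sorted(groups)}")
```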

From randy_presuhn@mindspring.com  Thu Feb 25 11:28:41 2010
Return-Path: <randy_presuhn@mindspring.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B15DD3A8551 for <netconf@core3.amsl.com>; Thu, 25 Feb 2010 11:28:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.455
X-Spam-Level: 
X-Spam-Status: No, score=-2.455 tagged_above=-999 required=5 tests=[AWL=0.144,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2nBjukodbPW3 for <netconf@core3.amsl.com>; Thu, 25 Feb 2010 11:28:40 -0800 (PST)
Received: from elasmtp-galgo.atl.sa.earthlink.net (elasmtp-galgo.atl.sa.earthlink.net [209.86.89.61]) by core3.amsl.com (Postfix) with ESMTP id 409633A8497 for <netconf@ietf.org>; Thu, 25 Feb 2010 11:27:51 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=mindspring.com; b=Daow4WGQkM6DmADv35hZpDuUglCB+lW7e1XSPl/+NS94dPJC3zsHHBmeDpvB1YLm; h=Received:Message-ID:From:To:References:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE:X-ELNK-Trace:X-Originating-IP;
Received: from [99.60.5.228] (helo=oemcomputer) by elasmtp-galgo.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <randy_presuhn@mindspring.com>) id 1NkjPO-0006MA-RF for netconf@ietf.org; Thu, 25 Feb 2010 14:30:03 -0500
Message-ID: <008901cab651$9b901e00$6801a8c0@oemcomputer>
From: "Randy Presuhn" <randy_presuhn@mindspring.com>
To: <netconf@ietf.org>
References: <002d01cab407$af86d3a0$6801a8c0@oemcomputer>	<4B837276.7040301@tail-f.com> <002e01cab458$f9f3b2e0$6801a8c0@oemcomputer> <4B869784.6020103@tail-f.com>
Date: Thu, 25 Feb 2010 11:34:53 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1478
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
X-ELNK-Trace: 4488c18417c9426da92b9037bc8bcf44d4c20f6b8d69d888494b88d665f13b4097d0b59f7cee92d20a3af812d4ea8ea4350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 99.60.5.228
Subject: Re: [Netconf] Fw: Announcing Clouds bar BoF during IETF-77 (March, 2010, Anaheim, CA)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2010 19:28:41 -0000

Hi -

> From: "Carl Moberg" <calle@tail-f.com>
> To: "Randy Presuhn" <randy_presuhn@mindspring.com>
> Cc: <netconf@ietf.org>
> Sent: Thursday, February 25, 2010 7:30 AM
> Subject: Re: [Netconf] Fw: Announcing Clouds bar BoF during IETF-77 (March, 2010, Anaheim, CA)
...
>   However, my simple input on the application of NETCONF on the
>   infrastructure part of "cloud" deployments (which, in my mind, is an
>   operational model) is that it seems to have the same expectations on
>   the network as any "service oriented" network in the service provider
>   world. For example a network that provides end-customer VPNs:
>    - One set of people, support systems and checklists/processes that
>      work on keeping the network running smoothly and ready for service
>      (IS-IS is stable, full iBGP visibility for VPLS, etc) - The NOC team
>    - Another set of people, support systems and checklists that
>      provisions customer-oriented "services", e.g. makes sure that all
>      involved PE-routers are automatically and correctly configured
>      for customer VPNs - The Service Provisioning team
> 
>   The NOC team typically and historically require full access to all
>   configurables in the box and with the exception of some internal
>   hierarchy (e.g. specific security clearance needed to reconfigure
>   access control or standard filters) there is no strong reason to change
>   this.
> 
>   The Service Provisioning team on the other hand expects the network
>   to be up and stable and provisions services on the boxes through
>   "APIs" (CLI-scrapers today) and has no reason to touch anything but
>   the configuration parameters that are related to the provisioned
>   services.
> 
>   In the cloud world, the "services" are "computational loads" and the
>   big difference may be that the frequency of change can be quite high
>   with the level of self-management/open APIs proposed by some of the
>   participating companies.
> 
>   With this type of simple scenario I think the access control model
>   can be made fairly simple (NOC->superuser, Services->Limited view
>   of configurables and operations). I like what I have seen in Andy's
>   draft this far (one quick glance through it) and I think it makes for
>   a good starting point for the discussion.

Following up for clarification...

(1) When you write "Services->Limited view", does that mean that
all members of the "Service Provisioning team" have exactly the
same access rights to exactly the same bits of information?

(2) Where does the customer fit in this model?

Randy


From mark.scott@ericsson.com  Fri Feb 26 10:46:50 2010
Return-Path: <mark.scott@ericsson.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3BE9428C302 for <netconf@core3.amsl.com>; Fri, 26 Feb 2010 10:46:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7kbEfHHP4HH6 for <netconf@core3.amsl.com>; Fri, 26 Feb 2010 10:46:49 -0800 (PST)
Received: from imr1.ericy.com (imr1.ericy.com [198.24.6.9]) by core3.amsl.com (Postfix) with ESMTP id 628BE28C2F8 for <netconf@ietf.org>; Fri, 26 Feb 2010 10:46:49 -0800 (PST)
Received: from eusaamw0707.eamcs.ericsson.se ([147.117.20.32]) by imr1.ericy.com (8.13.1/8.13.1) with ESMTP id o1QIp9Bo010195; Fri, 26 Feb 2010 12:51:10 -0600
Received: from EUSAACMS0714.eamcs.ericsson.se ([169.254.1.178]) by eusaamw0707.eamcs.ericsson.se ([147.117.20.32]) with mapi; Fri, 26 Feb 2010 13:48:55 -0500
From: Mark Scott <mark.scott@ericsson.com>
To: Martin Bjorklund <mbj@tail-f.com>, "bertietf@bwijnen.net" <bertietf@bwijnen.net>
Date: Fri, 26 Feb 2010 13:48:54 -0500
Thread-Topic: [Netconf] The Term Schema WAS:FW: I-D Action:draft-ietf-netconf-monitoring-12.txt
Thread-Index: Acq0zYvAs7Kqd62BT4eM7XS4PAc0YgCRsRMw
Message-ID: <75C89D709A9670428520E1CF8DD1344F20868DDE74@EUSAACMS0714.eamcs.ericsson.se>
References: <80A0822C5E9A4440A5117C2F4CD36A6450AC73@DEMUEXC006.nsn-intra.net> <986D120F986F43E882965353F0F66016@BertLaptop> <20100223.221637.210895985.mbj@tail-f.com>
In-Reply-To: <20100223.221637.210895985.mbj@tail-f.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "netconf@ietf.org" <netconf@ietf.org>
Subject: Re: [Netconf] The Term Schema WAS:FW: I-D Action:draft-ietf-netconf-monitoring-12.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Feb 2010 18:46:50 -0000

+1

Mark

-----Original Message-----
From: netconf-bounces@ietf.org [mailto:netconf-bounces@ietf.org] On Behalf Of Martin Bjorklund
Sent: February-23-10 4:17 PM
To: bertietf@bwijnen.net
Cc: netconf@ietf.org
Subject: Re: [Netconf] The Term Schema WAS:FW: I-D Action:draft-ietf-netconf-monitoring-12.txt

"Bert Wijnen \(IETF\)" <bertietf@bwijnen.net> wrote:
> I am fine with describing Schema in RFC4741bis

+1


/martin
