From nobody Mon Nov 3 00:03:45 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D42001A6FD9 for ; Mon, 3 Nov 2014 00:03:43 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.805 X-Spam-Level: X-Spam-Status: No, score=0.805 tagged_above=-999 required=5 tests=[BAYES_50=0.8, J_CHICKENPOX_52=0.6, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x9XvbLAO1alk for ; Mon, 3 Nov 2014 00:03:42 -0800 (PST) Received: from mail.tail-f.com (mail.tail-f.com [83.241.162.140]) by ietfa.amsl.com (Postfix) with ESMTP id D0BF71A6FAC for ; Mon, 3 Nov 2014 00:03:41 -0800 (PST) Received: from localhost (x15.tail-f.com [192.168.1.60]) by mail.tail-f.com (Postfix) with ESMTPSA id 90D591280098; Mon, 3 Nov 2014 09:03:40 +0100 (CET) Date: Mon, 03 Nov 2014 09:03:40 +0100 (CET) Message-Id: <20141103.090340.1192037256809849296.mbj@tail-f.com> To: dai.xianxian@zte.com.cn From: Martin Bjorklund In-Reply-To: References: X-Mailer: Mew version 6.5 on Emacs 23.4 / Mule 6.0 (HANACHIRUSATO) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/9VyvZS4jL9PBU4tjYianjB8xlO0 Cc: rob.enns@gmail.com, dai_sissi@126.com, netconf@ietf.org, andy.bierman@brocade.com Subject: Re: [Netconf] some issues , like subtree filtering(RFC5277 & RFC6241 ) X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Nov 2014 08:03:44 -0000 dai.xianxian@zte.com.cn wrote: > RFC5277 editors: > > > On RFC5277, The fifth section does not provide definition, just provides > some simple examples to illustrate the various > methods of filtering content on an event notification subscription. > > I want to know, about subtree filtering whether there is a correlation > between RFC6241 (Chapter 6)and RFC5277 (Chapter 5). > In my opinion, the two are in conflict.And I am confused. See RFC 5277, Section 3.6: If a filter element is specified to look for data of a particular value, and the data item is not present within a particular event notification for its value to be checked against, the notification will be filtered out. The idea is that if the filter would select *any* node in an event, then the event is sent, in its entirety. Thus, the filter acts a boolean switch, whether to send the event or not. /martin > Here are some specific questions. > 1.RFC5277,Chapter 5 > notification example defines like this: > event container > |-----eventClass leaf enum > |-----reportingEntity anyxml > |-----choice > |-------severity leaf enum > |-------operState leaf enum/boolean > > The filtering criteria evaluation is as follows:( state | config | ( fault > & ( card=Ethernet0))) > subscription like this: > xmlns:netconf="urn:ietf:params:xml:ns:netconf:base:1.0"> > xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> > > > state > > > config > > > fault > > Ethernet0 > > > > > > > If some service-reported notifications like these: > xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> > 2007-07-08T00:10:00Z > > state > > Ethernet1 > > major > > > > xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> > 2007-07-08T00:10:00Z > > fault > > Ethernet0 > > major > > > > In accordance with RFC6241 rules, the second notification > "major" should be skipped. > xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> > 2007-07-08T00:10:00Z > > state > > Ethernet1 > > major > > > > xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> > 2007-07-08T00:10:00Z > > fault > > Ethernet0 > > > > > As previous implementations, "filter" statement is only used as judgment > to meet the requirements of the rules,it does not act on output. > > > 2.subscription like this: > xmlns:netconf="urn:ietf:params:xml:ns:netconf:base:1.0"> > xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> > > > > > > > > > In accordance with RFC6241 rules, the expected output like this: > xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> > 2007-07-08T00:10:00Z > > fault > > > > Is it reasonable? > > > > > > > > > > -------------------------------------------------------- > ZTE Information Security Notice: The information contained in this mail (and any attachment transmitted herewith) is privileged and confidential and is intended for the exclusive use of the addressee(s). If you are not an intended recipient, any disclosure, reproduction, distribution or other dissemination or use of the information contained is strictly prohibited. If you have received this mail in error, please delete it and notify us immediately. From nobody Mon Nov 3 00:47:22 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADC881A0010 for ; Mon, 3 Nov 2014 00:47:20 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.744 X-Spam-Level: X-Spam-Status: No, score=-1.744 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_52=0.6, MIME_CHARSET_FARAWAY=2.45, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jUJK2_qfO8sM for ; Mon, 3 Nov 2014 00:47:18 -0800 (PST) Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFA611A000F for ; Mon, 3 Nov 2014 00:47:16 -0800 (PST) Received: from 172.18.7.190 (EHLO lhreml404-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BLF47559; Mon, 03 Nov 2014 08:47:15 +0000 (GMT) Received: from nkgeml409-hub.china.huawei.com (10.98.56.40) by lhreml404-hub.china.huawei.com (10.201.5.218) with Microsoft SMTP Server (TLS) id 14.3.158.1; Mon, 3 Nov 2014 08:47:12 +0000 Received: from NKGEML501-MBS.china.huawei.com ([169.254.2.21]) by nkgeml409-hub.china.huawei.com ([10.98.56.40]) with mapi id 14.03.0158.001; Mon, 3 Nov 2014 16:47:06 +0800 From: Qin Wu To: "dai.xianxian@zte.com.cn" , "rob.enns@gmail.com" , "mbj@tail-f.com" , "j.schoenwaelder@jacobs-university.de" , "andy.bierman@brocade.com" Thread-Topic: [Netconf] some issues , like subtree filtering(RFC5277 & RFC6241 ) Thread-Index: AQHP9Yzh8i9g3PSgbUuV07YEngpuHZxOmSjQ Date: Mon, 3 Nov 2014 08:47:06 +0000 Message-ID: References: In-Reply-To: Accept-Language: zh-CN, en-US Content-Language: zh-CN X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.138.41.180] Content-Type: multipart/alternative; boundary="_000_B8F9A780D330094D99AF023C5877DABA846265F4nkgeml501mbschi_" MIME-Version: 1.0 X-CFilter-Loop: Reflected Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/aR9U2ZeJ1hn5FD2LO_dDoeJdkdw Cc: "netconf@ietf.org" , "dai_sissi@126.com" Subject: Re: [Netconf] some issues , like subtree filtering(RFC5277 & RFC6241 ) X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Nov 2014 08:47:20 -0000 --_000_B8F9A780D330094D99AF023C5877DABA846265F4nkgeml501mbschi_ Content-Type: text/plain; charset="gb2312" Content-Transfer-Encoding: base64 WW91IHNlZW1zIHRvIGdpdmUgYW4gZXhhbXBsZSBvbiBzZW5kaW5nIGV2ZW50IG5vdGlmaWNhdGlv biBpbiByZXNwb25zZSB0byBjcmVhdGUgc3Vic2NyaXB0aW9uLg0KQnV0IHRoYXQgaXMgbm90IHRo ZSBleGFtcGxlIGRlc2NyaWJlZCBpbiBSRkM1Mjc3IG9yIFJGQzYyNDEuDQpBbHNvIEkgZmFpbCB0 byB1bmRlcnN0YW5kIHlvdXIgZm9sbG93aW5nIHN0YXRlbWVudA0KobANCiJmaWx0ZXIiIHN0YXRl bWVudCBpcyBvbmx5IHVzZWQgYXMganVkZ21lbnQgdG8gbWVldCB0aGUgcmVxdWlyZW1lbnRzIG9m IHRoZSBydWxlcyxpdCBkb2VzIG5vdCBhY3Qgb24gb3V0cHV0Lg0KobENCg0KUmVnYXJkcyENCi1R aW4NCreivP7IyzogTmV0Y29uZiBbbWFpbHRvOm5ldGNvbmYtYm91bmNlc0BpZXRmLm9yZ10gtPqx 7SBkYWkueGlhbnhpYW5AenRlLmNvbS5jbg0Kt6LLzcqxvOQ6IDIwMTTE6jEx1MIxyNUgMTI6MzIN CsrVvP7Iyzogcm9iLmVubnNAZ21haWwuY29tOyBtYmpAdGFpbC1mLmNvbTsgai5zY2hvZW53YWVs ZGVyQGphY29icy11bml2ZXJzaXR5LmRlOyBhbmR5LmJpZXJtYW5AYnJvY2FkZS5jb20NCrOty806 IG5ldGNvbmZAaWV0Zi5vcmc7IGRhaV9zaXNzaUAxMjYuY29tDQrW98ziOiBbTmV0Y29uZl0gc29t ZSBpc3N1ZXMgLGxpa2Ugc3VidHJlZSBmaWx0ZXJpbmcoUkZDNTI3NyAmIFJGQzYyNDEgKQ0KDQoN ClJGQzUyNzcgZWRpdG9yczoNCg0KDQpPbiBSRkM1Mjc3LCBUaGUgZmlmdGggc2VjdGlvbiBkb2Vz IG5vdCBwcm92aWRlIGRlZmluaXRpb24sIGp1c3QgcHJvdmlkZXMgc29tZSBzaW1wbGUgZXhhbXBs ZXMgdG8gaWxsdXN0cmF0ZSB0aGUgdmFyaW91cw0KICAgbWV0aG9kcyBvZiBmaWx0ZXJpbmcgY29u dGVudCBvbiBhbiBldmVudCBub3RpZmljYXRpb24gc3Vic2NyaXB0aW9uLg0KDQpJIHdhbnQgdG8g a25vdywgYWJvdXQgc3VidHJlZSBmaWx0ZXJpbmcgd2hldGhlciB0aGVyZSBpcyBhIGNvcnJlbGF0 aW9uIGJldHdlZW4gUkZDNjI0MSAoQ2hhcHRlciA2KWFuZCBSRkM1Mjc3IChDaGFwdGVyIDUpLg0K SW4gbXkgb3BpbmlvbiwgdGhlIHR3byBhcmUgaW4gY29uZmxpY3QuQW5kIEkgYW0gY29uZnVzZWQu DQoNCkhlcmUgYXJlIHNvbWUgc3BlY2lmaWMgcXVlc3Rpb25zLg0KMS5SRkM1Mjc3LENoYXB0ZXIg NQ0Kbm90aWZpY2F0aW9uIGV4YW1wbGUgZGVmaW5lcyBsaWtlIHRoaXM6DQpldmVudCBjb250YWlu ZXINCiAgfC0tLS0tZXZlbnRDbGFzcyAgICAgICAgIGxlYWYgZW51bQ0KICB8LS0tLS1yZXBvcnRp bmdFbnRpdHkgICAgYW55eG1sDQogIHwtLS0tLWNob2ljZQ0KICAgICAgICAgICB8LS0tLS0tLXNl dmVyaXR5ICBsZWFmIGVudW0NCiAgICAgICAgICAgfC0tLS0tLS1vcGVyU3RhdGUgbGVhZiBlbnVt L2Jvb2xlYW4NCg0KVGhlIGZpbHRlcmluZyBjcml0ZXJpYSBldmFsdWF0aW9uIGlzIGFzIGZvbGxv d3M6KCBzdGF0ZSB8IGNvbmZpZyB8ICggZmF1bHQgJiAoIGNhcmQ9RXRoZXJuZXQwKSkpDQpzdWJz Y3JpcHRpb24gbGlrZSB0aGlzOg0KPG5ldGNvbmY6cnBjIG5ldGNvbmY6bWVzc2FnZS1pZD0iMTAx Ig0KeG1sbnM6bmV0Y29uZj0idXJuOmlldGY6cGFyYW1zOnhtbDpuczpuZXRjb25mOmJhc2U6MS4w Ij4NCjxjcmVhdGUtc3Vic2NyaXB0aW9uDQp4bWxucz0idXJuOmlldGY6cGFyYW1zOnhtbDpuczpu ZXRjb25mOm5vdGlmaWNhdGlvbjoxLjAiPg0KPGZpbHRlciBuZXRjb25mOnR5cGU9InN1YnRyZWUi Pg0KICAgPGV2ZW50IHhtbG5zPSJodHRwOi8vZXhhbXBsZS5jb20vZXZlbnQvMS4wIj4NCiAgICAg IDxldmVudENsYXNzPnN0YXRlPC9ldmVudENsYXNzPg0KICAgPC9ldmVudD4NCiAgIDxldmVudCB4 bWxucz0iaHR0cDovL2V4YW1wbGUuY29tL2V2ZW50LzEuMCI+DQogICAgICA8ZXZlbnRDbGFzcz5j b25maWc8L2V2ZW50Q2xhc3M+DQogICA8L2V2ZW50Pg0KICAgPGV2ZW50IHhtbG5zPSJodHRwOi8v ZXhhbXBsZS5jb20vZXZlbnQvMS4wIj4NCiAgICAgIDxldmVudENsYXNzPmZhdWx0PC9ldmVudENs YXNzPg0KICAgICAgPHJlcG9ydGluZ0VudGl0eT4NCiAgICAgICAgIDxjYXJkPkV0aGVybmV0MDwv Y2FyZD4NCiAgICAgIDwvcmVwb3J0aW5nRW50aXR5Pg0KICAgIDwvZXZlbnQ+DQo8L2ZpbHRlcj4N CjwvY3JlYXRlLXN1YnNjcmlwdGlvbj4NCjwvbmV0Y29uZjpycGM+DQoNCklmIHNvbWUgc2Vydmlj ZS1yZXBvcnRlZCBub3RpZmljYXRpb25zIGxpa2UgdGhlc2U6DQo8bm90aWZpY2F0aW9uDQp4bWxu cz0idXJuOmlldGY6cGFyYW1zOnhtbDpuczpuZXRjb25mOm5vdGlmaWNhdGlvbjoxLjAiPg0KICAg PGV2ZW50VGltZT4yMDA3LTA3LTA4VDAwOjEwOjAwWjwvZXZlbnRUaW1lPg0KICAgPGV2ZW50IHht bG5zPSJodHRwOi8vZXhhbXBsZS5jb20vZXZlbnQvMS4wIj4NCiAgICAgIDxldmVudENsYXNzPnN0 YXRlPC9ldmVudENsYXNzPg0KICAgICAgPHJlcG9ydGluZ0VudGl0eT4NCiAgICAgICAgIDxjYXJk PkV0aGVybmV0MTwvY2FyZD4NCiAgICAgIDwvcmVwb3J0aW5nRW50aXR5Pg0KICAgICAgPHNldmVy aXR5Pm1ham9yPC9zZXZlcml0eT4NCjwvZXZlbnQ+DQo8L25vdGlmaWNhdGlvbj4NCg0KPG5vdGlm aWNhdGlvbg0KeG1sbnM9InVybjppZXRmOnBhcmFtczp4bWw6bnM6bmV0Y29uZjpub3RpZmljYXRp b246MS4wIj4NCiAgIDxldmVudFRpbWU+MjAwNy0wNy0wOFQwMDoxMDowMFo8L2V2ZW50VGltZT4N CiAgIDxldmVudCB4bWxucz0iaHR0cDovL2V4YW1wbGUuY29tL2V2ZW50LzEuMCI+DQogICAgICA8 ZXZlbnRDbGFzcz5mYXVsdDwvZXZlbnRDbGFzcz4NCiAgICAgIDxyZXBvcnRpbmdFbnRpdHk+DQog ICAgICAgICA8Y2FyZD5FdGhlcm5ldDA8L2NhcmQ+DQogICAgICA8L3JlcG9ydGluZ0VudGl0eT4N CiAgICAgIDxzZXZlcml0eT5tYWpvcjwvc2V2ZXJpdHk+DQo8L2V2ZW50Pg0KPC9ub3RpZmljYXRp b24+DQoNCkluIGFjY29yZGFuY2Ugd2l0aCBSRkM2MjQxIHJ1bGVzLCB0aGUgc2Vjb25kIG5vdGlm aWNhdGlvbiAiPHNldmVyaXR5Pm1ham9yPC9zZXZlcml0eT4iIHNob3VsZCBiZSBza2lwcGVkLg0K PG5vdGlmaWNhdGlvbg0KeG1sbnM9InVybjppZXRmOnBhcmFtczp4bWw6bnM6bmV0Y29uZjpub3Rp ZmljYXRpb246MS4wIj4NCiAgIDxldmVudFRpbWU+MjAwNy0wNy0wOFQwMDoxMDowMFo8L2V2ZW50 VGltZT4NCiAgIDxldmVudCB4bWxucz0iaHR0cDovL2V4YW1wbGUuY29tL2V2ZW50LzEuMCI+DQog ICAgICA8ZXZlbnRDbGFzcz5zdGF0ZTwvZXZlbnRDbGFzcz4NCiAgICAgIDxyZXBvcnRpbmdFbnRp dHk+DQogICAgICAgICA8Y2FyZD5FdGhlcm5ldDE8L2NhcmQ+DQogICAgICA8L3JlcG9ydGluZ0Vu dGl0eT4NCiAgICAgIDxzZXZlcml0eT5tYWpvcjwvc2V2ZXJpdHk+DQo8L2V2ZW50Pg0KPC9ub3Rp ZmljYXRpb24+DQoNCjxub3RpZmljYXRpb24NCnhtbG5zPSJ1cm46aWV0ZjpwYXJhbXM6eG1sOm5z Om5ldGNvbmY6bm90aWZpY2F0aW9uOjEuMCI+DQogICA8ZXZlbnRUaW1lPjIwMDctMDctMDhUMDA6 MTA6MDBaPC9ldmVudFRpbWU+DQogICA8ZXZlbnQgeG1sbnM9Imh0dHA6Ly9leGFtcGxlLmNvbS9l dmVudC8xLjAiPg0KICAgICAgPGV2ZW50Q2xhc3M+ZmF1bHQ8L2V2ZW50Q2xhc3M+DQogICAgICA8 cmVwb3J0aW5nRW50aXR5Pg0KICAgICAgICAgPGNhcmQ+RXRoZXJuZXQwPC9jYXJkPg0KICAgICAg PC9yZXBvcnRpbmdFbnRpdHk+DQo8L2V2ZW50Pg0KPC9ub3RpZmljYXRpb24+DQoNCkFzIHByZXZp b3VzIGltcGxlbWVudGF0aW9ucywgImZpbHRlciIgc3RhdGVtZW50IGlzIG9ubHkgdXNlZCBhcyBq dWRnbWVudCB0byBtZWV0IHRoZSByZXF1aXJlbWVudHMgb2YgdGhlIHJ1bGVzLGl0IGRvZXMgbm90 IGFjdCBvbiBvdXRwdXQuDQoNCg0KMi5zdWJzY3JpcHRpb24gbGlrZSB0aGlzOg0KPG5ldGNvbmY6 cnBjIG5ldGNvbmY6bWVzc2FnZS1pZD0iMTAxIg0KeG1sbnM6bmV0Y29uZj0idXJuOmlldGY6cGFy YW1zOnhtbDpuczpuZXRjb25mOmJhc2U6MS4wIj4NCjxjcmVhdGUtc3Vic2NyaXB0aW9uDQp4bWxu cz0idXJuOmlldGY6cGFyYW1zOnhtbDpuczpuZXRjb25mOm5vdGlmaWNhdGlvbjoxLjAiPg0KPGZp bHRlciBuZXRjb25mOnR5cGU9InN1YnRyZWUiPg0KICAgPGV2ZW50IHhtbG5zPSJodHRwOi8vZXhh bXBsZS5jb20vZXZlbnQvMS4wIj4NCiAgICAgIDxldmVudENsYXNzLz4NCiAgIDwvZXZlbnQ+DQo8 L2ZpbHRlcj4NCjwvY3JlYXRlLXN1YnNjcmlwdGlvbj4NCjwvbmV0Y29uZjpycGM+DQoNCkluIGFj Y29yZGFuY2Ugd2l0aCBSRkM2MjQxIHJ1bGVzLCB0aGUgZXhwZWN0ZWQgb3V0cHV0IGxpa2UgdGhp czoNCjxub3RpZmljYXRpb24NCnhtbG5zPSJ1cm46aWV0ZjpwYXJhbXM6eG1sOm5zOm5ldGNvbmY6 bm90aWZpY2F0aW9uOjEuMCI+DQogICA8ZXZlbnRUaW1lPjIwMDctMDctMDhUMDA6MTA6MDBaPC9l dmVudFRpbWU+DQogICA8ZXZlbnQgeG1sbnM9Imh0dHA6Ly9leGFtcGxlLmNvbS9ldmVudC8xLjAi Pg0KICAgICAgPGV2ZW50Q2xhc3M+ZmF1bHQ8L2V2ZW50Q2xhc3M+DQo8L2V2ZW50Pg0KPC9ub3Rp ZmljYXRpb24+DQoNCklzIGl0IHJlYXNvbmFibGU/DQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQot LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0K DQpaVEUgSW5mb3JtYXRpb24gU2VjdXJpdHkgTm90aWNlOiBUaGUgaW5mb3JtYXRpb24gY29udGFp bmVkIGluIHRoaXMgbWFpbCAoYW5kIGFueSBhdHRhY2htZW50IHRyYW5zbWl0dGVkIGhlcmV3aXRo KSBpcyBwcml2aWxlZ2VkIGFuZCBjb25maWRlbnRpYWwgYW5kIGlzIGludGVuZGVkIGZvciB0aGUg ZXhjbHVzaXZlIHVzZSBvZiB0aGUgYWRkcmVzc2VlKHMpLiAgSWYgeW91IGFyZSBub3QgYW4gaW50 ZW5kZWQgcmVjaXBpZW50LCBhbnkgZGlzY2xvc3VyZSwgcmVwcm9kdWN0aW9uLCBkaXN0cmlidXRp b24gb3Igb3RoZXIgZGlzc2VtaW5hdGlvbiBvciB1c2Ugb2YgdGhlIGluZm9ybWF0aW9uIGNvbnRh aW5lZCBpcyBzdHJpY3RseSBwcm9oaWJpdGVkLiAgSWYgeW91IGhhdmUgcmVjZWl2ZWQgdGhpcyBt YWlsIGluIGVycm9yLCBwbGVhc2UgZGVsZXRlIGl0IGFuZCBub3RpZnkgdXMgaW1tZWRpYXRlbHku DQoNCg0KDQoNCg0KDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLQ0KDQpaVEUgSW5mb3JtYXRpb24gU2VjdXJpdHkgTm90aWNlOiBUaGUgaW5m b3JtYXRpb24gY29udGFpbmVkIGluIHRoaXMgbWFpbCAoYW5kIGFueSBhdHRhY2htZW50IHRyYW5z bWl0dGVkIGhlcmV3aXRoKSBpcyBwcml2aWxlZ2VkIGFuZCBjb25maWRlbnRpYWwgYW5kIGlzIGlu dGVuZGVkIGZvciB0aGUgZXhjbHVzaXZlIHVzZSBvZiB0aGUgYWRkcmVzc2VlKHMpLiAgSWYgeW91 IGFyZSBub3QgYW4gaW50ZW5kZWQgcmVjaXBpZW50LCBhbnkgZGlzY2xvc3VyZSwgcmVwcm9kdWN0 aW9uLCBkaXN0cmlidXRpb24gb3Igb3RoZXIgZGlzc2VtaW5hdGlvbiBvciB1c2Ugb2YgdGhlIGlu Zm9ybWF0aW9uIGNvbnRhaW5lZCBpcyBzdHJpY3RseSBwcm9oaWJpdGVkLiAgSWYgeW91IGhhdmUg cmVjZWl2ZWQgdGhpcyBtYWlsIGluIGVycm9yLCBwbGVhc2UgZGVsZXRlIGl0IGFuZCBub3RpZnkg dXMgaW1tZWRpYXRlbHkuDQoNCg0KDQo= --_000_B8F9A780D330094D99AF023C5877DABA846265F4nkgeml501mbschi_ Content-Type: text/html; charset="gb2312" Content-Transfer-Encoding: quoted-printable

You seems = to give an example on sending event notification in response to create subs= cription.

But that i= s not the example described in RFC5277 or RFC6241.

Also I fai= l to understand your following statement

=A1=B0

"filt= er" statement is only used as judgment to meet the requirements of the= rules,it does not act on output.
=A1=B1

= ;

Regards!

-Qin<= /o:p>

=B7=A2=BC=FE=C8=CB: Netconf= [mailto:netconf-bounces@ietf.org] =B4=FA= =B1=ED dai.xianxian@zte.com.cn
=B7=A2= =CB=CD=CA=B1=BC=E4: 2014=C4=EA11=D4=C21=C8=D5 12:32
=CA=D5=BC=FE=C8=CB: rob.enns@gmail.com; mbj@tail-f.com; j.schoenwaelder@jacobs-universi= ty.de; andy.bierman@brocade.com
=B3=AD=CB=CD: netconf@ietf.org; dai_sissi@126.com
=D6=F7=CC=E2: [Netconf] some issues ,like subtree filtering(RFC5277 & RFC6241 )

RFC5277 editors:

On RFC5277, The fifth section does not pro= vide definition, just provides some simple examples to illustrate the vario= us
methods of filtering content = on an event notification subscription.

I want to know, about subtree filtering wh= ether there is a correlation between RFC6241 (Chapter 6)and RFC5277 (Chapte= r 5).
In my opinion, the two are in conflict.And= I am confused.

Here are some specific questions.
1.RFC5277,Chapter 5
notification example defines like this:
event container
|-----eventClass &nbs= p; leaf enum
|-----reportingEntity = anyxml
|-----choice
|= -------severity leaf enum
|= -------operState leaf enum/boolean
=
The filtering criteria evaluation is as fo= llows:( state | config | ( fault & ( card=3DEthernet0))) =
subscription like this:
<netconf:rpc netconf:message-id=3D"= ;101"
xmlns:netconf=3D"urn:ietf:params:xml:= ns:netconf:base:1.0">
<create-subscription
xmlns=3D"urn:ietf:params:xml:ns:netco= nf:notification:1.0">
<filter netconf:type=3D"subtree&qu= ot;>
<event xmlns=3D"= http://example.com/event/1.0&qu= ot;>
<eventClass>sta= te</eventClass>
</event>
<event xmlns=3D"= http://example.com/event/1.0&qu= ot;>
<eventClass>con= fig</eventClass>
</event>
<event xmlns=3D"= http://example.com/event/1.0&qu= ot;>
<eventClass>fau= lt</eventClass>
<reportingEntity&g= t;
<card= >Ethernet0</card>
</reportingEntity&= gt;
</event>
</filter>
</create-subscription>
</netconf:rpc>

If some service-reported notifications lik= e these:
<notification
xmlns=3D"urn:ietf:params:xml:ns:netco= nf:notification:1.0">
<eventTime>2007-07-08T0= 0:10:00Z</eventTime>
<event xmlns=3D"= http://example.com/event/1.0&qu= ot;>
<eventClass>sta= te</eventClass>
<reportingEntity&g= t;
<card= >Ethernet1</card>
</reportingEntity&= gt;
<severity>major= </severity>
</event>
</notification>

<notification
xmlns=3D"urn:ietf:params:xml:ns:netco= nf:notification:1.0">
<eventTime>2007-07-08T0= 0:10:00Z</eventTime>
<event xmlns=3D"= http://example.com/event/1.0&qu= ot;>
<eventClass>fau= lt</eventClass>
<reportingEntity&g= t;
<card= >Ethernet0</card>
</reportingEntity&= gt;
<severity>major= </severity>
</event>
</notification>

In accordance with RFC6241 rules, the seco= nd notification "<severity>major</severity>" should b= e skipped.
<notification
xmlns=3D"urn:ietf:params:xml:ns:netco= nf:notification:1.0">
<eventTime>2007-07-08T0= 0:10:00Z</eventTime>
<event xmlns=3D"= http://example.com/event/1.0&qu= ot;>
<eventClass>sta= te</eventClass>
<reportingEntity&g= t;
<card= >Ethernet1</card>
</reportingEntity&= gt;
<severity>major= </severity>
</event>
</notification>

<notification
xmlns=3D"urn:ietf:params:xml:ns:netco= nf:notification:1.0">
<eventTime>2007-07-08T0= 0:10:00Z</eventTime>
<event xmlns=3D"= http://example.com/event/1.0&qu= ot;>
<eventClass>fau= lt</eventClass>
<reportingEntity&g= t;
<card= >Ethernet0</card>
</reportingEntity&= gt;
</event>
</notification>

As previous implementations, "filter&= quot; statement is only used as judgment to meet the requirements of the ru= les,it does not act on output.

2.subscription like this:
<netconf:rpc netconf:message-id=3D"= ;101"
xmlns:netconf=3D"urn:ietf:params:xml:= ns:netconf:base:1.0">
<create-subscription
xmlns=3D"urn:ietf:params:xml:ns:netco= nf:notification:1.0">
<filter netconf:type=3D"subtree&qu= ot;>
<event xmlns=3D"= http://example.com/event/1.0&qu= ot;>
<eventClass/>
</event>
</filter>
</create-subscription>
</netconf:rpc>

In accordance with RFC6241 rules, the expe= cted output like this:
<notification
xmlns=3D"urn:ietf:params:xml:ns:netco= nf:notification:1.0">
<eventTime>2007-07-08T0= 0:10:00Z</eventTime>
<event xmlns=3D"= http://example.com/event/1.0&qu= ot;>
<eventClass>fau= lt</eventClass>
</event>
</notification>

Is it reasonable?

 
----------------------------=
----------------------------
ZTE Information Security Not=
ice: The information contained in this mail (and any attachment transmitted=
 herewith) is privileged and confidential and is intended for the exclusive=
 use of the addressee(s).  If you are not an intended recipient, any d=
isclosure, reproduction, distribution or other dissemination or use of the =
information contained is strictly prohibited.  If you have received th=
is mail in error, please delete it and notify us immediately.
 
=
 
 
----------------------------=
----------------------------
ZTE Information Security Not=
ice: The information contained in this mail (and any attachment transmitted=
 herewith) is privileged and confidential and is intended for the exclusive=
 use of the addressee(s).  If you are not an intended recipient, any d=
isclosure, reproduction, distribution or other dissemination or use of the =
information contained is strictly prohibited.  If you have received th=
is mail in error, please delete it and notify us immediately.

--_000_B8F9A780D330094D99AF023C5877DABA846265F4nkgeml501mbschi_-- From nobody Mon Nov 3 03:40:13 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FB201A0092 for ; Mon, 3 Nov 2014 03:40:12 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.809 X-Spam-Level: X-Spam-Status: No, score=0.809 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_HELO_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7mzmDYasQHlU for ; Mon, 3 Nov 2014 03:40:10 -0800 (PST) Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0768.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe00::768]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C2631A0076 for ; Mon, 3 Nov 2014 03:40:09 -0800 (PST) Received: from pc6 (86.184.62.161) by DB3PR07MB060.eurprd07.prod.outlook.com (10.242.137.151) with Microsoft SMTP Server (TLS) id 15.1.6.9; Mon, 3 Nov 2014 11:34:55 +0000 Message-ID: <015901cff759$d7405020$4001a8c0@gateway.2wire.net> From: t.petch To: Alan Luchuk , References: <201410311419.s9VEJQWY009047@mainfs.snmp.com> Date: Mon, 3 Nov 2014 11:32:14 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-Originating-IP: [86.184.62.161] X-ClientProxiedBy: AM3PR01CA046.eurprd01.prod.exchangelabs.com (10.141.191.36) To DB3PR07MB060.eurprd07.prod.outlook.com (10.242.137.151) X-MS-Exchange-Transport-FromEntityHeader: Hosted X-Microsoft-Antispam: UriScan:; X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:DB3PR07MB060; X-Exchange-Antispam-Report-Test: UriScan:; X-Forefront-PRVS: 0384275935 X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(6009001)(189002)(377454003)(13464003)(199003)(51444003)(51704005)(107046002)(46102003)(92566001)(23756003)(19580395003)(50466002)(50226001)(89996001)(87286001)(116806002)(44716002)(44736004)(61296003)(120916001)(105586002)(77096003)(77156002)(99396003)(106356001)(101416001)(95666004)(42186005)(14496001)(88136002)(93916002)(102836001)(92726001)(104166001)(40100003)(81816999)(81686999)(76176999)(122386002)(66066001)(21056001)(86362001)(87976001)(84392001)(19580405001)(31966008)(64706001)(20776003)(50986999)(47776003)(33646002)(62966003); DIR:OUT; SFP:1102; SCL:1; SRVR:DB3PR07MB060; H:pc6; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:0; LANG:en; X-OriginatorOrg: btconnect.com Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/vPod3JHT9ytHZzAjLCVHKL2tUuo Subject: Re: [Netconf] rfc5539bis > - NC over TLS with mutual X.509 authentication X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Nov 2014 11:40:12 -0000 ----- Original Message ----- From: "Alan Luchuk" To: Cc: ; ; Sent: Friday, October 31, 2014 2:19 PM > Also, included below is the following new proposed text for Section 2.4.1, > and a new section 2.4.2. The new section 2.4.2 would displace the existing > section 2.4.2 to have 2.4.3, and so on. Thoughts on this? Alan I am unclear on what you are proposing For me, there is a clear split between the validation of X.509 certificates and the use then made of the contents thereof, something which I do not see in the paragraphs you propose. Thus the procedures of RFC5280 section 6 apply to all X.509 certificates and require the client to be configured with suitable trust anchors. If the client is configured with the server certificate per se, then that is a degenerate case thereof. I think that RFC5539 s.3.1 paragraph 4 gets that about right and little if anything needs changing with that (except putting it first!). Once the certificate has been validated, then it is a question of extracting the identifier of the server from it and comparing that to a reference identifier configured in the client. I think that RFC6125 does us no favours; it limits itself to "service identities associated with fully-qualified DNS domain names" preferably with SRV-IDs, which I think too restrictive - we have to reference it, but need to qualify the use thereof. So we cannot reuse the other paragraphs of RFC5539 but need to say something like 'SHOULD use RFC6125' but then go on to qualify it. Tom Petch > Regards, > --Alan > > Section 2.4.1 Verifying the NETCONF Server Identity > ---------------------------------------------------- > > The NETCONF client MUST verify the identity of the NETCONF server. > The NETCONF client MAY use the procedure documented in Section 2.4.2 > to verify the identify of the NETCONF server. The NETCONF client MAY > use an alternate procedure to verify the identity the NETCONF server. > > If the NETCONF client uses an alternate procedure to verify the identity > of the NETCONF server, then the alternate procedure must > provide a level of verification comparable to the procedure documented > in Section 2.4.2. One example of an alternate procedure for verifying > the NETCONF server's identity would be to compare the X.509 certificate > presented by the NETCONF server against a local store of > already-verified X.509 certificates and identity bindings. > > If the NETCONF client attempts to connect to a NETCONF server, and the > NETCONF server fails the identity verification step, then the NETCONF > client MUST notify the user that the NETCONF server identity > verification failed, and 1) either terminate the connection, or > 2) request user confirmation to proceed with the connection. > > > Section 2.4.2 Standard Procedure for Verifying the NETCONF Server Identity > ---------------------------------------------------------------------- ----- > > If the NETCONF client uses this documented procedure to verify the > identify of the NETCONF server, then the NETCONF client MUST follow > follow this procedure completely. > > The NETCONF client MUST verify the integrity of the X.509 certificate > presented by the NETCONF server. To do this, the NETCONF client MUST: > > - Use the certificate path validation algorithm described in > Section 6 of [RFC 5280]. > > - Validate the X.509 certificate presented by the NETCONF server > to a trust anchor configured in the NETCONF client. > > To prevent man-in-the-middle attacks, after verifying the integrity of > X.509 certificate presented by the NETCONF server, the NETCONF > client MUST verify the identity of the NETCONF server. To verify the > identity of the NETCONF server: > > - The NETCONF client MUST have information about the expected identity > of the NETCONF server to which it connected, and from which it received > a presented X.509 certificate. This NETCONF server identity information > MUST be pre-configured in the NETCONF client before it initiates the > connection to the NETCONF server. > > - The X.509 certificate presented by the NETCONF server must contain > information about the NETCONF server's identity. > > - The NETCONF client MUST extract the NETCONF server identity information > from the X.509 certificate presented by the server. The NETCONF client > MUST compare the extracted server identity to the pre-configured server > identity information according to the rules and guidelines defined in > [RFC 6125]. If the comparison succeeds, then the NETCONF server > identity is verified, and the connection can proceed. If the comparison > fails, then the NETCONF server identity verification has failed. The > NETCONF client must handle the NETCONF server identity verification > failure as documented above. > From nobody Mon Nov 3 05:20:11 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1306E1A01A5; Mon, 3 Nov 2014 05:20:08 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.377 X-Spam-Level: X-Spam-Status: No, score=-1.377 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EF8cXOw4JU8d; Mon, 3 Nov 2014 05:20:06 -0800 (PST) Received: from mail-yh0-x22d.google.com (mail-yh0-x22d.google.com [IPv6:2607:f8b0:4002:c01::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F19C11A0199; Mon, 3 Nov 2014 05:20:05 -0800 (PST) Received: by mail-yh0-f45.google.com with SMTP id f10so1265255yha.18 for ; Mon, 03 Nov 2014 05:20:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:from:date:message-id:subject:to:cc:content-type; bh=3WK49IDoLiMI/pX1s8U8ySnv5xLeIPF5NzQX7Mg+5is=; b=NXNTknKY8qNLPb6uDaQ5Irlv1AcbuewBNiqIk++apu5lXx9oah4L0sg0wpEJ2aAw/W 1SlTbjUCJBqkmSG+zlWDxU0JtkGcyx34sFikIbILNotiV/J0g12OGvtqUj/n9hv+/uXn GNBtW+ZCfHb232N4uAwfO1gVcUPAmCfyUf48aQ2IsmpLevomT0vwmmXYOFoF1DZYsALX Q61ISWIm6AJFgUVloQpliysuXGznZMv5HpeDuYrKfdRyAn4Xx6E9Ch6ZOvrTo+yLjxNi YrDLzdct8IWlnNuxJBoQc+8Rg5Aw6Ny19rGNsxxmr3ztGxtn5M44KBWqOSnYyCt0Gwqm UnYA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yale.edu; s=googleprd; h=mime-version:sender:from:date:message-id:subject:to:cc:content-type; bh=3WK49IDoLiMI/pX1s8U8ySnv5xLeIPF5NzQX7Mg+5is=; b=epu3mdZQsFsGdq9AqqPPqApVtfnpBhm+VOXjCFnktpfa/PFyP3gT/ta5Xj5yorskOd uHI0iM2Uu0XfX5xS+8HilG8RlGMQSlEL/qKWIx3tJ/usr8zc/EKjnKmhDqG3pgJXaEqw Sj1UszZA7oqcrP8vwyp+qRgFFTzRo97D0Lql4= X-Received: by 10.170.56.197 with SMTP id 188mr1634939yky.117.1415020805287; Mon, 03 Nov 2014 05:20:05 -0800 (PST) MIME-Version: 1.0 Sender: boxs.jq@gmail.com Received: by 10.170.221.193 with HTTP; Mon, 3 Nov 2014 05:19:45 -0800 (PST) From: Xiao SHI Date: Mon, 3 Nov 2014 08:19:45 -0500 X-Google-Sender-Auth: tdSLgCGExLO7aEnrkGxMv6L3HYo Message-ID: To: Netconf , "netmod@ietf.org" Content-Type: multipart/alternative; boundary=001a11398cb072f7080506f434cf Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/f8AZAZri-AZXkTwrJvoJdRpUJIY Cc: Richard Yang Subject: [Netconf] Specification on netconf modifications to xpath filtering X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Nov 2014 13:20:08 -0000 --001a11398cb072f7080506f434cf Content-Type: text/plain; charset=UTF-8 Hi folks, I was looking into the xpath filtering capabilities in netconf, especially the part in Section 8.9.5.1 ( https://tools.ietf.org/html/rfc6241#section-8.9.5.1) ===Question 1=== The RFC reads: All ancestor nodes of the result node MUST be encoded first, so the element returned in the reply contains only fully specified subtrees, according to the underlying data model. How does this interact with XPATH union? For example, if we had a data model: list top { leaf server-id; leaf user-count; list user { key name; leaf name; } } If I would like to select any user whose name is Fred and include the server they are on as well as the user-count on those servers, I would use XPATH query filter such as the following:

Say the node set returned by the XPATH result is the following: myServer1

fred

myServer3

123

fred According to the NETCONF modification, the ancestor nodes of each node in this node set will be encoded first, meaning the returned XML contains only fully specified subtrees. "For each such subtree, the path from the data model root node down to the subtree, including any elements or attributes necessary to uniquely identify the subtree, are included in the response message." (Sec 8.9.1) I see two options depending on how this modification process is evaluated in netconf: Option 1: each node/subtree in the node set is evaluated individually and produced the following output:

myServer1

fred

myServer3

123

fred Option 2: each node is put into context of the data model, and yields the following output:

myServer1

fred

myServer3

123

fred Which one would NETCONF server produce? ===Question 2=== The second paragraph reads: If any sibling or ancestor nodes of the result node are needed to identify a particular instance within a conceptual data structure, then these nodes MUST also be encoded in the response. I was wondering how a server would know whether a node is needed to "identify the instance within a conceptual data structure," i.e. is there a detailed specification for that (other than the key of a list)? Thank you! Xiao --001a11398cb072f7080506f434cf Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

Hi folks,

I was looking into the xpath = filtering capabilities in netconf, especially the part in Section 8.9.5.1 (= https://tools.ietf.org/html/rfc6241#section-8.9.5.1)

<= br>

=3D=3D=3DQuestion 1=3D=3D=3D

The RFC reads: All anc= estor nodes of the result node MUST be encoded first, so the <data> e= lement returned in the reply contains only fully specified subtrees, accord= ing to the underlying data model.

How does this in= teract with XPATH union?

For example, if we had a = data model:

list top {

=C2=A0 leaf server-id;

=C2=A0 leaf user-count;

=C2=A0 list user {

=C2=A0 =C2= =A0 key name;

=C2=A0 =C2=A0 leaf name;

=C2=A0 }

}

If I would like to select any user whose = name is Fred and include the server they are on as well as the user-count o= n those servers, I would use XPATH query filter such as the following:

<rpc message-id=3D"101"

= =C2=A0 =C2=A0 =C2=A0xmlns=3D"urn:ietf:params:xml:ns:netconf:base:1.0&q= uot;>

=C2=A0 =C2=A0 <get-config>

=C2=A0 =C2=A0= =C2=A0 =C2=A0 <source>

=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 <running/>

=C2=A0 =C2=A0 =C2=A0 =C2=A0 </source&g= t;

=C2=A0 =C2=A0 =C2=A0 =C2=A0 <filter xmlns:t=3D"http://example.com/schema/1.2/con= fig"

=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 type=3D"xpath"

=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 select=3D"/t:top/t:user[t:name=3D'fred= 9;]/../server-id | /t:top/t:users/t:user[t:name=3D'fred']/../user-c= ount | /t:top/t:users/t:user[t:name=3D'fred']"/>

= =C2=A0 =C2=A0 </get-config>

</rpc>

Say the node set returned by the XPATH result is the following= :

<server-id>myServer1</server-id>

<= ;user-count>99</user-count>

<server-id>myServer3</server-= id>

<user-count>123</user-count>

<use= r><name>fred</name></user>

<= div>According to the NETCONF modification, the ancestor nodes of each node = in this node set will be encoded first, meaning the returned XML contains o= nly fully specified subtrees. "For each such subtree, the path from th= e data model root node down to the subtree, including any elements or attri= butes necessary to uniquely identify the subtree, are included in the respo= nse message." (Sec 8.9.1)

I see two options d= epending on how this modification process is evaluated in netconf:

Option 1: each node/subtree in the node set is evaluated individually and= produced the following output:

<top><server-id>= myServer1</server-id></top>

<top><= ;server-id>myServer3</server-id></top>

Option 2: each node is put into context of the data m= odel, and yields the following output:

<top>

=C2=A0 <server-id>myServer1</server-id>

=C2=A0 <u= ser-count>99</user-count>

=C2=A0 <user><name>= ;fred</name></user>

</top>

<top>= ;

=C2=A0 <server-id>myServer3</server-id>

= =C2=A0 <user-count>123</user-count>

=C2=A0 <user&g= t;<name>fred</name></user>

</top>

Which one would NETCONF server produce?

<= br>

=3D=3D=3DQuestion 2=3D=3D=3D

The second paragraph r= eads: If any sibling or ancestor nodes of the result node are needed to ide= ntify a particular instance within a conceptual data structure, then these = nodes MUST also be encoded in the response.

I was = wondering how a server would know whether a node is needed to "identif= y the instance within a conceptual data structure," i.e. is there a de= tailed specification for that (other than the key of a list)?

Thank you!

Xiao

--001a11398cb072f7080506f434cf-- From nobody Mon Nov 3 05:35:30 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E2C21A014C for ; Mon, 3 Nov 2014 05:35:29 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.495 X-Spam-Level: X-Spam-Status: No, score=-2.495 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yzeDqmNvSNEU for ; Mon, 3 Nov 2014 05:35:27 -0800 (PST) Received: from mail.tail-f.com (mail.tail-f.com [83.241.162.140]) by ietfa.amsl.com (Postfix) with ESMTP id 690911A0070 for ; Mon, 3 Nov 2014 05:35:27 -0800 (PST) Received: from localhost (x15.tail-f.com [192.168.1.60]) by mail.tail-f.com (Postfix) with ESMTPSA id 47DBC1280098; Mon, 3 Nov 2014 14:35:26 +0100 (CET) Date: Mon, 03 Nov 2014 14:35:26 +0100 (CET) Message-Id: <20141103.143526.286924497828608419.mbj@tail-f.com> To: xiao.shi@yale.edu From: Martin Bjorklund In-Reply-To: References: X-Mailer: Mew version 6.5 on Emacs 23.4 / Mule 6.0 (HANACHIRUSATO) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/i0GCxrDhw2DN-za_JuzV0yTdMf0 Cc: yry@cs.yale.edu, netconf@ietf.org Subject: Re: [Netconf] Specification on netconf modifications to xpath filtering X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Nov 2014 13:35:29 -0000 [removing netmod cc since this is a netconf question] Xiao SHI wrote: > Hi folks, > > I was looking into the xpath filtering capabilities in netconf, especially > the part in Section 8.9.5.1 ( > https://tools.ietf.org/html/rfc6241#section-8.9.5.1) > > ===Question 1=== > The RFC reads: All ancestor nodes of the result node MUST be encoded first, > so the element returned in the reply contains only fully specified > subtrees, according to the underlying data model. > > How does this interact with XPATH union? > > For example, if we had a data model: > list top { > leaf server-id; > leaf user-count; > list user { > key name; > leaf name; > } > } I think you mean that 'server-id' is key in list 'top': list top { key server-id; ... > If I would like to select any user whose name is Fred and include the > server they are on as well as the user-count on those servers, I would use > XPATH query filter such as the following: > > xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> > > > > > type="xpath" > select="/t:top/t:user[t:name='fred']/../server-id | > /t:top/t:users/t:user[t:name='fred']/../user-count | > /t:top/t:users/t:user[t:name='fred']"/> > > > > Say the node set returned by the XPATH result is the following: > myServer1 > 99 > fred > myServer3 > 123 > fred > > According to the NETCONF modification, the ancestor nodes of each node in > this node set will be encoded first, meaning the returned XML contains only > fully specified subtrees. "For each such subtree, the path from the data > model root node down to the subtree, including any elements or attributes > necessary to uniquely identify the subtree, are included in the response > message." (Sec 8.9.1) > > I see two options depending on how this modification process is evaluated > in netconf: > Option 1: each node/subtree in the node set is evaluated individually and > produced the following output: >

myServer1

> fred >

myServer3

123

> fred > > Option 2: each node is put into context of the data model, and yields the > following output: > > myServer1 > 99 > fred > > > myServer3 > 123 > fred > > > Which one would NETCONF server produce? Option 2. Note that w/o any filter you would get option 2 (+ lots more, potentially). With the filter you get a proper subset of the whole thing. > ===Question 2=== > The second paragraph reads: If any sibling or ancestor nodes of the result > node are needed to identify a particular instance within a conceptual data > structure, then these nodes MUST also be encoded in the response. > > I was wondering how a server would know whether a node is needed to > "identify the instance within a conceptual data structure," i.e. is there a > detailed specification for that (other than the key of a list)? If the data modelling language for the server is YANG, then this is the keys in lists. But it depends on the DML. /martin From nobody Mon Nov 3 11:04:11 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E3AA1A6F84 for ; Mon, 3 Nov 2014 11:04:09 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.704 X-Spam-Level: * X-Spam-Status: No, score=1.704 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_210=0.6, J_CHICKENPOX_22=0.6, J_CHICKENPOX_25=0.6, J_CHICKENPOX_26=0.6, J_CHICKENPOX_62=0.6, J_CHICKENPOX_64=0.6, J_CHICKENPOX_65=0.6, RP_MATCHES_RCVD=-0.594, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lSQ9T9LlTP9c for ; Mon, 3 Nov 2014 11:04:07 -0800 (PST) Received: from mailbox.snmp.com (mailbox.snmp.com [192.147.142.80]) by ietfa.amsl.com (Postfix) with ESMTP id 29FA91A1B99 for ; Mon, 3 Nov 2014 11:04:07 -0800 (PST) Received: from mainfs.snmp.com (mainfs.snmp.com [192.147.142.124]) by mailbox.snmp.com (8.9.3p2-20030922/m.0080228) with ESMTP id OAA15372; Mon, 3 Nov 2014 14:04:00 -0500 (EST) Received: from mainfs.snmp.com (localhost [127.0.0.1]) by mainfs.snmp.com (8.14.5/8.14.5) with ESMTP id sA3J41Kg040214; Mon, 3 Nov 2014 14:04:01 -0500 (EST) (envelope-from luchuk@mainfs.snmp.com) Received: (from luchuk@localhost) by mainfs.snmp.com (8.14.5/8.14.5/Submit) id sA3J400U040213; Mon, 3 Nov 2014 14:04:00 -0500 (EST) (envelope-from luchuk) Date: Mon, 3 Nov 2014 14:04:00 -0500 (EST) From: Alan Luchuk Message-Id: <201411031904.sA3J400U040213@mainfs.snmp.com> To: , X-Mailer: mail (GNU Mailutils 2.2) Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/f0q457S-c_jqOvLFVt2zjClIGpQ Cc: netconf@ietf.org Subject: Re: [Netconf] rfc5539bis > - NC over TLS with mutual X.509 authentication X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Nov 2014 19:04:09 -0000 Hello, Kent, Tom, thanks for the helpful feedback. kw>I'm not sure if adding more sections or more words is needed - maybe this kw>is a case where less is more? Maybe we *only* need to 1) state that kw>server authentication MUST be via PKIX as defined in RFCs 5280 and 6125 kw>and 2) state anything not already covered by RFCs 5280 and 6125. I agree that less can be more, and that it is unproductive to duplicate text when a reference to existing text might be satisfactory. That said, are you suggesting: 1) Keep the existing section 2.4.1 text; 2) Replace the existing section 2.4.1 text with something much briefer that simply references RFCs 5280 and 6125; or 3) Refine the proposed text to make it briefer? The intent for the proposed replacement text for section 2.4.1 was to clarify the existing text in section 2.4.1, to address: tpetch>I think that this still needs a tweak. tpetch> tpetch>In s.2.4.1, the sentence tpetch>"If tpetch> the NETCONF client has external information as to the expected tpetch> identity of the NETCONF server, the hostname check MAY be omitted. tpetch>" tpetch>has been moved, to be immediately after the comment about performing tpetch>certificate validation as per RFC5280. Which does not make good sense tpetch>since RFC5280 is not about hostname checks. The sentence used to come tpetch>after the references to RFC6125 which is about hostnames and so made tpetch>more sense. tpetch> tpetch>But more fundamentally, I am unclear what this is saying. 'hostname tpetch>check' does not appear anywhere else. There is talk of matching but I tpetch>am unclear if that is intended. As it stands, the sentence would seem tpetch>to say, get a certificate and then ignore its contents, in which case, I tpetch>think that an example, or list, of suitable conditions needs to be there tpetch>alongside the sentence, whereever the sentence is. tpetch> To tell the truth, I find the section still confusing. There are too tpetch> many MUST and MAYs interacting here. I also see that the second tpetch> paragraph says MUST ask for user confirmation or terminate the tpetch> connection. This also seems to conflict with the notion of I think the proposed section 2.4.1 should be revised if necessary and kept because it states clearly: - that NETCONF clients using TLS must verify the server's identity; - that alternate verification mechanisms are acceptable; and - What happens if the identity verificatioN CHeck fails. The proposed new section 2.4.2 resulted from what seemed like a logical split of the replacement text for the original section 2.4.1. It attempts to clarify statements in original section 2.4.1 such as: "by the server to determine if it meets the client's expectations. If the NETCONF client has external information as to the expected identity of the NETCONF server, the hostname check MAY be omitted." I can align with any NETCONF WG consensus about the proposed replacement sections being unhelpful, too verbose, or need revision or deletion. kw>Also, I noticed that you didn't touch the original section 2.4.2. (Client kw>Identity). This is the section that is currently missing a statements kw>along the lines of: kw> - the client MUST present a X.509 certificate kw> - the client MAY also present a chain of intermediate certs to a trust kw>anchor the server is expected to trust kw> - the server MUST authenticate the client's certificate kw> - the server MAY authenticate the client's certificate using PKIX to a kw>configured trust anchor kw> - the server MAY authenticate the client's certificate if it's an exact kw>match to a previously trusted client certificate. Yes. Partly this omission was to address rfc5539bis-06 one section at a time, and partly to leave the section as-is to address the comment: kw> One last point, I'm opposed to 5539bis using kw> draft-ietf-netconf-server-model as a Normative Reference. I believe kw> that 5539bis should define the protocol on its own, and view kw> draft-ietf-netconf-server-model as just one data-model that could kw> configure it. FWIW, neither 6242 nor draft-ietf-netconf-call-home kw> have a Normative Reference draft-ietf-netconf-server-model. The idea was to have rfc5539bis simply say that the NETCONF server derives a NETCONF username from the X.509 certificate presented by the client. Draft-ietf-netconf-server-model would define one possible mechanism for deriving the NETCONF username from the X.509 certificate. If it is the WG's consensus that the existing sections 2.4.2/2.4.3 from rfc5539bis-06 need work, I can massage the bullet points you suggested into replacement text. tpetch>I am unclear on what you are proposing tpetch> tpetch>For me, there is a clear split between the validation of X.509 tpetch>certificates and the use then made of the contents thereof, tpetch>something which I do not see in the paragraphs you propose. I hope this E-mail answers these and at least explains the reason for the omission. Is understanding the mechanism for deriving NETCONF usernames from X.509 certs the primary problem you see with rfc5539bis-06? Regards, --Alan ------------------------------------------------------------------------------ Alan Luchuk SNMP Research, Inc. Voice: +1 865 573 1434 Senior Software Engineer 3001 Kimberlin Heights Road FAX: +1 865 573 9197 luchuk at snmp.com Knoxville, TN 37920-9716 http://www.snmp.com/ ------------------------------------------------------------------------------ From nobody Wed Nov 5 02:50:35 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74D8F1A885D for ; Wed, 5 Nov 2014 02:50:32 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.598 X-Spam-Level: X-Spam-Status: No, score=0.598 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, J_CHICKENPOX_61=0.6, SPF_HELO_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 13jogQ7owLTP for ; Wed, 5 Nov 2014 02:50:30 -0800 (PST) Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0725.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe00::725]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 024481A885A for ; Wed, 5 Nov 2014 02:50:29 -0800 (PST) Received: from pc6 (86.184.62.161) by DB3PR07MB060.eurprd07.prod.outlook.com (10.242.137.151) with Microsoft SMTP Server (TLS) id 15.1.6.9; Wed, 5 Nov 2014 10:37:30 +0000 Message-ID: <01ed01cff8e4$2576ac40$4001a8c0@gateway.2wire.net> From: t.petch To: Alan Luchuk , References: <201411031904.sA3J400U040213@mainfs.snmp.com> Date: Wed, 5 Nov 2014 10:34:46 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-Originating-IP: [86.184.62.161] X-ClientProxiedBy: DB4PR05CA0034.eurprd05.prod.outlook.com (25.160.40.44) To DB3PR07MB060.eurprd07.prod.outlook.com (10.242.137.151) X-MS-Exchange-Transport-FromEntityHeader: Hosted X-Microsoft-Antispam: UriScan:; X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:DB3PR07MB060; X-Forefront-PRVS: 0386B406AA X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(6009001)(189002)(13464003)(377454003)(199003)(51704005)(33646002)(61296003)(47776003)(20776003)(87976001)(81686999)(64706001)(21056001)(95666004)(554214002)(106356001)(105586002)(14496001)(107046002)(50986999)(99396003)(102836001)(120916001)(50466002)(15202345003)(97736003)(31966008)(89996001)(62966003)(77156002)(46102003)(44716002)(62236002)(76176999)(81816999)(101416001)(116806002)(77096003)(15975445006)(40100003)(92566001)(50226001)(42186005)(1941001)(4396001)(19580405001)(66066001)(23756003)(86362001)(87286001)(88136002)(104166001)(84392001)(92726001)(122386002)(93916002)(19580395003)(44736004)(7059028)(74416001)(7726001); DIR:OUT; SFP:1102; SCL:1; SRVR:DB3PR07MB060; H:pc6; FPR:; MLV:nov; PTR:InfoNoRecords; MX:1; A:0; LANG:en; X-OriginatorOrg: btconnect.com Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/a0E4SXHXZph90KqOS0GTfTmf76I Cc: netconf@ietf.org Subject: Re: [Netconf] rfc5539bis > - NC over TLS with mutual X.509 authentication X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Nov 2014 10:50:32 -0000 ----- Original Message ----- From: "Alan Luchuk" To: ; Cc: ; Sent: Monday, November 03, 2014 7:04 PM > Hello, > > tpetch>I am unclear on what you are proposing > tpetch> > tpetch>For me, there is a clear split between the validation of X.509 > tpetch>certificates and the use then made of the contents thereof, > tpetch>something which I do not see in the paragraphs you propose. > > I hope this E-mail answers these and at least explains the reason for > the omission. Is understanding the mechanism for deriving NETCONF > usernames from X.509 certs the primary problem you see with > rfc5539bis-06? No. I am reasonably comfortable with that having been through it before for SNMP and RFC5539. It is what comes earlier (or should do in my model). First, being clear that we are only covering X.509 certificates. I referred to this vaguely, Kent gave chapter and verse of text in 5539bis-06 which still hints at other things, so I need to see an I-D that makes (or doesn't) those changes (and yes, I have to wait at least for the window to open). This to me has been the biggest stumbling block. Second, I want to separate the certificate validation as a distinct step. It seems wrong, perhaps a breach of security, to talk of what to do with the contents before checking that the certificate is valid and here I refer to RFC5280, not to RFC6125. As I said, RFC5539 does a good job, I would just like that paragraph first, it seems the only sequence to make sense. If validation may consist of checking against pre-stored certificates, then I would count that as part of this step as RFC5539 does. Third comes the RFC6125 step (or variants thereon since that RFC is so HTTP focussed). We have a valid certificate but is it a relevant one, does it match, for some sense of that word, the party we are trying to set up a TLS channel with? Then, at last, we can get on with determining a user id to use with NETCONF. I am looking for that sort of structure and find it hard to discern. And yes, I agree, less is often more, when we can assume a certain familiarity with existing concepts and standards in the mind of the reader. Tom Petch > > Regards, > --Alan > > --------------------------------------------------------------------- --------- > Alan Luchuk SNMP Research, Inc. Voice: +1 865 573 1434 > Senior Software Engineer 3001 Kimberlin Heights Road FAX: +1 865 573 9197 > luchuk at snmp.com Knoxville, TN 37920-9716 http://www.snmp.com/ > --------------------------------------------------------------------- --------- > From nobody Wed Nov 5 08:08:44 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99C2F1A87E8 for ; Wed, 5 Nov 2014 00:22:07 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZC2DJbuPQvNA for ; Wed, 5 Nov 2014 00:22:06 -0800 (PST) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 43CA71A8820 for ; Wed, 5 Nov 2014 00:22:01 -0800 (PST) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit To: netconf@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 5.7.2.p1 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <20141105082201.11485.47642.idtracker@ietfa.amsl.com> Date: Wed, 05 Nov 2014 00:22:01 -0800 From: IETF Secretariat Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/hzXqhLTnCj3dXRRLtYomZhP_TyM X-Mailman-Approved-At: Wed, 05 Nov 2014 08:08:39 -0800 Subject: [Netconf] Milestones changed for netconf WG X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Nov 2014 08:22:07 -0000 Changed milestone "Submit initial WG draft for RFC5539bis", set state to active from review, accepting new milestone. Changed milestone "Submit initial WG draft for server configuration data model", set state to active from review, accepting new milestone. Changed milestone "Submit initial WG draft for NETCONF call home mechanism", set state to active from review, accepting new milestone. Changed milestone "WGLC for NETCONF call home mechanism", set state to active from review, accepting new milestone. Changed milestone "Submit NETCONF call home mechanism to AD/IESG for consideration as Proposed Standard", set state to active from review, accepting new milestone. Changed milestone "Submit server configuration data model to AD/IESG for consideration as Proposed Standard", set state to active from review, accepting new milestone. URL: http://datatracker.ietf.org/wg/netconf/charter/ From nobody Wed Nov 5 18:57:16 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC4F31A0210 for ; Wed, 5 Nov 2014 18:57:14 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.794 X-Spam-Level: X-Spam-Status: No, score=-4.794 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KbtGGVo4rxrz for ; Wed, 5 Nov 2014 18:57:12 -0800 (PST) Received: from dfwrgout.huawei.com (dfwrgout.huawei.com [206.16.17.72]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C13A01A014A for ; Wed, 5 Nov 2014 18:57:11 -0800 (PST) Received: from 172.18.9.243 (EHLO lhreml403-hub.china.huawei.com) ([172.18.9.243]) by dfwrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id AYZ30252; Wed, 05 Nov 2014 20:57:11 -0600 (CST) Received: from nkgeml409-hub.china.huawei.com (10.98.56.40) by lhreml403-hub.china.huawei.com (10.201.5.217) with Microsoft SMTP Server (TLS) id 14.3.158.1; Thu, 6 Nov 2014 02:57:08 +0000 Received: from NKGEML506-MBX.china.huawei.com ([169.254.3.162]) by nkgeml409-hub.china.huawei.com ([10.98.56.40]) with mapi id 14.03.0158.001; Thu, 6 Nov 2014 10:56:58 +0800 From: "Liubing (Leo)" To: "Ersue, Mehmet (NSN - DE/Munich)" , "Bert Wijnen (IETF)" , netconf Thread-Topic: RFC5539bis Issues to decide in IETF 91 Thread-Index: Ac/zd5aR4K2jd/eAQYepD66aNjzxlwF8tuFw Date: Thu, 6 Nov 2014 02:56:57 +0000 Message-ID: <8AE0F17B87264D4CAC7DE0AA6C406F45589E494C@nkgeml506-mbx.china.huawei.com> References: In-Reply-To: Accept-Language: en-US, zh-CN Content-Language: zh-CN X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.111.98.132] Content-Type: multipart/alternative; boundary="_000_8AE0F17B87264D4CAC7DE0AA6C406F45589E494Cnkgeml506mbxchi_" MIME-Version: 1.0 X-CFilter-Loop: Reflected Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/dRYKePOxkemzvCQKPjDB257UZig Cc: Zhengguangying , Yangang Subject: Re: [Netconf] RFC5539bis Issues to decide in IETF 91 X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Nov 2014 02:57:15 -0000 --_000_8AE0F17B87264D4CAC7DE0AA6C406F45589E494Cnkgeml506mbxchi_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi Dear all, Please see replies inline. From: Netconf [mailto:netconf-bounces@ietf.org] On Behalf Of Ersue, Mehmet = (NSN - DE/Munich) Sent: Wednesday, October 29, 2014 8:55 PM To: netconf Subject: [Netconf] RFC5539bis Issues to decide in IETF 91 Dear NETCONF WG, unfortunately the authors of the rfc5539bis draft will not be in IETF 91 me= eting. Below are two issues Juergen and the co-chairs would like to clarify. As a preparation for the IETF 91 meeting please answer the questions below = by November 8, 2014 EOB PT. The co-chairs will lead to a conclusion and finalize the decision taking in= IETF 91 NETCONF session. Especially, please state for a) and b) separately, which options you prefer= and why. I.e. add your motivation/reasoning for your choices/answers. a) Should the document become "NC over TLS with mutual X.509 authentication" and hence a different auth scheme requires another "NC over TLS with FOOBAR authentication" document or should the document be NC over TLS and we find some other way to say "if you do X.509 mutual authentication, then you have to do what is defined here; other forms of authentication may be defined in future documents". [Bing] We don't have a strong feeling on this issue. Ideally, we think it's good to have a generic authentication mechanism defi= ned in this document, but maybe it's unrealistic, so it's ok to explicitly = limit the draft to X.509. b) Should RFC 5539bis detail the algorithm how to extract a username from a certificate and then the server config model refers to that algorithm (this allows someone to implement RFC 5539bis without having to have the server config model implemented) or shall we leave the way a username is extract to the server config model document. [Bing] We tend to include it in 5539bis. This make 5539bis itself complete.= And it's more clear to explain the algorithm in the 5539bis context. Regards, Mehmet and Bert --_000_8AE0F17B87264D4CAC7DE0AA6C406F45589E494Cnkgeml506mbxchi_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hi Dear al= l,

= ;

Please see= replies inline.

= ;

From: Netconf [mailto:netconf-bounces@ietf.org] On Behalf Of Ersue, Mehmet (NSN - DE/Munich)
Sent: Wednesday, October 29, 2014 8:55 PM
To: netconf
Subject: [Netconf] RFC5539bis Issues to decide in IETF 91=

Dear NETCON= F WG,

unfortunate= ly the authors of the rfc5539bis draft will not be in IETF 91 meeting.

Below are t= wo issues Juergen and the co-chairs would like to clarify.

As a prepar= ation for the IETF 91 meeting please answer the questions below by November= 8, 2014 EOB PT.

The co-chai= rs will lead to a conclusion and finalize the decision taking in IETF 91 NE= TCONF session.

Especially,= please state for a) and b) separately, which options you prefer and why.

I.e. add yo= ur motivation/reasoning for your choices/answers.

a) Should t= he document become "NC over TLS with mutual X.509

= ; authentication" and hence a different auth scheme requires another

= ; "NC over TLS with FOOBAR authentication" document or should the=

= ; document be NC over TLS and we find some other way to say "if you

= ; do X.509 mutual authentication, then you have to do what is defined

= ; here; other forms of authentication may be defined in future

= ; documents".

[Bing] We = don’t have a strong feeling on this issue.

Ideally, w= e think it’s good to have a generic authentication mechanism defined = in this document, but maybe it’s unrealistic, so it’s ok to exp= licitly limit the draft to X.509.

= ;

b) Should R= FC 5539bis detail the algorithm how to extract a username

= ; from a certificate and then the server config model refers to that=

= ; algorithm (this allows someone to implement RFC 5539bis without

= ; having to have the server config model implemented) or shall we

= ; leave the way a username is extract to the server config model

= ; document.

[Bing] We = tend to include it in 5539bis. This make 5539bis itself complete. And it= 217;s more clear to explain the algorithm in the 5539bis context.

Regards,

Mehmet and = Bert

--_000_8AE0F17B87264D4CAC7DE0AA6C406F45589E494Cnkgeml506mbxchi_-- From nobody Thu Nov 6 02:41:52 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 041CD1A1AD0 for ; Thu, 6 Nov 2014 02:41:50 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id amQ3Sq5_DZ4u for ; Thu, 6 Nov 2014 02:41:48 -0800 (PST) Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0739.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe00::739]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C67F01A1AB0 for ; Thu, 6 Nov 2014 02:41:47 -0800 (PST) Received: from DBXPR07MB063.eurprd07.prod.outlook.com (10.242.147.22) by DBXPR07MB414.eurprd07.prod.outlook.com (10.141.14.144) with Microsoft SMTP Server (TLS) id 15.1.6.9; Thu, 6 Nov 2014 10:12:09 +0000 Received: from pc6 (86.184.62.161) by DBXPR07MB063.eurprd07.prod.outlook.com (10.242.147.22) with Microsoft SMTP Server (TLS) id 15.1.11.14; Thu, 6 Nov 2014 10:12:08 +0000 Message-ID: <00be01cff9a9$c0bdfee0$4001a8c0@gateway.2wire.net> From: t.petch To: "Ersue, Mehmet (NSN - DE/Munich)" , netconf References: Date: Thu, 6 Nov 2014 10:09:20 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-Originating-IP: [86.184.62.161] X-ClientProxiedBy: DB4PR02CA0014.eurprd02.prod.outlook.com (10.242.174.142) To DBXPR07MB063.eurprd07.prod.outlook.com (10.242.147.22) X-MS-Exchange-Transport-FromEntityHeader: Hosted X-Microsoft-Antispam: UriScan:;UriScan:; X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:DBXPR07MB063; X-Forefront-PRVS: 0387D64A71 X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(6009001)(189002)(199003)(13464003)(377454003)(15584002)(101416001)(14496001)(120916001)(81686999)(97736003)(44736004)(42186005)(106356001)(99396003)(21056001)(95666004)(4396001)(102836001)(105586002)(87286001)(86362001)(33646002)(61296003)(107886001)(107046002)(122386002)(87976001)(23756003)(89996001)(88136002)(19580395003)(15975445006)(19580405001)(46102003)(50466002)(20776003)(81816999)(76176999)(116806002)(50226001)(77156002)(62966003)(50986999)(84392001)(44716002)(93916002)(31966008)(104166001)(62236002)(64706001)(66066001)(47776003)(92726001)(77096003)(92566001)(40100003)(74416001)(7726001); DIR:OUT; SFP:1102; SCL:1; SRVR:DBXPR07MB063; H:pc6; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:0; LANG:en; X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:DBXPR07MB414; X-OriginatorOrg: btconnect.com Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/C3xr82lUZ5liaD50Dkt34b-5xAk Subject: Re: [Netconf] RFC5539bis Issues to decide in IETF 91 X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Nov 2014 10:41:50 -0000 ----- Original Message ----- From: "Ersue, Mehmet (NSN - DE/Munich)" To: "netconf" Sent: Wednesday, October 29, 2014 12:55 PM b) Should RFC 5539bis detail the algorithm how to extract a username from a certificate and then the server config model refers to that algorithm (this allows someone to implement RFC 5539bis without having to have the server config model implemented) or shall we leave the way a username is extract to the server config model document. Re-reading this as people reply to it, I think the logic is false. Putting the algorithm into netconf-server in no way requires people to implement the whole of netconf-server. It only requires them to go off and read netconf-server in order to write the code that presents an interface to the Internet that will interwork with other boxes. Our RFC often contain words to the effect that here is how to do it but there is no need whatsoever to do it this way as long as the implementation presents the same appearance to the outside world. That is, we define protocols, whether you can peer inside a box and see a perfect replica of a data structure that appears in an RFC is irrelevant (ever seen an RMON MIB Module?). So there is a point to resolve, whether 5539bis is complete in itself and so will get updated or contradicted by other I-D as time goes by, or we take the relational database approach and put information in just the one place and have others link to it. I have been a fan of relational databases for about 40 years now. Tom Petch Regards, Mehmet and Bert ------------------------------------------------------------------------ -------- > _______________________________________________ > Netconf mailing list > Netconf@ietf.org > https://www.ietf.org/mailman/listinfo/netconf > From nobody Thu Nov 6 14:09:31 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D993C1A923C for ; Thu, 6 Nov 2014 14:09:20 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jRQsRKO0JjnT for ; Thu, 6 Nov 2014 14:09:13 -0800 (PST) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0103.outbound.protection.outlook.com [65.55.169.103]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12D2B1A9138 for ; Thu, 6 Nov 2014 14:09:12 -0800 (PST) Received: from CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) by CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) with Microsoft SMTP Server (TLS) id 15.1.11.14; Thu, 6 Nov 2014 22:09:10 +0000 Received: from CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.166]) by CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.166]) with mapi id 15.01.0011.000; Thu, 6 Nov 2014 22:09:10 +0000 From: Kent Watsen To: "Ersue, Mehmet (NSN - DE/Munich)" , netconf Thread-Topic: [Netconf] Draft Agenda for the IETF 91 NETCONF Session Thread-Index: AQHP+WhhmLI7Flw7akaGOaSh2crkCQ== Date: Thu, 6 Nov 2014 22:09:10 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.4.4.140807 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [66.129.239.10] x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:CO1PR05MB458; x-exchange-antispam-report-test: UriScan:; x-forefront-prvs: 0387D64A71 x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(189002)(199003)(164054003)(66066001)(106356001)(40100003)(21056001)(2656002)(31966008)(107046002)(122556002)(77156002)(105586002)(36756003)(4396001)(95666004)(99286002)(64706001)(106116001)(20776003)(107886001)(62966003)(86362001)(120916001)(87936001)(92566001)(83506001)(54356999)(77096003)(99396003)(46102003)(97736003)(16236675004)(50986999)(92726001)(101416001); DIR:OUT; SFP:1102; SCL:1; SRVR:CO1PR05MB458; H:CO1PR05MB458.namprd05.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en; Content-Type: multipart/alternative; boundary="_000_D08015A987D1Ckwatsenjunipernet_" MIME-Version: 1.0 X-OriginatorOrg: juniper.net Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/re00ySAgMbvZaYodE-DMDmN0d3w Subject: Re: [Netconf] Draft Agenda for the IETF 91 NETCONF Session X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Nov 2014 22:09:21 -0000 --_000_D08015A987D1Ckwatsenjunipernet_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi Mehmet, After reviewing my slides, it seems that the following times for my drafts = are good (saving 10 minutes): 1. NETCONF Call Home - K. Watsen (15 min.) 3. NETCONF Server Configuration Model - K. Watsen (15 min.) 6. Zero Touch Provisioning for NETCONF Call Home (ZeroTouch) - K. Wat= sen (10 min.) Thanks, Kent --_000_D08015A987D1Ckwatsenjunipernet_ Content-Type: text/html; charset="us-ascii" Content-ID: Content-Transfer-Encoding: quoted-printable

Hi Mehmet,

After reviewing my slides, it seems that the following times for my dr= afts are good (saving 10 minutes):

1. NETCONF Call Home - K. Watsen (15 min.)

3. NETCONF Server Configuration Model - K. Watsen= (15 min.)

6. Zero Touch Provisioning for NETCONF Call Home = (ZeroTouch) - K. Watsen (10 min.)

Thanks,

Kent

--_000_D08015A987D1Ckwatsenjunipernet_-- From nobody Fri Nov 7 05:32:35 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3E7B1ACFD6 for ; Fri, 7 Nov 2014 05:32:33 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j_wxP19cfbQf for ; Fri, 7 Nov 2014 05:32:31 -0800 (PST) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0711.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::711]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EF201ACF79 for ; Fri, 7 Nov 2014 05:32:30 -0800 (PST) Received: from CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) by CO1PR05MB460.namprd05.prod.outlook.com (10.141.72.152) with Microsoft SMTP Server (TLS) id 15.1.16.15; Fri, 7 Nov 2014 13:32:08 +0000 Received: from CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.166]) by CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.166]) with mapi id 15.01.0011.000; Fri, 7 Nov 2014 13:32:08 +0000 From: Kent Watsen To: "Ersue, Mehmet (NSN - DE/Munich)" , netconf Thread-Topic: [Netconf] RFC5539bis Issues to decide in IETF 91 Thread-Index: AQHP+o864K2jd/eAQYepD66aNjzxlw== Date: Fri, 7 Nov 2014 13:32:08 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.4.4.140807 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [66.129.239.10] x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:CO1PR05MB460; x-exchange-antispam-report-test: UriScan:; x-forefront-prvs: 03883BD916 x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(377454003)(164054003)(15584002)(189002)(199003)(77156002)(77096003)(62966003)(40100003)(66066001)(122556002)(64706001)(99286002)(95666004)(107886001)(107046002)(105586002)(106116001)(106356001)(99396003)(19625215002)(86362001)(92566001)(92726001)(120916001)(46102003)(101416001)(2656002)(87936001)(97736003)(54356999)(16236675004)(4396001)(31966008)(19580405001)(20776003)(83506001)(19580395003)(50986999)(36756003)(21056001); DIR:OUT; SFP:1102; SCL:1; SRVR:CO1PR05MB460; H:CO1PR05MB458.namprd05.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en; Content-Type: multipart/alternative; boundary="_000_D0815CE388310kwatsenjunipernet_" MIME-Version: 1.0 X-OriginatorOrg: juniper.net Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/mO89VQZ5A-wnQov8y7ZXF1F7rpA Subject: Re: [Netconf] RFC5539bis Issues to decide in IETF 91 X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Nov 2014 13:32:33 -0000 --_000_D0815CE388310kwatsenjunipernet_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I said all this before, but am replying again now to ensure it's in this th= read as well. (a) yes, it reflects what 5539 was before, or at least I think it intended = to be, and it seems helpful to provide that clarity. Looking at it from a= nother angle, if we extend the scope to non-X.509 mechanisms, it would be h= ard support on the server-model draft, which I'm very much hoping to wrap u= p in the near term. (b) I'm a proponent for RFC5539bis being self-contained in describing what = is required. If it requires client-certificate based auth, then it should = say so (it doesn't currently). To the specific question regarding extracti= ng a username from a client cert, I think the question is, is it something = that is specific to 5539bis or a data-model? - stated another way, is ther= e an expectation that client-certificates work across NETCONF servers, rega= rdless which config model is used? I know that it's been mentioned that th= e reference to the server-model doesn't mean the server-model has to be imp= lemented, but to me there potential for confusion. Lastly, I don't foresee= this creating overlap as, if 5539bis had these requirements explained, the= server-model would remove that text, referencing the 5539bis section(s) in= stead. Putting this into perspective, I don't think we're talking about a = lot of text that would need to go into 5539bis, just enough to declare *wha= t* needs to be supported, and then let server-model describe *how* it is su= pported. Thanks, Kent From: , "Mehmet (NSN - DE/Munich)" > Date: Wednesday, October 29, 2014 at 7:55 AM To: NetConf > Subject: [Netconf] RFC5539bis Issues to decide in IETF 91 Dear NETCONF WG, unfortunately the authors of the rfc5539bis draft will not be in IETF 91 me= eting. Below are two issues Juergen and the co-chairs would like to clarify. As a preparation for the IETF 91 meeting please answer the questions below = by November 8, 2014 EOB PT. The co-chairs will lead to a conclusion and finalize the decision taking in= IETF 91 NETCONF session. Especially, please state for a) and b) separately, which options you prefer= and why. I.e. add your motivation/reasoning for your choices/answers. a) Should the document become "NC over TLS with mutual X.509 authentication" and hence a different auth scheme requires another "NC over TLS with FOOBAR authentication" document or should the document be NC over TLS and we find some other way to say "if you do X.509 mutual authentication, then you have to do what is defined here; other forms of authentication may be defined in future documents". b) Should RFC 5539bis detail the algorithm how to extract a username from a certificate and then the server config model refers to that algorithm (this allows someone to implement RFC 5539bis without having to have the server config model implemented) or shall we leave the way a username is extract to the server config model document. Regards, Mehmet and Bert --_000_D0815CE388310kwatsenjunipernet_ Content-Type: text/html; charset="us-ascii" Content-ID: <12BABAF73B500547962625C643E35260@namprd05.prod.outlook.com> Content-Transfer-Encoding: quoted-printable

I said all this before, but am replying again now to ensure it's in th= is thread as well.

(a) yes, it reflects what 5539 was before, or at least I think it inte= nded to be, and it seems helpful to provide that clarity. Looking at= it from another angle, if we extend the scope to non-X.509 mechanisms, it = would be hard support on the server-model draft, which I'm very much hoping to wrap up in the near term.

(b) I'm a proponent for RFC5539bis being self-contained in describing = what is required. If it requires client-certificate based auth, then = it should say so (it doesn't currently). To the specific question reg= arding extracting a username from a client cert, I think the question is, is it something that is specific to 5539bis= or a data-model? - stated another way, is there an expectation that = client-certificates work across NETCONF servers, regardless which config mo= del is used? I know that it's been mentioned that the reference to the server-model doesn't mean the server-model has t= o be implemented, but to me there potential for confusion. Lastly, I = don't foresee this creating overlap as, if 5539bis had these requirements e= xplained, the server-model would remove that text, referencing the 5539bis section(s) instead. Putting this = into perspective, I don't think we're talking about a lot of text that woul= d need to go into 5539bis, just enough to declare *what* needs to be suppor= ted, and then let server-model describe *how* it is supported.

Thanks,

Kent

From: <Ersue>, "Mehmet (= NSN - DE/Munich)" <mehmet.e= rsue@nsn.com>
Date: Wednesday, October 29, 2014 a= t 7:55 AM
To: NetConf <netconf@ietf.org>
Subject: [Netconf] RFC5539bis Issue= s to decide in IETF 91

Dear NETCONF WG,

unfortunately the authors of the rfc5539bis dr= aft will not be in IETF 91 meeting.

Below are two issues Juergen and the co-chairs= would like to clarify.

As a preparation for the IETF 91 meeting pleas= e answer the questions below by November 8, 2014 EOB PT.

The co-chairs will lead to a conclusion and fi= nalize the decision taking in IETF 91 NETCONF session.

Especially, please state for a) and b) separat= ely, which options you prefer and why.

I.e. add your motivation/reasoning for your ch= oices/answers.

a) Should the document become "NC over TL= S with mutual X.509

authentication" and hence a = different auth scheme requires another

"NC over TLS with FOOBAR aut= hentication" document or should the

document be NC over TLS and we fi= nd some other way to say "if you

do X.509 mutual authentication, t= hen you have to do what is defined

here; other forms of authenticati= on may be defined in future

documents".

b) Should RFC 5539bis detail the algorithm how= to extract a username

from a certificate and then the s= erver config model refers to that

algorithm (this allows someone to= implement RFC 5539bis without

having to have the server config = model implemented) or shall we

leave the way a username is extra= ct to the server config model

document.

Regards,

Mehmet and Bert

&nbs= p;

--_000_D0815CE388310kwatsenjunipernet_-- From nobody Wed Nov 12 01:14:57 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA61B1A1B1C for ; Wed, 12 Nov 2014 01:14:40 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.495 X-Spam-Level: X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, J_CHICKENPOX_29=0.6, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YL2X8-FIii-q for ; Wed, 12 Nov 2014 01:14:35 -0800 (PST) Received: from mail.tail-f.com (mail.tail-f.com [83.241.162.140]) by ietfa.amsl.com (Postfix) with ESMTP id 83AF31A883E for ; Wed, 12 Nov 2014 01:13:59 -0800 (PST) Received: from localhost (unknown [193.13.112.215]) by mail.tail-f.com (Postfix) with ESMTPSA id A69731280A11 for ; Wed, 12 Nov 2014 10:13:55 +0100 (CET) Date: Wed, 12 Nov 2014 10:13:55 +0100 (CET) Message-Id: <20141112.101355.423478429.mbj@tail-f.com> To: netconf@ietf.org From: Martin Bjorklund X-Mailer: Mew version 6.5 on Emacs 24.3 / Mule 6.0 (HANACHIRUSATO) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/nxSYx7B3_F1IaPMz7AbaPUqxZ00 Subject: [Netconf] usage of groupings X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Nov 2014 09:14:40 -0000 Hi, At the meeting yesterday the issue of RESTCONF's usage of groupings to define data structures came up. I'd like to point out that it is perfectly legal to define groupings that are not being used. What is unorthodox is that RESTCONF ties the contents of these groupings to a YANG module name / namespace not by 'uses' but in english text in the document (this text needs to be clarified if we keep this construct). This isn't worse than defining the complete structure in plain text. The problem we're trying to solve is to have a single, formal, definition of these structures, than can be encoded in XML or JSON. If we were to use XSD it wouldn't work for JSON, and if we were to use JSON schema (or whatever) it wouldn't work for XML. One alternative to this is to define an extension statement: extension structure { argument name; description "Introduces a named data structure without any semantics attached. The data nodes in the structure are defined in the namespace of the module defining the structure." } Then we would replace the groupings with: rc:structure errors { container errors { ... } } rc:structure collection { container collection { .... } } and so on. Or even better, add such a statement to YANG 1.1. (incidentally, we have such an extension in our implementation that we use for this and similar purposes...) /martin From nobody Wed Nov 12 01:25:59 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F8A61A212D for ; Wed, 12 Nov 2014 01:25:54 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.544 X-Spam-Level: X-Spam-Status: No, score=-1.544 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, J_CHICKENPOX_29=0.6, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.594] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R1TXK59SwgeP for ; Wed, 12 Nov 2014 01:25:51 -0800 (PST) Received: from atlas3.jacobs-university.de (atlas3.jacobs-university.de [212.201.44.18]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5043F1A873B for ; Wed, 12 Nov 2014 01:25:49 -0800 (PST) Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas3.jacobs-university.de (Postfix) with ESMTP id 64530100E; Wed, 12 Nov 2014 10:25:47 +0100 (CET) X-Virus-Scanned: amavisd-new at jacobs-university.de Received: from atlas3.jacobs-university.de ([10.70.0.220]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10030) with ESMTP id RiNdb9OCGJOq; Wed, 12 Nov 2014 10:25:33 +0100 (CET) Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas3.jacobs-university.de (Postfix) with ESMTPS; Wed, 12 Nov 2014 10:25:46 +0100 (CET) Received: from localhost (demetrius4.jacobs-university.de [212.201.44.49]) by hermes.jacobs-university.de (Postfix) with ESMTP id 7F08F20013; Wed, 12 Nov 2014 10:25:46 +0100 (CET) X-Virus-Scanned: amavisd-new at jacobs-university.de Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius4.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id sX_0tGbePX1v; Wed, 12 Nov 2014 10:25:45 +0100 (CET) Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 711F82002C; Wed, 12 Nov 2014 10:25:45 +0100 (CET) Received: by elstar.local (Postfix, from userid 501) id 936FA2F7CCFF; Wed, 12 Nov 2014 10:25:44 +0100 (CET) Date: Wed, 12 Nov 2014 10:25:43 +0100 From: Juergen Schoenwaelder To: Martin Bjorklund Message-ID: <20141112092543.GA54331@elstar.local> Mail-Followup-To: Martin Bjorklund , netconf@ietf.org References: <20141112.101355.423478429.mbj@tail-f.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20141112.101355.423478429.mbj@tail-f.com> User-Agent: Mutt/1.4.2.3i Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/jzjuzPf3ClMWUlhUqQx6W2-QkQA Cc: netconf@ietf.org Subject: Re: [Netconf] usage of groupings X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Juergen Schoenwaelder List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Nov 2014 09:25:56 -0000 Martin, is what you propose generally useful or are you just trying to solve a corner problem with the definition of RESTCONF? If the later, the price of adding a new construct may be high, no? Is the idea here to provide a mechanism to define arbitrary XML/JSON protocol messages in YANG? And why would this go into YANG 1.1? If this mechanism is needed at all, would it not be possible to define it separately as a proper YANG extension? (And you know that the YANG 1.1 issue collection ended months ago and this does not seem to qualify as a bug fix.) /js On Wed, Nov 12, 2014 at 10:13:55AM +0100, Martin Bjorklund wrote: > Hi, > > At the meeting yesterday the issue of RESTCONF's usage of groupings to > define data structures came up. > > I'd like to point out that it is perfectly legal to define groupings > that are not being used. > > What is unorthodox is that RESTCONF ties the contents of these > groupings to a YANG module name / namespace not by 'uses' but in > english text in the document (this text needs to be clarified if we > keep this construct). This isn't worse than defining the complete > structure in plain text. > > The problem we're trying to solve is to have a single, formal, > definition of these structures, than can be encoded in XML or JSON. > If we were to use XSD it wouldn't work for JSON, and if we were to use > JSON schema (or whatever) it wouldn't work for XML. > > One alternative to this is to define an extension statement: > > extension structure { > argument name; > description > "Introduces a named data structure without any semantics > attached. The data nodes in the structure are defined in the > namespace of the module defining the structure." > } > > Then we would replace the groupings with: > > rc:structure errors { > container errors { > ... > } > } > > rc:structure collection { > container collection { > .... > } > } > > and so on. > > Or even better, add such a statement to YANG 1.1. > > (incidentally, we have such an extension in our implementation that we > use for this and similar purposes...) > -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany Fax: +49 421 200 3103 From nobody Wed Nov 12 04:19:28 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3C171A896A for ; Wed, 12 Nov 2014 04:19:26 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.495 X-Spam-Level: X-Spam-Status: No, score=-2.495 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RE-5Yy3Cwa_8 for ; Wed, 12 Nov 2014 04:19:24 -0800 (PST) Received: from mail.tail-f.com (mail.tail-f.com [83.241.162.140]) by ietfa.amsl.com (Postfix) with ESMTP id C683A1A895D for ; Wed, 12 Nov 2014 04:19:23 -0800 (PST) Received: from localhost (unknown [193.13.112.215]) by mail.tail-f.com (Postfix) with ESMTPSA id A8D6E1280471; Wed, 12 Nov 2014 13:19:18 +0100 (CET) Date: Wed, 12 Nov 2014 13:19:17 +0100 (CET) Message-Id: <20141112.131917.433419253.mbj@tail-f.com> To: kwatsen@juniper.net From: Martin Bjorklund In-Reply-To: References: <20140723.190110.325781546.mbj@tail-f.com> X-Mailer: Mew version 6.5 on Emacs 24.3 / Mule 6.0 (HANACHIRUSATO) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/XCa6jJBZlpoy4nOdHrEAI_hwrAU Cc: netconf@ietf.org Subject: Re: [Netconf] review of draft-ietf-netconf-zerotouch-00 X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Nov 2014 12:19:27 -0000 Hi, Kent Watsen wrote: > > A late response, but I've been focused on call-home and server-model...and > there were very few comments on zero-touch. Anyway, here goes! -01 takes care of most of my issues, thanks! See below for some remaining questions. > >o sec 4.2 > > > > The picture says "IDevID entity". What is this entity? > > The line is intended to be expanded to read "IDevID entity *certificate* > and associated intermediate certificates". I'm trying to economize space > so it'll fit within the 72-column limit. > > Or is your question more generally what is an IDevID, as defined in the > subsequent paragraph? No, the question was really what you mean with "IDevID entity". Maybe it would be better to replace "IDevID entity & associated intermediate certificate(s)" with simply "IDevID". The text below expands on what the IDevID contains. > >o sec 4.2 > > > > Devices supporting ZeroTouch MUST be pre-provisioned with one or more > > URIs for Internet-based Configuration Servers. > > > > Why is this a MUST? (or why "one or more"?). It seems to me that > > the DHCP option could be used instead of manual pre-provisioning. > > > > Do you expect these config server URIs to be part of the normal > > config? See more below. > > The DHCP option is only effective for the "locally administered network" > use case (see section 1.3). When the network is administered remotely, > the DHCP option is very unlikely to be set and therefore the device will > have no resource but to fallback to trying URIs. Makes sense? So a vendor can never build a device that is supposed to be used only in the "locally administered network", i.e., rely on DHCP? This MUST can never really be verified - one way for a device to comply with this MUST is to put a dummy URI there that doesn't resolve to anything useful. So why do we have this as a MUST? > >o sec 4.2 > > > > confidentially and not available outside the DevID module > > > > What is "DevID module"? > > This sentence is based on Section 6.2.5 (Storage) of the 802.1AR spec, > which that sentence references just before the section you clipped out. > It refers to the cryptographic boundary defined by the specification. > > Two options: > 1. Call out more specifically section 6.2.5 > 2. Replace the term "IDevID module" with simple text meaning the same thing In general I like documents that have clear terminology, and specifically a list of the terms they import, and the new terms they define. It minimizes the risk of confusion. In this particular case, the term "DevID Module" is defined in 802.1AR (note, not IDevID Module which -01 uses). As an alternative to a terminology section, maybe you can just write "outside the DevID module (as defined in [...])" > >o sec 5.1 > > > > You have the list of expected device identifiers in immutable > > storage - that seems to indicate that it not possible to ever add a > > new device! > > I think you mean section 5.2. Nonetheless, to your point, the diagram is > trying to express storage attributes from the perspective of an entity > outside the module (the NMS in this case). An outsider cannot write the > immutable storage and cannot read or write secure storage. Anyway, > that's what I meant by this diagram and also the one in section 4.2. Is > it OK? Hmm, maybe it is just me, but if I see the term "immutable" I think it means that the info cannot be changed at all. What you are really saying is that the list of trusted certs and uids should be protected. BTW, s/// in the figure, and s/This certificates/These certificates/ in the text. Also, you have: In order to authenticate the device, the NMS MUST possess the X.509 certificate for the trust anchor leading to the device's entity certificate. what is the "device's entity certificate"? (I couldn't find this term in the IEEE spec; I assume you mean the IDevID cert). > >o sec 7.2 > > > > The term "unique-identifier" is pretty generic. Should it simply be > > "device-identifier" instead? > > True, but "unique-identifier" or "UID" is used throughout the draft, and > both the text and the YANG module state exactly what it needs to be. The doc currently has "unique identifier", "unique device identifier" and "device unique identifier". I think the unqualified "unique identifier" should be avoided, and that the XML element in the Configlet should use be named "unique-device-identifier". BTW, remove section 7.2 - the YANG model is gone. > >o sec 7.5, leaf software-version > > > > "The device MUST must be running this version of software. > > The value for this field is device-specific, but it MUST > > be an exact match (e.g., 14.1R2.5)"; > > > > Why is this MUST be exact match? It seems inflexible to me. Since > > the field is vendor specific anyway, why not let the match > > algorithm be vendor specific as well? > > > > Also, should this really be mandatory? > > This is a tough question. > > On one hand, we have cases where the Configlet is using vendor-specific > data-models (not ietf-system and ietf-netconf-server), and hence is > specific to a software release...or at least generated using a specific > revision of the vendor-specific module. It *might* work with other > versions, we only know for sure that it will work on the specific version. > If the NETCONF server is namespace-aware, it likely results in it only > supporting exact matches. Of course, SDO-defined modules are used, there > is a greater likelihood that more than one version can support it. > > Then there is the case of expectations, the NMS very likely requires the > device to be running a very specific software version, as it is what has > been qualified for production. Maybe, or a set of versions. > If the device doesn't so up with an exact > match, the NMS will have to first push the correct image to the device. > Yes, it could be done, but why should NMSs have to do this if the network > infrastructure can do it for them? > > Thoughts? The question is if it is necessary for this spec to say MUST be exact match. I think we should leave this to vendors to define. > >o sec 8.2 > > > > Remove the text about how a timestamp *could* be used? > > > But this is the Security Considerations section and clock-based attacks > are not uncommon. What is your suggestion? The text is: However, it is possible to substitute a Configlet created for a device with a different Configlet created for the same device. Generally, unless imposed by the Configuration Signers, there is no limit to the number of Configlets that may be generated for a given device. This could be resolved, in part, by placing a timestamp into the Configlet and ensuring devices do not load Configlets older than some amount, but this requires the devices have an accurate clock when validating a Configlet and for Configuration Signers to not sign a Configlet when another Configlet is still active. So are you saying that any vendor can reolve this by placing a timestamp in the Configlet? I don't think so. I think you mean that this could have been resolved by placing a timestamp..., but since this would require devices to have accurate clocks, this solution was rejected. > >o signing / encrypting configlets > > > > I think you need to specify somewhere how the signature is inserted > > into the configlet XML document. Currently the only hint the reader > > get is from an example... > > > > Same for encryption, and in this case the example is also tbd. > > > Did you see sections 7.3 (Signature) and 7.4 (Encryption)? > > Are you looking for something like a tutorial that starts with an unsigned > Configlet and then signs it with a key and then shows the resulting signed > Configlet? No, I think this just shows how little I know about XML Signatures... Particularly, can the element be placed anywhere in the XML document? Are all Transforms supported? Are all DigestMethods supported? Etc. If the answer is that this obvious from the XML Signature spec, then that is fine. /martin From nobody Wed Nov 12 09:11:39 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B6C51A8F3D for ; Wed, 12 Nov 2014 09:11:30 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.379 X-Spam-Level: X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_29=0.6, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4D1wV5U0s-ZY for ; Wed, 12 Nov 2014 09:11:28 -0800 (PST) Received: from mail-qc0-f174.google.com (mail-qc0-f174.google.com [209.85.216.174]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 782161A8F4B for ; Wed, 12 Nov 2014 09:08:56 -0800 (PST) Received: by mail-qc0-f174.google.com with SMTP id r5so9511039qcx.19 for ; Wed, 12 Nov 2014 09:08:55 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=fjmBmuZQF1owba8SdLOEkJHIzrZnF+CQDQB1T45Ir/8=; b=Adyn4UYQAUgjo9VOSg0n7xkJK1rk711O6p0JEi6e6kMAVU5rTZ8KRaSYJb0pLKGjC2 wxfRPh7bTLJLKRyCJKyBiN3SpqFr3GTUgg0dmotZU4vHkuu80amfk29m7EaMz1IebVK6 qzYVCvcMQ+XUcy396W/JIZrOJ2KTDllexb4rMML30VVr8UDGPTsgGweTuJ0/nFSHbgTc Dr5Rwyfi4FtUJ/t11ZhPlNy4gxFM8P6UgYvc7BLolHsC7s3JT6m9+2a4b8YPUuwdWodY IJpX29cXZM7T4254VAyC9FuIQsyy7vG37GGppais1VkpPULMsM/rYnzBFW4GFaJgK0fi xe2A== X-Gm-Message-State: ALoCoQnk5+uWIkuILY6krhOxEUoF6BBug1H65O2DSaAlwPjtCPRtoUD+e6R0B/u/8HLT2FpqH52a MIME-Version: 1.0 X-Received: by 10.229.105.196 with SMTP id u4mr62474789qco.27.1415812135421; Wed, 12 Nov 2014 09:08:55 -0800 (PST) Received: by 10.140.37.52 with HTTP; Wed, 12 Nov 2014 09:08:55 -0800 (PST) In-Reply-To: <20141112.101355.423478429.mbj@tail-f.com> References: <20141112.101355.423478429.mbj@tail-f.com> Date: Wed, 12 Nov 2014 09:08:55 -0800 Message-ID: From: Andy Bierman To: Martin Bjorklund Content-Type: text/plain; charset=UTF-8 Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/NgPKMJAc1hSbyR37D2xeNZB_c0o Cc: Netconf Subject: Re: [Netconf] usage of groupings X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Nov 2014 17:11:31 -0000 On Wed, Nov 12, 2014 at 1:13 AM, Martin Bjorklund wrote: > Hi, > > At the meeting yesterday the issue of RESTCONF's usage of groupings to > define data structures came up. > > I'd like to point out that it is perfectly legal to define groupings > that are not being used. > > What is unorthodox is that RESTCONF ties the contents of these > groupings to a YANG module name / namespace not by 'uses' but in > english text in the document (this text needs to be clarified if we > keep this construct). This isn't worse than defining the complete > structure in plain text. +1 I would like to keep using groupings for this purpose. What if I want to use these definitions in my data models? I cannot do that unless the definitions are in groupings. For example, let's say my app has a structured log file format and I want to log the in the response? It is perfectly reasonable to use the grouping instead of cut and pasting. For this purpose, a YANG extension is worthless. Only a grouping provides the reusable definitions without hacking or copying. Andy > > The problem we're trying to solve is to have a single, formal, > definition of these structures, than can be encoded in XML or JSON. > If we were to use XSD it wouldn't work for JSON, and if we were to use > JSON schema (or whatever) it wouldn't work for XML. > > One alternative to this is to define an extension statement: > > extension structure { > argument name; > description > "Introduces a named data structure without any semantics > attached. The data nodes in the structure are defined in the > namespace of the module defining the structure." > } > > Then we would replace the groupings with: > > rc:structure errors { > container errors { > ... > } > } > > rc:structure collection { > container collection { > .... > } > } > > and so on. > > Or even better, add such a statement to YANG 1.1. > > (incidentally, we have such an extension in our implementation that we > use for this and similar purposes...) > > > > /martin > > _______________________________________________ > Netconf mailing list > Netconf@ietf.org > https://www.ietf.org/mailman/listinfo/netconf From nobody Wed Nov 12 09:43:40 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 998B31A010F for ; Wed, 12 Nov 2014 09:43:37 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.895 X-Spam-Level: X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_29=0.6, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ULMU0Gp_Gb4t for ; Wed, 12 Nov 2014 09:43:35 -0800 (PST) Received: from mail.tail-f.com (mail.tail-f.com [83.241.162.140]) by ietfa.amsl.com (Postfix) with ESMTP id 355611A0394 for ; Wed, 12 Nov 2014 09:43:34 -0800 (PST) Received: from localhost (unknown [193.13.112.215]) by mail.tail-f.com (Postfix) with ESMTPSA id D7FEC1280B72; Wed, 12 Nov 2014 18:43:33 +0100 (CET) Date: Wed, 12 Nov 2014 18:43:33 +0100 (CET) Message-Id: <20141112.184333.431022222.mbj@tail-f.com> To: j.schoenwaelder@jacobs-university.de From: Martin Bjorklund In-Reply-To: <20141112092543.GA54331@elstar.local> References: <20141112.101355.423478429.mbj@tail-f.com> <20141112092543.GA54331@elstar.local> X-Mailer: Mew version 6.5 on Emacs 24.3 / Mule 6.0 (HANACHIRUSATO) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/7D465tM5ZVvcsf3pG4ih4MX2TpU Cc: netconf@ietf.org Subject: Re: [Netconf] usage of groupings X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Nov 2014 17:43:37 -0000 Juergen Schoenwaelder wrote: > Martin, > > is what you propose generally useful or are you just trying to solve a > corner problem with the definition of RESTCONF? If the later, the > price of adding a new construct may be high, no? Is the idea here to > provide a mechanism to define arbitrary XML/JSON protocol messages in > YANG? I think this could be useful in other cases than RESTCONF. The goal is not to provide a mechanism to define arbitrary XML/JSON messages, but of course this might happen if people see that it can be used in this way. > And why would this go into YANG 1.1? If this mechanism is needed at > all, would it not be possible to define it separately as a proper YANG > extension? It is unclear if such an extension can be said to define a new type of data definition statement and as such make it possible to use normal augment - e.g., would this be ok with the error structure: augment /rc:errors { ... } > (And you know that the YANG 1.1 issue collection ended > months ago and this does not seem to qualify as a bug fix.) Sure... /martin > > /js > > On Wed, Nov 12, 2014 at 10:13:55AM +0100, Martin Bjorklund wrote: > > Hi, > > > > At the meeting yesterday the issue of RESTCONF's usage of groupings to > > define data structures came up. > > > > I'd like to point out that it is perfectly legal to define groupings > > that are not being used. > > > > What is unorthodox is that RESTCONF ties the contents of these > > groupings to a YANG module name / namespace not by 'uses' but in > > english text in the document (this text needs to be clarified if we > > keep this construct). This isn't worse than defining the complete > > structure in plain text. > > > > The problem we're trying to solve is to have a single, formal, > > definition of these structures, than can be encoded in XML or JSON. > > If we were to use XSD it wouldn't work for JSON, and if we were to use > > JSON schema (or whatever) it wouldn't work for XML. > > > > One alternative to this is to define an extension statement: > > > > extension structure { > > argument name; > > description > > "Introduces a named data structure without any semantics > > attached. The data nodes in the structure are defined in the > > namespace of the module defining the structure." > > } > > > > Then we would replace the groupings with: > > > > rc:structure errors { > > container errors { > > ... > > } > > } > > > > rc:structure collection { > > container collection { > > .... > > } > > } > > > > and so on. > > > > Or even better, add such a statement to YANG 1.1. > > > > (incidentally, we have such an extension in our implementation that we > > use for this and similar purposes...) > > > > -- > Juergen Schoenwaelder Jacobs University Bremen gGmbH > Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany > Fax: +49 421 200 3103 > From nobody Wed Nov 12 09:44:31 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D5711A0102 for ; Wed, 12 Nov 2014 09:44:30 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.895 X-Spam-Level: X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_29=0.6, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1s32cX_zAnh1 for ; Wed, 12 Nov 2014 09:44:28 -0800 (PST) Received: from mail.tail-f.com (mail.tail-f.com [83.241.162.140]) by ietfa.amsl.com (Postfix) with ESMTP id 92FCE1A002C for ; Wed, 12 Nov 2014 09:44:28 -0800 (PST) Received: from localhost (unknown [193.13.112.215]) by mail.tail-f.com (Postfix) with ESMTPSA id D547C1280B72; Wed, 12 Nov 2014 18:44:27 +0100 (CET) Date: Wed, 12 Nov 2014 18:44:27 +0100 (CET) Message-Id: <20141112.184427.21336884.mbj@tail-f.com> To: andy@yumaworks.com From: Martin Bjorklund In-Reply-To: References: <20141112.101355.423478429.mbj@tail-f.com> X-Mailer: Mew version 6.5 on Emacs 24.3 / Mule 6.0 (HANACHIRUSATO) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/CM52n0-gKa_3ZA93ZtZkkTC7Vjg Cc: netconf@ietf.org Subject: Re: [Netconf] usage of groupings X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Nov 2014 17:44:30 -0000 Andy Bierman wrote: > On Wed, Nov 12, 2014 at 1:13 AM, Martin Bjorklund wrote: > > Hi, > > > > At the meeting yesterday the issue of RESTCONF's usage of groupings to > > define data structures came up. > > > > I'd like to point out that it is perfectly legal to define groupings > > that are not being used. > > > > What is unorthodox is that RESTCONF ties the contents of these > > groupings to a YANG module name / namespace not by 'uses' but in > > english text in the document (this text needs to be clarified if we > > keep this construct). This isn't worse than defining the complete > > structure in plain text. > > +1 > > I would like to keep using groupings for this purpose. > What if I want to use these definitions in my data models? > I cannot do that unless the definitions are in groupings. > > For example, let's say my app has a structured log file format > and I want to log the in the response? > It is perfectly reasonable to use the grouping instead of > cut and pasting. > > For this purpose, a YANG extension is worthless. > Only a grouping provides the reusable definitions without > hacking or copying. Well, you can certainly have both: grouping errors { ... } rc:structure error { uses errors; } /martin > > > Andy > > > > > The problem we're trying to solve is to have a single, formal, > > definition of these structures, than can be encoded in XML or JSON. > > If we were to use XSD it wouldn't work for JSON, and if we were to use > > JSON schema (or whatever) it wouldn't work for XML. > > > > One alternative to this is to define an extension statement: > > > > extension structure { > > argument name; > > description > > "Introduces a named data structure without any semantics > > attached. The data nodes in the structure are defined in the > > namespace of the module defining the structure." > > } > > > > Then we would replace the groupings with: > > > > rc:structure errors { > > container errors { > > ... > > } > > } > > > > rc:structure collection { > > container collection { > > .... > > } > > } > > > > and so on. > > > > Or even better, add such a statement to YANG 1.1. > > > > (incidentally, we have such an extension in our implementation that we > > use for this and similar purposes...) > > > > > > > > /martin > > > > _______________________________________________ > > Netconf mailing list > > Netconf@ietf.org > > https://www.ietf.org/mailman/listinfo/netconf > From nobody Wed Nov 12 09:47:16 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 004091A0078 for ; Wed, 12 Nov 2014 09:47:14 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.345 X-Spam-Level: X-Spam-Status: No, score=-0.345 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_CZ=0.445, HOST_EQ_CZ=0.904, J_CHICKENPOX_29=0.6, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.594] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ll9XtKLzTzM4 for ; Wed, 12 Nov 2014 09:47:12 -0800 (PST) Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C32A1A005C for ; Wed, 12 Nov 2014 09:47:12 -0800 (PST) Received: from t2001067c037001443dfe647d2c8d96bc.hotel-wired.v6.meeting.ietf.org (t2001067c037001443dfe647d2c8d96bc.hotel-wired.v6.meeting.ietf.org [IPv6:2001:67c:370:144:3dfe:647d:2c8d:96bc]) by mail.nic.cz (Postfix) with ESMTPSA id 806821400C9; Wed, 12 Nov 2014 18:47:09 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nic.cz; s=default; t=1415814430; bh=Ox5/hCk5yJD46yO6C3S0U1YjFV7ewfA7DVA6E1pFNiQ=; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc: Content-Transfer-Encoding:Message-Id:References:To; b=M29nQQCr9bIJv41L+HBuFFIWpx4A2Ls4yuiVdoNgkgKjbW3TtiM0oGlhoeuYsUsv8 utr4OIbsCyGHsBUBzueNgZmDDXyvbAuJU5Kq++m8wq5yJCeJ4iAJU70bMbhcjRubnM ir/8qj9F4oO44xhcZfwUmqltARHmzdP1qPcqi/Co= Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 7.3 $1878.6$) From: Ladislav Lhotka In-Reply-To: <20141112.101355.423478429.mbj@tail-f.com> Date: Wed, 12 Nov 2014 07:47:05 -1000 Content-Transfer-Encoding: quoted-printable Message-Id: <468243F2-87B2-4E0F-A6AE-E61AD4592578@nic.cz> References: <20141112.101355.423478429.mbj@tail-f.com> To: =?iso-8859-1?Q?Martin_Bj=F6rklund?= X-Mailer: Apple Mail (2.1878.6) X-Virus-Scanned: clamav-milter 0.98.1 at mail X-Virus-Status: Clean Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/symxokfcjj0VlaZ65stn-MDUJwE Cc: Netconf Subject: Re: [Netconf] usage of groupings X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Nov 2014 17:47:14 -0000 On 11 Nov 2014, at 23:13, Martin Bjorklund wrote: > Hi, >=20 > At the meeting yesterday the issue of RESTCONF's usage of groupings to > define data structures came up. >=20 > I'd like to point out that it is perfectly legal to define groupings > that are not being used. This was not the point of my initial comment. >=20 > What is unorthodox is that RESTCONF ties the contents of these > groupings to a YANG module name / namespace not by 'uses' but in > english text in the document (this text needs to be clarified if we > keep this construct). This isn't worse than defining the complete > structure in plain text. I think we should think twice before doing that. The handling of = namespaces in groupings is tricky - people get often confused about the = fact that the namespace is assigned according to the module where the = grouping is used, not where it is defined. So breaking this rule and = saying that in this particular case the namespace is that of the module = where the grouping is defined is IMO very dubious.=20 >=20 > The problem we're trying to solve is to have a single, formal, > definition of these structures, than can be encoded in XML or JSON. > If we were to use XSD it wouldn't work for JSON, and if we were to use > JSON schema (or whatever) it wouldn't work for XML. I understand that. My proposal was to use augments instead with an = artificial target representing the HTTP response. Lada >=20 > One alternative to this is to define an extension statement: >=20 > extension structure { > argument name; > description > "Introduces a named data structure without any semantics > attached. The data nodes in the structure are defined in the > namespace of the module defining the structure." > } >=20 > Then we would replace the groupings with: >=20 > rc:structure errors { > container errors { > ... > } > } >=20 > rc:structure collection { > container collection { > .... > } > } >=20 > and so on. >=20 > Or even better, add such a statement to YANG 1.1. >=20 > (incidentally, we have such an extension in our implementation that we > use for this and similar purposes...) >=20 >=20 >=20 > /martin >=20 > _______________________________________________ > Netconf mailing list > Netconf@ietf.org > https://www.ietf.org/mailman/listinfo/netconf -- Ladislav Lhotka, CZ.NIC Labs PGP Key ID: E74E8C0C From nobody Wed Nov 12 10:11:20 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 725241A9146 for ; Wed, 12 Nov 2014 10:11:00 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.495 X-Spam-Level: X-Spam-Status: No, score=-2.495 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6uOdYqNKQr97 for ; Wed, 12 Nov 2014 10:10:48 -0800 (PST) Received: from mail.tail-f.com (mail.tail-f.com [83.241.162.140]) by ietfa.amsl.com (Postfix) with ESMTP id 72B5F1A003B for ; Wed, 12 Nov 2014 10:10:46 -0800 (PST) Received: from localhost (unknown [193.13.112.215]) by mail.tail-f.com (Postfix) with ESMTPSA id A568A1280471; Wed, 12 Nov 2014 19:10:45 +0100 (CET) Date: Wed, 12 Nov 2014 19:10:45 +0100 (CET) Message-Id: <20141112.191045.165848815.mbj@tail-f.com> To: lhotka@nic.cz From: Martin Bjorklund In-Reply-To: <468243F2-87B2-4E0F-A6AE-E61AD4592578@nic.cz> References: <20141112.101355.423478429.mbj@tail-f.com> <468243F2-87B2-4E0F-A6AE-E61AD4592578@nic.cz> X-Mailer: Mew version 6.5 on Emacs 24.3 / Mule 6.0 (HANACHIRUSATO) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/VahrnwZMSMUJgM_1ggdKAiKRCi4 Cc: netconf@ietf.org Subject: Re: [Netconf] usage of groupings X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Nov 2014 18:11:00 -0000 Ladislav Lhotka wrote: > > On 11 Nov 2014, at 23:13, Martin Bjorklund wrote: > > > Hi, > > > > At the meeting yesterday the issue of RESTCONF's usage of groupings to > > define data structures came up. > > > > I'd like to point out that it is perfectly legal to define groupings > > that are not being used. > > This was not the point of my initial comment. > > > > > What is unorthodox is that RESTCONF ties the contents of these > > groupings to a YANG module name / namespace not by 'uses' but in > > english text in the document (this text needs to be clarified if we > > keep this construct). This isn't worse than defining the complete > > structure in plain text. > > I think we should think twice before doing that. The handling of namespaces in > groupings is tricky - people get often confused about the fact that the > namespace is assigned according to the module where the grouping is used, not > where it is defined. So breaking this rule and saying that in this particular > case the namespace is that of the module where the grouping is defined is IMO > very dubious. The idea is not to break the rule. The idea is to express in text that we have the equivalent of "uses errors", i.e. the instantiation of the grouping that binds to the namespace. I agree that this is special and that is why I prefer to use an extension statement. > > The problem we're trying to solve is to have a single, formal, > > definition of these structures, than can be encoded in XML or JSON. > > If we were to use XSD it wouldn't work for JSON, and if we were to use > > JSON schema (or whatever) it wouldn't work for XML. > > I understand that. My proposal was to use augments instead with an artificial > target representing the HTTP response. IMO an artificial target is worse. Either you augment something that doesn't exist, or you have to define data nodes that aren't really data nodes. /martin From nobody Wed Nov 12 11:58:05 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5955F1A86EF for ; Wed, 12 Nov 2014 11:58:01 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.945 X-Spam-Level: X-Spam-Status: No, score=-0.945 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_CZ=0.445, HOST_EQ_CZ=0.904, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.594] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Je8anUPbKwIj for ; Wed, 12 Nov 2014 11:57:58 -0800 (PST) Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B62AA1A797C for ; Wed, 12 Nov 2014 11:57:57 -0800 (PST) Received: from t2001067c03700160ecd2fdfc4a90b25a.wireless.v6.meeting.ietf.org (t2001067c03700160ecd2fdfc4a90b25a.wireless.v6.meeting.ietf.org [IPv6:2001:67c:370:160:ecd2:fdfc:4a90:b25a]) by mail.nic.cz (Postfix) with ESMTPSA id 431D214006C; Wed, 12 Nov 2014 20:57:54 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nic.cz; s=default; t=1415822276; bh=71SHx5rCr/ZM0lyeuscZB2ucxXMyLYpu160hDPt8Gpg=; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc: Content-Transfer-Encoding:Message-Id:References:To; b=rRIeV+eABd7uxQi84ZYpC48nWXk3fVLwRNRFvTbUnhOoWp5NKe0NAHjfAPd+ytpRz QnCLN4GSIjWS/LENs/iPDdyVD/V6FQZONMtk6tEaqIjY+kpPjzaIufjSQABGXuLfqB uT5CS/WVqcs7POvZrH2gPOqpxT+R1rDCpDhKGHL4= Content-Type: text/plain; charset=windows-1252 Mime-Version: 1.0 (Mac OS X Mail 7.3 $1878.6$) From: Ladislav Lhotka In-Reply-To: <20141112.191045.165848815.mbj@tail-f.com> Date: Wed, 12 Nov 2014 09:57:51 -1000 Content-Transfer-Encoding: quoted-printable Message-Id: <3AEAF3D4-ADF8-41F0-BDE4-CE561BB0D95A@nic.cz> References: <20141112.101355.423478429.mbj@tail-f.com> <468243F2-87B2-4E0F-A6AE-E61AD4592578@nic.cz> <20141112.191045.165848815.mbj@tail-f.com> To: =?windows-1252?Q?Martin_Bj=F6rklund?= X-Mailer: Apple Mail (2.1878.6) X-Virus-Scanned: clamav-milter 0.98.1 at mail X-Virus-Status: Clean Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/0W3SlC45V6jpkswYyro8dik-7ig Cc: Netconf Subject: Re: [Netconf] usage of groupings X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Nov 2014 19:58:01 -0000 On 12 Nov 2014, at 08:10, Martin Bjorklund wrote: > Ladislav Lhotka wrote: >>=20 >> On 11 Nov 2014, at 23:13, Martin Bjorklund wrote: >>=20 >>> Hi, >>>=20 >>> At the meeting yesterday the issue of RESTCONF's usage of groupings = to >>> define data structures came up. >>>=20 >>> I'd like to point out that it is perfectly legal to define groupings >>> that are not being used. >>=20 >> This was not the point of my initial comment. >>=20 >>>=20 >>> What is unorthodox is that RESTCONF ties the contents of these >>> groupings to a YANG module name / namespace not by 'uses' but in >>> english text in the document (this text needs to be clarified if we >>> keep this construct). This isn't worse than defining the complete >>> structure in plain text. >>=20 >> I think we should think twice before doing that. The handling of = namespaces in >> groupings is tricky - people get often confused about the fact that = the >> namespace is assigned according to the module where the grouping is = used, not >> where it is defined. So breaking this rule and saying that in this = particular >> case the namespace is that of the module where the grouping is = defined is IMO >> very dubious. >=20 > The idea is not to break the rule. The idea is to express in text For instance, an example in the text shows that the =93collection=94 = element is in the namespace of the ietf-restconf module but nothing in = that module provides any reason for this. Phil was right when he said that if this was done in another WG, we = would think they don=92t understand how namespaces work in groupings. > that we have the equivalent of "uses errors", i.e. the instantiation > of the grouping that binds to the namespace. I agree that this is > special and that is why I prefer to use an extension statement. OK. >=20 >>> The problem we're trying to solve is to have a single, formal, >>> definition of these structures, than can be encoded in XML or JSON. >>> If we were to use XSD it wouldn't work for JSON, and if we were to = use >>> JSON schema (or whatever) it wouldn't work for XML. >>=20 >> I understand that. My proposal was to use augments instead with an = artificial >> target representing the HTTP response. >=20 > IMO an artificial target is worse. Either you augment something that > doesn't exist, or you have to define data nodes that aren't really > data nodes. Well, it is clear in any case that YANG is somewhat misused here as a = general schema language. I am all for making this use of YANG more = =93official=94 in YANG 1.1. Lada >=20 >=20 > /martin -- Ladislav Lhotka, CZ.NIC Labs PGP Key ID: E74E8C0C From nobody Wed Nov 12 13:54:31 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE5D61ACDEE for ; Wed, 12 Nov 2014 13:54:29 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -15.094 X-Spam-Level: X-Spam-Status: No, score=-15.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tng70dCLonhL for ; Wed, 12 Nov 2014 13:54:28 -0800 (PST) Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 276481ACD9B for ; Wed, 12 Nov 2014 13:54:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5631; q=dns/txt; s=iport; t=1415829268; x=1417038868; h=message-id:date:from:mime-version:to:cc:subject; bh=0iNQo11pY+aeTU8NZD0yiFKy+LNcUMTLlPMc7oTs1Ns=; b=K5lueVjGoohpmK8no+zlHRmgSKpLpvfH3mcYvTz0tJF9CyCc5SBs4wcQ VzhEYjko6Shq1EQlE7STyAT7DZE1JTa6/Vo+5a3vae694XmYcrqchSmT3 F7kD6O25Gz4Kxf4eSdqrl2FFSDibnaKlbB/NhcmOZv1j95g7ya0pAjgVX Y=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Ak0KANTVY1StJV2S/2dsb2JhbABbgw5UWYhhwWuBcIdNgR8WAQEBAQF9hQIfHTQCTA0BBwEBiD0N0C4BAQEBBgEBAQEBAQEbkDIRAVAQhEIFgV2VMIJIhFyBcYYMjmqEIBkwAYEOgTwBAQE X-IronPort-AV: E=Sophos;i="5.07,371,1413244800"; d="scan'208,217";a="371692968" Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by rcdn-iport-3.cisco.com with ESMTP; 12 Nov 2014 21:54:27 +0000 Received: from [10.21.90.27] (sjc-vpn5-539.cisco.com [10.21.90.27]) by rcdn-core-10.cisco.com (8.14.5/8.14.5) with ESMTP id sACLsQbl002518; Wed, 12 Nov 2014 21:54:26 GMT Message-ID: <5463D712.50802@cisco.com> Date: Wed, 12 Nov 2014 11:54:26 -1000 From: Benoit Claise User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0 MIME-Version: 1.0 To: NETCONF Content-Type: multipart/alternative; boundary="------------080206010504020406090600" Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/zBSWobG9SCfSiWtMSKofhdU7CWo Cc: "anima-chairs@tools.ietf.org" Subject: [Netconf] ANIMA and NETCONF zero touch X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Nov 2014 21:54:30 -0000 This is a multi-part message in MIME format. --------------080206010504020406090600 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Dear all, As discussed today during the OPSAREA meeting, let me make the link between the NETCONF zero touch draft [1] and the individual ANIMA bootstrapping draft [2]. >From http://tools.ietf.org/html/draft-pritikin-anima-bootstrapping-keyinfra-00#section-4.1 Client behavior is as follows: 1. Discover a communication channel to the "closest" Registrar by trying the following steps in this order: A. Search for a Proxy on the local link using Neighbor Discovery. If multiple local proxies are discovered attempt communications with each before widening the search to other options. If this fails: B. Obtain an IP address using DHCP, and search for a local registrar using DNS service discovery. If this fails: C. Obtain an IP address using DHCP, and search for a pre-defined Factory provided global registrar using DNS. 2. Present IEEE 802.1AR credentials to the discovered Registrar (via a Proxy if necessary). Included is a generated nonce that is specific to this attempt. 3. Verify the MASA cloud service generated authorization token as provided by the contacted Registrar. The nonce information previously provided is also checked, if it was not removed by the Registrar. 4. If and only if step three is successful: Join Domain, by accepting the domain specific information from the registrar, and by enrolling a domain certificate from the registrar. 5. The New Entity is now a member of the domain and will only repeat the discovery aspects of bootstrapping if it is returned to factory default settings. [[EDNOTE: Step (1b and 1c) is similar to the vendor DNS mechanisms described indraft-kwatsen-netconf-zerotouch although the goal here is to contact a Registrar rather than a vendor supplied NMS] The goal of this email is simply to bring awareness, and to start a discussion. Note: I don't like WG cross-postings, so only the ANIMA chairs are copied. [1] tools.ietf.org/html/draft-kwatsen-netconf-zerotouch [2] http://tools.ietf.org/html/draft-pritikin-anima-bootstrapping-keyinfra-00 Regards, Benoit --------------080206010504020406090600 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Dear all,

As discussed today during the OPSAREA meeting, let me make the link between the NETCONF zero touch draft [1] and the individual ANIMA bootstrapping draft [2].

From http://tools.ietf.org/html/draft-pritikin-anima-bootstrapping-keyinfra-00#section-4.1

  Client behavior is as follows:

   1.  Discover a communication channel to the "closest" Registrar by
       trying the following steps in this order:

       A.  Search for a Proxy on the local link using Neighbor
           Discovery.  If multiple local proxies are discovered attempt
           communications with each before widening the search to other
           options.  If this fails:

       B.  Obtain an IP address using DHCP, and search for a local
           registrar using DNS service discovery.  If this fails:

       C.  Obtain an IP address using DHCP, and search for a pre-defined
           Factory provided global registrar using DNS.

   2.  Present IEEE 802.1AR credentials to the discovered Registrar (via
       a Proxy if necessary).  Included is a generated nonce that is
       specific to this attempt.

   3.  Verify the MASA cloud service generated authorization token as
       provided by the contacted Registrar.  The nonce information
       previously provided is also checked, if it was not removed by the
       Registrar.

   4.  If and only if step three is successful: Join Domain, by
       accepting the domain specific information from the registrar, and
       by enrolling a domain certificate from the registrar.

   5.  The New Entity is now a member of the domain and will only repeat
       the discovery aspects of bootstrapping if it is returned to
       factory default settings.

   [[EDNOTE: Step (1b and 1c) is similar to the vendor DNS mechanisms
   described in draft-kwatsen-netconf-zerotouch although the goal here
   is to contact a Registrar rather than a vendor supplied NMS]

The goal of this email is simply to bring awareness, and to start a discussion.
Note: I don't like WG cross-postings, so only the ANIMA chairs are copied.

[1] tools.ietf.org/html/draft-kwatsen-netconf-zerotouch
[2] http://tools.ietf.org/html/draft-pritikin-anima-bootstrapping-keyinfra-00

Regards, Benoit
--------------080206010504020406090600-- From nobody Wed Nov 12 21:07:51 2014 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1C0C1A1B81 for ; Wed, 12 Nov 2014 21:07:49 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.901 X-Spam-Level: X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SIWZ0cxPWcVl for ; Wed, 12 Nov 2014 21:07:47 -0800 (PST) Received: from demumfd002.nsn-inter.net (demumfd002.nsn-inter.net [93.183.12.31]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBD551A1B7F for ; Wed, 12 Nov 2014 21:07:46 -0800 (PST) Received: from demuprx017.emea.nsn-intra.net ([10.150.129.56]) by demumfd002.nsn-inter.net (8.14.3/8.14.3) with ESMTP id sAD57hcK015139 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 13 Nov 2014 05:07:43 GMT Received: from DEMUHTC001.nsn-intra.net ([10.159.42.32]) by demuprx017.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id sAD57gVj016431 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 13 Nov 2014 06:07:42 +0100 Received: from DEMUHTC013.nsn-intra.net (10.159.42.44) by DEMUHTC001.nsn-intra.net (10.159.42.32) with Microsoft SMTP Server (TLS) id 14.3.195.1; Thu, 13 Nov 2014 06:07:42 +0100 Received: from DEMUMBX005.nsn-intra.net ([169.254.5.75]) by DEMUHTC013.nsn-intra.net ([10.159.42.44]) with mapi id 14.03.0195.001; Thu, 13 Nov 2014 06:07:42 +0100 From: "Ersue, Mehmet (NSN - DE/Munich)" To: ext Benoit Claise , netconf Thread-Topic: Summary of and AIs from the NETCONF Session in IETF #91 Thread-Index: AQHP/v/A0RV7p1iOEE6jjsWMtI6v8g== Date: Thu, 13 Nov 2014 05:07:41 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.159.42.116] Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 X-purgate-type: clean X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de X-purgate: clean X-purgate: This mail is considered clean (visit http://www.eleven.de for further information) X-purgate-size: 3774 X-purgate-ID: 151667::1415855263-00001FC1-DE6DBED2/0/0 Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/WZSJ5b-4Ay6dkNfcf7Jvf0ZbM8A Subject: [Netconf] Summary of and AIs from the NETCONF Session in IETF #91 X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: