Juergen and Martin:

Your question is appropriate at this point. These Yang Modules are I2RS Yang Modules. Knowing whether these are attached to the configuration data store or a control plane data store is important. For that answer, I must await Benoit and the NETMOD Chairs.
However, the security involved in these data models still has the same security issues whether it is ephemeral state attached to the configuration data store or the control plane data store. The solution is just different. The 6 issues for I2RS security considerations are:

1) different mandatory-to-implement transport for NETCONF,
2) priority resolving multiple client writes,
3) non-secure transport,
4) different validations with rpc actions,
5) different NACM, RACM, and SACM policy,
6) different data store behavior (ephemeral/configuration or ephemeral/Control Plane data store).

Only #6 would operate differently between the two data store choices.

To recap our discussion: Any I2RS YANG module MUST have security comments on #1 and #2 if it contains writes. These particular topology modules do not use #3 and #4 beyond the regular YANG module section. #5 - The NACM policy may be the same, but the policy toward the routing system (RACM) or system information (SACM) is different, as the L3 topology models may load information from routing protocols.

The proposal for I2RS Yang module security considerations has 3 parts:

A) Basic Yang Security considerations,
B) I2RS Security considerations for secure transport, and
C) non-secure security considerations.

A+B are all that is needed for these drafts.

Cheerily,
Sue Hares

-----Original Message-----
From: Juergen Schoenwaelder [mailto:[email protected]]
Sent: Tuesday, January 24, 2017 6:52 AM
To: Susan Hares
Cc: [email protected]; 'Martin Bjorklund'; [email protected]; [email protected]; 'Robert Varga'; [email protected]; [email protected]
Subject: Re: [i2rs] Kathleen Moriarty's No Objection on draft-ietf-i2rs-yang-l3-topology-08: (with COMMENT)

Susan,

so are these YANG models regular YANG models or are these YANG models specific to the yet to be defined I2RS protocol and yet to be defined datastores? I think this is the core of Martin's and my question. A simple clear and concise answer would be nice.
/js

On Tue, Jan 24, 2017 at 06:42:30AM -0500, Susan Hares wrote:
> Juergen:
>
> Yep. That's the charter. draft-ietf-i2rs-yang-network-topo-10.txt is
> a generic topology model. draft-ietf-i2rs-yang-l3-topology-08.txt is a
> generic topology for L3 unicast. These support topology extension for
> non-I2RS users. We met the milestone and delivered the YANG Modules to
> the IESG. We discussed the "write" feature during WG LC and in the WG.
> We passed this by AD Benoit Claise who agreed to the reasons presented
> by the draft authors.
>
> Kinda' missed your comments in the normal comment period (WG LC, IETF LC).
>
> Sue
>
> -----Original Message-----
> From: i2rs [mailto:[email protected]] On Behalf Of Juergen Schoenwaelder
> Sent: Monday, January 23, 2017 5:15 PM
> To: Susan Hares
> Cc: [email protected]; 'Martin Bjorklund'; [email protected]; [email protected]; 'Robert Varga'; [email protected]; [email protected]
> Subject: Re: [i2rs] Kathleen Moriarty's No Objection on draft-ietf-i2rs-yang-l3-topology-08: (with COMMENT)
>
> Perhaps just adding to the confusion, here is what the WG charter says:
>
>   o The ability to extract information about topology from the network.
>     Injection and creation of topology will not be considered as a work
>     item. Such topology-related models will be based on a generic
>     topology model to support multiple uses; the generic topology model
>     should support topology extension for non-I2RS uses.
>
> And as a milestone:
>
>   Dec 2016 - Request Publication of Protocol Independent Topology Data Models
>
> /js
>
> On Mon, Jan 23, 2017 at 05:06:04PM -0500, Susan Hares wrote:
> > Robert and Martin:
> >
> > I agree with Robert that the current implementations of the ODL
> > topology models are handled as part of the configuration data store
> > with ephemeral state. I will point out that these implementations are
> > pre-standards implementations of the I2RS YANG Data model.
> >
> > While standardizing the topology data models, the I2RS WG has been
> > asked to align with the draft-ietf-netmod-revised-datastores-00.txt
> > NETMOD WG document. This NETMOD WG document moves the I2RS ephemeral
> > data store from the configuration data store to a Control Plane data
> > store. If we follow this draft, the I2RS Topology models are part of
> > the I2RS ephemeral data store. If you disagree with the placement of
> > the Topology data models, please indicate this to the NETMOD WG and
> > to Benoit. Could you propose a way that you would see the ephemeral
> > state working with the configuration data store to the NETMOD WG?
> >
> > Quite frankly, I feel a bit of whip-lash on this topic. NETMOD WG asks
> > for Control Plane Data store. You ask for configuration data store
> > (which was the I2RS initial proposal). It is possible for either one
> > to work for I2RS Topology models - if the right details are taken care
> > of. How do we make progress on choosing one method so we can write the
> > I2RS Topology Models security considerations?
> >
> > Sue
> >
> > -----Original Message-----
> > From: Robert Varga [mailto:[email protected]]
> > Sent: Monday, January 23, 2017 4:11 PM
> > To: Martin Bjorklund; [email protected]
> > Cc: [email protected]; [email protected]; [email protected]; [email protected]; [email protected]; [email protected]
> > Subject: Re: [i2rs] Kathleen Moriarty's No Objection on draft-ietf-i2rs-yang-l3-topology-08: (with COMMENT)
> >
> > On 01/23/2017 09:26 PM, Martin Bjorklund wrote:
> > >> I'm pulling your questions to the top of this email.
> > >>
> > >> Question 1: Ok. Just to make sure I understand this correctly -
> > >> these topology models are intended to be I2RS-specific, and they
> > >> cannot be used for any other purpose. If anyone needs a general
> > >> topology model outside of the I2RS protocol, they will have to
> > >> design their own model. Is this correct?
> > >>
> > >> Response 1: Not really.
> > >
> > > Ok, so are you saying that the models are in fact generic, and can
> > > be used outside of I2RS? I.e., they *can* be used with the normal
> > > configuration datastores?
> >
> > From implementation experience, yes, they can be used for storing
> > configuration. OpenDaylight uses (an ancient predecessor of)
> > yang-network-topo to store configuration details about devices in its
> > managed networks.
> >
> > Regards,
> > Robert
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

_______________________________________________
i2rs mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2rs
