On 24/01/17 14:25, Susan Hares wrote:
Juergen and Martin:
Your question is appropriate at this point. These Yang Modules are I2RS
Yang Modules. Knowing whether these are attached to the configuration data
store or a control plane data store is important. For that answer, I must
await Benoit and the NETMOD Chairs.
However, the security involved in these data models still has the same
security issues whether it is ephemeral state attached to the configuration
data store or the control plane data store.
No, it is not.
If it is the control plane you need a security model for the northbound
write access.
If that model is not necessary because there is no write access, then
the question is why do you need it to be in the config in the first place.
A.
The solution is just different.
The 6 issues for I2RS security considerations are: 1) different
mandatory-to-implement transport for NETCONF, 2) priority resolving multiple
client writes, 3) non-secure transport, 4) different validations with rpc
actions, 5) different NACM, RACM, and SACM policy, 6) different data store
behavior (ephemeral/configuration or ephemeral/Control Plane data store).
Only #6 would operate differently between the two data store choices.
To recap our discussion: Any I2RS YANG module MUST have security comments
on #1 and #2 if it contains writes. The topology modules, in particular, do
not use #3 and #4 beyond the regular YANG module section. #5 - The
NACM policy may be the same, but the policy toward the routing system (RACM)
or system information (SACM) is different as the L3 topology models may load
information from routing protocols. The proposal for I2RS Yang module
security considerations has 3 parts: A) Basic Yang Security
considerations, B) I2RS Security considerations for secure transport, and
C) non-secure security considerations. A+B are all that is needed for
these drafts.
Cheerily,
Sue Hares
-----Original Message-----
From: Juergen Schoenwaelder [mailto:[email protected]]
Sent: Tuesday, January 24, 2017 6:52 AM
To: Susan Hares
Cc: [email protected]; 'Martin Bjorklund';
[email protected]; [email protected]; 'Robert
Varga'; [email protected]; [email protected]
Subject: Re: [i2rs] Kathleen Moriarty's No Objection on
draft-ietf-i2rs-yang-l3-topology-08: (with COMMENT)
Susan,
so are these YANG models regular YANG models or are these YANG models
specific to the yet to be defined I2RS protocol and yet to be defined
datastores?
I think this is the core of Martin's and my question. A simple clear and
concise answer would be nice.
/js
On Tue, Jan 24, 2017 at 06:42:30AM -0500, Susan Hares wrote:
Juergen:
Yep. That's the charter. draft-ietf-i2rs-yang-network-topo-10.txt is
a generic topology model. draft-ietf-i2rs-yang-l3-topology-08.txt is a
generic topology for L3 unicast. These support topology extension for
non-I2RS users. We met the milestone and delivered the YANG Modules to the
IESG. We discussed the "write" feature during WG LC and in the WG. We
passed this by AD Benoit Claise who agreed to the reasons presented by
the draft authors.
Kinda' missed your comments in the normal comment period (WG LC, IETF LC).
Sue
-----Original Message-----
From: i2rs [mailto:[email protected]] On Behalf Of Juergen
Schoenwaelder
Sent: Monday, January 23, 2017 5:15 PM
To: Susan Hares
Cc: [email protected]; 'Martin Bjorklund';
[email protected]; [email protected];
'Robert Varga'; [email protected]; [email protected]
Subject: Re: [i2rs] Kathleen Moriarty's No Objection on
draft-ietf-i2rs-yang-l3-topology-08: (with COMMENT)
Perhaps just adding to the confusion, here is what the WG charter
says:
o The ability to extract information about topology from the network.
Injection and creation of topology will not be considered as a work
item. Such topology-related models will be based on a generic
topology model to support multiple uses; the generic topology model
should support topology extension for non-I2RS uses.
And as a milestone:
Dec 2016 - Request Publication of Protocol Independent Topology Data
Models
/js
On Mon, Jan 23, 2017 at 05:06:04PM -0500, Susan Hares wrote:
Robert and Martin:
I agree with Robert that the current implementations of the ODL
topology models are handled as part of the configuration data store
with ephemeral state. I will point out that these implementations are
pre-standards implementations of the I2RS YANG Data model.
While standardizing the topology data models, the I2RS WG has been
asked to align with the draft-ietf-netmod-revised-datastores-00.txt
NETMOD WG document. This NETMOD WG document moves the I2RS ephemeral
data store from the configuration data store to a Control Plane data
store. If we follow this draft, the I2RS Topology models are part of
the I2RS ephemeral data store.
If you disagree with the placement of the Topology data models,
please indicate this to the NETMOD WG and to Benoit. Could you
propose a way that you would see the ephemeral state working with
the configuration data store to the NETMOD WG?
Quite frankly, I feel a bit of whip-lash on this topic. NETMOD WG asks
for Control Plane Data store. You ask for configuration data store (which
was the I2RS initial proposal). It is possible for either one to work for
I2RS Topology models - if the right details are taken care of. How do we
make progress on choosing one method so we can write the I2RS Topology
Models security considerations?
Sue
-----Original Message-----
From: Robert Varga [mailto:[email protected]]
Sent: Monday, January 23, 2017 4:11 PM
To: Martin Bjorklund; [email protected]
Cc: [email protected]; [email protected];
[email protected]; [email protected];
[email protected]; [email protected]
Subject: Re: [i2rs] Kathleen Moriarty's No Objection on
draft-ietf-i2rs-yang-l3-topology-08: (with COMMENT)
On 01/23/2017 09:26 PM, Martin Bjorklund wrote:
I'm pulling your questions to the top of this email.
Question 1: Ok. Just to make sure I understand this correctly -
these topology models are intended to be I2RS-specific, and they
cannot be used for any other purpose. If anyone needs a general
topology model outside of the I2RS protocol, they will have to
design their own model. Is this correct?
Response 1: Not really.
Ok, so are you saying that the models are in fact generic, and can
be used outside of I2RS? I.e., they *can* be used with the normal
configuration datastores?
From implementation experience, yes, they can be used for storing
configuration. OpenDaylight uses (an ancient predecessor of)
yang-network-topo to store configuration details about devices in its
managed networks.
Regards,
Robert
--
Juergen Schoenwaelder Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany
Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
_______________________________________________
i2rs mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2rs