On Fri, Jan 13, 2023 at 3:32 AM Italo Busi <italo.b...@huawei.com> wrote:

> Andy, Carsten, Jürgen, Tom,
>
> Thanks for your feedback
>
> If I understand correctly:
>
>    - Andy, Carsten and Jürgen agree that using unrestricted string for
>    non-key attributes makes sense
>    - Andy has a concern only about using unrestricted string for key
>    attributes and his proposal is to use the yang-identifier (which does not
>    bound the maximum length of the string) instead
>
>
>
> Is my understanding correct?
>

I would say that yang-identifier SHOULD be used instead of string for key
leafs.
That does not mean yang-identifier is always the most appropriate type to
use for a key.



>
>
> I think that what I have understood would make sense
>
>
>
> Any other opinion or suggestion?
>
>
>
> Thanks, Italo
>


Andy


>
>
> *From:* Andy Bierman <a...@yumaworks.com>
> *Sent:* Thursday, January 12, 2023 19:24
> *To:* Jürgen Schönwälder <j.schoenwael...@jacobs-university.de>; Andy
> Bierman <a...@yumaworks.com>; Italo Busi <italo.b...@huawei.com>;
> netmod@ietf.org
> *Subject:* Re: [netmod] Use of unrestricted string in YANG (was RE:
> naming scope of a grouping which uses a grouping)
>
>
>
>
>
>
>
> On Thu, Jan 12, 2023 at 8:33 AM Jürgen Schönwälder <
> j.schoenwael...@jacobs-university.de> wrote:
>
> On Thu, Jan 12, 2023 at 07:08:05AM -0800, Andy Bierman wrote:
> >
> > Just because the escaped string is "safe" inside a NETCONF protocol message
> > does not mean it is safe to use in other tools. Data (especially list keys)
> > gets moved between software programs. Unrestricted strings increase the
> > risk of data injection attacks.
> >
>
> Sorry, broken code that does not handle inputs of unexpected length
> can't be secured by standardizing arbitrary limits. The only option is
> to fix the broken code. Code that fails to validate its inputs can't
> be fixed by arbitrary limits and the pure hope that the broken code
> will never see something causing it to crash.
>
>
>
>
>
> My statement is about the risk of using unconstrained values in strings,
> not the length.
>
> It is my preference to avoid characters in leaf keys that are known to
> cause problems with shells and other tools.
>
> It is a tradeoff. You can have the freedom to construct all-whitespace key
> leafs, but at the risk of implementations not handling it correctly. The
> designer(s) should pick the most appropriate type, based on priorities.
>
>
>
> /js
>
>
>
> Andy
>
>
>
> --
> Jürgen Schönwälder              Constructor University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
>
>
_______________________________________________
netmod mailing list
netmod@ietf.org
https://www.ietf.org/mailman/listinfo/netmod
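
The tradeoff discussed in this thread, as an added example that is not part of the original messages: candidate list keys are checked against the yang-identifier type from ietf-yang-types (RFC 6991) and against what a POSIX shell would accept unquoted. The sample keys and the function names are constructed for illustration.

```python
import re
import shlex

# yang-identifier from ietf-yang-types (RFC 6991): length "1..max" and two
# patterns that must both match the whole value.
_YANG_ID_PATTERNS = (
    re.compile(r"[a-zA-Z_][a-zA-Z0-9\-_.]*"),
    re.compile(r".|..|[^xX].*|.[^mM].*|..[^lL].*"),  # must not start with "xml"
)

def is_yang_identifier(value: str) -> bool:
    """True if value would be accepted by a leaf of type yang-identifier."""
    return len(value) >= 1 and all(p.fullmatch(value) for p in _YANG_ID_PATTERNS)

def needs_shell_quoting(value: str) -> bool:
    """True if the value cannot be placed on a POSIX shell command line as-is."""
    return shlex.quote(value) != value

def audit_keys(keys):
    """Return (key, is_identifier, needs_quoting) for each candidate list key."""
    return [(k, is_yang_identifier(k), needs_shell_quoting(k)) for k in keys]

# Constructed sample keys: every one is a legal value for "type string".
SAMPLE_KEYS = ["eth0", "mgmt-vrf.1", "   ", "uplink 1", "core*", "a;b", "xml-if"]

if __name__ == "__main__":
    for key, ident, quoting in audit_keys(SAMPLE_KEYS):
        print(f"{key!r:14} yang-identifier={ident!s:5} needs-shell-quoting={quoting}")
```

No key that passes the yang-identifier check needs quoting, while the all-whitespace key and the keys with shell metacharacters are valid unrestricted strings that every downstream tool has to escape correctly.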
