Re: [netmod] Must offline-validation of alone be valid?

Hi, Andy, all From: Andy Bierman [mailto:a...@yumaworks.com] Sent: Saturday, December 18, 2021 2:06 AM To: Kent Watsen Cc: maqiufang (A) ; netmod@ietf.org Subject: Re: [netmod] Must offline-validation of alone be valid? On Fri, Dec 17, 2021 at 7:11 AM Kent Watsen mailto:kent%2bi

Re: [netmod] Must offline-validation of alone be valid?

On Fri, Dec 17, 2021 at 7:11 AM Kent Watsen wrote: > Andy, et. al., > > > I cannot find any RFC text that says has only nodes created by a >> client. >> >> >> Really? Interesting. Still, I know it’s a mantra we’ve held closely >> for many year, right? >> > > No. Quite the opposite. > > > Th

Re: [netmod] Must offline-validation of alone be valid?

I cannot find any RFC text that says has only nodes created by a client. >>> >>> Really? Interesting. Still, I know it’s a mantra we’ve held closely >>> for many year, right? >>> >>> No. Quite the opposite. >> >> There was a brouhaha back when I proposed the "keystore” draft have

Re: [netmod] Must offline-validation of alone be valid?

Hi, Kent Watsen wrote: > Andy, et. al., > > > >> I cannot find any RFC text that says has only nodes created > >> by a client. > > > > Really? Interesting. Still, I know it’s a mantra we’ve held closely > > for many year, right? > > > > No. Quite the opposite. > > There was a brouhaha

Re: [netmod] Must offline-validation of alone be valid?

Andy, et. al., >> I cannot find any RFC text that says has only nodes created by a >> client. > > Really? Interesting. Still, I know it’s a mantra we’ve held closely for > many year, right? > > No. Quite the opposite. There was a brouhaha back when I proposed the "keystore” draft have

Re: [netmod] Must offline-validation of alone be valid?

On Tue, Dec 14, 2021 at 2:29 PM Jürgen Schönwälder < j.schoenwael...@jacobs-university.de> wrote: > On Tue, Dec 14, 2021 at 07:43:47PM +, Kent Watsen wrote: > > > > > > >> Right, and in both cases, the idea was that contains all > > >> data needed for the transformation into . So a client th

Re: [netmod] Must offline-validation of alone be valid?

On Tue, Dec 14, 2021 at 07:43:47PM +, Kent Watsen wrote: > > > >> Right, and in both cases, the idea was that contains all > >> data needed for the transformation into . So a client that > >> wants to do "offline" validation would need the data + the > >> transformation algorithms. But no

Re: [netmod] Must offline-validation of alone be valid?

>> Right, and in both cases, the idea was that contains all >> data needed for the transformation into . So a client that >> wants to do "offline" validation would need the data + the >> transformation algorithms. But no additional data. >> > > Having to know proprietary transformation algor

Re: [netmod] Must offline-validation of alone be valid?

Kent, all, >>> It is also notable that RFC 8341 say nothing about the fact that clients >>> effected by NACM may not be able to pass validation (it’s not even >>> mentioned). >> >> That a client with insufficient privileges may have trouble understanding or >> controlling a server is no surpri

Re: [netmod] Must offline-validation of alone be valid?

On Tue, Dec 14, 2021 at 01:14:17PM +0100, Martin Björklund wrote: > > Right, and in both cases, the idea was that contains all > data needed for the transformation into . So a client that > wants to do "offline" validation would need the data + the > transformation algorithms. But no additional

Re: [netmod] Must offline-validation of alone be valid?

Hi Jan, >> It is also notable that RFC 8341 say nothing about the fact that clients >> effected by NACM may not be able to pass validation (it’s not even >> mentioned). > > That a client with insufficient privileges may have trouble understanding or > controlling a server is no surprise to me.

Re: [netmod] Must offline-validation of alone be valid?

Hi Kent, >>> Of course, some will point to Section 5.1.3: >>> >>>However, MUST always be a valid configuration data tree, >>>as defined in Section 8.1 of [RFC7950] >>> . >>> >>> But it has to be obvious that this is a bug. For

Re: [netmod] Must offline-validation of alone be valid?

Hi Jan, >> Of course, some will point to Section 5.1.3: >> >>However, MUST always be a valid configuration data tree, >>as defined in Section 8.1 of [RFC7950] >> . >> >> But it has to be obvious that this is a bug. For instanc

Re: [netmod] Must offline-validation of alone be valid?

Kent, >> Here you are introducing two concepts that the RFCs (6020, 7950, 8342) are >> never mentioning: online and offline validation. Then you say that because >> the RFCs don't talk about these concepts, the behavior is undefined. I >> strongly disagree. The RFCs talk about validation, and d

Re: [netmod] Must offline-validation of alone be valid?

Kent, all, > Of course, some will point to Section 5.1.3: > >However, MUST always be a valid configuration data tree, >as defined in Section 8.1 of [RFC7950] > . > > But it has to be obvious that this is a bug. For instance, >

Re: [netmod] Must offline-validation of alone be valid?

Hi, Kent Watsen wrote: > Hi Andy, > > I cannot find any RFC text that says system-injected config is > > special, especially since > > server implementations exist that treat these edits as just another > > client > > (although probably a 'root' user client). > > Very true (and Juergen’s point

Re: [netmod] Must offline-validation of alone be valid?

On Mon, Dec 13, 2021 at 11:44:31PM +, Kent Watsen wrote: > Juergen/Andy, > > > > Option #3 > > > > There is a client on the system that makes changes to running just > > like any other remote clients can make changes to running. System > > generate config that is not editable explicit config

Re: [netmod] Must offline-validation of alone be valid?

On Mon, Dec 13, 2021 at 6:55 PM Kent Watsen wrote: > Hi Andy, > > I do not have any problem with containing active and inactive > nodes. > That's what has been in place for over 10 years. That's what is written in > NMDA. > > > For posterity, it’s been “in place” only in proprietary implementati

Re: [netmod] Must offline-validation of alone be valid?

Hi Andy, >> Legacy clients are failing offline validation today. If running config has a >> leafref to system config, and doesn't return that system config >> (which it doesn't in some implementations), then the instance data returned >> to the client doesn't validate against the YANG model.

Re: [netmod] Must offline-validation of alone be valid?

Hi Andy, >> Andy - about use cases. Here is a problem we're trying to address: >> >> >> >> There are at least several major router implementations that have this >> concept of "hidden config" (i.e. list entries that can be referenced in a >> leafref by explicit user config, but those list

Re: [netmod] Must offline-validation of alone be valid?

Hi Andy, > I do not have any problem with containing active and inactive nodes. > That's what has been in place for over 10 years. That's what is written in > NMDA. For posterity, it’s been “in place” only in proprietary implementations. It would be nice to resurrect the “conditional-enableme

Re: [netmod] Must offline-validation of alone be valid?

On Mon, Dec 13, 2021 at 5:31 PM Kent Watsen wrote: > > > On Dec 8, 2021, at 5:50 PM, Andy Bierman wrote: > > Andy - about use cases. Here is a problem we're trying to address: >> >> >> >> There are at least several major router implementations that have this >> concept of "hidden config" (i.e.

Re: [netmod] Must offline-validation of alone be valid?

> On Dec 8, 2021, at 5:50 PM, Andy Bierman wrote: > > Andy - about use cases. Here is a problem we're trying to address: > > > > There are at least several major router implementations that have this > concept of "hidden config" (i.e. list entries that can be referenced in a > leafref by

Re: [netmod] Must offline-validation of alone be valid?

Hi, On Mon, Dec 13, 2021 at 4:43 PM Kent Watsen wrote: > > Hi Jason, > > > I'm not following your "In the meanwhile" thoughts. > > Legacy clients are failing offline validation today. If running config has > a leafref to system config, and doesn't return that system > config (which it doesn't

Re: [netmod] Must offline-validation of alone be valid?

On Mon, Dec 13, 2021 at 3:44 PM Kent Watsen wrote: > Juergen/Andy, > > > Option #3 >> >> There is a client on the system that makes changes to running just >> like any other remote clients can make changes to running. System >> generate config that is not editable explicit config in running goes

Re: [netmod] Must offline-validation of alone be valid?

Hi Jason, > I'm not following your "In the meanwhile" thoughts. > > Legacy clients are failing offline validation today. If running config has a > leafref to system config, and doesn't return that system config > (which it doesn't in some implementations), then the instance data returned >

Re: [netmod] Must offline-validation of alone be valid?

Hi Jason, > I think we have a potential solution for this system config that keeps the > running valid. But I'm far more worried about configuration templates. I > don't see how we can possibly keep valid with config templates. > That seems like a major problem to me. But if we ever declare th

Re: [netmod] Must offline-validation of alone be valid?

Juergen/Andy, > Option #3 > > There is a client on the system that makes changes to running just > like any other remote clients can make changes to running. System > generate config that is not editable explicit config in running goes > straight into the applied config in operational. This does

Re: [netmod] Must offline-validation of alone be valid?

Hi Jan, > Here you are introducing two concepts that the RFCs (6020, 7950, 8342) are > never mentioning: online and offline validation. Then you say that because > the RFCs don't talk about these concepts, the behavior is undefined. I > strongly disagree. The RFCs talk about validation, and des

Re: [netmod] Must offline-validation of alone be valid?

is no need to create a new datastore and rewrite YANG to use a new datastore. > > Jason > Andy > > > *From:* Andy Bierman > *Sent:* Wednesday, December 8, 2021 5:50 PM > *To:* Sterne, Jason (Nokia - CA/Ottawa) > *Cc:* Juergen Schoenwaelder ; Jan > Lindblad ; Kent

Re: [netmod] Must offline-validation of alone be valid?

To: Sterne, Jason (Nokia - CA/Ottawa) > Cc: maqiufang (A) ; Andy Bierman > ; Jan Lindblad ; Kent Watsen > ; netmod@ietf.org > Subject: Re: [netmod] Must offline-validation of alone be valid? > > On Thu, Dec 09, 2021 at 03:15:24PM +, Sterne, Jason (Nokia - CA/Ottawa) > wrot

Re: [netmod] Must offline-validation of alone be valid?

Ottawa) Cc: Juergen Schoenwaelder ; Jan Lindblad ; Kent Watsen ; maqiufang (A) ; netmod@ietf.org Subject: Re: [netmod] Must offline-validation of alone be valid? On Wed, Dec 8, 2021 at 2:31 PM Sterne, Jason (Nokia - CA/Ottawa) mailto:jason.ste...@nokia.com>> wrote: Hi guys, Andy - about

Re: [netmod] Must offline-validation of alone be valid?

On Thu, Dec 09, 2021 at 03:15:24PM +, Sterne, Jason (Nokia - CA/Ottawa) wrote: > > A server accepting and returning non-valid config is also a surprise > > and inconvenience. > > Andy made a similar point in his reply but it is currently implemented today > and there are some desirable aspec

Re: [netmod] Must offline-validation of alone be valid?

wa) ; Jan Lindblad ; > Kent Watsen ; netmod@ietf.org > Subject: Re: [netmod] Must offline-validation of alone be valid? > > On Thu, Dec 09, 2021 at 01:07:09PM +, maqiufang (A) wrote: > > > > Regarding open #3, it is natural for the clients to believe that what they >

Re: [netmod] Must offline-validation of alone be valid?

On Thu, Dec 09, 2021 at 01:07:09PM +, maqiufang (A) wrote: > > Regarding open #3, it is natural for the clients to believe that what they > read back from the server is exactly what they sent to the server. > If there is a "system client" playing a role, this would require some extra > handl

Re: [netmod] Must offline-validation of alone be valid?

d@ietf.org Subject: Re: [netmod] Must offline-validation of alone be valid? On Wed, Dec 8, 2021 at 2:31 PM Sterne, Jason (Nokia - CA/Ottawa) mailto:jason.ste...@nokia.com>> wrote: Hi guys, Andy - about use cases. Here is a problem we're trying to address: There are at least

Re: [netmod] Must offline-validation of alone be valid?

a "read-back" and see exactly what was sent previously. > > > > I think we have a potential solution for this system config that keeps the > running valid. But I'm far more worried about configuration templates. I > don't see how we can possibly keep valid wi

Re: [netmod] Must offline-validation of alone be valid?

PM To: Jan Lindblad Cc: maqiufang (A) ; netmod@ietf.org Subject: Re: [netmod] Must offline-validation of alone be valid? Hi Jan, On Nov 23, 2021, at 12:56 PM, Jan Lindblad mailto:j...@tail-f.com>> wrote: Sergio, Qiufang, Hi Jan, You correctly wrote: Then the choices become:

Re: [netmod] Must offline-validation of alone be valid?

netmod On Behalf Of Andy Bierman Sent: Friday, December 3, 2021 6:01 AM To: Juergen Schoenwaelder ; Jan Lindblad ; Kent Watsen ; maqiufang (A) ; netmod@ietf.org Subject: Re: [netmod] Must offline-validation of alone be valid? On Fri, Dec 3, 2021 at 2:26 AM Jürgen Schönwälder mailto:j.schoenwa

Re: [netmod] Must offline-validation of alone be valid?

On Fri, Dec 3, 2021 at 2:26 AM Jürgen Schönwälder < j.schoenwael...@jacobs-university.de> wrote: > On Fri, Dec 03, 2021 at 10:59:12AM +0100, Jan Lindblad wrote: > > > I made some proposals earlier, both on the interim and privately to the > draft authors, along these lines: > > > > Option #1 > > +

Re: [netmod] Must offline-validation of alone be valid?

On Fri, Dec 03, 2021 at 10:59:12AM +0100, Jan Lindblad wrote: > I made some proposals earlier, both on the interim and privately to the draft > authors, along these lines: > > Option #1 > + We could have a new system datastore that technically is a part of running. > Everything in system would

Re: [netmod] Must offline-validation of alone be valid?

Kent, Qiufang, all, >>> Offline validation of alone IS required >>> Options: >>> Clients MUST copy/paste any referenced system configuration into , >>> even though it goes against our objective of avoiding-copy when possible. >>> Defer work to be a YANG-next effort. >> >> In order to move forwa

Re: [netmod] Must offline-validation of alone be valid?

Hi Jan, > On Nov 23, 2021, at 12:56 PM, Jan Lindblad wrote: > > Sergio, Qiufang, > >> Hi Jan, >> You correctly wrote: >> >> Then the choices become: >> Offline validation of alone is NOT required >> Servers internally validate via validating >> >> SB> but in fact this is what declared

Re: [netmod] Must offline-validation of alone be valid?

ang (A) mailto:maqiufang1=40huawei@dmarc.ietf.org>>; netmod@ietf.org<mailto:netmod@ietf.org> Subject: Re: [netmod] Must offline-validation of alone be valid? Sergio, Qiufang, Hi Jan, You correctly wrote: Then the choices become: oOffline validation of alone is NOT r

Re: [netmod] Must offline-validation of alone be valid?

Sergio, Qiufang, > Hi Jan, > You correctly wrote: > > Then the choices become: > Offline validation of alone is NOT required > Servers internally validate via validating > > SB> but in fact this is what declared, for my understanding, in RFC 8342, for > which “validation” is done on “inten

Re: [netmod] Must offline-validation of alone be valid?

ing-copy when possible. * Defer work to be a YANG-next effort. Thanks Sergio From: netmod On Behalf Of Jan Lindblad Sent: Tuesday, November 23, 2021 10:59 AM To: maqiufang (A) Cc: netmod@ietf.org Subject: Re: [netmod] Must offline-validation of alone be valid? Qiufang, Regarding

Re: [netmod] Must offline-validation of alone be valid?

Qiufang, > Regarding the presentation of “system-defined > configuration(draft-ma-netmod-with-system)” in IETF 112, I would like to > initiate a separate thread to discuss “MUST offline-validation of > alone be valid”. Thank you for bringing this up again. > This is unknown if any RFC requir

[netmod] Must offline-validation of alone be valid?

Hi, all Regarding the presentation of "system-defined configuration(draft-ma-netmod-with-system)" in IETF 112, I would like to initiate a separate thread to discuss "MUST offline-validation of alone be valid". This is unknown if any RFC requires offline validation of . Then the choices become: