NETCONF Notes from the Working Group meeting, IETF 70, 2007-12-05

NETCONF is 4.5 years old!

Notification document passed WG last call. Pending proto writeup (can be by one of the new chairs or someone else - Dan Romascanu), to then be handed to the IESG.

Dan Romascanu: applause for outgoing chairs! Ongoing process for selecting new chairs.
Bert Wijnen: shouldn't the proto write-up be written by one of the outgoing chairs?
Simon: might be an option.

New charter accepted November.

Mailing lists: many mailing lists right now, including the APPS area. One proposal: move all netconf-related discussions into the main netconf list.
Sharon Chisholm: keep netconf for chartered items, and keep NGO for non-chartered discussion. Axe all the others.
After discussion, the new proposal is to keep everything except the netmod list at Nortel.

New security advisor: Charlie Kaufmann (editor: spelling?)

New charter items: Goal of the day: determine whether input documents are in a good enough state to move change control to the working group.

---------------------------------------------------------------

NETCONF over TLS (Mohamad Badra)
(slide info not reproduced)

Balazs Lengyel: The authentication part is welcome, but access control is outside our current charter.
Dan Romascanu: This is the document that drew the most attention from the IESG when the charter came up. There was an early review in the IESG to make sure that there weren't any red flags.
Simon Leinen: how many have read? 8-10. Who thinks it should be added as a wg item? Almost the same number. No one objected. Will confirm this decision on the mailing list. Not terribly wide review.

---------------------------------------------------------------

Balazs Lengyel on partial locking
(slide info not reproduced)

Balazs Lengyel spent some more time explaining the YANG module that he has written for maintaining configuration of the locks on a system.

Sharon Chisholm: have sent a bunch of comments to the list.
One of them is around XPath: "if you don't support XPath, then you can support this smaller subset". Should we just mandate XPath if you support this capability?
Andy Bierman: absolutely doesn't want to use full XPath. The XPath expression can be dynamic.
Balazs: the XPath is only evaluated once.
Andy: that's a security hole -- if you don't apply it when it's evaluated.
Andy wants the
Dan Romascanu: about the use of YANG. Not sure where it'll be in the draft, but as long as it's not normative.
Phil Shafer: talk about the interactions between partial locks, get-config, commit. Phil thinks there are interactions that Balazs doesn't. If two users have locked two different parts of the database with dependencies between the two, and I change mine based on your values which then are not committed, what happens?
Balazs: there are issues; we need to describe this carefully.
Wes Hardaker: if you do a partial lock on part of the config but then try to edit outside that part that you've locked, do you get feedback on that?
Balazs: no, not at this point.
Wes: only an interesting management error to consider.
Wes Hardaker reiterates that he's worried about evaluation of XPath expressions taking place at a time other than when it's being applied.
Andy: what if one of the things you are changing is in the lock expression?
Balazs: having a very dynamic lock has its own set of problems.
Phil Shafer: Lifespan of the lock, in terms of how long they're supposed to last. The global lock was intended to cover the duration of your edit, whereas you are talking about longer times.
Balazs: it would be possible to add a timeout to the partial lock.
Phil: are you intending this to be short-term or long-term locks?
Balazs: I can't control it, but my intention is that they be short-term. Balazs will add a comment to the draft.
Wes Hardaker: one question about the partial lock of a tree. If I lock the user table, can someone else add a user?
Balazs: no.
Mark Scott: why can a lock only be unlocked in the same session?
Balazs: even today, if you have locked (the global lock) in one session, you can't unlock it in a different user session and we're continuing that.
David Harrington: What session does SNMP lock?
Balazs: one idea is that all non-NETCONF protocols might have a reserved session id range.
Sharon: the monitoring draft is a good place to report these sessions.
Phil Shafer: you mentioned being able to do locks on startup configuration, but that config is not writable.
Balazs: you're probably right.
Simon Leinen: who's read it? 11-12. Should be WG draft? Approx the same number. Should not? 1.

---------------------------------------------------------------

Mark Scott on monitoring NETCONF
(did not reproduce slide information)

Balazs Lengyel: the GUI / CLI / locks inside is very much needed. Consider locks that are "internal" like a backup process. Why aren't counters included?
Mark: simply because it's a different area and would be hard to get it standardized in the short term. We don't think that the operational data is not relevant to making the configuration process more bug-free. There is a minimal set still included.
Simon: who's read it? 8-ish. Ready for the WG? 6-ish. Not ready? 0.

---------------------------------------------------------------

Hideki Okita: advertisement with WSDL and XSD.
(did not reproduce slide information)

Rohan Mahy: Are you assuming that schemas be transient?
Hideki Okita: mostly interested in knowing where the information is and how to get to it.
Rohan: if I go to my device and ask it about its schemas, and there are YANG modules, XSD, and there's a RelaxNG schema. Will the query tell me about all three or only one of them?
Simon: are you saying it would be useful to be able to get the schemas in different forms?
Rohan: yes, it'd be useful.
David Perkins: the user wants to know what the device does, not what the standards document says it's supposed to do.
If the device doesn't fully comply, you want to know that.
Simon Leinen: who's read it? 11.
Dan Romascanu: Please do not put company name on slides. Please resubmit.

---------------------------------------------------------------

Mark Scott on schema query
(did not reproduce slide information)

Scope perhaps a bit narrower than the previous co
Balazs: are you opposed to merging the two drafts?
Mark: not opposed.
Hideki Okita: what is the use case for the work
Phil Shafer: have we abandoned dedicated RPCs and gone to the all-powerful get?
Balazs: I have some rules in my mind when to use them. Can the normal RPCs accomplish them, then why not use it?
Mark: I had the same question. Maybe we should write down when it should be new ones and when not.
David Harrington: I thought NETCONF was going to be "task-based" and I think it would make it unfortunate if this became
Andy: when you are actually adding a new verb, then do so. If you're just changing what you're getting, then don't add a new verb.
Sharon: CLIs have a single verb for a show but not for changes. I agree that there are cases where we should create new verbs. Don't see that this is a case where a new verb is needed.
David Perkins: How do you specify that a device has implemented a subset of a schema?
Mark: you'd have to put your own sub-set schema somewhere and publish that subset somewhere.
Sharon: not sure that we need this for our requirements unless they're non-conformant. The manager should be able to handle that non-mandatory objects aren't there. For the most part, the high-level information (name, version number) is sufficient. We're getting 90% of the value without getting into the specifics.
Wes: David Perkins is absolutely right. NM applications can't figure out how things are broken.
David Harrington: concerned that this sounds like agent capabilities, which failed.
Dan Romascanu: looks more like the RMON capabilities stuff.
Simon Leinen: How many have read it? 10-11.
Hesitant to call for a show of hands since we have two drafts, but we will do so anyway. Should Hideki's draft be part of the working group? 5. Mark's? 6-7.
Dan Romascanu: suggestion as a contributor. No clear-cut answer. Try to work together?
Andy Bierman: concerned that a NETCONF agent must use http. A lot of overhead for not much information instead of using NETCONF to get it.
David Harrington: concerned about introducing dependencies to other protocols.
Hideki Okita: we have HTTP already, so it's not a concern to us, but I understand your concern.
Simon: it's clear why your approach is attractive given that you've used SOAP.
Phil Shafer: operators often do not enable http on their devices.

---------------------------------------------------------------

Sharon: there's some work that's not in the charter because we didn't know if this would be a new WG or if it'd be in a
1. Clarifications of implementation issues in a bis of the NETCONF RFC
2. Update on transport documents

---------------------------------------------------------------

Tomoyuki Iijima on experience of implementing a SOAP-based NETCONF client-server.
(slide information not reproduced)

Please contact him if you'd like to see a demonstration.