IETF Logo Mail Archive

Re: Gen-art LC review: draft-mm-netconf-time-capability-05

Andy Bierman <andy@yumaworks.com> Fri, 10 July 2015 16:23 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5EF91A00A8 for <ietf@ietfa.amsl.com>; Fri, 10 Jul 2015 09:23:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1GMi8-RmcnHB for <ietf@ietfa.amsl.com>; Fri, 10 Jul 2015 09:23:18 -0700 (PDT)
Received: from mail-lb0-f174.google.com (mail-lb0-f174.google.com [209.85.217.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD3F51A001B for <ietf@ietf.org>; Fri, 10 Jul 2015 09:23:17 -0700 (PDT)
Received: by lblf12 with SMTP id f12so25937416lbl.2 for <ietf@ietf.org>; Fri, 10 Jul 2015 09:23:16 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=DDF3ZIAbcetqI+tXYZCddrsabh2Ya42O325ckjfoeys=; b=cy4KwlrRiTpsysOsj0HcNn1j57qlcYcpmtoPwd/H6vIaaAeUu9QdzZq0X3pPwVXBs8 xpmmc38jiu/YFNAvr8FZOiAt1ocWOpF2jS2MM1pLghBvvEltwBrEnrxGJgfuX2jKs1XJ 1OQi/tfHB9XHe4NVHU4iFX9tGxbHJgFeSzMWKcRcWwqRSTTORk9iB0Em2VfJ/H2TQ8Iy j0n6M8rj3SxcLUgKZE2JOiLUb/Q1B04mpohm/sb+0J3N/3CwOGaJ3M5zqifvNnFwBlsx 8mG5bbrGxiiVyOaAYNMmFVDyQbYP9bTfeoWjdwda+ZpiFZZctXVB7t1GusFMwx54MQLr NBNg==
X-Gm-Message-State: ALoCoQlSioGLhnkCg6dq3VsFba6/G8LCSEW9nCVtiiiBjHxHROaC62cesmjVgx7q0AkhY40FPacl
MIME-Version: 1.0
X-Received: by 10.112.46.130 with SMTP id v2mr13520401lbm.119.1436545396189; Fri, 10 Jul 2015 09:23:16 -0700 (PDT)
Received: by 10.112.200.102 with HTTP; Fri, 10 Jul 2015 09:23:16 -0700 (PDT)
In-Reply-To: <559D98AC.7040403@nostrum.com>
References: <559D98AC.7040403@nostrum.com>
Date: Fri, 10 Jul 2015 09:23:16 -0700
Message-ID: <CABCOCHQ7d9Sh9b7jujKipJjRAH16vxTYW9GkRF_30PdoSAGw_Q@mail.gmail.com>
Subject: Re: Gen-art LC review: draft-mm-netconf-time-capability-05
From: Andy Bierman <andy@yumaworks.com>
To: Robert Sparks <rjsparks@nostrum.com>
Content-Type: multipart/alternative; boundary="001a1134aee80b43ef051a87ca3b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/PRIg6spSIF4hSZhL3b8bLokjwDQ>
Cc: General Area Review Team <gen-art@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, draft-mm-netconf-time-capability.all@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 16:23:20 -0000

On Wed, Jul 8, 2015 at 2:39 PM, Robert Sparks <rjsparks@nostrum.com> wrote:

> I am the assigned Gen-ART reviewer for this draft. For background on
> Gen-ART, please see the FAQ at
>
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>
> Please resolve these comments along with any other Last Call comments
> you may receive.
>
> Document: draft-mm-netconf-time-capability-05
> Reviewer: Robert Sparks
> Review Date: 8 Jul 2015
> IETF LC End Date: 29 Jul 2015
> IESG Telechat date: not yet scheduled
>
> Summary: This draft has open issues to address before publication
>
> This draft adds two separable concepts to netconf
> * Asking for and receiving knowledge of when a command was executed
> * Requesting that a command be executed at a particular time
>
> The utility of the first is obvious, and I have no problems with the
> specification of that part of this extension. Would it be better to pull
> these apart and progress them separately?
>
> The utility of the second would be more obvious if the draft didn't limit
> the time to be "near future scheduling". It punts on most of the hard
> problems with scheduling things outside a very tight range (15 seconds in
> the future by default), without motivating the advantages of saying "wait
> until 5 seconds from now before you do this".
>
> So:
>
> Why was 15 seconds chosen? Could you add a motivating example that shows
> why being able to say "now is not good, but 5 seconds from now is better"
> is useful? (Something like having a series of things happen as close to
> simultaneously without the network delay of sending the requests impacting
> how they are separated perhaps?)
>
> Given the punt, why isn't there a statement that sched-max-future MUST NOT
> be configured for more than some small value (twice the default, or 30
> seconds, perhaps), especially while this is targeted for Experimental?
> Without something like that, I think the document needs to talk about more
> of the issues it is trying to avoid with longer term scheduling, even if it
> doesn't solve those issues. (If I have a fast pipe, I can make a server
> keep a lot of queued requests, eating a lot of state, even if the window is
> only 15 seconds. Pointing to how netconf protects against state-exhaustion
> abuse might be useful).
>
>

Picking some arbitrary small sched-max-future value only lowers the
probability that
something goes wrong, so it is not a very good punt.



> The security considerations section talks about malicious parties
> attempting to cause sched-max-future to be configured to "a small value".
> Could you more clearly characterize  "small", given that the default is 15
> seconds?
>
> Even with the near-future limit, there are issues to discuss introduced
> with the ability to cancel a request:
>
> * What prevents a 3rd party from cancelling a request? I think it's only
> that the 3rd party would have to obtain the right id to put in the cancel
> message. If so, the document should talk about how you keep eavesdroppers
> from seeing those ids, and that the servers that generate them should make
> ids that are hard to guess.
>


Since the scheduled rpc event is sent to every client that is listening
for notifications, there is no possibility for security through
hard-to-guess token,
as is done with the "persist-id"  for cancelling a confirmed-commit.

NETCONF has no support for sending a notification to just 1 session or user.



> * Especially given the near-future limitation, you run a high risk that
> the cancel arrives after the identified request has been executed. It's not
> clear in the current text what the server should do. I assume you want the
> server to reply to the cancel with a "I couldn't cancel that" rather than
> to do something like try to undo the request. The document should be
> explicit.
>
* The document should explicitly disallow adding <scheduled-time> to
> <cancel-schedule>
>
> One editorial comment: It would help to move the concept of the
> near-future limitation much earlier in the document, perhaps even into the
> introduction and abstract.
>
> And for the shepherding AD: The document has no shepherd or shepherd
> writeup. While a writeup is not required, one would have been useful in
> this case to discuss the history of (lack of) discussion of the document on
> the group's list and the group's reaction to progressing as Experimental as
> an Individual Submission.
>
>

Andy

v2.23.0 | Report a Bug | By Email