=============================================================
NETCONF Data Modeling Language WG (netmod)
IETF #86, Orlando, USA
Tuesday, March 12th, 2013, 15:20-16:50, Caribbean
Minutes: Balazs Lengyel, Lisandro Granville, Juergen Schoenwaelder
=============================================================

WG Chairs:
  David Kessens
  Juergen Schoenwaelder

WG URL: http://tools.ietf.org/wg/netmod/
Jabber: xmpp:netmod@jabber.ietf.org

Agenda:

1) Administrivia (chairs)                                   [ 5 min]
   - minutes scribe {volunteers welcome in advance!}
   - jabber scribe {volunteers welcome in advance!}
   - blue sheets
   - agenda bashing
   - status and milestones

2) Core interface data model (Martin)                       [ 5 min]
   - draft-ietf-netmod-rfc6021-bis-00
   - draft-ietf-netmod-iana-if-type-04
   - draft-ietf-netmod-interfaces-cfg-09
   - draft-ietf-netmod-ip-cfg-09

3) Core routing data model (Ladislav)                       [ 5 min]
   - draft-ietf-netmod-routing-cfg-09

4) Core system data model (Andy, Martin)                    [30 min]
   - draft-ietf-netmod-iana-timezones-00
   - draft-ietf-netmod-system-mgmt-05

5) SNMP configuration data model (Martin)                   [10 min]
   - draft-ietf-netmod-snmp-cfg-01

6) Access Control List (ACL) data model (Alex)              [20 min]
   - draft-huang-netmod-acl-02

7) Modeling JSON text with YANG (Ladislav)                  [10 min]
   - draft-lhotka-netmod-yang-json-00

8) Open mike                                                [ 5 min]
   {please identify issues in advance}

Summary:

The NETMOD working group met for 1.5 hours on Tuesday, March 12th,
during the 86th IETF meeting. The meeting was attended by ~40 people.

* The documents draft-ietf-netmod-interfaces-cfg-09,
  draft-ietf-netmod-ip-cfg-09, draft-ietf-netmod-rfc6021-bis-00, and
  draft-ietf-netmod-iana-if-type-04 have been sent to Benoit for
  processing through the IESG. The routing document
  draft-ietf-netmod-routing-cfg-09 is to follow (waiting for David to
  finish the writeup).

* The system data model draft-ietf-netmod-system-mgmt-05 is in WG last
  call and a number of issues have been brought up. WG meeting time was
  used to find out which issues require changes to the document. Once
  there is a revised I-D, we will need to run a 2nd WG last call.

* The SNMP configuration data model draft-ietf-netmod-snmp-cfg-01 is in
  WG last call. A few minor issues have been identified that Martin and
  Juergen will work on. This document needs further reviews and likely
  a 2nd WG last call when a revised I-D is available.

* A revised proposal for a set of data models for stateless packet
  filters was presented. Several people in the room said they find this
  work useful.

* Ladislav presented briefly on the JSON mapping of YANG.

Actors:
  - JS = Juergen Schoenwaelder
  - AB = Andy Bierman
  - MB = Martin Bjorklund
  - LL = Ladislav Lhotka
  - DK = David Kessens
  - BC = Benoit Claise
  - KW = Kent Watsen
  - AC = Alex Clemm
  - BF = Bill Fenner
  - BL = Balazs Lengyel
  - BH = Brian Headstrom
  - CM = Carl Moberg
  - DH = David Harrington

Slides: http://www.ietf.org/proceedings/86/netmod.html
Audio:  http://www.ietf.org/audio/ietf86/

Meeting Notes (focusing on the open issues discussed):

* Core interface data model

  no comments / discussion

* Core routing data model
  http://www.ietf.org/proceedings/86/slides/slides-86-netmod-1.pdf

  no comments / discussion

* Core system data model
  http://www.ietf.org/proceedings/86/slides/slides-86-netmod-5.pdf

  - Nobody spoke up for adding radius-eap and eap-method and hence they
    will not be added (slide 4)
  - Tail-f will support rounds in the future and is in favor of adding
    the rounds parameter to the crypt type (slide 5)
  - Choice of the crypt algorithm for cleartext passwords will be
    implementation dependent (slide 5)
  - Clarified text looks good and will be adopted (slide 6)
  - BF suggests looking at what GeoPriv has done (slide 7). People who
    want any of these strings should speak up on the mailing list.
  - MB suggests having only the hostname as a configurable object. BF
    says this is what his system implements. The proposal is to change
    this to hostname and to remove sysname (slide 8)
  - AB likes introducing an enabled grouping; LL suggests it should be
    an empty disabled leaf since it works with all default modes and
    only clutters the instance data where needed (slide 8)
  - KW asks whether conditional enablement takes a long time. AB answers
    it usually does take a long time. AB states that conditional
    enablement (defined by the operator) solves a slightly different
    problem than enabled leaves (defined by the data model writer)
    (slide 8)
  - Additional NTP config knobs will not be added unless people make a
    strong point on the mailing lists (slide 8)
  - AB says that people who want additional RADIUS support should speak
    up now, otherwise what we have is considered complete and
    sufficient. BH asks why RADIUS and not also TACACS+? AB says RADIUS
    is an IETF standard. (slide 9)
  - BH asks about provisioning FTP servers, HTTP servers / clients,
    TELNET servers / clients: where do you draw the line? DK says that
    we are aiming for 90% and we need to agree what this set of features
    is. JS adds that it helps to have concrete proposals; "I want
    TACACS+" is not very actionable. BF says adding TACACS+ requires
    someone who knows TACACS+ to help. KW says authentication is an
    open can of worms. JS says that our task is to finish a document in
    a certain time frame. DK adds that more stuff can always be added
    later.
  - KW says $9$ is a reversible encoding used for obfuscation. MB says
    obfuscation is very different from hashing. It seems $9$ is a
    proprietary invention (slide 9)
  - Phil Shafer's comments concerning SSH keys need clarification on the
    mailing list (slide 10)
  - KW asks whether NACM can model an access control policy allowing a
    user to reboot but not to shutdown. AB responds that you lose the
    ability to distinguish these operations if they are merged. LL
    remarks that a reboot is very different from a shutdown, after which
    someone has to visit the box to turn it on again (slide 10)
  - KW asks whether we can standardize roles like cluster or master. AB
    says this is complicated and likely does not belong in the first
    version of the system model. KW agrees that cluster support may be a
    separate effort (slide 12)

  Editors will produce another revision and hopefully we are then ready
  for final WGLC.

* SNMP configuration data model
  http://www.ietf.org/proceedings/86/slides/slides-86-netmod-4.pdf

  - MB and JS will work on a solution for the certificate mapping list
    that is currently duplicated into the NETCONF over TLS document.

  Editors will produce a revised document, but in general this document
  needs more review.

* Spontaneous Meta Discussion

  - BC is concerned about the number of people who have read the drafts
    and contribute. BH would like to contribute more but has no funding
    for it.
  - CM says that there are still relatively few implementations, but
    YANG is gaining a lot of traction for new implementations, though
    this is slow.
  - An unidentified participant (name not captured) would like to hear
    from operators and vendors about their plans: what are you trying to
    achieve that SNMP did not?
  - KW says we do not have many domain experts in the room, even though
    they contribute on the mailing list. Juniper is considering creating
    a mapping between standard data models and native device data
    models.
  - AB says NETCONF is about replacing the CLI with a programmable
    interface, and this is an order of magnitude harder than monitoring
    (what most SNMP MIB modules focus on).
  - AB says that not having the experts in the room is not critical as
    long as we manage to work with domain experts on the mailing list.
  - BH says that provisioning a cable device is not feasible with SNMP.
    We should not be discussing this question anymore.
  - BC says we need to get sufficient review from the domain experts.
  - DK sees more review on the mailing list than in the room.
  - AC says more data models will make NETCONF more attractive to
    implement.

* Access Control List (ACL) data model
  http://www.ietf.org/proceedings/86/slides/slides-86-netmod-3.pdf

  - KW was trying to get domain experts of the company involved; part of
    the problem was a confusion caused by the name ACL.
  - DH (via Jabber) states that the DMTF designs top down while the IETF
    designs bottom up.
  - Shaen (?) says this is only for the network data plane. Please make
    it clearer what this document is about to avoid confusion. Otherwise
    important work that we (Level 3) support.
  - KW asks how Diameter ACLs are related. AC explains that we want to
    make sure that we model the same filter mechanisms. KW requests that
    more clarity is provided that this is about stateless firewall ACLs.

* Modeling JSON text with YANG
  http://www.ietf.org/proceedings/86/slides/slides-86-netmod-2.pdf

  - AB says implementation is straightforward. The generic JSON tools
    obviously never force arrays. LL explains that generic tools lack a
    data model.
  - AB did run into issues with nodesets that must be handled as an
    array. AB is interested in alternate encodings in order to be
    faster.
  - JS thinks anyxml needs to be handled since it is a part of YANG. LL
    is primarily interested in validation and anyxml is skipped anyway
    when it comes to validation. AB says that his code supports anyxml
    in JSON but it is probably not worth the effort.
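The array issue raised under "Modeling JSON text with YANG" (generic JSON tools never force arrays; nodesets that must be handled as an array) is easiest to see in code. The following is an added example written for these minutes, not code from draft-lhotka-netmod-yang-json or from any of the participants. It uses a small constructed schema and constructed instance data, and contrasts a schema-less XML-style conversion (one occurrence becomes an object, several become an array) with a schema-driven one that always emits a JSON array for YANG list and leaf-list nodes, which is the rule the JSON encoding later fixed in RFC 7951. A validator then shows which of the two outputs a YANG-aware receiver would accept.

```python
import json

# Constructed, hypothetical mini-schema (not the WG's interfaces or system
# model). Each node is "container", "list", "leaf-list" or "leaf".
SCHEMA = {
    "kind": "container", "children": {
        "interfaces": {"kind": "container", "children": {
            "interface": {"kind": "list", "children": {
                "name": {"kind": "leaf"},
                "address": {"kind": "leaf-list"},
            }},
        }},
    },
}

# Constructed instance data in XML-like form: a node is (name, value) where
# value is a text string for a leaf/leaf-list entry or a list of child nodes.
SINGLE_INTERFACE = [("interfaces", [
    ("interface", [("name", "eth0"), ("address", "192.0.2.1/24")]),
])]

TWO_INTERFACES = [("interfaces", [
    ("interface", [("name", "eth0"),
                   ("address", "192.0.2.1/24"),
                   ("address", "198.51.100.1/24")]),
    ("interface", [("name", "eth1")]),
])]


def naive_json(nodes):
    """Schema-less conversion in the style of generic XML-to-JSON tools:
    a child seen once becomes an object or string, a repeated child becomes
    an array. Whether the receiver gets an array therefore depends on the
    instance data, not on the data model."""
    out = {}
    for name, value in nodes:
        converted = value if isinstance(value, str) else naive_json(value)
        if name in out:
            if not isinstance(out[name], list):
                out[name] = [out[name]]
            out[name].append(converted)
        else:
            out[name] = converted
    return out


def yang_json(schema, nodes):
    """Schema-driven conversion: list and leaf-list nodes are always JSON
    arrays, even when the instance has a single member."""
    out = {}
    for name, value in nodes:
        child = schema["children"][name]
        kind = child["kind"]
        converted = value if kind in ("leaf", "leaf-list") else yang_json(child, value)
        if kind in ("list", "leaf-list"):
            out.setdefault(name, []).append(converted)
        else:
            out[name] = converted
    return out


def validate(schema, obj, path=""):
    """Return the structural errors found when checking JSON data against
    the schema: a list/leaf-list that is not an array, an unknown node, or
    a container that is not an object. An empty list means the data is OK."""
    if not isinstance(obj, dict):
        return [f"{path or '/'}: container must be a JSON object"]
    errors = []
    for name, value in obj.items():
        here = f"{path}/{name}"
        child = schema["children"].get(name)
        if child is None:
            errors.append(f"{here}: unknown node")
            continue
        kind = child["kind"]
        if kind in ("list", "leaf-list"):
            if not isinstance(value, list):
                errors.append(f"{here}: {kind} must be a JSON array")
                continue
            if kind == "list":
                for i, entry in enumerate(value):
                    errors.extend(validate(child, entry, f"{here}[{i}]"))
        elif kind == "container":
            errors.extend(validate(child, value, here))
    return errors


if __name__ == "__main__":
    for label, data in (("one interface", SINGLE_INTERFACE),
                        ("two interfaces", TWO_INTERFACES)):
        for conv in (naive_json, lambda d: yang_json(SCHEMA, d)):
            doc = conv(data)
            print(label, json.dumps(doc), validate(SCHEMA, doc))
```

With two interfaces both converters happen to agree; with a single interface the schema-less output carries `"interface"` as an object and fails validation, while the schema-driven output is a one-element array and passes. A receiver that only ever sees multi-entry test data will not notice the difference until the first single-entry configuration arrives.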