[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: More confirmed-commit issues

To: Andy Bierman <ietf@andybierman.com>
Subject: Re: More confirmed-commit issues
From: Wes Hardaker <wjhns1@hardakers.net>
Date: Wed, 18 May 2005 14:04:14 -0700
Cc: Rob Enns <rpe@juniper.net>, netconf <netconf@ops.ietf.org>
In-reply-to: <428B5151.1080902@andybierman.com> (Andy Bierman's message of "Wed, 18 May 2005 07:29:37 -0700")
Organization: Sparta
References: <062B922B6EC55149B5A267ECE78E5D440A0038C4@photon.jnpr.net> <428B5151.1080902@andybierman.com>
User-agent: Gnus/5.110003 (No Gnus v0.3) XEmacs/21.4 (Jumbo Shrimp, linux)

Andy> It is astonishing to Mgr B who has no way of knowing a revert
Andy> timeout is pending. To me, the whole thing is just fragile. 
Andy> IMO, a configuration protocol should be robust, not fragile.

Andy> A protocol that can allow the possibility of severely detrimental
Andy> config changes (through unintended or malicious acts), by merely
Andy> dropping a connection, is fragile.

Andy> It's possible the security AD could have a problem with this
Andy> too, during the IESG review.

It's in line with all the other similar problems I've already
expressed so I wasn't going to bring it up.  confirmed-commits
actually exasperate something that already exists in the
global-config-store and locking problems.  Previously it was
acknowledged that you should always use locks to avoid multiple people
modifying parts of the config at the same time when all of a sudden
neither has the ability to actually perform a commit because the
permissions of either don't include all the changes that would be
required during the copy.  With a confirmed commit if the locking
session is lost intentionally or due to (potentially temporary)
network issues caused by the commit a second user could actually come
in, make a minor change to either running or candidate that would
prevent the original person from being able to roll back in the first
place.

Since that was impossible to follow in text:

  X = 1
  Y = 1

  A can modify X but not Y
  B can modify Y but not X

  A locks candidate
  A locks running
  A changes X=2 in candidate
  A issues confirming commit, timeout = 60
  A's session closes, losing both locks

  B opens session
  B modifies Y=2 in running
  B closes session

  A does *not* send a confirm

  At commit-time + 60, the box should revert running to X=1 Y=1 but
    can't because A doesn't have permission to change from current Y=2
    to Y=1.

Discussion of multiple overlapping confirming-commits left to the reader.

One alternative is to say that locks last even beyond the session
closure until the confirmed commit timer is finished.  That has other
ramifications too, but probably less-so.

I've said before that the notion of shared scratch spaces really makes
the protocol a root-only kind of protocol.  Many of these security
problems would go away if things were done via "delta"s instead of
all-or-nothing from a shared space.

-- 
"In the bathtub of history the truth is harder to hold than the soap,
 and much more difficult to find."  -- Terry Pratchett

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>

References:
- RE: More confirmed-commit issues
  - From: "Rob Enns" <rpe@juniper.net>
- Re: More confirmed-commit issues
  - From: Andy Bierman <ietf@andybierman.com>

Prev by Date: RE: More confirmed-commit issues
Next by Date: consecutive locks on the same session
Previous by thread: Re: More confirmed-commit issues
Next by thread: RE: More confirmed-commit issues
Index(es):
- Date
- Thread