
Re: Named Profiles for notification configuration (unofficial issue #16)



Sharon Chisholm wrote:
hi

Access control is something the working group should definitely get to,
but I'm not sure how it specifically applies to this issue.

The named profile is intended to be a standard way for people to hook in
proprietary filtering.


Not sure how access control applies to opaque parameters? Yikes!


There aren't going to be any blatant proprietary hooks in NETCONF.
This needs to be fully specified or removed.  Independent
implementations must be able to interoperate based on this
specification.  An opaque "named profile" that just somehow magically
appears on the device is not inter-operable or secure.



It is not intended to be specified in an
interoperable way, other than how you hook the name in. The more
standardized approach is what the XPath and subtree (defined
consistently with other Netconf commands) is intended for.

Sharon

Andy


-----Original Message-----
From: owner-netconf@ops.ietf.org [mailto:owner-netconf@ops.ietf.org] On
Behalf Of Andy Bierman
Sent: Monday, March 27, 2006 10:59 AM
To: Netconf (E-mail)
Subject: Named Profiles for notification configuration


Hi,

IMO, the entire concept of the 'named-profile' configuration option in
the draft is broken.  From a standards POV, it is broken because there
is no way for 1 vendor to set a profile and another to use it.  The
content is unspecified.

More importantly, this is "just another data model".
We already have an architecture for defining, naming, and manipulating
data with standard RPC methods (e.g., <edit-config>). IMO, adding a new
'opaque' label-based configuration model on top of that is a bad idea.

As Wes would say, "Have you fully considered the access control
implications of this design?"  I don't think so.



Andy



--
to unsubscribe send a message to netconf-request@ops.ietf.org with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>

