Partial Locking of a Datastore in NETCONF

Provided by: ietf
Learn more at: https://www.ietf.org
1
Partial Locking of a Datastore in NETCONF
  • Martin Bjorklund, Tail-F
  • Balazs Lengyel, Ericsson
  • draft-lengyel-ngo-partial-lock-00
  • IETF-69 Chicago, USA, 2007 July

2
What is the problem?
  • NETCONF has only global locking (per
    configuration datastore)
  • Sometimes operators need to lock only part of the
    configuration

3
Why is this needed? Use Cases
  • Big nodes, multiple people responsible for
    configuration
  • BT: separate groups responsible for security,
    fault, performance, configuration management
  • Nodes operated by multiple organizations,
    multiple sections of the same company
  • Separate virtual routers operated by separate
    organizations
  • Nodes configured using parallel sessions

4
Why is this needed? Use Cases
  • Nodes with subscriber data
  • core configuration: responsibility of network
    operator, experts
  • subscriber data: responsibility of customer care
    agent with very limited knowledge about the node
  • Sub-agent architecture: sometimes we want to lock
    only one sub-agent, not all

5
Partial Locking
  • Lock part of a datastore
  • Always lock full subtrees
  • Based on XPATH filter
  • Restricted XPATH using "Instance Identifier"
    syntax
  • /interfaces/interface[name="eth0"]
  • Full XPATH if the XPATH capability is also
    supported
  • Subtree filtering not suitable for locking
  • Capability based

6
<partial-lock>

    <nc:rpc
        nc:message-id="135">
      <partial-lock>
        <nc:running/>
        <filter
            select="/if:interface[if:ifIndex='2']"/>
      </partial-lock>
    </nc:rpc>

  • Namespaces ignored in example

7
<partial-unlock>

    <nc:rpc
        nc:message-id="136">
      <partial-unlock>
        <lock-id>127</lock-id>
      </partial-unlock>
    </nc:rpc>

  • Namespaces ignored in example

8
Follow base NETCONF
  • Avoid major new concepts or incompatibilities
  • Lock is multi-protocol, write lock
  • Lock owner is the session
  • Lock life-time connected to session
  • Partial-lock does in no way change the basic lock
    functionality

9
Additional considerations
  • Locking user MUST have some access rights to
    locked parts
  • Mitigates the risk of a lock-based DoS attack

10
Open Issues
  • Can non-existent parts be locked?
  • Operator Smith wants to create it later, so leave
    it alone
  • Define restricted XPATH precisely

11
Open Issues
  • Interactions with locks from other access methods
    (CLI, SNMP, GUI, LDAP)
  • If we lock less (only part of the datastore) we
    will have fewer lock conflicts
  • Mapping of naming systems needed anyway for
    configuration
  • If another access method cannot support
    fine-grained locking it can still lock big chunks or a
    complete datastore

12
Next Steps
  • Draft available
  • Tail-F, Ericsson plan to implement/use partial
    locking in the near future
  • Should be taken up by a working group or OPS-Area

13
Thank You!

14
Subtree Filtering Problem
  • Leads to ambiguous, counter-intuitive results ->
    BAD !!!
  • Trying to lock a non-existing sub-element B of
    an existing element A would result in locking
    the existing element A instead of an error
  • If someone can show how to get this to work
    properly, it may be added to the draft

15
Existing Configuration Data
    <interfaces>
      <interface>
        <name>eth0</name>
        <mtu>1500</mtu>
        <units>
          <unit>
            <id>1</id>
            <vlan-id>3</vlan-id>
          </unit>
        </units>
      </interface>
    </interfaces>

16
Filter
    <filter>
      <interfaces>
        <interface>
          <name>eth0</name>     // OK this exists
          <units>
            <unit>
              <id>2</id>        // NOK does not exist
            </unit>
          </units>
        </interface>
      </interfaces>
    </filter>

17
Result
  • We locked the whole eth0 interface instead of
    giving back an error !!!

    <data>
      <interfaces>
        <interface>
          <name>eth0</name>
        </interface>
      </interfaces>
    </data>
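
Added example (not part of the original slides or the draft): a simplified subtree-filter evaluator run on the slide 15 data and slide 16 filter reproduces the slide 17 result, while the equivalent instance-identifier path yields an empty node set that a server can report as an error. The function names, the "datastore" wrapper element and the reduced filtering rules are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed from slides 15 and 16 (namespaces omitted, as on the slides).
DATA = ET.fromstring(
    "<interfaces><interface><name>eth0</name><mtu>1500</mtu>"
    "<units><unit><id>1</id><vlan-id>3</vlan-id></unit></units>"
    "</interface></interfaces>")
FILTER = ET.fromstring(
    "<interfaces><interface><name>eth0</name>"
    "<units><unit><id>2</id></unit></units>"
    "</interface></interfaces>")

def text(e):
    return (e.text or "").strip()

def subtree_select(flt, data):
    """Simplified subtree filtering: pruned copy of the match, or None."""
    if flt.tag != data.tag:
        return None
    if len(flt) == 0:                      # selection node: whole subtree
        return data
    content = [c for c in flt if len(c) == 0 and text(c)]
    # Every content-match leaf must equal a child leaf of the data node.
    for leaf in content:
        if not any(d.tag == leaf.tag and text(d) == text(leaf) for d in data):
            return None
    out = ET.Element(data.tag)
    for leaf in content:
        ET.SubElement(out, leaf.tag).text = text(leaf)
    for sub in (c for c in flt if c not in content):
        for d in data:
            hit = subtree_select(sub, d)
            if hit is not None:
                out.append(hit)
    # A containment node whose nested criteria all failed selects nothing,
    # but an ancestor that passed its own content match is still returned.
    return out if len(out) else None

def xpath_select(path):
    """Evaluate an instance-identifier style path against the datastore."""
    root = ET.Element("datastore")         # hypothetical wrapper for '/'
    root.append(DATA)
    return root.findall("." + path)

def show(e):
    return ET.tostring(e, encoding="unicode")
```

A lock built on subtree_select would silently cover eth0 for the non-existent unit 2, whereas xpath_select returns an empty list for the same request, so the caller can tell "nothing matched" apart from "a parent matched".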