Last Call Review of draft-ietf-netconf-rfc6536bis-04
I have reviewed this document as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the operational area directors.
Document editors and WG chairs should treat these comments just like any other last call comments.
Reviewer: Linda Dunbar
Review result: Has issues.
Section 2.1 Access Control Points (first sentence)
NETCONF is a protocol. What does it mean to say that NETCONF allows other new protocol operations? Can you provide some examples?
Do you mean the operations other than Create, Read, Update and Delete?
Here is the description of the <action> operation defined by RFC 7950. I would think that the client should have the “update” privilege (not just “read”) to trigger it, should it?
More general question:
The document is to specify the mechanism to restrict NETCONF for particular users.
Intuitively, I would think that the restriction should be applied to specific data store (or data model) on servers.
For example, for the data model specified by “draft-ietf-netmod-acl-model-11”, can’t you set up the (CRUD) permission right for setting up <access-lists> by specific user id?
Best Regards, Linda Dunbar
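To make the question in the review concrete, the following is an added example of what a per-user, per-subtree restriction looks like in the NACM data model the draft defines (ietf-netconf-acm). It is not part of the review and not text from the draft. It assumes the group name, user name and rule names shown (all constructed), the ACL module namespace as used by the published ietf-access-control-list model (urn:ietf:params:xml:ns:yang:ietf-access-control-list, prefix acl), and a hypothetical reset-counters action under the ACL list purely to show the exec rule type; no such action is defined in the ACL model.

```xml
<!-- Added example (not from the review or the draft): a NACM configuration
     that limits one user to CRUD access on the ACL model's /access-lists
     subtree and grants exec access to one hypothetical action node. -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>

  <!-- Deny anything not explicitly matched by a rule below. -->
  <read-default>deny</read-default>
  <write-default>deny</write-default>
  <exec-default>deny</exec-default>

  <groups>
    <group>
      <!-- Constructed group and user name; NACM binds rules to groups,
           and users are mapped to groups here (or by the transport). -->
      <name>acl-admins</name>
      <user-name>acl-operator</user-name>
    </group>
  </groups>

  <!-- Rule lists are evaluated in order; first matching rule wins. -->
  <rule-list>
    <name>acl-model-rules</name>
    <group>acl-admins</group>

    <!-- Rule 1: full CRUD on the access-lists subtree only. -->
    <rule>
      <name>acl-crud</name>
      <module-name>ietf-access-control-list</module-name>
      <!-- path is a node-instance-identifier; the prefix must be bound
           to the module namespace in scope of this element. -->
      <path xmlns:acl="urn:ietf:params:xml:ns:yang:ietf-access-control-list">/acl:access-lists</path>
      <access-operations>create read update delete</access-operations>
      <!-- <action> here is the NACM rule outcome (permit/deny),
           not a YANG "action" statement. -->
      <action>permit</action>
    </rule>

    <!-- Rule 2: invoking a YANG action is checked as "exec" on the
         action node. The reset-counters node is hypothetical. -->
    <rule>
      <name>acl-reset-counters-exec</name>
      <module-name>ietf-access-control-list</module-name>
      <path xmlns:acl="urn:ietf:params:xml:ns:yang:ietf-access-control-list">/acl:access-lists/acl:acl/acl:reset-counters</path>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>
```

With this configuration a client authenticated as acl-operator can read and modify anything under /access-lists and invoke the (hypothetical) action, but every other data node and RPC falls through to the deny defaults. Note that the access-operations bits are the CRUD set plus exec, so the data-node permissions and the permission to trigger an action are expressed as separate bits on separate rules rather than one implying the other.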