Comparison of NMDA datastoresFuturewei2330 Central ExpresswaySanta Clara,USACA 95050ludwig@clemm.orgFuturewei2330 Central ExpresswaySanta Clara,USACA 95050yqu@futurewei.comApstrajefftant.ietf@gmail.comYumaWorksandy@yumaworks.com
This document defines an RPC operation to compare management datastores that comply with the NMDA architecture.
The revised Network Management Datastore Architecture (NMDA) introduces a set of new datastores that each hold YANG-defined data and represent a different “viewpoint” on the data that is maintained by a server. New YANG datastores that are introduced include <intended>, which contains validated configuration data that a client application intends to be in effect, and <operational>, which contains at least conceptually operational state data (such as statistics) as well as configuration data that is actually in effect.
NMDA introduces in effect a concept of “lifecycle” for management data, allowing to clearly distinguish between data that is part of a configuration that was supplied by a user, configuration data that has actually been successfully applied and that is part of the operational state, and overall operational state that includes both applied configuration data as well as status and statistics.
As a result, data from the same management model can be reflected in multiple datastores. Clients need to specify the target datastore to be specific about which viewpoint of the data they want to access. This way, an application can differentiate whether they are (for example) interested in the configuration that has been applied and is actually in effect, or in the configuration that was supplied by a client and that is supposed to be in effect.
Due to the fact that data can propagate from one datastore to another, it is possibly for differences between datastores to occur. Some of this is entirely expected, as there may be a time lag between when a configuration is given to the device and reflected in <intended>, until when it actually takes effect and is reflected in <operational>. However, there may be cases when a configuration item that was to be applied may not actually take effect at all or needs an unusually long time to do so. This can be the case due to certain conditions not being met, resource dependencies not being resolved, or even implementation errors in corner conditions.
When configuration that is in effect is different from configuration that was applied, many issues can result. It becomes more difficult to operate the network properly due to limited visibility of actual status which makes it more difficult to analyze and understand what is going on in the network. Services may be negatively affected (for example, breaking a service instance resulting in service is not properly delivered to a customer) and network resources be misallocated.
Applications can potentially analyze any differences between two datastores by retrieving the contents from both datastores and comparing them. However, in many cases this will be at the same time costly and extremely wasteful.
This document introduces a YANG data model which defines RPCs, intended to be used in conjunction with NETCONF or RESTCONF , that allow a client to request a server to compare two NMDA datastores and report any differences.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they
appear in all capitals, as shown here.
NMDA: Network Management Datastore ArchitectureRPC: Remote Procedure Call
At the core of the solution is a new management operation, <compare>, that allows to compare two datastores for the same data. The operation checks whether there are any differences in values or in data nodes that are contained in either datastore, and returns any differences as output. The output is returned in the format specified in YANG-Patch .
The YANG data model defines the <compare> operation as a new RPC. The operation takes the following input parameters:
source: The source identifies the datastore that will serve as reference for the comparison, for example <intended>.target: The target identifies the datastore to compare against the source.filter-spec: This is a choice between different filter constructs to identify the portions of the datastore to be retrieved. It acts as a node selector that specifies which data nodes are within the scope of the comparison and which nodes are outside the scope. This allows a comparison operation to be applied only to a specific portion of the datastore that is of interest, such as a particular subtree. (The filter dow not contain expressions that would match values data nodes, as this is not required by most use cases and would complicate the scheme, from implementation to dealing with race conditions.)all: When set, this parameter indicates that all differences should be included, including differences pertaining to schema nodes that exist in only one of the datastores. When this parameter is not included, a prefiltering step is automatically applied to exclude data from the comparison that does not pertain to both datastores: if the same schema node is not present in both datastores, then all instances of that schema node and all its descendants are excluded from the comparison. This allows client applications to focus on the differences that constitute true mismatches of instance data without needing to specify more complex filter constructs.exclude-origin: When set, this parameter indicates that origin metadata should not not
be included as part of RPC output. When this parameter is omitted, origin metadata in comparisons that involve
<operational> is by default included.
The operation provides the following output parameter:
differences: This parameter contains the list of differences. Those differences are encoded per YANG-Patch data model defined in RFC8072. When a datastore node in the source of the comparison is not present in the target of the comparison, this can be indicated either as a "delete" or as a "remove" in the patch as there is no differentiation between those operations for the purposes of the comparison. The YANG-Patch data model is augmented to indicate the value of source datastore nodes in addition to the patch itself that would need to be applied to the source to produce the target. When the target datastore is <operational>, "origin" metadata is included as part of the patch. Including origin metadata can help in some cases explain the cause of a difference, for example when a data node is part of <intended> but the origin of the same data node in <operational> is reported as "system".The data model is defined in the ietf-nmda-compare YANG
module. Its structure is shown in the following figure. The notation syntax
follows .
The following example compares the difference between <operational> and <intended> for a subtree under "interfaces". The subtree contains a subset of objects that are defined in a YANG data model for the management of interfaces defined in . The excerpt of the data model whose instantiation is basis of the comparison is as follows:
The contents of <intended> and <operational> datastores:
<operational> does not contain object "description" that is contained in <intended>. Another object, "enabled", has differences in values, being "true" in <operational> and "false" in <intended>. A third object, "name", is the same in both cases. The origin of the objects in <operational> is "learned", which may help explain the discrepancies.
RPC request to compare <operational> (source of the comparison) with <intended>(target of the comparison):
RPC reply, when a difference is detected:
The same request in RESTCONF (using JSON format):
The same response in RESTCONF (using JSON format):
The compare operation can be computationally expensive. While responsible client applications are expected to use the operation responsibly and sparingly only when warranted, implementations need to be aware of the fact that excessive invocation of this operation will burden system resources and need to ensure that system performance will not be adversely impacted. One possibility for an implementation to mitigate against such a possibility is to limit the number of requests that is served to a client, or to any number of clients, in any one time interval, rejecting requests made at a higher frequency than the implementation can reasonably sustain.It is conceivable to extend the compare operation with a number of possible additional features in the future.
Specifically, it is possible to define an extension with an optional feature for dampening. This will allow clients to specify a minimum time period for which a difference must persist for it to be reported. This will enable clients to distinguish between differences that are only fleeting from ones that are not and that may represent a real operational issue and inconsistency within the device.
For this purpose, an additional input parameter can be added to specify the dampening period. Only differences that pertain
for at least the dampening time are reported.
A value of 0 or omission of the parameter indicates no
dampening.
Reporting of differences MAY correspondingly be delayed by the dampening period from the time the request is received.
To implement this feature, a server implementation might run a comparison when the RPC is first invoked and temporarily store the result. Subsequently, it could wait until after the end of the dampening period to check whether the same differences are still observed. The differences that still persist are then returned.
This document registers one URI in the IETF XML registry . Following the format in , the following registration is requested:
URI: urn:ietf:params:xml:ns:yang:ietf-nmda-compareRegistrant Contact: The IESG.XML: N/A, the requested URI is an XML namespace.
This document registers a YANG module in the YANG Module Names
registry . Following the format in , the
following registration is requested:
name: ietf-nmda-comparenamespace: urn:ietf:params:xml:ns:yang:ietf-nmda-compareprefix: cmpreference: RFC XXXX
The YANG module specified in this document defines a schema for data
that is designed to be accessed via network management protocols such
as NETCONF or RESTCONF . The lowest NETCONF layer
is the secure transport layer, and the mandatory-to-implement secure
transport is Secure Shell (SSH) . The lowest RESTCONF layer
is HTTPS, and the mandatory-to-implement secure transport is TLS .
The NETCONF access control model provides the means to
restrict access for particular NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content.
The RPC operation defined in this YANG module, "compare", may be considered
sensitive or vulnerable in some network environments. It is thus
important to control access to this operation. This is the sensitivity/vulnerability of RPC operation "compare":
Comparing datastores for differences requires a certain amount of processing resources at the server. An attacker could attempt to attack a server by making a high volume of comparison requests. Server implementations can guard against such scenarios in several ways. For one, they can implement the NETCONF access control model in order to require proper authorization for requests to be made. Second, server implementations can limit the number of requests that they serve to a client in any one time interval, rejecting requests made at a higher frequency than the implementation can reasonably sustain.
We thank Rob Wilton, Martin Bjorklund, Mahesh Jethanandani, Lou Berger, Kent Watsen, Phil Shafer, Ladislav Lhotka, Tim Carey, and Reshad Rahman for valuable feedback and suggestions.