Re: [netmod] A few comments on draft-dbb-netmod-acl
mohamed.boucadair@orange.com Fri, 04 November 2022 13:58 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBBDDC14F73E for <netmod@ietfa.amsl.com>; Fri, 4 Nov 2022 06:58:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J0Abs_9fpfSf for <netmod@ietfa.amsl.com>; Fri, 4 Nov 2022 06:58:11 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.36]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FB98C14F743 for <netmod@ietf.org>; Fri, 4 Nov 2022 06:57:33 -0700 (PDT)
Received: from opfednr03.francetelecom.fr (unknown [xx.xx.xx.67]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfednr22.francetelecom.fr (ESMTP service) with ESMTPS id 4N3hyf6c5rz10nb; Fri, 4 Nov 2022 14:57:30 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1667570250; bh=y3bQ26wRdePGc0mIlSdXKhl3UgxU+sORs6+4ryRAjYs=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=F2qUrdLe7JCl6zG7De1AvhWzrzXzLk6Zi4Jz3xkDHHtL7hNmUxKXpwrzCpTlRylQQ iKr+qN5r1A8E/TzTQHF1aHca9CkVGEbzYMDXaBldAz0zLPgbM0UrVfVz8q4O2U+NZd 8KubOTiqfZ28DLsDsUqtSrgO3W4vbXqBjrRGF7u8imSDpTENzbclZslqgPYj/hbbv9 Qiwtqoi3qq+C1tFRcnqA/jMR/BL8p20UMzENwCyP0jkeCjosFcF0gcNrYV9MYSywRT 9f/9JmMtNvOGMoxeB77fiCfsWM5CyxJ/NOJJkR1QCI96UJTQlpjO+ipRmdJmHDvLTA /lWqjuCf8pQyQ==
From: mohamed.boucadair@orange.com
To: Qin Wu <bill.wu=40huawei.com@dmarc.ietf.org>, "netmod@ietf.org" <netmod@ietf.org>
Thread-Topic: A few comments on draft-dbb-netmod-acl
Thread-Index: AdjpykvImtd2QRsaSL2XTLp2D+x4QQGiFCfg
Content-Class:
Date: Fri, 04 Nov 2022 13:57:30 +0000
Message-ID: <2358_1667570250_63651A4A_2358_209_6_5673c04a41bc4c799a8580973f9675a2@orange.com>
References: <e350e50aef7c45c5b51768b8c9d8df2f@huawei.com>
In-Reply-To: <e350e50aef7c45c5b51768b8c9d8df2f@huawei.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Enabled=true; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SetDate=2022-11-04T13:39:22Z; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Method=Privileged; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Name=unrestricted_parent.2; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ActionId=a109b254-5a7b-4c8f-b21f-19fb5b5c6e27; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ContentBits=0
x-originating-ip: [10.115.27.53]
Content-Type: multipart/alternative; boundary="_000_5673c04a41bc4c799a8580973f9675a2orangecom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/-IuWUsHU2nVdsMn7ODMGwnAdRTw>
Subject: Re: [netmod] A few comments on draft-dbb-netmod-acl
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2022 13:58:16 -0000
Hi Qin, Thanks for the comments. Please see inline. Cheers, Med De : netmod <netmod-bounces@ietf.org> De la part de Qin Wu Envoyé : jeudi 27 octobre 2022 08:08 À : netmod@ietf.org Objet : [netmod] A few comments on draft-dbb-netmod-acl Hi, Oscar: I have read the latest version of draft-dbb-netmod-acl, the problem statement and gap analysis are interesting, here are a few comments on this draft: 1.For problem statement in section 4.3 and section 4.5, I am wondering how do you feel encrypted traffic at the transport layer, e.g., TLS layer or QUIC layer, I feel it is hard, you might read one of presentation slides for IAB MTEN workshop, one gap we identify is ACL fall short to deal with encrypted traffic. [Med] I guess this falls under a match-based on the payload: == 3.7. Payload-based Filtering Some transport protocols use existing protocols (e.g., TCP or UDP) as substrate. The match criteria for such protocols may rely upon the 'protocol' under 'l3', TCP/UDP match criteria, part of the TCP/UDP payload, or a combination thereof. [RFC8519] does not support matching based on the payload. Likewise, the current version of the ACL model does not support filtering of encapsulated traffic. === The full augmentation is augment /ietf-acl:acls/ietf-acl:acl/ietf-acl:aces/ietf-acl:ace /ietf-acl:matches: +--rw (payload)? +--:(prefix-pattern) +--rw prefix-pattern {match-on-payload}? +--rw offset? identityref +--rw offset-end? uint64 +--rw operator? operator +--rw prefix? binary Please let us know if you think this does not address the case you have in mind. Thanks. But for unencrypted traffic, yes, the ACL extension provide fine granularity access control. 2.For section 3.2, I feel the solution seems not complete, how defined set is used, in the match, it lack a example to explain how it is used. [Med] We will consider adding more examples, but the defined sets can be called under the l3/l4 match conditions. Here is, for example, how a set can be referenced under l3/ipv4: augment /ietf-acl:acls/ietf-acl:acl/ietf-acl:aces/ietf-acl:ace /ietf-acl:matches/ietf-acl:l3/ietf-acl:ipv4: +--rw next-header-set? leafref 3.For section 3.1, it is a good extension, but I understand the idea is to apply the same action to a set of prefixes, let's say two prefixes, since the destination-ipv6-network is defined as an array, I am wondering whether the action should be changes into 2 actions in an array: [Med] Not sure to get this comment. The proposal is to have the same action for all the addresses in a set/list. { "ietf-access-control-list:acls": { "acl": [ { "name": "prefix-list-support", "type": "ipv6-acl-type", "aces": { "ace": [ { "name": "my-test-ace", "matches": { "ipv6": { "destination-ipv6-network": [ "2001:db8:6401:1::/64", "2001:db8:6401:c::/64" ], "source-ipv6-network": "2001:db8:1234::/96", "protocol": 17, "flow-label": 10000 }, }, "actions": { "forwarding": [ "accept","accept"] } } ] } } ] } } Maybe one alternative solution is to use template, if we want to Manipulate Lists of Prefixes 4.I feel flags defined in RFC9519 is confusing, how does the controller know which packet is the last fragment, which packet is not, which packet needs to be fragmented, which one not,the fragment action is controlled by the ingress node, configuring flags seems wrong to me. [Med] Agree that the handling of flags in 8519 is problematic. The draft includes examples how to fix this and align with other tools such as flow spec. 5. For section 3.3 "Bind ACLs to Devices, Not Only Interfaces", do we have solution to this problem? If not, I think draft-ma-opsawg-ucl-acl-00 provide excatly the solution you are looking for if my understanding is correct, to address the limitation of IP address based access control, no need to tie to the specific interface of the device, or a single device. [Med] No solution is included for 3.3 because we think that it will be better addressed in a network model, not a device model. Also, agree that draft-ma-opsawg-ucl-acl is a good candidate. Thanks. -Qin _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [netmod] A few comments on draft-dbb-netmod-acl Qin Wu
- Re: [netmod] A few comments on draft-dbb-netmod-a… mohamed.boucadair
- Re: [netmod] A few comments on draft-dbb-netmod-a… Qin Wu
- Re: [netmod] A few comments on draft-dbb-netmod-a… mohamed.boucadair