Re: [netmod] IETF ACL model

Kristian Larsson <kll@dev.terastrm.net> Thu, 30 November 2017 09:00 UTC

Return-Path: <kll@dev.terastrm.net>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEE50124217 for <netmod@ietfa.amsl.com>; Thu, 30 Nov 2017 01:00:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wiXfumv3pLd5 for <netmod@ietfa.amsl.com>; Thu, 30 Nov 2017 01:00:43 -0800 (PST)
Received: from smtp.dev.terastrm.net (smtp.dev.terastrm.net [IPv6:2003:1f0b:ffde::101]) by ietfa.amsl.com (Postfix) with ESMTP id 18CEB1200C5 for <netmod@ietf.org>; Thu, 30 Nov 2017 01:00:43 -0800 (PST)
Received: from lingloi.dev.terastrm.net (unknown [IPv6:2003:1b3b:ffde:1::5]) by smtp.dev.terastrm.net (Postfix) with ESMTPSA id 845143A0303; Thu, 30 Nov 2017 09:00:41 +0000 (UTC)
References: <98e29a71-f6dd-7b42-7c8c-f704ba5b8826@spritelink.net> <1354F18F-43E6-43D5-BFAA-C26BCF47AC56@juniper.net> <5D85F296-FB9F-4BA6-B395-B8CD80ED6864@gmail.com> <20171122.093904.670536605936490886.mbj@tail-f.com> <e1fe6796-c124-b663-8e9f-e66c23b10eea@cisco.com> <87y3mr3loc.fsf@dev.terastrm.net> <d8bae954-9d58-4ea3-b0d5-6516f81fec7d@cisco.com>
User-agent: mu4e 0.9.18; emacs 25.1.1
From: Kristian Larsson <kll@dev.terastrm.net>
To: Robert Wilton <rwilton@cisco.com>
Cc: Martin Bjorklund <mbj@tail-f.com>, mjethanandani@gmail.com, jhaas@juniper.net, agarwaso@cisco.com, netmod@ietf.org, kll@spritelink.net
In-reply-to: <d8bae954-9d58-4ea3-b0d5-6516f81fec7d@cisco.com>
Date: Thu, 30 Nov 2017 10:00:40 +0100
Message-ID: <871skg2laf.fsf@dev.terastrm.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/-qZ_ge-Pfr3TyBbGHUvhDtYZ6Fs>
Subject: Re: [netmod] IETF ACL model
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Nov 2017 09:00:50 -0000

Robert Wilton <rwilton@cisco.com> writes:

> On 27/11/2017 13:17, Kristian Larsson wrote:
>> Robert Wilton <rwilton@cisco.com> writes:
>>
>>> Thinking about this some more. I'm not sure what it means for the "ACL
>>> Type" to be "any-acl". It seems that the "match any packet" should be a
>>> type of ACE, e.g. perhaps as the last entry of an ACL, rather than a
>>> type of ACL.
>> Yes, I agree as so far that any-acl makes no sense as an acl-type. The
>> way I understood acl-type, and the way that vendors have told me it will
>> be used, is to say "this is an IPv4 ACL" and then on an attachment point
>> you can specify that only ACLs of acl-type ipv4-acl can be attached to
>> the interface. That makes perfect sense. I do not see how any-acl can
>> map into this.
>>
>> I agree that any-acl is logically a type of ACE but we don't have an
>> ace-type and the exact same information can IMHO already be conveyed
>> WITHOUT the any-acl type and thus it has no reason to exist. Nor do we
>> need a feature for it.
>>
>> >From what I can tell the any-acl container in the ACE should be used to
>> explicitly signify a match on "any". Think of IOS style ipv4 acl:
>>    permit ip any any
>>
>> We have to provide a source and destination so this would be a rather
>> explicit mapping of that. However, our structure in this YANG model is
>> just completely different than an IOS command so I don't see why we
>> should try and mimic IOS in the YANg model.
>>
>> Not specifying a destination IP address means we match on any
>> destination IP address. The same is true for any other field we can
>> match on. Not setting a match implies we don't try to match on that
>> field, thus we allow "any" value. I think the logical continuation of
>> this is that for an ACE with no matches defined at all, we match any
>> packet. I think we can update the text to better explain this.
>
>>
>>
>>
>>> Otherwise if the ACL type is "any-acl" then this only allows two types
>>> of ACLs to be defined, neither of which seem to be particularly useful:
>>> (1) An ACL that matches all traffic and permits it, i.e. the same as
>>> having no ACL at all.
>>> (2) An ACL that matches all traffic and drops.
>>>
>>> So I think perhaps the answer here is to define neither ACL type
>>> "any-acl" nor leaf "any". The presumption could be that any ACE that is
>>> configured to match no fields implicitly matches all packets (because
>>> all non specified fields are treated as wildcards), and then applies the
>>> permit/deny rule associated with the ACE. This logic can apply to all
>>> ACL types.
>> Yes yes yes :)
> Another area of the current model that I'm not quite convinced about is 
> about the L4 matches (UDP, TCP, ICMP).
>
> Currently the model assumes that if a device can support matching on say 
> UDP fields that they can apply to any type of ACL. However, I think 
> that it is plausible that the UCP, TCP and ICMP fields might only apply 
> to IP ACLs and not Ethernet ACLs.

Indeed, I agree with you. It's IMHO not just plausible but probable.
I think the model is a compromise between reality and perfectly
expressed constraints.

As I've alluded to I think the matches you can use are really not a
condition of the device but of the attachment point. Depending on where
you attach the ACL you will have different capabilities. Accurately
modeling this however, is very difficult and so the use of YANG features
limiting the ACLs themselves (and not what ACL can be attached
somewhere) to convey roughly what things are supported by the device is
a reasonable approximation.

For example, if we have two types of attachment points and one supports
matching on everything whereas the other does not, naturally our YANG
feature set must be the superset of the features supported by the two
attachment points or we could not even define those matches in the ACLs.
Trying to attach an ACL that matches on things that this attachment
point doesn't support will result in a run-time error. Similarly, the
match conditions supported is likely different based on what type of
linecard we have installed, which is AFAIK impossible to express in a
YANG model. We cannot condition this on the type of line card, since
that is state data and we can't do constraints from config to state.

I bet a bunch of the potential match conditions on IP header fields are
not supported by most devices today (think cheap commodity chips). Or
being able to match on TCP and a given port but not on TCP-flags...
there are lots of cases. The question is which ones are important and
"large" enough to distinguish through different acl-types.

Would it be reasonable to put L4 in the acl-type as well? Yes, I think
so, although I'll admit I don't feel strongly about it :)

   kll


> Hence, I was wondering if there should be "acl match type" identity 
> defined for the "l4" field matches?
>
> This would then cause there to be twice as many ACL types identities and 
> features defined, e.g.
>
> eth,
> ipv4,
> ipv6,
> l4
> eth-l4,
> eth-ipv4,
> eth-ipv4-l4,
> eth-ipv6,
> eth-ipv6-l4,
> eth-ipv4-ipv6,
> eth-ipv4-ipv6-l4
> ipv4
> ipv4-l4
> ipv6
> ipv6-l4,
> ipv4-ipv6
> ipv4-ipv6-l4
>
> So, trading off my ACL type combinations for more expressiveness as to 
> what can actually be supported.
>
> Thanks,
> Rob
>
>
>>
>>     Kristian.
>> .
>>