Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14

Kristian Larsson <kristian@spritelink.net> Wed, 01 November 2017 15:58 UTC

Return-Path: <kristian@spritelink.net>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D10F13F742 for <netmod@ietfa.amsl.com>; Wed, 1 Nov 2017 08:58:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id StVYA09GdLuI for <netmod@ietfa.amsl.com>; Wed, 1 Nov 2017 08:58:04 -0700 (PDT)
Received: from Mail2.SpriteLink.NET (Mail2.SpriteLink.NET [195.182.5.83]) by ietfa.amsl.com (Postfix) with ESMTP id E34E213F781 for <netmod@ietf.org>; Wed, 1 Nov 2017 08:58:02 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by Mail2.SpriteLink.NET (Postfix) with ESMTP id 65149261846; Wed, 1 Nov 2017 16:58:03 +0100 (CET)
X-Virus-Scanned: amavisd-new at SpriteLink.NET
Received: from Mail2.SpriteLink.NET ([195.182.5.83]) by localhost (Mail2.SpriteLink.NET [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BUY1jmLCKOGg; Wed, 1 Nov 2017 16:58:00 +0100 (CET)
Received: from localhost (Mission-Control.SpriteLink.NET [195.182.5.153]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: kristian@SpriteLink.NET) by Mail2.SpriteLink.NET (Postfix) with ESMTPSA id C4EC0261838; Wed, 1 Nov 2017 16:58:00 +0100 (CET)
Date: Wed, 1 Nov 2017 16:57:58 +0100
From: Kristian Larsson <kristian@spritelink.net>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: "netmod@ietf.org" <netmod@ietf.org>
Message-ID: <20171101155758.GB12688@spritelink.se>
References: <51DBEB86-2482-4D37-9F97-5EEE76B38285@juniper.net> <20171031102523.GB25608@spritelink.se> <CDEF081E-C5AA-459B-8DBB-770D5065FD26@gmail.com> <20171101132631.GD25608@spritelink.se>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20171101132631.GD25608@spritelink.se>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/-r2oH1f4UP_VBnwSokrEp77M-P0>
Subject: Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Nov 2017 15:58:07 -0000

I think there's a problem with the current approach for features
where it conflates the limitations of the device with the
limitations of an attachment point.  Ultimately it is the
limitations of the attachment point that matter. Creating an ACL
in config on a device doesn't actually mean anything until you
attach it somewhere.

It's not hard to imagine a device where different limitations
apply, let's say a fairly simple Ethernet switch built on some
commodity chip. It consists of, say:
 * 24 * 10GE on a commodity chip
 * some control plane (a x86 PC) connected to that commodity chip

The commodity chip supports matching ethernet headers, so ACLs
attached to those ports are "eth-acl". The control plane on the
other hand supports complex matching on anything you can imagine.
What YANG features should such a device advertise?

   kll




On Wed, Nov 01, 2017 at 02:26:31PM +0100, Kristian Larsson wrote:
> Mahesh,
> 
> On Wed, Nov 01, 2017 at 05:13:18PM +0630, Mahesh Jethanandani wrote:
> > I think there is confusion in how the ACL model is going to be
> > implemented by vendors and used by customers.
> >
> > As Eliot alluded to, the model is trying to address the issue
> > of the capabilities of each platform as they exist across the
> > industry but also within each vendor. So the first thing an
> > implementation would do is to pick which feature they do
> > support. A low end platform that supports only layer 2 ACL will
> > pick l2-acl as their feature, while a high end router capable
> > of support l2 and l3, ipv4 and ipv6 ACL will declare
> > l2-l3-ipv4-ipv6 as the feature they support. That pretty much
> > takes out all the other containers in the matches container.
> > The additional features they might want to choose include
> > support for TCP, UDP and ICMP. For a high end router this boils
> > down to having definitions for
> > 
> > - ethernet
> > - ipv4
> > - ipv6
> > - tcp
> > - udp
> > - icmp
> > 
> > which is the list you have in mind, but this time making sure
> > that the platform is capable of supporting each one of the
> > definitions. Imagine if the low end platform advertised a model
> > for all the above capabilities only to reject them when you
> > tried to configure a ipv6 address that it already knows it
> > cannot support.
> 
> You imply that the low end platform would advertise features that
> it doesn't support. Why would it do that?
> 
> I don't suggest removing features - only restructure where the
> data is held.  In my example, under the ethernet container I can
> do: if-feature "eth-acl or eth-ipv4-acl..."; to check if the
> device supports a given feature so why are you saying that we
> need different containers for the ethernet matching part of an
> ACL of type eth-acl vs say eth-ipv4-acl?
> 
> Right now the features themselves affect the structure of the
> model and thus the data, which I rather dislike. The config to
> match e.g. ethernet headers should always go in the same place.
> 
> The model gives the illusion of supporting "unified" ACLs but
> actually doesn't at all.
> 
> 
> > Similarly the condition on tcp/udp/icmp container is to make
> > sure the platform is capable of supporting them. Only if the
> > platform declares tcp-acl, udp-acl, and icmp-acl feature, will
> > those containers be visible from a configuration perspective.
> 
> And if the device supports all of those features I can write an
> ACE that matches on TCP flags at and ICMP types.. and it would
> validate according to the model but cleary makes no sense.
> 
> > The acl-type is used as a check to make sure the user is aware
> > what kind of ACL the platform supports and the ACL they are
> > trying to configure matches the acl-type. If the platform
> > declared the feature l2-acl and if the user tries to set the
> > ACL type to l2-l3-ipv4-ipv6 then the configuration would be
> > rejected.
> 
> Another way of structuring this is to have completely different
> lists of ACLs where each type of ACL is its own list, e.g.
>  * eth-acl
>  * ipv4-acl
>  * ipv6-acl
>  * eth-ipv4-ipv6-acl
> 
> What advantage do you think your currently proposed model holds
> over such an approach?
> 
> What are your thoughts on the attachment point using two leaves?
> Are you satisfied with this?
> 
> 
> > In the Linux/nftables case, the platform should
> > declare the feature l2-l3-ipv4-ipv6, tcp-acl, udp-acl, and
> > icmp-acl if that is what it wants to support. The interface
> > attachment point has been defined but it is not mandatory that
> > a configuration has to define it. So if in Linux, the ACL list
> > is global, one would not define a attachment point, which
> > implies it is a global list.
> 
> Naturally one has to define an attachment point or the system
> wouldn't know which one of potentially multiple ACLs to apply to
> nftables. It might however be up to another YANG model to define
> that attachment point.
> 
> The list of features seem to align poorly with reality. How can
> we have a list of attachment points in the model but without
> if-feature wrapping it? Surely a Linux machine must be able to
> announce that it doesn't support per-interface ACLs? A side
> question is why that attachment list exists in the first place -
> why isn't it an augmentation of the interfaces module?
> 
>    kll
> 
> -- 
> Kristian Larsson                                        KLL-RIPE
> +46 704 264511                                kll@spritelink.net
> 
> _______________________________________________
> netmod mailing list
> netmod@ietf.org
> https://www.ietf.org/mailman/listinfo/netmod

-- 
Kristian Larsson                                        KLL-RIPE
+46 704 264511                                kll@spritelink.net