Re: [netmod] Request for improvement in ACL YANG Model: add prefix-list to the match
tom petch <ietfc@btconnect.com> Wed, 31 March 2021 16:02 UTC
Return-Path: <ietfc@btconnect.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0A993A2D6E for <netmod@ietfa.amsl.com>; Wed, 31 Mar 2021 09:02:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OYgFXJL2lmD7 for <netmod@ietfa.amsl.com>; Wed, 31 Mar 2021 09:02:07 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on0706.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0d::706]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82F4C3A2CBF for <netmod@ietf.org>; Wed, 31 Mar 2021 09:02:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ce9jJipSdWWAntzUw42IofGel+sFPrx5vbi3UL2vLKmxT3o4akHyEt0qYpvPHyMfNxu5ZqWnTWvGIt8AfVpn3MY8rp9jg/GJJVELBRzurD6trKQz7MHwIQGIBmimH+YqCO9dj9x4X5nUig8rtLEIVFIEYO5DmGzZmABuzbMoP5Bf/vSa0jCC2DO6f9bhb2QLMrABaJDpFMrP0rw9Qfa0kFXWNqRUVUbltd2K/vDgyIkn0N3OYerKKrBLC/xZ79rlIb/8UnVXq8fgaDsvyJIL7YA5DSCVpM0jM2DGlMGSIWQ/dPJEiyNPVnbxSbsX5kysDjf67WzT92/1X3fo/mJX1Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rbE8shsKVtkzBucT2jJjVDKqEFLb7Nx9U6lZCdRXh/4=; b=ISUqmksyXmrJkCIwtgI0XTXbqsazRTks49k5rHiLqlVlZVJYS9wJsWbWRT7XvMYab4oeU8XBcIVkqU4kO35CK5yfFBtW+mcHhyGSYTdZKrmasVBiEx175ffOD0S0ZpyMLisCTKlR8Js8s7YpdDR4CFwe377cd2q/IS22Gz2ZXVrsVev2GPs/DSqXKREUfgovbr2fQdzf6C28pp9bROKd7yAa2YwXQXo2JVDxJOtWCvwqImjbZjSCtnGuIe8Qopix1MJZ+Rb8KJZpE3EPHnO2qEYclcw4F7KBq5zdhKLrraMuLhBztiQZxvHyOFTmvoF0eybQAyWE3Vqli5TUJ4JEZQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rbE8shsKVtkzBucT2jJjVDKqEFLb7Nx9U6lZCdRXh/4=; b=JOqSnTWn4wv4PblHHgeodvAeGZMMCWHer6XZ1URXl7AJW4gPH2B4acnVYT8jWlDH8IbNMsqhzFkocaFTidT0McXa6A0PLh4tM/CMhO1kcsMMc76bGmj6tAKs3NTYGE6sZn4+vH1J9O2VjzUZ37Nak7ZK0fCYTs6TFItKmGKSWPQ=
Received: from AM7PR07MB6248.eurprd07.prod.outlook.com (2603:10a6:20b:134::11) by AM6PR07MB5702.eurprd07.prod.outlook.com (2603:10a6:20b:9d::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3999.16; Wed, 31 Mar 2021 16:01:58 +0000
Received: from AM7PR07MB6248.eurprd07.prod.outlook.com ([fe80::543d:497d:ba3f:5576]) by AM7PR07MB6248.eurprd07.prod.outlook.com ([fe80::543d:497d:ba3f:5576%3]) with mapi id 15.20.3999.027; Wed, 31 Mar 2021 16:01:58 +0000
From: tom petch <ietfc@btconnect.com>
To: Oscar González de Dios <oscar.gonzalezdedios@telefonica.com>, "Aseem Choudhary (asechoud)" <asechoud@cisco.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: "netmod@ietf.org" <netmod@ietf.org>
Thread-Topic: [netmod] Request for improvement in ACL YANG Model: add prefix-list to the match
Thread-Index: AdcbGExc8OTG49eVSoeJejnhX1jHZwAENNWA///CiICAAHf9AP//j5kA/+nm8rCALIiQbA==
Date: Wed, 31 Mar 2021 16:01:58 +0000
Message-ID: <AM7PR07MB6248A945604D3FBD4420486CA07C9@AM7PR07MB6248.eurprd07.prod.outlook.com>
References: <AM6PR06MB565375016D8E2511BD94483BFD6A9@AM6PR06MB5653.eurprd06.prod.outlook.com> <20210317122907.x6v65uspqvls6p3p@anna.jacobs.jacobs-university.de> <327D2A1F-A646-42C9-BEE7-0A3EA73D537E@cisco.com> <20210317155834.nz6cv4mefwxrjgmq@anna.jacobs.jacobs-university.de> <4BBA1D6B-F2CC-4099-A640-88F003327529@cisco.com>, <PAXPR06MB78727F49ACA853AECA280C6EFD7C9@PAXPR06MB7872.eurprd06.prod.outlook.com>
In-Reply-To: <PAXPR06MB78727F49ACA853AECA280C6EFD7C9@PAXPR06MB7872.eurprd06.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: telefonica.com; dkim=none (message not signed) header.d=none;telefonica.com; dmarc=none action=none header.from=btconnect.com;
x-originating-ip: [86.146.121.140]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f69e4c94-8f4e-44a8-650d-08d8f45e5063
x-ms-traffictypediagnostic: AM6PR07MB5702:
x-microsoft-antispam-prvs: <AM6PR07MB5702533B770C4A191DFF2196A07C9@AM6PR07MB5702.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: gXOAQ2W+UfyGrGxvT/cgo/rNuuoWo9z/FX/YmZKB3L0osbh9xprnr46uVLzzLmTqUOidFWrjBQoXKHUgT1rFaHyogcankyfNccAOIrlIajaeotkU4SD9YNo0DnKvBtnzoZeEJXX7FXt1SdipGrUpc4CZ9erYzq6KeGm+toNhp/0OfNvTRpsq1Plo8WvjvQ2rg7CL6B8+IT8RRoAlXlnRUVeHC6TQGl+HTulV4SBDQVYk+L/F/EVU+wQ/FN8s1vpApxjSfGJSVH6JZMmO4RRphSL+U/S7rV1nuQ4DI+MDgtXWdqB4kHCW6rEDZ6n7fTCXJSIGNo2hOU6UFOQbxURpHeag463ptwQH+Gr2Bhsb20Jjrb28Uu0t63wrt/SIrpCX00UCt3by0VaD4A/tNTJGnnTrVUVsYk9rDovvGGmsRJz03LecSVeweuUoLvoNZIobFH/EF6MKLTVSpzC2fVy9q/R3G1+fzqauWDwFaL6p9cSdxMOS5fOScBEwbRxtPdx9lX5wLuWgg8FMTFvm5uvPXPHgcFNZjnH1PhFhkbbEIRgM0CcIrA+tajnLioXcSSrBJ8pfKcEypHt4Hp5xvZENH9p+1OsfVOT3cZYHCmatriu266mqL9Cfgf85U16VERW2hS0yaJvBmWn2M53RZFG9ie5T4gWMgStJ/Mp9XYgnyzE375l+s0YOwrSuxjlrw1P0YojqBrc2iOWyia7dgbAB4//SJCFI1wU3nERJpNmSJfM=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM7PR07MB6248.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(346002)(366004)(39860400002)(396003)(136003)(376002)(4326008)(55016002)(9686003)(38100700001)(83380400001)(66946007)(64756008)(26005)(66574015)(33656002)(186003)(66446008)(66556008)(296002)(316002)(478600001)(110136005)(52536014)(53546011)(6506007)(71200400001)(5660300002)(966005)(86362001)(8936002)(2906002)(76116006)(91956017)(66476007)(8676002)(7696005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: 4BHsPaY7lstwWI45/Hqb1YX3LPp/YVMDbT5xL6AvSGfe8eG4/U/kdN9FpHRO6tz3zpzUKXXjoYjoHejr4IxZ+VxALjVcAilTqxPddsz84VBvpL1bbW3PvRFJUYBBUTJ8q24FfiT2JzdXah5BjdXWgublPc7pVEp+BDUuAOX+1WEfCaaB/pNlkGm6DKV76sEevErGI0aiVR37n8vOWjn1R+LLakfW+5FnsYarEo51SKmWeKobC/gRZQ5mwsQW3oB2oXu/IgJ/cEI74FCIhATT8WnHMbUHYFxVPWvLd7cJpHKKZEjH3UlItQjy70G4mpH6ujYCr6MMgm+DTjl2fLSUgqd/FTWomf8k9dcCT3G1NTwbrYkniKWaXTxq/0yCxuuwBW6VwKEnZucLHLEFanzFopI1zJhu+ctXJg7OnK3e7D7IJn/J/W06t4U7ixOVoDbvOaUciLDNBZe2TbteaXUFAlbYcTVXiKvDlisGH6ehbzWfsTqxq2HttVLfl5n0jwnvGh5aeu8kW982kPOSb91LRu2P6Em4ijLX2n/JUdVbmIzj8F80Eg3FRJ0l7xAg+e5ujBRiatBF6l4ufneoyQ1bZhuY4YCYEE7g2TpmAiuFVy03ElkbOSP8659tMn5zcAvXzxKB7EQVQpnDcEARwl5K2HjY/YQjYzvo3/J3HVFxAIHpym+gFP4THSRYucfhwfu8pQysDtGGTI0FYpp2elXSJoXYmIhPDRLVDcyse6UE0Yym3LmTo8eUW7hEoOWTWKE1AnR8Vlt8eIj9+VmFEtUZC7TtIVV5SpANRPbVNuvGI44zBitNqw9O3tg49YAY87i34kSQX7piNIHAVf4N1F0gsmr0Ubao8ls8DOITxf0LHI60IQy5JDCoHZHl9iPq0gouY6BakKrUwPoCEzI8NF6zCn1es/eTRnun0yRQSTCbohrU/+X012GsdKmdszOGvTthUBFIekenIFEyHX9WVWl26Bb1gdUKvkDq8T0uV1LAldi5AIoJsEWJ5eE0q89u1FRRb3sThub72fAQ4FiDprSUP93LjNGTPy+iZV/6ok7nWdjdpqEkkbyZGneVysVNycl9vbMp1RGtnoZKhujimLetHF6Im4RcDt+cVFPu6gQ+HeiiANzodINQO2fGOAl/dKf2KPaeAH3IZgC7hpitBKW4hCW2K17c/AmWklSYz3CMWoz65z1OkhWdkBGTLBUn3t9lrO3CkjiFFmYUwu26CrFilsHxl3NZmW/fImeFUrxYBiVEsCTUwofJOp3qywlFHS+7HjlErKBCzwdQBZfaiPw6oZz+SsbPwuOzlubr0j6hxn0=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM7PR07MB6248.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f69e4c94-8f4e-44a8-650d-08d8f45e5063
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Mar 2021 16:01:58.4355 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: er9tY68KsX7fbcS7+voa9G50f9PQ4HddWwzxF2SgZtQIyO/LixO18QZFb6Fr1r6rAbdAFxcsku3jKME2cYcv4A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB5702
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/1JStLibQjdg5cyQ0jn5cssnISIE>
Subject: Re: [netmod] Request for improvement in ACL YANG Model: add prefix-list to the match
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Mar 2021 16:02:19 -0000
From: netmod <netmod-bounces@ietf.org> on behalf of Oscar González de Dios <oscar.gonzalezdedios@telefonica.com> Sent: 31 March 2021 12:07 Agree too, It makes sense to "generalize" the concept of sets that can be shared between ACLs, so they can be used with other fields beyond those already identified with our use cases (prefixes and ports/port ranges) . So, question for Netmod WG chairs, what would be the procedure to include such feature in the ACL module, given that it is defined in an already published RFC? Is it via a new draft describing just the extension and referencing the original RFC and including the updated yang? Or it is an update of the existing RFC adding the new functionality (full description and full yang)? I am assuming the work implies creating a new revision of the module. <tp. New revision or new module? RFC7950 lays down what can be changed in a new revision of a module and it would be good to see in summary what your revised YANG would look like. I suspect that it would go beyond what is permitted in a revision ie you are proposing a new module, new name (but I could be wrong:-(. Either way, it is an RFC. If the changes fall within those permitted then I would still expect a replacement RFC, as has happened with a number of YANG modules, e.g. those triggered by NMDA. The chairs can guide you on procedure but it is the WG members, you, me and everyone else who have to do the work and so declare their willingness, or not, to take up the work which the chairs then use to decide whether or not the work should happen in the WG. Tom Petch. Best Regards, Oscar -----Mensaje original----- De: Aseem Choudhary (asechoud) <asechoud@cisco.com> Enviado el: miércoles, 17 de marzo de 2021 17:16 Para: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> CC: Oscar González de Dios <oscar.gonzalezdedios@telefonica.com>; netmod@ietf.org Asunto: Re: [netmod] Request for improvement in ACL YANG Model: add prefix-list to the match I agree, a template based approach works well as it helps to share the set of fields between ACLs. -thanks, Aseem On 3/17/21, 8:58 AM, "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de> wrote: I now understand that the original request was about two things: - allowing sets of prefixes in an ACL (instead of just a single) - sharing of sets of prefixes between ACLs And yes, if the WG goes there, then of course the same questions will come up for all the other possible header fields... - allowing sets of ports/port ranges - sharing of sets of ports/port ranges between ACLs [...] /js On Wed, Mar 17, 2021 at 03:49:11PM +0000, Aseem Choudhary (asechoud) wrote: > Hi, > > Similarly, there is NxM issue when there are more than one source and destination port/port ranges. > > -thanks, > Aseem > > On 3/17/21, 5:29 AM, "netmod on behalf of Juergen Schoenwaelder" <netmod-bounces@ietf.org on behalf of j.schoenwaelder@jacobs-university.de> wrote: > > Hi, > > let me check whether I understand your request correctly: I heard you > saying that you would like to have > > leaf-list destination-ipv6-network { > type inet:ipv6-prefix; > description > "Destination IPv6 address prefix."; > } > > instead of just > > leaf destination-ipv6-network { > type inet:ipv6-prefix; > description > "Destination IPv6 address prefix."; > } > > (and similar changes for the other IP prefix related leafs). > > While such a direct change may be difficult, given that the header > fields are defined in a choice, it should be possible to add > additional choices for sets of prefixes. So from the YANG side, this > seems to be something possible to address without too much trouble. > > Whether implementors are happy with supporting such a change is > something others have to comment on. > > /js > > On Wed, Mar 17, 2021 at 10:31:10AM +0000, Oscar González de Dios wrote: > > Dear netmod wg colleagues, > > > > The ietf-acl YANG model defined in RFC 8519 allows to create rules, and for each a rule, in case of IPv4/IPv6 you can specify in the match the source-network and destination-network. The source-network (or equally the destination network) is in the model an address prefix. In our use case in Telefonica we are specifying a prefix-list for source network and another prefix list for destination network. If you had to create this behavior using the ACL model, you would need to create NxM rules. Besides, the management of those rules would be more complex. > > > > The routing policy model has the concept of prefix-sets, but is a separate model (and a different use case). > > > > The functionality of specifying a prefix list for source and destination in access control lists is available in most vendors that I am aware today. Hence, it's a pretty standard functionality. > > > > Do you think it is useful to add this functionality to the ACL YANG model? If yes, what would be the procedure, given that ACL is already defined in an existing RFC? > > > > Best Regards, > > > > Oscar > > > > > > > > > > > > ________________________________ > > > > Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción. > > > > The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it. > > > > Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição > > > _______________________________________________ > > netmod mailing list > > netmod@ietf.org > > https://www.ietf.org/mailman/listinfo/netmod > > > -- > Juergen Schoenwaelder Jacobs University Bremen gGmbH > Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany > Fax: +49 421 200 3103 <https://www.jacobs-university.de/> > > _______________________________________________ > netmod mailing list > netmod@ietf.org > https://www.ietf.org/mailman/listinfo/netmod > -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany Fax: +49 421 200 3103 <https://www.jacobs-university.de/> ________________________________ Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción. The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it. Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição _______________________________________________ netmod mailing list netmod@ietf.org https://www.ietf.org/mailman/listinfo/netmod
- [netmod] Request for improvement in ACL YANG Mode… Oscar González de Dios
- Re: [netmod] Request for improvement in ACL YANG … Juergen Schoenwaelder
- Re: [netmod] Request for improvement in ACL YANG … Oscar González de Dios
- Re: [netmod] Request for improvement in ACL YANG … Aseem Choudhary (asechoud)
- Re: [netmod] Request for improvement in ACL YANG … Juergen Schoenwaelder
- Re: [netmod] Request for improvement in ACL YANG … Aseem Choudhary (asechoud)
- Re: [netmod] Request for improvement in ACL YANG … Oscar González de Dios
- Re: [netmod] Request for improvement in ACL YANG … tom petch
- Re: [netmod] Request for improvement in ACL YANG … Kent Watsen