Re: [netmod] [OPSAWG] Augmenting ACLs in mud-tls

tom petch <ietfc@btconnect.com> Mon, 17 October 2022 16:02 UTC

From: tom petch <ietfc@btconnect.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Mahesh Jethanandani <mjethanandani@gmail.com>, "netmod@ietf.org" <netmod@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Date: Mon, 17 Oct 2022 16:02:39 +0000
Message-ID: <AM7PR07MB6248B9A8A9CC8E9A31025F5DA0299@AM7PR07MB6248.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/1U9YAmbougiM57xD0M7Tm9z5rA4>

From: Michael Richardson
Sent: Monday, October 17, 2022 14:24
To: tom petch; Mahesh Jethanandani; netmod@ietf.org; opsawg@ietf.org
Subject: Re: [OPSAWG] Augmenting ACLs in mud-tls

tom petch <ietfc@btconnect.com> wrote:
    > draft-ietf-opsawg-mud-tls augments RFC8519 but while the RFC
    > structures its matches as a series of choices, the augmentation
    > does not.  Should it?

What in practice does this mean for the YANG?

<tp>
RFC8519 has
container matches {
  choice l2 { container eth
...
  choice l3 {
and so on.

This I-D has
  augment "/acl:acls/acl:acl/acl:aces/acl:ace/acl:matches" {
    container client-profile {

By contrast, when
  draft-ietf-teas-yang-te-30
is augmented by
  draft-ietf-ccamp-flexigrid-tunnel-yang-01
then the augment is
  augment "/te:te/te:globals/te:named-path-constraints/" +
  "te:named-path-constraint/" +
  "te:explicit-route-objects-always/" +
  "te:route-object-exclude-always/te:type/te:label/" +
  "te:label-hop/te:te-label/te:technology"
     case flexi-grid {
     uses l0-types:flexi-grid-label-hop;

where te:technology from RFC8776 is
  choice technology { default "generic";
     case generic {
i.e. a case is being augmented to a choice alongside other cases, and there are many such instances in CCAMP and TEAS of adding a case for a different technology.

This I-D augments 'container matches' with a YANG container, so the choice/case pattern used in other uses of ACLs is not used; legal YANG, but I do not know if that is the intent of the authors of RFC8519.

Tom Petch



    > The I-D has passed WGLC but has been delayed by me making
    > editorial comments.  AFAICT the I-D has not had a YANG Doctor
    > review.

Seems that this should have happened.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
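As an added illustration (not part of either message above, and not the I-D's own YANG), the following module places the two augmentation styles under discussion side by side against the RFC 8519 'matches' container: the container-beside-the-choices form the I-D uses, and the case-added-to-a-choice form seen in CCAMP/TEAS. The module name, namespace, the 'tls' case and the 'profile-name' leaf are hypothetical; only 'client-profile' and the RFC 8519 node names come from the thread or the RFC.

```yang
module example-acl-tls-augment {
  yang-version 1.1;
  namespace "urn:example:acl-tls-augment";   // placeholder, not a registered namespace
  prefix ex-tls;

  import ietf-access-control-list {
    prefix acl;
    reference "RFC 8519";
  }

  description
    "Example only. Contrasts two ways of extending
     /acl:acls/acl:acl/acl:aces/acl:ace/acl:matches. Node names
     other than client-profile are hypothetical.";

  // Style 1: what the I-D does. The new container is a sibling of the
  // existing l2/l3/l4 choices, so an ACE may carry it together with,
  // for example, acl:ipv4 and acl:tcp match fields.
  augment "/acl:acls/acl:acl/acl:aces/acl:ace/acl:matches" {
    container client-profile {
      description "Profile to match; the I-D's real contents are elided.";
      leaf profile-name {
        type string;
        description "Hypothetical stand-in for the I-D's leaves.";
      }
    }
  }

  // Style 2: the choice/case pattern CCAMP and TEAS use. The new case
  // joins acl:tcp, acl:udp and acl:icmp under choice l4. RFC 7950 allows
  // at most one case of a choice to be present, so with this form a
  // 'tls' match could not be combined with an acl:tcp match in one ACE.
  augment "/acl:acls/acl:acl/acl:aces/acl:ace/acl:matches/acl:l4" {
    case tls {
      container tls {
        description "Hypothetical alternative; not what the I-D does.";
        leaf profile-name {
          type string;
          description "Hypothetical stand-in for the I-D's leaves.";
        }
      }
    }
  }
}
```

Both augments compile against ietf-access-control-list with pyang; the comments mark the semantic difference that decides which form fits the I-D's intent.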