Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14

Mahesh Jethanandani <> Thu, 02 November 2017 00:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7445013F43E for <>; Wed, 1 Nov 2017 17:05:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Ga4zZZtOsnCs for <>; Wed, 1 Nov 2017 17:05:30 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c05::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9580E13942C for <>; Wed, 1 Nov 2017 17:05:30 -0700 (PDT)
Received: by with SMTP id s75so3492985pgs.0 for <>; Wed, 01 Nov 2017 17:05:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=b0HxWBccIaMNyg/0HAWP4Kx6cgNLLVRFKSCNIDYZLKU=; b=Kao7cPtrn+ky3ZB1M/o/ol61nj0URANfT14NRdHPUgR7zbzNj1YH3/o5iIDKFPj4mu tu0+8LBDl3vnaHX08BllQytT/RQcP9kDJosEd1P9BCHnmY3b80XYtfP0fiUwZNb9VsOT 3Rh9D8C6HvkEZwQqx5glPxLurMV8+lCBVwgI6tLwMZp9qStV7wDrLDxlb2rgky6ZSFyq UrE90tvS9WqWqqKPBkNBs2h4Y6rx3w/5NF/dUCAE44nU/eeudy6Est1MIRaiYhnk9F3k QsexVMMXo6ZBOI9MlRncwe6Q8bADzJgls3efF3ARx8DMz4j8okNutOYjN2fYjiqf9XY8 YUxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=b0HxWBccIaMNyg/0HAWP4Kx6cgNLLVRFKSCNIDYZLKU=; b=BIRpue0Sy1WLv+kzSQXXAHc01gCpNgk/1c63vFiWQke3xHxdqGWNmcoKUmGPtiNZE2 qspHUveZEd7fxj2nSDODeaMCVOlCoYGNSz1WlKB+KJOorw2gVkMJ63h3m4Nt5/ZtbC0b qPyk7o9ZOemLpjPdab78eoBWl5OVUSqS1yKU3daCfSuJlDPDZEvMA6HkI3Znh9bOZTzV La5sGq+eLaHifIy0gZH0RqfemvT9i74ELxbnpdqLSFs7SWNVAs8vv2CmgVSmxZrlTj3l 9+aDEi2DcFbfECGYpW17GvyiLan3NW1N1St0UzjYb5fZ6UsrWmDH/3QJPid/yU+OL5uT bB4g==
X-Gm-Message-State: AMCzsaUcS4QVNkhUNiEm8Hz38o46dErCuUHB0dsWo8pSi9M9PoYhuEm2 VDENYlI1CBje/Z+dMFgOkA8=
X-Google-Smtp-Source: ABhQp+QRrFadKEuIl633wvXra++I0JPkk9yLGc/lNKFFJReNShqfNZeLJM1sjFAXzaO/Q7bDMDyTaA==
X-Received: by with SMTP id g6mr1288375pll.148.1509581130050; Wed, 01 Nov 2017 17:05:30 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id h67sm3475509pfh.74.2017. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 01 Nov 2017 17:05:28 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_B3FB1FA1-4A1B-4C35-BC18-E00946D1969A"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Mahesh Jethanandani <>
In-Reply-To: <>
Date: Thu, 02 Nov 2017 06:35:25 +0630
Cc: "" <>
Message-Id: <>
References: <> <> <> <> <>
To: Kristian Larsson <>
X-Mailer: Apple Mail (2.3124)
Archived-At: <>
Subject: Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 02 Nov 2017 00:05:33 -0000


> On Nov 1, 2017, at 10:27 PM, Kristian Larsson <> wrote:
> I think there's a problem with the current approach for features
> where it conflates the limitations of the device with the
> limitations of an attachment point.  Ultimately it is the
> limitations of the attachment point that matter. Creating an ACL
> in config on a device doesn't actually mean anything until you
> attach it somewhere.
> It's not hard to imagine a device where different limitations
> apply, let's say a fairly simple Ethernet switch built on some
> commodity chip. It consists of, say:
> * 24 * 10GE on a commodity chip
> * some control plane (a x86 PC) connected to that commodity chip
> The commodity chip supports matching ethernet headers, so ACLs
> attached to those ports are "eth-acl". The control plane on the
> other hand supports complex matching on anything you can imagine.
> What YANG features should such a device advertise?

The feature statement is a “static” statement that a particular implementation defines for what it supports across the entire device. YANG does not allow for a feature to be defined for a particular node in the model. 

For the behavior you desire, one would define a feature statement that covers everything the device supports, and will have to use must statements to control what parts of the model get supported by the ports and what parts of the model are supported in the control plane. That will usually be a implementation level detail that this model cannot cover.


>   kll
> On Wed, Nov 01, 2017 at 02:26:31PM +0100, Kristian Larsson wrote:
>> Mahesh,
>> On Wed, Nov 01, 2017 at 05:13:18PM +0630, Mahesh Jethanandani wrote:
>>> I think there is confusion in how the ACL model is going to be
>>> implemented by vendors and used by customers.
>>> As Eliot alluded to, the model is trying to address the issue
>>> of the capabilities of each platform as they exist across the
>>> industry but also within each vendor. So the first thing an
>>> implementation would do is to pick which feature they do
>>> support. A low end platform that supports only layer 2 ACL will
>>> pick l2-acl as their feature, while a high end router capable
>>> of support l2 and l3, ipv4 and ipv6 ACL will declare
>>> l2-l3-ipv4-ipv6 as the feature they support. That pretty much
>>> takes out all the other containers in the matches container.
>>> The additional features they might want to choose include
>>> support for TCP, UDP and ICMP. For a high end router this boils
>>> down to having definitions for
>>> - ethernet
>>> - ipv4
>>> - ipv6
>>> - tcp
>>> - udp
>>> - icmp
>>> which is the list you have in mind, but this time making sure
>>> that the platform is capable of supporting each one of the
>>> definitions. Imagine if the low end platform advertised a model
>>> for all the above capabilities only to reject them when you
>>> tried to configure a ipv6 address that it already knows it
>>> cannot support.
>> You imply that the low end platform would advertise features that
>> it doesn't support. Why would it do that?
>> I don't suggest removing features - only restructure where the
>> data is held.  In my example, under the ethernet container I can
>> do: if-feature "eth-acl or eth-ipv4-acl..."; to check if the
>> device supports a given feature so why are you saying that we
>> need different containers for the ethernet matching part of an
>> ACL of type eth-acl vs say eth-ipv4-acl?
>> Right now the features themselves affect the structure of the
>> model and thus the data, which I rather dislike. The config to
>> match e.g. ethernet headers should always go in the same place.
>> The model gives the illusion of supporting "unified" ACLs but
>> actually doesn't at all.
>>> Similarly the condition on tcp/udp/icmp container is to make
>>> sure the platform is capable of supporting them. Only if the
>>> platform declares tcp-acl, udp-acl, and icmp-acl feature, will
>>> those containers be visible from a configuration perspective.
>> And if the device supports all of those features I can write an
>> ACE that matches on TCP flags at and ICMP types.. and it would
>> validate according to the model but cleary makes no sense.
>>> The acl-type is used as a check to make sure the user is aware
>>> what kind of ACL the platform supports and the ACL they are
>>> trying to configure matches the acl-type. If the platform
>>> declared the feature l2-acl and if the user tries to set the
>>> ACL type to l2-l3-ipv4-ipv6 then the configuration would be
>>> rejected.
>> Another way of structuring this is to have completely different
>> lists of ACLs where each type of ACL is its own list, e.g.
>> * eth-acl
>> * ipv4-acl
>> * ipv6-acl
>> * eth-ipv4-ipv6-acl
>> What advantage do you think your currently proposed model holds
>> over such an approach?
>> What are your thoughts on the attachment point using two leaves?
>> Are you satisfied with this?
>>> In the Linux/nftables case, the platform should
>>> declare the feature l2-l3-ipv4-ipv6, tcp-acl, udp-acl, and
>>> icmp-acl if that is what it wants to support. The interface
>>> attachment point has been defined but it is not mandatory that
>>> a configuration has to define it. So if in Linux, the ACL list
>>> is global, one would not define a attachment point, which
>>> implies it is a global list.
>> Naturally one has to define an attachment point or the system
>> wouldn't know which one of potentially multiple ACLs to apply to
>> nftables. It might however be up to another YANG model to define
>> that attachment point.
>> The list of features seem to align poorly with reality. How can
>> we have a list of attachment points in the model but without
>> if-feature wrapping it? Surely a Linux machine must be able to
>> announce that it doesn't support per-interface ACLs? A side
>> question is why that attachment list exists in the first place -
>> why isn't it an augmentation of the interfaces module?
>>   kll
>> -- 
>> Kristian Larsson                                        KLL-RIPE
>> +46 704 264511                      
>> _______________________________________________
>> netmod mailing list
> -- 
> Kristian Larsson                                        KLL-RIPE
> +46 704 264511                      

Mahesh Jethanandani