Re: [netmod] Question about acl-type in draft-ietf-netmod-acl-model-08

Jeff Tantsura <jefftant.ietf@gmail.com> Tue, 23 August 2016 07:37 UTC

From: Jeff Tantsura <jefftant.ietf@gmail.com>
In-Reply-To: <CA+C0YO2mJiZbG0b3=4s+s4s9AmuR-ruYT8yJ7fXz5xwLP1zEfg@mail.gmail.com>
Date: Tue, 23 Aug 2016 15:36:56 +0800
Message-Id: <31EE1959-75BA-4B60-A0C2-8189C3B407D6@gmail.com>
References: <7F859F89F9B4DD4DB902232F9E2DAC083873C373@ESGSCMB103.ericsson.se> <B4BF42A6-9642-457D-9CA6-B22B3303A3FD@gmail.com> <7F859F89F9B4DD4DB902232F9E2DAC083873C9AD@ESGSCMB103.ericsson.se> <CA+C0YO2mJiZbG0b3=4s+s4s9AmuR-ruYT8yJ7fXz5xwLP1zEfg@mail.gmail.com>
To: Sam Aldrin <aldrin.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/2EBV6EYvJqKjoGf8H13qOtsoDVs>
Cc: "kkoushik@cisco.com" <kkoushik@cisco.com>, netmod WG <netmod@ietf.org>
Subject: Re: [netmod] Question about acl-type in draft-ietf-netmod-acl-model-08

+1

It should represent business logic rather than a subset of existing features.

Regards,
Jeff

> On Aug 23, 2016, at 2:41 PM, Sam Aldrin <aldrin.ietf@gmail.com> wrote:
> 
> Model design shouldn't be limited by the device capabilities; rather, it should be agnostic.
> The existing IETF model is more of a YANG version of CLI, which is rather limiting from an operational perspective.
> 
> How do we (operators) want the ACL model to be? Take a look at the model we published (work in progress) at <https://github.com/openconfig/public/tree/master/release/models/acl>
> 
> -sam
> 
>> On Mon, Aug 22, 2016 at 7:04 AM, Adrian Pan <adrian.pan@ericsson.com> wrote:
>> Hi Dean,
>> 
>> 3)   With the model definition, even if the acl-type is configured as Ethernet, the operator can still configure the matches of an ace under the acl as ipv4 or ipv6, right?
>> 
>> No, if ACL type is ethernet, then all ACEs are expected to be ethernet.
>> 
>> [Adrian] I understand your point, but this is not reflected in the model. According to the model, the operator can still configure the acl-type as Ethernet while configuring the ace of the acl as ipv4, and this should be a valid configuration.
>> 
>> Is this the model design intention?
>> 
>> If acl-type is of one family, then only ACEs with match conditions from that family are expected to be in the acl. If you want to combine them, please use mixed type.
>> 
>> [Adrian] If it's only expected to be the same as the acl-type, but without the restriction in the model, you can't prevent the operator from configuring a mix of acl-type and ace matches. So my thinking is: can we add the restriction in the model, as below, to better reflect the model design intention?
>> 
>> container matches {
>>   description
>>     "Definitions for match criteria for this Access List
>>      Entry.";
>> 
>>   container ace-ipv4 {
>>     // acl-type is a leaf of the enclosing acl list entry, four levels up:
>>     // ace-ipv4 -> matches -> ace -> access-list-entries -> acl
>>     when "../../../../acl-type='ipv4-acl'";
>>     description "IPv4 Access List Entry.";
>>     uses packet-fields:acl-ip-header-fields;
>>     uses packet-fields:acl-ipv4-header-fields;
>>   }
>>   container ace-ipv6 {
>>     when "../../../../acl-type='ipv6-acl'";
>>     description "IPv6 Access List Entry.";
>>     uses packet-fields:acl-ip-header-fields;
>>     uses packet-fields:acl-ipv6-header-fields;
>>   }
>>   container ace-eth {
>>     when "../../../../acl-type='eth-acl'";
>>     description
>>       "Ethernet Access List entry.";
>>     uses packet-fields:acl-eth-header-fields;
>>   }
>> }
>> 
>> Thanks
>> 
>> Adrian
>> 
>> From: Dean Bogdanovic [mailto:ivandean@gmail.com]
>> Sent: Monday, August 22, 2016 5:39 PM
>> To: Adrian Pan <adrian.pan@ericsson.com>
>> Cc: kkoushik@cisco.com; lyihuang16@gmail.com; dblair@cisco.com; netmod WG <netmod@ietf.org>
>> Subject: Re: Question about acl-type in draft-ietf-netmod-acl-model-08
>> 
>> (+netmod mailing list)
>> 
>> Adrian,
>> 
>> Please see inline
>> 
>> On Aug 22, 2016, at 2:27 AM, Adrian Pan <adrian.pan@ericsson.com> wrote:
>> 
>> Dear authors,
>> 
>> I have some questions about the ietf acl model, as below; your reply is appreciated.
>> 
>> 1)   In the model definition acl-type is one key of the acl, and the description says that the acl-type could be ethernet, IPv4, IPv6 or mixed. In case the acl-type is mixed, what should the identifier be?
>> Should it be augmented by different vendors? I don't see the definition of it.
>> 
>> As mixed ACLs are not supported by all vendors, those are not part of the standard model. It is up to the vendor to augment the ace-type and select an identifier to their liking.
>> 
>> 2)   In the "mix" case, the "matches" of the ace list can be a combination of Ethernet, ipv4 and ipv6 for different aces, right?
>> 
>> Or another combination, again depends on what that particular vendor supports.
>> 
>> 3)   With the model definition, even if the acl-type is configured as Ethernet, the operator can still configure the matches of an ace under the acl as ipv4 or ipv6, right?
>> 
>> No, if ACL type is ethernet, then all ACEs are expected to be ethernet.
>> 
>> Is this the model design intention?
>> 
>> If acl-type is of one family, then only ACEs with match conditions from that family are expected to be in the acl. If you want to combine them, please use mixed type.
>> 
>> Dean
>> 
>> module: ietf-access-control-list
>>    +--rw access-lists
>>       +--rw acl* [acl-type acl-name]
>>          +--rw acl-name               string
>>          +--rw acl-type               acl-type
>>          +--ro acl-oper-data
>>          +--rw access-list-entries
>>             +--rw ace* [rule-name]
>>                +--rw rule-name        string
>>                +--rw matches
>>                |  +--rw (ace-type)?
>> 
>>          leaf acl-type {
>>            type acl-type;
>>            description
>>              "Type of access control list. Indicates the primary intended
>>               type of match criteria (e.g. ethernet, IPv4, IPv6, mixed, etc)
>>               used in the list instance.";
>>          }
>> 
>> Thanks
>> 
>> Adrian
>> 
>> _______________________________________________
>> netmod mailing list
>> netmod@ietf.org
>> https://www.ietf.org/mailman/listinfo/netmod
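The gap Adrian points at in the quoted exchange is that draft-08 lets an operator put an IPv4 ACE under an Ethernet-typed ACL and the model does not reject it. The following is an added example, not code from the thread, the draft, or any vendor: an instance-level check of the rule his proposed `when` statements would enforce, run over two constructed configurations shaped like the draft-08 tree (access-lists/acl[]/access-list-entries/ace[]/matches). The container names ace-ipv4/ace-ipv6/ace-eth come from his proposal; the mixed acl-type identity names and the leaf names inside the match containers are assumptions made for the example.

```python
"""Instance-level check of acl-type vs. ACE match-family consistency.

Added example (not from the thread or the draft). The config dicts below
are constructed to mirror the draft-08 tree; mixed identity names and the
leaf names inside the match containers are assumptions.
"""

# Match containers each acl-type admits. The single-family rows encode the
# proposed `when` conditions; the mixed rows are an assumed vendor augment.
ALLOWED_MATCHES = {
    "ipv4-acl": {"ace-ipv4"},
    "ipv6-acl": {"ace-ipv6"},
    "eth-acl": {"ace-eth"},
    "mixed-eth-ipv4-acl": {"ace-eth", "ace-ipv4"},                    # assumed
    "mixed-eth-ipv4-ipv6-acl": {"ace-eth", "ace-ipv4", "ace-ipv6"},   # assumed
}

# Every match container the checker knows about.
MATCH_CONTAINERS = frozenset(ALLOWED_MATCHES["mixed-eth-ipv4-ipv6-acl"])


def check_acl_families(config):
    """Return (acl-type, acl-name, rule-name, message) tuples for every ACE
    whose match container is not admitted by its ACL's acl-type.

    The draft-08 model accepts such instances as-is; this reports what the
    proposed constraint would reject.
    """
    violations = []
    for acl in config.get("access-lists", {}).get("acl", []):
        acl_type, acl_name = acl["acl-type"], acl["acl-name"]
        allowed = ALLOWED_MATCHES.get(acl_type)
        if allowed is None:
            violations.append((acl_type, acl_name, None, "unknown acl-type"))
            continue
        for ace in acl.get("access-list-entries", {}).get("ace", []):
            present = MATCH_CONTAINERS & set(ace.get("matches", {}))
            for container in sorted(present - allowed):
                violations.append((acl_type, acl_name, ace["rule-name"],
                                   f"{container} not permitted under {acl_type}"))
    return violations


# Constructed instance: an Ethernet ACL carrying an IPv4 rule, the exact
# combination the thread says the draft-08 model does not reject.
ETH_ACL_WITH_IPV4_RULE = {
    "access-lists": {"acl": [{
        "acl-type": "eth-acl",
        "acl-name": "edge-l2",
        "access-list-entries": {"ace": [
            {"rule-name": "allow-mgmt-mac",
             "matches": {"ace-eth": {"source-mac-address": "00:11:22:33:44:55"}}},
            {"rule-name": "deny-old-subnet",
             "matches": {"ace-ipv4": {"source-ipv4-network": "10.0.0.0/8"}}},
        ]},
    }]}
}

# Constructed instance: the same two rules under an (assumed) mixed type,
# which is where Dean says such combinations belong.
MIXED_ACL = {
    "access-lists": {"acl": [{
        "acl-type": "mixed-eth-ipv4-acl",
        "acl-name": "edge-mixed",
        "access-list-entries":
            ETH_ACL_WITH_IPV4_RULE["access-lists"]["acl"][0]["access-list-entries"],
    }]}
}


if __name__ == "__main__":
    for label, cfg in (("eth-acl", ETH_ACL_WITH_IPV4_RULE), ("mixed", MIXED_ACL)):
        problems = check_acl_families(cfg)
        print(f"{label}: {'ok' if not problems else problems}")
```

The check is deliberately keyed on the acl-type of the enclosing list entry, the same node the proposed `when` expressions reach with `../../../../acl-type`; a validator that only looks at each ACE in isolation cannot catch this class of mismatch.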