Re: [netmod] IETF ACL model

[Robert Wilton <rwilton@cisco.com>]

On 27/11/2017 13:17, Kristian Larsson wrote:
> Robert Wilton <rwilton@cisco.com> writes:
>
>> Thinking about this some more. I'm not sure what it means for the "ACL
>> Type" to be "any-acl". It seems that the "match any packet" should be a
>> type of ACE, e.g. perhaps as the last entry of an ACL, rather than a
>> type of ACL.
> Yes, I agree as so far that any-acl makes no sense as an acl-type. The
> way I understood acl-type, and the way that vendors have told me it will
> be used, is to say "this is an IPv4 ACL" and then on an attachment point
> you can specify that only ACLs of acl-type ipv4-acl can be attached to
> the interface. That makes perfect sense. I do not see how any-acl can
> map into this.
>
> I agree that any-acl is logically a type of ACE but we don't have an
> ace-type and the exact same information can IMHO already be conveyed
> WITHOUT the any-acl type and thus it has no reason to exist. Nor do we
> need a feature for it.
>
> >From what I can tell the any-acl container in the ACE should be used to
> explicitly signify a match on "any". Think of IOS style ipv4 acl:
>    permit ip any any
>
> We have to provide a source and destination so this would be a rather
> explicit mapping of that. However, our structure in this YANG model is
> just completely different than an IOS command so I don't see why we
> should try and mimic IOS in the YANg model.
>
> Not specifying a destination IP address means we match on any
> destination IP address. The same is true for any other field we can
> match on. Not setting a match implies we don't try to match on that
> field, thus we allow "any" value. I think the logical continuation of
> this is that for an ACE with no matches defined at all, we match any
> packet. I think we can update the text to better explain this.

>
>
>
>> Otherwise if the ACL type is "any-acl" then this only allows two types
>> of ACLs to be defined, neither of which seem to be particularly useful:
>> (1) An ACL that matches all traffic and permits it, i.e. the same as
>> having no ACL at all.
>> (2) An ACL that matches all traffic and drops.
>>
>> So I think perhaps the answer here is to define neither ACL type
>> "any-acl" nor leaf "any". The presumption could be that any ACE that is
>> configured to match no fields implicitly matches all packets (because
>> all non specified fields are treated as wildcards), and then applies the
>> permit/deny rule associated with the ACE. This logic can apply to all
>> ACL types.
> Yes yes yes :)
Another area of the current model that I'm not quite convinced about is 
about the L4 matches (UDP, TCP, ICMP).

Currently the model assumes that if a device can support matching on say 
UDP fields that they can apply to any type of ACL.  However, I think 
that it is plausible that the UCP, TCP and ICMP fields might only apply 
to IP ACLs and not Ethernet ACLs.

Hence, I was wondering if there should be "acl match type" identity 
defined for the "l4" field matches?

This would then cause there to be twice as many ACL types identities and 
features defined, e.g.

eth,
ipv4,
ipv6,
l4
eth-l4,
eth-ipv4,
eth-ipv4-l4,
eth-ipv6,
eth-ipv6-l4,
eth-ipv4-ipv6,
eth-ipv4-ipv6-l4
ipv4
ipv4-l4
ipv6
ipv6-l4,
ipv4-ipv6
ipv4-ipv6-l4

So, trading off my ACL type combinations for more expressiveness as to 
what can actually be supported.

Thanks,
Rob


>
>     Kristian.
> .
>