IETF Logo Mail Archive

Re: [netmod] derived-from() vs derived-from-or-self() in acl model

Per Hedeland <per@tail-f.com> Mon, 26 February 2018 22:44 UTC

Return-Path: <per@tail-f.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D009212D87B; Mon, 26 Feb 2018 14:44:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hk0f1HzmMW4f; Mon, 26 Feb 2018 14:44:28 -0800 (PST)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id 3E8B812D82F; Mon, 26 Feb 2018 14:44:28 -0800 (PST)
Received: from pluto.hedeland.org (81-228-155-109-no289.tbcn.telia.com [81.228.155.109]) by mail.tail-f.com (Postfix) with ESMTPSA id 66B871AE0488; Mon, 26 Feb 2018 23:44:27 +0100 (CET)
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: "netmod@ietf.org" <netmod@ietf.org>, "draft-ietf-netmod-acl-model@ietf.org" <draft-ietf-netmod-acl-model@ietf.org>
References: <35213d61-08b4-ce5b-f7b2-251d2d5c2e70@tail-f.com> <87y3jf51ed.fsf@nic.cz> <ed68a5f1-7854-3d7c-2ff7-ee71857707d9@tail-f.com> <E4EDCE65-70A1-41CD-ABFE-C46E758732A1@gmail.com> <ba77f688-0ffc-eb47-ba13-5ebebecea6ba@tail-f.com> <512EE203-D8C7-40FA-BA05-48D240666716@gmail.com>
From: Per Hedeland <per@tail-f.com>
Message-ID: <abcbf8c6-59f0-5543-64da-192b7c021cf4@tail-f.com>
Date: Mon, 26 Feb 2018 23:44:27 +0100
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <512EE203-D8C7-40FA-BA05-48D240666716@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/4mNq7sygraqzXe8UurzO6xBnXcg>
Subject: Re: [netmod] derived-from() vs derived-from-or-self() in acl model
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Feb 2018 22:44:31 -0000

On 2018-02-26 23:02, Mahesh Jethanandani wrote:
> 
> 
>> On Feb 26, 2018, at 1:31 PM, Per Hedeland <per@tail-f.com> wrote:
>>
>> On 2018-02-26 20:20, Mahesh Jethanandani wrote:
>>>> On Feb 26, 2018, at 9:01 AM, Per Hedeland <per@tail-f.com <mailto:per@tail-f.com>> wrote:
>>>>
>>>> [Adding Cc todraft-ietf-netmod-acl-model@ietf.org <mailto:draft-ietf-netmod-acl-model@ietf.org>]
>>>>
>>>> On 2018-02-26 14:24, Ladislav Lhotka wrote:
>>>>> Per Hedeland <per@tail-f.com <mailto:per@tail-f.com>> writes:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> A customer of ours using one of the draft versions of the
>>>>>> ietf-access-control-list module reported that it was not possible to
>>>>>> configure an ethernet ace with type acl:eth-acl-type, due to the
>>>>>> derived-from() in
>>>>>>
>>>>>>               container eth {
>>>>>>                 when "derived-from(../../../../type, " +
>>>>>>                      "'acl:eth-acl-type')";
>>>>>>                 if-feature match-on-eth;
>>>>>>                 uses pf:acl-eth-header-fields;
>>>>>>                 description
>>>>>>                   "Rule set that matches ethernet headers.";
>>>>>>               }
>>>>>>
>>>>>> evaluating to "false". I pointed out that this is correct behavior of
>>>>>> our SW, since acl:eth-acl-type is not derived from acl:eth-acl-type, and
>>>>>> it would need to be derived-from-or-self() in order to evaluate to
>>>>>> "true". I also ventured a guess (not having followed the development of
>>>>>> the acl model in detail) that the intent was that vendors should define
>>>>>> their own identities, that actually *were* derived from acl:eth-acl-type
>>>>>> (and ditto for all the other *-acl-type identities, of course).
>>>>>>
>>>>>> However I'm not at all sure that the guess is correct, and if so why
>>>>>> this should be *enforced* by excluding the base identity. And having a
>>>>>> look at the example in section 4.3 of draft-ietf-netmod-acl-model-16, it
>>>>>> seems to be doing exactly what our customer tried, alhough with
>>>>>> ipv4-acl-type:
>>>>>>
>>>>>> <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
>>>>>>   <access-lists xmlns="urn:ietf:params:xml:ns:yang:ietf-access-control-list">
>>>>>>     <acl>
>>>>>>       <name>sample-ipv4-acl</name>
>>>>>>       <type>ipv4-acl-type</type>
>>>>>>       <aces>
>>>>>>         <ace>
>>>>>>           <name>rule1</name>
>>>>>>           <matches>
>>>>>>             <l3>
>>>>>>               <ipv4>
>>>>>>                 <protocol>tcp</protocol>
>>>>>>
>>>>>> As far as I can see, this snippet is invalid for the model, since the
>>>>>> 'ipv4' container has
>>>>>>
>>>>>>               container ipv4 {
>>>>>>                 when "derived-from(../../../../type, " +
>>>>>>                      "'acl:ipv4-acl-type')";
>>>>>>
>>>>>> - and ipv4-acl-type is *not* derived from ipv4-acl-type. (Of course
>>>>>> there shouldn't be any <l3> element either, but that's another thing.)
>>>>>>
>>>>>> So, is it the case that the derived-from()s should actually be
>>>>>> derived-from-or-self()s, or is the example wrong?
>>>>>
>>>>> This has to do with the irreflexivity property of identity derivation,
>>>>> which is, in my view, an unnecessary complication. It would be simpler
>>>>> but sufficient to define derivation as a reflexive relation, and have
>>>>> only one "derived-from()" XPath function.
>>>>
>>>> Be that as it may, it is obviously not what RFC 7950 says.
>>> I would agree that that is not how I am reading RFC 7950. For now my choice is to change all the derived-from() to derived-from-or-self().
>>
>> I think that is a useful change. FWIW, when I actually tried the example
>> as the payload of an <edit-config> towards our NETCONF server, I found
>> some other problems, which I believe are still relevant with the pull
>> request applied:
>>
>> 1) (Aldready mentioned) the <l3> element corresponding to the choice in
>> the model should not be present (RFC 7950 section 7.9.5).
> 
> Removed <l3>. Although I have say the tree diagram confused me. It identifies l3 as a node with a +rw next to it, while for ipv4 it says +.

Hm... - the tree diagram has

         |        |  +--rw (l3)?
         |        |  |  +--:(ipv4)
         |        |  |  |  +--rw ipv4 {match-on-ipv4}?

Where "(l3)?" is the choice, ":(ipv4)" is the case (not present in the
YANG module since it makes use of the "shorthand" per RFC 7950 section
7.9.2), and "ipv4" is the container (with its if-feature). The
latest/last tree diagram draft (-06) doesn't say anything in particular
about <flags> for choice/case, so it would seem that it should be "rw"
for both choice and case in configuration data. I.e. the case should be
shown as

         |        |  |  +--rw :(ipv4)

Latest pyang from github shows a 'case' as the first variant above
though, i.e. without both <flags> and whitespace before the name. I
guess Martin will fix...

--Per

>> 2) "tcp" is not a valid value for the 'protocol' leaf - from
>> ietf-packet-fields@2018-02-02.yang:
>>
>>     leaf protocol {
>>       type uint8;
>>       description
>>         "Internet Protocol number. Refers to the protocol of the
>>          payload. In IPv6, this field is known as 'next-header.";
>>       reference "RFC 719, RFC 2460.";
>>     }
>>
>> I.e. it should be "6". And the reference for this leaf, as well as for
>> 'length' and 'ttl', should presumably be RFC 791, not RFC 719.
> 
> Changed it to 6, and 719 to 791.
> 
>>
>> 3) 11.11.11.1/24 (for 'destination-ipv4-network') and 10.10.10.1/24 (for
>> 'source-ipv4-network') are not valid (canonical) values for
>> inet:ipv4-prefix - from ietf-inet-types.yang:
>>
>>       The canonical format of an IPv4 prefix has all bits of
>>       the IPv4 address set to zero that are not part of the
>>       IPv4 prefix.";
>>
>> And of course it doesn't make much sense to have bits outside the prefix
>> length set for a match specification. It seems the pull request changes
>> these prefixes to RFC 1918 / RFC 5737 space, but those prefixes have
>> the same issue.
> 
> Made the host part of the network address 0.
> 
>>
>> I'm attaching the output from a <get-config> towards our NETCONF server
>> with these issues fixed (and the derived-from() ->
>> derived-from-or-self() change made).
> 
> Thanks.
> 
>>
>> --Per
>>
>>>>
>>>>> Identities that are considered "abstract" should not be instantiated, and
>>>>> then derived-from() and derived-from-or-self() give the same result.
>>>>
>>>> So I guess your take is that the *-acl-type identities derived from
>>>> acl:acl-base in the ietf-access-control-list module should be considered
>>>> "abstract", and thus the example should not use ipv4-acl-type for the
>>>> 'type' leaf, but instead some other identity derived from
>>>> acl:ipv4-acl-type. Do the authors agree?
>>>>
>>>> --Per
>>>>
>>>>> Lada
>>>>>
>>>>>>
>>>>>> --Per Hedeland
>>>>>>
>>>>>> _______________________________________________
>>>>>> netmod mailing list
>>>>>> netmod@ietf.org <mailto:netmod@ietf.org>
>>>>>> https://www.ietf.org/mailman/listinfo/netmod
>>> Mahesh Jethanandani
>>> mjethanandani@gmail.com <mailto:mjethanandani@gmail.com>
>>
>> <example.xml>
> 
> Mahesh Jethanandani
> mjethanandani@gmail.com
>

v2.23.0 | Report a Bug | By Email