Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-15

[Robert Wilton <rwilton@cisco.com>]

On 02/02/2018 07:48, Eliot Lear wrote:
> Hi Kristian,
>
>
> On 02.02.18 08:44, Kristian Larsson wrote:
>> Mahesh,
>>
>> I've reviewed this model, I think I largely caused the last couple of
>> updates to it late last year. Overall I think it is a good model.
>> Placement of feature-statements could be debated - no clear answers.
>> object groupings is something I would like to see in the model but it
>> was always deferred.
>>
>>
>> On 2018-01-22 16:50, Kent Watsen wrote:
>>> Hi Mahesh,
>>>
>>> Thanks, it doesn't get much more concrete then a pull request  ;)
>>>
>>> Okay, so from a chair/shepherd perspective, can folks please consider
>>> this update to -15 as the LC solution to removing the open issue
>>> Juergen found in the draft?
>>>
>>> As a contributor, I don't think the name of the groupings or their
>>> description statements should allude to something that doesn't exist
>>> yet.  Rather than e.g. "source-or-group", could it be instead
>>> something like "source-type"?
>> +1
>>
>>> Also, the update seems to be for both when specifying networks as
>>> well as when specifying port-ranges, but the original issue (see
>>> below) only mentioned addresses - is the pull-request actually what's
>>> needed and the description of the issue in Section 8 is incomplete?
>>>
>>>       8.  Open Issues
>>>
>>>          o  The current model does not support the concept of
>>> "containers"
>>>
>>>               used to contain multiple addresses per rule entry.
>> Object groupings are useful whenever there are many of something.
>> There are usually more address entries than ports, so perhaps more
>> useful for addresses, but it can still be useful to say "NFS-PORTS"
>> and mean all the ports that NFS use (god knows what they are).
>>
>> Other have mentioned scale ACL and that it can be solved in other
>> ways. To me, this sort of object-groupings is not about optimising
>> things for the hardware but rather making it easy for me to write
>> rules. I think it is paramount for security that ACLs can be easily
>> read and understood. If we do not understand them, then we cannot say
>> they are effective and secure. Object groupings greatly improves the
>> readability of ACLs and thus makes it easier to write secure ACLs.
>>
>> I understand the authors wishes to get the first version out the door
>> but I can't help but wonder if it isn't just easier to add in object
>> groupings now. It's not that damn complicated (they are just lists).
>> If not, I'm happy to work with them on the next version which could
>> include object groupings.
> Please let's aim for the next version.  This document just completed
> what I think is its FIFTH last call, which to me is nothing short of insane.
+1 for publishing the draft now.

If there are further bells and whistles that need to be added then 
ideally they would be covered by an ACL-extensions model that augments 
the base ACL model.  If tweaks are required to the base model to achieve 
it then I think that creating a v2 version of the ACL model is also OK.

Thanks,
Rob