Re: [netmod] Fwd: New Version Notification for draft-ietf-netmod-acl-model-10.txt

Kent Watsen <> Thu, 15 June 2017 23:06 UTC


I know that it's been a long delay since the last update to the ACL draft, but here's
the current status, prefaced with some history:

  * The LC for draft-ietf-netmod-acl-model-09 ended on Oct 28, but then was
     extended to Dec 14
  * draft-ietf-netmod-acl-model-10 was posted Mar 13, but David Bannister still
     had some concerns (see emails from March 28th)
  * In Chicago, some folks supporting various ACL implementations met to discuss
     and came to agree that the draft didn't meet some use cases.
  * At this point, Dean said that he didn't have the bandwidth to make the changes,
     and so the proverbial pen was transferred to others (thanks Mahesh and Sonal!)
  * The hope was that simple fixes could be made and an updated draft pushed out
     shortly (never works out the way we hope!)
  * There were 4-5 calls (and some PTOs) which have taken up the time until now.
  * David B. joined a call earlier this week and stated that the new model addresses
     his concerns (albeit with a couple tweaks that were agreed to)
  * A draft-ietf-netmod-acl-model-11 is expected to be posted imminently
  * Given the substantive changes made, this draft will need to go back to the WG
     for a full review of changes and then, once ready, it will need to go through another
     IPR call and then another Last Call.

Kent  // shepherd

On 4/7/17, 7:33 PM, "netmod on behalf of Kent Watsen" <> wrote:

I received some additional off-list comments regarding the concerns David
raised below.  There is a small group of folks that are formulating a response.
I was hoping to send the response itself to the list by now, but it's not ready
yet.  So, instead, I'm just sending this message to let you know that a response
is forthcoming.

Kent  // shepherd

On 3/28/17, 2:59 PM, "David Bannister" <> wrote:

I would agree that the mix of L2 and L3 in the same operational ACL is a bit out of the ordinary.  I could see where a combined approach may be appealing to some.  As a network operator I do not see this as a negative.  It would be nice to give the vendor the option to defer the L2/3 combination but it does not look attainable in the current model.

"augmented by each vendor"  There are many things missing in IETF models and some things which are not under the IETF umbrella.  In this discussion the first that comes to mind is an 802.x model.  It is good to see there is currently an IEEE effort to develop one.  However, it does not exist today.  The various ether types are covered in some of the vendor models I have seen.  We take the Newco example in the draft which typedefs an enum of 'known-ether-type.'  Meanwhile Oldco is using a typedef of 'ethertype.'  Both Newco and Oldco augment this draft. In this scenario the network operator is stuck sorting out the logic in which vendor model to use and having to deal with two data structures for the same entity (ether-type).   Using models this way does nothing to simplify network coding and management.  I am against augmentation from vendor models for common items but it is ok for vendor unique items.  Ether-type is not vendor unique.  Augmentation has its place but it appears to be overused even within the context of IETF only models.

Not sure if pointing out ietf-routing was a good idea. Five years in the making and 42 augmenting models. :-)

If we can get the well known IETF standardized missing bits from L3, L4 for v4 and v6 into this it would work for me but I think the IETF may have missed the boat on this one.

On Sun, Mar 26, 2017 at 1:17 PM, Kent Watsen <> wrote:
Hi David,

I believe an analogy to the ietf-routing module can and should be made here.  In both cases, the module provides a minimal skeleton that is intended to be extended by augmentations.   If anything, I could argue that the acl module doesn't go far enough, in that there is no feature statement on the "ace-ip" and "ace-eth" case statements, as if it's assuming that all servers implement L3 and L2 ACLs, which I find suspicious...

You write below "augmented by each vendor", but I don't believe that this is the intent, so much as (just like with the ietf-routing) that future IETF modules will be defined to flesh it out.  In particular, the existing "ace-ip" and "ace-eth" case statements can be augmented, as well as brand new case statements added.   I agree that, in its current form, this draft is of limited use, but keep in mind that the ietf-routing module now has 42 other modules augmenting it, so there's hope that the ietf-access-control-list module will similarly be fleshed out in short order.

What do you think?  Do you think we should put feature statements on the two case statements, or even move these into other modules (in the same draft) so that there is no specialness imparted on them?

What about others?  I'm concerned that we may not have sufficient domain expertise in the NETMOD WG - similar to the routing-cfg draft, until the rtgwg started to focus on it.

Kent  // shepherd
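To make the question above concrete (feature statements on the two case statements, and one standard type for ethertype instead of one per vendor, as in the Newco/Oldco scenario), here is an illustrative pair of YANG modules. This is added example code, not text from draft-ietf-netmod-acl-model-10 or from any vendor module: the module names, prefixes, namespaces, feature names and the `ethertype` typedef are all assumed for illustration, and the tree is cut down to the few nodes needed to show the `choice`/`case` skeleton and an `augment` into the `ace-eth` case.

```yang
// Illustrative sketch, not the text of draft-ietf-netmod-acl-model-10.
// All module/feature/typedef names below are assumed for this example.
module example-acl-skeleton {
  yang-version 1.1;
  namespace "urn:example:acl-skeleton";
  prefix exacl;

  import ietf-inet-types { prefix inet; }
  import ietf-yang-types { prefix yang; }

  // Gating each case with a feature lets a server that implements only
  // L3 filtering say so; a client then learns that L2 ACEs are
  // unsupported instead of having them silently rejected or ignored.
  feature l3-acl { description "Server supports IP (L3) match criteria."; }
  feature l2-acl { description "Server supports Ethernet (L2) match criteria."; }

  container acls {
    list acl {
      key "name";
      leaf name { type string; }
      container aces {
        list ace {
          key "name";
          leaf name { type string; }
          container matches {
            choice ace-type {
              case ace-ip {
                if-feature "l3-acl";
                leaf source-ipv4-network { type inet:ipv4-prefix; }
                leaf destination-ipv4-network { type inet:ipv4-prefix; }
              }
              case ace-eth {
                if-feature "l2-acl";
                leaf source-mac-address { type yang:mac-address; }
                leaf destination-mac-address { type yang:mac-address; }
                // Deliberately minimal: ethertype is left to augmentation.
              }
            }
          }
          container actions {
            leaf forwarding {
              type enumeration { enum accept; enum drop; }
            }
          }
        }
      }
    }
  }
}

// One augmenting module carrying one ethertype typedef. If this module is
// standard (IETF-defined, as suggested above) rather than vendor-defined,
// every implementer shares one representation instead of Newco's enum and
// Oldco's typedef side by side.
module example-acl-eth-augment {
  yang-version 1.1;
  namespace "urn:example:acl-eth-augment";
  prefix exeth;

  import example-acl-skeleton { prefix exacl; }

  typedef ethertype {
    type uint16;
    description "IEEE 802 EtherType value, e.g. 2048 (0x0800) for IPv4.";
  }

  // Target the ace-eth case directly; the choice and case names are part
  // of the schema node path, so the leaf lands only in L2 ACEs.
  augment "/exacl:acls/exacl:acl/exacl:aces/exacl:ace/exacl:matches"
        + "/exacl:ace-type/exacl:ace-eth" {
    leaf ethertype {
      type ethertype;
      description "Match frames carrying this EtherType.";
    }
  }
}
```

Both modules can be checked together with pyang, e.g. `pyang -f tree example-acl-skeleton.yang example-acl-eth-augment.yang`, which prints the combined tree and flags a mistyped augment path. The practical difference from a typed-as-`string` vendor augmentation is that the server validates the value at commit time, so a malformed or out-of-range EtherType is refused rather than installed as a filter that matches nothing.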

On 3/18/17, 9:18 AM, "David Bannister" <> wrote:

(second try)
There were no changes to the model so my concerns remain the same.  Augmentation is not a scalable solution when dealing with a multi-vendor or in some instances a multi-business-unit environment.  The 'newco' example in the draft illustrates this problem.  The IETF produces a 'standard' for an ACL draft which is so sparse in nature that it must be augmented by each vendor.  In the best case this gives me a unique model per vendor because we know the vendors are not going to get together to define the missing pieces.  The vendors will use a variety of mechanisms to complete the model from using a script to build their models from source code, handling the missing pieces as arbitrary code (anyxml), or everything as a string.  Then there is the worse case where a vendor has no internal standardization (you know who you are) and their own product lines will not align into a common model.  The object here, for me, is to get to a single model for all vendors barring a unique feature that belongs to one vendor in which case augmentation is acceptable.

Could you add to this in the future and rev up the RFC?  Sure.  However, I am not sure what value that brings to the community.  In its current form I would not ask any of my vendors to implement this draft.  Instead I would push them towards the OpenConfig ACL model.

On Tue, Mar 14, 2017 at 9:12 PM, Kent Watsen <> wrote:
Hi David,

Can you please confirm that the additional examples address your concern?  And, if not, please
explain if there is any reason why what you're looking for couldn't be added or augmented
in the future.

Kent // shepherd

On 3/13/17, 5:57 AM, "netmod on behalf of Dean Bogdanovic" <> wrote:

Here is the new version of the ACL draft. Since December and some additional comments about the ACL model, I spoke with many operators about how they use ACLs. I have also received a lot of detailed ACL configurations. In most cases, the model is easily adapted to the current use cases in operations. But to answer the comments, the authors have added a detailed example in the addendum section of how the model can be extended and how this model can be used.



Begin forwarded message:

Subject: New Version Notification for draft-ietf-netmod-acl-model-10.txt
Date: March 13, 2017 at 10:52:38 AM GMT+1
To: <>, "Kiran Koushik" <>, "Lisa Huang" <>, "Dean Bogdanovic" <>, "Dana Blair" <>, "Kiran Agrahara Sreenivasa" <>

A new version of I-D, draft-ietf-netmod-acl-model-10.txt
has been successfully submitted by Dean Bogdanovic and posted to the
IETF repository.

Name: draft-ietf-netmod-acl-model
Revision: 10
Title: Network Access Control List (ACL) YANG Data Model
Document date: 2017-03-13
Group: netmod
Pages: 32

  This document describes a data model of Access Control List (ACL)
  basic building blocks.

  Editorial Note (To be removed by RFC Editor)

  This draft contains many placeholder values that need to be replaced
  with finalized values at the time of publication.  This note
  summarizes all of the substitutions that are needed.  Please note
  that no other RFC Editor instructions are specified anywhere else in
  this document.

  Artwork in this document contains shorthand references to drafts in
  progress.  Please apply the following replacements

  o  "XXXX" --> the assigned RFC value for this draft.

  o  Revision date in model (Oct 12, 2016) needs to get updated with
     the date the draft gets approved.  The date also needs to get
     reflected on the line with <CODE BEGINS>.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at <>.

The IETF Secretariat