Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14

Sonal Agarwal <sagarwal12@gmail.com> Thu, 14 December 2017 08:21 UTC

In-Reply-To: <2C381B09-15D6-417D-A70D-7C6818306FFC@gmail.com>
References: <20171102074318.GC12688@spritelink.se> <6359CD50-0F0D-4315-A58B-1D4CF0583475@gmail.com> <ac9fc676-80f7-723d-9a85-c99fbb122476@cisco.com> <20171102.132634.1363976895007772742.mbj@tail-f.com> <c90aa6c1-340e-2225-f960-73c1395041c5@cisco.com> <20171102164149.GD12688@spritelink.se> <6d6a1b2a-23f8-8bff-a01e-6d13cc73d92f@cisco.com> <20171103084231.GE12688@spritelink.se> <B63D5700-C13B-4D2D-9439-0E4471906374@gmail.com> <a75cf59c-7f5e-0b3b-0ace-ec9be9f67116@cisco.com> <37FA28D8-6799-491C-94CB-04237766E4D3@cisco.com> <2C381B09-15D6-417D-A70D-7C6818306FFC@gmail.com>
From: Sonal Agarwal <sagarwal12@gmail.com>
Date: Thu, 14 Dec 2017 00:21:46 -0800
Message-ID: <CAMMHi8ge4cbrVgRK8=xtJLNYCG1+p+Jh6pFeCy9sEMZP674FHQ@mail.gmail.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: "Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com>, "netmod@ietf.org" <netmod@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/DQGmXjkUqfyhXIcP_mbItcofyBE>
Subject: Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14

Hi Einar,

You had 3 questions for me across the several e-mail threads.
1. Global attachment point
2. icmp-off
3. acl-aggregate-interface stats.

For (1), my first preference is to have the model define the attachment point
for interfaces only. However, Kristian wants the global attachment point as
well so that he can add the ACL to the Linux tables. If an ACL is attached
globally, does this mean it is per direction or does it mean it is across
directions? This global ACL may not be applicable to any of Cisco's service
provider routers, as I don't see any platform actually replicating the ACL
to all line cards and attaching it in ingress and egress directions across
all interfaces.

For (2), I am ok with removing icmp-off.

For (3), this would have to be a combination of ACL stats across all
interfaces for all ACLs. Something like this is possible on an XR box,
where ACEs have counter names associated with them. Let's chat about this
offline tomorrow.

Sonal.


On Wed, Dec 13, 2017 at 12:10 PM, Mahesh Jethanandani <mjethanandani@gmail.com> wrote:

> We want to support “global” attachment point down the line, and that
> “global” attachment point will be one of the choices (the other being the
> interface), what would this augment look like? Note, as far as I know, you
> cannot augment inside a choice node.
>
> On Dec 13, 2017, at 6:57 AM, Einar Nilsen-Nygaard (einarnn) <einarnn@cisco.com> wrote:
>
> Perhaps like this, as an augmentation to the interface:
>
>   augment /if:interfaces/if:interface:
>     +--rw ingress-acls
>     |  +--rw acl-sets
>     |     +--rw acl-set* [name]
>     |        +--rw name              -> /access-lists/acl/name
>     |        +--rw type?             -> /access-lists/acl/type
>     |        +--ro ace-statistics* [name] {interface-stats}?
>     |           +--ro name               -> /access-lists/acl/aces/ace/name
>     |           +--ro matched-packets?   yang:counter64
>     |           +--ro matched-octets?    yang:counter64
>     +--rw egress-acls
>        +--rw acl-sets
>           +--rw acl-set* [name]
>              +--rw name              -> /access-lists/acl/name
>              +--rw type?             -> /access-lists/acl/type
>              +--ro ace-statistics* [name] {interface-stats}?
>                 +--ro name               -> /access-lists/acl/aces/ace/name
>                 +--ro matched-packets?   yang:counter64
>                 +--ro matched-octets?    yang:counter64
>
>
> Could also put an “aces” container above both these & rename
> “ingress-acls” to “ingress”, etc. to give a single root for the
> augmentation if preferred.
>
> Cheers,
>
> Einar
>
>
> On 6 Dec 2017, at 19:43, Eliot Lear <lear@cisco.com> wrote:
>
>
>
> On 12/6/17 7:23 PM, Mahesh Jethanandani wrote:
>
> How does one move the interface attachment point, currently an
> 'interface-ref', to an augmentation of the if:interfaces/interface,
> inside of the ‘acl’ container? Down the line we might need to have a
> container for "attachment points" to accommodate the possibility of
> attaching an ACL either to an interface or “globally”.
>
>
> Keeping in mind that one use is that an ACL doesn't attach to an
> interface at all.
>
> _______________________________________________
> netmod mailing list
> netmod@ietf.org
> https://www.ietf.org/mailman/listinfo/netmod
>
>
>
> Mahesh Jethanandani
> mjethanandani@gmail.com
>
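For readers following the thread, here is one way the per-interface augmentation sketched in Einar's tree diagram could be written out as a YANG module. This is an added example and is not text from draft-ietf-netmod-acl-model-14 or from any participant in the thread. The module name, namespace and prefix (`example-acl-interface-attach`, `eaia`) are placeholders; it assumes the ACL draft's module is importable as `ietf-access-control-list` with prefix `acl` and exposes the `/access-lists/acl/aces/ace` structure the tree's leafref targets point at. One check added beyond the tree: the `type` and `ace-statistics/name` leafrefs carry a predicate tying them to the ACL named in the enclosing `acl-set` entry, so a client cannot bind counters for an ACE from some other ACL, or claim a `type` that belongs to a different ACL, to this attachment.

```yang
module example-acl-interface-attach {
  yang-version 1.1;
  // Placeholder namespace and prefix; not registered anywhere.
  namespace "urn:example:acl-interface-attach";
  prefix eaia;

  import ietf-interfaces { prefix if; }
  import ietf-yang-types { prefix yang; }
  // Assumed module name/prefix for the draft's ACL model.
  import ietf-access-control-list { prefix acl; }

  feature interface-stats {
    description
      "The device can report per-interface, per-ACE match counters.";
  }

  // Shared shape for the ingress and egress attachment containers.
  grouping acl-set-attachment {
    container acl-sets {
      list acl-set {
        key "name";
        leaf name {
          // Must name an ACL that exists under /access-lists.
          type leafref {
            path "/acl:access-lists/acl:acl/acl:name";
          }
        }
        leaf type {
          // Constrained to the type of the ACL named in this entry,
          // not to the type of an arbitrary ACL.
          type leafref {
            path "/acl:access-lists/acl:acl[acl:name=current()/../name]"
               + "/acl:type";
          }
        }
        list ace-statistics {
          if-feature interface-stats;
          config false;
          key "name";
          leaf name {
            // Counters may only be reported for ACEs that belong to
            // the ACL attached by this acl-set entry.
            type leafref {
              path "/acl:access-lists/acl:acl[acl:name=current()/../../name]"
                 + "/acl:aces/acl:ace/acl:name";
            }
          }
          leaf matched-packets { type yang:counter64; }
          leaf matched-octets  { type yang:counter64; }
        }
      }
    }
  }

  // Attach per-direction ACL sets to every interface entry.
  augment "/if:interfaces/if:interface" {
    container ingress-acls {
      description "ACLs applied to traffic entering the interface.";
      uses acl-set-attachment;
    }
    container egress-acls {
      description "ACLs applied to traffic leaving the interface.";
      uses acl-set-attachment;
    }
  }
}
```

To check that the augmentation compiles against the draft's module and to regenerate a tree like the one quoted above, put this file next to copies of ietf-interfaces, ietf-yang-types and the draft's ACL module and run `pyang -p <dir-with-those-modules> -f tree example-acl-interface-attach.yang`. The `config false` list nested under a `config true` list is valid YANG; the leafref from operational data into configuration is likewise allowed, so the predicate-constrained paths validate without any extra `require-instance` statements.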