Re: [netmod] IETF ACL model

[Martin Bjorklund <mbj@tail-f.com>]

Mahesh Jethanandani <mjethanandani@gmail.com> wrote:
> An updated version of the model has been posted as part of the PR here
> <https://github.com/netmod-wg/acl-model/commit/2477cd400cce6d39933c908ad97da27ff759588b>.
> 
> The particular change removes any-acl from the model, expands on eth
> (to ethernet), removes acl- prefix for things like acl-type and
> acl-name. Please review.

I think 99% of the changes in this PR look good.  The one
exception is the typedef that used to be called "acl-type".  I think
it should still be called "acl-type".  "type" is too broad.  NOTE,
this is just the typedef; the leaf /access-lists/acl/type should keep
its name ("type").


/martin



> 
> > On Nov 27, 2017, at 5:17 AM, Kristian Larsson <kll@dev.terastrm.net>
> > wrote:
> > 
> > 
> > Robert Wilton <rwilton@cisco.com> writes:
> > 
> >> Thinking about this some more. I'm not sure what it means for the "ACL
> >> Type" to be "any-acl". It seems that the "match any packet" should be
> >> a
> >> type of ACE, e.g. perhaps as the last entry of an ACL, rather than a 
> >> type of ACL.
> > 
> > Yes, I agree as so far that any-acl makes no sense as an acl-type. The
> > way I understood acl-type, and the way that vendors have told me it
> > will
> > be used, is to say "this is an IPv4 ACL" and then on an attachment
> > point
> > you can specify that only ACLs of acl-type ipv4-acl can be attached to
> > the interface. That makes perfect sense. I do not see how any-acl can
> > map into this.
> > 
> > I agree that any-acl is logically a type of ACE but we don't have an
> > ace-type and the exact same information can IMHO already be conveyed
> > WITHOUT the any-acl type and thus it has no reason to exist. Nor do we
> > need a feature for it.
> > 
> > From what I can tell the any-acl container in the ACE should be used
> > to
> > explicitly signify a match on "any". Think of IOS style ipv4 acl:
> >  permit ip any any
> > 
> > We have to provide a source and destination so this would be a rather
> > explicit mapping of that. However, our structure in this YANG model is
> > just completely different than an IOS command so I don't see why we
> > should try and mimic IOS in the YANg model.
> > 
> > Not specifying a destination IP address means we match on any
> > destination IP address. The same is true for any other field we can
> > match on. Not setting a match implies we don't try to match on that
> > field, thus we allow "any" value. I think the logical continuation of
> > this is that for an ACE with no matches defined at all, we match any
> > packet. I think we can update the text to better explain this.
> > 
> > 
> > 
> >> Otherwise if the ACL type is "any-acl" then this only allows two types
> >> of ACLs to be defined, neither of which seem to be particularly
> >> useful:
> >> (1) An ACL that matches all traffic and permits it, i.e. the same as 
> >> having no ACL at all.
> >> (2) An ACL that matches all traffic and drops.
> >> 
> >> So I think perhaps the answer here is to define neither ACL type 
> >> "any-acl" nor leaf "any". The presumption could be that any ACE that
> >> is
> >> configured to match no fields implicitly matches all packets (because 
> >> all non specified fields are treated as wildcards), and then applies
> >> the
> >> permit/deny rule associated with the ACE. This logic can apply to all 
> >> ACL types.
> > 
> > Yes yes yes :)
> > 
> >   Kristian.
> 
> Mahesh Jethanandani
> mjethanandani@gmail.com
>