Re: [netmod] Question about acl-type in draft-ietf-netmod-acl-model-08

Adrian Pan <adrian.pan@ericsson.com> Mon, 22 August 2016 14:04 UTC

From: Adrian Pan <adrian.pan@ericsson.com>
To: Dean Bogdanovic <ivandean@gmail.com>
Date: Mon, 22 Aug 2016 14:04:26 +0000
Message-ID: <7F859F89F9B4DD4DB902232F9E2DAC083873C9AD@ESGSCMB103.ericsson.se>
References: <7F859F89F9B4DD4DB902232F9E2DAC083873C373@ESGSCMB103.ericsson.se> <B4BF42A6-9642-457D-9CA6-B22B3303A3FD@gmail.com>
In-Reply-To: <B4BF42A6-9642-457D-9CA6-B22B3303A3FD@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/KpzwZtAOblVNpiE-_H4hq-7Yvrc>
Cc: "kkoushik@cisco.com" <kkoushik@cisco.com>, netmod WG <netmod@ietf.org>
Subject: Re: [netmod] Question about acl-type in draft-ietf-netmod-acl-model-08

Hi Dean,

3)   With the model definition, even if the acl-type is configured as Ethernet, the operator can still configure the matches of the ace under the acl as ipv4 or ipv6, right?

No, if ACL type is ethernet, then all ACEs are expected to be ethernet.
[Adrian] I understand your point, but this is not reflected in the model: according to the model, the operator can still configure the acl-type as Ethernet while configuring the ace of the acl as ipv4, and this should be a valid configuration.

is this the model design intention?

If acl-type is of one family, then only aces with match conditions from that family are expected to be in the acl. If you want to combine them, please use the mixed type.
[Adrian] If it's only expected to be the same as the acl-type, but the model has no restriction, you can't stop the operator configuration from mixing the acl-type and the ace matches. So my thinking is: can we add the restriction to the model as below, to better reflect the model design intention?



container matches {
  description
    "Definitions for match criteria for this Access List
     Entry.";

  // acl-type is a leaf of the enclosing acl list entry, four levels
  // above each match container (matches / ace / access-list-entries / acl),
  // so the when expressions reference ../../../../acl-type.
  container ace-ipv4 {
    when "../../../../acl-type='ipv4-acl'";
    description "IPv4 Access List Entry.";
    uses packet-fields:acl-ip-header-fields;
    uses packet-fields:acl-ipv4-header-fields;
  }
  container ace-ipv6 {
    when "../../../../acl-type='ipv6-acl'";
    description "IPv6 Access List Entry.";
    uses packet-fields:acl-ip-header-fields;
    uses packet-fields:acl-ipv6-header-fields;
  }
  container ace-eth {
    when "../../../../acl-type='eth-acl'";
    description
      "Ethernet Access List entry.";
    uses packet-fields:acl-eth-header-fields;
  }
}


Thanks
Adrian

From: Dean Bogdanovic [mailto:ivandean@gmail.com]
Sent: Monday, August 22, 2016 5:39 PM
To: Adrian Pan <adrian.pan@ericsson.com>
Cc: kkoushik@cisco.com; lyihuang16@gmail.com; dblair@cisco.com; netmod WG <netmod@ietf.org>
Subject: Re: Question about acl-type in draft-ietf-netmod-acl-model-08

(+netmod mailing list)
Adrian,

Please see inline
On Aug 22, 2016, at 2:27 AM, Adrian Pan <adrian.pan@ericsson.com> wrote:

Dear authors,

I have some questions about ietf acl model as below, your reply is appreciated.

1)   In the model definition acl-type is one key of the acl, and the description says that the acl-type could be ethernet, IPv4, IPv6 or mixed. In case the acl-type is mixed, what should the identifier be?
Should it be augmented by different vendors? I don't see a definition for it.

As mixed ACLs are not supported by all vendors, those are not part of the standard model. It is up to the vendor to augment the ace-type and select an identifier to their liking.


2)   In the "mix" case, the "matches" of the ace list can be a combination of Ethernet, ipv4 and ipv6 for different aces, right?

Or another combination, again depends on what that particular vendor supports.

3)   With the model definition, even if the acl-type is configured as Ethernet, the operator can still configure the matches of the ace under the acl as ipv4 or ipv6, right?

No, if ACL type is ethernet, then all ACEs are expected to be ethernet.

is this the model design intention?

If acl-type is of one family, then only aces with match conditions from that family are expected to be in the acl. If you want to combine them, please use the mixed type.

Dean



module: ietf-access-control-list
   +--rw access-lists
      +--rw acl* [acl-type acl-name]
         +--rw acl-name               string
         +--rw acl-type               acl-type
         +--ro acl-oper-data
         +--rw access-list-entries
            +--rw ace* [rule-name]
               +--rw rule-name        string
               +--rw matches
               |  +--rw (ace-type)?

leaf acl-type {
  type acl-type;
  description
    "Type of access control list. Indicates the primary intended
     type of match criteria (e.g. ethernet, IPv4, IPv6, mixed, etc)
     used in the list instance.";
}



Thanks
Adrian
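The check that Adrian's proposed `when` statements would push into the model, written as a stand-alone validator over instance data. This is an added example, not code from the draft or from anyone in the thread: the JSON layout mirrors the tree quoted above (access-lists / acl / access-list-entries / ace / matches), the match container names ace-ipv4, ace-ipv6 and ace-eth follow the proposal, and the identity name `mixed-acl` and the leaf names inside the match containers are assumptions chosen for illustration.

```python
"""Consistency check for ACL instance data: every ACE's match family must
agree with the enclosing ACL's acl-type.

Added example, not part of draft-ietf-netmod-acl-model. The JSON layout
follows the ietf-access-control-list tree quoted in the thread; the match
container names ace-ipv4 / ace-ipv6 / ace-eth follow Adrian's proposed YANG.
The identity name 'mixed-acl' and the leaf names inside the match containers
are assumptions for illustration only.
"""
from typing import Dict, List, Set

# Match containers that an ACE of a given acl-type may carry. The mixed entry
# stands in for whatever vendor augmentation defines a mixed type (assumed name).
ALLOWED_MATCHES: Dict[str, Set[str]] = {
    "ipv4-acl": {"ace-ipv4"},
    "ipv6-acl": {"ace-ipv6"},
    "eth-acl": {"ace-eth"},
    "mixed-acl": {"ace-ipv4", "ace-ipv6", "ace-eth"},
}
MATCH_CONTAINERS: Set[str] = {"ace-ipv4", "ace-ipv6", "ace-eth"}


def local_name(identity: str) -> str:
    """Strip a module prefix from an identityref value ('acl:ipv4-acl' -> 'ipv4-acl')."""
    return identity.rsplit(":", 1)[-1]


def check_acl(acl: dict) -> List[str]:
    """Return violation messages for one acl list entry (empty when consistent)."""
    errors: List[str] = []
    name = acl.get("acl-name", "?")
    acl_type = local_name(acl.get("acl-type", ""))
    allowed = ALLOWED_MATCHES.get(acl_type)
    if allowed is None:
        return [f"acl {name}: unknown acl-type {acl_type!r}"]
    for ace in acl.get("access-list-entries", {}).get("ace", []):
        rule = ace.get("rule-name", "?")
        present = MATCH_CONTAINERS & set(ace.get("matches", {}))
        # (ace-type) is a choice in the draft: at most one match family per ACE.
        if len(present) > 1:
            errors.append(f"acl {name} ace {rule}: several match families {sorted(present)}")
        # The family restriction Adrian's 'when' statements express in the model.
        for container in sorted(present - allowed):
            errors.append(f"acl {name} ace {rule}: {container} is not valid in an {acl_type}")
    return errors


def check_access_lists(doc: dict) -> List[str]:
    """Run check_acl over every acl under access-lists."""
    errors: List[str] = []
    for acl in doc.get("access-lists", {}).get("acl", []):
        errors.extend(check_acl(acl))
    return errors


# Constructed instance data. The second ACL is the case discussed in the thread:
# an eth-acl whose ACE carries IPv4 match criteria.
SAMPLE_CONFIG = {
    "access-lists": {
        "acl": [
            {
                "acl-name": "v4-inbound",
                "acl-type": "ipv4-acl",
                "access-list-entries": {
                    "ace": [
                        {"rule-name": "permit-mgmt",
                         "matches": {"ace-ipv4": {"source-ipv4-network": "192.0.2.0/24"}}},
                    ]
                },
            },
            {
                "acl-name": "l2-filter",
                "acl-type": "eth-acl",
                "access-list-entries": {
                    "ace": [
                        {"rule-name": "ok-mac",
                         "matches": {"ace-eth": {"source-mac-address": "00:00:5e:00:53:01"}}},
                        {"rule-name": "wrong-family",
                         "matches": {"ace-ipv4": {"destination-ipv4-network": "198.51.100.0/24"}}},
                    ]
                },
            },
        ]
    }
}

if __name__ == "__main__":
    for problem in check_access_lists(SAMPLE_CONFIG):
        print(problem)
```

Running the block reports the single offending ACE (`l2-filter` / `wrong-family`). A validating NETCONF/RESTCONF server would reject the same instance once the `when` statements are in the model; this script shows the equivalent check for configuration that is generated or reviewed outside such a server.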