[netmod] [Errata Held for Document Update] RFC8519 (5908)

RFC Errata System <rfc-editor@rfc-editor.org> Fri, 12 January 2024 14:30 UTC

To: tony.kong@aviatnet.com, mjethanandani@gmail.com, sagarwal12@gmail.com, huangyi_99@yahoo.com, dana@blairhome.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: rwilton@cisco.com, iesg@ietf.org, netmod@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20240112143032.4666E1B315BD@rfcpa.amsl.com>
Date: Fri, 12 Jan 2024 06:30:32 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/NFM4lzQbZoOkAWQaiihZRuKamPw>
Subject: [netmod] [Errata Held for Document Update] RFC8519 (5908)

The following errata report has been held for document update 
for RFC8519, "YANG Data Model for Network Access Control Lists (ACLs)". 

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5908

--------------------------------------
Status: Held for Document Update
Type: Technical

Reported by: Fanqiang Kong <tony.kong@aviatnet.com>
Date Reported: 2019-11-14
Held by: Robert Wilton (IESG)

Section: section-4.1

Original Text
-------------
            choice l2 {
              container eth {
                when "derived-from-or-self(/acls/acl/type, "
                   + "'acl:eth-acl-type')";
                if-feature "match-on-eth";
                uses pf:acl-eth-header-fields;
                description
                  "Rule set that matches Ethernet headers.";
              }
              description
                "Match Layer 2 headers, for example, Ethernet
                 header fields.";
            }

            choice l3 {
              container ipv4 {
                when "derived-from-or-self(/acls/acl/type, "
                   + "'acl:ipv4-acl-type')";
                if-feature "match-on-ipv4";
                uses pf:acl-ip-header-fields;
                uses pf:acl-ipv4-header-fields;
                description
                  "Rule set that matches IPv4 headers.";
              }

              container ipv6 {
                when "derived-from-or-self(/acls/acl/type, "
                   + "'acl:ipv6-acl-type')";
                if-feature "match-on-ipv6";
                uses pf:acl-ip-header-fields;
                uses pf:acl-ipv6-header-fields;
                description
                  "Rule set that matches IPv6 headers.";
              }
              description
                "Choice of either IPv4 or IPv6 headers";
            }

Corrected Text
--------------
            choice l2 {
              container eth {
                when "derived-from-or-self(../../../../type, "
                   + "'acl:eth-acl-type')";
                if-feature "match-on-eth";
                uses pf:acl-eth-header-fields;
                description
                  "Rule set that matches Ethernet headers.";
              }
              description
                "Match Layer 2 headers, for example, Ethernet
                 header fields.";
            }

            choice l3 {
              container ipv4 {
                when "derived-from-or-self(../../../../type, "
                   + "'acl:ipv4-acl-type')";
                if-feature "match-on-ipv4";
                uses pf:acl-ip-header-fields;
                uses pf:acl-ipv4-header-fields;
                description
                  "Rule set that matches IPv4 headers.";
              }

              container ipv6 {
                when "derived-from-or-self(../../../../type, "
                   + "'acl:ipv6-acl-type')";
                if-feature "match-on-ipv6";
                uses pf:acl-ip-header-fields;
                uses pf:acl-ipv6-header-fields;
                description
                  "Rule set that matches IPv6 headers.";
              }
              description
                "Choice of either IPv4 or IPv6 headers";
            }

Notes
-----
In the access-list-control YANG definition, the absolute path was used in the when derived-from-or-self. This means it will check all the types in the configured acl list one by one and return the first matched result (if there is any). For example, I have acl acl_test1 configured under acls, and its type is set to ipv4-acl-type. Then if I create acl_test2 with ipv6-acl-type, when the choice happens in acl_test2, it starts from acl_test1 because it's the first entry in the acl list. The choice finds that there is ipv4-acl-type, then it chooses container ipv4 rather than ipv6. This is not the correct behaviour; it should choose the ipv6 container because the current acl type is ipv6-acl-type.
I think it should only check the current acl type, not the whole acl list. So I changed it to a relative path that only matches the type field in the current acl.
Please review my change and correct me if my understanding does not match your design.
If you need more information, please contact me directly.

AD Note: I agree that the erratum is valid, but we cannot update a YANG module revision through the errata process, hence I've moved this erratum to "Held for Document Update" so that it can be fixed by publishing a new revision of the YANG module.

--------------------------------------
RFC8519 (draft-ietf-netmod-acl-model-21)
--------------------------------------
Title               : YANG Data Model for Network Access Control Lists (ACLs)
Publication Date    : March 2019
Author(s)           : M. Jethanandani, S. Agarwal, L. Huang, D. Blair
Category            : PROPOSED STANDARD
Source              : Network Modeling
Area                : Operations and Management
Stream              : IETF
Verifying Party     : IESG
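The effect the reporter describes, as an added example that is not part of the errata report, of RFC 8519 or of any IETF tooling. It models in plain Python the only nodes the two `when` expressions touch (/acls/acl/type and the eth/ipv4/ipv6 match containers), using the YANG 1.1 rule that derived-from-or-self() over a node-set is true if any node in the set matches. The ACL names, ACE names and match values are constructed for the example.

```python
"""Why the absolute path in RFC 8519's `when` expressions is wrong.

Added example for errata 5908; not part of the errata report or of RFC 8519.
Only the nodes the two `when` expressions touch are modelled:
/acls/acl/type and /acls/acl/aces/ace/matches/{eth,ipv4,ipv6}. The instance
data, ACL names and ACE names below are constructed for the example.

In YANG 1.1 (RFC 7950, section 10.4.2) derived-from-or-self(nodes, identity)
is true if ANY node in the node-set `nodes` has a value equal to or derived
from `identity`. The original expression passes the node-set of every ACL's
type leaf, so one IPv4 ACL anywhere under /acls makes the ipv4 match
container valid in every ACL. The corrected expression passes only the
enclosing ACL's own type leaf.
"""

# Identity tree from RFC 8519: every ACL type has acl:acl-base as its base.
IDENTITY_BASE = {
    "acl:ipv4-acl-type": "acl:acl-base",
    "acl:ipv6-acl-type": "acl:acl-base",
    "acl:eth-acl-type": "acl:acl-base",
    "acl:acl-base": None,
}

# The match container each `when` guards and the identity it requires.
CONTAINER_IDENTITY = {
    "eth": "acl:eth-acl-type",
    "ipv4": "acl:ipv4-acl-type",
    "ipv6": "acl:ipv6-acl-type",
}


def derives_from_or_is(value, identity):
    """True if `value` is `identity` or is transitively derived from it."""
    while value is not None:
        if value == identity:
            return True
        value = IDENTITY_BASE.get(value)
    return False


def derived_from_or_self(nodes, identity):
    """XPath function semantics: true if ANY node in the node-set matches."""
    return any(derives_from_or_is(v, identity) for v in nodes)


def when_rfc8519(acls, acl, container):
    """Original: derived-from-or-self(/acls/acl/type, ...).

    The absolute path selects the `type` leaf of every ACL under /acls."""
    node_set = [a["type"] for a in acls]
    return derived_from_or_self(node_set, CONTAINER_IDENTITY[container])


def when_errata(acls, acl, container):
    """Corrected: derived-from-or-self(../../../../type, ...).

    From the match container, four steps up (matches -> ace -> aces -> acl)
    is the enclosing `acl` entry, so only its own `type` leaf is selected."""
    return derived_from_or_self([acl["type"]], CONTAINER_IDENTITY[container])


def validate(acls, when):
    """Return (acl, ace, container) triples whose `when` evaluates false.

    A YANG validator rejects a node whose `when` is false, so each triple is
    a match block that the given expression would reject."""
    violations = []
    for acl in acls:
        for ace in acl["aces"]:
            for container in ace["matches"]:
                if container in CONTAINER_IDENTITY and not when(acls, acl, container):
                    violations.append((acl["name"], ace["name"], container))
    return violations


# Constructed instance data in the shape of the RFC 8519 tree. acl_test2 is
# an IPv6 ACL whose ACE carries an ipv4 match block by mistake.
ACLS = [
    {
        "name": "acl_test1",
        "type": "acl:ipv4-acl-type",
        "aces": [
            {"name": "permit-mgmt",
             "matches": {"ipv4": {"source-ipv4-network": "192.0.2.0/24"}}},
        ],
    },
    {
        "name": "acl_test2",
        "type": "acl:ipv6-acl-type",
        "aces": [
            {"name": "drop-v4-by-mistake",
             "matches": {"ipv4": {"source-ipv4-network": "198.51.100.0/24"}}},
        ],
    },
]


if __name__ == "__main__":
    print("RFC 8519 when:", validate(ACLS, when_rfc8519))  # accepted: []
    print("errata when:  ", validate(ACLS, when_errata))   # rejected: acl_test2 ipv4
    # With acl_test2 alone the two expressions agree; the misplaced block is
    # accepted only because some other ACL happens to have the matching type.
    print("single ACL:   ", validate(ACLS[1:], when_rfc8519))
```

The practical consequence for anyone validating ACL configuration against the published module: an ipv4 (or ipv6, or eth) match block under an ACL of the wrong type passes validation as soon as any other ACL of that type exists, and only fails once that other ACL is removed. Until a revised module is published, check each ACE's match block against its own ACL's type leaf outside of YANG validation rather than relying on the `when` to reject it.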