Re: [netmod] IETF ACL model
Kristian Larsson <kll@dev.terastrm.net> Thu, 30 November 2017 08:30 UTC
Return-Path: <kll@dev.terastrm.net>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03977126D45 for <netmod@ietfa.amsl.com>; Thu, 30 Nov 2017 00:30:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TjDuaF38V55q for <netmod@ietfa.amsl.com>; Thu, 30 Nov 2017 00:30:54 -0800 (PST)
Received: from smtp.dev.terastrm.net (smtp.dev.terastrm.net [IPv6:2003:1f0b:ffde::101]) by ietfa.amsl.com (Postfix) with ESMTP id B03221200C5 for <netmod@ietf.org>; Thu, 30 Nov 2017 00:30:53 -0800 (PST)
Received: from lingloi.dev.terastrm.net (unknown [IPv6:2003:1b3b:ffde:1::5]) by smtp.dev.terastrm.net (Postfix) with ESMTPSA id 66C703A0077; Thu, 30 Nov 2017 08:30:52 +0000 (UTC)
References: <e1fe6796-c124-b663-8e9f-e66c23b10eea@cisco.com> <87y3mr3loc.fsf@dev.terastrm.net> <A6290183-E975-4BDA-83C3-640E237BD5F2@gmail.com> <20171128.111715.2283575031970124402.mbj@tail-f.com> <C872578A-CBA9-434B-B11E-C9F934627A1D@gmail.com> <D6448C06.E38FE%agarwaso@cisco.com> <3C87EF5F-2E1F-4C74-B8FA-28E380AD4C80@gmail.com>
User-agent: mu4e 0.9.18; emacs 25.1.1
From: Kristian Larsson <kll@dev.terastrm.net>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: "Sonal Agarwal (agarwaso)" <agarwaso@cisco.com>, NetMod WG <netmod@ietf.org>, Robert Wilton <rwilton@cisco.com>, Jeffrey Haas <jhaas@juniper.net>, Kristian Larsson <kll@spritelink.net>, Martin Bjorklund <mbj@tail-f.com>
In-reply-to: <3C87EF5F-2E1F-4C74-B8FA-28E380AD4C80@gmail.com>
Date: Thu, 30 Nov 2017 09:30:51 +0100
Message-ID: <87374w2mo4.fsf@dev.terastrm.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/NpbtnNr3e0okVgRHLrdTmoCfT30>
Subject: Re: [netmod] IETF ACL model
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Nov 2017 08:30:56 -0000
Right, it's not about the concept as such, I think we've agreed that having a global attachment point is fine. It's just that we need to polish the actual implementation and seeing how it be good to merge the current PR I suggested we put the global attachment point in a separate PR. Eases the workflow :) kll Mahesh Jethanandani <mjethanandani@gmail.com> writes: > For now. > > Kristian and I discussed this, and agreed that we will pull it in in a new pull request. > >> On Nov 29, 2017, at 4:08 PM, Sonal Agarwal (agarwaso) <agarwaso@cisco.com> wrote: >> >> Are you removing the definition of “global” ACL? >> >> - >> leaf global { >> - >> if-feature global-attachment; >> - >> type >> empty; >> - >> description >> - >> "ACL rule is global"; >> - } >> >> The remaining changes look fine to me. >> >> Thanks, >> --- >> Sonal Agarwal >> >> From: Mahesh Jethanandani <mjethanandani@gmail.com <mailto:mjethanandani@gmail.com>> >> Date: Wednesday, November 29, 2017 at 12:11 PM >> To: NetMod WG <netmod@ietf.org <mailto:netmod@ietf.org>> >> Cc: "Robert Wilton -X (rwilton - ENSOFT LIMITED at Cisco)" <rwilton@cisco.com <mailto:rwilton@cisco.com>>, Jeffrey Haas <jhaas@juniper.net <mailto:jhaas@juniper.net>>, Cisco Employee <agarwaso@cisco.com <mailto:agarwaso@cisco.com>>, Kristian Larsson <kll@spritelink.net <mailto:kll@spritelink.net>>, Kristian Larsson <kll@dev.terastrm.net <mailto:kll@dev.terastrm.net>>, Martin Bjorklund <mbj@tail-f.com <mailto:mbj@tail-f.com>> >> Subject: Re: [netmod] IETF ACL model >> >> The updated commit here <https://github.com/netmod-wg/acl-model/pull/19/commits/37e4c030180ae052a5fae26ca86813970fc6b4bf> takes care of restoring “type" to "acl-type", fixes some indentation issues, adds a choice for “l3" where either “ipv4" or “ipv6" can be selected, and a similar choice at “l4" that allows either “tcp", “udp" or “icmp" to be selected, and removes changes for “global" attachment point. Will add the last item as a separate commit. >> >> Unless I hear objections, I will roll the pr/18 changes into the master branch in 48 hours. >> >>> On Nov 28, 2017, at 2:17 AM, Martin Bjorklund <mbj@tail-f.com <mailto:mbj@tail-f.com>> wrote: >>> >>> Mahesh Jethanandani <mjethanandani@gmail.com <mailto:mjethanandani@gmail.com>> wrote: >>>> An updated version of the model has been posted as part of the PR here >>>> <https://github.com/netmod-wg/acl-model/commit/2477cd400cce6d39933c908ad97da27ff759588b <https://github.com/netmod-wg/acl-model/commit/2477cd400cce6d39933c908ad97da27ff759588b>>. >>>> >>>> The particular change removes any-acl from the model, expands on eth >>>> (to ethernet), removes acl- prefix for things like acl-type and >>>> acl-name. Please review. >>> >>> I think 99% of the changes in this PR look good. The one >>> exception is the typedef that used to be called "acl-type". I think >>> it should still be called "acl-type". "type" is too broad. NOTE, >>> this is just the typedef; the leaf /access-lists/acl/type should keep >>> its name ("type"). >>> >>> >>> /martin >>> >>> >>> >>>> >>>>> On Nov 27, 2017, at 5:17 AM, Kristian Larsson <kll@dev.terastrm.net <mailto:kll@dev.terastrm.net>> >>>>> wrote: >>>>> >>>>> >>>>> Robert Wilton <rwilton@cisco.com <mailto:rwilton@cisco.com>> writes: >>>>> >>>>>> Thinking about this some more. I'm not sure what it means for the "ACL >>>>>> Type" to be "any-acl". It seems that the "match any packet" should be >>>>>> a >>>>>> type of ACE, e.g. perhaps as the last entry of an ACL, rather than a >>>>>> type of ACL. >>>>> >>>>> Yes, I agree as so far that any-acl makes no sense as an acl-type. The >>>>> way I understood acl-type, and the way that vendors have told me it >>>>> will >>>>> be used, is to say "this is an IPv4 ACL" and then on an attachment >>>>> point >>>>> you can specify that only ACLs of acl-type ipv4-acl can be attached to >>>>> the interface. That makes perfect sense. I do not see how any-acl can >>>>> map into this. >>>>> >>>>> I agree that any-acl is logically a type of ACE but we don't have an >>>>> ace-type and the exact same information can IMHO already be conveyed >>>>> WITHOUT the any-acl type and thus it has no reason to exist. Nor do we >>>>> need a feature for it. >>>>> >>>>> From what I can tell the any-acl container in the ACE should be used >>>>> to >>>>> explicitly signify a match on "any". Think of IOS style ipv4 acl: >>>>> permit ip any any >>>>> >>>>> We have to provide a source and destination so this would be a rather >>>>> explicit mapping of that. However, our structure in this YANG model is >>>>> just completely different than an IOS command so I don't see why we >>>>> should try and mimic IOS in the YANg model. >>>>> >>>>> Not specifying a destination IP address means we match on any >>>>> destination IP address. The same is true for any other field we can >>>>> match on. Not setting a match implies we don't try to match on that >>>>> field, thus we allow "any" value. I think the logical continuation of >>>>> this is that for an ACE with no matches defined at all, we match any >>>>> packet. I think we can update the text to better explain this. >>>>> >>>>> >>>>> >>>>>> Otherwise if the ACL type is "any-acl" then this only allows two types >>>>>> of ACLs to be defined, neither of which seem to be particularly >>>>>> useful: >>>>>> (1) An ACL that matches all traffic and permits it, i.e. the same as >>>>>> having no ACL at all. >>>>>> (2) An ACL that matches all traffic and drops. >>>>>> >>>>>> So I think perhaps the answer here is to define neither ACL type >>>>>> "any-acl" nor leaf "any". The presumption could be that any ACE that >>>>>> is >>>>>> configured to match no fields implicitly matches all packets (because >>>>>> all non specified fields are treated as wildcards), and then applies >>>>>> the >>>>>> permit/deny rule associated with the ACE. This logic can apply to all >>>>>> ACL types. >>>>> >>>>> Yes yes yes :) >>>>> >>>>> Kristian. >>>> >>>> Mahesh Jethanandani >>>> mjethanandani@gmail.com <mailto:mjethanandani@gmail.com> >>>> >> >> Mahesh Jethanandani >> mjethanandani@gmail.com <mailto:mjethanandani@gmail.com> > > Mahesh Jethanandani > mjethanandani@gmail.com
- Re: [netmod] IETF ACL model Mahesh Jethanandani
- Re: [netmod] IETF ACL model Robert Wilton
- Re: [netmod] IETF ACL model Martin Bjorklund
- Re: [netmod] IETF ACL model Robert Wilton
- Re: [netmod] IETF ACL model Kristian Larsson
- Re: [netmod] IETF ACL model Robert Wilton
- Re: [netmod] IETF ACL model Mahesh Jethanandani
- Re: [netmod] IETF ACL model Martin Bjorklund
- Re: [netmod] IETF ACL model Mahesh Jethanandani
- Re: [netmod] IETF ACL model Mahesh Jethanandani
- Re: [netmod] IETF ACL model Kristian Larsson
- Re: [netmod] IETF ACL model Kristian Larsson
- Re: [netmod] IETF ACL model Mahesh Jethanandani