Re: [netmod] Mirja Kühlewind's Discuss on draft-ietf-netmod-acl-model-19: (with DISCUSS)

"Acee Lindem (acee)" <acee@cisco.com> Tue, 25 September 2018 22:37 UTC

From: "Acee Lindem (acee)" <acee@cisco.com>
To: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>, Eliot Lear <lear@cisco.com>, Mahesh Jethanandani <mjethanandani@gmail.com>
CC: NetMod WG Chairs <netmod-chairs@ietf.org>, The IESG <iesg@ietf.org>, NetMod WG <netmod@ietf.org>, "draft-ietf-netmod-acl-model@ietf.org" <draft-ietf-netmod-acl-model@ietf.org>
Date: Tue, 25 Sep 2018 22:37:23 +0000
Message-ID: <EA2626FF-DFDB-4276-8A2D-7F402DBFF2AF@cisco.com>
References: <153753763758.7269.9597830616255329217.idtracker@ietfa.amsl.com> <E957D368-88BA-442F-AB7F-F8464847C719@gmail.com> <53A51142-7568-473D-B309-E3A86459B5F9@kuehlewind.net> <8C4D59E2-0C6D-4570-B8B0-D27D6C74CA2C@gmail.com> <91758045-47c2-08f5-7cad-2f3ef333665c@cisco.com> <FA97A783-F454-4A0C-BCDF-0413A7AA889E@kuehlewind.net>
In-Reply-To: <FA97A783-F454-4A0C-BCDF-0413A7AA889E@kuehlewind.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/O9pKv2DntTp8IvdtWkPRk2T28O8>
Subject: Re: [netmod] Mirja Kühlewind's Discuss on draft-ietf-netmod-acl-model-19: (with DISCUSS)

Mirja, 

See inline. 

On 9/25/18, 6:29 PM, "netmod on behalf of Mirja Kuehlewind (IETF)" <netmod-bounces@ietf.org on behalf of ietf@kuehlewind.net> wrote:

    Hi Mahesh, hi Eliot,
    
    please see below.
    
    > Am 25.09.2018 um 22:25 schrieb Eliot Lear <lear@cisco.com>:
    > 
    > Just on this point:
    > 
    > On 25.09.18 20:35, Mahesh Jethanandani wrote:
    >>> That’s do bad. However, the document must at least say that its scope is
    
    (sorry for the typo… I meant to say „too bad“.)
    
    >>> restricted to TCP and UDP only and it would also be nice to reason why that restriction is and what would need to be done to extend it in future.
    >> 
    >> To the contrary. The model is not restricted to TCP and UDP. In Section 2, the document states that:
    >> 
    >>    ACL implementations in every device may vary greatly in terms of the
    >>    filter constructs and actions that they support.  Therefore this
    >>    draft proposes a model that can be augmented by standard extensions
    >>    and vendor proprietary models.
    >> 
    >> 
    Yes, ACL implementations differ; however, the protocol specs for SCTP and DCCP don’t have different implementations; they are mostly fixed. Unfortunately, firewalls often just block any traffic other than TCP and UDP, and restricting such a model only to those protocols will definitely not help the situation.
    
    >> 
    >> It is a different matter that it has chosen not to support SCTP and DCCP. That is because implementations today have not felt the market need to add support for those protocols. But that does not prevent anyone from adding support for them.
    
    If your YANG model does not support long-existent and well-specified protocols, that doesn’t make it any easier to add support for these protocols to your firewall.
    
    >> 
    >> As far as an example for how the model can be extended in the future, see Appendix A - Extending ACL model examples.
    > 
    > It's important to not try to boil the ocean, and this model is already boiling a rather large river.  There's room for someone else to do more work.  I know I did ;-)
    
    I would think that adding other well-specified protocols is actually only a limited effort.

How many YANG models have you authored? This would be a great opportunity. 

    However, I don’t want to enforce a lot of additional work if people are not interested in that. What I still would like to see in the document is to make clear that these protocols have not just not been considered, but to give some reasoning why only the currently supported protocols have been selected (in order to make the reader aware that this is not a full set).

I would think pointing out that these protocols are out of scope would suffice. However, I'll leave that to the author.

Thanks,
Acee

    
    Mirja
    
    
    > 
    > Eliot
    
    _______________________________________________
    netmod mailing list
    netmod@ietf.org
    https://www.ietf.org/mailman/listinfo/netmod
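To illustrate the augmentation route Mahesh and Eliot point to (Appendix A of the draft), here is an added example of an extension module that adds an SCTP match case alongside the existing TCP/UDP/ICMP ones; it is not from the draft or from anyone in this thread, and it assumes the draft's /acls/acl/aces/ace/matches/l4 augmentation target, the acl and packet-fields prefixes, and the port-range-or-operator grouping of ietf-packet-fields.

```yang
module example-acl-sctp {
  yang-version 1.1;
  // Constructed namespace for this example; not a registered IETF namespace.
  namespace "urn:example:acl-sctp";
  prefix ex-sctp;

  // Assumed: the draft's ACL module and its companion packet-fields module.
  import ietf-access-control-list { prefix acl; }
  import ietf-packet-fields { prefix packet-fields; }

  description
    "Hypothetical augmentation that adds SCTP port matching to the
     layer-4 match choice of the IETF ACL model. Assumes the
     acls/acl/aces/ace/matches/l4 structure and the
     port-range-or-operator grouping of ietf-packet-fields.";

  // Devices advertise this feature only if they can actually match
  // SCTP headers, so a client can tell support apart from silence.
  feature match-on-sctp {
    description "Device can match on SCTP header fields.";
  }

  // Augmenting the l4 choice with a new case keeps SCTP mutually
  // exclusive with the tcp/udp/icmp cases, exactly like those cases
  // are with each other.
  augment "/acl:acls/acl:acl/acl:aces/acl:ace/acl:matches/acl:l4" {
    description
      "Adds an SCTP alternative to the existing layer-4 match cases.";
    case sctp {
      if-feature "match-on-sctp";
      container sctp {
        description "SCTP header match fields.";
        container source-port {
          description "Match on the SCTP source port (range or operator).";
          uses packet-fields:port-range-or-operator;
        }
        container destination-port {
          description "Match on the SCTP destination port (range or operator).";
          uses packet-fields:port-range-or-operator;
        }
      }
    }
  }
}
```

Because the new case carries its own feature, an ACE that uses it is rejected by a server that does not advertise match-on-sctp rather than being silently accepted without effect.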