Re: [netmod] IETF ACL model
Mahesh Jethanandani <mjethanandani@gmail.com> Thu, 30 November 2017 00:19 UTC
From: Mahesh Jethanandani <mjethanandani@gmail.com>
In-Reply-To: <D6448C06.E38FE%agarwaso@cisco.com>
Date: Wed, 29 Nov 2017 16:19:45 -0800
Cc: NetMod WG <netmod@ietf.org>, Robert Wilton <rwilton@cisco.com>, Jeffrey Haas <jhaas@juniper.net>, Kristian Larsson <kll@spritelink.net>, Kristian Larsson <kll@dev.terastrm.net>, Martin Bjorklund <mbj@tail-f.com>
Message-Id: <3C87EF5F-2E1F-4C74-B8FA-28E380AD4C80@gmail.com>
References: <e1fe6796-c124-b663-8e9f-e66c23b10eea@cisco.com> <87y3mr3loc.fsf@dev.terastrm.net> <A6290183-E975-4BDA-83C3-640E237BD5F2@gmail.com> <20171128.111715.2283575031970124402.mbj@tail-f.com> <C872578A-CBA9-434B-B11E-C9F934627A1D@gmail.com> <D6448C06.E38FE%agarwaso@cisco.com>
To: "Sonal Agarwal (agarwaso)" <agarwaso@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/Rz6jqTLstRxnCiCH9HR2xdYCPAs>
For now. Kristian and I discussed this, and agreed that we will pull it in in a new pull request.

> On Nov 29, 2017, at 4:08 PM, Sonal Agarwal (agarwaso) <agarwaso@cisco.com> wrote:
>
> Are you removing the definition of "global" ACL?
>
> -      leaf global {
> -        if-feature global-attachment;
> -        type empty;
> -        description
> -          "ACL rule is global";
> -      }
>
> The remaining changes look fine to me.
>
> Thanks,
> ---
> Sonal Agarwal
>
> From: Mahesh Jethanandani <mjethanandani@gmail.com>
> Date: Wednesday, November 29, 2017 at 12:11 PM
> To: NetMod WG <netmod@ietf.org>
> Cc: "Robert Wilton -X (rwilton - ENSOFT LIMITED at Cisco)" <rwilton@cisco.com>, Jeffrey Haas <jhaas@juniper.net>, Cisco Employee <agarwaso@cisco.com>, Kristian Larsson <kll@spritelink.net>, Kristian Larsson <kll@dev.terastrm.net>, Martin Bjorklund <mbj@tail-f.com>
> Subject: Re: [netmod] IETF ACL model
>
> The updated commit here <https://github.com/netmod-wg/acl-model/pull/19/commits/37e4c030180ae052a5fae26ca86813970fc6b4bf> takes care of restoring "type" to "acl-type", fixes some indentation issues, adds a choice for "l3" where either "ipv4" or "ipv6" can be selected, and a similar choice at "l4" that allows either "tcp", "udp" or "icmp" to be selected, and removes changes for "global" attachment point. Will add the last item as a separate commit.
>
> Unless I hear objections, I will roll the pr/18 changes into the master branch in 48 hours.
>
>> On Nov 28, 2017, at 2:17 AM, Martin Bjorklund <mbj@tail-f.com> wrote:
>>
>> Mahesh Jethanandani <mjethanandani@gmail.com> wrote:
>>> An updated version of the model has been posted as part of the PR here <https://github.com/netmod-wg/acl-model/commit/2477cd400cce6d39933c908ad97da27ff759588b>.
>>>
>>> The particular change removes any-acl from the model, expands on eth (to ethernet), removes acl- prefix for things like acl-type and acl-name. Please review.
>>
>> I think 99% of the changes in this PR look good. The one exception is the typedef that used to be called "acl-type". I think it should still be called "acl-type". "type" is too broad. NOTE, this is just the typedef; the leaf /access-lists/acl/type should keep its name ("type").
>>
>> /martin
>>
>>>> On Nov 27, 2017, at 5:17 AM, Kristian Larsson <kll@dev.terastrm.net> wrote:
>>>>
>>>> Robert Wilton <rwilton@cisco.com> writes:
>>>>
>>>>> Thinking about this some more. I'm not sure what it means for the "ACL Type" to be "any-acl". It seems that the "match any packet" should be a type of ACE, e.g. perhaps as the last entry of an ACL, rather than a type of ACL.
>>>>
>>>> Yes, I agree in so far as any-acl makes no sense as an acl-type. The way I understood acl-type, and the way that vendors have told me it will be used, is to say "this is an IPv4 ACL" and then on an attachment point you can specify that only ACLs of acl-type ipv4-acl can be attached to the interface. That makes perfect sense. I do not see how any-acl can map into this.
>>>>
>>>> I agree that any-acl is logically a type of ACE but we don't have an ace-type and the exact same information can IMHO already be conveyed WITHOUT the any-acl type and thus it has no reason to exist. Nor do we need a feature for it.
>>>>
>>>> From what I can tell the any-acl container in the ACE should be used to explicitly signify a match on "any". Think of IOS style ipv4 acl:
>>>>
>>>>   permit ip any any
>>>>
>>>> We have to provide a source and destination so this would be a rather explicit mapping of that. However, our structure in this YANG model is just completely different than an IOS command so I don't see why we should try and mimic IOS in the YANG model.
>>>>
>>>> Not specifying a destination IP address means we match on any destination IP address. The same is true for any other field we can match on. Not setting a match implies we don't try to match on that field, thus we allow "any" value. I think the logical continuation of this is that for an ACE with no matches defined at all, we match any packet. I think we can update the text to better explain this.
>>>>
>>>>> Otherwise if the ACL type is "any-acl" then this only allows two types of ACLs to be defined, neither of which seems to be particularly useful:
>>>>> (1) An ACL that matches all traffic and permits it, i.e. the same as having no ACL at all.
>>>>> (2) An ACL that matches all traffic and drops.
>>>>>
>>>>> So I think perhaps the answer here is to define neither ACL type "any-acl" nor leaf "any". The presumption could be that any ACE that is configured to match no fields implicitly matches all packets (because all non-specified fields are treated as wildcards), and then applies the permit/deny rule associated with the ACE. This logic can apply to all ACL types.
>>>>
>>>> Yes yes yes :)
>>>>
>>>> Kristian.
>>>
>>> Mahesh Jethanandani
>>> mjethanandani@gmail.com
>
> Mahesh Jethanandani
> mjethanandani@gmail.com

Mahesh Jethanandani
mjethanandani@gmail.com
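Review bot: the quoted hunk that drops `leaf global` also drops its `if-feature global-attachment;` line, which is the only reference to the `global-attachment` feature visible in this message; if the `feature global-attachment` statement itself stays in the module, it becomes an unreferenced feature that conditions nothing, so it should be removed in the same commit or explicitly deferred to the separate pull request mentioned for the global attachment point. Its `description "ACL rule is global";` text also describes an ACE property rather than an ACL attachment, which is worth rewording if the leaf is reinstated.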
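The wildcard semantics Kristian Larsson and Robert Wilton converge on in the quoted exchange (an unconfigured match field is a wildcard, so an ACE with no match fields at all matches every packet, and an explicit "drop everything else" is just such an ACE at the end of the list), together with the l3/l4 choices and the acl-type restriction mentioned in the quoted Nov 29 message, as a runnable illustration. This is an added example, not code from the netmod-wg acl-model repository or from any participant in the thread; the dictionary layout, the type names ipv4-acl/ipv6-acl/eth-acl, and the field names source-network, destination-network, source-port and destination-port are assumptions that approximate the draft's tree rather than reproduce it.

```python
"""Toy evaluator for the ACE match semantics argued in the thread.

Added illustration, not code from the netmod-wg acl-model repository. The
dictionary layout is a hypothetical simplification of the draft's tree:
acl -> type, aces[]; ace -> name, matches{ipv4|ipv6, tcp|udp|icmp}, action.
Field names such as "source-network" and "destination-port" are assumptions.
"""
from ipaddress import ip_address, ip_network

# ACL type -> L3 match containers an ACE of that ACL may carry (assumed names).
L3_ALLOWED = {
    "ipv4-acl": {"ipv4"},
    "ipv6-acl": {"ipv6"},
    "eth-acl": set(),
}
L3_CHOICE = ("ipv4", "ipv6")        # "l3" choice: at most one case per ACE
L4_CHOICE = ("tcp", "udp", "icmp")  # "l4" choice: at most one case per ACE


def acl_errors(acl):
    """Structural checks a YANG validator would enforce: each choice allows
    at most one case, and the ACL type limits which l3 case is permitted."""
    errors = []
    allowed = L3_ALLOWED.get(acl["type"])
    if allowed is None:
        return [f"unknown acl type {acl['type']!r}"]
    for ace in acl["aces"]:
        matches = ace.get("matches", {})
        l3 = [k for k in L3_CHOICE if k in matches]
        l4 = [k for k in L4_CHOICE if k in matches]
        if len(l3) > 1:
            errors.append(f"ace {ace['name']}: l3 is a choice, got {l3}")
        if len(l4) > 1:
            errors.append(f"ace {ace['name']}: l4 is a choice, got {l4}")
        for case in l3:
            if case not in allowed:
                errors.append(f"ace {ace['name']}: {case} match not allowed in {acl['type']}")
    return errors


def ace_matches(ace, pkt):
    """True when every configured field matches. Unconfigured fields are
    wildcards, so an ACE with no matches at all matches every packet."""
    matches = ace.get("matches", {})
    for case in L3_CHOICE:
        if case in matches:
            if pkt["l3"] != case:
                return False
            rule = matches[case]
            if "source-network" in rule and \
                    ip_address(pkt["src"]) not in ip_network(rule["source-network"]):
                return False
            if "destination-network" in rule and \
                    ip_address(pkt["dst"]) not in ip_network(rule["destination-network"]):
                return False
    for case in L4_CHOICE:
        if case in matches:
            if pkt["l4"] != case:
                return False
            rule = matches[case]
            for field in ("source-port", "destination-port"):
                if field in rule and pkt.get(field) != rule[field]:
                    return False
    return True


def evaluate(acl, pkt):
    """First matching ACE wins. Returns (ace name, action), or (None, None)
    when no ACE matches, i.e. an ACL without a wildcard ACE makes no decision."""
    errors = acl_errors(acl)
    if errors:
        raise ValueError("; ".join(errors))
    for ace in acl["aces"]:
        if ace_matches(ace, pkt):
            return ace["name"], ace["action"]
    return None, None


# Constructed sample ACL. The last ACE has no matches: that is the explicit
# "drop everything else" the thread says belongs in an ACE, not in an "any-acl" type.
SAMPLE_ACL = {
    "name": "edge-in",
    "type": "ipv4-acl",
    "aces": [
        {"name": "ssh-from-mgmt",
         "matches": {"ipv4": {"source-network": "10.0.0.0/24"},
                     "tcp": {"destination-port": 22}},
         "action": "accept"},
        {"name": "no-telnet",
         "matches": {"tcp": {"destination-port": 23}},
         "action": "drop"},
        {"name": "drop-rest", "matches": {}, "action": "drop"},
    ],
}

# Constructed packets (minimal dicts, not real captures).
PACKETS = {
    "ssh-from-mgmt": {"l3": "ipv4", "src": "10.0.0.5", "dst": "192.0.2.1", "l4": "tcp", "destination-port": 22},
    "ssh-from-outside": {"l3": "ipv4", "src": "198.51.100.7", "dst": "192.0.2.1", "l4": "tcp", "destination-port": 22},
    "telnet": {"l3": "ipv4", "src": "10.0.0.5", "dst": "192.0.2.1", "l4": "tcp", "destination-port": 23},
    "dns": {"l3": "ipv4", "src": "10.0.0.5", "dst": "192.0.2.53", "l4": "udp", "destination-port": 53},
}

# An ipv6 match inside an ipv4-acl is rejected by the type check, not silently ignored.
BAD_ACL = {"name": "bad", "type": "ipv4-acl",
           "aces": [{"name": "v6", "matches": {"ipv6": {"source-network": "2001:db8::/32"}},
                     "action": "accept"}]}

if __name__ == "__main__":
    for label, pkt in PACKETS.items():
        print(label, "->", evaluate(SAMPLE_ACL, pkt))
    print("bad acl:", acl_errors(BAD_ACL))
```

Dropping the trailing wildcard ACE from SAMPLE_ACL makes evaluate return (None, None) for the DNS packet, which is the behaviour Rob Wilton's point (1) describes: a list that matches nothing is equivalent to having no ACL at all for that traffic, so the default disposition has to be stated as an ACE rather than implied by an ACL type.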