Re: [netmod] ACL draft issues found during shepherd writeup

Eliot Lear <lear@cisco.com> Mon, 19 February 2018 08:22 UTC

Return-Path: <lear@cisco.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 077B9127058; Mon, 19 Feb 2018 00:22:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 52ctkrXBXgXc; Mon, 19 Feb 2018 00:22:54 -0800 (PST)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99F751201FA; Mon, 19 Feb 2018 00:22:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=55153; q=dns/txt; s=iport; t=1519028573; x=1520238173; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=MEBTWAELPYsYnxZk6aqi8+F9cGtzxK5XDj6wHkqg9hE=; b=XdRWy2xiCTDBZyA/UtUQo3PT/uffyjoG7J/YTrD7SqhhGDkerAjk0/cC Ud8jTMtnbbu19WmJ8wTqbpfi3/3au5XkqmMPB9/rulqX13DVUn7O1doVZ YGyprf/TH9ZMlSCZN33OdUDDbhVysSqqdZ0qVr2LpydIYKJ6cZoAO5z/k A=;
X-Files: signature.asc : 488
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0B6AQDFiIpa/xbLJq1cGQEBAQEBAQEBAQEBAQcBAQEBAYQ1cCiDZ4sZjxGBF4d/jkqCEwMHAxgBCYRKTwIagwoXAQIBAQEBAQECayiFJAEBBAEBGAlLCxAJAg4KIAEGAwICAh8GHxEGAQwGAgEBigYDFRCMcJ10gicmhFuCMw2BMoITAQEBAQEBAQEBAQEBAQEBAQEBAQEBDg+FC4VmASmDBYJsRAEBAhmBbYMAgmUFmiyJVDUJhGyCMoEGhAiEU4ULgiBnhUODciaHZYsWgnBIiVGBPCEDNIFRMxoIGxU6gkMJgkscggdANwEBjAUsgh8BAQE
X-IronPort-AV: E=Sophos;i="5.46,534,1511827200"; d="asc'?scan'208,217";a="2157285"
Received: from aer-iport-nat.cisco.com (HELO aer-core-2.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 19 Feb 2018 08:22:51 +0000
Received: from [10.61.241.21] ([10.61.241.21]) by aer-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id w1J8Mofd007206; Mon, 19 Feb 2018 08:22:50 GMT
To: Mahesh Jethanandani <mjethanandani@gmail.com>, Kent Watsen <kwatsen@juniper.net>
Cc: "draft-ietf-netmod-acl-model@ietf.org" <draft-ietf-netmod-acl-model@ietf.org>, "netmod@ietf.org" <netmod@ietf.org>
References: <14BA9086-69D4-4BAF-A7C7-0EB1F3F400BB@juniper.net> <2864E0CF-D038-4FDA-B69C-FD43F486BF17@gmail.com>
From: Eliot Lear <lear@cisco.com>
Message-ID: <80db8f1c-519d-d0f4-515e-e9e89f049e16@cisco.com>
Date: Mon, 19 Feb 2018 09:22:49 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <2864E0CF-D038-4FDA-B69C-FD43F486BF17@gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="uqctt9kFWw0UGEpCdVMQApb6p0MQxlaRC"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/UUNLtTbrCJelDJ8UINHpJiaBLZ0>
Subject: Re: [netmod] ACL draft issues found during shepherd writeup
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Feb 2018 08:22:58 -0000


On 18.02.18 02:26, Mahesh Jethanandani wrote:
> Kent,
>
> Thanks for a detailed review. See inline.
>
>> On Feb 13, 2018, at 2:30 PM, Kent Watsen <kwatsen@juniper.net
>> <mailto:kwatsen@juniper.net>> wrote:
>>
>> [sorry, wrong WG, moving netconf to BCC!]
>>
>>
>> ACL Authors,
>>
>> Below are some issues I found while looking at doing the Shepherd
>> write-up today.  Please take a look.
>>
>> Also, with regards to the request for those having Last Call comments
>> to please verify that their comments were addressed, I only saw one
>> response from Kristian, but should we be expecting respeonses from
>> others too, perhaps Einar or Elliot?
>
> Eliot can confirm if he feels his issues have been addressed.

Yes, I do.  The changes below are equally acceptable.

Thanks,

Eliot

>
>>
>>
>> 1 IDNITS
>>
>>  - some issues found by idnits
>>  - using
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_tools_idnits_&d=DwICAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=7Bx3hgofSFxvNRV7Xz7FuaJcKKfzEB0sBJzN_KOCtSg&s=_5f-lxCoJW2TidcrjW_KbDkdPhfxLoL67kn1A2okgs0&e=
>>  - without selecting "verbose output"
>>
>>
>> 1.1
>>
>>  ** There are 5 instances of too long lines in the document, the
>> longest one
>>     being 5 characters in excess of 72.
>
> Fixed.
>
>>
>>
>>  This "**" is being flagged as an "error".  
>>  Idnits label, not mine.  Please fix.
>>
>>
>> 1.2
>>
>>  == There are 7 instances of lines with non-RFC6890-compliant IPv4
>> addresses
>>     in the document.  If these are example addresses, they should be
>> changed.
>>
>>  This is just a warning, but given that there are seven occurrences, it
>>  might be a good idea to fix.  Please see Section 3, point #6 in this
>>  document for details:
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_id-2Dinfo_checklist&d=DwICAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=7Bx3hgofSFxvNRV7Xz7FuaJcKKfzEB0sBJzN_KOCtSg&s=AYo8ZHPY4SAHMqcy1qV9yr7BjoxGy_C9zcJ_ZbwXBT4&e=.
>
> Fixed.
>
>>
>>
>> 1.3
>>
>>  ** The document seems to lack a both a reference to RFC 2119 and the
>>     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
>>     keywords.
>>
>>     RFC 2119 keyword, line 797: '...s-list. A device MAY restrict the
>> leng...'
>>
>>
>>  There needs to be a section that looks like RFC 8174, paragraph 11:
>>
>>     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
>>     "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",
>>     and "OPTIONAL" in this document are to be interpreted as
>>     described in BCP 14 [RFC2119] [RFC8174] when, and only when, they
>>     appear in all capitals, as shown here.
>
> Added.
>
>>
>>
>> 1.4.
>>
>>  -- The document date (February 2, 2018) is 11 days in the past.  Is this
>>     intentional?
>>
>>  This is fine, ignore it.
>>
>> 1.5
>>
>>  ** Obsolete normative reference: RFC 2460
>>
>>  This needs to be fixed.
>
> Updated the reference to RFC 8200.
>
>>
>> 1.6
>>
>>  ** Downref: Normative reference to an Historic RFC: RFC 3540
>>
>>  Hmmmm, another HISTORIC document, but this time not due to an IESG
>>  action.  The question is how important this reference is, is this
>>  "ns" bit (ECN-nonce concealment protection) commonly used in the
>>  industry?   
>
> I do not know enough to know it is not used. If the consensus is that
> we do not use it, I can drop it from the model.
>
>>
>> 1.7
>>
>>  == Outdated reference: A later version (-06) exists of
>>     draft-ietf-netmod-yang-tree-diagrams-04
>>
>>  Please update to -06
>
> This might be because the draft was last published when -04 was
> around. I do not reference any particular version. My reference is to 
> <?rfc include='reference.I-D.ietf-netmod-yang-tree-diagrams’?>. The
> tool pulls in the latest when it generates the draft.
>
>>
>> 1.8
>>
>>  -- Obsolete informational reference (is this intentional?): RFC 5101
>>     (Obsoleted by RFC 7011)
>>
>>  Please update to RFC 7011
>
> Done.
>
>>
>>
>>
>> 2  YANG VALIDATION
>>
>> 2.1 Normative Modules
>>
>>  All of the following passed:
>>
>>    pyang --ietf ietf-access-control-list\@2018-02-02.yang
>>    pyang --ietf ietf-packet-fields\@2018-02-02.yang
>>    pyang --ietf ietf-ethertypes\@2018-02-02.yang
>>
>>    yanglint -s ietf-access-control-list\@2018-02-02.yang
>>    yanglint -s ietf-packet-fields\@2018-02-02.yang
>>    yanglint -s ietf-ethertypes\@2018-02-02.yang
>>
>> 2.2 Example Module
>>
>>  Example module passed `yanglint -s`, but not `pyang --lint`:
>>
>>    yanglint -s example-newco-acl.yang
>>    pyang --lint example-newco-acl.yang
>>
>>    example-newco-acl.yang:78: error: keyword "description" not in
>>    canonical order, expected "type", (See RFC 6020, Section 12)
>>
>>    example-newco-acl.yang:79: error: keyword "type" not in
>>    canonical order, (See RFC 6020, Section 12)
>>
>>    example-newco-acl.yang:82: error: keyword "default" not in
>>    canonical order, (See RFC 6020, Section 12)
>>
>>  Please fix.
>
> Fixed.
>
>>
>>
>> 2.3 XML Examples from Section 4.3
>>
>>  yanglint didn't find any issues:
>>
>>    yanglint ietf-access-control-list\@2018-02-02.yang ex-4.3.xml
>>
>>
>> 2.4 Examples from Section 4.4
>>
>>  I had to stitch these into the 4.3 example.  It found one issue, a typo
>>  in the last closing tag in the first example in this section:
>>
>>    yanglint ietf-access-control-list\@2018-02-02.yang ex-4.4++.xml
>>    err : Invalid (mixed names) opening
>> (source-port-range-or-operator) and closing (tcp) element tags.
>> (/data/access-lists/acl/aces/ace/matches/l4/tcp/source-port-range-or-operator/source-port-range-or-operator)
>>
>>  Please fix.
>
> Made them complete examples so you do not have to stitch them anymore.
> And made sure yanglint validated the examples before it includes it in
> the draft.
>
>>
>>
>>  PS: And this is not a shepherd directive, but I found the whole
>>      "source-port-range-or-operator" syntax clumsy.  I'm surprised
>>      it didn't look something like:
>>
>>          OLD
>>                <source-port-range-or-operator>
>>                   <port-range-or-operator>
>>                     <range>
>>                       <lower-port>16384</lower-port>
>>                       <upper-port>65535</upper-port>
>>                     </range>
>>                   </port-range-or-operator>
>>                </source-port-range-or-operator>
>>
>>                <source-port-range-or-operator>
>>                  <port-range-or-operator>
>>                    <operator>
>>                      <operator>eq</operator>
>>                      <port>21</port>
>>                    </operator>
>>                  </port-range-or-operator>
>>                </source-port-range-or-operator>
>>
>>          NEW
>>
>>                <source-port>
>>                  <range>
>>                    <lower>16384</lower>
>>                    <upper>65535</upper>
>>                  </range>
>>                </source-port>
>>
>>                <source-port>
>>                  <operator>
>>                    <operator>eq</operator>
>>                    <port>21</port>
>>                  </operator>
>>                </source-port>
>>
>
> Did you try making the change in the model to see if it work? It will
> complain that <range> is already used within the container and that it
> cannot be repeated (for destination-port).
>
>>
>>
>> 3 Key Draft Sections
>>
>>
>> 3.1 Abstract
>>
>>  First, I'm unsure if that first "sentence" is properly worded, but I
>>  definitely think that it is a bit too much on the terse side.  Can you
>>  embellish it a little?
>
> How about this:
>
> OLD:
> This document describes a data model of Access Control List (ACL)
> basic building blocks.
> NEW:
>
>   This document describes a data model for Access Control List (ACL).  
>   ACL is a ordered-by-user set of rules, used to configure the forwarding 
>   behavior in device.  Each rule is used to find a match on a packet, 
>   and define actions that will be performed on the packet.
>
>>
>>  Second, am I reading it correct? - is the "Editorial Note" in the
>>  Abstract section.  I strongly advise moving
>
> Moved it to Introduction section.
>
>>
>> 3.2 RFC Editor Note
>>
>>  There is no request to replace "I-D.ietf-netmod-yang-tree-diagrams" with
>>  the final RFC assignment.
>
> Added.
>
>>
>>  You might want to add what the current date value used in the draft is
>>  (i.e., 2018-02-02).   PS: my draft build tools, which I think you're
>>  using, should set the value for you automatically if you put YYYY-MM-DD
>>  into the text.
>
> Added text to replace the revision date in the model with the date the
> draft gets published.
>
>>
>> 3.3 Import statements missing references
>>
>>  All import statements in all modules are missing reference statements
>>     - why wasn't this caught by the tools?!
>>
>>  Please see rfc6087bis Section 4.7.  
>
> Adding reference implies import by revision, which we want to avoid,
> specially since we do not want to import by revision. Right?
>
>>
>>
>> 3.4 Security Considerations
>>
>>  Please reformat the last paragraph so the "aces" path is more
>> pronounced.
>>  Perhaps use hangText.
>
> What is hangText? I italicized it.
>
>>
>>
>> 3.5 IANA Considerations
>>
>>  This section is hard to read.
>>
>>  Consideration breaking up the "XML" and the "YANG Module Names" registry
>>  requests into two subsections.
>>
>>  Consider making the registration entry requests themselves artwork so
>>  they're line-spaced and indented as such.
>>
>>  The first paragraph of the "XML" registry request says "a URI", but it
>>  should be "two URIs"
>>
>>  The first paragraph of the "YANG Module Names" registry request says
>>  "a YANG module", but it should be "two YANG modules”
>
> Split into two sections and upped the count of URIs and YANG models to
> three (was missing the ietf-ethertypes module).
>
>>
>>
>> 3.6 References
>>
>>  I haven't checked yet, but please verify that all the references are
>>  properly sorted as to being Normative or Informative.
>>
>>
>> 3.7 Appendix A
>>
>>  It took me awhile to figure out what I was looking at.  The tree-diagram
>>  is poorly indented and there is no text preceding the example module. 
>
> I have moved the example module after the first paragraph, that
> describes the module. Let me know if that looks ok.
>
>>
>>  I recommend you fold the lines of your tree diagram at a certain column
>>  whilst adding a '\' character.  I've since added this ability to my
>> draft
>>  build tools, let me know if interested in an update.  You might also
>> want
>>  to look at draft-wu-netmod-yang-xml-doc-conventions.
>
> Shortened the prefix so the augment statement fits within 72 columns. 
>
> BTW, I use 'pyang  -f tree —tree-line-length=69' to generate the tree.
> Plus I use fold -w 71 to fold the diagram, but I guess it does not
> work for augment statement.
>
>>
>>  Also, please fix the example module's namespace per the end of
>>  rfc6087bis Section 4.9.
>
> Updated the namespace to “http://example.com/ns/example-newco-acl”
>
> Cheers.
>
>>
>>
>>
>> Thanks,
>> Kent
>>
>>
>>
>>
>> _______________________________________________
>> Netconf mailing list
>> Netconf@ietf.org <mailto:Netconf@ietf.org>
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_netconf&d=DwICAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=7Bx3hgofSFxvNRV7Xz7FuaJcKKfzEB0sBJzN_KOCtSg&s=XknLqgAu3Z9t1ME6FO-_mZY2oCN61867VB0ubLeiv3Q&e=
>>
>>
>> _______________________________________________
>> netmod mailing list
>> netmod@ietf.org
>> https://www.ietf.org/mailman/listinfo/netmod
>
> Mahesh Jethanandani
> mjethanandani@gmail.com <mailto:mjethanandani@gmail.com>
>
>
>
> _______________________________________________
> netmod mailing list
> netmod@ietf.org
> https://www.ietf.org/mailman/listinfo/netmod