Re: [netmod] IETF ACL model

Mahesh Jethanandani <mjethanandani@gmail.com> Mon, 27 November 2017 17:47 UTC

From: Mahesh Jethanandani <mjethanandani@gmail.com>
In-Reply-To: <87y3mr3loc.fsf@dev.terastrm.net>
Date: Mon, 27 Nov 2017 09:47:16 -0800
Cc: Robert Wilton <rwilton@cisco.com>, Martin Bjorklund <mbj@tail-f.com>, Jeffrey Haas <jhaas@juniper.net>, "Sonal Agarwal (agarwaso)" <agarwaso@cisco.com>, Kristian Larsson <kll@spritelink.net>, Kristian Larsson <kll@dev.terastrm.net>
Message-Id: <A6290183-E975-4BDA-83C3-640E237BD5F2@gmail.com>
References: <98e29a71-f6dd-7b42-7c8c-f704ba5b8826@spritelink.net> <1354F18F-43E6-43D5-BFAA-C26BCF47AC56@juniper.net> <5D85F296-FB9F-4BA6-B395-B8CD80ED6864@gmail.com> <20171122.093904.670536605936490886.mbj@tail-f.com> <e1fe6796-c124-b663-8e9f-e66c23b10eea@cisco.com> <87y3mr3loc.fsf@dev.terastrm.net>
To: NetMod WG <netmod@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/V8PM2A5XWRqxHXV9kTVOPEGmBXM>

An updated version of the model has been posted as part of the PR here <https://github.com/netmod-wg/acl-model/commit/2477cd400cce6d39933c908ad97da27ff759588b>.

The particular change removes any-acl from the model, expands on eth (to ethernet), and removes the acl- prefix for things like acl-type and acl-name. Please review.

> On Nov 27, 2017, at 5:17 AM, Kristian Larsson <kll@dev.terastrm.net> wrote:
> 
> 
> Robert Wilton <rwilton@cisco.com> writes:
> 
>> Thinking about this some more. I'm not sure what it means for the "ACL 
>> Type" to be "any-acl". It seems that the "match any packet" should be a 
>> type of ACE, e.g. perhaps as the last entry of an ACL, rather than a 
>> type of ACL.
> 
> Yes, I agree insofar as any-acl makes no sense as an acl-type. The
> way I understood acl-type, and the way that vendors have told me it will
> be used, is to say "this is an IPv4 ACL" and then on an attachment point
> you can specify that only ACLs of acl-type ipv4-acl can be attached to
> the interface. That makes perfect sense. I do not see how any-acl can
> map into this.
> 
> I agree that any-acl is logically a type of ACE but we don't have an
> ace-type and the exact same information can IMHO already be conveyed
> WITHOUT the any-acl type and thus it has no reason to exist. Nor do we
> need a feature for it.
> 
> From what I can tell the any-acl container in the ACE should be used to
> explicitly signify a match on "any". Think of IOS style ipv4 acl:
>  permit ip any any
> 
> We have to provide a source and destination so this would be a rather
> explicit mapping of that. However, our structure in this YANG model is
> just completely different from an IOS command so I don't see why we
> should try and mimic IOS in the YANG model.
> 
> Not specifying a destination IP address means we match on any
> destination IP address. The same is true for any other field we can
> match on. Not setting a match implies we don't try to match on that
> field, thus we allow "any" value. I think the logical continuation of
> this is that for an ACE with no matches defined at all, we match any
> packet. I think we can update the text to better explain this.
> 
> 
> 
>> Otherwise if the ACL type is "any-acl" then this only allows two types 
>> of ACLs to be defined, neither of which seem to be particularly useful:
>> (1) An ACL that matches all traffic and permits it, i.e. the same as 
>> having no ACL at all.
>> (2) An ACL that matches all traffic and drops.
>> 
>> So I think perhaps the answer here is to define neither ACL type 
>> "any-acl" nor leaf "any". The presumption could be that any ACE that is 
>> configured to match no fields implicitly matches all packets (because 
>> all non specified fields are treated as wildcards), and then applies the 
>> permit/deny rule associated with the ACE. This logic can apply to all 
>> ACL types.
> 
> Yes yes yes :)
> 
>   Kristian.

Mahesh Jethanandani
mjethanandani@gmail.com
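The semantics the thread converges on (a match field left unset is a wildcard, so an ACE with no match fields at all matches every packet, and acl-type only constrains which ACLs may be attached at a given attachment point) can be shown with a small evaluator. This is an added example, not code from the draft model or from anyone in the thread; the class and field names (Ace, Acl, AttachmentPoint, src/dst/protocol/dst_port) are a simplified stand-in for the YANG structure, the packets are constructed sample data, and "no ACE matched" is reported as None rather than assuming a default action, which the thread does not specify.

```python
"""Toy evaluator for the 'unspecified match field means any' ACE semantics.

Added illustration only; names are assumptions, not the draft's YANG nodes.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-control entry: optional match fields plus an action.

    A field left as None is simply not matched on, i.e. it is "any".
    """
    name: str
    action: str                      # "permit" or "deny"
    src: Optional[str] = None        # CIDR prefix, None means any source
    dst: Optional[str] = None        # CIDR prefix, None means any destination
    protocol: Optional[str] = None   # "tcp", "udp", ...; None means any
    dst_port: Optional[int] = None   # None means any port

    def matches(self, pkt: dict) -> bool:
        checks = [
            (self.src, lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v)),
            (self.dst, lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v)),
            (self.protocol, lambda v: pkt.get("protocol") == v),
            (self.dst_port, lambda v: pkt.get("dst_port") == v),
        ]
        # An unset field imposes no constraint. With every field unset the
        # loop never rejects, so the ACE matches any packet: no separate
        # "any" leaf or any-acl type is needed to express "permit ip any any".
        for value, check in checks:
            if value is not None and not check(value):
                return False
        return True


@dataclass
class Acl:
    name: str
    acl_type: str                    # e.g. "ipv4-acl" or "ipv6-acl"
    aces: List[Ace] = field(default_factory=list)

    def evaluate(self, pkt: dict) -> Tuple[Optional[str], Optional[str]]:
        """First-match evaluation: returns (action, ace name), or (None, None)."""
        for ace in self.aces:
            if ace.matches(pkt):
                return ace.action, ace.name
        return None, None


@dataclass
class AttachmentPoint:
    """An interface direction that only accepts ACLs of the listed types."""
    name: str
    allowed_types: List[str]
    attached: List[Acl] = field(default_factory=list)

    def attach(self, acl: Acl) -> None:
        # This is the role acl-type plays in the thread: a type check at the
        # attachment point, not a statement about what the ACEs match.
        if acl.acl_type not in self.allowed_types:
            raise ValueError(f"{self.name} accepts {self.allowed_types}, not {acl.acl_type}")
        self.attached.append(acl)


def build_sample_acl() -> Acl:
    """Constructed sample: permit SSH from a management prefix, deny the rest."""
    return Acl("mgmt-in", "ipv4-acl", [
        Ace("allow-ssh-from-mgmt", "permit", src="192.0.2.0/24", protocol="tcp", dst_port=22),
        Ace("deny-everything-else", "deny"),   # no match fields: matches any packet
    ])


if __name__ == "__main__":
    acl = build_sample_acl()
    pkt = {"src": "192.0.2.10", "dst": "203.0.113.1", "protocol": "tcp", "dst_port": 22}
    print(acl.evaluate(pkt))
    point = AttachmentPoint("eth0 ingress", ["ipv4-acl"])
    point.attach(acl)
    print([a.name for a in point.attached])
```

Dropping the trailing catch-all ACE from build_sample_acl makes evaluate return (None, None) for anything but management SSH, which is the case where a model would have to state its default; the thread leaves that choice to the text rather than to a special ACL type.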