IETF Logo Mail Archive

[netmod] A few comments on draft-dbb-netmod-acl

Qin Wu <bill.wu@huawei.com> Thu, 27 October 2022 06:08 UTC

Return-Path: <bill.wu@huawei.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7560CC1527A8 for <netmod@ietfa.amsl.com>; Wed, 26 Oct 2022 23:08:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PjOqW6B505Jb for <netmod@ietfa.amsl.com>; Wed, 26 Oct 2022 23:07:58 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00DEDC1527A0 for <netmod@ietf.org>; Wed, 26 Oct 2022 23:07:58 -0700 (PDT)
Received: from fraeml736-chm.china.huawei.com (unknown [172.18.147.200]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4MyZrL3PN8z67KPY; Thu, 27 Oct 2022 14:04:18 +0800 (CST)
Received: from canpemm100005.china.huawei.com (7.192.105.21) by fraeml736-chm.china.huawei.com (10.206.15.217) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Thu, 27 Oct 2022 08:07:53 +0200
Received: from canpemm500005.china.huawei.com (7.192.104.229) by canpemm100005.china.huawei.com (7.192.105.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Thu, 27 Oct 2022 14:07:51 +0800
Received: from canpemm500005.china.huawei.com ([7.192.104.229]) by canpemm500005.china.huawei.com ([7.192.104.229]) with mapi id 15.01.2375.031; Thu, 27 Oct 2022 14:07:51 +0800
From: Qin Wu <bill.wu@huawei.com>
To: "netmod@ietf.org" <netmod@ietf.org>
Thread-Topic: A few comments on draft-dbb-netmod-acl
Thread-Index: AdjpykvImtd2QRsaSL2XTLp2D+x4QQ==
Date: Thu, 27 Oct 2022 06:07:51 +0000
Message-ID: <e350e50aef7c45c5b51768b8c9d8df2f@huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.100.16]
Content-Type: multipart/alternative; boundary="_000_e350e50aef7c45c5b51768b8c9d8df2fhuaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/ZI2FXqThxfAIh6AMFHKRTi5l9PM>
Subject: [netmod] A few comments on draft-dbb-netmod-acl
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2022 06:08:02 -0000

Hi, Oscar:
I have read the latest version of draft-dbb-netmod-acl, the problem statement and gap analysis are interesting, here are a few comments on this draft:
1.For problem statement in section 4.3 and section 4.5, I am wondering how  do you feel encrypted traffic at the transport layer, e.g., TLS layer or QUIC layer,
I feel it is hard, you might read one of presentation slides for IAB MTEN workshop, one gap we identify is ACL fall short to deal with encrypted traffic.
But for unencrypted traffic, yes, the ACL extension provide fine granularity access control.

2.For section 3.2, I feel the solution seems not complete, how defined set is used, in the match, it lack a example to explain how it is used.

3.For section 3.1, it is a good extension, but I understand the idea is to apply the same action to a set of prefixes, let's say two prefixes, since the destination-ipv6-network is defined as an array, I am wondering whether the action should be changes into 2 actions in an array:
   {
     "ietf-access-control-list:acls": {
       "acl": [
         {
           "name": "prefix-list-support",
           "type": "ipv6-acl-type",
           "aces": {
             "ace": [
               {
                 "name": "my-test-ace",
                 "matches": {
                   "ipv6": {
                     "destination-ipv6-network": [
                       "2001:db8:6401:1::/64",
                       "2001:db8:6401:c::/64"
                     ],
                     "source-ipv6-network":
                       "2001:db8:1234::/96",
                     "protocol": 17,
                     "flow-label": 10000
                   },
                 },
                 "actions": {
                   "forwarding": [ "accept","accept"]
                 }
               }
             ]
           }
         }
       ]
     }
   }
Maybe one alternative solution is to use template, if we want to Manipulate Lists of Prefixes

4.I feel flags defined in RFC9519 is confusing, how does the controller know which packet is the last fragment, which packet is not, which packet needs to be fragmented, which one not,the fragment action is controlled by the ingress node, configuring flags seems wrong to me.

5. For section 3.3 "Bind ACLs to Devices, Not Only Interfaces", do we have solution to this problem? If not, I think draft-ma-opsawg-ucl-acl-00 provide excatly the solution you are looking for if my understanding is correct, to address the limitation of IP address based access control, no need to tie to the specific interface of the device, or a single device.

-Qin

v2.23.0 | Report a Bug | By Email