Re: [netmod] Fwd: New Version Notification for draft-ietf-netmod-acl-model-10.txt

David Bannister <dpb@netflix.com> Tue, 28 March 2017 18:59 UTC

Return-Path: <dbannister@netflix.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 634931293E3 for <netmod@ietfa.amsl.com>; Tue, 28 Mar 2017 11:59:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=netflix.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u8n0Df6-__r2 for <netmod@ietfa.amsl.com>; Tue, 28 Mar 2017 11:59:38 -0700 (PDT)
Received: from mail-vk0-x231.google.com (mail-vk0-x231.google.com [IPv6:2607:f8b0:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD6D112943C for <netmod@ietf.org>; Tue, 28 Mar 2017 11:59:37 -0700 (PDT)
Received: by mail-vk0-x231.google.com with SMTP id s68so99655388vke.3 for <netmod@ietf.org>; Tue, 28 Mar 2017 11:59:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netflix.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=F90f0AqIKU5/zqNr+eN+fPW+fsX+fWZIbuM0UsZ0B/k=; b=ZRVgcA5NWdcFlRO0o/AlWaZagtUPXcTTG9xuZG21PsCOO0yNqcVGdIjkCDseLN/6Wj SvN+kiiYDrz+JWy40w2Pif7U0Qb8pDsBqS/9oOvowgnJNswRNPxxom9IWuFeKwJ2KoJF QmcU9Hndu+sdQ7hZtZqWDjS+ctDY4p/gqD0cA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=F90f0AqIKU5/zqNr+eN+fPW+fsX+fWZIbuM0UsZ0B/k=; b=r2D+87yGm9KN1G+nE9f818CQ1qYe+cob/mLVEwONUR1mKTtUbv5aix0lOn6JFGOwkx bJwPPO19Pa0ybmm0g7wjbRoro99/fIcxbm9uZAqyvxHt9rmYg0eZhJUvmlBMMKY9ks5s LzMvh2EdYu9zwIc2HJEyPjELDVsxblDl+07zz4hxk/LfssSXLS9S846u1oCjPcYdAIB7 5ocKzee1zrUkCM33G6IjvkovsZRJfSKwZRuN4MyB+47DHe81ZD/VRW2AZQEWySGsBH71 0jmj9YeIRAYLGAH3P4WAh1MOdGOllsFADD8meG5azVxpLm4pz3aMAzLn1KX8vq7oQU/e 5XYg==
X-Gm-Message-State: AFeK/H1TfxKO0mQPsqcascBi8ejKaInqFlPp/Gotgz46EBT9Uj6SObhNrczWRGp9MqOQkso6mK8QdctPAAoYaJnp
X-Received: by 10.176.3.231 with SMTP id 94mr7795909uau.10.1490727576646; Tue, 28 Mar 2017 11:59:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.33.72 with HTTP; Tue, 28 Mar 2017 11:59:36 -0700 (PDT)
In-Reply-To: <86AA35DF-0D22-45E7-A954-E766133ED49D@juniper.net>
References: <148939875845.17039.4017763838166134753.idtracker@ietfa.amsl.com> <FB5820F3-D98B-40B3-A427-22F6D2B9BD6B@gmail.com> <4D50BFD4-0E59-4DF8-BEC9-0D9BE50F5BA6@juniper.net> <CAPhzzaZ8X9qSJzn_OBuKjjw+EdHaTDk-C7uQJuOONsCk_ibJRw@mail.gmail.com> <86AA35DF-0D22-45E7-A954-E766133ED49D@juniper.net>
From: David Bannister <dpb@netflix.com>
Date: Tue, 28 Mar 2017 14:59:36 -0400
Message-ID: <CAPhzzaY=wt3dfKFowcJbkKL1z36cDw6rgvDia94z+OrGHUENAg@mail.gmail.com>
To: Kent Watsen <kwatsen@juniper.net>
Cc: Dean Bogdanovic <ivandean@gmail.com>, NetMod WG <netmod@ietf.org>
Content-Type: multipart/alternative; boundary=94eb2c056802aa292a054bcf0f12
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/ZQ41P9n_tegYxcJSXcmWZdZKito>
Subject: Re: [netmod] Fwd: New Version Notification for draft-ietf-netmod-acl-model-10.txt
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2017 18:59:41 -0000

I would agree that the mix of L2 and L3 in the same operational ACL is a
bit out of the ordinary.  I could see where a combined approach may be
appealing to some.  As a network operator I do not see this as a negative.
It would be nice to give the vendor the option to defer the L2/3
combination but it does not look attainable in the current model.

"augmented by each vendor"  There are many things missing in IETF models
and some things which are not under the IETF umbrella.  In this discussion
the first that comes to mind is an 802.x model.  It is good to see there is
currently an IEEE effort to develop one.  However, it does not exist
today.  The various ether types are covered in some of the vendor models I
have seen.  We take the Newco example in the draft which typedefs an enum
of 'known-ether-type.'  Meanwhile Oldco is using a typedef of 'ethertype.'
 Both New and Old co both augment this draft. In this scenario the network
operator is stuck sorting out the logic in which vendor model to use and
having to deal with two data structures for the same entity (ether-type).
Using models this way does nothing to simplify network coding and
management.  I am against augmentation from vendor models for common items
but it is ok for vendor unique items.  Ether-type is not vendor unique.
Augmentation has its place but it appears to be overused even within the
context of IETF only models.

Not sure if pointing out ietf-routing was a good idea. Five years in the
making and 42 augmenting models. :-)

If we can get the well known IETF standardized missing bits from L3, L4 for
v4 and v6 into this it would work for me but I think the IETF may have
missed the boat on this one.




On Sun, Mar 26, 2017 at 1:17 PM, Kent Watsen <kwatsen@juniper.net> wrote:

> HI David,
>
>
>
> I believe an analogy to the ietf-routing module can and should be made
> here.  In both cases, the module provides a minimal skeleton that is
> intended to be extended by augmentations.   If anything, I could argue that
> the acl module doesn't go far enough, in that there is no feature statement
> on the "ace-ip" and "ace-eth" case statements, as if it's assuming that all
> servers implement L3 and L2 ACLs, which I find suspicious...
>
>
>
> You write below "augmented by each vendor", but I don't believe that this
> is the intent, so much as (just like with the ietf-routing) that future
> IETF modules will be defined to flesh it out.  In particular, the existing
> "ace-ip" and "ace-eth" case statements can be augmented, as well as brand
> new case statements added.   I agree that, in its current form, this draft
> is of limited use, but keep in my that the ietf-routing module now has 42
> other modules augmenting it, so there's hope that the
> ietf-access-control-list module will similarly be fleshed out in short
> order.
>
>
>
> What do you think?  Do you think we should put feature statements on the
> two case statements, or even move these into other modules (in the same
> draft) so that there is no specialness imparted on them?
>
>
>
> What about others?  I'm concerned that we may not have sufficient domain
> expertise in the NETMOD WG - similar to the routing-cfg draft, until the
> rtgwg started to focus on it.
>
>
>
> Kent  // shepherd
>
>
>
>
>
> On 3/18/17, 9:18 AM, "David Bannister" <dpb@netflix.com> wrote:
>
>
>
> (second try)
>
> There were no changes to the model so my concerns remain the same.
> Augmentation is not a scalable solution when dealing with a mutli-vendor or
> in some instances a multi-business-unit environment.  The 'newco' example
> in the draft illustrates this problem.  The IETF produces a 'standard' for
> an ACL draft which is so sparse in nature that it must be augmented by each
> vendor.  In the best case this gives me a unique model per vendor because
> we know the vendors are not going to get together to define the missing
> pieces.  The vendors will use a variety of mechanisms to complete the model
> from using a script to build their models from source code, handling the
> missing pieces as arbitrary code (anyxml), or everything as a string.  Then
> there is the worse case where a vendor has no internal standardization (you
> know who you are) and their own product lines will not align into a common
> model.  The object here, for me, is to get to a single model for all
> vendors barring a unique feature that belongs to one vendor in which case
> augmentation is acceptable.
>
>
>
> Could you add to this in the future and rev up the RFC?  Sure.  However, I
> am not sure what value that brings to the community.  In its current form I
> would not ask any of my vendors to implement this draft.  Instead I would
> push them towards the OpenConfig ACL model.
>
>
>
> On Tue, Mar 14, 2017 at 9:12 PM, Kent Watsen <kwatsen@juniper.net> wrote:
>
> Hi David,
>
>
>
> Can you please confirm that the additional examples address your concern?
> And, if not, please
>
> explain if there is any reason why what you're looking for couldn't be
> added or augmented in
>
> in the future.
>
>
>
> Thanks,
>
> Kent // shepherd
>
>
>
> On 3/13/17, 5:57 AM, "netmod on behalf of Dean Bogdanovic" <
> netmod-bounces@ietf.org on behalf of ivandean@gmail.com> wrote:
>
>
>
> Here is the new version of the ACL draft. Since December and some
> additional comments about the ACL model, I spoke with many operators and
> how they use ACLs. I have also received lot of detailed ACL configurations.
> In most cases, the model is easily adapted to the current use cases in
> operations. But to answer the comments, the authors have added a detailed
> example in the addendum section how the model can be extended and how this
> model can be used.
>
>
>
> Cheers,
>
>
>
> Dean
>
>
>
>
>
> Begin forwarded message:
>
>
>
> *From: *internet-drafts@ietf.org
>
> *Subject: New Version Notification for draft-ietf-netmod-acl-model-10.txt*
>
> *Date: *March 13, 2017 at 10:52:38 AM GMT+1
>
> *To: *<netmod-chairs@ietf.org>rg>, "Kiran Koushik" <kkoushik@cisco.com>om>,
> "Lisa Huang" <lyihuang16@gmail.com>om>, "Dean Bogdanovic" <ivandean@gmail.com>om>,
> "Dana Blair" <dblair@cisco.com>om>, "Kiran Agrahara Sreenivasa" <
> kkoushik@cisco.com>
>
>
>
>
> A new version of I-D, draft-ietf-netmod-acl-model-10.txt
> has been successfully submitted by Dean Bogdanovic and posted to the
> IETF repository.
>
> Name: draft-ietf-netmod-acl-model
> Revision: 10
> Title: Network Access Control List (ACL) YANG Data Model
> Document date: 2017-03-13
> Group: netmod
> Pages: 32
> URL:            https://www.ietf.org/internet-drafts/draft-
> ietf-netmod-acl-model-10.txt
> Status:         https://datatracker.ietf.org/doc/draft-ietf-
> netmod-acl-model/
> Htmlized:       https://tools.ietf.org/html/draft-ietf-netmod-acl-model-10
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-
> netmod-acl-model-10
>
> Abstract:
>   This document describes a data model of Access Control List (ACL)
>   basic building blocks.
>
>   Editorial Note (To be removed by RFC Editor)
>
>   This draft contains many placeholder values that need to be replaced
>   with finalized values at the time of publication.  This note
>   summarizes all of the substitutions that are needed.  Please note
>   that no other RFC Editor instructions are specified anywhere else in
>   this document.
>
>   Artwork in this document contains shorthand references to drafts in
>   progress.  Please apply the following replacements
>
>   o  "XXXX" --> the assigned RFC value for this draft.
>
>   o  Revision date in model (Oct 12, 2016) needs to get updated with
>      the date the draft gets approved.  The date also needs to get
>      reflected on the line with <CODE BEGINS>.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
>
>