IETF Logo Mail Archive

Re: [netmod] Mirja Kühlewind's Discuss on draft-ietf-netmod-acl-model-19: (with DISCUSS)

Mahesh Jethanandani <mjethanandani@gmail.com> Tue, 25 September 2018 18:36 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CF33128CB7; Tue, 25 Sep 2018 11:36:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7yRFYhQfYOej; Tue, 25 Sep 2018 11:36:03 -0700 (PDT)
Received: from mail-pf1-x42a.google.com (mail-pf1-x42a.google.com [IPv6:2607:f8b0:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5E56128BAC; Tue, 25 Sep 2018 11:36:02 -0700 (PDT)
Received: by mail-pf1-x42a.google.com with SMTP id d4-v6so11831910pfn.0; Tue, 25 Sep 2018 11:36:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=mkYM18bzTh3lX8UDr8oTky0UhHsx0EnxcjWIUAcZQZg=; b=s8BuIlzXqewEjRvCcelWiYjaQEv+NM4QB4d4kFUQuBQk3DwVR7qBDOr/fuEYzsIzdI g/Pq9zcA8J2hUkh+LVOaSIJEhkc+waJDzozZBKkssV3AVTE3Dim2eT5TV57TPZIF3/8J oMGce/WqhnYSAYSEyvp35Q7O7OiH2XZeLtKRQK/gAuelt2kpmV7/V37WNpBAuVxwUuXT DinCguLET9oX2OjqCwkK36CGYw9WwcBN68QzRRQd5KogRAEkQIMfv5m0JP6XWwGwA6Xg e7o3m/W8k1mAp7CKmof4p/++BZHUl+JCVhYH0M2/Tz+PFSPpTIEXbokgYfI/SY5YPmBV kRJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=mkYM18bzTh3lX8UDr8oTky0UhHsx0EnxcjWIUAcZQZg=; b=hIgDDiObvd6tPJwmL2/MVEyQS6KJNhu9UEcqHsksRNZiX01VHHyPyK4rXU8TZTIw2u aUkCAyJW8/SdpmPY04EZm7buPE3DNpaXIfWMjgglhDe+XF7mcdSfeE7U+7F2pVvOTdUH cD7PvPmr119wxpMHFFWJwP4caG3ewFRmMxA5/kV8Pr/xA1IpGTtF/NL/ujhF1ud7bg7I 7Fhxopu1JdqDeuhGhe2mfDxaKAhCVE0LPquvoG6y5ATB88/KEnA+kGzYeu/7l7U3zqds CS2AHCohWqxMW74/cyNN2AvXWu/2hptNzeGEDNukayciOQi6d7H1O8bbXLZR4DTUi6QQ go5w==
X-Gm-Message-State: ABuFfojhBu9rT4mvkars0CTzmP3sMwPedg9AYFwBhTbpkDlC874+USbN 4DwHiOLbfF/QsZMkdlja1lU=
X-Google-Smtp-Source: ACcGV62EQ/RsKFvChYn9bWJLry8ete+xL9yetTdvKLOXTu0DcPZO9lkHkuORvWcFEvcKYEZ0bwd9uw==
X-Received: by 2002:a17:902:4081:: with SMTP id c1-v6mr2355830pld.169.1537900562290; Tue, 25 Sep 2018 11:36:02 -0700 (PDT)
Received: from [10.52.174.170] ([66.170.99.1]) by smtp.gmail.com with ESMTPSA id l79-v6sm6489809pfi.172.2018.09.25.11.35.59 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 25 Sep 2018 11:36:00 -0700 (PDT)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <8C4D59E2-0C6D-4570-B8B0-D27D6C74CA2C@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5599B211-BCAF-4DCB-9C21-DAFC827ABD6F"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Tue, 25 Sep 2018 11:35:59 -0700
In-Reply-To: <53A51142-7568-473D-B309-E3A86459B5F9@kuehlewind.net>
Cc: NetMod WG Chairs <netmod-chairs@ietf.org>, Kent Watsen <kwatsen@juniper.net>, The IESG <iesg@ietf.org>, NetMod WG <netmod@ietf.org>, draft-ietf-netmod-acl-model@ietf.org
To: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
References: <153753763758.7269.9597830616255329217.idtracker@ietfa.amsl.com> <E957D368-88BA-442F-AB7F-F8464847C719@gmail.com> <53A51142-7568-473D-B309-E3A86459B5F9@kuehlewind.net>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/Zn8LIrV5IQjaZZDyIqQT2Mc_BUA>
Subject: Re: [netmod] Mirja Kühlewind's Discuss on draft-ietf-netmod-acl-model-19: (with DISCUSS)
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2018 18:36:06 -0000

Hi Mirja,

See responses inline.

> On Sep 25, 2018, at 2:32 AM, Mirja Kuehlewind (IETF) <ietf@kuehlewind.net> wrote:
> 
> Hi Mahesh,
> 
> please see below.
> 
>> Am 25.09.2018 um 00:56 schrieb Mahesh Jethanandani <mjethanandani@gmail.com>:
>> 
>> 
>> 
>>> On Sep 21, 2018, at 6:47 AM, Mirja Kühlewind <ietf@kuehlewind.net> wrote:
>>> 
>>> Mirja Kühlewind has entered the following ballot position for
>>> draft-ietf-netmod-acl-model-19: Discuss
>>> 
>>> When responding, please keep the subject line intact and reply to all
>>> email addresses included in the To and CC lines. (Feel free to cut this
>>> introductory paragraph, however.)
>>> 
>>> 
>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>> for more information about IESG DISCUSS and COMMENT positions.
>>> 
>>> 
>>> The document, along with other ballot positions, can be found here:
>>> https://datatracker.ietf.org/doc/draft-ietf-netmod-acl-model/
>>> 
>>> 
>>> 
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>> 
>>> 1) The tcp options element is type uint32, however, the option field in the TCP
>>> header can be up to 40 bytes.
>> 
>> You are right that the options field can be up to 40 bytes long.
>> 
>> To the WG - We have two options in front of us. Take the field out completely or change the type to binary, and add a ‘length’ restriction of 40. Unless there is a objection, we will go with the latter option.
> 
> Not sure what exactly you mean but change the type to binary and add a length restriction but I’ll leave it to you to have the appropriate change.

Ok.

> 
>> 
>>> 
>>> 2) Why are only TCP and UDP supported? What's about SCTP and DCCP?
>> 
>> There has been no requirement to support either of those protocols. Support for those protocols can be added as augmentations to the base model in the future if such a need arises.
> 
> That’s do bad. However, the document must at least say that it’s scope is restricted to TCP and UDP only and it would also be nice to reason why that restriction is and what would need to be done to extend it in future.

To the contrary. The model is not restricted to TCP and UDP. In Section 2, the document states that:

   ACL implementations in every device may vary greatly in terms of the
   filter constructs and actions that they support.  Therefore this
   draft proposes a model that can be augmented by standard extensions
   and vendor proprietary models.


It is a different matter that it has chosen not to support SCTP and DCCP. That is because implementations today have not felt the market need to add support for those protocols. But that does not prevent anyone from adding support for them.

As far as an example for how the model can be extended in the future, see Appendix A - Extending ACL model examples.

> 
>> 
>>> 
>>> 3) The icmp rest-of-header can also be larger than 4 bytes but the type is
>>> uint32 again.
>> 
>> You are right that the rest-of-header can be more than 4 bytes, but in reality we have not had a requirement to support more than 4 bytes. 
>> 
>> To the WG - We will give it the same treatment as above - two options. Take it out completely, or change this to binary also. The only difference is that there does not seem to be a length restriction on the size of the field, so the field will be left unbounded. Unless there is a objection, we will go with the conversion to binary option.
> 
> Again, leaving it to you to apply the appropriate fix.

Ok.

Thanks.

> 
> Mirja
> 
> 
> 
>> 
>> Cheers.

v2.23.0 | Report a Bug | By Email