Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-01.txt
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 06 February 2015 21:14 UTC
Date: Fri, 06 Feb 2015 22:14:04 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: "Thomas D. Nadeau" <tnadeau@lucidvision.com>, NETMOD Working Group <netmod@ietf.org>
Message-ID: <20150206211404.GA2595@elstar.local>
Mail-Followup-To: "Thomas D. Nadeau" <tnadeau@lucidvision.com>, NETMOD Working Group <netmod@ietf.org>
References: <7C52DD5B-33F7-44D1-A701-90254AAD7C12@lucidvision.com> <20150206201546.GA911@elstar.local>
Archived-At: <http://mailarchive.ietf.org/arch/msg/netmod/_TNQeDUp9aaXegc-XrzPJKU-hLA>
On Fri, Feb 06, 2015 at 09:15:46PM +0100, Juergen Schoenwaelder wrote:
> On Fri, Feb 06, 2015 at 01:59:30PM -0500, Thomas D. Nadeau wrote:
> >
> > This commences a NETMOD WG Last call for draft-ietf-netmod-acl-model-01.txt.
> > Please send comments to the list by 20-FEB-2015 by 9AM EST.
> >
>
> Before I read this in detail already a few quick comments:
>
> - The module name 'packet-fields' should follow RFC 6020 guidelines.
>
> - Non-normative example modules should be in an appendix marked as
>   non-normative.
>
> - The security considerations include a TBD action item.
>
> - If ietf-route-filter.yang is an example, I would probably give it a
>   different name that has less chance to be confused with an official
>   module.
>

More comments:

- Why do you use the prefix 'ietf' for ietf-yang-types? The default
  would have been 'yang'.

- How is the packet-fields module updated? IETF process? Is this a
  candidate for IANA maintenance?

- Do we need a copyright notice in the module descriptions?

- The description of the revision does not make much sense, and the
  reference even less. I suggest to follow the YANG guidelines,
  RFC 6087.

- Is layer 2 always ethernet or is this

      identity eth-acl {
        base "acl:acl-base";
        description "layer 2 ACL type";
      }

  just a misnomer? Perhaps the description of ip-acl also should be
  "IP layer ACL type" to be precise. But then, the associated grouping
  also includes layer 4 elements (port number ranges).

- Since access-list/acl-type is optional, what is the meaning if it is
  not present?

- I have no clue what to expect in the targets strings in
  acl-oper-data/targets.

- The description of access-list talks about sequence numbers - I
  could not find them. Perhaps the text is outdated?

- I personally would not inline the operational state nodes but this
  may be personal preference.

- Is 'entry' the same as 'rule'? If so, why do we use two terms if one
  would be sufficient?

- I do not understand this:

      The time range is identified by a name and then referenced by a
      function, so that those time restrictions are imposed on the
      function itself.

  I was surprised to find this since the introductory text never
  mentions time filters, it only talks about packet filters and
  metadata filters. Well, this is filtering on the meta data when a
  packet is received but perhaps this deserves to be mentioned
  somewhere earlier.

- You will be asked later on anyway to use the reserved example IP
  addresses in the examples, so make the changes now.

- In the example in section 4.4, I suggest to remove all the
  edit-config stuff and to show only the config itself. I am also not
  sure the example is correct, has this been validated against the
  schema?

- The explanation given at the beginning of section 4.5 belongs into
  the data model definition. What happens if I configure only an
  upper-port? What if I leave both ports out? What happens if the
  lower-port is larger than the upper-port?

- I generally suggest to use the prefixes defined in an imported
  module unless there is a name clash that makes this impossible. If
  we always write inet:ipv4-prefix (where possible), it becomes
  simpler for human readers to read modules.

- reference " "; avoids a warning but is otherwise not useful

- The biggest thing that is unclear to me is how these generic acls
  are used in certain contexts. In the operational state, there is a
  list of opaque target strings but I do not know what they contain or
  how they are configured. So how do I use these generic acls? Suppose
  I want to use these acls to control access to my NC server. How
  would I have to extend the NC server config model to do that?

- The IANA considerations are incomplete since I think you have two
  modules that need registration.

- Since Section 10 is empty, remove it.
/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
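The port-range questions above (what a missing upper-port means, and what happens when lower-port exceeds upper-port) are exactly the kind of thing a YANG module can state in the schema instead of in section text. The following is an added illustration, not code from the draft or from the reviewer; the module name, namespace and prefix are made up, and the only real import is ietf-inet-types (RFC 6991), whose inet:port-number type is assumed to exist as published.

```yang
module example-acl-port-range {
  namespace "urn:example:acl-port-range";   // hypothetical namespace
  prefix "exacl";                           // hypothetical prefix

  // Real module from RFC 6991; port-number is uint16 in 0..65535.
  import ietf-inet-types { prefix inet; }

  grouping port-range {
    description
      "A closed port range. Semantics are pinned down in the schema:
       lower-port alone matches exactly that port, upper-port alone
       is rejected, and an inverted range is rejected.";

    leaf lower-port {
      type inet:port-number;
      description "Lower bound of the range, inclusive.";
    }

    leaf upper-port {
      type inet:port-number;
      // An upper bound without a lower bound is ambiguous: reject it.
      must "../lower-port" {
        error-message "upper-port requires lower-port to be set";
      }
      // Reject inverted ranges instead of silently matching nothing.
      must ". >= ../lower-port" {
        error-message "upper-port must not be smaller than lower-port";
      }
      description
        "Upper bound of the range, inclusive. When absent, the range
         degenerates to the single port given by lower-port.";
    }
  }

  container example-entry {
    description "Illustrative use of the grouping in one ACL entry.";
    uses port-range;
  }
}
```

A NETCONF server that enforces these `must` statements fails the edit-config with the quoted error-message rather than installing a filter whose match set is empty or undefined.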