Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-15

Kent Watsen <kwatsen@juniper.net> Mon, 22 January 2018 15:50 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
CC: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, "netmod@ietf.org" <netmod@ietf.org>
Date: Mon, 22 Jan 2018 15:50:27 +0000
Message-ID: <543B7D01-A491-4BFB-B74B-786002F31022@juniper.net>
References: <8C19AD4C-0DCA-4D96-A070-0D76BE92BFA4@juniper.net> <20180117224916.4xtwnxgsw3snzwvf@elstar.local> <B3AAE9DB-1F4B-40F5-91BC-7A283B6E5F8B@gmail.com> <BA276029-048F-4B80-A104-924DD1C488F1@juniper.net> <4EB04703-CD66-43D3-8653-BFC62B2C0FA1@gmail.com> <B1BA5D27-FF55-4DBB-B4FA-2697896F5F12@juniper.net> <788291A3-8BB6-494A-A7CF-D68B3FC70F98@gmail.com>
In-Reply-To: <788291A3-8BB6-494A-A7CF-D68B3FC70F98@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/bd0944J3Da-8Rpzu-5pyH_VrXRI>
Subject: Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-15

Hi Mahesh,

Thanks, it doesn't get much more concrete than a pull request  ;)

Okay, so from a chair/shepherd perspective, can folks please consider this update to -15 as the LC solution to removing the open issue Juergen found in the draft?

As a contributor, I don't think the name of the groupings or their description statements should allude to something that doesn't exist yet.  Rather than e.g. "source-or-group", could it be instead something like "source-type"?    Also, the update seems to be for both when specifying networks as well as when specifying port-ranges, but the original issue (see below) only mentioned addresses - is the pull-request actually what's needed and the description of the issue in Section 8 is incomplete?

    8.  Open Issues

       o  The current model does not support the concept of "containers"
            used to contain multiple addresses per rule entry.

Thanks,
Kent
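The "choice around the existing container" pattern the thread discusses, as an added illustration that is not the draft's module or the pull request's text. Node, module and namespace names are hypothetical; only the name "source-type" is taken from the discussion above.

```yang
// Added example (not from draft-ietf-netmod-acl-model or the PR):
// wrap today's single match node in a 'choice' so that a second 'case'
// (e.g. a reference to an external object) can be added in a later
// revision without invalidating existing instance data.
module example-acl-choice {
  yang-version 1.1;
  namespace "urn:example:acl-choice";   // placeholder namespace
  prefix exacl;

  import ietf-inet-types { prefix inet; }

  grouping source-type {
    description
      "Source match. 'choice' and 'case' are schema-only nodes and never
       appear in instance data, so <source-ipv4-network> encodes exactly
       as it did before the choice was introduced. Adding a new 'case'
       to an existing 'choice' is a backward-compatible module update
       under RFC 7950 section 11.";
    choice source-type {
      case address {
        leaf source-ipv4-network {
          type inet:ipv4-prefix;
          description "Source IPv4 prefix to match.";
        }
      }
      // Hypothetical future case, shown only to illustrate the extension
      // point; it is not part of this version of the module:
      // case external {
      //   leaf source-object-ref { type string; }
      // }
    }
  }

  container acls-example {
    list ace {
      key "name";
      leaf name { type string; }
      uses source-type;
    }
  }
}
```

The same wrapping applies to a port-range grouping if both networks and port ranges are meant to gain an external reference later, which is the scope question raised above.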


On 1/21/18, 12:32 AM, "Mahesh Jethanandani" <mjethanandani@gmail.com> wrote:

On Jan 20, 2018, at 7:21 AM, Kent Watsen <kwatsen@juniper.net> wrote:

Hi Mahesh,

I'm okay not adding the ability to reference an external rulebase now, or are you saying that you'd also like to defer priming the YANG model now so that it can be added later in a backwards compatible manner?

If you plan to prime the YANG model so that the ability to reference an external rulebase can added later in a backwards compatible manner, can you please send a concrete proposal to the list so that we can better understand the impact?

My expectation is that it merely adds a 'choice' statement around the existing rulebase container, thereby enabling something other than a rulebase container to exist some day in the future.

That is correct. The proposal is to add a ‘choice’ statement in parts of the model that will allow an external rulebase to be added in the future as another case statement.

Here is the concrete proposal of what those changes will look like:

https://github.com/netmod-wg/acl-model/pull/23

Thanks



If the addition is indeed just this, then I don't believe that it materially changes the ACL model and therefore can be added as a LC comment.  Of course, the WG will want to review the addition for correctness, but otherwise should be alright.

Thanks,
Kent // co-chair and shepherd


===== original message =====

Kent,

I have not heard a strong requirement to have the open issue fixed in this version of the RFC. We would therefore like to defer it to a bis document.

I will wait for the LC to complete, and update the draft to address all the comments received during the LC.

Thanks.


On Jan 17, 2018, at 3:33 PM, Kent Watsen <kwatsen@juniper.net> wrote:


Hi Mahesh,


- There is an open issue in the document (section 8) - are we going
to resolve that during WG last call or is this a leftover?

This will be resolved in the next version of the module. It is
documented under Issues tab in GitHub. Should we remove it from
the draft?

Most of Juergen's comments are editorial in nature and can truly be handled as part of the LC process, but this open issue has me worried, as it may result in a significant technical change.

What will it take to close this open issue?  Is it just a matter of the getting the WG to agree that it's not an issue, or do we already know that it is a real issue and only the solution is pending?

Thanks,
Kent




Mahesh Jethanandani
mjethanandani@gmail.com



Mahesh Jethanandani
mjethanandani@gmail.com