Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-15

Mahesh Jethanandani <mjethanandani@gmail.com> Thu, 18 January 2018 00:54 UTC

From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <B2E035BE-1214-46DF-8AFE-2D2D172625B0@gmail.com>
Date: Wed, 17 Jan 2018 16:54:32 -0800
In-Reply-To: <CAMMHi8jdoXcVcw6tWeK=eK4y8kFTZX7UaVo3=vUCOR2KM6bw=g@mail.gmail.com>
Cc: "netmod@ietf.org" <netmod@ietf.org>, Sonal Agarwal <sagarwal12@gmail.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Kent Watsen <kwatsen@juniper.net>
References: <8C19AD4C-0DCA-4D96-A070-0D76BE92BFA4@juniper.net> <20180117224916.4xtwnxgsw3snzwvf@elstar.local> <B3AAE9DB-1F4B-40F5-91BC-7A283B6E5F8B@gmail.com> <BA276029-048F-4B80-A104-924DD1C488F1@juniper.net> <CAMMHi8jdoXcVcw6tWeK=eK4y8kFTZX7UaVo3=vUCOR2KM6bw=g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/f5pdhSByt1kCVzwDS4kiBkpc6TM>

The important thing to note is that the current model does not prevent ACEs from being configured for each ACL, like most configurations that exist today. As Acee mentions in his e-mail, scaling can be done programmatically also.

Object groups (or containers) are another way to organize rules that constitute an ACE. And object groups can contain other object groups. Instead of having an ACL with a list of rules, one could have an ACL that refers to an object group that contains the rules. And multiple ACLs can refer to the same object group.

If there is a strong desire for the feature, the authors believe that this can be addressed in the next version of the *RFC*, probably as a bis document (sorry, if I was not clear what I meant by “next version”).

Looking at RFC 7950, I see that we can update the model in a backward compatible way, by adding a ‘case’ statement. How about adding a ‘choice’ statement? Would that be backward compatible? If not, we can make an editorial change to add the ‘choice’ statement in the model today, and later in the bis document add the ‘case’ statement for object groups.

Cheers.

> On Jan 17, 2018, at 4:25 PM, Sonal Agarwal <sagarwal12@gmail.com> wrote:
> 
> Hi Kent,
> 
> The last remaining open issue is about adding containers for addresses (source, destination) and ports (source, destination). A user has the choice to use the container or leaf for address (source/dest) and port (source/dest).  With this, the user can use the YANG model to configure scale ACLs.
> 
> I did some preliminary work on this in August/September last year, but ran out of time to explore this fully as I had to upload my other changes by particular dates.
> 
> The non implementation of this does not detract from the usability of the ACL model.
> 
> Closing the issue to completion will require me to revisit and implement the yang solution for container support in the model.
> 
> Thanks,
> Sonal.
> 
> 
> On Wed, Jan 17, 2018 at 3:33 PM, Kent Watsen <kwatsen@juniper.net> wrote:
> 
> Hi Mahesh,
> 
> >> - There is an open issue in the document (section 8) - are we going
> >>  to resolve that during WG last call or is this a leftover?
> >
> > This will be resolved in the next version of the module. It is
> > documented under Issues tab in GitHub. Should we remove it from
> > the draft?
> 
> Most of Juergen's comments are editorial in nature and can truly be handled as part of the LC process, but this open issue has me worried, as it may result in a significant technical change.
> 
> What will it take to close this open issue?  Is it just a matter of the getting the WG to agree that it's not an issue, or do we already know that it is a real issue and only the solution is pending?
> 
> Thanks,
> Kent
> 

Mahesh Jethanandani
mjethanandani@gmail.com
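As an added illustration of the object-group idea and the choice/case question raised in the message above (an example sketch written for this page, not text from draft-ietf-netmod-acl-model or any published module; the module, container and leaf names are assumptions):

```yang
module example-acl-object-groups {
  yang-version 1.1;
  namespace "urn:example:acl-object-groups";
  prefix exog;

  import ietf-inet-types {
    prefix inet;
  }

  description
    "Illustrative sketch only. Shows (1) address object groups that can
     nest and be shared by several ACLs and (2) a 'choice' that lets an
     ACE match either a literal prefix or an object group. Names are
     assumptions, not taken from draft-ietf-netmod-acl-model.";

  container object-groups {
    list address-group {
      key "name";
      leaf name {
        type string;
      }
      leaf-list address {
        type inet:ip-prefix;
      }
      // An object group may refer to other object groups. The 'must'
      // stops a group from listing itself; it does not catch longer
      // cycles (A -> B -> A), which the server must still check.
      leaf-list nested-group {
        type leafref {
          path "/exog:object-groups/exog:address-group/exog:name";
        }
        must ". != ../name" {
          error-message "An object group must not reference itself.";
        }
      }
    }
  }

  container acls {
    list acl {
      key "name";
      leaf name {
        type string;
      }
      list ace {
        key "name";
        leaf name {
          type string;
        }
        container matches {
          // One case keeps the existing literal-prefix leaf; the other
          // points at a shared object group. The same group name may be
          // referenced from any number of ACLs.
          choice source {
            case prefix {
              leaf source-ipv4-network {
                type inet:ipv4-prefix;
              }
            }
            case group {
              leaf source-group {
                type leafref {
                  path "/exog:object-groups/exog:address-group/exog:name";
                }
              }
            }
          }
        }
      }
    }
  }
}
```

The leafref from an ACE to an object group, and from one group to another, is what lets many ACLs share one group and lets groups nest. Whether wrapping an existing leaf in a new 'choice' counts as a backward compatible update under RFC 7950 is exactly the question Mahesh poses; the sketch only shows the shape such a change would take, and a server that expands groups into flat ACEs still needs its own cycle check beyond the self-reference 'must'.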