Re: [netmod] draft-ietf-netmod-acl-model

Mahesh Jethanandani <mjethanandani@gmail.com> Tue, 03 October 2017 23:56 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B021C1341F8 for <netmod@ietfa.amsl.com>; Tue, 3 Oct 2017 16:56:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JlSRD7IQ9Jxa for <netmod@ietfa.amsl.com>; Tue, 3 Oct 2017 16:56:56 -0700 (PDT)
Received: from mail-pg0-x22f.google.com (mail-pg0-x22f.google.com [IPv6:2607:f8b0:400e:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC93A13232C for <netmod@ietf.org>; Tue, 3 Oct 2017 16:56:56 -0700 (PDT)
Received: by mail-pg0-x22f.google.com with SMTP id i195so5578745pgd.9 for <netmod@ietf.org>; Tue, 03 Oct 2017 16:56:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=GKls5AZISM5SSxfzJAVgNcPKFAsemTFmHOY1N4ZFU9o=; b=B5R4PM6TviXnMH98GFrc3M4bJVBls7y6lIqDQEFTjRwG6SMoD2wZy57EEzG1OleBuL k4hIjshcvsXZfF0ym4VyQc/tY6zVRyVStx4Battg1B4DbZHNf3F1O/bBO6j8tz1nAxsL DemZiEOvirsHl0/2m8lsKDmsijaozZMYnGBnh0d4Wsn+F/z4g7EcKzDwquoSZFwbTQUT Ae6XIi4StXLy+GyUppBojHB7iU9qr6RkdrNMwKAU8plyP6G0mY7kKdGT2MmjQeVgXs6w 8NmbUlv9NgHYhyaCow227eoU3a8DYSf3IhSUq475O2sh7Mk2eFr8XHUKD12Y5tS0zzNq CClA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=GKls5AZISM5SSxfzJAVgNcPKFAsemTFmHOY1N4ZFU9o=; b=aimfOBRZtZZeM5DkojYhgLM+wNCdgyh6SRfLatkRTjjCN00LgsnqL/yKhMo9hS+H73 W7JwStxTl9nLLNIau3fBwDT5dkx/3lS/8FqQKxIg/h2iEbESP0Ef+jyMMkXPt1wpQj3i 8kIoaV862Gh+V43n2f6ToJZJzJDVGGYSTt2FyAzBpyQLKlzd3kMm1/eLT41prrLyUOBp /VUaTJn5VAQjNq8OdFvIol7JfSJrr31IHVGhIzp88eynBgzhBQX01Vvo7Wa2foWY9sSQ M5PtS2edjhWchdMXo1CiUOqFNwgJCtD2BdthhaCu1ZhMLPBB6SP9acTXW4aZl3xeXE91 oi+g==
X-Gm-Message-State: AHPjjUi+ioelPuqJnuY6jYQxJaMcD8z2T6UFuBediC0M4YRMAF9GZ3tT 7aAtZcJSrmYKLGjraOYVTOGEySYT
X-Google-Smtp-Source: AOwi7QDEopl5MOpwdpnnyJWVvSlHxDqmqvt0N+aGHCd14nYyjk6PRZ/6r98Ox6x4Mp0BTczZWKxv5A==
X-Received: by 10.99.117.65 with SMTP id f1mr17000533pgn.104.1507075016247; Tue, 03 Oct 2017 16:56:56 -0700 (PDT)
Received: from [10.154.131.13] ([128.107.241.185]) by smtp.gmail.com with ESMTPSA id c16sm22682390pfj.123.2017.10.03.16.56.54 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 03 Oct 2017 16:56:54 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_317CEFB0-F08E-4E61-88C3-D041A81E5413"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Mahesh Jethanandani <mjethanandani@gmail.com>
In-Reply-To: <050801d33b9c$ed929560$c8b7c020$@jpshallow.com>
Date: Tue, 3 Oct 2017 16:56:55 -0700
Cc: netmod@ietf.org
Message-Id: <E55D4FCD-77F4-49BF-8200-FEF663D98966@gmail.com>
References: <050801d33b9c$ed929560$c8b7c020$@jpshallow.com>
To: Jon Shallow <supjps-ietf@jpshallow.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/htUqm_dVWh7mONns8o4qHubzo1c>
Subject: Re: [netmod] draft-ietf-netmod-acl-model
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Oct 2017 23:56:59 -0000

Jon,

‘ordered-by user’ directive is useful to have on list of ACLs as/when they are applied. For example, in the latest published draft (-14) we added the 'ordered-by user’ statement to the list of ACLs when they are applied to the interfaces. You would not order the “global” ACLs list (under access-lists), because another interface may want a different order of ACLs. 

Does that help?


> On Oct 2, 2017, at 9:38 AM, Jon Shallow <supjps-ietf@jpshallow.com> wrote:
> 
> Hi there,
>  
> I’m currently working on another draft ietf specification (draft-ietf-dots-data-channel) which has a ordering requirement, but the ‘ordered-by’ statement is not specified (missing?)  for the ‘list acl’ in container ‘access-lists’ in 4.1 IETF Access Control List "ietf-access-control-list@2017-09-12.yang <mailto:ietf-access-control-list@2017-09-12.yang>". 
>  
> Container ‘aces’ has the ‘ordered-by-user’ statement for the list ACE.
>       container aces {
>         description
>           "The access-list-entries container contains
>            a list of access-list-entries(ACE).";
>         list ace {
>           key "rule-name";
>           ordered-by user;
>           description
>             "List of access list entries(ACE)";
>           .....           
>  
> Container ‘access-lists’ does not have the ‘ordered-by-user’ statement for the list ACL.
>   container access-lists {
>     description
>       "This is a top level container for Access Control Lists.
>        It can have one or more Access Control Lists.";
>     list acl {
>       key "acl-type acl-name";
>       description
>         "An Access Control List(ACL) is an ordered list of
>          Access List Entries (ACE). Each Access Control Entry has a
>          list of match criteria and a list of actions.
>          Since there are several kinds of Access Control Lists
>          implemented with different attributes for
>          different vendors, this
>          model accommodates customizing Access Control Lists for
>          each kind and for each vendor.";
>       .......
>  
> Is there a good reason why ‘list acl’ is not defined as sortable?
> - or is it defined elsewhere as being sortable?
> - or is the intention that there can only be one ACL?
>  
> We potentially have a requirement for multiple ACLs, each with its own set of sorted ACEs where the ACLs cannot be configured in a random order and need to know how to move forward.
>  
> Regards
>  
> Jon
> _______________________________________________
> netmod mailing list
> netmod@ietf.org <mailto:netmod@ietf.org>
> https://www.ietf.org/mailman/listinfo/netmod <https://www.ietf.org/mailman/listinfo/netmod>
Mahesh Jethanandani
mjethanandani@gmail.com