[netmod] review of draft-bogdanovic-netmod-acl-model-01
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Tue, 29 July 2014 12:49 UTC
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98C761A03EF for <netmod@ietfa.amsl.com>; Tue, 29 Jul 2014 05:49:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RP_MATCHES_RCVD=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EtFfHNUpx_T2 for <netmod@ietfa.amsl.com>; Tue, 29 Jul 2014 05:49:34 -0700 (PDT)
Received: from atlas3.jacobs-university.de (atlas3.jacobs-university.de [212.201.44.18]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0826C1A03F7 for <netmod@ietf.org>; Tue, 29 Jul 2014 05:49:34 -0700 (PDT)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas3.jacobs-university.de (Postfix) with ESMTP id 9F34A1038; Tue, 29 Jul 2014 14:49:32 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas3.jacobs-university.de ([10.70.0.220]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10030) with ESMTP id n64JeeS45tT4; Tue, 29 Jul 2014 14:49:26 +0200 (CEST)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas3.jacobs-university.de (Postfix) with ESMTPS; Tue, 29 Jul 2014 14:49:31 +0200 (CEST)
Received: from localhost (demetrius3.jacobs-university.de [212.201.44.48]) by hermes.jacobs-university.de (Postfix) with ESMTP id 2B94D2002C; Tue, 29 Jul 2014 14:49:31 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius3.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id eEEbec_Q0Ulo; Tue, 29 Jul 2014 14:49:29 +0200 (CEST)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 9EDA520017; Tue, 29 Jul 2014 14:49:28 +0200 (CEST)
Received: by elstar.local (Postfix, from userid 501) id 920422DFDE8D; Tue, 29 Jul 2014 14:49:26 +0200 (CEST)
Date: Tue, 29 Jul 2014 14:49:26 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: draft-bogdanovic-netmod-acl-model@tools.ietf.org
Message-ID: <20140729124925.GC58615@elstar.local>
Mail-Followup-To: draft-bogdanovic-netmod-acl-model@tools.ietf.org, netmod@ietf.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.4.2.3i
Archived-At: http://mailarchive.ietf.org/arch/msg/netmod/j6aoL2DveUTSWbOAi6yD4HDJczQ
Cc: netmod@ietf.org
Subject: [netmod] review of draft-bogdanovic-netmod-acl-model-01
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jul 2014 12:49:36 -0000
Hi, during the Sunday session before IETF 90, I got nominated to be the Yang Doctor for draft-bogdanovic-netmod-acl-model-01. And as a consequence, I have done a review of this I-D and since this was submitted as a contribution to the IETF, I thought I post the review right here. Note that many comments are not really Yang Doctors concerns but once I review a document, I often end up reviewing the whole thing. /js - If this document is supposed to be standards-track, then the intended status should not be "Informational". - The title should be more descriptive. Following recent YANG RFCs, perhaps something like "A YANG Data Model for Network Access Control List (ACL) Management". - I am not sure you define an information model and a data model. I think you define just a data model and hence you may want to update the abstract. And I am not sure what 'basic building blocks' means, perhaps expand on the approach taken (i.e. that it is a basic structure designed to be augmented). - The first paragraph on the introduction has singular/plural mismatches. - Run idnits and fix lines that are too long and split the references into normative and informative references and update any outdated references. - Section 2: s/that model can be/that the model can be/ s/Actions/actions/ s/that augmented/that can be augmented/ - Section 3: You say that a access control list containers an ordered set of rules. Why do you choose the term "Access Control Entry" instead of simply "Access Control Rule"? What is a _group of_ match and action criteria? Why is a prefix length meta data? I mean, how do you determine the source prefix length? According to a lookup in the local forwarding table(s)? Is this strictly speaking meta data or more precisely data derived from packet headers? s/daufault/default/ - Section 3.1: You can't write 'imports module "packet-headers" into the match container'. While you claim it is easy to reuse definitions of say IPFIX [RFC5101], I am not sure I see the details how this would work. Better work out the details and then leave the judgment whether it is easy or not to the reader. s/is example/is an example/ You may want to consider to describe the standard models in section 3 and to discuss proprietary extensions in a separate section or even an appendix to make it very clear which text is normative and which is not. - Section 4.1. s/Access/access/ Make sure the YANG module passes pyang --ietf checks. Also note that the description of the revision statement should refer to the document defining the data model. Note that the prefix does not have to carry 'ietf-'. (As you will see, shorter identifiers make path expressions shorter and much more readable.) Look at some other published data models to see how people usually format YANG data models. It wonder why access-list is a container, that is this is a singleton. In Linux, I can have multiple tables and multiple chains that contain multiple rules. And if this is a singleton, why do I need acl-name? Perhaps this was supposed to be a list keyed by acl-name? There is ongoing debate whether operational state mixed with config data is good or bad design. While I believe acl-oper-data is meant to be operational state, it is not marked as config false either. And note that the common terminology is operational state and not operational data. I do not know what a target in the leaf-list of targets are. The type just says string, which is a bit too open ended I guess. And it seems this is really configuration and not operational state, hence this might be misplaced? It seems the matching is rather limited per rule. This may be fine but seems at odd with a previous statement "Each ACE has a group of match criteria and a group of action criteria." It seems a rule (oops ACE) has a single simple match against header files and metadata and a single action it can trigger, no? The counters in ace-oper-data should at least be config false. - Section 4.2: The module needs to get a proper name that starts with ietf- and make sure things compile using pyang --ietf. Since the packet fields definitions may be reused, do not prefix them with acl- - in fact those prefixes are not really needed in YANG since you prefix identifiers when use them. Perhaps think about a shorter prefix than 'packet-fields'? Some fields need more description. Is it useful to represent the protocol by number? Should the ip-header-fields not include the ipv4/ipv6 header fields (e.g. in a choice)? Right now, the user of the definitions has to create and maintain the choice. I also note that the fields are called ...-address but the type is really a prefix. So the idea is that you match an address taken from the packet header against a prefix. I guess this (though perhaps obvious to us) should be explained in the missing description statements. [Note that the type for source-ipv6-address is ...-address - I guess this is a typo.] You should explain how address masking is supposed to work just to be clear everybody does the same thing. What about VLANs? Out of scope? What is the purpose of the absolute container of the timerange definition? There is no other timerange defined. The description of 'active' is somewhat confusing. While the Internet ages, we see interesting layerings coming along. (I do not want to mention WebRTC.) How does your framework apply to tunnels etc? I assume all this applies only to the outer headers and I can't say filter IP in IP encapsulated traffic with it. That is fine but supposed I need to, can I extend this easily? A bigger question I have is how the 'packet-header' module (needs a better name) is being maintained. Is this cast into stone via an RFC and then RFC update rules apply? Or is this to be maintained by IANA with a careful review process? And if changes are made, how does a client figure out which set of filters an implementation supports? Do we need to define suitable features? Are features sufficient - what happens if I add say flow-label to the IP header fields? Should things perhaps be split into several modules, one for Ethernet header matching, one for IP header matching, one for transport header matching to make updates and maintenance easier? - Section 4.3: I do not understand the 'range' enum of the match-simple-payload-protocol-value grouping. - Several citations are duplicated in the text, such as [RFC6241] [RFC6241]. - Section 4.4 should use IP addresses reserved for examples and not just 1.1.1.1 and 2.2.2.2. I am also not sure that showing some random proprietary CLI is a good way of describing an example in an I-D - simple remove Figure 1. In Figure 2, I would remove all the edit-config noise and focus only on the config data. That said, I am not sure what <top> is nor am I convinced you got the namespaces right. Make sure you validate your examples against the data model. (See the pyang tutorial on how to do that.) - Section 5 probably needs to be expanded. Linux has tables, chains, and rules and it would be nice to document how things actually map to the concepts in the propose data model. /js -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
- [netmod] review of draft-bogdanovic-netmod-acl-mo… Juergen Schoenwaelder
- Re: [netmod] review of draft-bogdanovic-netmod-ac… Lisa Huang (yihuan)
- Re: [netmod] review of draft-bogdanovic-netmod-ac… Dana Blair (dblair)