Re: [netmod] IETF ACL model

Robert Wilton <> Tue, 21 November 2017 16:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3D3CC129B0D for <>; Tue, 21 Nov 2017 08:39:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id m-6sHjDsAMC5 for <>; Tue, 21 Nov 2017 08:39:48 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 16C18124D6C for <>; Tue, 21 Nov 2017 08:39:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=18190; q=dns/txt; s=iport; t=1511282388; x=1512491988; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=5RGhzAK/LOrvyXY/Prk8xgwdy7dFw07EqC6FxZ/909E=; b=m5gA0Fx5nOqr2YJsKvFIGwVq/kUppr6dsO3n6gbzcqwjdfkdmmwz1UpB 8dl5sij/t77cIYz5JTUOJ0RcGtbxT7YbZhliVCSx+O/0vZrMEBy7zty0/ uaLJHuFX0kjDgXhNvad2HGL3jhxRAh152gVrltIpFid73X/Tp8YJt63h7 o=;
X-IronPort-AV: E=Sophos;i="5.44,432,1505779200"; d="scan'208,217";a="356349"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Nov 2017 16:39:46 +0000
Received: from [] ( []) by (8.14.5/8.14.5) with ESMTP id vALGdjmS010439; Tue, 21 Nov 2017 16:39:46 GMT
To: Mahesh Jethanandani <>, NetMod WG <>
Cc: Kristian Larsson <>, Kristian Larsson <>, Kent Watsen <>, "Einar Nilsen-Nygaard (einarnn)" <>, "Sonal Agarwal (agarwaso)" <>, Kristian Larsson <>, Jeffrey Haas <>
References: <> <> <> <> <> <> <> <> <> <> <>
From: Robert Wilton <>
Message-ID: <>
Date: Tue, 21 Nov 2017 16:39:45 +0000
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------4A814F6A16F6AA2BE296564D"
Content-Language: en-US
Archived-At: <>
Subject: Re: [netmod] IETF ACL model
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 21 Nov 2017 16:39:50 -0000

On 21/11/2017 16:25, Mahesh Jethanandani wrote:
> [Taking the discussion to the mailing list]
> The summary of the discussion happening on a private thread has to do 
> with the ‘any’ container (now leaf) definition in the ACL model for 
> something that matches anything, much like a ‘*’ would do in regex. 
> The discussion has come down to:
> - leave the definition as is, so users would have to explicitly define it
What would it mean if the client configured an ACL type of "any" but 
didn't configure the "any" leaf?

>   pro: It is explicit and there would be no confusion about its 
> presence or absence.
>   con: It is verbose, in that every access list entry would have to 
> define it.
> - remove the any definition, so an absence of the definition implies 
> match on all. The text in the draft would have to be updated to state 
> this, and YANG parsers would need to watch out for the non-definition 
> in the match container.
> Opinion? Preferences?
> p.s. Current CLI configurations require explicit declaration of ‘any’.

If we have an "any" leaf that it seems that:
- it only applies for an ACL of type "any-acl", and can't be used for 
other ACL types.
- it has to be applied for an ACL of type "any-acl" (to have any use).
- it makes is ambiguous if the leaf isn't configured, which would sort 
of force the any leaf to be mandatory for ACLs of type "any-acl".

So it seems redundant to me.  I.e. I'm not sure what extra information 
an "any" leaf imparts beyond knowing that the ACL is of type"any-acl".


>> On Nov 20, 2017, at 2:20 PM, Jeff Haas < 
>> <>> wrote:
>>> On Nov 20, 2017, at 4:54 PM, Kristian Larsson 
>>> < <>> wrote:
>>> On 2017-11-20 18:26, Jeff Haas wrote:
>>>> IMO, the contention here is a consequence of proof by assertion. >
>>>>> On Nov 17, 2017, at 5:56 AM, Kristian Larsson 
>>>>> < <> 
>>>>> <>> wrote:
>>>>>>> Changes I'd like to see to this PR:
>>>>>>> * remove any-acl completely as it serves no purpose (we achieve
>>>>>>>  this through a ACE with no match conditions)
>>>>>> Will let Jeff respond as he articulated this requirement. Agree 
>>>>>> that most platforms have deny as the default. But what if the ace 
>>>>>> entry is something like this:
>>>>>> access-list 11 permit tcp any any
>>>>>> Would the absence of match rules for IP addresses imply any any?
>>>>> An absence of any match means it matches on everything. If there 
>>>>> are no IP matches at all, then yes, it implies any source or 
>>>>> destination address. I don't see why we would need to explicitly 
>>>>> have an any-acl container or leaf to point this out. With the same 
>>>>> concept applied uniformly you would explicitly call out "any" 
>>>>> matches for all types of matches. That would be extremely verbose.
>>>> Where in the model does it say that the absence of a matches 
>>>> container implies a match all vs. match none?
>>>> Where in the normative text of the internet-draft does it say that?
>>>> In the absence of either of the above, an "any" removes ambiguity.
>>>> FWIW, I'm totally fine with removing the any; however you *MUST* 
>>>> clarify the above.  Preferably both in the matches container and 
>>>> also in the normative text.  For my part, I think it's easier on 
>>>> the parser if you basically require at least one item from the 
>>>> container so you don't have to deal with optional contents.  But 
>>>> I'm not the one writing yang parsers for a living.
>>> I think it's clear that if no match condition is defined for a 
>>> particular (header) field then that means any value will match. It 
>>> is only an extension of this that no match conditions at all means 
>>> we match any and all packets. I think that is logical.
>>> This can naturally be spelled out in the text :)
>> You think it's clear, but where is it in the document or model?
>> Of such "implied clarity" is many interop bugs made. :-P
>> -- Jeff
>>> Kind regards,
>>>  Kristian.
> Mahesh Jethanandani
> <>