Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-15

Kristian Larsson <kristian@spritelink.net> Fri, 02 February 2018 07:44 UTC

To: netmod@ietf.org
References: <8C19AD4C-0DCA-4D96-A070-0D76BE92BFA4@juniper.net> <20180117224916.4xtwnxgsw3snzwvf@elstar.local> <B3AAE9DB-1F4B-40F5-91BC-7A283B6E5F8B@gmail.com> <BA276029-048F-4B80-A104-924DD1C488F1@juniper.net> <4EB04703-CD66-43D3-8653-BFC62B2C0FA1@gmail.com> <B1BA5D27-FF55-4DBB-B4FA-2697896F5F12@juniper.net> <788291A3-8BB6-494A-A7CF-D68B3FC70F98@gmail.com> <543B7D01-A491-4BFB-B74B-786002F31022@juniper.net>
From: Kristian Larsson <kristian@spritelink.net>
Message-ID: <5cdb95e6-35ab-8120-7f35-4d6d8df0274c@spritelink.net>
Date: Fri, 02 Feb 2018 08:44:13 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/lTDqt0_X4JbhK7wYUKW8GQ1ofSU>
Subject: Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-15

Mahesh,

I've reviewed this model; I think I largely caused the last couple of 
updates to it late last year. Overall I think it is a good model. 
Placement of feature-statements could be debated - no clear answers.
Object groupings are something I would like to see in the model, but it 
was always deferred.


On 2018-01-22 16:50, Kent Watsen wrote:
> Hi Mahesh,
> 
> Thanks, it doesn't get much more concrete than a pull request  ;)
> 
> Okay, so from a chair/shepherd perspective, can folks please consider 
> this update to -15 as the LC solution to removing the open issue Juergen 
> found in the draft?
> 
> As a contributor, I don't think the name of the groupings or their 
> description statements should allude to something that doesn't exist 
> yet.  Rather than e.g. "source-or-group", could it be instead something 
> like "source-type"?

+1

> Also, the update seems to be for both when 
> specifying networks as well as when specifying port-ranges, but the 
> original issue (see below) only mentioned addresses - is the 
> pull-request actually what's needed and the description of the issue in 
> Section 8 is incomplete?
> 
>      8.  Open Issues
> 
>         o  The current model does not support the concept of "containers"
>            used to contain multiple addresses per rule entry.

Object groupings are useful whenever there are many of something. There 
are usually more address entries than ports, so perhaps more useful for 
addresses, but it can still be useful to say "NFS-PORTS" and mean all 
the ports that NFS use (god knows what they are).

Others have mentioned scale ACL and that it can be solved in other ways. 
To me, this sort of object-grouping is not about optimising things for 
the hardware but rather making it easy for me to write rules. I think it 
is paramount for security that ACLs can be easily read and understood. 
If we do not understand them, then we cannot say they are effective and 
secure. Object groupings greatly improve the readability of ACLs and 
thus make it easier to write secure ACLs.

I understand the authors' wishes to get the first version out the door, 
but I can't help but wonder if it isn't just easier to add in object 
groupings now. It's not that damn complicated (they are just lists).
If not, I'm happy to work with them on the next version, which could 
include object groupings.

As for the PR to add choices, there seems to be an extra container 
inserted. I also made a comment on GitHub.
At the very least, I think it would be best if this PR is fixed and 
merged before we proceed.

    kll
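The "object groupings are just lists" point from the message above, as an added illustration that is not part of the thread or of draft-ietf-netmod-acl-model: a rule's match field is either a literal value or a reference to a named group (the same shape as the "source-type" choice discussed above), and expansion flattens it into plain ACEs. The group names, addresses and port numbers are constructed sample data; the NFS-PORTS membership is hypothetical.

```python
import itertools

# Constructed sample object groups (not from the draft): each is just a list.
ADDRESS_GROUPS = {
    "NFS-CLIENTS": ["192.0.2.10/32", "192.0.2.11/32"],
    "NFS-SERVERS": ["198.51.100.5/32"],
}
PORT_GROUPS = {
    "NFS-PORTS": [111, 2049],  # hypothetical membership, for illustration only
}


def resolve(field, groups):
    """A match field is either a literal or {"group": NAME} naming a group.

    An unknown group name raises instead of being treated as a literal:
    a dangling reference that silently matched nothing would make the ACL
    read as covering traffic it never touches.
    """
    if isinstance(field, dict):
        name = field["group"]
        if name not in groups:
            raise KeyError(f"unknown group {name!r}")
        return list(groups[name])
    return [field]


def expand_rule(rule):
    """Flatten one group-referencing rule into (src, dst, dst_port, action) ACEs."""
    srcs = resolve(rule["src"], ADDRESS_GROUPS)
    dsts = resolve(rule["dst"], ADDRESS_GROUPS)
    ports = resolve(rule["dst_port"], PORT_GROUPS)
    return [(s, d, p, rule["action"])
            for s, d, p in itertools.product(srcs, dsts, ports)]


def expand_acl(rules):
    """Expand a whole ACL, preserving rule order (first-match semantics)."""
    return [ace for rule in rules for ace in expand_rule(rule)]


# Constructed sample ACL: one readable rule instead of four hand-written ACEs.
SAMPLE_ACL = [
    {"name": "allow-nfs", "src": {"group": "NFS-CLIENTS"},
     "dst": {"group": "NFS-SERVERS"}, "dst_port": {"group": "NFS-PORTS"},
     "action": "accept"},
    {"name": "deny-rest", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "dst_port": "any", "action": "drop"},
]
```

Running `expand_acl(SAMPLE_ACL)` yields five flat ACEs from two readable rules; a typo in a group name fails at expansion time rather than producing an ACL that looks right but matches nothing.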