Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-01.txt
"Dana Blair (dblair)" <dblair@cisco.com> Thu, 12 February 2015 20:07 UTC
From: "Dana Blair (dblair)" <dblair@cisco.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, "Thomas D. Nadeau" <tnadeau@lucidvision.com>, NETMOD Working Group <netmod@ietf.org>
Date: Thu, 12 Feb 2015 20:07:19 +0000
Message-ID: <D1027208.25B7F7%dblair@cisco.com>
In-Reply-To: <20150206211404.GA2595@elstar.local>
Great comments. The authors are meeting right now and will get back to the list.

thanks,
Dana

On 2/6/15, 4:14 PM, "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de> wrote:

>On Fri, Feb 06, 2015 at 09:15:46PM +0100, Juergen Schoenwaelder wrote:
>> On Fri, Feb 06, 2015 at 01:59:30PM -0500, Thomas D. Nadeau wrote:
>> >
>> > This commences a NETMOD WG Last call for
>> > draft-ietf-netmod-acl-model-01.txt. Please send comments to the list by
>> > 20-FEB-2015 by 9AM EST.
>> >
>>
>> Before I read this in detail already a few quick comments:
>>
>> - The module name 'packet-fields' should follow RFC 6020 guidelines.
>>
>> - Non-normative example modules should be in an appendix marked as
>>   non-normative.
>>
>> - The security considerations include a TBD action item.
>>
>> - If ietf-route-filter.yang is an example, I would probably give it a
>>   different name that has less chance to be confused with an official
>>   module.
>>
>
>More comments:
>
>- Why do you use the prefix 'ietf' for ietf-yang-types? The default
>  would have been 'yang'.
>
>- How is the packet-fields module updated? IETF process? Is this a
>  candidate for IANA maintenance?
>
>- Do we need a copyright notice in the module descriptions?
>
>- The description of the revision does not make much sense, and the
>  reference even less. I suggest to follow the YANG guidelines,
>  RFC 6087.
>
>- Is layer 2 always ethernet or is this
>
>    identity eth-acl {
>      base "acl:acl-base";
>      description "layer 2 ACL type";
>    }
>
>  just a misnomer? Perhaps the description of ip-acl also should be
>  "IP layer ACL type" to be precise. But then, the associated grouping
>  also includes layer 4 elements (port number ranges).
>
>- Since access-list/acl-type is optional, what is the meaning if it is
>  not present?
>
>- I have no clue what to expect in the targets strings in
>  acl-oper-data/targets.
>
>- The description of access-list talks about sequence numbers - I
>  could not find them. Perhaps the text is outdated?
>
>- I personally would not inline the operational state nodes but this
>  may be personal preference.
>
>- Is 'entry' the same as 'rule'? If so, why do we use two terms if one
>  would be sufficient?
>
>- I do not understand this:
>
>    The time range is identified by a name
>    and then referenced by a function, so that those
>    time restrictions are imposed on the function itself.
>
>  I was surprised to find this since the introductory text never
>  mentions time filters, it only talks about packet filters and
>  metadata filters. Well, this is filtering on the meta data when a
>  packet is received but perhaps this deserves to be mentioned
>  somewhere earlier.
>
>- You will be asked later on anyway to use the reserved example IP
>  addresses in the examples, so make the changes now.
>
>- In the example in section 4.4, I suggest to remove all the
>  edit-config stuff and to show only the config itself. I am also not
>  sure the example is correct, has this been validated against the
>  schema?
>
>- The explanation given at the beginning of section 4.5 belongs into
>  the data model definition. What happens if I configure only an
>  upper-port? What if I leave both ports out? What happens if the
>  lower-port is larger than the upper-port?
>
>- I generally suggest to use the prefixes defined in an imported
>  module unless there is a name clash that makes this impossible. If
>  we always write inet:ipv4-prefix (where possible), it becomes
>  simpler for human readers to read modules.
>
>- reference " "; avoids a warning but is otherwise not useful
>
>- The biggest thing that is unclear to me is how these generic acls
>  are used in certain contexts. In the operational state, there is a
>  list of opaque target strings but I do not know what they contain or
>  how they are configured. So how do I use these generic acls?
>  Suppose I want to use these acls to control access to my NC
>  server. How would I have to extend the NC server config model to do
>  that?
>
>- The IANA considerations are incomplete since I think you have two
>  modules that need registration.
>
>- Since Section 10 is empty, remove it.
>
>/js
>
>--
>Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
>Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
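The port-range questions raised in the quoted review (only upper-port configured, neither port configured, lower-port larger than upper-port) are the kind of semantics a presence container, a mandatory leaf and a must constraint can pin down in the model itself, so that a validator rejects an ambiguous filter before it is installed. The module below is an added example for this page, not text from draft-ietf-netmod-acl-model-01 or its authors; the module, grouping and leaf names and the namespace are hypothetical.

```yang
// Added example, not part of draft-ietf-netmod-acl-model-01.
// Hypothetical module that makes port-range semantics explicit so that
// an ambiguous ACL entry fails validation instead of silently matching
// something the operator did not intend.
module example-acl-port-range {
  namespace "urn:example:acl-port-range";   // hypothetical namespace
  prefix exapr;

  import ietf-inet-types {
    prefix inet;   // keep the prefix the imported module defines
  }

  grouping port-range-match {
    description
      "Layer 4 port match.
       Container absent:          match any port.
       lower-port only:           match exactly that port.
       lower-port and upper-port: match the inclusive range
                                  lower-port..upper-port.";
    container port-range {
      presence "A port match is configured; absence means any port.";
      leaf lower-port {
        type inet:port-number;
        mandatory true;   // upper-port alone is rejected by the validator
        description
          "Lower bound of the range, or the single port to match.";
      }
      leaf upper-port {
        type inet:port-number;
        must ". >= ../lower-port" {
          error-message
            "upper-port must be greater than or equal to lower-port.";
        }
        description
          "Inclusive upper bound. When absent, lower-port is matched exactly.";
      }
    }
  }
}
```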