Re: [netmod] A few comments on draft-dbb-netmod-acl
mohamed.boucadair@orange.com Mon, 07 November 2022 08:36 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41BA0C1524A0 for <netmod@ietfa.amsl.com>; Mon, 7 Nov 2022 00:36:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.806
X-Spam-Level:
X-Spam-Status: No, score=-2.806 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JT8zPPkyldPs for <netmod@ietfa.amsl.com>; Mon, 7 Nov 2022 00:36:32 -0800 (PST)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.41]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C225FC1522A2 for <netmod@ietf.org>; Mon, 7 Nov 2022 00:36:31 -0800 (PST)
Received: from opfedar03.francetelecom.fr (unknown [xx.xx.xx.5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfedar22.francetelecom.fr (ESMTP service) with ESMTPS id 4N5Pht0HMPz2xlc; Mon, 7 Nov 2022 09:36:30 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1667810190; bh=Bvo9uElq1xZdpiZ6wrhQjRu3N5Br16MNIxROPDj/fuE=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=V6/qJF2ViKcdyhofhx0HUF3VaVpnG03xiksjd1y12MbUNRCp3+NyLqh1TeCBeKT7p d3BgmdILdGnqdS20zW6kxD8K9Ps5f/fuSR1EQXuJy1tWPAYkCUanBSxrQ30R0bc7cu hKiIElAEKT33IH01w5jEE456acf8GaIryPuC1KC9mIcES4WuCXahSS67ysULkmgTOs o57uO9+g8wj70gsF3M1P6l1GwYH38GcZ28S/XmKmdlYpANL59gtwoOE9zRYbBoE+wI njKaS5OwgY/CjJ83WKBPPDsJurYTaKMCrGiuGffXkmrMbLbYUfGnrDN/5pt+cZc/b7 f/ZOtSAFWBeRg==
From: mohamed.boucadair@orange.com
To: Qin Wu <bill.wu@huawei.com>, "netmod@ietf.org" <netmod@ietf.org>
Thread-Topic: A few comments on draft-dbb-netmod-acl
Thread-Index: AdjwkInok2Z0LfrVRjeTYv8K+6kUmAB8eSog
Content-Class:
Date: Mon, 07 Nov 2022 08:36:29 +0000
Message-ID: <22241_1667810189_6368C38D_22241_173_1_ceb8579fa92744d48f53049443c96583@orange.com>
References: <734e92f4dec846d08a8fa2303343e7d9@huawei.com>
In-Reply-To: <734e92f4dec846d08a8fa2303343e7d9@huawei.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Enabled=true; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SetDate=2022-11-07T08:25:15Z; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Method=Privileged; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Name=unrestricted_parent.2; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ActionId=81e77afb-0fef-413b-b915-ec920945e436; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ContentBits=0
x-originating-ip: [10.115.27.51]
Content-Type: multipart/alternative; boundary="_000_ceb8579fa92744d48f53049443c96583orangecom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/loJIQ6C0gk6LroWui3JBrWZY4Ik>
Subject: Re: [netmod] A few comments on draft-dbb-netmod-acl
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Nov 2022 08:36:36 -0000
Hi Qin, Please see inline. Cheers, Med De : Qin Wu <bill.wu@huawei.com> Envoyé : vendredi 4 novembre 2022 21:19 À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>; netmod@ietf.org Objet : RE: A few comments on draft-dbb-netmod-acl Hi, Med: See my follow up comments marked with [Qin-1] 发件人: mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com> <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>> 发送时间: 2022年11月4日 21:58 收件人: Qin Wu <bill.wu@huawei.com<mailto:bill.wu@huawei.com>>; netmod@ietf.org<mailto:netmod@ietf.org> 主题: RE: A few comments on draft-dbb-netmod-acl Hi Qin, Thanks for the comments. Please see inline. Cheers, Med De : netmod <netmod-bounces@ietf.org<mailto:netmod-bounces@ietf.org>> De la part de Qin Wu Envoyé : jeudi 27 octobre 2022 08:08 À : netmod@ietf.org<mailto:netmod@ietf.org> Objet : [netmod] A few comments on draft-dbb-netmod-acl Hi, Oscar: I have read the latest version of draft-dbb-netmod-acl, the problem statement and gap analysis are interesting, here are a few comments on this draft: 1.For problem statement in section 4.3 and section 4.5, I am wondering how do you feel encrypted traffic at the transport layer, e.g., TLS layer or QUIC layer, I feel it is hard, you might read one of presentation slides for IAB MTEN workshop, one gap we identify is ACL fall short to deal with encrypted traffic. [Med] I guess this falls under a match-based on the payload: == 3.7. Payload-based Filtering Some transport protocols use existing protocols (e.g., TCP or UDP) as substrate. The match criteria for such protocols may rely upon the 'protocol' under 'l3', TCP/UDP match criteria, part of the TCP/UDP payload, or a combination thereof. [RFC8519] does not support matching based on the payload. Likewise, the current version of the ACL model does not support filtering of encapsulated traffic. [Qin-1] :Thank for clarification, this is exactly what I am looking for, see additional comment below. === The full augmentation is augment /ietf-acl:acls/ietf-acl:acl/ietf-acl:aces/ietf-acl:ace /ietf-acl:matches: +--rw (payload)? +--:(prefix-pattern) +--rw prefix-pattern {match-on-payload}? +--rw offset? identityref +--rw offset-end? uint64 +--rw operator? operator +--rw prefix? binary Please let us know if you think this does not address the case you have in mind. Thanks. [Qin-1] See the following identity definitions: “ identity layer3 { base offset-type; description "IP header."; } identity layer4 { base offset-type; description "Transport header (e.g., TCP or UDP)."; } identity payload { base offset-type; description "Transport payload. For example, this represents the beginning of the TCP data right after any TCP options."; } ” It looks payload definition is not generic enough to cover layer 3 payload case, when I read “Transport payload. For example, this represents the beginning of the TCP data right after any TCP options.” Transport is usually referred to layer 4, am my understanding correct? [Med] I’m afraid it isn’t. Please note that these identities are used to populate: = leaf offset { type identityref { base offset-type; } description "Indicates the payload offset."; } == for l3 payload cases, a l3 offset type can be used. We will make this change: s/ identity payload/ identity transport-payload Also it would be great to provide xml snippet example for payload based filtering usage. [Med] Yes, will do. But for unencrypted traffic, yes, the ACL extension provide fine granularity access control. [Med] Thanks. _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [netmod] A few comments on draft-dbb-netmod-acl Qin Wu
- Re: [netmod] A few comments on draft-dbb-netmod-a… mohamed.boucadair
- Re: [netmod] A few comments on draft-dbb-netmod-a… Qin Wu
- Re: [netmod] A few comments on draft-dbb-netmod-a… mohamed.boucadair