Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Thu, 11 January 2018 07:00 UTC

Date: Thu, 11 Jan 2018 08:00:01 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: "Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com>, "netmod@ietf.org" <netmod@ietf.org>
Message-ID: <20180111070001.aszydvhhfsrvmjii@elstar.local>
In-Reply-To: <D8DCD665-6630-421D-B055-D4291C3D0C27@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/nVj_znWn23AQxlizD0k-OyUZ4Hc>

On Wed, Jan 10, 2018 at 08:16:13PM -0800, Mahesh Jethanandani wrote:
> 
> 
> > On Jan 10, 2018, at 12:58 AM, Einar Nilsen-Nygaard (einarnn) <einarnn@cisco.com> wrote:
> > 
> > Mahesh,
> > 
> > Two things:
> > 
> > First, I see that you have still left in the “icmp-off” action. This was something both Kristian and I recommended removing, and I also discussed this with Sonal at the end of last year and she agreed that it should probably be removed since it seems at this point (absent anyone pointing out other implementations) to be a Cisco IOS-XR-specific feature that should probably be dealt with via a vendor augmentation initially. Can we remove this?
> 
> You are right. It was discussed, but more to understand why we needed it. Before we remove it, let me clarify why we need it, and if after that the consensus is still to remove it, or move it to a Cisco specific augmentation, we can do it.
> 
> The idea behind having the leaf is for routers to set up a rule to accept ICMP messages, allow the router to process the message, but suggest that a response may be suppressed. That way one can have rules to receive and process ICMP messages like “destination unreachable” or “fragmentation required” that are important for routers/hosts, but prevent rogue machines from discovering machines in a sweeping ping.
>

This sort of thing seems to be done in other implementations by having
different rules for incoming and outgoing traffic; does the acl model
support that?

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
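The alternative raised in the reply above, separate ingress and egress rules instead of an "icmp-off" action, as an added example that is not part of the thread or the draft: a minimal direction-aware ACL evaluator that mirrors the model's concepts (ACEs with match fields and a forwarding action, attached to an interface as ingress and egress lists). The class layout, field names and the implicit-drop default are my own simplification, not the draft's YANG encoding.

```python
from dataclasses import dataclass, field
from typing import Optional

ICMP = 1  # IPv4 protocol number for ICMP

@dataclass
class Ace:
    name: str
    forwarding: str                  # "accept" or "drop"
    protocol: Optional[int] = None   # None means any protocol
    icmp_type: Optional[int] = None  # None means any ICMP type
    icmp_code: Optional[int] = None  # None means any ICMP code

    def matches(self, pkt: dict) -> bool:
        # Every field the ACE specifies must equal the packet's value;
        # unspecified fields are wildcards.
        for key in ("protocol", "icmp_type", "icmp_code"):
            want = getattr(self, key)
            if want is not None and pkt.get(key) != want:
                return False
        return True

@dataclass
class Interface:
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)

    def decide(self, direction: str, pkt: dict) -> str:
        # First matching ACE wins; no match falls through to an implicit
        # drop (an assumption of this example, not the draft's rule).
        for ace in getattr(self, direction):
            if ace.matches(pkt):
                return ace.forwarding
        return "drop"

# Constructed policy: receive and process ICMP errors and echo requests,
# but never emit echo replies, so a sweeping ping gets no answer.
ROUTER = Interface(
    ingress=[
        Ace("in-icmp-unreachable", "accept", ICMP, icmp_type=3),  # type 3 includes code 4, fragmentation needed
        Ace("in-icmp-echo-request", "accept", ICMP, icmp_type=8),
    ],
    egress=[
        Ace("out-icmp-echo-reply", "drop", ICMP, icmp_type=0),
        Ace("out-any", "accept"),
    ],
)

def classify(direction: str, pkt: dict) -> str:
    return ROUTER.decide(direction, pkt)
```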