Re: [netmod] ACL draft issues found during shepherd writeup

"Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com> Tue, 27 February 2018 11:01 UTC

From: "Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com>
To: Eliot Lear <lear@cisco.com>
CC: Mahesh Jethanandani <mjethanandani@gmail.com>, Warren Kumari <warren@kumari.net>, "draft-ietf-netmod-acl-model@ietf.org" <draft-ietf-netmod-acl-model@ietf.org>, "netmod@ietf.org" <netmod@ietf.org>
Date: Tue, 27 Feb 2018 11:01:17 +0000
Message-ID: <DC341012-FDF8-45D3-BCA5-F4B7E1BCC2EE@cisco.com>
References: <14BA9086-69D4-4BAF-A7C7-0EB1F3F400BB@juniper.net> <2864E0CF-D038-4FDA-B69C-FD43F486BF17@gmail.com> <8D3773A8-ECA6-406A-B28D-6DD44F951F10@juniper.net> <02D4541E-FF83-41AD-A026-A1AB857E0A62@gmail.com> <1a4a3f5d-5211-8b13-308e-3b124c836135@cisco.com> <DD6A8E90-53DE-422F-AB91-A3547298A135@gmail.com> <d7bef5fa-b790-2562-c17b-7ef5dc4f3307@cisco.com>
In-Reply-To: <d7bef5fa-b790-2562-c17b-7ef5dc4f3307@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/sL8v9P2rHMR2_xXOuYM3OzMH-YA>
Subject: Re: [netmod] ACL draft issues found during shepherd writeup

What Kristian and I discussed, what Sonal and I had discussed, and what I thought we had accepted as a proposed change was something like:

    choice source-port-range-or-operator {
      case range {
        leaf source-port-lower {
          type inet:port-number;
          must ". <= ../source-port-upper" {
            error-message
              "The source-port-lower must be less than or equal to
               source-port-upper";
          }
          mandatory true;
          description
            "Lower boundary for port.";
        }
        leaf source-port-upper {
          type inet:port-number;
          mandatory true;
          description
            "Upper boundary for port.";
        }
      }
      case operator {
        leaf source-operator {
          type operator;
          mandatory true;
          description
            "Operator to apply to source-port.";
        }
        leaf source-port {
          type inet:port-number;
          mandatory true;
          description
            "Port value to match.";
        }
      }
    }

…and with the same pattern for the destination. The type “operator” was defined as:

  typedef operator {
    type enumeration {
      enum lte {
        description
          "Less than or equal to.";
      }
      enum gte {
        description
          "Greater than or equal to.";
      }
      enum eq {
        description
          "Equal to.";
      }
      enum neq {
        description
          "Not equal to.";
      }
    }
  }

Cheers,

Einar
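As an added illustration (not code from the draft, the pull request or anyone in this thread), the following Python mirrors what an implementation of the proposed choice has to enforce and evaluate: exactly one case present, the mandatory leaves, the `must` on source-port-lower, the inet:port-number range, and the lte/gte/eq/neq semantics of the `operator` typedef. Instances are plain dicts keyed by leaf name; `is_valid` and `port_matches` are hypothetical helper names.

```python
"""Validate and evaluate the proposed 'source-port-range-or-operator' choice.

Added example, not part of the ACL draft. An instance is a dict whose keys are
the YANG leaf names of whichever case is present.
"""

# Semantics of the 'operator' enumeration: compare the packet port to the leaf value.
OPERATORS = {
    "lte": lambda port, value: port <= value,
    "gte": lambda port, value: port >= value,
    "eq":  lambda port, value: port == value,
    "neq": lambda port, value: port != value,
}

def validate(node: dict) -> None:
    """Raise ValueError where a YANG validator would reject the instance."""
    in_range = {"source-port-lower", "source-port-upper"} & node.keys()
    in_op = {"source-operator", "source-port"} & node.keys()
    if bool(in_range) == bool(in_op):        # choice: exactly one case
        raise ValueError("exactly one of case 'range' or case 'operator' is required")
    if in_range:
        lower, upper = node.get("source-port-lower"), node.get("source-port-upper")
        if lower is None or upper is None:   # both leaves are mandatory
            raise ValueError("source-port-lower and source-port-upper are mandatory")
        ports = (lower, upper)
    else:
        op, port = node.get("source-operator"), node.get("source-port")
        if op not in OPERATORS or port is None:
            raise ValueError("source-operator and source-port are mandatory")
        ports = (port,)
    for p in ports:                           # type inet:port-number
        if not isinstance(p, int) or not 0 <= p <= 65535:
            raise ValueError(f"{p!r} is not an inet:port-number")
    if in_range and lower > upper:            # the 'must' on source-port-lower
        raise ValueError("The source-port-lower must be less than or equal to source-port-upper")

def is_valid(node: dict) -> bool:
    try:
        validate(node)
        return True
    except ValueError:
        return False

def port_matches(node: dict, port: int) -> bool:
    """Decide whether a packet's source port satisfies the (validated) node."""
    validate(node)
    if "source-port-lower" in node:
        return node["source-port-lower"] <= port <= node["source-port-upper"]
    return OPERATORS[node["source-operator"]](port, node["source-port"])

# Constructed instances mirroring the two XML examples quoted later in the thread.
EPHEMERAL = {"source-port-lower": 16384, "source-port-upper": 65535}
FTP_CONTROL = {"source-operator": "eq", "source-port": 21}
```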


On 27 Feb 2018, at 09:20, Eliot Lear <lear@cisco.com> wrote:


This edit doesn't seem correct to me because now we have a choice with a single case, with range having been removed.  Can we please revert and proceed?

On 26.02.18 20:24, Mahesh Jethanandani wrote:
A pull request to address LC, shepherd, this and the other comments, including derived-from(), can be reviewed here:

https://github.com/netmod-wg/acl-model/pull/24

Thanks.

On Feb 26, 2018, at 12:15 AM, Eliot Lear <lear@cisco.com> wrote:



On 26.02.18 06:55, Mahesh Jethanandani wrote:



 PS: And this is not a shepherd directive, but I found the whole
     "source-port-range-or-operator" syntax clumsy.  I'm surprised
     it didn't look something like:

         OLD
               <source-port-range-or-operator>
                  <port-range-or-operator>
                    <range>
                      <lower-port>16384</lower-port>
                      <upper-port>65535</upper-port>
                    </range>
                  </port-range-or-operator>
               </source-port-range-or-operator>

               <source-port-range-or-operator>
                 <port-range-or-operator>
                   <operator>
                     <operator>eq</operator>
                     <port>21</port>
                   </operator>
                 </port-range-or-operator>
               </source-port-range-or-operator>

         NEW

               <source-port>
                 <range>
                   <lower>16384</lower>
                   <upper>65535</upper>
                 </range>
               </source-port>

               <source-port>
                 <operator>
                   <operator>eq</operator>
                   <port>21</port>
                 </operator>
               </source-port>

Did you try making the change in the model to see if it works? It will complain that <range> is already used within the container and that it cannot be repeated (for destination-port).

<KENT> No, I did not, nor do I intend to get that deep into it.  But I recall that Kristian made the same comment before, and was making pull requests before, so maybe he can suggest something?

Kristian’s suggestion requires changing the module. It is not an editorial change. And that change will have an impact on the MUD draft, which has been sent for publication.


As it happens, we found a bug in our augment statements, and so we will need to rev one more time.  If the change can be made quickly, I can live with it.

Eliot

Mahesh Jethanandani
mjethanandani@gmail.com

