Re: [netmod] Alissa Cooper's Discuss on draft-ietf-netmod-acl-model-19: (with DISCUSS and COMMENT)
Mahesh Jethanandani <mjethanandani@gmail.com> Thu, 27 September 2018 01:18 UTC
Return-Path: <mjethanandani@gmail.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44BCA127AC2; Wed, 26 Sep 2018 18:18:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PeSVNf7MBE3n; Wed, 26 Sep 2018 18:18:01 -0700 (PDT)
Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D612412777C; Wed, 26 Sep 2018 18:18:00 -0700 (PDT)
Received: by mail-pf1-x432.google.com with SMTP id a23-v6so581287pfi.12; Wed, 26 Sep 2018 18:18:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=Thhz7s5tw6LO115DGwHoJ2/kwxiBYOfH01erqprzj0I=; b=LxMLP+iL6trRcEnwBegMVI6qSQA1WhU6EK+LE5iysmBoUyDPO4GoTFFyS75b1xQYLT O6mpx/OvlWjbhuIUq2ans2o9h9xtaOM5CHiRegum1HznJEuHxDNHXBJMPta2clvF0Gsf yLD20Pb15mCv5Ci3NNBUqNVGQDH4txKVn+zfLJV/e9NOPmi/1B34vMuk0xNWuQ8oR7yO dwjZki/1yKM1pgFexvMb5zyxyKUYY2E4UHuo6UyUjFkV1555czQqbT0hZHMnmyIrGpo1 8b1s4EQN+aHiW10EoVbWNFkwPa4gVsZT96yI8BuNlxXPPa2mEKQolouNkI5eql769nB+ e6VA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=Thhz7s5tw6LO115DGwHoJ2/kwxiBYOfH01erqprzj0I=; b=cVVNnqD9CiFQBGuWduOeXZEQTNSqJ9VBuCTjq99J7KhJStupQtqV0oDe9yExQFU1Sc QqHIJByZc5gJGz9JfRw3OwjhR7g+wIw7/AQ1vcSCB4kc3c73Z+zpArvzvF2ziKqbob1s foWB+PjJOGJZHqNXl3KMbStP0iIGGnK9t3BV9rnlSlc1i1koeGhY0xARrrPr/KSYODow tLTLllJyLdfix9+ONWLsJSaWv//weVGmG48ngjwPbsX+mNjDGVQGRito/TE1WeNhwzfI ShKBFiZFCiky+t62/ACA1A8MQpXDCVEUDmxPKG28MZsdENUUOoX4NbVeUV1zx3KMDVtG JWNQ==
X-Gm-Message-State: ABuFfohY2grB4r/B11oKbLdRxF2l6/lllksSDYMwZBLYphelTEukfONg Ijn/d2Op/HGa3qQZ9xR+oD7gzN1N
X-Google-Smtp-Source: ACcGV62d5POMNGojosLwsPLk39cW+7BNkJHKx2ZlWwzF0FckX7MCmm/1xnY705KvBPpTQuOnr+4GGg==
X-Received: by 2002:a17:902:59dd:: with SMTP id d29-v6mr8477025plj.34.1538011080171; Wed, 26 Sep 2018 18:18:00 -0700 (PDT)
Received: from [10.52.174.170] ([66.170.99.1]) by smtp.gmail.com with ESMTPSA id b126-v6sm390939pga.49.2018.09.26.18.17.58 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 26 Sep 2018 18:17:59 -0700 (PDT)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <34DE6585-7203-4A6A-AF99-E729448DCB9C@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DA11A6BB-5A0D-4A6B-8DCF-4FC7C78F3085"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Wed, 26 Sep 2018 18:17:58 -0700
In-Reply-To: <153799720002.21677.12855832165853636792.idtracker@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-netmod-acl-model@ietf.org, Kent Watsen <kwatsen@juniper.net>, NetMod WG Chairs <netmod-chairs@ietf.org>, netmod@ietf.org
To: Alissa Cooper <alissa@cooperw.in>
References: <153799720002.21677.12855832165853636792.idtracker@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/tr1OCfHX9x-LGM0UoMUzUsLc_KY>
Subject: Re: [netmod] Alissa Cooper's Discuss on draft-ietf-netmod-acl-model-19: (with DISCUSS and COMMENT)
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2018 01:18:03 -0000
Hi Alissa, > On Sep 26, 2018, at 2:26 PM, Alissa Cooper <alissa@cooperw.in> wrote: > > Alissa Cooper has entered the following ballot position for > draft-ietf-netmod-acl-model-19: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-netmod-acl-model/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > We previously had a work item we were tracking with the IEEE leadership around > the IEEE writing a YANG module for ethertypes. I just wanted to check that the > IEEE is aware that this document is defining a placeholder module for > ethertypes until such time that they define one. They were told as much in the joint IETF-IEEE meeting. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Sec 1: > > s/Policy Based Routing, Firewalls etc./policy-based routing, firewalls, etc./ Isn’t Policy Based Routing (PBR) and particular form of routing, with its own acronym and all? I can make the F in Firewalls, lowercase. > > "The matching of filters and actions in an ACE/ACL are triggered only > after application/attachment of the ACL to an interface, VRF, vty/tty > session, QoS policy, routing protocols amongst various other config > attachment points.” > > This is a sentence fragment. How about this: OLD: The matching of filters and actions in an ACE/ACL are triggered only after application/attachment of the ACL to an interface, VRF, vty/tty session, QoS policy, routing protocols amongst various other config attachment points. NEW: The matching of filters and actions in an ACE/ACL are triggered only after the application/attachment of the ACL to an interface, VRF, vty/tty session, QoS policy, or routing protocols amongst various other config attachment points. > > s/in the ACE's/in the ACEs/ Ok. > > Sec 3.1: > > "There are two YANG modules in the model." > > Is this technically correct, given that ietf-ethertypes is also defined here? > > Also, I don't think the definition of ietf-ethertypes belongs in an appendix > under the heading "Extending ACL model examples." I can imagine that other > modules will want to import this module and that seems like a strange place to > put it. That is what we could agree with IEEE on. > > Sec 4.1: > > For avoidance of confusion, I would suggest replacing "l2," "l3," and "l4" with > "layer2," "layer3," and "layer4," respectively. I would object to making these changes in the model, particularly since the description already defines what they are. > > s/Definitions of action for this ace entry/Definitions of action for this ACE > entry/ It is referring to the node ‘ace’ defined in the module. > > s/Specifies the forwarding action per ace entry/Specifies the forwarding action > per ACE entry/ Same as above. > > Sec 4.2: > > "This module imports definitions from Common YANG Data Types [RFC6991] > and references IP [RFC0791], ICMP [RFC0792], Definition of the > Differentiated Services Field in the IPv4 and IPv6 Headers [RFC2474], > The Addition of Explicit Congestion Notification (ECN) to IP > [RFC3168], , IPv6 Scoped Address Architecture [RFC4007], IPv6 > Addressing Architecture [RFC4291], A Recommendation for IPv6 Address > Text Representation [RFC5952], IPv6 [RFC8200]." > > It looks like something is missing from this list, possibly RFC 793. Ok. > > Sec 5: > > In this section or elsewhere it would be nice to see a sentence noting that > this YANG model allows the configuration of packet logging, which if used would > additionally warrant protections against unauthorized log access and a logs > retention policy. How about this addition to the section under list of subtrees and data nodes that are sensitive and vulnerable: /acls/acl/aces/ace/actions/logging: This node specifies ability to log packets that match this ace entry. Unauthorized write access to this node can allow intruders to enable logging on one or many ace entries, overwhelming the server in the process. Unauthorized read access of this node can allow intruders to access logging information, which could be used to attack the server. Thanks. Mahesh Jethanandani mjethanandani@gmail.com
- [netmod] Alissa Cooper's Discuss on draft-ietf-ne… Alissa Cooper
- Re: [netmod] Alissa Cooper's Discuss on draft-iet… Mahesh Jethanandani
- Re: [netmod] Alissa Cooper's Discuss on draft-iet… Suresh Krishnan
- Re: [netmod] Alissa Cooper's Discuss on draft-iet… Alissa Cooper