Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14

"Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com> Thu, 11 January 2018 08:05 UTC

From: "Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: Mahesh Jethanandani <mjethanandani@gmail.com>, "netmod@ietf.org" <netmod@ietf.org>
Thread-Topic: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14
Thread-Index: AQHTbr9cXtHryOdSBU6fXjbxU9aeHqM3Cy0AgAqwcwCAAFeRgIAAzEsAgACvpICAAshNAIABc5kAgAAzf4CAAXAVAIAjiDCAgABhzICAAUOSgIAALcSA//++aBQ=
Date: Thu, 11 Jan 2018 08:05:15 +0000
Message-ID: <02CF0DC6-AC89-4BDF-9B0A-7B0C313D0A86@cisco.com>
References: <2C381B09-15D6-417D-A70D-7C6818306FFC@gmail.com> <CAMMHi8ge4cbrVgRK8=xtJLNYCG1+p+Jh6pFeCy9sEMZP674FHQ@mail.gmail.com> <2826EF6B-A6A6-4FDA-9F30-21830D748C51@cisco.com> <0F43CDE9-21D2-4ED7-AE7C-9A2B9F854101@cisco.com> <fe8b601a-2a02-8011-b913-a49f2f486971@cisco.com> <5299E333-F1F3-4781-B467-0BFB271A4915@cisco.com> <5dd3a635-61ce-8dee-3472-589cda19fcbb@cisco.com> <3490D0AB-B7F0-4048-83F1-8151AA034E20@gmail.com> <E2A33B74-9D0B-4964-8280-FF931CA1D330@cisco.com> <D8DCD665-6630-421D-B055-D4291C3D0C27@gmail.com>, <20180111070001.aszydvhhfsrvmjii@elstar.local>
In-Reply-To: <20180111070001.aszydvhhfsrvmjii@elstar.local>
Accept-Language: en-US
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/vzBLd0pCMW4aRZZSxpLtsHj4tuA>
Subject: Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14

Yes, the ACL model supports ingress and egress rules that can be different.


> On Jan 11, 2018, at 07:00, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:
> 
>> On Wed, Jan 10, 2018 at 08:16:13PM -0800, Mahesh Jethanandani wrote:
>> 
>> 
>>> On Jan 10, 2018, at 12:58 AM, Einar Nilsen-Nygaard (einarnn) <einarnn@cisco.com> wrote:
>>> 
>>> Mahesh,
>>> 
>>> Two things:
>>> 
>>> First, I see that you have still left in the “icmp-off” action. This was something both Kristian and I recommended removing, and I also discussed this with Sonal at the end of last year and she agreed that it should probably be removed since it seems at this point (absent anyone pointing out other implementations) to be a Cisco IOS-XR-specific feature that should probably be dealt with via a vendor augmentation initially. Can we remove this?
>> 
>> You are right. It was discussed, but more to understand why we needed it. Before we remove it, let me clarify why we need it, and if after that the consensus is still to remove it, or move it to a Cisco specific augmentation, we can do it.
>> 
>> The idea behind having the leaf is for routers to set up a rule to accept ICMP messages, allow the router to process the message, but suggest that a response may be suppressed. That way one can have rules to receive and process ICMP messages like “destination unreachable” or “fragmentation required” that are important for routers/hosts, but prevent rogue machines from discovering machines in a sweeping ping.
>> 
> 
> This sort of thing seems to be done in other implementations by having
> different rules for incoming and outgoing traffic; does the acl model
> support that?
> 
> /js
> 
> -- 
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
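The ingress/egress split Juergen asks about, as an added example that is not part of this thread or of the draft: a small Python evaluator that expresses the policy Mahesh describes (accept the ICMP messages a router needs, but answer no ping sweep) with one ACL attached on ingress and a different one on egress, rather than with an icmp-off action. The data layout (acls/acl/aces/ace/matches/actions and attachment-points/interface/ingress|egress/acl-sets) follows the published ACL model as the author of this example understands it and is a simplification, not the draft's exact schema; the interface name, ACL names, match fields and the "accept when nothing is attached" default are all constructed for the example.

```python
"""Added example, not code from the netmod thread or the ACL draft.

Models two ACLs attached to the same interface in different directions:
  ingress: accept the ICMP messages a router must process, drop the rest
  egress:  drop ICMP echo replies so a ping sweep learns nothing
The container/list names below mimic the published ACL model but are a
simplified, assumed layout, not the draft's exact schema.
"""

# Constructed configuration (assumed layout, see docstring).
ACL_CONFIG = {
    "acls": {
        "acl": [
            {
                "name": "icmp-in",
                "aces": {"ace": [
                    # Path MTU discovery: destination unreachable, fragmentation needed.
                    {"name": "frag-needed", "matches": {"icmp": {"type": 3, "code": 4}},
                     "actions": {"forwarding": "accept"}},
                    # Other destination-unreachable messages.
                    {"name": "dest-unreach", "matches": {"icmp": {"type": 3}},
                     "actions": {"forwarding": "accept"}},
                    # Echo requests may still be processed; the reply is stopped on egress.
                    {"name": "echo-req", "matches": {"icmp": {"type": 8}},
                     "actions": {"forwarding": "accept"}},
                    # Empty match set acts as a catch-all.
                    {"name": "deny-rest", "matches": {},
                     "actions": {"forwarding": "drop"}},
                ]},
            },
            {
                "name": "icmp-out",
                "aces": {"ace": [
                    # Echo replies never leave the box.
                    {"name": "no-echo-reply", "matches": {"icmp": {"type": 0}},
                     "actions": {"forwarding": "drop"}},
                    {"name": "permit-rest", "matches": {},
                     "actions": {"forwarding": "accept"}},
                ]},
            },
        ]
    },
    "attachment-points": {
        "interface": [
            {"interface-id": "eth0",  # constructed interface name
             "ingress": {"acl-sets": {"acl-set": [{"name": "icmp-in"}]}},
             "egress": {"acl-sets": {"acl-set": [{"name": "icmp-out"}]}}},
        ]
    },
}


def _acl_by_name(config, name):
    """Look up an ACL by its list key."""
    for acl in config["acls"]["acl"]:
        if acl["name"] == name:
            return acl
    raise KeyError(f"ACL {name!r} referenced from an attachment point but not defined")


def _ace_matches(matches, pkt):
    """An ACE matches when every field it specifies equals the packet's field;
    an empty match set matches everything."""
    icmp = matches.get("icmp")
    if icmp is None:
        return True
    if pkt.get("proto") != "icmp":
        return False
    return all(icmp[f] == pkt.get(f) for f in ("type", "code") if f in icmp)


def evaluate(config, interface_id, direction, pkt):
    """Return the forwarding action ('accept' or 'drop') for pkt on the given
    interface and direction ('ingress' or 'egress'). ACL sets and ACEs are
    walked in order and the first match wins. If nothing is attached in that
    direction the example's chosen default is 'accept'."""
    for intf in config["attachment-points"]["interface"]:
        if intf["interface-id"] != interface_id:
            continue
        acl_sets = intf.get(direction, {}).get("acl-sets", {}).get("acl-set", [])
        for acl_set in acl_sets:
            for ace in _acl_by_name(config, acl_set["name"])["aces"]["ace"]:
                if _ace_matches(ace["matches"], pkt):
                    return ace["actions"]["forwarding"]
    return "accept"


def ping_sweep_visible(config, interface_id):
    """True only if an echo request is accepted inbound AND the echo reply is
    permitted outbound, i.e. a remote sweep would see this host answer."""
    req = {"proto": "icmp", "type": 8, "code": 0}
    rep = {"proto": "icmp", "type": 0, "code": 0}
    return (evaluate(config, interface_id, "ingress", req) == "accept"
            and evaluate(config, interface_id, "egress", rep) == "accept")


if __name__ == "__main__":
    frag = {"proto": "icmp", "type": 3, "code": 4}
    print("frag-needed inbound:", evaluate(ACL_CONFIG, "eth0", "ingress", frag))
    print("sweep visible:", ping_sweep_visible(ACL_CONFIG, "eth0"))
```

The point the two ACLs make is that the "accept but do not answer" behaviour lives in the egress rule, so the ingress ACL can stay a plain allow-list of the ICMP types the box must process, and nothing in the model has to carry a vendor-specific suppression flag.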