Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14

Juergen Schoenwaelder <> Thu, 02 November 2017 08:21 UTC

Date: Thu, 02 Nov 2017 09:19:50 +0100
From: Juergen Schoenwaelder <>
To: Mahesh Jethanandani <>
Cc: Kristian Larsson <>, "" <>
Message-ID: <20171102081950.osk2tqkfkertbg2b@elstar.local>

On Thu, Nov 02, 2017 at 06:13:04AM +0630, Mahesh Jethanandani wrote:
> Take the case where the desired selection is l2,-l3, ipv4 and ipv6. The current tree looks like this:

> whereas, if the design went with one match container with each group of leafs in their own container (to support the if-feature statement for that container), the tree would look like this:

> The difference though is small and comes down to a preference. Select one feature statement and get one container with everything in it, or define multiple feature statements and assemble together the pieces to define the ACE entry.

Well, you leave out all the duplication you have and you leave out
that the client needs to calculate where to configure an acl based on
the feature set of a server. Copying the acl from one system to
another requires adjusting containers for no good reason.

The number of feature combinations will grow soon out of control and
things get worse if vendors follow the direction and define vendor
specific feature combinations and associated containers.

> > BTW, how do I filter on TCP flags in combination with
> > a source IP address? There seem to be reasonable combinations of
> > features not even covered.
> If the platform has declared support for feature that includes ipv4 (and/or ipv6) and tcp-acl, for a given ACE entry, it should be able to define a match filter that includes both the source IP address and the TCP flags. Do you see something that prevents it?

So if tcp-acl can be combined with other acls, why do I need in other
places of the data model combinations like l2-l3-ipv4-ipv6-acl? Why do
I not have tcp-acl, eth-acl, ipv4-acl, and ipv6-acl? (Note that l2-acl
is somewhat of a misnomer, hence I used eth-acl instead.)


Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <>
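As an added illustration, not the draft's own module and not code from either participant, the following hypothetical YANG module shows the layout argued for above: one feature per match layer (eth-acl, ipv4-acl, ipv6-acl and tcp-acl, the names used in the mail) and a single matches container whose per-layer sub-containers each carry exactly one if-feature, instead of one feature and one container per combination of layers such as l2-l3-ipv4-ipv6-acl. The module name, namespace, leaf names, types and the acl/ace list structure are assumptions chosen for this example and do not reproduce the draft's actual leaf set.

```yang
module example-acl-orthogonal {
  yang-version 1.1;
  namespace "urn:example:acl-orthogonal";   // hypothetical namespace
  prefix exacl;

  import ietf-inet-types { prefix inet; }
  import ietf-yang-types { prefix yang; }

  description
    "Illustrative module (not the netmod ACL draft): one feature per
     match layer and one 'matches' container with per-layer
     sub-containers, each guarded by a single if-feature.";

  // One feature per layer. A server advertises the subset it supports;
  // no feature names a combination of layers.
  feature eth-acl  { description "Server can match Ethernet header fields."; }
  feature ipv4-acl { description "Server can match IPv4 header fields."; }
  feature ipv6-acl { description "Server can match IPv6 header fields."; }
  feature tcp-acl  { description "Server can match TCP header fields."; }

  typedef tcp-flags-bits {
    type bits {
      bit fin { position 0; }
      bit syn { position 1; }
      bit rst { position 2; }
      bit psh { position 3; }
      bit ack { position 4; }
      bit urg { position 5; }
    }
    description "TCP control bits; illustrative encoding for this example.";
  }

  container acls {
    list acl {
      key "name";
      leaf name { type string; }
      container aces {
        list ace {
          key "name";
          leaf name { type string; }

          container matches {
            // An ACE fills in whichever sub-containers it needs. Matching
            // TCP flags together with a source IPv4 address means
            // populating 'ipv4' and 'tcp' below; no dedicated
            // ipv4-tcp container or feature is required.
            container eth {
              if-feature "eth-acl";
              leaf source-mac-address      { type yang:mac-address; }
              leaf destination-mac-address { type yang:mac-address; }
              leaf ethertype               { type uint16; }
            }

            // IPv4 and IPv6 headers are mutually exclusive in one packet,
            // so that constraint is expressed with a choice (shorthand
            // cases), not with a per-combination container.
            choice l3 {
              container ipv4 {
                if-feature "ipv4-acl";
                leaf source-ipv4-network      { type inet:ipv4-prefix; }
                leaf destination-ipv4-network { type inet:ipv4-prefix; }
                leaf protocol                 { type uint8; }
              }
              container ipv6 {
                if-feature "ipv6-acl";
                leaf source-ipv6-network      { type inet:ipv6-prefix; }
                leaf destination-ipv6-network { type inet:ipv6-prefix; }
                leaf next-header              { type uint8; }
              }
            }

            container tcp {
              if-feature "tcp-acl";
              leaf source-port      { type inet:port-number; }
              leaf destination-port { type inet:port-number; }
              leaf flags            { type tcp-flags-bits; }
            }
          }

          container actions {
            leaf forwarding {
              type enumeration {
                enum accept;
                enum drop;
                enum reject;
              }
              mandatory true;
            }
          }
        }
      }
    }
  }
}
```

With this layout an ACE that filters on TCP SYN from a given IPv4 prefix sets matches/ipv4/source-ipv4-network and matches/tcp/flags and nothing else; the same instance data is valid on every server that advertises ipv4-acl and tcp-acl, whatever other layers that server supports, so the client does not compute a container path from the server's feature set and nothing moves between containers when the ACL is copied. With n orthogonal layers the module needs n features and n sub-containers; naming one feature and one container per combination of layers needs up to 2^n - 1 of them and still cannot express any combination the module author (or a vendor augmenting it) did not enumerate.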