Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14

"Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com> Thu, 14 December 2017 18:50 UTC

Return-Path: <einarnn@cisco.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E11BE12946F for <netmod@ietfa.amsl.com>; Thu, 14 Dec 2017 10:50:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.519
X-Spam-Level:
X-Spam-Status: No, score=-14.519 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rd6Zh8jbALiu for <netmod@ietfa.amsl.com>; Thu, 14 Dec 2017 10:50:15 -0800 (PST)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B58D412946A for <netmod@ietf.org>; Thu, 14 Dec 2017 10:50:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=22274; q=dns/txt; s=iport; t=1513277415; x=1514487015; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=Su4NhFfeNbXJJhVdErogcSvejWXbJIC+jaSsFLvLWPw=; b=TQOPbc8LBJ5bK7tedjzqRVPGxae8hu99ywZdH91+K3kcu0fI38NQsqAf TZFRXpV+FCNaGSq79jop5tP+ahIHrqO6hG41yvYBq8F2UojiXcrsJ2u8F QSSBqGRavFZhedpMYjOYvLtohywatXBST5OfnD9h3kc3MGz8UZNbL2lPm A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DhAQDMxjJa/5hdJa1dGQEBAQEBAQEBA?= =?us-ascii?q?QEBAQcBAQEBAYMPL2Z0JweDe4ohjwaKeYhMhU6CFQoYAQqESU8CGoRdPxgBAQE?= =?us-ascii?q?BAQEBAQFrKIUkAgEDAQEhBEcLEAIBCA4xAwICAh8GCxQRAgQOBYlGTAMVEKkxg?= =?us-ascii?q?W06hzYNgxsBAQEBAQEBAQEBAQEBAQEBAQEBAQEYBYNlgg6DPymDAoJqRAGBbYM?= =?us-ascii?q?WMYIyBZIVhz6JFT0Ch3uIL4R+k2yNFT6FV4MWAhEZAYE6AR85gU5vFToqAYF+P?= =?us-ascii?q?4Fbgjx4iUGBFQEBAQ?=
X-IronPort-AV: E=Sophos; i="5.45,401,1508803200"; d="scan'208,217"; a="44698446"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Dec 2017 18:50:14 +0000
Received: from XCH-RTP-006.cisco.com (xch-rtp-006.cisco.com [64.101.220.146]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id vBEIoEwr023110 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 14 Dec 2017 18:50:14 GMT
Received: from xch-rtp-009.cisco.com (64.101.220.149) by XCH-RTP-006.cisco.com (64.101.220.146) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Thu, 14 Dec 2017 13:50:13 -0500
Received: from xch-rtp-009.cisco.com ([64.101.220.149]) by XCH-RTP-009.cisco.com ([64.101.220.149]) with mapi id 15.00.1320.000; Thu, 14 Dec 2017 13:50:13 -0500
From: "Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com>
To: Sonal Agarwal <sagarwal12@gmail.com>
CC: Mahesh Jethanandani <mjethanandani@gmail.com>, "netmod@ietf.org" <netmod@ietf.org>, Kristian Larsson <kll@spritelink.net>
Thread-Topic: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14
Thread-Index: AQHTbr9cXtHryOdSBU6fXjbxU9aeHqM3Cy0AgAqwcwCAAFeRgIAAzEsAgACvpIA=
Date: Thu, 14 Dec 2017 18:50:13 +0000
Message-ID: <2826EF6B-A6A6-4FDA-9F30-21830D748C51@cisco.com>
References: <20171102074318.GC12688@spritelink.se> <6359CD50-0F0D-4315-A58B-1D4CF0583475@gmail.com> <ac9fc676-80f7-723d-9a85-c99fbb122476@cisco.com> <20171102.132634.1363976895007772742.mbj@tail-f.com> <c90aa6c1-340e-2225-f960-73c1395041c5@cisco.com> <20171102164149.GD12688@spritelink.se> <6d6a1b2a-23f8-8bff-a01e-6d13cc73d92f@cisco.com> <20171103084231.GE12688@spritelink.se> <B63D5700-C13B-4D2D-9439-0E4471906374@gmail.com> <a75cf59c-7f5e-0b3b-0ace-ec9be9f67116@cisco.com> <37FA28D8-6799-491C-94CB-04237766E4D3@cisco.com> <2C381B09-15D6-417D-A70D-7C6818306FFC@gmail.com> <CAMMHi8ge4cbrVgRK8=xtJLNYCG1+p+Jh6pFeCy9sEMZP674FHQ@mail.gmail.com>
In-Reply-To: <CAMMHi8ge4cbrVgRK8=xtJLNYCG1+p+Jh6pFeCy9sEMZP674FHQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.4.7)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.61.210.168]
Content-Type: multipart/alternative; boundary="_000_2826EF6BA6A64FDA9F3021830D748C51ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/z_h98S8NPW-HefYC8yqTtJNeVhs>
Subject: Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Dec 2017 18:50:23 -0000


On 14 Dec 2017, at 08:21, Sonal Agarwal <sagarwal12@gmail.com<mailto:sagarwal12@gmail.com>> wrote:

Hi Einar,

You had 3 questions for me on all the several e-mail threads.
1. Global attachment point
2. icmp-off
3. acl-aggregate-interface stats.

For (1), my first preference is to have the model define attachment point for interfaces only.

einarnn> I have some diffs, layered on top of Mahesh’s PR to netmod-wg/acl-model that do this. Nearly like the augmentation I have below. Feel free to take a look at:

https://github.com/mjethanandani/acl-model/pull/3

However, Kristian wants the global attachment point as well so that he can add the ACL to the linux tables.

einarnn> I think Kristian doesn’t feel a global attachment point needs to be in this first revision. But he can confirm.

If an ACL is attached globally, does this mean it is per direction or does it mean it is across directions?

einarnn> I don’t know right now :-)

This global ACL may not be applicable to any of Cisco's service provider routers as I don't see any platform actually replicating the ACL to all line cards and attaching it in ingress and egress directions across all interfaces.

einarnn> Per other emails, I don’t think we understand this enough yet to specify it, so I suggest we just leave it out for now. Nothing in the model prevents a “global attachment point” being added later once we understand what it really means.

For (2), I am ok with removing icmp-off.

einarnn> Done in my PR above.

For (3), this would have to be a combination of ACL stats across all interfaces for all ACL's. Something like this is possible on an XR box where ACES have counter names associated with it. Let's chat about this offline tomorrow.

einarnn> I’ll ping you to clarify, and we can bring any conclusion back to the list.

Cheers,

Einar



Sonal.


On Wed, Dec 13, 2017 at 12:10 PM, Mahesh Jethanandani <mjethanandani@gmail.com<mailto:mjethanandani@gmail.com>> wrote:
We want to support “global” attachment point down the line, and that “global” attachment point will be one of the choices (the other being the interface), what would this augment look like. Note, as far as I know, you cannot augment inside a choice node.

On Dec 13, 2017, at 6:57 AM, Einar Nilsen-Nygaard (einarnn) <einarnn@cisco.com<mailto:einarnn@cisco.com>> wrote:

Perhaps like this, as an augmentation to the interface:

  augment /if:interfaces/if:interface:
    +--rw ingress-acls
    |  +--rw acl-sets
    |     +--rw acl-set* [name]
    |        +--rw name              -> /access-lists/acl/name
    |        +--rw type?             -> /access-lists/acl/type
    |        +--ro ace-statistics* [name] {interface-stats}?
    |           +--ro name               -> /access-lists/acl/aces/ace/name
    |           +--ro matched-packets?   yang:counter64
    |           +--ro matched-octets?    yang:counter64
    +--rw egress-acls
       +--rw acl-sets
          +--rw acl-set* [name]
             +--rw name              -> /access-lists/acl/name
             +--rw type?             -> /access-lists/acl/type
             +--ro ace-statistics* [name] {interface-stats}?
                +--ro name               -> /access-lists/acl/aces/ace/name
                +--ro matched-packets?   yang:counter64
                +--ro matched-octets?    yang:counter64

Could also put an “aces” container above both these & rename “ingress-acls" to “ingress”, etc. to give a single root for the augmentation if preferred.

Cheers,

Einar


On 6 Dec 2017, at 19:43, Eliot Lear <lear@cisco.com<mailto:lear@cisco.com>> wrote:



On 12/6/17 7:23 PM, Mahesh Jethanandani wrote:
How does one move the interface attachment point, currently an
'interface-ref', to an augmentation of the if:interfaces/interface,
inside of the ‘acl’  container? Down the line we might need to have an
container for "attachment points" to accommodate the possibility of
attaching an ACL either to an interface or “globally”.


Keeping in mind that one use is that an ACL doesn't attach to an
interface at all.

_______________________________________________
netmod mailing list
netmod@ietf.org<mailto:netmod@ietf.org>
https://www.ietf.org/mailman/listinfo/netmod


Mahesh Jethanandani
mjethanandani@gmail.com<mailto:mjethanandani@gmail.com>


_______________________________________________
netmod mailing list
netmod@ietf.org<mailto:netmod@ietf.org>
https://www.ietf.org/mailman/listinfo/netmod