IETF Logo Mail Archive

Re: [OPSAWG] Review of draft-ma-opsawg-ucl-acl

"maqiufang (A)" <maqiufang1@huawei.com> Thu, 01 December 2022 12:48 UTC

Return-Path: <maqiufang1@huawei.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C05A0C14F740; Thu, 1 Dec 2022 04:48:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UaC5PtLGDIh5; Thu, 1 Dec 2022 04:47:55 -0800 (PST)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4944CC14F73D; Thu, 1 Dec 2022 04:47:55 -0800 (PST)
Received: from fraeml703-chm.china.huawei.com (unknown [172.18.147.226]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4NNG4f4jpxz67tKy; Thu, 1 Dec 2022 20:45:06 +0800 (CST)
Received: from kwepemm000019.china.huawei.com (7.193.23.135) by fraeml703-chm.china.huawei.com (10.206.15.52) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2375.31; Thu, 1 Dec 2022 13:47:52 +0100
Received: from kwepemm600017.china.huawei.com (7.193.23.234) by kwepemm000019.china.huawei.com (7.193.23.135) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Thu, 1 Dec 2022 20:47:50 +0800
Received: from kwepemm600017.china.huawei.com ([7.193.23.234]) by kwepemm600017.china.huawei.com ([7.193.23.234]) with mapi id 15.01.2375.031; Thu, 1 Dec 2022 20:47:50 +0800
From: "maqiufang (A)" <maqiufang1@huawei.com>
To: "jclarke@cisco.com" <jclarke@cisco.com>, "opsawg@ietf.org" <opsawg@ietf.org>
CC: "draft-ma-opsawg-ucl-acl@ietf.org" <draft-ma-opsawg-ucl-acl@ietf.org>
Thread-Topic: Review of draft-ma-opsawg-ucl-acl
Thread-Index: AQHZA177bfAdnOY2G02M0faCVVSnpa5VhtDAgABY7l6AAom9QA==
Date: Thu, 01 Dec 2022 12:47:50 +0000
Message-ID: <c21af6f18fa54f6a810e29a7b818a739@huawei.com>
References: <BN9PR11MB53718FC006165F39E4D3E39BB8139@BN9PR11MB5371.namprd11.prod.outlook.com> <7e99500f068c451c8c95113a73529924@huawei.com> <BN9PR11MB537102B1E935ABF99EDE4AB1B8129@BN9PR11MB5371.namprd11.prod.outlook.com>
In-Reply-To: <BN9PR11MB537102B1E935ABF99EDE4AB1B8129@BN9PR11MB5371.namprd11.prod.outlook.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.100.87]
Content-Type: multipart/alternative; boundary="_000_c21af6f18fa54f6a810e29a7b818a739huaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/tkt6A864UT3NteIjk0YojT0DFxM>
Subject: Re: [OPSAWG] Review of draft-ma-opsawg-ucl-acl
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2022 12:48:00 -0000

Hi, Joe,

[JMC] It makes sense conceptually.  In practice, though, it seems very inefficient for the NAS to be resolving the user-group assignments at the packet level (the draft mentions something to this effect).  You're right that resolving that at the controller level wouldn't be any more practical.  But what I envision is that the mapping of session (i.e., user-group) attributes to network header elements (i.e., MAC/IP) would happen once and be generally visible to the administrators of the network.  The ACEs on the device need not have explicit user-group properties.  Those could be comments.  For example (in CLI syntax):

ip access-list extended DYNAMIC-ACCESS
  10 comment Allow jdoe to access finance resources
  20 permit ip host 10.10.10.10 172.20.20.0/24
...

This way the device isn't have to resolve any of the user-group elements on reception of a packet.

The controller, on the other hand, would have a broader picture of the network use and access.  It would show where the user connected, when, and their session properties.
I think I have no doubt that the controller needs to maintain a high-level user-group based ACL, the divergence between us is that whether it has merits to allow devices to be aware of user-group.
I agree with you that the current draft would need devices to resolve common network header (e.g., 5 tuple) to user-group ID at packet level, and then look up the related user-group based ACL; but this way the controller only needs to pre-configure the devices once (at least the least number of times) and the user-group based ACL itself can dynamically adapt to different circumstances(e.g., IP/MAC changes, time varies, etc).

I also agree that it feels more straightforward if the devices can only see the common network header attributes and look up ACL directly, but it does requires multiple communications between the controller and the device, depending on the user group attribute changes.

It seems to me that both have upsides and downsides.
It seems to me the flow might be:

Step 1: Administrators configure the controller/orchestrator with the security policies (e.g., group Finance can access Finance resources)
Step 2: The user-group-based access control is maintained on the controller (this is now the PEP, I guess)
Step 3: A user logs in
Step 4: The AAA server either notifies the controller or the device notifies the controller that user jdoe has logged in successfully with the given group attributes
Step 5: The controller programs the NAS with the required IP/MAC ACEs
In your proposed flow, are you suggesting that the controller programs the NAS dynamically according to the network header (IP/MAC) information notified by the AAA server or the device? Does the "device" you mentioned in step 4 refer to the user authentication device/AAA client which has received the authentication result feedback? Just want to ensure that I've fully understood your proposal.

On the model itself, I don't understand the intent of role-type.  I guess it's so you could say user's with a role of visitor can only access visitor resources?  But couldn't you do that with arbitrary groups and not have to list out various identities?
The current ietf-ucl-group model tries to build the mapping between the user-group ID and the user's associated attributes. The role is defined as a mandatory-false node, I think that this node might be useful when administrators would like to  understand the user-group information. A single group-id would be useful to uniquely identify a user-group, while a role-type provides an overview of what that user-group ID represents.

[JMC] Seems like that could just be a description (string) rather than having to maintain arbitrary identities.
Sure, will update the data type in the next version. Thanks;-)
Joe

Best Regards,
Qiufang

v2.23.0 | Report a Bug | By Email