Re: [Supa] Fwd: I-D Action: draft-halpern-supa-generic-policy-data-model-01.txt

"Joel M. Halpern" <jmh@joelhalpern.com> Sat, 16 April 2016 18:35 UTC

To: Andy Bierman <andy@yumaworks.com>
References: <20160415200632.17497.79135.idtracker@ietfa.amsl.com> <57114FD4.8000709@joelhalpern.com> <CABCOCHSx+=HXehVv5qrtiBGgUBmZ_9wLQ1RJzx-nhjpn9T+Zjg@mail.gmail.com>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <571285E2.5070104@joelhalpern.com>
Date: Sat, 16 Apr 2016 14:35:14 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <CABCOCHSx+=HXehVv5qrtiBGgUBmZ_9wLQ1RJzx-nhjpn9T+Zjg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/supa/bN9ddLPY-u6w4MTY-7ztj5TCJGQ>
Cc: SUPA list <supa@ietf.org>
Subject: Re: [Supa] Fwd: I-D Action: draft-halpern-supa-generic-policy-data-model-01.txt

Yes, that case can be represented.  No, it will not be simpler than a 
hard-coded system that places such an ACL whenever interfaces come up. 
(General tools seem to usually be more complex than specialized ones.)

Rough sketch:

Subclass of event to represent interface up, with sufficient information 
to know what interface it is.

Subclass of Condition testing whether an interface is an edge interface 
(both solutions assume this is knowable, otherwise the problem is not 
solvable without human intervention.)

Subclass of action representing applying an ACL set, with the ACL 
parameters.

Then a Policy Clause that ties the three together,
and a policy statement that says to apply the clause.

This does not make use of the power of policy statement or policy 
clause.  Those are to enable representation of more complex policies.

Yours,
Joel

On 4/16/16 1:56 PM, Andy Bierman wrote:
> Hi,
>
> I would like to see an example of SUPA in use.
> I thought Juergen has a clear maybe-not-simple use-case with SNMP:
>
>
> Event: example-interface-up notification received
> Task: Extract NE ID and interface ID
>
> Condition: Determine if NE,interface is an edge interface to an
> untrusted network
> Task: examine topology database?  Out of scope?
>
> Action: install an ACL on this NE, interface to deny incoming and outbound
> packets on port 161, 162
> Task: Determine how ACLs done on NE and send proper configuration changes
>
> What parts will SUPA provide and how are they done?
> What parts will the domain-specific models provide and how do
> they integrate with this module?  What parts are left
> as implementation details and out of scope for SUPA?
>
> I am far from convinced this approach is simpler than a controller-level
> data model. E.g., a network-wide ACL that blocks SNMP from entering or
> exiting the administrative domain can implement this policy, and all the
> ECA configuration and execution details are hidden within implementation
> details.
>
>
>
> Andy
>
>
>
> On Fri, Apr 15, 2016 at 1:32 PM, Joel Halpern <jmh@joelhalpern.com
> <mailto:jmh@joelhalpern.com>> wrote:
>
>     We have revised the data model draft to fix the extraction and YANG
>     errors.
>     It has been checked with a YANG 1.1 validator, which says it works.
>
>     The must clauses on the instance-identifiers now indicate the target
>     class (including subclasses) of the association.  As I noted in BA,
>     for associations with properties, the two end-points both point to
>     the association class, which points to both end-points.
>
>     We will be doing the YANG tree, better descriptions, and text about
>     the mapping from IM to DM.
>
>     Please review either the IM or the DM (using the IM descriptions) to
>     see whether this model represents what the WG wants to see.
>
>     Yours,
>     Joel
>
>
>     -------- Forwarded Message --------
>     Subject: I-D Action: draft-halpern-supa-generic-policy-data-model-01.txt
>     Date: Fri, 15 Apr 2016 13:06:32 -0700
>     From: internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>
>     Reply-To: internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>
>     To: i-d-announce@ietf.org <mailto:i-d-announce@ietf.org>
>
>
>     A New Internet-Draft is available from the on-line Internet-Drafts
>     directories.
>
>
>              Title           : Generic Policy Data Model for Simplified
>     Use of Policy Abstractions (SUPA)
>              Authors         : Joel Halpern
>                                John Strassner
>              Filename        :
>     draft-halpern-supa-generic-policy-data-model-01.txt
>              Pages           : 48
>              Date            : 2016-04-15
>
>     Abstract:
>         This document defines two YANG policy data models. The first is a
>         generic policy model that is meant to be extended on an application-
>         specific basis. The second is an exemplary extension of the first
>         generic policy model, and defines rules as event-condition-action
>         policies. Both models are independent of the level of abstraction of
>         the content and meaning of a policy.
>
>
>
>     The IETF datatracker status page for this draft is:
>     https://datatracker.ietf.org/doc/draft-halpern-supa-generic-policy-data-model/
>
>     There's also a htmlized version available at:
>     https://tools.ietf.org/html/draft-halpern-supa-generic-policy-data-model-01
>
>     A diff from the previous version is available at:
>     https://www.ietf.org/rfcdiff?url2=draft-halpern-supa-generic-policy-data-model-01
>
>
>     Please note that it may take a couple of minutes from the time of
>     submission until the htmlized version and diff are available at
>     tools.ietf.org.
>
>     Internet-Drafts are also available by anonymous FTP at:
>     ftp://ftp.ietf.org/internet-drafts/
>
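Joel's rough sketch (an event subclass, a condition subclass, an action subclass, one policy clause tying them together, one policy statement applying the clause) worked through against Andy's SNMP use case, as an added example that is not part of this thread and is not the YANG from the SUPA drafts: a toy in-memory event-condition-action evaluator in Python. Every name in it (InterfaceUpEvent, is_edge_interface, snmp_block_acl, PolicyClause, PolicyStatement), the topology table, the notification varbind keys and the vendor-neutral ACL entry layout are assumptions made for the example.

```python
"""Toy ECA evaluator for the "block SNMP on edge interfaces" use case.

Added example: not code from the SUPA drafts, the thread's authors, or any
vendor. Every name below (InterfaceUpEvent, is_edge_interface, snmp_block_acl,
PolicyClause, PolicyStatement), the topology table, the notification varbind
keys and the ACL entry layout are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

SNMP_PORTS = (161, 162)  # snmp and snmptrap; IANA registers both on udp and tcp

# Constructed topology: (NE id, interface id) -> whether it faces an untrusted network.
TOPOLOGY = {
    ("ne1", "ge-0/0/0"): {"edge": True, "peer": "isp-a"},
    ("ne1", "ge-0/0/1"): {"edge": False, "peer": "ne2"},
    ("ne2", "ge-0/0/3"): {"edge": True, "peer": "customer-x"},
}


@dataclass(frozen=True)
class InterfaceUpEvent:
    """Event subclass: an interface-up notification with enough data to name the port."""
    ne_id: str
    if_id: str


def parse_interface_up(varbinds: dict) -> InterfaceUpEvent:
    """Task 1 of the use case: extract NE id and interface id from the notification.
    The varbind keys are constructed; a real mapping would come from the MIB."""
    return InterfaceUpEvent(ne_id=varbinds["neId"], if_id=varbinds["ifName"])


def is_edge_interface(ev: InterfaceUpEvent, topology=TOPOLOGY) -> Optional[bool]:
    """Condition subclass: is this an edge interface to an untrusted network?

    Returns None when the topology does not know the interface. That is the
    caveat from the thread: if edge-ness is not knowable, the policy cannot
    decide on its own and must hand off to a human.
    """
    entry = topology.get((ev.ne_id, ev.if_id))
    return None if entry is None else bool(entry["edge"])


def snmp_block_acl(ev: InterfaceUpEvent) -> list:
    """Action subclass: ACL entries denying SNMP in both directions on the port.

    Entries are vendor-neutral dicts; rendering them into a device's ACL syntax
    is the domain-specific model's job, which the thread leaves out of scope.
    """
    rules = []
    for direction in ("in", "out"):
        for proto in ("udp", "tcp"):
            for port in SNMP_PORTS:
                rules.append({"ne": ev.ne_id, "if": ev.if_id, "dir": direction,
                              "action": "deny", "proto": proto, "dst_port": port})
    return rules


@dataclass(frozen=True)
class PolicyClause:
    """Ties one event type, one condition and one action together."""
    event_type: type
    condition: Callable[[object], Optional[bool]]
    action: Callable[[object], list]


@dataclass
class PolicyStatement:
    """Says which clauses to apply. Evaluation returns one verdict per matching
    clause: ('apply', rules) when the condition holds, ('skip', []) when it is
    false, ('escalate', []) when the condition cannot be decided."""
    clauses: list

    def evaluate(self, event) -> list:
        verdicts = []
        for clause in self.clauses:
            if not isinstance(event, clause.event_type):
                continue  # clause is not about this kind of event
            result = clause.condition(event)
            if result is None:
                verdicts.append(("escalate", []))
            elif result:
                verdicts.append(("apply", clause.action(event)))
            else:
                verdicts.append(("skip", []))
        return verdicts


SNMP_EDGE_CLAUSE = PolicyClause(InterfaceUpEvent, is_edge_interface, snmp_block_acl)
SNMP_EDGE_POLICY = PolicyStatement([SNMP_EDGE_CLAUSE])


if __name__ == "__main__":
    # Constructed notification, as the engine would see it after decoding the trap.
    ev = parse_interface_up({"neId": "ne1", "ifName": "ge-0/0/0"})
    for verdict, rules in SNMP_EDGE_POLICY.evaluate(ev):
        print(verdict, len(rules), "rule(s)")
        for r in rules:
            print("  ", r)
```

The three-way result of the condition is the point of the exercise: an interface the topology database does not know is escalated rather than silently left open or silently locked down, which is the "not solvable without human intervention" case Joel names. A fail-closed variant would treat an unknown interface as edge and apply the ACL anyway; which default is right depends on whether an accidental SNMP exposure or an accidental management lockout is the worse failure for the operator. The clause/statement split is also visibly more machinery than a hard-coded "apply this ACL on every interface-up" hook, which is Joel's own caveat about general versus specialized tools.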