[yang-doctors] Review of draft-ietf-acl-model
Mahesh Jethanandani <mjethanandani@gmail.com> Tue, 21 June 2016 00:48 UTC
Return-Path: <mjethanandani@gmail.com>
X-Original-To: yang-doctors@ietfa.amsl.com
Delivered-To: yang-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D6AD12D66B; Mon, 20 Jun 2016 17:48:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AWVSDn6kkvvz; Mon, 20 Jun 2016 17:48:14 -0700 (PDT)
Received: from mail-pf0-x232.google.com (mail-pf0-x232.google.com [IPv6:2607:f8b0:400e:c00::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5E1112D65F; Mon, 20 Jun 2016 17:48:11 -0700 (PDT)
Received: by mail-pf0-x232.google.com with SMTP id i123so442702pfg.0; Mon, 20 Jun 2016 17:48:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:subject:date:message-id:cc:to:mime-version; bh=hL05WM2jyYZGyyWfATiqzWs+SJk9aeloqPyObA8OglI=; b=jJNXnNXc3N5w6KuHYktaz7I0KTpahYRPr3kirleUMBjyBXxPJgIfPA64hs+KHcoqg9 HKC+7GIePgG9m7gu062dROqDt8GxTqcbtZDaj9X9wIF7WAvG4lg85hik78d0juMLkbIY IxvCopXfPPyrVAhhzPddymsRxj7u78M5XArn0flnM4VEfDIiG0nco27hWyjoK6OJqe1D V171+nF/ax3DO8A5Zf+e3w6dsHuq0yFspPAgru7/KUsX2UNASo/2h6U4x4TEpE5FIiNo +EKBwZ6NGRq7xRN05n0rTrmO8p2H9+CfGSsWM0Fh7VhDckYtURB2qmZVVHer3KPKcP0J i8Ng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:subject:date:message-id:cc:to:mime-version; bh=hL05WM2jyYZGyyWfATiqzWs+SJk9aeloqPyObA8OglI=; b=Q8qLQkmJLOL0gGj4yI2f1uG32iDSt1RK/Wkbi3FuT9TSFu4Dzrq+V0RJLUKXu2aL47 d6dilIXGEAydBLDhKmOdvqGSkVZGLOd9XHHrSMRYVkJwLMIby1D1c66ahkLhyN9+dEA8 EzRGWIFs3yfYxNfEAAs/zGgVYFKWvhcuOIwVM7I9HHScvnp5BtEniKbup8KJHzv1wF1y fbssvHvsQCgR8qn24ubXJPZxokVwEb6FezLd8Owpkx9vpg5gvgLPOqSEm7l+JmIokTJE Sn/KNW+D5htfSDu9Q0Y1LJpreJvNwW56zQn9H/jHMz2XWuJS9qFin/fSFCn2eGZeT651 JQ7A==
X-Gm-Message-State: ALyK8tLMkWwVGCxPvVWfjKNP1Lvzogqsp3jZgZsUWY8BmzA10yG4mHRUVx4I+pxjbJ2akg==
X-Received: by 10.98.149.10 with SMTP id p10mr24805224pfd.88.1466470090907; Mon, 20 Jun 2016 17:48:10 -0700 (PDT)
Received: from dhcp-128-107-151-26.cisco.com (dhcp-128-107-151-26.cisco.com. [128.107.151.26]) by smtp.gmail.com with ESMTPSA id 81sm69825994pfo.74.2016.06.20.17.48.09 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 20 Jun 2016 17:48:10 -0700 (PDT)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E684D03B-ED31-4AB5-A515-B41F97BC8CC3"
Date: Mon, 20 Jun 2016 17:48:08 -0700
Message-Id: <056EA676-918C-4E31-8408-139607F19204@gmail.com>
To: draft-ietf-netmod-acl-model.all@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/Vr9M7973AonuwtljQUO-h_LhfEs>
Cc: YANG Doctors <yang-doctors@ietf.org>
Subject: [yang-doctors] Review of draft-ietf-acl-model
X-BeenThere: yang-doctors@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: email list of the yang-doctors directorate <yang-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/yang-doctors/>
List-Post: <mailto:yang-doctors@ietf.org>
List-Help: <mailto:yang-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jun 2016 00:48:16 -0000
Document reviewed: draft-ietf-netmod-acl-model-07
Status: Ready with work
I have marked it ready with work because it appears that there were points raised on the mailing list that are not reflected in this draft. At the minimum the authors will need to post a new draft. While they are doing that, it would be helpful if they can address some of the points raised in this review.
Summary:
This document describes a data model of ACL basic building blocks. As such the model cannot be used as is and is not a standalone model. It needs to be augmented by vendors for their particular implementation of ACLs. Examples of how the model needs to be extended are described in the Appendix section of the document.
The above point needs to come out clearly in the document. Maybe the paragraph from Appendix A.3 can be moved up into the introduction to clarify the scope of the document. Besides a statement of the scope of the document hardly belongs in the Appendix section.
The document has been extensively reviewed on the mailing list and comments provided. Two issues that were particularly debated were around:
how ACEs are ordered inside the ACL
use of metadata to filter traffic.
There was much debate on the use of ‘ace-type’ (which is a string) as a key in the list of ACE. Implementations that use numbers to identify the order of entires need to map the ‘ordered-by-user’ list to whatever the internal implementation allows. This is just an observation and authors are not expected to take any action on it.
The consensus on the mailing list seems to be for the removal of definition of metadata from the base model and moving it into an extension module. If that turns out to be the case, the authors need to update the Introduction and other sections to update references to metadata in the document.
Section 1: Introduction
s/basic elements to configure/basic elements used to configure/
s/networking concepts/networking technologies/
s/depending on the innovations/depending on the capabilities/
s/are interchangeable/are used interchangeably/
Section 2: Problem Statement
The second statement of the first paragraph is not clear. I think the authors meant to say that the model can be used by vendors and applications. Why are the models “reused” and what is “between applications”?
Also, what is a “simple model”? Further down, there is reference to “common model”. I think the idea is that this model represents what is common across several implementations of ACL. Therefore the use of “common model” rather than “simple model” makes more sense.
Section 3: Design of the ACL model.
This section is titled “Design of the ACL Model”, but is talking about how ACLs work on a system. The actual design of the model is in section 3.1 and should have that title. A more appropriate title for Section 3 would be “How ACLs Work” or something similar.
But a more important question is whether ietf-packet-fields a module or a submodule of ietf-access-control-list. The authors talk about ietf-access-control-list as a “superclass”, and it using groupings out of ietf-packet-fields. If that is the case, and there is no plan to use ietf-packet-fields outside of this model, it would probably make more sense to make it a submodule.
Section 4.1 title says “IETF Access Contorl (sp?) List module” while Section 4.2 says IETF-PACKET-FIELDS module. Can we be consistent in the titles of the sections?
Section 4.1 IETF Access Contorl List module
In general spaces between different fields and parts of the model would go a long way towards making the model more readable. See RFC 7223 for an example.
Do we need to specify yang-version in the YANG module?
The contact references in the model are dated. Please update.
Please add a note in the draft letting the RFC editor know that the Revision date in the model needs to be updated to the date when the draft gets approved. That date also needs to be reflected on the line with <CODE BEGINS>.
Ditto for “RFC XXXX” in the reference section.
Please add headers for each section of the module as follows to make the draft more readable.
/*
* Identities
*/
/*
* Typedefs
*/
There is extensive use of acl instead of access-control-list. Why not use it in typedef of access-control-list-ref and call it acl-ref? Same for the use of aces instead of access-list-entries in other parts of the module, like
container aces {
list ace {
Would it make sense to have a separate container for operational data? Keeping it with configuration data might make some sense, but keeping it separate allows one to get all operational data by doing a <get> on the top level container.
There also seems to dearth of operational data. For example, I do not see any operational data for actions in the model. How about a count for packets that are denied or permitted?
Section 4.3 An ACL Example.
The example is very confusing. It seems to represent many different examples all randomly put together. The CLI example does not match the XML version. It would help to have a complete example all the way from CLI to XML that is the same. And yes, more examples would be even better.
Section 4.4 Port Range Usage Example
The explanation for the second snippet is incomplete. Yes, the port is greater/equal to 16384, but is it not also less than/equal to 65535?
Section 5 Linux nftables
The first paragraph needs to be rewritten for spelling mistakes and readability.
More importantly, it is not clear what the intent of this section is. Yes, Linux is popular and is used for network platforms, but this model is not about Linux or how it is going to be implemented there. It would be best to remove it completely.
Thanks.
Mahesh Jethanandani
mjethanandani@gmail.com
- [yang-doctors] Review of draft-ietf-acl-model Mahesh Jethanandani