The basic design idea for the base model is a structure that all vendors support. 
Some of the examples mentioned below, like FQDN, are not supported by all 
vendors and are protected by IPR (which I wasn’t aware of). There are many 
possible match conditions that could be added to the base model, like Auth 
header in IPSec or IPSec encapsulation security payload to keep it with 
security. There are many match conditions in Class of Services as well. All 
these match conditions would have created more issues to come to consensus 
about the base model, so for that reason we went with the minimal model that 
would be easy for all vendors to implement.

Dean

> On Dec 18, 2015, at 5:21 PM, Sterne, Jason (Jason) 
> <jason.ste...@alcatel-lucent.com> wrote:
> 
> I'm not a fan of adding something like that in the base model.  Let's get a 
> basic model done and then we can consider an extension draft.  I'd think that 
> things like TCP flags, for example, would be a more natural & common thing to 
> add to an ACL model than a host name match so I can't see host name being in 
> there before TCP flags (which I'm not advocating for in the base model).
> 
> I also don't think the metadata interface match should be in this base model 
> either.  That is out of place IMO.  The base model provides an ACL that can 
> then get associated with objects like interfaces (as in the example in 
> section A.3)
> I'd also suggest we consider making the actions 'deny' and 'permit' presence 
> containers instead of empty leafs.  That would allow easier augmentations 
> (e.g. additional 'permit' parameters for policy based forwarding for example).
> 
> Regards,
> Jason
> 
> -----Original Message-----
> From: netmod [mailto:netmod-boun...@ietf.org] On Behalf Of Nadeau Thomas
> Sent: Thursday, December 17, 2015 10:53
> To: Lear Eliot
> Cc: Benoit Claise; RTG YANG Design Team; netmod WG
> Subject: Re: [netmod] Working group Last Call: draft-ietf-netmod-acl-model-06
> 
> 
>       You raise a good point. Do the contributors/editors have any thoughts 
> on this suggestion?
> 
>       —Tom
> 
> 
>> On Dec 17, 2015, at 9:44 AM, Eliot Lear <l...@cisco.com> wrote:
>> 
>> 
>> 
>> On 12/17/15 2:45 PM, Nadeau Thomas wrote:
>>>     Do you mean an ASCII DNS name (versus an IP address w a mask)?
>> 
>> I was thinking of "host" in RFC 6021.
>> 
>> Eliot
>> 
>> 
> 

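The 'presence container' suggestion in Jason's message above, as an added illustration that is not part of the thread or of draft-ietf-netmod-acl-model: the actions modelled once as empty leafs and once as presence containers, each then augmented from a second module with a policy-based-forwarding parameter. Module names, node names and the next-hop leaf are assumptions; the two modules would normally live in separate files.

```yang
// Added illustration, not from the draft. Module and node names are hypothetical.
module example-acl-actions {
  yang-version 1.1;
  namespace "urn:example:acl-actions";
  prefix exa;

  container actions-as-leafs {
    // Empty leafs: present-or-absent, but they cannot hold child nodes,
    // so an augmentation has to add parameters beside them, not under them.
    leaf permit { type empty; }
    leaf deny   { type empty; }
  }

  container actions-as-presence {
    // Presence containers: still mean "configured or not", yet they are
    // nodes that an augmentation can populate with action-specific parameters.
    container permit {
      presence "The matched packet is permitted.";
    }
    container deny {
      presence "The matched packet is dropped.";
    }
  }
}

// Second (hypothetical) module: a policy-based-forwarding extension.
module example-pbf-augment {
  yang-version 1.1;
  namespace "urn:example:pbf-augment";
  prefix pbf;

  import example-acl-actions { prefix exa; }

  // Presence-container style: the parameter nests directly under 'permit'
  // and can only exist when 'permit' itself is configured.
  augment "/exa:actions-as-presence/exa:permit" {
    leaf next-hop {
      type string;   // placeholder; a real module would use inet:ip-address
    }
  }

  // Empty-leaf style: no node to nest under, so the parameter lands as a
  // sibling and needs a 'when' expression to tie it to the permit action.
  augment "/exa:actions-as-leafs" {
    leaf next-hop {
      when "../exa:permit";
      type string;
    }
  }
}
```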
_______________________________________________
netmod mailing list
netmod@ietf.org
https://www.ietf.org/mailman/listinfo/netmod
