Hi Kent and Mahesh and Sonal, Thanks very much for working on this draft. I have noted one problem that I think needs correcting. I come prepared with a diff.
The current model has {source,dest}-port-or-range hanging off ipv4 or ipv6. This is a transport parameter and is not appropriate for protocols that do not use ports (ie, ICMP, ESP, etc). A better locale would be to hang these components underneath l4 underneath their respective tcp and udp branches. Because this is so basic a function, I propose that this *not* be included in match-on-tcp or match-on-udp. Instead, the contents of both tcp and udp be moved to new containers "tcp-all" and "udp-all", respectively, and the ports hang as peers to that. Thus, if a very simple device can understand TCP and UDP ports but cannot understand more detailed information, that is supported. And so from a tree perspective, it would look like this: | | +--rw (l4)? | | | +--:(tcp) | | | | +--rw tcp | | | | +--rw source-port-range-or-operator | | | | | +--rw (port-range-or-operator)? | | | | | +--:(range) | | | | | | +--rw lower-port inet:port-number | | | | | | +--rw upper-port inet:port-number | | | | | +--:(operator) | | | | | +--rw operator? operator | | | | | +--rw port inet:port-number | | | | +--rw destination-port-range-or-operator | | | | | +--rw (port-range-or-operator)? | | | | | +--:(range) | | | | | | +--rw lower-port inet:port-number | | | | | | +--rw upper-port inet:port-number | | | | | +--:(operator) | | | | | +--rw operator? operator | | | | | +--rw port inet:port-number | | | | +--rw tcp-all {match-on-tcp}? | | | | +--rw sequence-number? uint32 | | | | +--rw acknowledgement-number? uint32 | | | | +--rw data-offset? uint8 | | | | +--rw reserved? uint8 | | | | +--rw flags? bits | | | | +--rw window-size? uint16 | | | | +--rw urgent-pointer? uint16 | | | | +--rw options? uint32 | | | +--:(udp) | | | | +--rw udp | | | | +--rw source-port-range-or-operator | | | | | +--rw (port-range-or-operator)? | | | | | +--:(range) | | | | | | +--rw lower-port inet:port-number | | | | | | +--rw upper-port inet:port-number | | | | | +--:(operator) | | | | | +--rw operator? operator | | | | | +--rw port inet:port-number | | | | +--rw destination-port-range-or-operator | | | | | +--rw (port-range-or-operator)? | | | | | +--:(range) | | | | | | +--rw lower-port inet:port-number | | | | | | +--rw upper-port inet:port-number | | | | | +--:(operator) | | | | | +--rw operator? operator | | | | | +--rw port inet:port-number | | | | +--rw udp-all {match-on-udp}? | | | | +--rw length? uint16 A diff ietf-packet-fields.yang and ietf-access-control-lists.yang is attached. Eliot On 17.01.18 22:55, Kent Watsen wrote: > All, > > This starts a two-week working group last call on > draft-ietf-netmod-acl-model-15. > > This working group last call ends on January 31st. > Please send your comments to the NETMOD mailing list. > > Positive comments, e.g., "I've reviewed this document > and believe it is ready for publication", are welcome! > This is useful and important, even from authors. > > Also, could the authors, explicitly CC-ed on this email, > please confirm at this time that they are unaware of > any IPR related to this draft. > > Thank you, > NETMOD Chairs > > _______________________________________________ > netmod mailing list > netmod@ietf.org > https://www.ietf.org/mailman/listinfo/netmod >
*** ietf-packet-fie...@2018-01-16.yang.orig Mon Jan 22 12:58:08 2018 --- ietf-packet-fie...@2018-01-16.yang Mon Jan 22 13:10:57 2018 *************** *** 190,205 **** payload. In IPv6, this field is known as 'next-header."; reference "RFC 719, RFC 2460."; } - container source-port-range-or-operator { - uses port-range-or-operator; - description - "Source port definition."; - } - container destination-port-range-or-operator { - uses port-range-or-operator; - description - "Destination port definition."; - } } grouping acl-ipv4-header-fields { --- 190,195 ----
*** ietf-access-control-l...@2018-01-16.yang.orig Mon Jan 22 10:16:17 2018 --- ietf-access-control-l...@2018-01-16.yang Mon Jan 22 13:09:06 2018 *************** *** 440,457 **** choice l4 { container tcp { ! if-feature match-on-tcp; uses packet-fields:acl-tcp-header-fields; ! description "Rule set that matches TCP headers."; ! } ! container udp { ! if-feature match-on-udp; ! uses packet-fields:acl-udp-header-fields; ! description ! "Rule set that matches UDP headers."; ! } container icmp { if-feature match-on-icmp; --- 440,482 ---- choice l4 { container tcp { ! container source-port-range-or-operator { ! uses packet-fields:port-range-or-operator; ! description ! "Source port definition."; ! } ! container destination-port-range-or-operator { ! uses packet-fields:port-range-or-operator; ! description ! "Destination port definition."; ! } ! container tcp-all { ! if-feature match-on-tcp; uses packet-fields:acl-tcp-header-fields; ! description "Rule set that matches TCP headers."; ! } ! description "TCP matchable characteristics"; ! } container udp { ! container source-port-range-or-operator { ! uses packet-fields:port-range-or-operator; ! description ! "Source port definition."; ! } ! container destination-port-range-or-operator { ! uses packet-fields:port-range-or-operator; ! description ! "Destination port definition."; ! } ! container udp-all { ! if-feature match-on-udp; ! uses packet-fields:acl-udp-header-fields; ! description ! "Rule set that matches UDP headers."; ! } ! description "UDP matchable characteristics"; ! } container icmp { if-feature match-on-icmp;
signature.asc
Description: OpenPGP digital signature
_______________________________________________ netmod mailing list netmod@ietf.org https://www.ietf.org/mailman/listinfo/netmod