Erik Kline has entered the following ballot position for draft-ietf-netmod-acl-extensions-15: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-netmod-acl-extensions/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

# Internet AD comments for draft-ietf-netmod-acl-extensions-15
CC @ekline

* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md

* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/

## Comments

### S4

* The `identity layer4` description doesn't address whether IPv6 Extension Headers, or other "IP-layer" headers like AH, are to be skipped over or not. I suspect they are, but this description could say explicitly.

  In the spirit of "send text", here's one attempt:

      identity layer4 {
        base offset-type;
        description
          "The offset start right after the IP header and any
           headers pertaining to that IP layer, e.g. IPv6
           Extension Headers and the Authentication Header (AH).
           This can be typically the beginning of a transport
           header (e.g., TCP or UDP) or any encapsulation scheme
           over IP such as IP-in-IP.";
      }

  but that's just for your consideration.

* For the `payload` identity and the length in the `payload-match` for an `offset` of type `payload`, where is the end of the payload?

  Specifically, does this allow matching into the UDP Options space that is beyond the UDP payload but still within the IP payload?

  If the UDP Options space is excluded (or punted until future work), then it might be good to have some clarification about that here (we intend to include it in the payload match, exclude it, or leave it up to the implementer).

* In `payload-match`, the `description` for `operator` reads:

  "How to interpret the prefix match."

  Should that be s/prefix/pattern/? (this seems like it might be a copy-paste error?)

* Not important for this document, but we should probably consider whether it should be good practice to include SCTP and maybe DCCP, even if it's only for the port set ACL definitions and nothing fancier.

  Just a comment, not a request for any change.
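The two boundaries these comments ask about can be made concrete with a short Python sketch; it is an added illustration, not part of the ballot text or of the draft. It walks an IPv6 header chain (extension headers and AH) to find where a `layer4` offset would start under the suggested wording, then separates the UDP payload from the bytes that lie past the UDP Length but still inside the IP payload. The function names and the sample packet are constructed for this example.

```python
import struct

# IPv6 Next Header values that stay at the IP layer (IANA protocol numbers):
# Hop-by-Hop 0, Routing 43, Fragment 44, AH 51, Destination Options 60.
IP_LAYER = {0, 43, 44, 51, 60}
UDP = 17

def layer4_offset(pkt: bytes):
    """Return (protocol, offset) of the first header after the IPv6 header chain."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], 40
    while nxt in IP_LAYER:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == 44:    # Fragment header is always 8 bytes
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                raise ValueError("non-first fragment carries no layer-4 header")
            size = 8
        elif nxt == 51:  # AH length field counts 4-byte words, minus 2
            size = (pkt[off + 1] + 2) * 4
        else:            # others count 8-byte units beyond the first 8 bytes
            size = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + size
    return nxt, off

def udp_regions(pkt: bytes):
    """Return ((payload_start, payload_end), (surplus_start, surplus_end))."""
    proto, off = layer4_offset(pkt)
    if proto != UDP or off + 8 > len(pkt):
        raise ValueError("no complete UDP header")
    ip_end = 40 + struct.unpack("!H", pkt[4:6])[0]   # jumbograms (length 0) not handled
    udp_end = off + struct.unpack("!H", pkt[off + 4:off + 6])[0]
    if not off + 8 <= udp_end <= ip_end <= len(pkt):
        raise ValueError("inconsistent UDP/IP lengths")
    return (off + 8, udp_end), (udp_end, ip_end)

def sample_packet() -> bytes:
    """Constructed packet: IPv6 | Hop-by-Hop | AH | UDP | 4-byte payload | 4 surplus bytes."""
    hbh = bytes([51, 0, 1, 4, 0, 0, 0, 0])                  # next=AH, PadN option
    ah = bytes([UDP, 4, 0, 0]) + bytes(8) + bytes(12)        # 24 bytes, zeroed SPI/seq/ICV
    udp = struct.pack("!HHHH", 5000, 5001, 12, 0) + b"DATA"  # UDP Length = 8 + 4
    body = hbh + ah + udp + b"\x01\x01\x01\x00"              # bytes past UDP Length
    return struct.pack("!IHBB", 6 << 28, len(body), 0, 64) + bytes(32) + body
```

A matcher that bounds `payload-match` by the UDP Length stops at the first range returned by `udp_regions`; one that bounds it by the IP payload length also reaches the second range, which is the ambiguity the comment raises.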
