On 24.01.18 19:25, Mahesh Jethanandani wrote:
>
>
>> On Jan 24, 2018, at 12:34 AM, Eliot Lear <l...@cisco.com
>> <mailto:l...@cisco.com>> wrote:
>>
>> This update primarily focuses on two elements that were agreed during
>> WGLC:
>>
>>   * The update to the ACL model.  That update has taken longer than I
>>     would have liked, but it is now at least close to finished.
>>     Note: the MUD model does not yet match the published ACL model,
>>     but it does match the agreed changes that will be produced in the
>>     next ACL draft.
>>
> Does it?
>
> Looking at the MUD example in Section 8 of the draft, I see that
> port/range is hanging off of ipv6 IP header. Per your comment, we
> moved the port under the ‘tcp’ header in the ACL model.
Yeah, the example was blown.  Fixed in next release ;-)  Same with
protocol.  It ended up in l4 when it should be l3.

>
> Also, the container "access-list-entries" had been renamed to “aces”
> in an earlier version of the draft. Med has pointed out some other
> discrepancies, but in general, I would scrub the entire example one
> more time.
>
> Cheers.
>
> p.s. The updated ACL model tree looks like this now:
>
> module: ietf-access-control-list
>   +--rw access-lists
>      +--rw acl* [name]
>      |  +--rw name     string
>      |  +--rw type?    acl-type
>      |  +--rw aces
>      |     +--rw ace* [name]
>      |        +--rw name       string
>      |        +--rw matches
>      |        |  +--rw (l2)?
>      |        |  |  +--:(eth)
>      |        |  |     +--rw eth {match-on-eth}?
>      |        |  |        +--rw destination-mac-address?
>      |        |  |        |       yang:mac-address
>      |        |  |        +--rw destination-mac-address-mask?
>      |        |  |        |       yang:mac-address
>      |        |  |        +--rw source-mac-address?
>      |        |  |        |       yang:mac-address
>      |        |  |        +--rw source-mac-address-mask?
>      |        |  |        |       yang:mac-address
>      |        |  |        +--rw ethertype?
>      |        |  |                eth:ethertype
>      |        |  +--rw (l3)?
>      |        |  |  +--:(ipv4)
>      |        |  |  |  +--rw ipv4 {match-on-ipv4}?
>      |        |  |  |     +--rw dscp?             inet:dscp
>      |        |  |  |     +--rw ecn?              uint8
>      |        |  |  |     +--rw length?           uint16
>      |        |  |  |     +--rw ttl?              uint8
>      |        |  |  |     +--rw protocol?         uint8
>      |        |  |  |     +--rw ihl?              uint8
>      |        |  |  |     +--rw flags?            bits
>      |        |  |  |     +--rw offset?           uint16
>      |        |  |  |     +--rw identification?   uint16
>      |        |  |  |     +--rw (destination-network)?
>      |        |  |  |     |  +--:(destination-ipv4-network)
>      |        |  |  |     |     +--rw destination-ipv4-network?
>      |        |  |  |     |             inet:ipv4-prefix
>      |        |  |  |     +--rw (source-network)?
>      |        |  |  |        +--:(source-ipv4-network)
>      |        |  |  |           +--rw source-ipv4-network?
>      |        |  |  |                   inet:ipv4-prefix
>      |        |  |  +--:(ipv6)
>      |        |  |     +--rw ipv6 {match-on-ipv6}?
>      |        |  |        +--rw dscp?             inet:dscp
>      |        |  |        +--rw ecn?              uint8
>      |        |  |        +--rw length?           uint16
>      |        |  |        +--rw ttl?              uint8
>      |        |  |        +--rw protocol?         uint8
>      |        |  |        +--rw (destination-network)?
>      |        |  |        |  +--:(destination-ipv6-network)
>      |        |  |        |     +--rw destination-ipv6-network?
>      |        |  |        |             inet:ipv6-prefix
>      |        |  |        +--rw (source-network)?
>      |        |  |        |  +--:(source-ipv6-network)
>      |        |  |        |     +--rw source-ipv6-network?
>      |        |  |        |             inet:ipv6-prefix
>      |        |  |        +--rw flow-label?
>      |        |  |                inet:ipv6-flow-label
>      |        |  +--rw (l4)?
>      |        |  |  +--:(tcp)
>      |        |  |  |  +--rw tcp {match-on-tcp}?
>      |        |  |  |     +--rw sequence-number?
>      |        |  |  |     |       uint32
>      |        |  |  |     +--rw acknowledgement-number?
>      |        |  |  |     |       uint32
>      |        |  |  |     +--rw data-offset?
>      |        |  |  |     |       uint8
>      |        |  |  |     +--rw reserved?
>      |        |  |  |     |       uint8
>      |        |  |  |     +--rw flags?
>      |        |  |  |     |       bits
>      |        |  |  |     +--rw window-size?
>      |        |  |  |     |       uint16
>      |        |  |  |     +--rw urgent-pointer?
>      |        |  |  |     |       uint16
>      |        |  |  |     +--rw options?
>      |        |  |  |     |       uint32
>      |        |  |  |     +--rw (source-port)?
>      |        |  |  |     |  +--:(source-port-range-or-operator)
>      |        |  |  |     |     +--rw source-port-range-or-operator
>      |        |  |  |     |        +--rw (port-range-or-operator)?
>      |        |  |  |     |           +--:(range)
>      |        |  |  |     |           |  +--rw lower-port
>      |        |  |  |     |           |  |       inet:port-number
>      |        |  |  |     |           |  +--rw upper-port
>      |        |  |  |     |           |          inet:port-number
>      |        |  |  |     |           +--:(operator)
>      |        |  |  |     |              +--rw operator?    operator
>      |        |  |  |     |              +--rw port
>      |        |  |  |     |                      inet:port-number
>      |        |  |  |     +--rw (destination-port)?
>      |        |  |  |        +--:(destination-port-range-or-operator)
>      |        |  |  |           +--rw destination-port-range-or-operator
>      |        |  |  |              +--rw (port-range-or-operator)?
>      |        |  |  |                 +--:(range)
>      |        |  |  |                 |  +--rw lower-port
>      |        |  |  |                 |  |       inet:port-number
>      |        |  |  |                 |  +--rw upper-port
>      |        |  |  |                 |          inet:port-number
>      |        |  |  |                 +--:(operator)
>      |        |  |  |                    +--rw operator?    operator
>      |        |  |  |                    +--rw port
>      |        |  |  |                            inet:port-number
>      |        |  |  +--:(udp)
>      |        |  |  |  +--rw udp {match-on-udp}?
>      |        |  |  |     +--rw length?
>      |        |  |  |     |       uint16
>      |        |  |  |     +--rw (source-port)?
>      |        |  |  |     |  +--:(source-port-range-or-operator)
>      |        |  |  |     |     +--rw source-port-range-or-operator
>      |        |  |  |     |        +--rw (port-range-or-operator)?
>      |        |  |  |     |           +--:(range)
>      |        |  |  |     |           |  +--rw lower-port
>      |        |  |  |     |           |  |       inet:port-number
>      |        |  |  |     |           |  +--rw upper-port
>      |        |  |  |     |           |          inet:port-number
>      |        |  |  |     |           +--:(operator)
>      |        |  |  |     |              +--rw operator?    operator
>      |        |  |  |     |              +--rw port
>      |        |  |  |     |                      inet:port-number
>      |        |  |  |     +--rw (destination-port)?
>      |        |  |  |        +--:(destination-port-range-or-operator)
>      |        |  |  |           +--rw destination-port-range-or-operator
>      |        |  |  |              +--rw (port-range-or-operator)?
>      |        |  |  |                 +--:(range)
>      |        |  |  |                 |  +--rw lower-port
>      |        |  |  |                 |  |       inet:port-number
>      |        |  |  |                 |  +--rw upper-port
>      |        |  |  |                 |          inet:port-number
>      |        |  |  |                 +--:(operator)
>      |        |  |  |                    +--rw operator?    operator
>      |        |  |  |                    +--rw port
>      |        |  |  |                            inet:port-number
>      |        |  |  +--:(icmp)
>      |        |  |     +--rw icmp {match-on-icmp}?
>      |        |  |        +--rw type?             uint8
>      |        |  |        +--rw code?             uint8
>      |        |  |        +--rw rest-of-header?   uint32
>      |        |  +--rw egress-interface?    if:interface-ref
>      |        |  +--rw ingress-interface?   if:interface-ref
>      |        +--rw actions
>      |        |  +--rw forwarding    identityref
>      |        |  +--rw logging?      identityref
>      |        +--ro statistics {acl-aggregate-stats}?
>      |           +--ro matched-packets?   yang:counter64
>      |           +--ro matched-octets?    yang:counter64
>      +--rw attachment-points
>         +--rw interface* [interface-id] {interface-attachment}?
>            +--rw interface-id    if:interface-ref
>            +--rw ingress
>            |  +--rw acl-sets
>            |     +--rw acl-set* [name]
>            |        +--rw name
>            |        |       -> ../../../../../../acl/name
>            |        +--ro ace-statistics* [name] {interface-stats}?
>            |           +--ro name               leafref
>            |           +--ro matched-packets?   yang:counter64
>            |           +--ro matched-octets?    yang:counter64
>            +--rw egress
>               +--rw acl-sets
>                  +--rw acl-set* [name]
>                     +--rw name
>                     |       -> ../../../../../../acl/name
>                     +--ro ace-statistics* [name] {interface-stats}?
>                        +--ro name               leafref
>                        +--ro matched-packets?   yang:counter64
>                        +--ro matched-octets?    yang:counter64
>>
>>   * Mark Nottingham had commented that it is not appropriate to have
>>     versioning information in the MUD-URL itself, but that it should
>>     be in the model.  We agreed on this change, as well as some
>>     wording around how HTTP is handled.
>>
>> Based on these changes, I would like to move this document forward to
>> IETF LC.
>>
>> Eliot
>>
>>
>> On 24.01.18 09:29, internet-dra...@ietf.org wrote:
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>> This draft is a work item of the Operations and Management Area Working
>>> Group WG of the IETF.
>>>
>>>         Title           : Manufacturer Usage Description Specification
>>>         Authors         : Eliot Lear
>>>                           Ralph Droms
>>>                           Dan Romascanu
>>>         Filename        : draft-ietf-opsawg-mud-14.txt
>>>         Pages           : 56
>>>         Date            : 2018-01-24
>>>
>>> Abstract:
>>>    This memo specifies a component-based architecture for manufacturer
>>>    usage descriptions (MUD).  The goal of MUD is to provide a means for
>>>    Things to signal to the network what sort of access and network
>>>    functionality they require to properly function.  The initial focus
>>>    is on access control.  Later work can delve into other aspects.
>>>
>>>    This memo specifies two YANG modules, IPv4 and IPv6 DHCP options, an
>>>    LLDP TLV, a URL suffix specification, an X.509 certificate extension
>>>    and a means to sign and verify the descriptions.
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/
>>>
>>> There are also htmlized versions available at:
>>> https://tools.ietf.org/html/draft-ietf-opsawg-mud-14
>>> https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-mud-14
>>>
>>> A diff from the previous version is available at:
>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-opsawg-mud-14
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org
>>> <http://tools.ietf.org>.
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> OPSAWG mailing list
>>> OPSAWG@ietf.org
>>> https://www.ietf.org/mailman/listinfo/opsawg
>>>
>>
>
> Mahesh Jethanandani
> mjethanand...@gmail.com <mailto:mjethanand...@gmail.com>
>
signature.asc
Description: OpenPGP digital signature
_______________________________________________ OPSAWG mailing list OPSAWG@ietf.org https://www.ietf.org/mailman/listinfo/opsawg
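The two layering mistakes the thread calls out (a port match hanging off the IPv6 header, and protocol sitting under the L4 container) are exactly the kind of thing a MUD file linter should catch before a MUD manager turns the file into firewall rules. The following is an added example, not code from the MUD draft or from anyone in the thread: a small Python checker that walks the ACEs in a MUD file's `ietf-access-control-list:access-lists` container and reports children that sit under the wrong match container according to the tree quoted above. It models only node names that appear in that tree (MUD's own augmentations, such as DNS-name matches, are not covered), assumes the usual JSON encoding of YANG data (module-qualified top-level container name, choice/case nodes elided), and the two sample MUD fragments are constructed for illustration.

```python
"""Lint the layering of ACE 'matches' in a MUD file against the
ietf-access-control-list tree quoted in the thread (added example; the
JSON layout and the sample fragments below are constructed assumptions)."""
import json

# Layer membership, taken from the quoted tree.
L3_CONTAINERS = {"ipv4", "ipv6"}
L4_CONTAINERS = {"tcp", "udp", "icmp"}
PORT_CONTAINERS = {"source-port-range-or-operator",
                   "destination-port-range-or-operator"}
ALLOWED = {
    "eth": {"destination-mac-address", "destination-mac-address-mask",
            "source-mac-address", "source-mac-address-mask", "ethertype"},
    "ipv4": {"dscp", "ecn", "length", "ttl", "protocol", "ihl", "flags",
             "offset", "identification", "destination-ipv4-network",
             "source-ipv4-network"},
    "ipv6": {"dscp", "ecn", "length", "ttl", "protocol",
             "destination-ipv6-network", "source-ipv6-network", "flow-label"},
    "tcp": {"sequence-number", "acknowledgement-number", "data-offset",
            "reserved", "flags", "window-size", "urgent-pointer", "options"}
           | PORT_CONTAINERS,
    "udp": {"length"} | PORT_CONTAINERS,
    "icmp": {"type", "code", "rest-of-header"},
}


def check_port_choice(path, node):
    """'port-range-or-operator' is a choice: range (lower+upper) xor
    operator (operator+port); a mix or a half-filled case is an error."""
    has_range = node.keys() & {"lower-port", "upper-port"}
    has_op = node.keys() & {"operator", "port"}
    if has_range and has_op:
        return [f"{path}: mixes the 'range' and 'operator' cases"]
    if has_range and len(has_range) != 2:
        return [f"{path}: 'range' needs both lower-port and upper-port"]
    if has_op and "port" not in has_op:
        return [f"{path}: 'operator' case needs 'port'"]
    if not has_range and not has_op:
        return [f"{path}: no port match given"]
    return []


def check_matches(ace_path, matches):
    """Report every leaf that is not a child of its container in the tree,
    naming the two thread-reported mistakes explicitly."""
    findings = []
    for layer, body in matches.items():
        path = f"{ace_path}/matches/{layer}"
        if layer not in ALLOWED:
            findings.append(f"{path}: unknown match container")
            continue
        for leaf in body:
            if leaf in ALLOWED[layer]:
                continue
            if leaf in PORT_CONTAINERS and layer in L3_CONTAINERS:
                findings.append(f"{path}/{leaf}: ports belong under tcp/udp (l4), not {layer}")
            elif leaf == "protocol" and layer in L4_CONTAINERS:
                findings.append(f"{path}/{leaf}: protocol belongs under ipv4/ipv6 (l3), not {layer}")
            else:
                findings.append(f"{path}/{leaf}: not a child of {layer} in the tree")
        if layer in L4_CONTAINERS:
            for leaf in body.keys() & PORT_CONTAINERS:
                findings.extend(check_port_choice(f"{path}/{leaf}", body[leaf]))
    return findings


def lint_acls(access_lists):
    """access_lists: decoded 'access-lists' container. Returns finding strings."""
    findings = []
    for acl in access_lists.get("acl", []):
        for ace in acl.get("aces", {}).get("ace", []):
            findings.extend(check_matches(f"{acl['name']}/{ace['name']}",
                                          ace.get("matches", {})))
    return findings


def lint_mud(text):
    """Lint the ACLs carried in a MUD file given as JSON text."""
    return lint_acls(json.loads(text).get("ietf-access-control-list:access-lists", {}))


# Constructed sample: the shape the thread describes as "blown".
BLOWN_MUD = """{"ietf-access-control-list:access-lists": {"acl": [{"name": "example-v6to",
  "aces": {"ace": [{"name": "cl0-todev", "matches": {
    "ipv6": {"source-ipv6-network": "2001:db8::/32",
             "destination-port-range-or-operator": {"operator": "eq", "port": 443}},
    "tcp": {"protocol": 6}},
   "actions": {"forwarding": "accept"}}]}}]}}"""

# Constructed sample: protocol under the l3 container, port under tcp.
FIXED_MUD = """{"ietf-access-control-list:access-lists": {"acl": [{"name": "example-v6to",
  "aces": {"ace": [{"name": "cl0-todev", "matches": {
    "ipv6": {"source-ipv6-network": "2001:db8::/32", "protocol": 6},
    "tcp": {"destination-port-range-or-operator": {"operator": "eq", "port": 443}}},
   "actions": {"forwarding": "accept"}}]}}]}}"""

if __name__ == "__main__":
    for label, text in (("blown", BLOWN_MUD), ("fixed", FIXED_MUD)):
        print(label, lint_mud(text) or "ok")
```

The check is deliberately a whitelist of the quoted tree rather than a blacklist of the two known mistakes: anything a newer draft adds (or a vendor augments) will surface as "not a child of ... in the tree" and force the table to be updated consciously, which is the safer failure mode for code that feeds an enforcement point.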