Hi, I guess what I'm hearing is that we should do a hopefully very short augmentation for domain names in the matches clause and standardize that separately. Does that seem reasonable?
Eliot

On 12/19/15 2:05 PM, Dean Bogdanovic wrote:
> The basic design idea for the base model is structure that all vendors
> support. Some of the examples mentioned below, like FQDN, are not supported
> by all vendors and are protected by IPR (which I wasn't aware of). There
> are many possible match conditions that could be added to the base model,
> like Auth header in IPSec or IPSec encapsulation security payload to keep it
> with security. There are many match conditions in Class of Services as well.
> All these match conditions would have created more issues to come to
> consensus about the base model, so for that reason we went with the minimal
> model that would be easy for all vendors to implement.
>
> Dean
>
>> On Dec 18, 2015, at 5:21 PM, Sterne, Jason (Jason)
>> <[email protected]> wrote:
>>
>> I'm not a fan of adding something like that in the base model. Let's get a
>> basic model done and then we can consider an extension draft. I'd think
>> that things like TCP flags, for example, would be a more natural & common
>> thing to add to an ACL model than a host name match, so I can't see host name
>> being in there before TCP flags (which I'm not advocating for in the base
>> model).
>>
>> I also don't think the metadata interface match should be in this base model
>> either. That is out of place IMO. The base model provides an ACL that can
>> then get associated with objects like interfaces (as in the example in
>> section A.3).
>>
>> I'd also suggest we consider making the actions 'deny' and 'permit' presence
>> containers instead of empty leafs. That would allow easier augmentations
>> (e.g. additional 'permit' parameters for policy based forwarding, for
>> example).
>>
>> Regards,
>> Jason
>>
>> -----Original Message-----
>> From: netmod [mailto:[email protected]] On Behalf Of Nadeau Thomas
>> Sent: Thursday, December 17, 2015 10:53
>> To: Lear Eliot
>> Cc: Benoit Claise; RTG YANG Design Team; netmod WG
>> Subject: Re: [netmod] Working group Last Call: draft-ietf-netmod-acl-model-06
>>
>>
>> You raise a good point. Do the contributors/editors have any thoughts
>> on this suggestion?
>>
>> —Tom
>>
>>
>>> On Dec 17, 2015, at 9:44 AM, Eliot Lear <[email protected]> wrote:
>>>
>>>
>>>
>>> On 12/17/15 2:45 PM, Nadeau Thomas wrote:
>>>> Do you mean an ASCII DNS name (versus an IP address w a mask)?
>>> I was thinking of "host" in RFC 6021.
>>>
>>> Eliot
>>>
>>>
>> _______________________________________________
>> netmod mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/netmod
>> _______________________________________________
>> Rtg-dt-yang-arch mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/rtg-dt-yang-arch
>
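What the "very short augmentation" proposed above could look like, as an added example that is not part of the thread or of draft-ietf-netmod-acl-model-06: a separate module that reuses the inet `host` type Eliot refers to and gates the new match behind a YANG feature, so vendors that do not support domain-name matching (Dean's concern) simply do not advertise it. The module name, namespace, the imported module/prefix `ietf-acl`/`acl` and the augment target path are assumptions about the draft's node names, not taken from the page.

```yang
// Added example, not code from the draft or the mailing list thread.
// Module name, namespace and the augment target path are assumptions.
module example-acl-host-match {
  yang-version 1;
  namespace "urn:example:acl-host-match";   // placeholder namespace
  prefix "achost";

  import ietf-inet-types { prefix inet; }
  import ietf-acl { prefix acl; }             // assumed module name and prefix

  description
    "Standalone augmentation adding a domain-name match to the ACL
     'matches' clause, keeping the base model minimal.";

  // Servers that cannot match on names simply do not advertise this feature.
  feature host-name-match {
    description "Server supports matching on domain names (inet:host).";
  }

  // Assumed path into the draft's data tree.
  augment "/acl:access-lists/acl:acl/acl:access-list-entries"
        + "/acl:ace/acl:matches" {
    if-feature host-name-match;
    description "Domain-name based match condition.";

    container host-name-match {
      presence "Enables matching on a host name";
      description
        "Match packets whose source or destination address corresponds to
         the given host. When and how the name is resolved, and how the
         ACL behaves if resolution changes, is implementation-specific and
         must be documented by the vendor.";
      leaf source-host {
        type inet:host;   // IP address or domain name, per RFC 6021
        description "Host the packet must originate from.";
      }
      leaf destination-host {
        type inet:host;
        description "Host the packet must be destined to.";
      }
    }
  }
}
```

Because the match is a presence container rather than an empty leaf, later augmentations (for example resolution policy) can add leafs under it without changing its semantics, which is the same property Jason asks for on the 'permit' and 'deny' actions.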
