Hi, Oscar et al.
This is useful work and an obvious extension to the ACL YANG model.
I have the following comments on the draft:
1. I think it is important to highlight the m x n issue in the ACL YANG model (section
3.1/3.2). Let me describe it a bit:
If there are 4 prefixes and 3 ports such that for each prefix and port
combination a matching rule needs to be created, it results in 12 matching
rules. As the scale goes up, the number of rules multiplies much faster. By
creating object-groups/defined-sets for prefix and port, they need to be updated
m and n times respectively (making it of order m + n), which is much lower than the m
x n rules which would need to be created otherwise.
2. ICMP defined-sets for type and code can be defined independently, similar to
flowspec, and would be a simple extension of the ACL YANG model.
3. Can the defined-sets contain ranges as well (say for port: 40,47, 83-93,
98, 120-140 etc.)?
4. Section 3.4, 3.5: It needs to be decided how much the ACL YANG model can be aligned
with flowspec config options. Some of the things like "numeric operator" and
"bitmask operand format" are powerful but make rules complex.
5. For section 3.6,
a) it needs to be decided whether the policer will be pps (packets per sec)
or bps or both. In true ACL fashion, I think pps makes more sense.
b) the counters need to be enhanced to support a "drop count" as well,
since a "match count" will not be enough.
6. Similarly, "redirect" to nexthop (VRF and/or prefix) action can also be
defined for matching ACL rules.
Best Regards,
Aseem
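To make the m x n argument in point 1 concrete (and the range syntax asked about in point 3), the following is an added example, not code from the thread or from the draft; the prefixes and port lists are constructed sample values, and the dict-based defined-set rule is a plain Python stand-in, not the YANG structure the draft would define.

```python
import ipaddress
from itertools import product

MAX_PORT = 65535

def parse_port_set(spec):
    """Parse a port defined-set like '40,47,83-93,98,120-140' (singles and inclusive ranges) into a set."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)          # a bare port is the range lo-lo
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"invalid port entry: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports

def expand_rules(prefixes, ports):
    """Without defined-sets: one explicit match rule per (prefix, port) pair, i.e. m x n entries."""
    return [(ipaddress.ip_network(p), port) for p, port in product(prefixes, ports)]

def defined_set_rule(prefixes, port_spec):
    """With defined-sets: one rule referencing a prefix set and a port set, i.e. m + n entries to maintain."""
    return {"prefixes": [ipaddress.ip_network(p) for p in prefixes],
            "ports": parse_port_set(port_spec)}

def matches(rule, src_ip, dst_port):
    """A packet matches when its source is in any listed prefix AND its port is in the port set."""
    addr = ipaddress.ip_address(src_ip)
    return dst_port in rule["ports"] and any(addr in net for net in rule["prefixes"])

def rule_counts(prefixes, port_spec):
    """Return (entries to maintain with explicit m x n rules, entries with m + n defined-sets)."""
    n_ports = len(parse_port_set(port_spec))
    return len(prefixes) * n_ports, len(prefixes) + n_ports

# Constructed sample: four prefixes and three ports, matching the 4 x 3 case in the mail.
SAMPLE_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "100.64.0.0/10"]
SAMPLE_PORTS = "22,80,443"

if __name__ == "__main__":
    print(rule_counts(SAMPLE_PREFIXES, SAMPLE_PORTS))                          # (12, 7)
    print(len(expand_rules(SAMPLE_PREFIXES, parse_port_set(SAMPLE_PORTS))))    # 12
```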
On 10/19/21, 9:34 AM, "netmod on behalf of Oscar González de Dios"
<[email protected] on behalf of [email protected]>
wrote:
Dear Netmod colleagues,
We discussed in the list some time ago a few possible enhancements
on the ACL Yang model (RFC 8519).
Following the suggestions received on the list, we've prepared an
individual draft in which we document the motivation of several enhancements to
the Access control list Yang model. Note that, in this first version of the
document, we have not included on purpose any yang model. We are seeking the
work direction from the netmod WG whether the missing features can be
accomplished by means of augmentations or whether an ACL-bis document is more
appropriate.
Looking forward to receiving your comments / thoughts / suggestions.
Best Regards,
Oscar, Samier, Med
-----Original message-----
From: [email protected] <[email protected]>
Sent: Monday, 18 October 2021 13:06
To: Mohamed Boucadair <[email protected]>; Oscar González de
Dios <[email protected]>; Oscar González de Dios
<[email protected]>; SAMIER BARGUIL GIRALDO
<[email protected]>; SAMIER BARGUIL GIRALDO
<[email protected]>
Subject: New Version Notification for draft-dbb-netmod-acl-00.txt
A new version of I-D, draft-dbb-netmod-acl-00.txt has been successfully
submitted by Oscar Gonzalez de Dios and posted to the IETF repository.
Name: draft-dbb-netmod-acl
Revision: 00
Title: Extensions to the Access Control Lists (ACLs) YANG Model
Document date: 2021-10-18
Group: Individual Submission
Pages: 18
URL: https://www.ietf.org/archive/id/draft-dbb-netmod-acl-00.txt
Status: https://datatracker.ietf.org/doc/draft-dbb-netmod-acl/
Htmlized: https://datatracker.ietf.org/doc/html/draft-dbb-netmod-acl
Abstract:
RFC 8519 defines a YANG data model for Access Control Lists (ACLs).
This document discusses a set of extensions that fix many of the
limitations of the ACL model as initially defined in RFC 8519.
The IETF Secretariat
_______________________________________________
netmod mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/netmod