> On Jan 24, 2018, at 12:34 AM, Eliot Lear <[email protected]> wrote:
>
> This update primarily focuses on two elements that were agreed during WGLC:
>
> The update to the ACL model. That update has taken longer than I would have
> liked, but it is now at least close to finished. Note: the MUD model does
> not yet match the published ACL model, but it does match the agreed changes
> that will be produced in the next ACL draft.
Does it?
Looking at the MUD example in Section 8 of the draft, I see that port/range is
hanging off of the ipv6 IP header. Per your comment, we moved the port under the
'tcp' header in the ACL model.
Also, the container "access-list-entries" had been renamed to "aces" in an
earlier version of the draft. Med has pointed out some other discrepancies, but
in general, I would scrub the entire example one more time.
Cheers.
p.s. The updated ACL model tree looks like this now:
module: ietf-access-control-list
  +--rw access-lists
     +--rw acl* [name]
     |  +--rw name    string
     |  +--rw type?   acl-type
     |  +--rw aces
     |     +--rw ace* [name]
     |        +--rw name       string
     |        +--rw matches
     |        |  +--rw (l2)?
     |        |  |  +--:(eth)
     |        |  |     +--rw eth {match-on-eth}?
     |        |  |        +--rw destination-mac-address?
     |        |  |        |       yang:mac-address
     |        |  |        +--rw destination-mac-address-mask?
     |        |  |        |       yang:mac-address
     |        |  |        +--rw source-mac-address?
     |        |  |        |       yang:mac-address
     |        |  |        +--rw source-mac-address-mask?
     |        |  |        |       yang:mac-address
     |        |  |        +--rw ethertype?
     |        |  |                eth:ethertype
     |        |  +--rw (l3)?
     |        |  |  +--:(ipv4)
     |        |  |  |  +--rw ipv4 {match-on-ipv4}?
     |        |  |  |     +--rw dscp?             inet:dscp
     |        |  |  |     +--rw ecn?              uint8
     |        |  |  |     +--rw length?           uint16
     |        |  |  |     +--rw ttl?              uint8
     |        |  |  |     +--rw protocol?         uint8
     |        |  |  |     +--rw ihl?              uint8
     |        |  |  |     +--rw flags?            bits
     |        |  |  |     +--rw offset?           uint16
     |        |  |  |     +--rw identification?   uint16
     |        |  |  |     +--rw (destination-network)?
     |        |  |  |     |  +--:(destination-ipv4-network)
     |        |  |  |     |     +--rw destination-ipv4-network?
     |        |  |  |     |             inet:ipv4-prefix
     |        |  |  |     +--rw (source-network)?
     |        |  |  |        +--:(source-ipv4-network)
     |        |  |  |           +--rw source-ipv4-network?
     |        |  |  |                   inet:ipv4-prefix
     |        |  |  +--:(ipv6)
     |        |  |     +--rw ipv6 {match-on-ipv6}?
     |        |  |        +--rw dscp?       inet:dscp
     |        |  |        +--rw ecn?        uint8
     |        |  |        +--rw length?     uint16
     |        |  |        +--rw ttl?        uint8
     |        |  |        +--rw protocol?   uint8
     |        |  |        +--rw (destination-network)?
     |        |  |        |  +--:(destination-ipv6-network)
     |        |  |        |     +--rw destination-ipv6-network?
     |        |  |        |             inet:ipv6-prefix
     |        |  |        +--rw (source-network)?
     |        |  |        |  +--:(source-ipv6-network)
     |        |  |        |     +--rw source-ipv6-network?
     |        |  |        |             inet:ipv6-prefix
     |        |  |        +--rw flow-label?
     |        |  |                inet:ipv6-flow-label
     |        |  +--rw (l4)?
     |        |  |  +--:(tcp)
     |        |  |  |  +--rw tcp {match-on-tcp}?
     |        |  |  |     +--rw sequence-number?
     |        |  |  |     |       uint32
     |        |  |  |     +--rw acknowledgement-number?
     |        |  |  |     |       uint32
     |        |  |  |     +--rw data-offset?
     |        |  |  |     |       uint8
     |        |  |  |     +--rw reserved?
     |        |  |  |     |       uint8
     |        |  |  |     +--rw flags?
     |        |  |  |     |       bits
     |        |  |  |     +--rw window-size?
     |        |  |  |     |       uint16
     |        |  |  |     +--rw urgent-pointer?
     |        |  |  |     |       uint16
     |        |  |  |     +--rw options?
     |        |  |  |     |       uint32
     |        |  |  |     +--rw (source-port)?
     |        |  |  |     |  +--:(source-port-range-or-operator)
     |        |  |  |     |     +--rw source-port-range-or-operator
     |        |  |  |     |        +--rw (port-range-or-operator)?
     |        |  |  |     |           +--:(range)
     |        |  |  |     |           |  +--rw lower-port
     |        |  |  |     |           |  |       inet:port-number
     |        |  |  |     |           |  +--rw upper-port
     |        |  |  |     |           |          inet:port-number
     |        |  |  |     |           +--:(operator)
     |        |  |  |     |              +--rw operator?   operator
     |        |  |  |     |              +--rw port
     |        |  |  |     |                      inet:port-number
     |        |  |  |     +--rw (destination-port)?
     |        |  |  |        +--:(destination-port-range-or-operator)
     |        |  |  |           +--rw destination-port-range-or-operator
     |        |  |  |              +--rw (port-range-or-operator)?
     |        |  |  |                 +--:(range)
     |        |  |  |                 |  +--rw lower-port
     |        |  |  |                 |  |       inet:port-number
     |        |  |  |                 |  +--rw upper-port
     |        |  |  |                 |          inet:port-number
     |        |  |  |                 +--:(operator)
     |        |  |  |                    +--rw operator?   operator
     |        |  |  |                    +--rw port
     |        |  |  |                            inet:port-number
     |        |  |  +--:(udp)
     |        |  |  |  +--rw udp {match-on-udp}?
     |        |  |  |     +--rw length?
     |        |  |  |     |       uint16
     |        |  |  |     +--rw (source-port)?
     |        |  |  |     |  +--:(source-port-range-or-operator)
     |        |  |  |     |     +--rw source-port-range-or-operator
     |        |  |  |     |        +--rw (port-range-or-operator)?
     |        |  |  |     |           +--:(range)
     |        |  |  |     |           |  +--rw lower-port
     |        |  |  |     |           |  |       inet:port-number
     |        |  |  |     |           |  +--rw upper-port
     |        |  |  |     |           |          inet:port-number
     |        |  |  |     |           +--:(operator)
     |        |  |  |     |              +--rw operator?   operator
     |        |  |  |     |              +--rw port
     |        |  |  |     |                      inet:port-number
     |        |  |  |     +--rw (destination-port)?
     |        |  |  |        +--:(destination-port-range-or-operator)
     |        |  |  |           +--rw destination-port-range-or-operator
     |        |  |  |              +--rw (port-range-or-operator)?
     |        |  |  |                 +--:(range)
     |        |  |  |                 |  +--rw lower-port
     |        |  |  |                 |  |       inet:port-number
     |        |  |  |                 |  +--rw upper-port
     |        |  |  |                 |          inet:port-number
     |        |  |  |                 +--:(operator)
     |        |  |  |                    +--rw operator?   operator
     |        |  |  |                    +--rw port
     |        |  |  |                            inet:port-number
     |        |  |  +--:(icmp)
     |        |  |     +--rw icmp {match-on-icmp}?
     |        |  |        +--rw type?             uint8
     |        |  |        +--rw code?             uint8
     |        |  |        +--rw rest-of-header?   uint32
     |        |  +--rw egress-interface?    if:interface-ref
     |        |  +--rw ingress-interface?   if:interface-ref
     |        +--rw actions
     |        |  +--rw forwarding    identityref
     |        |  +--rw logging?      identityref
     |        +--ro statistics {acl-aggregate-stats}?
     |           +--ro matched-packets?   yang:counter64
     |           +--ro matched-octets?    yang:counter64
     +--rw attachment-points
        +--rw interface* [interface-id] {interface-attachment}?
           +--rw interface-id    if:interface-ref
           +--rw ingress
           |  +--rw acl-sets
           |     +--rw acl-set* [name]
           |        +--rw name
           |        |       -> ../../../../../../acl/name
           |        +--ro ace-statistics* [name] {interface-stats}?
           |           +--ro name               leafref
           |           +--ro matched-packets?   yang:counter64
           |           +--ro matched-octets?    yang:counter64
           +--rw egress
              +--rw acl-sets
                 +--rw acl-set* [name]
                    +--rw name
                    |       -> ../../../../../../acl/name
                    +--ro ace-statistics* [name] {interface-stats}?
                       +--ro name               leafref
                       +--ro matched-packets?   yang:counter64
                       +--ro matched-octets?    yang:counter64
> Mark Nottingham had commented that it is not appropriate to have versioning
> information in the MUD-URL itself, but that it should be in the model. We
> agreed on this change, as well as some wording around how HTTP is handled.
> Based on these changes, I would like to move this document forward to IETF LC.
>
> Eliot
>
> On 24.01.18 09:29, [email protected] wrote:
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the Operations and Management Area Working
>> Group WG of the IETF.
>>
>> Title : Manufacturer Usage Description Specification
>> Authors : Eliot Lear
>> Ralph Droms
>> Dan Romascanu
>> Filename : draft-ietf-opsawg-mud-14.txt
>> Pages : 56
>> Date : 2018-01-24
>>
>> Abstract:
>> This memo specifies a component-based architecture for manufacturer
>> usage descriptions (MUD). The goal of MUD is to provide a means for
>> Things to signal to the network what sort of access and network
>> functionality they require to properly function. The initial focus
>> is on access control. Later work can delve into other aspects.
>>
>> This memo specifies two YANG modules, IPv4 and IPv6 DHCP options, an
>> LLDP TLV, a URL suffix specification, an X.509 certificate extension
>> and a means to sign and verify the descriptions.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/
>>
>> There are also htmlized versions available at:
>> https://tools.ietf.org/html/draft-ietf-opsawg-mud-14
>> https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-mud-14
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-opsawg-mud-14
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> OPSAWG mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/opsawg
>>
>
Mahesh Jethanandani
[email protected]
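To make the discrepancy raised in this reply concrete, here is an added example (my own, not code from the MUD or ACL drafts) that checks an ACE's `matches` subtree against the updated tree: a port match is accepted only under `tcp` or `udp`, and one found under `ipv6`, as the Section 8 example is described, is reported; each port node must populate exactly one case of `port-range-or-operator`. The instance data is constructed, and the `lt`/`gt`/`eq`/`neq` operator values and the `eq` default are assumed from the ACL draft's `operator` typedef.

```python
# Constructed checker for an ACE 'matches' subtree against the updated ACL
# tree: ports belong to tcp/udp only, and each port node is either the
# range case (lower-port, upper-port) or the operator case (operator, port).
L3_HEADERS = {"ipv4", "ipv6"}
L4_WITH_PORTS = {"tcp", "udp"}
PORT_NODES = ("source-port-range-or-operator",
              "destination-port-range-or-operator")
OPERATORS = ("lt", "gt", "eq", "neq")  # ACL draft's operator typedef (assumed)


def check_matches(matches):
    """Return the problems found in an ACE 'matches' dict; [] means it is clean."""
    problems = []
    for hdr in sorted(matches.keys() & L3_HEADERS):
        for node in PORT_NODES:
            if node in matches[hdr]:
                problems.append(f"{node} must hang off tcp/udp, not {hdr}")
    for hdr in sorted(matches.keys() & L4_WITH_PORTS):
        for node in PORT_NODES:
            if node in matches[hdr]:
                problems.extend(check_port_node(node, matches[hdr][node]))
    return problems


def check_port_node(name, node):
    """Validate one port-range-or-operator choice: exactly one case present."""
    is_range = {"lower-port", "upper-port"}.issubset(node)
    if is_range and ("operator" in node or "port" in node):
        return [f"{name}: range and operator cases are mutually exclusive"]
    if is_range:
        if node["lower-port"] > node["upper-port"]:
            return [f"{name}: lower-port exceeds upper-port"]
        return []
    if "port" in node:  # operator case; 'operator' is optional, default eq
        if node.get("operator", "eq") not in OPERATORS:
            return [f"{name}: unknown operator {node['operator']!r}"]
        return []
    return [f"{name}: neither range nor operator case is populated"]


# Constructed ACE shaped the way the Section 8 example is described above:
# the port match hangs off the ipv6 header.
MUD_STYLE_ACE = {"ipv6": {"protocol": 6,
                          "destination-ipv6-network": "2001:db8::/32",
                          "destination-port-range-or-operator":
                              {"operator": "eq", "port": 443}}}

# The same ACE as the updated tree expects it: the port match under tcp.
CORRECTED_ACE = {"ipv6": {"protocol": 6,
                          "destination-ipv6-network": "2001:db8::/32"},
                 "tcp": {"destination-port-range-or-operator":
                             {"operator": "eq", "port": 443}}}
```

Running `check_matches(MUD_STYLE_ACE)` reports the misplaced port node, while `check_matches(CORRECTED_ACE)` returns an empty list.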