On 24.01.18 19:25, Mahesh Jethanandani wrote:
>
>
>> On Jan 24, 2018, at 12:34 AM, Eliot Lear <[email protected]> wrote:
>>
>> This update primarily focuses on two elements that were agreed during
>> WGLC:
>>
>> * The update to the ACL model. That update has taken longer than I
>> would have liked, but it is now at least close to finished.
>> Note: the MUD model does not yet match the published ACL model,
>> but it does match the agreed changes that will be produced in the
>> next ACL draft.
>>
> Does it?
>
> Looking at the MUD example in Section 8 of the draft, I see that
> port/range is hanging off of ipv6 IP header. Per your comment, we
> moved the port under the ‘tcp’ header in the ACL model.
Yeah, the example was blown. Fixed in next release ;-) Same with
protocol. It ended up in l4 when it should be l3.
>
> Also, the container "access-list-entries" had been renamed to “aces”
> in an earlier version of the draft. Med has pointed out some other
> discrepancies, but in general, I would scrub the entire example one
> more time.
>
> Cheers.
>
> p.s. The updated ACL model tree looks like this now:
>
> module: ietf-access-control-list
>   +--rw access-lists
>      +--rw acl* [name]
>      |  +--rw name    string
>      |  +--rw type?   acl-type
>      |  +--rw aces
>      |     +--rw ace* [name]
>      |        +--rw name       string
>      |        +--rw matches
>      |        |  +--rw (l2)?
>      |        |  |  +--:(eth)
>      |        |  |     +--rw eth {match-on-eth}?
>      |        |  |        +--rw destination-mac-address?
>      |        |  |        |       yang:mac-address
>      |        |  |        +--rw destination-mac-address-mask?
>      |        |  |        |       yang:mac-address
>      |        |  |        +--rw source-mac-address?
>      |        |  |        |       yang:mac-address
>      |        |  |        +--rw source-mac-address-mask?
>      |        |  |        |       yang:mac-address
>      |        |  |        +--rw ethertype?
>      |        |  |                eth:ethertype
>      |        |  +--rw (l3)?
>      |        |  |  +--:(ipv4)
>      |        |  |  |  +--rw ipv4 {match-on-ipv4}?
>      |        |  |  |     +--rw dscp?             inet:dscp
>      |        |  |  |     +--rw ecn?              uint8
>      |        |  |  |     +--rw length?           uint16
>      |        |  |  |     +--rw ttl?              uint8
>      |        |  |  |     +--rw protocol?         uint8
>      |        |  |  |     +--rw ihl?              uint8
>      |        |  |  |     +--rw flags?            bits
>      |        |  |  |     +--rw offset?           uint16
>      |        |  |  |     +--rw identification?   uint16
>      |        |  |  |     +--rw (destination-network)?
>      |        |  |  |     |  +--:(destination-ipv4-network)
>      |        |  |  |     |     +--rw destination-ipv4-network?
>      |        |  |  |     |             inet:ipv4-prefix
>      |        |  |  |     +--rw (source-network)?
>      |        |  |  |        +--:(source-ipv4-network)
>      |        |  |  |           +--rw source-ipv4-network?
>      |        |  |  |                   inet:ipv4-prefix
>      |        |  |  +--:(ipv6)
>      |        |  |     +--rw ipv6 {match-on-ipv6}?
>      |        |  |        +--rw dscp?       inet:dscp
>      |        |  |        +--rw ecn?        uint8
>      |        |  |        +--rw length?     uint16
>      |        |  |        +--rw ttl?        uint8
>      |        |  |        +--rw protocol?   uint8
>      |        |  |        +--rw (destination-network)?
>      |        |  |        |  +--:(destination-ipv6-network)
>      |        |  |        |     +--rw destination-ipv6-network?
>      |        |  |        |             inet:ipv6-prefix
>      |        |  |        +--rw (source-network)?
>      |        |  |        |  +--:(source-ipv6-network)
>      |        |  |        |     +--rw source-ipv6-network?
>      |        |  |        |             inet:ipv6-prefix
>      |        |  |        +--rw flow-label?
>      |        |  |                inet:ipv6-flow-label
>      |        |  +--rw (l4)?
>      |        |  |  +--:(tcp)
>      |        |  |  |  +--rw tcp {match-on-tcp}?
>      |        |  |  |     +--rw sequence-number?
>      |        |  |  |     |       uint32
>      |        |  |  |     +--rw acknowledgement-number?
>      |        |  |  |     |       uint32
>      |        |  |  |     +--rw data-offset?
>      |        |  |  |     |       uint8
>      |        |  |  |     +--rw reserved?
>      |        |  |  |     |       uint8
>      |        |  |  |     +--rw flags?
>      |        |  |  |     |       bits
>      |        |  |  |     +--rw window-size?
>      |        |  |  |     |       uint16
>      |        |  |  |     +--rw urgent-pointer?
>      |        |  |  |     |       uint16
>      |        |  |  |     +--rw options?
>      |        |  |  |     |       uint32
>      |        |  |  |     +--rw (source-port)?
>      |        |  |  |     |  +--:(source-port-range-or-operator)
>      |        |  |  |     |     +--rw source-port-range-or-operator
>      |        |  |  |     |        +--rw (port-range-or-operator)?
>      |        |  |  |     |           +--:(range)
>      |        |  |  |     |           |  +--rw lower-port
>      |        |  |  |     |           |  |       inet:port-number
>      |        |  |  |     |           |  +--rw upper-port
>      |        |  |  |     |           |          inet:port-number
>      |        |  |  |     |           +--:(operator)
>      |        |  |  |     |              +--rw operator?   operator
>      |        |  |  |     |              +--rw port
>      |        |  |  |     |                      inet:port-number
>      |        |  |  |     +--rw (destination-port)?
>      |        |  |  |        +--:(destination-port-range-or-operator)
>      |        |  |  |           +--rw destination-port-range-or-operator
>      |        |  |  |              +--rw (port-range-or-operator)?
>      |        |  |  |                 +--:(range)
>      |        |  |  |                 |  +--rw lower-port
>      |        |  |  |                 |  |       inet:port-number
>      |        |  |  |                 |  +--rw upper-port
>      |        |  |  |                 |          inet:port-number
>      |        |  |  |                 +--:(operator)
>      |        |  |  |                    +--rw operator?   operator
>      |        |  |  |                    +--rw port
>      |        |  |  |                            inet:port-number
>      |        |  |  +--:(udp)
>      |        |  |  |  +--rw udp {match-on-udp}?
>      |        |  |  |     +--rw length?
>      |        |  |  |     |       uint16
>      |        |  |  |     +--rw (source-port)?
>      |        |  |  |     |  +--:(source-port-range-or-operator)
>      |        |  |  |     |     +--rw source-port-range-or-operator
>      |        |  |  |     |        +--rw (port-range-or-operator)?
>      |        |  |  |     |           +--:(range)
>      |        |  |  |     |           |  +--rw lower-port
>      |        |  |  |     |           |  |       inet:port-number
>      |        |  |  |     |           |  +--rw upper-port
>      |        |  |  |     |           |          inet:port-number
>      |        |  |  |     |           +--:(operator)
>      |        |  |  |     |              +--rw operator?   operator
>      |        |  |  |     |              +--rw port
>      |        |  |  |     |                      inet:port-number
>      |        |  |  |     +--rw (destination-port)?
>      |        |  |  |        +--:(destination-port-range-or-operator)
>      |        |  |  |           +--rw destination-port-range-or-operator
>      |        |  |  |              +--rw (port-range-or-operator)?
>      |        |  |  |                 +--:(range)
>      |        |  |  |                 |  +--rw lower-port
>      |        |  |  |                 |  |       inet:port-number
>      |        |  |  |                 |  +--rw upper-port
>      |        |  |  |                 |          inet:port-number
>      |        |  |  |                 +--:(operator)
>      |        |  |  |                    +--rw operator?   operator
>      |        |  |  |                    +--rw port
>      |        |  |  |                            inet:port-number
>      |        |  |  +--:(icmp)
>      |        |  |     +--rw icmp {match-on-icmp}?
>      |        |  |        +--rw type?             uint8
>      |        |  |        +--rw code?             uint8
>      |        |  |        +--rw rest-of-header?   uint32
>      |        |  +--rw egress-interface?    if:interface-ref
>      |        |  +--rw ingress-interface?   if:interface-ref
>      |        +--rw actions
>      |        |  +--rw forwarding    identityref
>      |        |  +--rw logging?      identityref
>      |        +--ro statistics {acl-aggregate-stats}?
>      |           +--ro matched-packets?   yang:counter64
>      |           +--ro matched-octets?    yang:counter64
>      +--rw attachment-points
>         +--rw interface* [interface-id] {interface-attachment}?
>            +--rw interface-id    if:interface-ref
>            +--rw ingress
>            |  +--rw acl-sets
>            |     +--rw acl-set* [name]
>            |        +--rw name
>            |        |       -> ../../../../../../acl/name
>            |        +--ro ace-statistics* [name] {interface-stats}?
>            |           +--ro name               leafref
>            |           +--ro matched-packets?   yang:counter64
>            |           +--ro matched-octets?    yang:counter64
>            +--rw egress
>               +--rw acl-sets
>                  +--rw acl-set* [name]
>                     +--rw name
>                     |       -> ../../../../../../acl/name
>                     +--ro ace-statistics* [name] {interface-stats}?
>                        +--ro name               leafref
>                        +--ro matched-packets?   yang:counter64
>                        +--ro matched-octets?    yang:counter64
>>
>> * Mark Nottingham had commented that it is not appropriate to have
>> versioning information in the MUD-URL itself, but that it should
>> be in the model. We agreed on this change, as well as some
>> wording around how HTTP is handled.
>>
>> Based on these changes, I would like to move this document forward to
>> IETF LC.
>>
>> Eliot
>>
>>
>> On 24.01.18 09:29, [email protected] wrote:
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>> This draft is a work item of the Operations and Management Area Working
>>> Group WG of the IETF.
>>>
>>> Title : Manufacturer Usage Description Specification
>>> Authors : Eliot Lear
>>> Ralph Droms
>>> Dan Romascanu
>>> Filename : draft-ietf-opsawg-mud-14.txt
>>> Pages : 56
>>> Date : 2018-01-24
>>>
>>> Abstract:
>>> This memo specifies a component-based architecture for manufacturer
>>> usage descriptions (MUD). The goal of MUD is to provide a means for
>>> Things to signal to the network what sort of access and network
>>> functionality they require to properly function. The initial focus
>>> is on access control. Later work can delve into other aspects.
>>>
>>> This memo specifies two YANG modules, IPv4 and IPv6 DHCP options, an
>>> LLDP TLV, a URL suffix specification, an X.509 certificate extension
>>> and a means to sign and verify the descriptions.
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/
>>>
>>> There are also htmlized versions available at:
>>> https://tools.ietf.org/html/draft-ietf-opsawg-mud-14
>>> https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-mud-14
>>>
>>> A diff from the previous version is available at:
>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-opsawg-mud-14
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> OPSAWG mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/opsawg
>>>
>>
>
> Mahesh Jethanandani
> [email protected]
>
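An added check for the discrepancies discussed in the thread (not code from the draft, the ACL model, or either author): it walks an ACL in JSON and reports port containers hanging off an ipv4/ipv6 node, protocol sitting under tcp/udp, and the old access-list-entries container name, which the tree above renames to aces. Both sample ACLs are constructed; the accept forwarding identity and the 2001:db8::/32 prefix are assumptions.

```python
import json

# Constructed sample (not the draft's Section 8 example) in the shape the
# thread describes: old access-list-entries container, port range hanging
# off the ipv6 node, protocol sitting under tcp.
BROKEN_ACL = json.loads("""{"name": "acl-example", "access-list-entries": {"ace": [{
  "name": "ace0",
  "matches": {
    "ipv6": {"destination-ipv6-network": "2001:db8::/32",
             "destination-port-range-or-operator": {"lower-port": 443, "upper-port": 443}},
    "tcp": {"protocol": 6}},
  "actions": {"forwarding": "accept"}}]}}""")

# The same ACE laid out as the agreed tree: protocol is an l3 (ipv6) leaf,
# the port range lives under the l4 (tcp) node, and the container is aces.
FIXED_ACL = json.loads("""{"name": "acl-example", "aces": {"ace": [{
  "name": "ace0",
  "matches": {
    "ipv6": {"destination-ipv6-network": "2001:db8::/32", "protocol": 6},
    "tcp": {"destination-port-range-or-operator": {"lower-port": 443, "upper-port": 443}}},
  "actions": {"forwarding": "accept"}}]}}""")

L3_NODES = ("ipv4", "ipv6")
L4_NODES = ("tcp", "udp")
PORT_CONTAINERS = ("source-port-range-or-operator", "destination-port-range-or-operator")

def lint_ace(ace):
    """Flag port containers under an l3 node and protocol under an l4 node."""
    findings = []
    matches = ace.get("matches", {})
    for node in L3_NODES:
        for port in PORT_CONTAINERS:
            if port in matches.get(node, {}):
                findings.append(f"{port} hangs off {node}; it belongs under tcp/udp")
    for node in L4_NODES:
        if "protocol" in matches.get(node, {}):
            findings.append(f"protocol sits under {node}; it is an ipv4/ipv6 leaf")
    return findings

def lint_acl(acl):
    """Lint one acl entry: the container name plus every ACE's match layout."""
    findings = []
    if "access-list-entries" in acl:
        findings.append("container access-list-entries was renamed to aces")
    aces = acl.get("aces") or acl.get("access-list-entries") or {}
    for ace in aces.get("ace", []):
        findings += [f"ace {ace.get('name')}: {f}" for f in lint_ace(ace)]
    return findings

if __name__ == "__main__":
    print("\n".join(lint_acl(BROKEN_ACL)) or "no findings")
```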