Hi Dhruv,

Thanks for the review. A PR to address your comments can be seen at: https://github.com/IETF-OPSAWG-WG/policy-based-network-acl/pull/114/files.

Please see inline for more context.

Cheers,
Med (as author)

> -----Original Message-----
> From: Dhruv Dhody via Datatracker <[email protected]>
> Sent: Tuesday 7 October 2025 07:11
> To: [email protected]
> Cc: [email protected]; [email protected]
> Subject: draft-ietf-opsawg-ucl-acl-08 early Opsdir review
>
> Document: draft-ietf-opsawg-ucl-acl
> Title: A YANG Data Model and RADIUS Extension for Policy-based Network Access Control
> Reviewer: Dhruv Dhody
> Review result: Has Issues
>
> # OPSDIR Early Review of draft-ietf-opsawg-ucl-acl-08
>
> I have reviewed this document as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving the operational aspects of the IETF drafts.
>
> The document is well-written. The motivation is clear. Thank you for including the examples.
>
> ## Major
>
> - The relationship between the ietf-ucl-acl and ietf-acl-enh YANG modules is unclear. The text suggests that the ACL Extensions work ([I-D.ietf-netmod-acl-extensions]) is a foundational dependency, while the ietf-ucl-acl module itself does not import or augment ietf-acl-enh, nor is it referenced normatively. I suggest this be explicitly clarified.

[Med] I don't know which part of the text smells like there is a strong dependency between these two. Section 3 already has the following: "The network ACLs can be provisioned on devices using specific mechanisms, such as [RFC8519] or [I-D.ietf-netmod-acl-extensions]."

> ## Minor
>
> - "A PEP exposes a NETCONF interface [RFC6241] to an SDN controller" - why NETCONF only and not, say, a YANG-based interface to allow any protocol, including RESTCONF?

[Med] This was mentioned as an example, but I agree with your comment. Fixed.

> - It might be better to make it explicit that Figure 1 is an 'example' or a 'typical' architecture. The text in the section clarifies that there are various options possible.

[Med] Agree. Made several changes.

> - Section 5.1, what is this text referring to - "Note that the data model augments the definition of "recurrence" grouping with a "duration" data node to specify the duration of time for each occurrence the policy activation is triggered"? - I could not locate this in the YANG model.

[Med] Thanks for catching this stale text. Deleted.

> - In A.2, rule1 and rule2 appear to be inconsistent. rule1 for accepting matches on a destination-user-group-id, whereas rule2 for rejecting matches on a destination-ipv4-network - please be explicit on why, for accept, group-id is being used, but for reject, IP address is used.

[Med] That section says: "This example does not intend to be exhaustive." The intent was to show the correlation between the id and actual IP addresses for a rule, but not for all rules. BTW, nothing prevents the same match criteria from being used for rules in a list.

> - Section 6.1, the YANG module description should clearly state what the term UCL stands for; use of the prefix uacl adds to the confusion.

[Med] Good point. Updated the module description.

> ## Nits
>
> - Replace 'he/she' with 'they'

[Med] ACK.

> Thanks!
> Dhruv
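The A.2 exchange above turns on how a rule that matches on a destination-user-group-id relates to one that matches on a destination-ipv4-network: at enforcement time the PEP has to resolve the group-id to the addresses currently assigned to that group. The following Python is an added example, not code from the draft, the PR or either participant; it assumes a hypothetical group-to-prefix mapping held by the PEP (constructed values), rules that carry exactly one of the two match keys quoted in the review, first-match-wins evaluation, and drop as the default. It expands group-based rules into address-based ones and flags pairs of rules whose expanded destinations overlap with different actions, which is the kind of ambiguity the reviewer asked to have spelled out.

```python
"""Added example: resolving user-group-based ACL matches to address-based ones.

Assumptions (constructed for this example, not from the draft):
  - the PEP holds a map from user-group-id to the IPv4 prefixes currently
    assigned to that group;
  - each rule matches on exactly one of 'destination-user-group-id' or
    'destination-ipv4-network' (the two match keys quoted in the review);
  - rules are evaluated first-match-wins, default action is drop.
"""
import ipaddress

# Constructed group -> prefix mapping (hypothetical group ids and prefixes).
GROUP_PREFIXES = {
    "10": ["192.0.2.0/25"],
    "20": ["192.0.2.128/25", "198.51.100.0/24"],
}

# Constructed rule list mirroring the shape discussed for A.2:
# rule1 accepts on a group id, rule2 drops on an IPv4 network.
RULES = [
    {"name": "rule1", "match": {"destination-user-group-id": "10"}, "action": "accept"},
    {"name": "rule2", "match": {"destination-ipv4-network": "198.51.100.0/24"}, "action": "drop"},
]


def prefixes_for_rule(rule, group_prefixes):
    """Return the IPv4 prefixes a rule's destination match covers."""
    m = rule["match"]
    if "destination-user-group-id" in m:
        gid = m["destination-user-group-id"]
        # An unknown group resolves to no prefixes, so the rule never matches.
        return [ipaddress.ip_network(p) for p in group_prefixes.get(gid, [])]
    if "destination-ipv4-network" in m:
        return [ipaddress.ip_network(m["destination-ipv4-network"])]
    raise ValueError(f"{rule['name']}: no supported destination match")


def expand_rules(rules, group_prefixes):
    """Rewrite every rule as address-based, which is what the PEP enforces."""
    expanded = []
    for r in rules:
        for net in prefixes_for_rule(r, group_prefixes):
            expanded.append({"name": r["name"], "dst": net, "action": r["action"]})
    return expanded


def evaluate(dst_ip, rules, group_prefixes):
    """First-match evaluation; returns (rule name, action) or (None, 'drop')."""
    ip = ipaddress.ip_address(dst_ip)
    for e in expand_rules(rules, group_prefixes):
        if ip in e["dst"]:
            return e["name"], e["action"]
    return None, "drop"


def overlapping_rules(rules, group_prefixes):
    """Report pairs of distinct rules whose expanded destinations overlap with
    different actions. A group-id rule and an address rule can silently cover
    the same hosts; surfacing that makes the ordering decision explicit."""
    exp = expand_rules(rules, group_prefixes)
    found = []
    for i, a in enumerate(exp):
        for b in exp[i + 1:]:
            if (a["name"] != b["name"] and a["action"] != b["action"]
                    and a["dst"].overlaps(b["dst"])):
                found.append((a["name"], b["name"], str(a["dst"]), str(b["dst"])))
    return found


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.1"):
        print(ip, "->", evaluate(ip, RULES, GROUP_PREFIXES))
    print("overlaps:", overlapping_rules(RULES, GROUP_PREFIXES))
```

With the constructed mapping, rule1 and rule2 expand to disjoint prefixes, so there is no conflict to report; swapping rule1 for a rule that accepts group "20" makes the accept and the drop cover 198.51.100.0/24 at the same time, and the overlap check reports the pair, so the author can decide deliberately which rule should come first.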
