diff options
| author |   Marek Gradzki <mgradzki@cisco.com> | 2016-08-26 12:37:45 +0200 |
|---|---|---|
| committer | Marek Gradzki <mgradzki@cisco.com> | 2016-08-26 14:28:28 +0200 |
| commit | a0a1b0e2af851e1a15286e5d5eb576eae5769a59 (patch) | |
| tree | 4dfd3a54eef8bfc6e3024cf623d20df5daece852 /v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/Readme.adoc | |
| parent | a92df9b4a2c5488621f8e95a6b88fb126a375649 (diff) | |
HONEYCOMB-139: ietf-acl translation layer. IP6 L3 ACL support
Other changes:
- documentation update
- eth + ip4 writer rafactoring + tests
Change-Id: I1ac6a4e99dd4f12c870cbd749af6b98018294dd4
Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
Diffstat (limited to 'v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/Readme.adoc')
| -rw-r--r-- | v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/Readme.adoc | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/Readme.adoc b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/Readme.adoc new file mode 100644 index 000000000..e59f72abe --- /dev/null +++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/Readme.adoc @@ -0,0 +1,32 @@ += VPP to IETF-ACL model translation + +Package provides VPP translation code for draft-ietf-netmod-acl-model-08. +Access control lists are mapped to chains of classify tables, each with single classify session. + +== Available operations + +=== Configuration data +Configuration data for the model is stored in Honeycomb. Corresponding classify tables and sessions +are not created until control access list is assigned to an interface. + +Classify tables and sessions are removed from VPP when ACL assignment is deleted. + +ACLs can be shared among interfaces, but each time, new instance of classify table chain would be created in VPP. + +ACLs that are assigned to an interface have to be unassigned before update/removal. + +=== Operational state +Operational read in terms of ietf-acl model is not supported (would require storing additional metadata in vpp). +As a consequence, configuration data initialization based on operational state is not possible. + +To check how ietf-acl model was translated to classify tables/session, low-level vpp-classfier model can be used. + +== Restrictions + +VPP classfier works in form of offsets and masks of 16B units. +The offset always starts at the beginning of L2 Ethernet header +of input packet. Because IP header can have variable length, +source/destination port matching (L4 features of ietf-acl model) is not possible. + +Current implementation also assumes constant Ethernet header size +(802.1Q headers are not supported).
\ No newline at end of file |