Document: draft-ietf-opsawg-ucl-acl-11
Reviewer: Acee Lindem
Review Date: 2026-01-26
IETF LC End Date: 2026-01-26
Intended Status: STANDARD TRACK

This is a YANG doctor review on the YANG data module ietf-ucl-acl.yang.

I have one major concern with this document. The YANG model adds generalized schedule-based ACEs, yet this is not reflected in the YANG model name, draft title, or abstract. This should at least be in a separate YANG model and possibly in a separate draft since it appears to have been added as an afterthought and, IMO, it is much more important than the group-based access control.

The following issues/questions also have to be addressed:

1. In section 2, the formatting of "device group" and "application group" is messed up. Also, there is an unresolved reference to {{sec-dg}} and {{sec-ag}}. I guess you are not using the standard XML source.

2. Section 4.2.2 - I've never used a printer to send emails ;^)

3. Section 4.3 - I believe you want to change "not differentiating" to "differentiating" as this is prefaced by "run without requiring".

4. Throughout, you hyphenate end-user but not end-device? I changed this in my suggested edits.

5. How did you decide on 64 octets for the group identifier string maximum?

6. In section 6, I would have expected the attribute to be the first column in table 4.

7. In section 8.1, I guess the PEP wouldn't need to implement anything beyond standard ACLs, as long as the SDN controller maps the group-id-based rule ACE to one or more standard ACEs - correct?

8. In section 9, source-group-id and destination-group-id in ACEs should both be addressed.

9. If the schedule-based ACEs are retained in this document, write access could facilitate multiple attacks. Consider:

I have some editorial suggestions for the draft that I've attached.

Thanks,
Acee