Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"

Robert Wilton <rwilton@cisco.com> Mon, 08 January 2018 15:31 UTC

Return-Path: <rwilton@cisco.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3956A126C25 for <netmod@ietfa.amsl.com>; Mon, 8 Jan 2018 07:31:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dUf_GuJ-btDR for <netmod@ietfa.amsl.com>; Mon, 8 Jan 2018 07:31:29 -0800 (PST)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C84AD1200C5 for <netmod@ietf.org>; Mon, 8 Jan 2018 07:31:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=17550; q=dns/txt; s=iport; t=1515425489; x=1516635089; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=qA0B9xc+sv9cPtqqKG0F+lIM9dhksXQuuybd1KUoPeg=; b=GoQj5bTxkYDgis4tC9Uwx4gbp4OSjxRs+aV7kToCwYKyUqH3NWL8JXEp SMU49dWJ49AJ5+XtHRehY0fibzRT7hXjXIbw/fWnbk+Lc9fRTDEdbLDr/ mYtdE/ivdHh2guQmCAKq2bdGTfd0EYSMtvS7Ixsv4WUmcCz4ZQhtd9i5F E=;
X-IronPort-AV: E=Sophos;i="5.46,330,1511827200"; d="scan'208,217";a="1278099"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 08 Jan 2018 15:31:27 +0000
Received: from [10.63.23.84] (dhcp-ensft1-uk-vla370-10-63-23-84.cisco.com [10.63.23.84]) by aer-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id w08FVQSc021801; Mon, 8 Jan 2018 15:31:26 GMT
To: "Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com>, Jon Shallow <supjps-ietf@jpshallow.com>, Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: "netmod@ietf.org" <netmod@ietf.org>
References: <012301d3886e$f96f08e0$ec4d1aa0$@jpshallow.com> <B0576B62-CB61-45EA-99EF-E5B67545B85C@cisco.com>
From: Robert Wilton <rwilton@cisco.com>
Message-ID: <041cd24f-858c-5e94-6bea-6d25f62b4acc@cisco.com>
Date: Mon, 8 Jan 2018 15:31:26 +0000
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <B0576B62-CB61-45EA-99EF-E5B67545B85C@cisco.com>
Content-Type: multipart/alternative; boundary="------------66C4978BB07FF18388AA8688"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/-GNb6QET46mZlh8eM6YpGqHKjPg>
Subject: Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jan 2018 15:31:31 -0000

Hi Einar, Jon, Mahesh,

My gut instinct is that making this a grouping might not be a good idea:

1) If somebody updates the core ACL model, will then need to check that 
anyone using it should be similarly updated (unless they use 
import-by-revision).

2) Does it make sense to define ACLs in separate places.  Would like be 
more simple if ACLs were defined in a central place and then just 
referenced by other protocols as required.

3) I think that groupings are probably overused and I think that they 
can detract from the readability of the model.  (I regard the OpenConfig 
YANG models as an extreme example of this, where it is necessary to 
compile the modules together to figure out where everything fits together).

Having said that, I don't think that this issue is important enough to 
have a long discussion about ...

Thanks,
Rob


On 08/01/2018 15:02, Einar Nilsen-Nygaard (einarnn) wrote:
> Since this is a 7-line change, I see no harm in it if no-one objects? 
> Mahesh has the token for rolling in updates discussed just prior to 
> the end of 2017.
>
> Here’s a possible diff:
>
> $ git diff -b
> diff --git a/src/yang/ietf-access-control-list.yang 
> b/src/yang/ietf-access-control-list.yang
> index 4d698c9..b1a173f 100644
> --- a/src/yang/ietf-access-control-list.yang
> +++ b/src/yang/ietf-access-control-list.yang
> @@ -402,6 +402,10 @@ module ietf-access-control-list {
>    /*
>     * Configuration data nodes
>     */
> +  grouping access-lists-top {
> +    description
> +      "Grouping to allow reuse of access lists container elsewhere.";
> +
>      container access-lists {
>        description
>          "This is a top level container for Access Control Lists.
> @@ -576,6 +580,9 @@ module ietf-access-control-list {
>          }
>        }
>      }
> +  }
> +  uses access-lists-top;
> +
>    augment "/if:interfaces/if:interface" {
>      description
>        "Augment interfaces to allow ACLs to be associated in either the
>
> Cheers,
>
> Einar
>
>
>> On 8 Jan 2018, at 10:53, Jon Shallow <supjps-ietf@jpshallow.com 
>> <mailto:supjps-ietf@jpshallow.com>> wrote:
>>
>> Hi There,
>> I appreciate that this is late to the table, but is it possible to 
>> set up “access-lists” as a “grouping” in the YANG data model so that 
>> “access-lists” can be included by “uses” in a higher level YANG data 
>> model?
>> I have raised this as issue #22 
>> athttps://github.com/netmod-wg/acl-model/issues
>> Regards
>> Jon
>> _______________________________________________
>> netmod mailing list
>> netmod@ietf.org <mailto:netmod@ietf.org>
>> https://www.ietf.org/mailman/listinfo/netmod
>
>
>
> _______________________________________________
> netmod mailing list
> netmod@ietf.org
> https://www.ietf.org/mailman/listinfo/netmod