Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"
Martin Bjorklund <mbj@tail-f.com> Mon, 08 January 2018 16:46 UTC
To: acee@cisco.com
Cc: supjps-ietf@jpshallow.com, rwilton@cisco.com, netmod@ietf.org, einarnn@cisco.com, mjethanandani@gmail.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/8JD5gm15oX1K-2bMs8Ph8zFFU5g>

"Acee Lindem (acee)" <acee@cisco.com> wrote:
> Hi Jon,
>
> From: netmod <netmod-bounces@ietf.org>
> on behalf of Jon Shallow <supjps-ietf@jpshallow.com>
> Date: Monday, January 8, 2018 at 10:47 AM
> To: "Robert Wilton -X (rwilton - ENSOFT LIMITED at Cisco)"
> <rwilton@cisco.com>, "netmod@ietf.org" <netmod@ietf.org>,
> "Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com>,
> 'Mahesh Jethanandani' <mjethanandani@gmail.com>
> Subject: Re: [netmod] Netmod ACL - Can "access-lists" be set up as a
> "grouping"
>
> Hi Robert,
>
> A good set of points.
>
> My particular use case (hence raising the question) is defining a YANG
> model where there are multiple appliances and where ACLs are defined
> for each appliance, but there is the likelihood of the different
> appliances using the same “acl-name”, but the contents of “acl-name”
> are different. Having a grouping (using import-by-revision) would
> help me considerably here.
>
> I guess I don’t see the use case. Wouldn’t you have multiple network
> devices for multiple network devices? Or at least separate LNEs?
> https://www.ietf.org/id/draft-ietf-rtgwg-lne-model-05.txt

Right. If a grouping is required for acls for this use case, wouldn't
the same be true for interfaces and the other models? I think LNE or
schema mount in general solves this issue.

/martin

>
> Thanks,
> Acee
>
> Regards
>
> Jon
>
> From: Robert Wilton [mailto:rwilton@cisco.com]
> Sent: 08 January 2018 15:31
> To: Einar Nilsen-Nygaard (einarnn); Jon Shallow; Mahesh Jethanandani
> Cc: netmod@ietf.org
> Subject: Re: [netmod] Netmod ACL - Can "access-lists" be set up as a
> "grouping"
>
>
> Hi Einar, Jon, Mahesh,
>
> My gut instinct is that making this a grouping might not be a good
> idea:
>
> 1) If somebody updates the core ACL model, will then need to check
> that anyone using it should be similarly updated (unless they use
> import-by-revision).
>
> 2) Does it make sense to define ACLs in separate places. Would like
> be more simple if ACLs were defined in a central place and then just
> referenced by other protocols as required.
> 3) I think that groupings are probably overused and I think that they
> can detract from the readability of the model. (I regard the
> OpenConfig YANG models as an extreme example of this, where it is
> necessary to compile the modules together to figure out where
> everything fits together).
>
> Having said that, I don't think that this issue is important enough to
> have a long discussion about ...
>
> Thanks,
> Rob
>
> On 08/01/2018 15:02, Einar Nilsen-Nygaard (einarnn) wrote:
> Since this is a 7-line change, I see no harm in it if no-one objects?
> Mahesh has the token for rolling in updates discussed just prior to
> the end of 2017.
>
> Here’s a possible diff:
>
> $ git diff -b > diff --git a/src/yang/ietf-access-control-list.yang > b/src/yang/ietf-access-control-list.yang > index 4d698c9..b1a173f 100644 > --- a/src/yang/ietf-access-control-list.yang > +++ b/src/yang/ietf-access-control-list.yang
> @@ -402,6 +402,10 @@ module ietf-access-control-list { > /* > * Configuration data nodes > */ > + grouping access-lists-top { > + description > + "Grouping to allow reuse of access lists container elsewhere."; > + > container access-lists { > description > "This is a top level container for Access Control Lists. > @@ -576,6 +580,9 @@ module ietf-access-control-list { > } > } > } > + } > + uses access-lists-top; > + > augment "/if:interfaces/if:interface" { > description > "Augment interfaces to allow ACLs to be associated in either the
>
> Cheers,
>
> Einar
>
>
>
> On 8 Jan 2018, at 10:53, Jon Shallow
> <supjps-ietf@jpshallow.com> wrote:
>
> Hi There,
>
> I appreciate that this is late to the table, but is it possible to set
> up “access-lists” as a “grouping” in the YANG data model so that
> “access-lists” can be included by “uses” in a higher level YANG data
> model?
>
> I have raised this as issue #22 at
> https://github.com/netmod-wg/acl-model/issues
>
> Regards
>
> Jon
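
Review bot: In the first hunk (@@ -402,6 +402,10 @@), the description on `grouping access-lists-top` says only that the grouping allows reuse of the container "elsewhere", while the container's own description, kept unchanged inside it, still reads "This is a top level container for Access Control Lists." Once the container can be instantiated under another module's node that sentence is no longer true for every use, so either reword it or have the grouping description say that the top-level wording applies only to this module's own `uses`. Separately, the diff was produced with `git diff -b`, so whitespace-only changes are hidden: `container access-lists {` appears at the same depth as the new `grouping` line, and the committed file should re-indent the wrapped container by one level.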
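
Review bot: In the second hunk (@@ -576,6 +580,9 @@), `uses access-lists-top;` is followed directly by the existing `augment "/if:interfaces/if:interface"` that associates ACLs with interfaces, and nothing in the visible lines shows how that association would select an instance of the grouping that another module places elsewhere rather than this module's top-level `access-lists`. For the use case raised in the thread (the same "acl-name" with different contents per appliance), a reference that resolves to the wrong list applies the wrong filter policy, so the grouping description should state that interface attachment covers only the top-level instance, or the patch should be checked for absolute paths inside the grouped container before it is merged.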