Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"

Martin Bjorklund <mbj@tail-f.com> Mon, 08 January 2018 16:46 UTC

Date: Mon, 08 Jan 2018 17:46:21 +0100
Message-Id: <20180108.174621.261235771307695730.mbj@tail-f.com>
To: acee@cisco.com
Cc: supjps-ietf@jpshallow.com, rwilton@cisco.com, netmod@ietf.org, einarnn@cisco.com, mjethanandani@gmail.com
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <D678FF01.E8C2A%acee@cisco.com>
References: <041cd24f-858c-5e94-6bea-6d25f62b4acc@cisco.com> <022401d38897$f2aa1b70$d7fe5250$@jpshallow.com> <D678FF01.E8C2A%acee@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/8JD5gm15oX1K-2bMs8Ph8zFFU5g>
Subject: Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"

"Acee Lindem (acee)" <acee@cisco.com> wrote:
> Hi Jon,
> 
> From: netmod <netmod-bounces@ietf.org> on behalf of Jon Shallow
> <supjps-ietf@jpshallow.com>
> Date: Monday, January 8, 2018 at 10:47 AM
> To: "Robert Wilton -X (rwilton - ENSOFT LIMITED at Cisco)"
> <rwilton@cisco.com>, "netmod@ietf.org" <netmod@ietf.org>,
> "Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com>,
> 'Mahesh Jethanandani' <mjethanandani@gmail.com>
> Subject: Re: [netmod] Netmod ACL - Can "access-lists" be set up as a
> "grouping"
> 
> Hi Robert,
> 
> A good set of points.
> 
> My particular use case (hence raising the question) is defining a YANG
> model where there are multiple appliances and where ACLs are defined
> for each appliance, but there is the likelihood of the different
> appliances using the same “acl-name”, but the contents of “acl-name”
> are different.  Having a grouping (using import-by-revision) would
> help me considerably here.
> 
> I guess I don’t see the use case. Wouldn’t you have multiple network
> devices for multiple network devices? Or at least separate LNEs?
> https://www.ietf.org/id/draft-ietf-rtgwg-lne-model-05.txt

Right.  If a grouping is required for acls for this use case, wouldn't
the same be true for interfaces and the other models?  I think LNE or
schema mount in general solves this issue.


/martin


> 
> Thanks,
> Acee
> 
> Regards
> 
> Jon
> 
> From: Robert Wilton [mailto:rwilton@cisco.com]
> Sent: 08 January 2018 15:31
> To: Einar Nilsen-Nygaard (einarnn); Jon Shallow; Mahesh Jethanandani
> Cc: netmod@ietf.org
> Subject: Re: [netmod] Netmod ACL - Can "access-lists" be set up as a
> "grouping"
> 
> 
> Hi Einar, Jon, Mahesh,
> 
> My gut instinct is that making this a grouping might not be a good
> idea:
> 
> 1) If somebody updates the core ACL model, they will then need to
> check that anyone using it should be similarly updated (unless they
> use import-by-revision).
> 
> 2) Does it make sense to define ACLs in separate places?  It would
> likely be more simple if ACLs were defined in a central place and then
> just referenced by other protocols as required.
> 
> 3) I think that groupings are probably overused and I think that they
> can detract from the readability of the model.  (I regard the
> OpenConfig YANG models as an extreme example of this, where it is
> necessary to compile the modules together to figure out where
> everything fits together).
> 
> Having said that, I don't think that this issue is important enough to
> have a long discussion about ...
> 
> Thanks,
> Rob
> 
> On 08/01/2018 15:02, Einar Nilsen-Nygaard (einarnn) wrote:
> Since this is a 7-line change, I see no harm in it if no-one objects?
> Mahesh has the token for rolling in updates discussed just prior to
> the end of 2017.
> 
> Here’s a possible diff:
> 
> $ git diff -b
> diff --git a/src/yang/ietf-access-control-list.yang
> b/src/yang/ietf-access-control-list.yang
> index 4d698c9..b1a173f 100644
> --- a/src/yang/ietf-access-control-list.yang
> +++ b/src/yang/ietf-access-control-list.yang
> @@ -402,6 +402,10 @@ module ietf-access-control-list {
>    /*
>     * Configuration data nodes
>     */
> +  grouping access-lists-top {
> +    description
> +      "Grouping to allow reuse of access lists container elsewhere.";
> +
>      container access-lists {
>        description
>          "This is a top level container for Access Control Lists.
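Review bot: the container's description still says "This is a top level container for Access Control Lists", but once it sits inside the new `access-lists-top` grouping it can be instantiated below other nodes, which is the purpose of the change; the description (or the grouping's own description) should say the container is top-level only when the grouping is used at module level. Also, because the diff was produced with `git diff -b`, the re-indentation of the container body by one level inside the grouping is hidden, so the actual commit should be checked for that whitespace change.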
> @@ -576,6 +580,9 @@ module ietf-access-control-list {
>          }
>        }
>      }
> +  }
> +  uses access-lists-top;
> +
>    augment "/if:interfaces/if:interface" {
>      description
>        "Augment interfaces to allow ACLs to be associated in either the
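Review bot: `uses access-lists-top;` directly at module level reproduces the original /access-lists tree, so the augment of `/if:interfaces/if:interface` that follows keeps resolving the same paths; it is worth stating that in the grouping's description so a later reader does not assume the data tree moved. The bare `+  }` on the line after the container's own closing `}` is easy to misread in a `-b` diff; a trailing comment such as `} // grouping access-lists-top` would make the nesting explicit.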
> 
> Cheers,
> 
> Einar
> 
> 
> 
> On 8 Jan 2018, at 10:53, Jon Shallow <supjps-ietf@jpshallow.com> wrote:
> 
> Hi There,
> 
> I appreciate that this is late to the table, but is it possible to set
> up “access-lists” as a “grouping” in the YANG data model so that
> “access-lists” can be included by “uses” in a higher level YANG data
> model?
> 
> I have raised this as issue #22 at
> https://github.com/netmod-wg/acl-model/issues
> 
> Regards
> 
> Jon
> _______________________________________________
> netmod mailing list
> netmod@ietf.org
> https://www.ietf.org/mailman/listinfo/netmod
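To make Jon's per-appliance use case concrete, here is an added example (not part of the thread and not code from the netmod-wg/acl-model repository) of a hypothetical higher-level module that applies the `access-lists-top` grouping from Einar's diff inside a list of appliances; the module name, namespace and `revision-date` are assumptions.

```yang
module example-appliance-acls {
  yang-version 1.1;
  namespace "urn:example:appliance-acls";   // hypothetical namespace
  prefix appl;

  import ietf-access-control-list {
    prefix acl;
    // Import by revision, as Rob suggests, so that a later change to the
    // grouping cannot silently change this module's data tree.
    revision-date 2018-01-08;   // placeholder, not a real ACL-module revision
  }

  container appliances {
    description
      "Per-appliance configuration.  Each appliance carries its own copy
       of the access-lists container, so two appliances may both define
       an ACL named 'acl-name' with different contents.";
    list appliance {
      key "name";
      leaf name {
        type string;
        description "Name of the managed appliance.";
      }
      // Instantiates /appl:appliances/appl:appliance/appl:access-lists.
      // Nodes pulled in from a grouping take the namespace of the module
      // that uses them, so these copies are separate from the
      // module-level /acl:access-lists instantiated by the ACL module's
      // own 'uses access-lists-top;'.  The ACL module's augment of
      // /if:interfaces/if:interface is defined outside the grouping and
      // is therefore not copied here.
      uses acl:access-lists-top;
    }
  }
}
```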