Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14

Kristian Larsson <kristian@spritelink.net> Wed, 08 November 2017 07:47 UTC

Return-Path: <kristian@spritelink.net>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2AC1131519 for <netmod@ietfa.amsl.com>; Tue, 7 Nov 2017 23:47:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D_4E26aSWUdE for <netmod@ietfa.amsl.com>; Tue, 7 Nov 2017 23:47:25 -0800 (PST)
Received: from Mail2.SpriteLink.NET (Mail2.SpriteLink.NET [195.182.5.83]) by ietfa.amsl.com (Postfix) with ESMTP id D427D129C26 for <netmod@ietf.org>; Tue, 7 Nov 2017 23:47:24 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by Mail2.SpriteLink.NET (Postfix) with ESMTP id DBBC926184B; Wed, 8 Nov 2017 08:47:25 +0100 (CET)
X-Virus-Scanned: amavisd-new at SpriteLink.NET
Received: from Mail2.SpriteLink.NET ([195.182.5.83]) by localhost (Mail2.SpriteLink.NET [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JpGqbW5JUkmW; Wed, 8 Nov 2017 08:47:23 +0100 (CET)
Received: from localhost (Mission-Control.SpriteLink.NET [195.182.5.153]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: kristian@SpriteLink.NET) by Mail2.SpriteLink.NET (Postfix) with ESMTPSA id 6B17B261846; Wed, 8 Nov 2017 08:47:23 +0100 (CET)
Date: Wed, 8 Nov 2017 08:47:21 +0100
From: Kristian Larsson <kristian@spritelink.net>
To: Sonal Agarwal <sagarwal12@gmail.com>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, netmod@ietf.org
Message-ID: <20171108074721.GK12688@spritelink.se>
References: <20171102074318.GC12688@spritelink.se> <6359CD50-0F0D-4315-A58B-1D4CF0583475@gmail.com> <ac9fc676-80f7-723d-9a85-c99fbb122476@cisco.com> <20171102.132634.1363976895007772742.mbj@tail-f.com> <51CEDFCB-88CF-4066-8428-55BF7521D1F0@gmail.com> <20171103085244.GG12688@spritelink.se> <0587EC2C-6B31-409D-B2A4-649EECEEB45A@gmail.com> <CAMMHi8gv-+uV5ALAk+ooUFqAWcqezK2k1dTtQX-6yy-ZTNjrng@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAMMHi8gv-+uV5ALAk+ooUFqAWcqezK2k1dTtQX-6yy-ZTNjrng@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/M2byiUIbN_ktw2rt5oGZxjJ3VBM>
Subject: Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Nov 2017 07:47:27 -0000

On Sat, Nov 04, 2017 at 10:38:45AM -0700, Sonal Agarwal wrote:
> Kristian,
> 
> In response to one of your previous comments:
> 
> "I'm really bothered by the compound key consisting of acl-type
> and the acl-name since attachment points then need to reference
> both.  It's also weird because I don't think choosing the
> acl-type is really a choice of the user but more of a limitation
> of the platform.
> 
> One approach would be to change the key to only be the acl-name
> but let the acl-type leaf remain, perhaps make it mandatory or
> default to some unified acl-type. I think it's still possible to
> implement a constraint on this, right? Like if a platform only
> supports a specific type at some attachment point it can add a
> constraint on the acl-type by doing deref() on the leafref."
> 
> The key for an ACL needs to remain as the name and type. They
> both uniquely define the presence of the ACL in config. 

You can't argue for a design choice by saying "this is how it
is". If we change the key to be acl-name only then it is the name
that "uniquely define the presence of the ACL in config".

What do you perceive as the benefit of having acl-type in the
key? Why can't it be an attribute? We can still check, from the
attachment point, what the acl-type is.

   kll

-- 
Kristian Larsson                                        KLL-RIPE
+46 72 5479985                                kll@spritelink.net