Re: [netmod] derived-from() vs derived-from-or-self() in acl model
Per Hedeland <per@tail-f.com> Mon, 26 February 2018 17:01 UTC
Return-Path: <per@tail-f.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8371512D864; Mon, 26 Feb 2018 09:01:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NHvQh1n-a5fu; Mon, 26 Feb 2018 09:01:54 -0800 (PST)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id 1236912D88B; Mon, 26 Feb 2018 09:01:49 -0800 (PST)
Received: from mars.tail-f.com (unknown [173.38.220.47]) by mail.tail-f.com (Postfix) with ESMTPSA id 55FDA1B046BE; Mon, 26 Feb 2018 18:01:47 +0100 (CET)
To: "netmod@ietf.org" <netmod@ietf.org>
References: <35213d61-08b4-ce5b-f7b2-251d2d5c2e70@tail-f.com> <87y3jf51ed.fsf@nic.cz>
Cc: "draft-ietf-netmod-acl-model@ietf.org" <draft-ietf-netmod-acl-model@ietf.org>
From: Per Hedeland <per@tail-f.com>
Message-ID: <ed68a5f1-7854-3d7c-2ff7-ee71857707d9@tail-f.com>
Date: Mon, 26 Feb 2018 18:01:46 +0100
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2
MIME-Version: 1.0
In-Reply-To: <87y3jf51ed.fsf@nic.cz>
Content-Type: text/plain; charset="windows-1252"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/NEqCzFZCga4z6MYJIlNsD6JWjzY>
Subject: Re: [netmod] derived-from() vs derived-from-or-self() in acl model
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Feb 2018 17:01:56 -0000
[Adding Cc to draft-ietf-netmod-acl-model@ietf.org] On 2018-02-26 14:24, Ladislav Lhotka wrote: > Per Hedeland <per@tail-f.com> writes: > >> Hi, >> >> A customer of ours using one of the draft versions of the >> ietf-access-control-list module reported that it was not possible to >> configure an ethernet ace with type acl:eth-acl-type, due to the >> derived-from() in >> >> container eth { >> when "derived-from(../../../../type, " + >> "'acl:eth-acl-type')"; >> if-feature match-on-eth; >> uses pf:acl-eth-header-fields; >> description >> "Rule set that matches ethernet headers."; >> } >> >> evaluating to "false". I pointed out that this is correct behavior of >> our SW, since acl:eth-acl-type is not derived from acl:eth-acl-type, and >> it would need to be derived-from-or-self() in order to evaluate to >> "true". I also ventured a guess (not having followed the development of >> the acl model in detail) that the intent was that vendors should define >> their own identities, that actually *were* derived from acl:eth-acl-type >> (and ditto for all the other *-acl-type identities, of course). >> >> However I'm not at all sure that the guess is correct, and if so why >> this should be *enforced* by excluding the base identity. And having a >> look at the example in section 4.3 of draft-ietf-netmod-acl-model-16, it >> seems to be doing exactly what our customer tried, alhough with >> ipv4-acl-type: >> >> <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> >> <access-lists xmlns="urn:ietf:params:xml:ns:yang:ietf-access-control-list"> >> <acl> >> <name>sample-ipv4-acl</name> >> <type>ipv4-acl-type</type> >> <aces> >> <ace> >> <name>rule1</name> >> <matches> >> <l3> >> <ipv4> >> <protocol>tcp</protocol> >> >> As far as I can see, this snippet is invalid for the model, since the >> 'ipv4' container has >> >> container ipv4 { >> when "derived-from(../../../../type, " + >> "'acl:ipv4-acl-type')"; >> >> - and ipv4-acl-type is *not* derived from ipv4-acl-type. (Of course >> there shouldn't be any <l3> element either, but that's another thing.) >> >> So, is it the case that the derived-from()s should actually be >> derived-from-or-self()s, or is the example wrong? > > This has to do with the irreflexivity property of identity derivation, > which is, in my view, an unnecessary complication. It would be simpler > but sufficient to define derivation as a reflexive relation, and have > only one "derived-from()" XPath function. Be that as it may, it is obviously not what RFC 7950 says. > Identities that are considered "abstract" should not be instantiated, and > then derived-from() and derived-from-or-self() give the same result. So I guess your take is that the *-acl-type identities derived from acl:acl-base in the ietf-access-control-list module should be considered "abstract", and thus the example should not use ipv4-acl-type for the 'type' leaf, but instead some other identity derived from acl:ipv4-acl-type. Do the authors agree? --Per > Lada > >> >> --Per Hedeland >> >> _______________________________________________ >> netmod mailing list >> netmod@ietf.org >> https://www.ietf.org/mailman/listinfo/netmod >
- [netmod] derived-from() vs derived-from-or-self()… Per Hedeland
- Re: [netmod] derived-from() vs derived-from-or-se… Ladislav Lhotka
- Re: [netmod] derived-from() vs derived-from-or-se… Per Hedeland
- Re: [netmod] derived-from() vs derived-from-or-se… Mahesh Jethanandani
- Re: [netmod] derived-from() vs derived-from-or-se… Per Hedeland
- Re: [netmod] derived-from() vs derived-from-or-se… Mahesh Jethanandani
- Re: [netmod] derived-from() vs derived-from-or-se… Per Hedeland
- Re: [netmod] derived-from() vs derived-from-or-se… Ladislav Lhotka