Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"
Mahesh Jethanandani <mjethanandani@gmail.com> Wed, 10 January 2018 00:41 UTC
Hi,

> On Jan 8, 2018, at 7:45 AM, Martin Bjorklund <mbj@tail-f.com> wrote:
>
> Hi,
>
> Robert Wilton <rwilton@cisco.com> wrote:
>> Hi Einar, Jon, Mahesh,
>>
>> My gut instinct is that making this a grouping might not be a good
>> idea:
>>
>> 1) If somebody updates the core ACL model, will then need to check
>> that anyone using it should be similarly updated (unless they use
>> import-by-revision).
>>
>> 2) Does it make sense to define ACLs in separate places. Would like
>> be more simple if ACLs were defined in a central place and then just
>> referenced by other protocols as required.
>>
>> 3) I think that groupings are probably overused and I think that they
>> can detract from the readability of the model. (I regard the
>> OpenConfig YANG models as an extreme example of this, where it is
>> necessary to compile the modules together to figure out where
>> everything fits together).
>
> I agree with all three statements. The current acl data model has a
> top-level grouping "interface-acl" which probably is not intended to
> be "exported". I think it should be moved into the
> "attachment-points" container, in order to make it local.

Have moved “interface-acl” under the “attachment-point” container and made it local. Thanks.

>
> If the entire access-list container is defined as a grouping, and is
> used in multiple places, how are the multiple interface
> attachment-points handled?
>
>
> /martin
>
>>
>> Having said that, I don't think that this issue is important enough to
>> have a long discussion about ...
>>
>> Thanks,
>> Rob
>>
>>
>> On 08/01/2018 15:02, Einar Nilsen-Nygaard (einarnn) wrote:
>>> Since this is a 7-line change, I see no harm in it if no-one objects?
>>> Mahesh has the token for rolling in updates discussed just prior to
>>> the end of 2017.
>>>
>>> Here’s a possible diff:
>>>
>>> $ git diff -b >>> diff --git a/src/yang/ietf-access-control-list.yang >>> b/src/yang/ietf-access-control-list.yang >>> index 4d698c9..b1a173f 100644
>>> --- a/src/yang/ietf-access-control-list.yang >>> +++ b/src/yang/ietf-access-control-list.yang >>> @@ -402,6 +402,10 @@ module ietf-access-control-list { >>> /* >>> * Configuration data nodes >>> */ >>> + grouping access-lists-top { >>> + description >>> + "Grouping to allow reuse of access lists container elsewhere."; >>> + >>> container access-lists { >>> description >>> "This is a top level container for Access Control Lists. >>> @@ -576,6 +580,9 @@ module ietf-access-control-list { >>> } >>> } >>> } >>> + } >>> + uses access-lists-top; >>> + >>> augment "/if:interfaces/if:interface" { >>> description >>> "Augment interfaces to allow ACLs to be associated in either >>> the
>>>
>>> Cheers,
>>>
>>> Einar
>>>
>>>
>>>> On 8 Jan 2018, at 10:53, Jon Shallow <supjps-ietf@jpshallow.com> wrote:
>>>>
>>>> Hi There,
>>>> I appreciate that this is late to the table, but is it possible to set
>>>> up “access-lists” as a “grouping” in the YANG data model so that
>>>> “access-lists” can be included by “uses” in a higher level YANG data
>>>> model?
>>>> I have raised this as issue #22
>>>> at https://github.com/netmod-wg/acl-model/issues
>>>> Regards
>>>> Jon
>>>> _______________________________________________
>>>> netmod mailing list
>>>> netmod@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/netmod

Mahesh Jethanandani
mjethanandani@gmail.com
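
Review bot: the `description` added with `grouping access-lists-top` in the first hunk (@@ -402,6 +402,10 @@) says only that the grouping allows reuse "elsewhere", which gives a module author nothing to go on. Because the grouping wraps the whole top-level `container access-lists`, every `uses` of it creates another complete ACL tree at a different path; the description should say so, and say whether anything outside the grouping still assumes the top-level path. The diff was also produced with `git diff -b`, so the re-indentation of the wrapped container is not shown here and should be part of the actual commit.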
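
Review bot: in the second hunk (@@ -576,6 +580,9 @@) the `augment "/if:interfaces/if:interface"` that follows `uses access-lists-top;` stays outside the grouping, so a module that instantiates the grouping elsewhere gets ACL definitions without this interface attachment. Please state, in the augment's description or the grouping's, which ACL instance the interface association refers to once the container can exist at more than one path, or move whatever has to travel with the ACLs into the grouping. An ACL that is defined in a reused copy but cannot be attached to an interface filters nothing, and that is easy to miss when reading the configuration.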