Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"

Mahesh Jethanandani <mjethanandani@gmail.com> Wed, 10 January 2018 00:41 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38FB712422F for <netmod@ietfa.amsl.com>; Tue, 9 Jan 2018 16:41:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4DKUC7wffWUQ for <netmod@ietfa.amsl.com>; Tue, 9 Jan 2018 16:41:22 -0800 (PST)
Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E281120454 for <netmod@ietf.org>; Tue, 9 Jan 2018 16:41:22 -0800 (PST)
Received: by mail-oi0-x235.google.com with SMTP id j129so2482083oib.12 for <netmod@ietf.org>; Tue, 09 Jan 2018 16:41:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=NpD3nsjfCM2dEu9e7JLqK3UGUlLEtBlHOQXTNcbSwCw=; b=iLXfVYIjYtAq8H5wo/oAA52dGefbiv6ymQmtKD3n/YZF+fdG3AVw1i0+1wvdOtlIjB uhHmUfRucdy5OJSuo5YCwj+DfTkOgIm8Kf9ecOrLvx9To8pbbFLnU5zqYYYyD0iwo32A 7UUAR3hcIOL9g8kw2V6KszHAmZ9nr/IvzsFJmx6IZvSt2DwZdqJbmXN16hUAgsaedqoS S3lNccvaPX4lsx74Yx2WnBprmOYbhSg1qYTtgq1HAfgtlvqfhLsUzNAd5peFN/Fgxaci u+9h8mze5ewdFIqrcyv8PZIFqQ4iNuRQv2SPyY1GfsYtalEp/6rjX51U7dkWfN6JgvpR skiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=NpD3nsjfCM2dEu9e7JLqK3UGUlLEtBlHOQXTNcbSwCw=; b=MVWo2Uga4zq/7gCCwmTYcGYgWBL4yc1jhl07j8YlJdvc3zzG+FN5I54tiRXB5jLi0A E7q6BgQTc1YpVUxiKst6GACKzOFY5cOZoHGtsh8Wbepx34ABZxr9coGnYipXgHbDcxSn 3KaTOtm1ioqDYDINVasrSMUYf3pZgXka4Pv3WAG/LeqiRTeECYvOWvyOpF0CTYAu8sG4 XGE4lBLRap21Z3eQsPZVU5ESku5hrpLTfmElZLp9v9hLz5y2K4CwlPRslSsiMC6pSSrz xvQKE0tOzpiwZRDFwG5R06aqGCk21OHg8dqAbwPPNdNtqJ/xLXifkrslyogLP6I/+sKR 3j4A==
X-Gm-Message-State: AKwxytfk8QYuXRbAFz0df0NBGaEC3K5IXX7XwBgtBNMf/31ScGpTJcun vEWlmmJjb/bwK+dTH7eCGlQ=
X-Google-Smtp-Source: ACJfBotmBdFr+mCoQHYHBhk50XkyjZJiVYtnm/ET1iCY745x51IrB7yK+za76Ne8ZSYf2Ji7NpJ5Kw==
X-Received: by 10.202.85.145 with SMTP id j139mr4359498oib.99.1515544881368; Tue, 09 Jan 2018 16:41:21 -0800 (PST)
Received: from mahesh-m-m8d1.attlocal.net ([2600:1700:edb0:8fd0:648a:d03c:6bd4:2fce]) by smtp.gmail.com with ESMTPSA id w21sm2050715otd.14.2018.01.09.16.41.18 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 09 Jan 2018 16:41:19 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Mahesh Jethanandani <mjethanandani@gmail.com>
In-Reply-To: <20180108.164509.2179320293753239869.mbj@tail-f.com>
Date: Tue, 9 Jan 2018 16:41:17 -0800
Cc: Robert Wilton <rwilton@cisco.com>, "Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com>, supjps-ietf@jpshallow.com, netmod@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <68BA264A-9036-4C7C-BBCC-7C2B7B05BDD2@gmail.com>
References: <012301d3886e$f96f08e0$ec4d1aa0$@jpshallow.com> <B0576B62-CB61-45EA-99EF-E5B67545B85C@cisco.com> <041cd24f-858c-5e94-6bea-6d25f62b4acc@cisco.com> <20180108.164509.2179320293753239869.mbj@tail-f.com>
To: Martin Bjorklund <mbj@tail-f.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/RpQfSxDI5ROIHgp3ueLov7ciNQ8>
Subject: Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jan 2018 00:41:25 -0000

Hi,

> On Jan 8, 2018, at 7:45 AM, Martin Bjorklund <mbj@tail-f.com> wrote:
> 
> Hi,
> 
> Robert Wilton <rwilton@cisco.com> wrote:
>> Hi Einar, Jon, Mahesh,
>> 
>> My gut instinct is that making this a grouping might not be a good
>> idea:
>> 
>> 1) If somebody updates the core ACL model, will then need to check
>> that anyone using it should be similarly updated (unless they use
>> import-by-revision).
>> 
>> 2) Does it make sense to define ACLs in separate places.  Would like
>> be more simple if ACLs were defined in a central place and then just
>> referenced by other protocols as required.
>> 
>> 3) I think that groupings are probably overused and I think that they
>> can detract from the readability of the model.  (I regard the
>> OpenConfig YANG models as an extreme example of this, where it is
>> necessary to compile the modules together to figure out where
>> everything fits together).
> 
> I agree with all three statements.  The current acl data model has a
> top-level grouping "interface-acl" which probably is not intended to
> be "exported".  I think ot should be moved into the
> "attachment-points" container, in order to make it local.

Have moved “interface-acl” under the “attachment-point” container and made it local.

Thanks.

> 
> If the entire access-list container is defined as a goruping, and is
> used in multiple places, how are the multiple interface
> attachment-points handled?
> 
> 
> /martin
> 
> 
> 
>> 
>> Having said that, I don't think that this issue is important enough to
>> have a long discussion about ...
>> 
>> Thanks,
>> Rob
>> 
>> 
>> On 08/01/2018 15:02, Einar Nilsen-Nygaard (einarnn) wrote:
>>> Since this is a 7-line change, I see no harm in it if no-one objects?
>>> Mahesh has the token for rolling in updates discussed just prior to
>>> the end of 2017.
>>> 
>>> Here’s a possible diff:
>>> 
>>> $ git diff -b
>>> diff --git a/src/yang/ietf-access-control-list.yang
>>> b/src/yang/ietf-access-control-list.yang
>>> index 4d698c9..b1a173f 100644
>>> --- a/src/yang/ietf-access-control-list.yang
>>> +++ b/src/yang/ietf-access-control-list.yang
>>> @@ -402,6 +402,10 @@ module ietf-access-control-list {
>>>    /*
>>>     * Configuration data nodes
>>>     */
>>> +  grouping access-lists-top {
>>> +    description
>>> +      "Grouping to allow reuse of access lists container elsewhere.";
>>> +
>>>      container access-lists {
>>>        description
>>>          "This is a top level container for Access Control Lists.
>>> @@ -576,6 +580,9 @@ module ietf-access-control-list {
>>>          }
>>>        }
>>>      }
>>> +  }
>>> +  uses access-lists-top;
>>> +
>>>    augment "/if:interfaces/if:interface" {
>>>      description
>>>        "Augment interfaces to allow ACLs to be associated in either
>>> the
>>> 
>>> Cheers,
>>> 
>>> Einar
>>> 
>>> 
>>>> On 8 Jan 2018, at 10:53, Jon Shallow <supjps-ietf@jpshallow.com
>>>> <mailto:supjps-ietf@jpshallow.com>> wrote:
>>>> 
>>>> Hi There,
>>>> I appreciate that this is late to the table, but is it possible to set
>>>> up “access-lists” as a “grouping” in the YANG data model so that
>>>> “access-lists” can be included by “uses” in a higher level YANG data
>>>> model?
>>>> I have raised this as issue #22
>>>> athttps://github.com/netmod-wg/acl-model/issues
>>>> Regards
>>>> Jon
>>>> _______________________________________________
>>>> netmod mailing list
>>>> netmod@ietf.org <mailto:netmod@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/netmod
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> netmod mailing list
>>> netmod@ietf.org
>>> https://www.ietf.org/mailman/listinfo/netmod
>> 

Mahesh Jethanandani
mjethanandani@gmail.com