[netmod] draft-ietf-netmod-acl-model

"Jon Shallow" <supjps-ietf@jpshallow.com> Mon, 02 October 2017 16:38 UTC

From: "Jon Shallow" <supjps-ietf@jpshallow.com>
To: <netmod@ietf.org>
Date: Mon, 2 Oct 2017 17:38:50 +0100
Message-ID: <050801d33b9c$ed929560$c8b7c020$@jpshallow.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/VXykDgKeV5n8czZBoPFV1RNRu5k>
Subject: [netmod] draft-ietf-netmod-acl-model

Hi there,

I'm currently working on another draft IETF specification
(draft-ietf-dots-data-channel) which has an ordering requirement, but the
'ordered-by' statement is not specified (missing?) for the 'list acl' in
container 'access-lists' in 4.1 IETF Access Control List
"ietf-access-control-list@2017-09-12.yang".

Container 'aces' has the 'ordered-by user' statement for the list ACE.

      container aces {
        description
          "The access-list-entries container contains
           a list of access-list-entries(ACE).";
        list ace {
          key "rule-name";
          ordered-by user;
          description
            "List of access list entries(ACE)";
          .....

Container 'access-lists' does not have the 'ordered-by user' statement for
the list ACL.

  container access-lists {
    description
      "This is a top level container for Access Control Lists.
       It can have one or more Access Control Lists.";
    list acl {
      key "acl-type acl-name";
      description
        "An Access Control List(ACL) is an ordered list of
         Access List Entries (ACE). Each Access Control Entry has a
         list of match criteria and a list of actions.
         Since there are several kinds of Access Control Lists
         implemented with different attributes for
         different vendors, this
         model accommodates customizing Access Control Lists for
         each kind and for each vendor.";
      .......

Is there a good reason why 'list acl' is not defined as sortable?

- or is it defined elsewhere as being sortable?
- or is the intention that there can only be one ACL?

We potentially have a requirement for multiple ACLs, each with its own set
of sorted ACEs where the ACLs cannot be configured in a random order and
need to know how to move forward.

Regards

Jon
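As an added example (not part of the message above and not the IETF module's own code), here is a small Python checker for exactly the property the question is about: it parses a YANG fragment and reports, for every 'list' statement, whether it declares 'ordered-by user'. A list that does not is 'ordered-by system' by default (RFC 7950, section 7.7.7), so a server is free to present its entries in any order, which is a problem for a list whose entries are evaluated first-match, as ACLs and ACEs are. The parser is a hand-written minimal one, not pyang, and the 'example-acl' module it runs on is a constructed sample shaped like the two snippets quoted in the message, not the real ietf-access-control-list module.

```python
"""Report which YANG 'list' statements declare 'ordered-by user'.

Minimal hand-written YANG statement parser (constructed example, not pyang).
Grammar handled: keyword [argument] (';' | '{' substatements '}'), with
double/single-quoted strings, '+' string concatenation and // and /* */ comments.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Stmt:
    keyword: str
    arg: Optional[str]
    subs: List["Stmt"] = field(default_factory=list)


# One alternative per token class; whitespace and comments match but are skipped.
_TOKEN = re.compile(
    r'\s+|//[^\n]*|/\*.*?\*/'      # whitespace, line comment, block comment
    r'|"((?:[^"\\]|\\.)*)"'        # double-quoted string (group 1)
    r"|'([^']*)'"                  # single-quoted string (group 2)
    r'|([{};])'                    # structural tokens (group 3)
    r'|([^\s{};"\']+)',            # bare word (group 4)
    re.S,
)


def tokenize(text: str):
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:  # e.g. an unterminated quoted string
            raise ValueError(f"bad character at offset {pos}: {text[pos]!r}")
        pos = m.end()
        if m.group(1) is not None or m.group(2) is not None:
            tokens.append(("str", m.group(1) if m.group(1) is not None else m.group(2)))
        elif m.group(3) is not None:
            tokens.append((m.group(3), m.group(3)))
        elif m.group(4) is not None:
            tokens.append(("word", m.group(4)))
    return tokens


def parse(tokens) -> List[Stmt]:
    """Recursive-descent parser over the token list; raises ValueError on malformed input."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else ("eof", "")

    def block(nested: bool) -> List[Stmt]:
        nonlocal pos
        stmts = []
        while True:
            kind, val = peek()
            if kind == "}" and nested:
                pos += 1
                return stmts
            if kind == "eof":
                if nested:
                    raise ValueError("unexpected end of input: missing '}'")
                return stmts
            if kind != "word":
                raise ValueError(f"expected a keyword, got {val!r}")
            keyword, pos = val, pos + 1
            arg = None
            kind, val = peek()
            if kind in ("word", "str"):
                arg, pos = val, pos + 1
                # "a" + "b": concatenation of quoted strings (RFC 7950, section 6.1.3)
                while peek() == ("word", "+") and pos + 1 < len(tokens) and tokens[pos + 1][0] == "str":
                    arg += tokens[pos + 1][1]
                    pos += 2
            kind, val = peek()
            pos += 1
            if kind == ";":
                stmts.append(Stmt(keyword, arg))
            elif kind == "{":
                stmts.append(Stmt(keyword, arg, block(True)))
            else:
                raise ValueError(f"expected ';' or '{{' after {keyword!r}, got {val!r}")

    return block(False)


def list_ordering(stmts: List[Stmt], path: str = "") -> Dict[str, str]:
    """Map the data-node path of every 'list' to its effective ordered-by value."""
    found: Dict[str, str] = {}
    for s in stmts:
        here = f"{path}/{s.arg}" if s.keyword in ("container", "list") else path
        if s.keyword == "list":
            declared = [sub.arg for sub in s.subs if sub.keyword == "ordered-by"]
            found[here] = declared[0] if declared else "system"  # 'system' is the YANG default
        found.update(list_ordering(s.subs, here))
    return found


def audit(yang_text: str) -> Dict[str, str]:
    return list_ordering(parse(tokenize(yang_text)))


def lists_not_user_ordered(yang_text: str) -> List[str]:
    """Paths of lists whose configured order a client cannot rely on being preserved."""
    return sorted(p for p, order in audit(yang_text).items() if order != "user")


# Constructed sample shaped like the snippets in the question; NOT the IETF module.
SAMPLE_MODULE = """\
module example-acl {   // constructed sample
  yang-version 1.1;
  namespace "urn:example:acl";
  prefix ex;
  container access-lists {
    description "Top-level container; semicolons; and {braces} inside strings must not confuse the parser.";
    list acl {
      key "acl-type acl-name";
      leaf acl-type { type string; }
      leaf acl-name { type string; }
      container aces {
        list ace {
          key "rule-name";
          ordered-by user;
          leaf rule-name { type string; }
        }
      }
    }
  }
}
"""

if __name__ == "__main__":
    for node, order in sorted(audit(SAMPLE_MODULE).items()):
        print(f"{node}: ordered-by {order}")
```

Run against the sample, 'list ace' comes back as 'user' and 'list acl' as 'system', which is the asymmetry the message points out: the ACEs inside one ACL keep their configured order, but nothing in the model guarantees the order of the ACLs themselves. The same checker can be pointed at any YANG module a client depends on for first-match semantics.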