Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14

"Einar Nilsen-Nygaard (einarnn)" <> Wed, 13 December 2017 20:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1742A126FDC for <>; Wed, 13 Dec 2017 12:25:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id q5AHZrourzdy for <>; Wed, 13 Dec 2017 12:25:09 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B1277128BBB for <>; Wed, 13 Dec 2017 12:25:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=21160; q=dns/txt; s=iport; t=1513196704; x=1514406304; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=zONPRKzM+Kb/NnEPUmhRYS+gaAK328GpsiBj0u/XA9M=; b=Ru6XAFAZL2S+wxgdAMBKI8co80YTDeAnLMzRhyojGAbhJyXMOOJG5bUY vsbiKA620Qk2wz2aBPzCf62XTR7ZgejV6W2ovXxMGpiDyNC2aP/tc+Q7+ IyCqo5+ETijGj8db1dYLy7cQsnNxNqc+FO/0pQOuf2WUj6DGbxy5/6Yq2 I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.45,398,1508803200"; d="scan'208,217";a="114122583"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-SHA; 13 Dec 2017 20:25:03 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id vBDKP3R5030803 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 13 Dec 2017 20:25:03 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1320.4; Wed, 13 Dec 2017 15:25:02 -0500
Received: from ([]) by ([]) with mapi id 15.00.1320.000; Wed, 13 Dec 2017 15:25:02 -0500
From: "Einar Nilsen-Nygaard (einarnn)" <>
To: Mahesh Jethanandani <>
CC: Eliot Lear <>, Kristian Larsson <>, "" <>
Thread-Topic: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14
Thread-Index: AQHTbr9cXtHryOdSBU6fXjbxU9aeHqM3Cy0AgAqwcwCAAFeRgIAABBMA
Date: Wed, 13 Dec 2017 20:25:02 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-mailer: Apple Mail (2.3445.4.7)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_42A2F0C452FD48948D08092BB2B0772Bciscocom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 13 Dec 2017 20:25:12 -0000

I’m happy to have a way to attach an ACL globally, but that’s orthogonal to attaching to an interface, isn’t it? Attaching ACLs directly to an interface doesn’t preclude global attachment in any way as far as I can see…or have I missed something? I’m not sure I understand why choices are an issue. The current proposal has this container:

module: ietf-access-control-list
    +--rw access-lists
       +--rw attachment-points
          +--rw interface* [interface-id] {interface-attachment}?
             +--rw interface-id    if:interface-ref
             +--rw ingress
             |  +--rw acl-sets
             |     +--rw acl-set* [name]
             |        +--rw name    -> ../../../../../../acl/name
             |        +--rw type?   -> ../../../../../../acl/type
             |        +--ro ace* [name] {interface-stats or interface-acl-aggregate}?
             |           +--ro name               -> ../../../../../../../acl/aces/ace/name
             |           +--ro matched-packets?   yang:counter64
             |           +--ro matched-octets?    yang:counter64
             +--rw egress
                +--rw acl-sets
                   +--rw acl-set* [name]
                      +--rw name    -> ../../../../../../acl/name
                      +--rw type?   -> ../../../../../../acl/type
                      +--ro ace* [name] {interface-stats or interface-acl-aggregate}?
                         +--ro name               -> ../../../../../../../acl/aces/ace/name
                         +--ro matched-packets?   yang:counter64
                         +--ro matched-octets?    yang:counter64

If we added some form of global attachment points, that might be a peer with the list of interface attachments, right? Because we’d need to support “global” and multiple “interface” attachments. It’s not an “or”, it’s an “and”. Or have I missed something?



On 13 Dec 2017, at 20:10, Mahesh Jethanandani <<>> wrote:

We want to support “global” attachment point down the line, and that “global” attachment point will be one of the choices (the other being the interface), what would this augment look like. Note, as far as I know, you cannot augment inside a choice node.

On Dec 13, 2017, at 6:57 AM, Einar Nilsen-Nygaard (einarnn) <<>> wrote:

Perhaps like this, as an augmentation to the interface:

  augment /if:interfaces/if:interface:
    +--rw ingress-acls
    |  +--rw acl-sets
    |     +--rw acl-set* [name]
    |        +--rw name              -> /access-lists/acl/name
    |        +--rw type?             -> /access-lists/acl/type
    |        +--ro ace-statistics* [name] {interface-stats}?
    |           +--ro name               -> /access-lists/acl/aces/ace/name
    |           +--ro matched-packets?   yang:counter64
    |           +--ro matched-octets?    yang:counter64
    +--rw egress-acls
       +--rw acl-sets
          +--rw acl-set* [name]
             +--rw name              -> /access-lists/acl/name
             +--rw type?             -> /access-lists/acl/type
             +--ro ace-statistics* [name] {interface-stats}?
                +--ro name               -> /access-lists/acl/aces/ace/name
                +--ro matched-packets?   yang:counter64
                +--ro matched-octets?    yang:counter64

Could also put an “aces” container above both these & rename “ingress-acls" to “ingress”, etc. to give a single root for the augmentation if preferred.



On 6 Dec 2017, at 19:43, Eliot Lear <<>> wrote:

On 12/6/17 7:23 PM, Mahesh Jethanandani wrote:
How does one move the interface attachment point, currently an
'interface-ref', to an augmentation of the if:interfaces/interface,
inside of the ‘acl’  container? Down the line we might need to have an
container for "attachment points" to accommodate the possibility of
attaching an ACL either to an interface or “globally”.

Keeping in mind that one use is that an ACL doesn't attach to an
interface at all.

netmod mailing list<>

Mahesh Jethanandani<>