Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14

Mahesh Jethanandani <mjethanandani@gmail.com> Wed, 13 December 2017 20:10 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/efCVlbrtCkTa13zQm-0BcxGY-7Y>

We want to support a “global” attachment point down the line, and that “global” attachment point will be one of the choices (the other being the interface). What would this augment look like? Note, as far as I know, you cannot augment inside a choice node.

> On Dec 13, 2017, at 6:57 AM, Einar Nilsen-Nygaard (einarnn) <einarnn@cisco.com> wrote:
> 
> Perhaps like this, as an augmentation to the interface:
> 
>   augment /if:interfaces/if:interface:
>     +--rw ingress-acls
>     |  +--rw acl-sets
>     |     +--rw acl-set* [name]
>     |        +--rw name              -> /access-lists/acl/name
>     |        +--rw type?             -> /access-lists/acl/type
>     |        +--ro ace-statistics* [name] {interface-stats}?
>     |           +--ro name               -> /access-lists/acl/aces/ace/name
>     |           +--ro matched-packets?   yang:counter64
>     |           +--ro matched-octets?    yang:counter64
>     +--rw egress-acls
>        +--rw acl-sets
>           +--rw acl-set* [name]
>              +--rw name              -> /access-lists/acl/name
>              +--rw type?             -> /access-lists/acl/type
>              +--ro ace-statistics* [name] {interface-stats}?
>                 +--ro name               -> /access-lists/acl/aces/ace/name
>                 +--ro matched-packets?   yang:counter64
>                 +--ro matched-octets?    yang:counter64
> 
> Could also put an “aces” container above both these & rename “ingress-acls” to “ingress”, etc. to give a single root for the augmentation if preferred.
> 
> Cheers,
> 
> Einar
> 
> 
>> On 6 Dec 2017, at 19:43, Eliot Lear <lear@cisco.com> wrote:
>> 
>> 
>> 
>> On 12/6/17 7:23 PM, Mahesh Jethanandani wrote:
>>> How does one move the interface attachment point, currently an
>>> 'interface-ref', to an augmentation of the if:interfaces/interface,
>>> inside of the ‘acl’ container? Down the line we might need to have a
>>> container for "attachment points" to accommodate the possibility of
>>> attaching an ACL either to an interface or “globally”.
>>> 
>> 
>> Keeping in mind that one use is that an ACL doesn't attach to an
>> interface at all.
>> 
> 

Mahesh Jethanandani
mjethanandani@gmail.com