Re: [netmod] draft-ietf-netmod-acl-model

"Jon Shallow" <> Thu, 05 October 2017 08:08 UTC

From: "Jon Shallow" <>
To: "'Mahesh Jethanandani'" <>, <>
References: <050801d33b9c$ed929560$c8b7c020$> <>
In-Reply-To: <>
Date: Thu, 5 Oct 2017 09:08:13 +0100
Message-ID: <077701d33db1$17aa5160$46fef420$>


Hi Mahesh,


I think that, with a bit of re-work, we can use the interfaces concept.  The clue that I had missed was in the (now deleted in -04) text in the following section.

A.2.  A company proprietary module example

   Access control lists typically do not exist in isolation.  Instead,
   they are associated with a certain scope in which they are applied,
   for example, an interface or a set of interfaces.  How to attach an
   access control list to an interface (or other system artifact) is
   outside the scope of this model, as it depends on the specifics of
   the system model that is being applied.  However, in general, the
   general design pattern will involve adding a data node with a
   reference, or set of references, to ACLs that are to be applied to
   the interface.  For this purpose, the type definition
   "access-control-list-ref" can be used.


Thanks for your help.

From: Mahesh Jethanandani [mailto:] 
Sent: 04 October 2017 00:57
To: Jon Shallow
Subject: Re: [netmod] draft-ietf-netmod-acl-model

The 'ordered-by user' directive is useful to have on a list of ACLs as/when they are applied. For example, in the latest published draft (-14) we added the 'ordered-by user' statement to the list of ACLs when they are applied to the interfaces. You would not order the "global" ACLs list (under access-lists), because another interface may want a different order of ACLs.


Does that help?
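The design pattern quoted from section A.2, combined with the point about 'ordered-by user' above, can be written as a small augmenting module. This is an added illustration, not text from the draft or from either message in the thread: the module name, namespace and prefix are made up, while ietf-interfaces (prefix if) and ietf-access-control-list (prefix acl, which defines access-control-list-ref) are the real modules the pattern targets.

```yang
module example-acl-interface-attach {
  yang-version 1.1;
  namespace "urn:example:acl-interface-attach";   // made-up namespace
  prefix exacl;                                   // made-up prefix

  import ietf-interfaces { prefix if; }
  import ietf-access-control-list { prefix acl; }

  description
    "Illustrative module (not part of draft-ietf-netmod-acl-model)
     showing the A.2 design pattern: a data node on the interface that
     holds an ordered set of references to ACLs defined elsewhere.";

  augment "/if:interfaces/if:interface" {
    description
      "Per-interface ACL attachment point. The referenced ACLs live in
       the global /acl:access-lists list, which stays unordered; the
       evaluation order is a property of each interface, so it is
       expressed here with 'ordered-by user'.";

    container acls {
      description "ACLs applied to this interface, by direction.";

      leaf-list ingress {
        type acl:access-control-list-ref;
        ordered-by user;
        description
          "ACLs evaluated against traffic entering the interface, in
           the order the operator lists them. Two interfaces may list
           the same ACLs in different orders.";
      }

      leaf-list egress {
        type acl:access-control-list-ref;
        ordered-by user;
        description
          "ACLs evaluated against traffic leaving the interface, in
           the order the operator lists them.";
      }
    }
  }
}
```

Because access-control-list-ref is a leafref into /acl:access-lists, a server rejects an interface configuration that names an ACL which does not exist, and 'ordered-by user' makes the on-interface sequence authoritative rather than whatever order the global list happens to be stored in.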