Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14

"Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com> Wed, 13 December 2017 14:57 UTC

From: "Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com>
To: Eliot Lear <lear@cisco.com>, Mahesh Jethanandani <mjethanandani@gmail.com>, Kristian Larsson <kristian@spritelink.net>
CC: "netmod@ietf.org" <netmod@ietf.org>
Thread-Topic: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14
Date: Wed, 13 Dec 2017 14:57:02 +0000
Message-ID: <37FA28D8-6799-491C-94CB-04237766E4D3@cisco.com>
References: <20171102074318.GC12688@spritelink.se> <6359CD50-0F0D-4315-A58B-1D4CF0583475@gmail.com> <ac9fc676-80f7-723d-9a85-c99fbb122476@cisco.com> <20171102.132634.1363976895007772742.mbj@tail-f.com> <c90aa6c1-340e-2225-f960-73c1395041c5@cisco.com> <20171102164149.GD12688@spritelink.se> <6d6a1b2a-23f8-8bff-a01e-6d13cc73d92f@cisco.com> <20171103084231.GE12688@spritelink.se> <B63D5700-C13B-4D2D-9439-0E4471906374@gmail.com> <a75cf59c-7f5e-0b3b-0ace-ec9be9f67116@cisco.com>
In-Reply-To: <a75cf59c-7f5e-0b3b-0ace-ec9be9f67116@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/od99pYREtridQwyrf3YfHhhoFfU>
Subject: Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14

Perhaps like this, as an augmentation to the interface:

  augment /if:interfaces/if:interface:
    +--rw ingress-acls
    |  +--rw acl-sets
    |     +--rw acl-set* [name]
    |        +--rw name              -> /access-lists/acl/name
    |        +--rw type?             -> /access-lists/acl/type
    |        +--ro ace-statistics* [name] {interface-stats}?
    |           +--ro name               -> /access-lists/acl/aces/ace/name
    |           +--ro matched-packets?   yang:counter64
    |           +--ro matched-octets?    yang:counter64
    +--rw egress-acls
       +--rw acl-sets
          +--rw acl-set* [name]
             +--rw name              -> /access-lists/acl/name
             +--rw type?             -> /access-lists/acl/type
             +--ro ace-statistics* [name] {interface-stats}?
                +--ro name               -> /access-lists/acl/aces/ace/name
                +--ro matched-packets?   yang:counter64
                +--ro matched-octets?    yang:counter64

Could also put an “aces” container above both these & rename “ingress-acls” to “ingress”, etc. to give a single root for the augmentation if preferred.

Cheers,

Einar


On 6 Dec 2017, at 19:43, Eliot Lear <lear@cisco.com> wrote:

On 12/6/17 7:23 PM, Mahesh Jethanandani wrote:
How does one move the interface attachment point, currently an
'interface-ref', to an augmentation of the if:interfaces/interface,
inside of the ‘acl’ container? Down the line we might need to have a
container for "attachment points" to accommodate the possibility of
attaching an ACL either to an interface or “globally”.


Keeping in mind that one use is that an ACL doesn't attach to an
interface at all.
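An added example, not code from the draft or from anyone in this thread: a Python check over constructed instance data shaped like the proposed augmentation. It enforces what the leafrefs in the tree would (and, as an assumption, additionally scopes each ace-statistics name to the ACL named by its acl-set) and sums the per-ACE matched-packets counters per interface and direction. The module prefix example-acl-if and the JSON encoding are assumptions.

```python
import json
# Added example, not from the draft or the thread. Assumed: the augmenting
# module's prefix is "example-acl-if"; the JSON data below is constructed.
INSTANCE = json.loads("""{
 "ietf-access-control-list:access-lists": {"acl": [
  {"name": "mgmt-in", "type": "ipv4-acl-type",
   "aces": {"ace": [{"name": "allow-ssh"}, {"name": "deny-all"}]}},
  {"name": "out-filter", "type": "ipv4-acl-type",
   "aces": {"ace": [{"name": "permit-any"}]}}]},
 "ietf-interfaces:interfaces": {"interface": [
  {"name": "eth0", "type": "iana-if-type:ethernetCsmacd",
   "example-acl-if:ingress-acls": {"acl-sets": {"acl-set": [
    {"name": "mgmt-in", "ace-statistics": [
     {"name": "allow-ssh", "matched-packets": 120, "matched-octets": 9600},
     {"name": "deny-all", "matched-packets": 7, "matched-octets": 448}]}]}},
   "example-acl-if:egress-acls": {"acl-sets": {"acl-set": [
    {"name": "no-such-acl"}]}}}]}}""")

def acl_index(data):
    """Map each ACL name to the set of ACE names it defines."""
    return {a["name"]: {e["name"] for e in a.get("aces", {}).get("ace", [])}
            for a in data["ietf-access-control-list:access-lists"]["acl"]}

def check_attachments(data, prefix="example-acl-if"):
    """Emulate the leafrefs in the proposed tree: each acl-set name must be an
    existing ACL and each ace-statistics name an ACE of that ACL (assumed
    scoping). Returns the violations found; an empty list means consistent."""
    aces_by_acl, problems = acl_index(data), []
    for ifc in data["ietf-interfaces:interfaces"]["interface"]:
        for direction in ("ingress-acls", "egress-acls"):
            sets = ifc.get(f"{prefix}:{direction}", {}).get("acl-sets", {})
            for acl_set in sets.get("acl-set", []):
                acl = acl_set["name"]
                if acl not in aces_by_acl:
                    problems.append(f"{ifc['name']}/{direction}: unknown ACL {acl!r}")
                    continue
                for stat in acl_set.get("ace-statistics", []):
                    if stat["name"] not in aces_by_acl[acl]:
                        problems.append(f"{ifc['name']}/{direction}/{acl}: "
                                        f"unknown ACE {stat['name']!r}")
    return problems

def matched_packets(data, interface, direction, prefix="example-acl-if"):
    """Sum matched-packets over every ACE attached in one direction of an interface."""
    ifc = next(i for i in data["ietf-interfaces:interfaces"]["interface"]
               if i["name"] == interface)
    sets = ifc.get(f"{prefix}:{direction}", {}).get("acl-sets", {})
    return sum(s.get("matched-packets", 0) for a in sets.get("acl-set", [])
               for s in a.get("ace-statistics", []))
```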
