Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"

"Acee Lindem (acee)" <acee@cisco.com> Mon, 08 January 2018 15:59 UTC

Return-Path: <acee@cisco.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4018129966 for <netmod@ietfa.amsl.com>; Mon, 8 Jan 2018 07:59:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3v_fkW7Jqf4a for <netmod@ietfa.amsl.com>; Mon, 8 Jan 2018 07:59:48 -0800 (PST)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFABD126579 for <netmod@ietf.org>; Mon, 8 Jan 2018 07:59:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=29089; q=dns/txt; s=iport; t=1515427187; x=1516636787; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=3+/aH2H1jBIN7oC8XmJ4iP2pnYoh23w7cL9NwP5I3i0=; b=jqyekcYgFV4orAyDqBE79uTXpLapg6lxHusAq2tIa7xJuKDqaknMkE8N 9tZW1pzGWvUedjITT0gOGtFGpd8fZ355hz3acBRZDrk+I9EpRctCjczGd ZfSRvlqFBcs0X+EVvO2RiNIwpItpp+Cyo5cQNtwUwdm0IE5u3+hRTgX6R 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AvBQAalFNa/5RdJa1dGQEBAQEBAQEBA?= =?us-ascii?q?QEBAQcBAQEBAYJKdWZ0JweEAJh9ggKJCI4ighUKGAEKhANGTwIahBxBFgEBAQE?= =?us-ascii?q?BAQEBAWsohSMBAQEBAwEBIQpBGwIBCA4DAwEBASEHAwICAh8GCxQJCAEBBAESi?= =?us-ascii?q?U1MAxUQsF+CJyaDcQGDGw2CcAEBAQEBAQEBAQEBAQEBAQEBAQEBARgFhjWGbYJ?= =?us-ascii?q?rRAGBRz4JFoJhgmUFkiWHSokyPQKIBYg3hQCUCY0zP4h4AhEZAYE7ASYBMYFQb?= =?us-ascii?q?xU9giqCVByBLAE6eAGII4E0gRcBAQE?=
X-IronPort-AV: E=Sophos; i="5.46,330,1511827200"; d="scan'208,217"; a="53239822"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 08 Jan 2018 15:59:47 +0000
Received: from XCH-RTP-008.cisco.com (xch-rtp-008.cisco.com [64.101.220.148]) by rcdn-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id w08Fxkss019255 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 8 Jan 2018 15:59:46 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-008.cisco.com (64.101.220.148) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 8 Jan 2018 10:59:45 -0500
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1320.000; Mon, 8 Jan 2018 10:59:45 -0500
From: "Acee Lindem (acee)" <acee@cisco.com>
To: Jon Shallow <supjps-ietf@jpshallow.com>, "Robert Wilton -X (rwilton - ENSOFT LIMITED at Cisco)" <rwilton@cisco.com>, "netmod@ietf.org" <netmod@ietf.org>, "Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com>, "'Mahesh Jethanandani'" <mjethanandani@gmail.com>
Thread-Topic: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"
Thread-Index: AdOIbvlU0QBjg+SHRESC+Oh6XUPoRwATLimAAAD9eAAAAIzRgP//r6qA
Date: Mon, 8 Jan 2018 15:59:45 +0000
Message-ID: <D678FF01.E8C2A%acee@cisco.com>
References: <012301d3886e$f96f08e0$ec4d1aa0$@jpshallow.com> <B0576B62-CB61-45EA-99EF-E5B67545B85C@cisco.com> <041cd24f-858c-5e94-6bea-6d25f62b4acc@cisco.com> <022401d38897$f2aa1b70$d7fe5250$@jpshallow.com>
In-Reply-To: <022401d38897$f2aa1b70$d7fe5250$@jpshallow.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.116.152.198]
Content-Type: multipart/alternative; boundary="_000_D678FF01E8C2Aaceeciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/vj4R9P7Sh7YnzBmBzUeNFr-AX98>
Subject: Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jan 2018 15:59:51 -0000

Hi Jon,

From: netmod <netmod-bounces@ietf.org<mailto:netmod-bounces@ietf.org>> on behalf of Jon Shallow <supjps-ietf@jpshallow.com<mailto:supjps-ietf@jpshallow.com>>
Date: Monday, January 8, 2018 at 10:47 AM
To: "Robert Wilton -X (rwilton - ENSOFT LIMITED at Cisco)" <rwilton@cisco.com<mailto:rwilton@cisco.com>>, "netmod@ietf.org<mailto:netmod@ietf.org>" <netmod@ietf.org<mailto:netmod@ietf.org>>, "Einar Nilsen-Nygaard (einarnn)" <einarnn@cisco.com<mailto:einarnn@cisco.com>>, 'Mahesh Jethanandani' <mjethanandani@gmail.com<mailto:mjethanandani@gmail.com>>
Subject: Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"

Hi Robert,

A good set of points.

My particular use case (hence raising the question) is defining a YANG model where there are multiple appliances and where ACLs are defined for each appliance, but there is the likelihood of the different appliances using the same “acl-name”, but the contents of “acl-name” are different.  Having a grouping (using import-by-revision) would help me considerably here.

I guess I don’t see the use case. Wouldn’t you have multiple network devices for multiple network devices? Or at least separate LNEs?  https://www.ietf.org/id/draft-ietf-rtgwg-lne-model-05.txt

Thanks,
Acee

Regards

Jon

From: Robert Wilton [mailto: rwilton@cisco.com<mailto:rwilton@cisco.com>]
Sent: 08 January 2018 15:31
To: Einar Nilsen-Nygaard (einarnn); Jon Shallow; Mahesh Jethanandani
Cc: netmod@ietf.org<mailto:netmod@ietf.org>
Subject: Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"


Hi Einar, Jon, Mahesh,

My gut instinct is that making this a grouping might not be a good idea:

1) If somebody updates the core ACL model, will then need to check that anyone using it should be similarly updated (unless they use import-by-revision).

2) Does it make sense to define ACLs in separate places.  Would like be more simple if ACLs were defined in a central place and then just referenced by other protocols as required.
3) I think that groupings are probably overused and I think that they can detract from the readability of the model.  (I regard the OpenConfig YANG models as an extreme example of this, where it is necessary to compile the modules together to figure out where everything fits together).

Having said that, I don't think that this issue is important enough to have a long discussion about ...

Thanks,
Rob

On 08/01/2018 15:02, Einar Nilsen-Nygaard (einarnn) wrote:
Since this is a 7-line change, I see no harm in it if no-one objects? Mahesh has the token for rolling in updates discussed just prior to the end of 2017.

Here’s a possible diff:

$ git diff -b
diff --git a/src/yang/ietf-access-control-list.yang b/src/yang/ietf-access-control-list.yang
index 4d698c9..b1a173f 100644
--- a/src/yang/ietf-access-control-list.yang
+++ b/src/yang/ietf-access-control-list.yang
@@ -402,6 +402,10 @@ module ietf-access-control-list {
   /*
    * Configuration data nodes
    */
+  grouping access-lists-top {
+    description
+      "Grouping to allow reuse of access lists container elsewhere.";
+
     container access-lists {
       description
         "This is a top level container for Access Control Lists.
@@ -576,6 +580,9 @@ module ietf-access-control-list {
         }
       }
     }
+  }
+  uses access-lists-top;
+
   augment "/if:interfaces/if:interface" {
     description
       "Augment interfaces to allow ACLs to be associated in either the

Cheers,

Einar



On 8 Jan 2018, at 10:53, Jon Shallow <supjps-ietf@jpshallow.com<mailto:supjps-ietf@jpshallow.com>> wrote:

Hi There,

I appreciate that this is late to the table, but is it possible to set up “access-lists” as a “grouping” in the YANG data model so that “access-lists” can be included by “uses” in a higher level YANG data model?

I have raised this as issue #22 at https://github.com/netmod-wg/acl-model/issues

Regards

Jon
_______________________________________________
netmod mailing list
netmod@ietf.org<mailto:netmod@ietf.org>
https://www.ietf.org/mailman/listinfo/netmod





_______________________________________________

netmod mailing list

netmod@ietf.org<mailto:netmod@ietf.org>

https://www.ietf.org/mailman/listinfo/netmod