Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14

"Einar Nilsen-Nygaard (einarnn)" <> Thu, 14 December 2017 18:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E11BE12946F for <>; Thu, 14 Dec 2017 10:50:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.519
X-Spam-Status: No, score=-14.519 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rd6Zh8jbALiu for <>; Thu, 14 Dec 2017 10:50:15 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B58D412946A for <>; Thu, 14 Dec 2017 10:50:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=22274; q=dns/txt; s=iport; t=1513277415; x=1514487015; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=Su4NhFfeNbXJJhVdErogcSvejWXbJIC+jaSsFLvLWPw=; b=TQOPbc8LBJ5bK7tedjzqRVPGxae8hu99ywZdH91+K3kcu0fI38NQsqAf TZFRXpV+FCNaGSq79jop5tP+ahIHrqO6hG41yvYBq8F2UojiXcrsJ2u8F QSSBqGRavFZhedpMYjOYvLtohywatXBST5OfnD9h3kc3MGz8UZNbL2lPm A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DhAQDMxjJa/5hdJa1dGQEBAQEBAQEBA?= =?us-ascii?q?QEBAQcBAQEBAYMPL2Z0JweDe4ohjwaKeYhMhU6CFQoYAQqESU8CGoRdPxgBAQE?= =?us-ascii?q?BAQEBAQFrKIUkAgEDAQEhBEcLEAIBCA4xAwICAh8GCxQRAgQOBYlGTAMVEKkxg?= =?us-ascii?q?W06hzYNgxsBAQEBAQEBAQEBAQEBAQEBAQEBAQEYBYNlgg6DPymDAoJqRAGBbYM?= =?us-ascii?q?WMYIyBZIVhz6JFT0Ch3uIL4R+k2yNFT6FV4MWAhEZAYE6AR85gU5vFToqAYF+P?= =?us-ascii?q?4Fbgjx4iUGBFQEBAQ?=
X-IronPort-AV: E=Sophos; i="5.45,401,1508803200"; d="scan'208,217"; a="44698446"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Dec 2017 18:50:14 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id vBEIoEwr023110 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 14 Dec 2017 18:50:14 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1320.4; Thu, 14 Dec 2017 13:50:13 -0500
Received: from ([]) by ([]) with mapi id 15.00.1320.000; Thu, 14 Dec 2017 13:50:13 -0500
From: "Einar Nilsen-Nygaard (einarnn)" <>
To: Sonal Agarwal <>
CC: Mahesh Jethanandani <>, "" <>, Kristian Larsson <>
Thread-Topic: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14
Thread-Index: AQHTbr9cXtHryOdSBU6fXjbxU9aeHqM3Cy0AgAqwcwCAAFeRgIAAzEsAgACvpIA=
Date: Thu, 14 Dec 2017 18:50:13 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-mailer: Apple Mail (2.3445.4.7)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_2826EF6BA6A64FDA9F3021830D748C51ciscocom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [netmod] WG Last Call: draft-ietf-netmod-acl-model-14
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 14 Dec 2017 18:50:23 -0000

On 14 Dec 2017, at 08:21, Sonal Agarwal <<>> wrote:

Hi Einar,

You had 3 questions for me on all the several e-mail threads.
1. Global attachment point
2. icmp-off
3. acl-aggregate-interface stats.

For (1), my first preference is to have the model define attachment point for interfaces only.

einarnn> I have some diffs, layered on top of Mahesh’s PR to netmod-wg/acl-model that do this. Nearly like the augmentation I have below. Feel free to take a look at:

However, Kristian wants the global attachment point as well so that he can add the ACL to the linux tables.

einarnn> I think Kristian doesn’t feel a global attachment point needs to be in this first revision. But he can confirm.

If an ACL is attached globally, does this mean it is per direction or does it mean it is across directions?

einarnn> I don’t know right now :-)

This global ACL may not be applicable to any of Cisco's service provider routers as I don't see any platform actually replicating the ACL to all line cards and attaching it in ingress and egress directions across all interfaces.

einarnn> Per other emails, I don’t think we understand this enough yet to specify it, so I suggest we just leave it out for now. Nothing in the model prevents a “global attachment point” being added later once we understand what it really means.

For (2), I am ok with removing icmp-off.

einarnn> Done in my PR above.

For (3), this would have to be a combination of ACL stats across all interfaces for all ACL's. Something like this is possible on an XR box where ACES have counter names associated with it. Let's chat about this offline tomorrow.

einarnn> I’ll ping you to clarify, and we can bring any conclusion back to the list.




On Wed, Dec 13, 2017 at 12:10 PM, Mahesh Jethanandani <<>> wrote:
We want to support “global” attachment point down the line, and that “global” attachment point will be one of the choices (the other being the interface), what would this augment look like. Note, as far as I know, you cannot augment inside a choice node.

On Dec 13, 2017, at 6:57 AM, Einar Nilsen-Nygaard (einarnn) <<>> wrote:

Perhaps like this, as an augmentation to the interface:

  augment /if:interfaces/if:interface:
    +--rw ingress-acls
    |  +--rw acl-sets
    |     +--rw acl-set* [name]
    |        +--rw name              -> /access-lists/acl/name
    |        +--rw type?             -> /access-lists/acl/type
    |        +--ro ace-statistics* [name] {interface-stats}?
    |           +--ro name               -> /access-lists/acl/aces/ace/name
    |           +--ro matched-packets?   yang:counter64
    |           +--ro matched-octets?    yang:counter64
    +--rw egress-acls
       +--rw acl-sets
          +--rw acl-set* [name]
             +--rw name              -> /access-lists/acl/name
             +--rw type?             -> /access-lists/acl/type
             +--ro ace-statistics* [name] {interface-stats}?
                +--ro name               -> /access-lists/acl/aces/ace/name
                +--ro matched-packets?   yang:counter64
                +--ro matched-octets?    yang:counter64

Could also put an “aces” container above both these & rename “ingress-acls" to “ingress”, etc. to give a single root for the augmentation if preferred.



On 6 Dec 2017, at 19:43, Eliot Lear <<>> wrote:

On 12/6/17 7:23 PM, Mahesh Jethanandani wrote:
How does one move the interface attachment point, currently an
'interface-ref', to an augmentation of the if:interfaces/interface,
inside of the ‘acl’  container? Down the line we might need to have an
container for "attachment points" to accommodate the possibility of
attaching an ACL either to an interface or “globally”.

Keeping in mind that one use is that an ACL doesn't attach to an
interface at all.

netmod mailing list<>

Mahesh Jethanandani<>

netmod mailing list<>