Re: [netmod] Can you remove the "Identity acl-base" defined in draft-ietf-netmod-acl-model-07

2016-05-11 Thread William Ivory
Thanks - had forgotten those YANG 1.1 extensions.

William

-Original Message-
From: Juergen Schoenwaelder [mailto:j.schoenwael...@jacobs-university.de] 
Sent: 11 May 2016 09:28
To: William Ivory <wiv...@brocade.com>
Cc: Robert Wilton <rwil...@cisco.com>; Linda Dunbar <linda.dun...@huawei.com>; 
draft-ietf-netmod-acl-mo...@ietf.org; 'netmod@ietf.org' <netmod@ietf.org>
Subject: Re: [netmod] Can you remove the "Identity acl-base" defined in 
draft-ietf-netmod-acl-model-07

YANG 1.1 introduces special functions for identities such as
derived-from() or derived-from-or-self(), for more details see section
10.4 of draft-ietf-netmod-rfc6020bis-12.

/js

On Wed, May 11, 2016 at 08:19:01AM +, William Ivory wrote:
> Hi Rob,
> 
> Probably a stupid question but how would you write a 'when' statement that 
> checks identity type?  What XPATH function / expression would allow you to 
> access the YANG type?
> 
> Thanks,
> 
> William
> 
> -Original Message-
> From: netmod [mailto:netmod-boun...@ietf.org] On Behalf Of Robert Wilton
> Sent: 10 May 2016 18:27
> To: Linda Dunbar <linda.dun...@huawei.com>
> Cc: draft-ietf-netmod-acl-mo...@ietf.org; 'netmod@ietf.org' <netmod@ietf.org>
> Subject: Re: [netmod] Can you remove the "Identity acl-base" defined in 
> draft-ietf-netmod-acl-model-07
> 
> Hi Linda,
> 
> I think that having the base identity makes the model safer and more 
> extensible in future.  I think that the general idea of a base identity is 
> fairly standard and is perhaps a bit like defining an abstract base class in 
> an OO language.
> 
> So, in YANG, rather than a when statement having to explicitly check for 
> ipv4-acl or ipv6-acl it can just check for any type derived from acl-base, 
> which allows for new types of ACL to be defined in future (potentially in 
> different modules).
> 
> Conversely, it also helps prevent someone from using a completely 
> inappropriate identity, e.g. say trying to use an interface type identity 
> such as ift:ethernetCsmacd where a type of ACL identity is required.
> 
> Thanks,
> Rob
> 
> 
> On 10/05/2016 17:55, Linda Dunbar wrote:
> > Juergen,
> >
> > Of course, it is not confusing to you because you are in the box (vs. many 
> > of us are outside the box looking in).
> >
> > RFC 6020 doesn't say all identities have to have a sub-identity.
> >
> >
> > My opinion only.
> >
> >
> > Linda
> >   
> >
> > -Original Message-
> > From: Juergen Schoenwaelder 
> > [mailto:j.schoenwael...@jacobs-university.de]
> > Sent: Tuesday, May 10, 2016 10:38 AM
> > To: Linda Dunbar
> > Cc: draft-ietf-netmod-acl-mo...@ietf.org; 'netmod@ietf.org'; Thomas D. 
> > Nadeau
> > Subject: Re: Can you remove the "Identity acl-base" defined in 
> > draft-ietf-netmod-acl-model-07
> >
> > On Tue, May 10, 2016 at 03:07:30PM +, Linda Dunbar wrote:
> >> Juergen,
> >>
> >> If "acl-base" has some content more than the comment (i.e. the 
> >> description), then it makes sense.
> >>
> >> The comments in the "identity ipv4-acl" is enough to describe the 
> >> identity. Same with the identity ipv6-acl.
> >>
> >> I find it is very confusing to have the recursive reference of identity 
> >> (all of them are simply the description).
> >>
> > I fail to see anything confusing here. Did you read the relevant sections 
> > of RFC 6020? What is unclear about identities and how they work?
> >
> > /js
> >
> 

-- 
Juergen Schoenwaelder   Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103 <http://www.jacobs-university.de/>

___
netmod mailing list
netmod@ietf.org
https://www.ietf.org/mailman/listinfo/netmod


Re: [netmod] Can you remove the "Identity acl-base" defined in draft-ietf-netmod-acl-model-07

2016-05-11 Thread Juergen Schoenwaelder
YANG 1.1 introduces special functions for identities such as
derived-from() or derived-from-or-self(), for more details see section
10.4 of draft-ietf-netmod-rfc6020bis-12.

/js

On Wed, May 11, 2016 at 08:19:01AM +, William Ivory wrote:
> Hi Rob,
> 
> Probably a stupid question but how would you write a 'when' statement that 
> checks identity type?  What XPATH function / expression would allow you to 
> access the YANG type?
> 
> Thanks,
> 
> William
> 
> -Original Message-
> From: netmod [mailto:netmod-boun...@ietf.org] On Behalf Of Robert Wilton
> Sent: 10 May 2016 18:27
> To: Linda Dunbar <linda.dun...@huawei.com>
> Cc: draft-ietf-netmod-acl-mo...@ietf.org; 'netmod@ietf.org' <netmod@ietf.org>
> Subject: Re: [netmod] Can you remove the "Identity acl-base" defined in 
> draft-ietf-netmod-acl-model-07
> 
> Hi Linda,
> 
> I think that having the base identity makes the model safer and more 
> extensible in future.  I think that the general idea of a base identity is 
> fairly standard and is perhaps a bit like defining an abstract base class in 
> an OO language.
> 
> So, in YANG, rather than a when statement having to explicitly check for 
> ipv4-acl or ipv6-acl it can just check for any type derived from acl-base, 
> which allows for new types of ACL to be defined in future (potentially in 
> different modules).
> 
> Conversely, it also helps prevent someone from using a completely 
> inappropriate identity, e.g. say trying to use an interface type identity 
> such as ift:ethernetCsmacd where a type of ACL identity is required.
> 
> Thanks,
> Rob
> 
> 
> On 10/05/2016 17:55, Linda Dunbar wrote:
> > Juergen,
> >
> > Of course, it is not confusing to you because you are in the box (vs. many 
> > of us are outside the box looking in).
> >
> > RFC 6020 doesn't say all identities have to have a sub-identity.
> >
> >
> > My opinion only.
> >
> >
> > Linda
> >   
> >
> > -Original Message-
> > From: Juergen Schoenwaelder 
> > [mailto:j.schoenwael...@jacobs-university.de]
> > Sent: Tuesday, May 10, 2016 10:38 AM
> > To: Linda Dunbar
> > Cc: draft-ietf-netmod-acl-mo...@ietf.org; 'netmod@ietf.org'; Thomas D. 
> > Nadeau
> > Subject: Re: Can you remove the "Identity acl-base" defined in 
> > draft-ietf-netmod-acl-model-07
> >
> > On Tue, May 10, 2016 at 03:07:30PM +, Linda Dunbar wrote:
> >> Juergen,
> >>
> >> If "acl-base" has some content more than the comment (i.e. the 
> >> description), then it makes sense.
> >>
> >> The comments in the "identity ipv4-acl" is enough to describe the 
> >> identity. Same with the identity ipv6-acl.
> >>
> >> I find it is very confusing to have the recursive reference of identity 
> >> (all of them are simply the description).
> >>
> > I fail to see anything confusing here. Did you read the relevant sections 
> > of RFC 6020? What is unclear about identities and how they work?
> >
> > /js
> >
> 

-- 
Juergen Schoenwaelder   Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103 <http://www.jacobs-university.de/>



Re: [netmod] Can you remove the "Identity acl-base" defined in draft-ietf-netmod-acl-model-07

2016-05-10 Thread Nadeau Thomas

Yea, I agree that it's probably worth giving a little more latitude when 
helping people with models. 8)

—Tom


> On May 10, 2016:12:55 PM, at 12:55 PM, Linda Dunbar <linda.dun...@huawei.com> 
> wrote:
> 
> Juergen, 
> 
> Of course, it is not confusing to you because you are in the box (vs. many of 
> us are outside the box looking in). 
> 
> RFC 6020 doesn't say all identities have to have a sub-identity. 
> 
> 
> My opinion only. 
> 
> 
> Linda 
> 
> 
> -Original Message-
> From: Juergen Schoenwaelder [mailto:j.schoenwael...@jacobs-university.de] 
> Sent: Tuesday, May 10, 2016 10:38 AM
> To: Linda Dunbar
> Cc: draft-ietf-netmod-acl-mo...@ietf.org; 'netmod@ietf.org'; Thomas D. Nadeau
> Subject: Re: Can you remove the "Identity acl-base" defined in 
> draft-ietf-netmod-acl-model-07
> 
> On Tue, May 10, 2016 at 03:07:30PM +, Linda Dunbar wrote:
>> Juergen,
>> 
>> If "acl-base" has some content more than the comment (i.e. the description), 
>> then it makes sense.  
>> 
>> The comments in the "identity ipv4-acl" is enough to describe the identity. 
>> Same with the identity ipv6-acl. 
>> 
>> I find it is very confusing to have the recursive reference of identity (all 
>> of them are simply the description). 
>> 
> 
> I fail to see anything confusing here. Did you read the relevant sections of 
> RFC 6020? What is unclear about identities and how they work?
> 
> /js
> 
> -- 
> Juergen Schoenwaelder   Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103 <http://www.jacobs-university.de/>



Re: [netmod] Can you remove the "Identity acl-base" defined in draft-ietf-netmod-acl-model-07

2016-05-10 Thread Linda Dunbar
Lisa, 

My difficulty was not being able to see the value of one comment based on 
another comment. 

Now I understand it is really just personal preference. Having an extra step 
doesn't hurt the bottom line end result. It is Ok. 

Linda

-Original Message-
From: Lisa (Yi) Huang [mailto:lyihu...@juniper.net] 
Sent: Tuesday, May 10, 2016 12:06 PM
To: Linda Dunbar; Juergen Schoenwaelder
Cc: draft-ietf-netmod-acl-mo...@ietf.org; 'netmod@ietf.org'; Thomas D. Nadeau
Subject: Re: Can you remove the "Identity acl-base" defined in 
draft-ietf-netmod-acl-model-07

Linda,

Could you elaborate what difficulty you are facing?

The draft defines

typedef acl-type {
  type identityref {
    base acl-base;
  }
}

This allows the acl-type to be ipv4-acl or ipv6-acl, or other new types that 
inherit from acl-type.


Hope this helps.

Thanks,
Lisa

On 5/10/16, 9:55 AM, "Linda Dunbar" <linda.dun...@huawei.com> wrote:

>Juergen,
>
>Of course, it is not confusing to you because you are in the box (vs.
>many of us are outside the box looking in).
>
>RFC 6020 doesn't say all identities have to have a sub-identity.
>
>
>My opinion only. 
>
>
>Linda
> 
>
>-Original Message-
>From: Juergen Schoenwaelder 
>[mailto:j.schoenwael...@jacobs-university.de]
>Sent: Tuesday, May 10, 2016 10:38 AM
>To: Linda Dunbar
>Cc: draft-ietf-netmod-acl-mo...@ietf.org; 'netmod@ietf.org'; Thomas D.
>Nadeau
>Subject: Re: Can you remove the "Identity acl-base" defined in
>draft-ietf-netmod-acl-model-07
>
>On Tue, May 10, 2016 at 03:07:30PM +, Linda Dunbar wrote:
>> Juergen,
>> 
>> If "acl-base" has some content more than the comment (i.e. the 
>>description), then it makes sense.
>> 
>> The comments in the "identity ipv4-acl" is enough to describe the 
>>identity. Same with the identity ipv6-acl.
>> 
>> I find it is very confusing to have the recursive reference of 
>>identity (all of them are simply the description).
>>
>
>I fail to see anything confusing here. Did you read the relevant 
>sections of RFC 6020? What is unclear about identities and how they work?
>
>/js
>
>-- 
>Juergen Schoenwaelder   Jacobs University Bremen gGmbH
>Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany
>Fax:   +49 421 200 3103 <http://www.jacobs-university.de/>



Re: [netmod] Can you remove the "Identity acl-base" defined in draft-ietf-netmod-acl-model-07

2016-05-10 Thread Robert Wilton

Hi Linda,

I think that having the base identity makes the model safer and more 
extensible in future.  I think that the general idea of a base identity 
is fairly standard and is perhaps a bit like defining an abstract base 
class in an OO language.


So, in YANG, rather than a when statement having to explicitly check for 
ipv4-acl or ipv6-acl it can just check for any type derived from 
acl-base, which allows for new types of ACL to be defined in future 
(potentially in different modules).


Conversely, it also helps prevent someone from using a completely 
inappropriate identity, e.g. say trying to use an interface type 
identity such as ift:ethernetCsmacd where a type of ACL identity is 
required.


Thanks,
Rob


On 10/05/2016 17:55, Linda Dunbar wrote:

Juergen,

Of course, it is not confusing to you because you are in the box (vs. many of 
us are outside the box looking in).

RFC 6020 doesn't say all identities have to have a sub-identity.


My opinion only.


Linda
  


-Original Message-
From: Juergen Schoenwaelder [mailto:j.schoenwael...@jacobs-university.de]
Sent: Tuesday, May 10, 2016 10:38 AM
To: Linda Dunbar
Cc: draft-ietf-netmod-acl-mo...@ietf.org; 'netmod@ietf.org'; Thomas D. Nadeau
Subject: Re: Can you remove the "Identity acl-base" defined in 
draft-ietf-netmod-acl-model-07

On Tue, May 10, 2016 at 03:07:30PM +, Linda Dunbar wrote:

Juergen,

If "acl-base" has some content more than the comment (i.e. the description), 
then it makes sense.

The comments in the "identity ipv4-acl" is enough to describe the identity. 
Same with the identity ipv6-acl.

I find it is very confusing to have the recursive reference of identity (all of 
them are simply the description).


I fail to see anything confusing here. Did you read the relevant sections of 
RFC 6020? What is unclear about identities and how they work?

/js





Re: [netmod] Can you remove the "Identity acl-base" defined in draft-ietf-netmod-acl-model-07

2016-05-10 Thread Andy Bierman
On Tue, May 10, 2016 at 9:55 AM, Linda Dunbar <linda.dun...@huawei.com>
wrote:

> Juergen,
>
> Of course, it is not confusing to you because you are in the box (vs. many
> of us are outside the box looking in).
>
> RFC 6020 doesn't say all identities have to have a sub-identity.
>
>
>

This is how YANG does strong typing for identities.
It allows the compiler to check the identity being used for a given
identityref leaf.   Otherwise the identities meant for completely different
purposes could not be screened by the compiler

  leaf transport {
    type identityref {
      base transport-protocol;
    }
  }

  leaf toast-type {
    type identityref {
      base bread-type;
    }
  }



> My opinion only.
>
>
> Linda
>
>
>

Andy


> -Original Message-
> From: Juergen Schoenwaelder [mailto:j.schoenwael...@jacobs-university.de]
> Sent: Tuesday, May 10, 2016 10:38 AM
> To: Linda Dunbar
> Cc: draft-ietf-netmod-acl-mo...@ietf.org; 'netmod@ietf.org'; Thomas D.
> Nadeau
> Subject: Re: Can you remove the "Identity acl-base" defined in
> draft-ietf-netmod-acl-model-07
>
> On Tue, May 10, 2016 at 03:07:30PM +, Linda Dunbar wrote:
> > Juergen,
> >
> > If "acl-base" has some content more than the comment (i.e. the
> description), then it makes sense.
> >
> > The comments in the "identity ipv4-acl" is enough to describe the
> identity. Same with the identity ipv6-acl.
> >
> > I find it is very confusing to have the recursive reference of identity
> (all of them are simply the description).
> >
>
> I fail to see anything confusing here. Did you read the relevant sections
> of RFC 6020? What is unclear about identities and how they work?
>
> /js
>
> --
> Juergen Schoenwaelder   Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103 <http://www.jacobs-university.de/>
>


Re: [netmod] Can you remove the "Identity acl-base" defined in draft-ietf-netmod-acl-model-07

2016-05-10 Thread Lisa (Yi) Huang
Linda,

Could you elaborate what difficulty you are facing?

The draft defines

typedef acl-type {
  type identityref {
    base acl-base;
  }
}

This allows the acl-type to be ipv4-acl or ipv6-acl, or other new types
that inherit from acl-type.


Hope this helps.

Thanks,
Lisa

On 5/10/16, 9:55 AM, "Linda Dunbar" <linda.dun...@huawei.com> wrote:

>Juergen, 
>
>Of course, it is not confusing to you because you are in the box (vs.
>many of us are outside the box looking in).
>
>RFC 6020 doesn't say all identities have to have a sub-identity.
>
>
>My opinion only. 
>
>
>Linda 
> 
>
>-Original Message-
>From: Juergen Schoenwaelder [mailto:j.schoenwael...@jacobs-university.de]
>Sent: Tuesday, May 10, 2016 10:38 AM
>To: Linda Dunbar
>Cc: draft-ietf-netmod-acl-mo...@ietf.org; 'netmod@ietf.org'; Thomas D.
>Nadeau
>Subject: Re: Can you remove the "Identity acl-base" defined in
>draft-ietf-netmod-acl-model-07
>
>On Tue, May 10, 2016 at 03:07:30PM +, Linda Dunbar wrote:
>> Juergen,
>> 
>> If "acl-base" has some content more than the comment (i.e. the
>>description), then it makes sense.
>> 
>> The comments in the "identity ipv4-acl" is enough to describe the
>>identity. Same with the identity ipv6-acl.
>> 
>> I find it is very confusing to have the recursive reference of identity
>>(all of them are simply the description).
>>
>
>I fail to see anything confusing here. Did you read the relevant sections
>of RFC 6020? What is unclear about identities and how they work?
>
>/js
>
>-- 
>Juergen Schoenwaelder   Jacobs University Bremen gGmbH
>Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany
>Fax:   +49 421 200 3103 <http://www.jacobs-university.de/>



Re: [netmod] Can you remove the "Identity acl-base" defined in draft-ietf-netmod-acl-model-07

2016-05-09 Thread Juergen Schoenwaelder
Linda,

the identityref type in YANG can be scoped to a base identity. This
allows to restrict an identityref to a certain set of identities.
See 6020 section 7.16.3 and section 9.10.5 for an example.

The ACL draft follows the model described in RFC 6020 and defines

  typedef acl-type {
    type identityref {
      base acl-base;
    }
  }

which restricts acl-type to any identity directly or indirectly
derived from acl-base. If you remove acl-base, then acl-type could
refer to any identity, which includes identities that have nothing
to do with ACLs.

/js

On Tue, May 10, 2016 at 03:43:38AM +, Linda Dunbar wrote:
> Dear Authors:
> 
> The "acl-base" identity defined in your draft is empty (i.e. only with a 
> description) . Then you define "ipv4-acl" to be "acl-base". So basically you 
> inherited the comments twice.
> 
> identity acl-base {
>   description
>     "Base Access Control List type for all Access Control List type
>      identifiers.";
> }
> identity ipv4-acl {
>   base acl:acl-base;
>   description
>     "ACL that primarily matches on fields from the IPv4 header
>      (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP
>      destination port). An acl of type ipv4-acl does not contain
>      matches on fields in the ethernet header or the IPv6 header.";
> }
> identity ipv6-acl {
>   base acl:acl-base;
>   description
>     "ACL that primarily matches on fields from the IPv6 header
>      (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP
>      destination port). An acl of type ipv6-acl does not contain
>      matches on fields in the ethernet header or the IPv4 header.";
> }
> 
> 
> You really don't need to define the "acl-base". What is the impact if 
> defining the "ipv4-acl" and "ipv6-acl" as follows?
> 
> identity ipv4-acl {
>   description
>     "ACL that primarily matches on fields from the IPv4 header
>      (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP
>      destination port). An acl of type ipv4-acl does not contain
>      matches on fields in the ethernet header or the IPv6 header.";
> }
> identity ipv6-acl {
>   description
>     "ACL that primarily matches on fields from the IPv6 header
>      (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP
>      destination port). An acl of type ipv6-acl does not contain
>      matches on fields in the ethernet header or the IPv4 header.";
> }
> 
> 
> Thanks, Linda Dunbar

-- 
Juergen Schoenwaelder   Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103 
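
An added example, not taken from the draft or written by anyone in this thread: a YANG 1.1 module that combines the identityref scoping on acl-base explained in the message above with a 'when' statement using derived-from-or-self(), the function named elsewhere in the thread. The module name, namespace, prefix exacl, the ipv4-stateful-acl identity and the two match containers are constructed for illustration.

```yang
module example-acl-identity {
  yang-version 1.1;                        // derived-from*() need YANG 1.1
  namespace "urn:example:acl-identity";    // constructed namespace
  prefix exacl;

  // Identities as quoted from the draft in this thread (descriptions shortened).
  identity acl-base {
    description
      "Base Access Control List type for all Access Control List type
       identifiers.";
  }
  identity ipv4-acl {
    base acl-base;
    description "ACL matching on IPv4 and layer 4 header fields.";
  }
  identity ipv6-acl {
    base acl-base;
    description "ACL matching on IPv6 and layer 4 header fields.";
  }

  // Constructed later addition, indirectly derived from acl-base.
  // It could equally live in a different module that imports this one.
  identity ipv4-stateful-acl {
    base ipv4-acl;
    description "Hypothetical ACL type derived from ipv4-acl.";
  }

  typedef acl-type {
    type identityref {
      base acl-base;
    }
    description "Only identities derived from acl-base are valid values.";
  }

  container access-lists {
    list acl {
      key "name";
      leaf name {
        type string;
      }
      leaf type {
        // Valid:   ipv4-acl, ipv6-acl, ipv4-stateful-acl.
        // Invalid: ift:ethernetCsmacd or any identity outside the
        //          acl-base tree; the server rejects the edit.
        type acl-type;
        mandatory true;
      }
      container ipv4-matches {
        // Context node is ipv4-matches, so ../type is the sibling leaf.
        // True for ipv4-acl and for anything derived from it, so
        // ipv4-stateful-acl is covered without editing this statement.
        when "derived-from-or-self(../type, 'exacl:ipv4-acl')";
        leaf destination-ipv4-network {
          type string;   // simplified; a real model would use an inet type
        }
      }
      container ipv6-matches {
        when "derived-from-or-self(../type, 'exacl:ipv6-acl')";
        leaf destination-ipv6-network {
          type string;   // simplified, as above
        }
      }
    }
  }
}
```

Using derived-from() in place of derived-from-or-self() in the first 'when' would match ipv4-stateful-acl but not ipv4-acl itself, since derived-from() excludes the named identity.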
