Linda,

the identityref type in YANG can be scoped to a base identity. This
allows restricting an identityref to a certain set of identities.
See RFC 6020 section 7.16.3 and section 9.10.5 for an example.

The ACL draft follows the model described in RFC 6020 and defines

     typedef acl-type {
       type identityref {
         base acl-base;
       }
     }

which restricts acl-type to any identity directly or indirectly
derived from acl-base. If you remove acl-base, then acl-type could
refer to any identity, which includes identities that have nothing
to do with ACLs.

/js

On Tue, May 10, 2016 at 03:43:38AM +0000, Linda Dunbar wrote:
> Dear Authors:
> 
> The "acl-base" identity defined in your draft is empty (i.e. only with a
> description). Then you define "ipv4-acl" to be "acl-base". So basically you
> inherited the comments twice.
> 
> identity acl-base {
> description
> "Base Access Control List type for all Access Control List type
> identifiers.";
> }
> identity ipv4-acl {
> base acl:acl-base;
> description
> "ACL that primarily matches on fields from the IPv4 header
> (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP
> destination port). An acl of type ipv4-acl does not contain
> matches on fields in the ethernet header or the IPv6 header.";
> }
> identity ipv6-acl {
> base acl:acl-base;
> description
> "ACL that primarily matches on fields from the IPv6 header
> (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP
> destination port). An acl of type ipv6-acl does not contain
> matches on fields in the ethernet header or the IPv4 header.";
> }
> 
> 
> You really don't need to define the "acl-base". What is the impact if 
> defining the "ipv4-acl" and "ipv6-acl" as follows?
> 
> identity ipv4-acl {
>    description
>    "ACL that primarily matches on fields from the IPv4 header
>    (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP
>    destination port). An acl of type ipv4-acl does not contain
>    matches on fields in the ethernet header or the IPv6 header.";
> }
> identity ipv6-acl {
>    description
>    "ACL that primarily matches on fields from the IPv6 header
>    (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP
>    destination port). An acl of type ipv6-acl does not contain
>    matches on fields in the ethernet header or the IPv4 header.";
> }
> 
> 
> Thanks, Linda Dunbar

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
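The effect Juergen describes (a `base` on an identityref narrows the accepted values to identities derived, directly or indirectly, from that base) can be checked mechanically. The following is an added example, not code from the draft or from either message: a small Python model of the identity derivation rules from RFC 6020 sections 7.16 and 9.10, with a hand-built identity table. `tcp-acl` and `hash-alg` are hypothetical identities constructed for illustration; only `acl-base`, `ipv4-acl` and `ipv6-acl` come from the draft text quoted above.

```python
"""Constructed model of YANG identity derivation and identityref scoping.

The identity table is built by hand for this example. `tcp-acl` and
`hash-alg` are hypothetical identities that do not exist in the ACL draft;
they are here to show an indirectly derived value and an unrelated one.
"""

# identity name -> tuple of base identities (empty tuple means no base)
IDENTITIES = {
    "acl-base": (),                # from the draft: abstract base identity
    "ipv4-acl": ("acl-base",),     # from the draft
    "ipv6-acl": ("acl-base",),     # from the draft
    "tcp-acl": ("ipv4-acl",),      # hypothetical: indirectly derived from acl-base
    "hash-alg": (),                # hypothetical: unrelated identity
}


def derived_from(identity, base, identities=IDENTITIES):
    """Return True if `identity` is directly or indirectly derived from `base`.

    An identity is not derived from itself, so the base identity is not an
    acceptable value for an identityref scoped to it. A seen-set guards
    against malformed (cyclic) identity tables.
    """
    seen = set()
    stack = list(identities.get(identity, ()))
    while stack:
        current = stack.pop()
        if current == base:
            return True
        if current in seen:
            continue
        seen.add(current)
        stack.extend(identities.get(current, ()))
    return False


def valid_values(base=None, identities=IDENTITIES):
    """Set of identities an identityref accepts.

    base=None models an identityref with no base restriction: every
    identity in the module universe becomes a legal value, including ones
    that have nothing to do with ACLs.
    """
    if base is None:
        return set(identities)
    return {name for name in identities if derived_from(name, base, identities)}


def check_value(value, base=None, identities=IDENTITIES):
    """Validate one candidate value against an identityref's base (if any)."""
    if value not in identities:
        raise ValueError(f"unknown identity {value!r}")
    return value in valid_values(base, identities)


if __name__ == "__main__":
    print("acl-type (base acl-base) accepts:", sorted(valid_values("acl-base")))
    print("unrestricted identityref accepts:", sorted(valid_values(None)))
    for candidate in ("ipv4-acl", "tcp-acl", "hash-alg", "acl-base"):
        print(f"{candidate:>9} with base acl-base ->", check_value(candidate, "acl-base"))
```

With `base acl-base`, the accepted set is exactly the ACL identities (including the hypothetical `tcp-acl`, because derivation is transitive); dropping the base, as in the proposed alternative, lets `hash-alg` through as well, which is the loss of type safety the reply points out.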

_______________________________________________
netmod mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/netmod