Juergen,

If "acl-base" has some content more than the comment (i.e. the description), then it makes sense.

The comments in the "identity ipv4-acl" are enough to describe the identity. Same with the identity ipv6-acl. I find it is very confusing to have the recursive reference of identity (all of them are simply the description).

My two cents,
Linda

-----Original Message-----
From: Juergen Schoenwaelder [mailto:[email protected]]
Sent: Monday, May 09, 2016 11:24 PM
To: Linda Dunbar
Cc: [email protected]; '[email protected]'; Thomas D. Nadeau
Subject: Re: Can you remove the "Identity acl-base" defined in draft-ietf-netmod-acl-model-07

Linda,

the identityref type in YANG can be scoped to a base identity. This allows to restrict an identityref to a certain set of identities. See 6020 section 7.16.3 and section 9.10.5 for an example. The ACL draft follows the model described in RFC 6020 and defines

  typedef acl-type {
    type identityref {
      base acl-base;
    }
  }

which restricts acl-type to any identity directly or indirectly derived from acl-base. If you remove acl-base, then acl-type could refer to any identity, which includes identities that have nothing to do with ACLs.

/js

On Tue, May 10, 2016 at 03:43:38AM +0000, Linda Dunbar wrote:
> Dear Authors:
>
> The "acl-base" identity defined in your draft is empty (i.e. only with a
> description). Then you define "ipv4-acl" to be "acl-base". So basically you
> inherited the comments twice.
>
>   identity acl-base {
>     description
>       "Base Access Control List type for all Access Control List type
>        identifiers.";
>   }
>
>   identity ipv4-acl {
>     base acl:acl-base;
>     description
>       "ACL that primarily matches on fields from the IPv4 header (e.g. IPv4
>        destination address) and layer 4 headers (e.g. TCP destination port).
>        An acl of type ipv4-acl does not contain matches on fields in the
>        ethernet header or the IPv6 header.";
>   }
>
>   identity ipv6-acl {
>     base acl:acl-base;
>     description
>       "ACL that primarily matches on fields from the IPv6 header (e.g. IPv6
>        destination address) and layer 4 headers (e.g. TCP destination port).
>        An acl of type ipv6-acl does not contain matches on fields in the
>        ethernet header or the IPv4 header.";
>   }
>
> You really don't need to define the "acl-base". What is the impact if
> defining the "ipv4-acl" and "ipv6-acl" as follows?
>
>   identity ipv4-acl {
>     description
>       "ACL that primarily matches on fields from the IPv4 header
>        (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP
>        destination port). An acl of type ipv4-acl does not contain
>        matches on fields in the ethernet header or the IPv6 header.";
>   }
>
>   identity ipv6-acl {
>     description
>       "ACL that primarily matches on fields from the IPv6 header
>        (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP
>        destination port). An acl of type ipv6-acl does not contain
>        matches on fields in the ethernet header or the IPv4 header.";
>   }
>
> Thanks, Linda Dunbar

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
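The derivation check discussed in this thread, sketched in Python as an added example (not part of the original messages or of the draft). The `ex:` identities and all function names are constructed for illustration; the base identity itself is treated as not being a valid identityref value, following RFC 6020's "derived from" wording.

```python
# Identity -> its base (RFC 6020 allows at most one base per identity).
HIERARCHY = {
    "acl:acl-base": None,
    "acl:ipv4-acl": "acl:acl-base",
    "acl:ipv6-acl": "acl:acl-base",
    # Constructed for this example, not taken from the draft:
    "ex:ipv4-mgmt-acl": "acl:ipv4-acl",  # indirectly derived from acl-base
    "ex:tunnel-type": None,              # unrelated root identity
    "ex:gre": "ex:tunnel-type",
}

# The proposal quoted in the thread: ipv4-acl and ipv6-acl with no base.
FLAT = {
    "acl:ipv4-acl": None,
    "acl:ipv6-acl": None,
    "ex:tunnel-type": None,
    "ex:gre": "ex:tunnel-type",
}

def ancestors(identity, identities):
    """All identities that `identity` is directly or indirectly derived from."""
    found = []
    current = identities[identity]
    while current is not None:
        if current in found:
            raise ValueError(f"circular base chain at {current}")
        found.append(current)
        current = identities[current]
    return found

def valid_identityref(value, base, identities=HIERARCHY):
    """An identityref accepts only identities derived from its base;
    unknown identities and the base itself are rejected."""
    return value in identities and base in ancestors(value, identities)

def accepted_values(base, identities=HIERARCHY):
    """Every identity a 'type identityref { base <base>; }' leaf would accept."""
    return sorted(i for i in identities if valid_identityref(i, base, identities))

def bases_covering(values, identities):
    """Identities usable as `base` so that every listed value is accepted."""
    common = None
    for v in values:
        a = set(ancestors(v, identities))
        common = a if common is None else common & a
    return common or set()

if __name__ == "__main__":
    print(accepted_values("acl:acl-base"))
    print(bases_covering(["acl:ipv4-acl", "acl:ipv6-acl"], FLAT))
```

With the flat definitions there is no identity that a typedef could name as `base` to accept both ACL types while excluding `ex:gre`, which is the scoping that acl-base provides.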
