Hi Dean,
3) With the model definition, even if the acl-type is configured as Ethernet,
the operator can still configure the matches of an ACE under the ACL as ipv4 or
ipv6, right?
No, if ACL type is ethernet, then all ACEs are expected to be ethernet.
[Adrian] I understand your point, but this is not reflected in the model.
According to the model, the operator can still configure the acl-type as
Ethernet while configuring the ACE of the ACL as ipv4, and this would be a valid
configuration.
Is this the model design intention?
If acl-type is of one family, then only ace with match condition from that
family are expected to be in the acl. If you want to combine them, please use
mixed type.
[Adrian] If it is only expected to be the same as the acl-type, but there is no
restriction in the model, you can't prevent the operator from mixing the
acl-type and the ACE matches in the configuration. So my thinking is: can we add
a restriction in the model, as below, to better reflect the model design
intention?
  container matches {
    description
      "Definitions for match criteria for this Access List
       Entry.";
    // Each family-specific container is valid only when the enclosing
    // acl entry has the matching acl-type. The context node of a 'when'
    // on a container is the container itself, so the path climbs
    // matches -> ace -> access-list-entries -> acl (four levels) to
    // reach the acl-type leaf of the list entry.
    container ace-ipv4 {
      when "../../../../acl-type='ipv4-acl'";
      description "IPv4 Access List Entry.";
      uses packet-fields:acl-ip-header-fields;
      uses packet-fields:acl-ipv4-header-fields;
    }
    container ace-ipv6 {
      when "../../../../acl-type='ipv6-acl'";
      description "IPv6 Access List Entry.";
      uses packet-fields:acl-ip-header-fields;
      uses packet-fields:acl-ipv6-header-fields;
    }
    container ace-eth {
      when "../../../../acl-type='eth-acl'";
      description
        "Ethernet Access List entry.";
      uses packet-fields:acl-eth-header-fields;
    }
  }
Thanks
Adrian
From: Dean Bogdanovic [mailto:[email protected]]
Sent: Monday, August 22, 2016 5:39 PM
To: Adrian Pan <[email protected]>
Cc: [email protected]; [email protected]; [email protected]; netmod WG
<[email protected]>
Subject: Re: Question about acl-type in draft-ietf-netmod-acl-model-08
(+netmod mailing list)
Adrian,
Please see inline
On Aug 22, 2016, at 2:27 AM, Adrian Pan <[email protected]> wrote:
Dear authors,
I have some questions about ietf acl model as below, your reply is appreciated.
1) In the model definition acl-type is one key of the acl; the description also
says that the acl-type could be ethernet, IPv4, IPv6, or mixed. In case the
acl-type is mixed, what should the identifier be?
Should it be augmented by different vendors? I don't see a definition for it.
As mixed ACLs are not supported by all vendors, those are not part of the
standard model. It is up to the vendor to augment the ace-type and select an
identifier to their liking.
2) In the "mixed" case, the "matches" of the ace list can be a combination of
Ethernet, ipv4, ipv6 for different aces, right?
Or another combination, again depends on what that particular vendor supports.
3) With the model definition, even if the acl-type is configured as Ethernet,
the operator can still configure the matches of an ACE under the ACL as ipv4 or
ipv6, right?
No, if ACL type is ethernet, then all ACEs are expected to be ethernet.
Is this the model design intention?
If acl-type is of one family, then only ace with match condition from that
family are expected to be in the acl. If you want to combine them, please use
mixed type.
Dean
module: ietf-access-control-list
   +--rw access-lists
      +--rw acl* [acl-type acl-name]
         +--rw acl-name                string
         +--rw acl-type                acl-type
         +--ro acl-oper-data
         +--rw access-list-entries
            +--rw ace* [rule-name]
               +--rw rule-name    string
               +--rw matches
               |  +--rw (ace-type)?

  leaf acl-type {
    type acl-type;
    description
      "Type of access control list. Indicates the primary intended
       type of match criteria (e.g. ethernet, IPv4, IPv6, mixed, etc)
       used in the list instance.";
  }
Thanks
Adrian
_______________________________________________
netmod mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/netmod
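The point of the thread is that draft-08 states the intent (one match family per single-family acl-type) only in prose, so an instance that pairs acl-type eth-acl with an ace-ipv4 match is schema-valid, and the proposed `when` statements are what would turn that intent into a constraint. The script below, an added illustration that is not code from the draft, the thread or any implementation, emulates both behaviours over a JSON-style instance document: with `enforce_when=False` it accepts what the current model accepts, with `enforce_when=True` it applies the proposed per-family restriction. The instance layout follows the posted tree (acl -> access-list-entries -> ace -> matches -> ace-ipv4 | ace-ipv6 | ace-eth), acl-type values are the bare identity names used in the posted `when` expressions, the leaf names inside the match containers are illustrative placeholders, and "example-vendor:mixed-acl" is a hypothetical vendor-augmented identity standing in for the mixed type the standard model does not define.

```python
"""Emulate the proposed `when` restriction over an ACL instance document.

Added illustration only: not code from the IETF draft, the thread, or any
product.  Assumes the posted tree layout and bare identity names.
"""
from typing import Dict, List, Set

# acl-type -> the single match container that family is meant to carry.
# A type absent from this map (e.g. a vendor-augmented "mixed" identity) is
# left unconstrained, mirroring the answer in the thread that mixed ACLs are
# vendor territory rather than part of the standard model.
ALLOWED_MATCH: Dict[str, Set[str]] = {
    "ipv4-acl": {"ace-ipv4"},
    "ipv6-acl": {"ace-ipv6"},
    "eth-acl": {"ace-eth"},
}
MATCH_CONTAINERS: Set[str] = {"ace-ipv4", "ace-ipv6", "ace-eth"}


def check_acl(acl: Dict, enforce_when: bool = True) -> List[str]:
    """Return the list of violations for one acl list entry.

    enforce_when=True applies the proposed `when` statements; False emulates
    draft-08, where nothing ties an ACE's match family to the acl-type key.
    """
    problems: List[str] = []
    acl_type = acl["acl-type"]
    allowed = ALLOWED_MATCH.get(acl_type)
    for ace in acl.get("access-list-entries", {}).get("ace", []):
        where = f"{acl['acl-name']}/{ace['rule-name']}"
        present = MATCH_CONTAINERS & set(ace.get("matches", {}))
        # The (ace-type)? choice is optional, so an empty matches is fine;
        # only a family that contradicts acl-type is a violation.
        if enforce_when and allowed is not None:
            for family in sorted(present - allowed):
                problems.append(
                    f"{where}: {family} is not valid when acl-type={acl_type}")
    return problems


# Constructed sample instances (not taken from any device or the draft).
ETH_ACL_WITH_IPV4_ACE = {
    "acl-name": "edge-l2",
    "acl-type": "eth-acl",
    "access-list-entries": {"ace": [
        {"rule-name": "allow-mgmt",
         "matches": {"ace-ipv4": {"destination-ipv4-network": "10.0.0.0/24"}}},
    ]},
}
IPV4_ACL = {
    "acl-name": "edge-v4",
    "acl-type": "ipv4-acl",
    "access-list-entries": {"ace": [
        {"rule-name": "allow-mgmt",
         "matches": {"ace-ipv4": {"destination-ipv4-network": "10.0.0.0/24"}}},
    ]},
}
# Hypothetical vendor-augmented identity; the standard model defines no "mixed".
VENDOR_MIXED_ACL = {
    "acl-name": "edge-mixed",
    "acl-type": "example-vendor:mixed-acl",
    "access-list-entries": {"ace": [
        {"rule-name": "l2",
         "matches": {"ace-eth": {"destination-mac-address": "00:11:22:33:44:55"}}},
        {"rule-name": "l3",
         "matches": {"ace-ipv6": {"destination-ipv6-network": "2001:db8::/32"}}},
    ]},
}

if __name__ == "__main__":
    print("draft-08 behaviour  :", check_acl(ETH_ACL_WITH_IPV4_ACE, enforce_when=False))
    print("with proposed 'when':", check_acl(ETH_ACL_WITH_IPV4_ACE))
    print("vendor mixed type   :", check_acl(VENDOR_MIXED_ACL))
```

Run stand-alone, the first line prints an empty list (the eth-acl/ace-ipv4 pairing is accepted today) and the second reports the ace-ipv4 container as invalid under acl-type eth-acl; the vendor mixed type passes in both modes because no standard-family restriction applies to it.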