--- 1/draft-ietf-netmod-acl-model-00.txt 2015-02-06 07:14:55.819391322 -0800
+++ 2/draft-ietf-netmod-acl-model-01.txt 2015-02-06 07:14:55.863392389 -0800
@@ -1,22 +1,22 @@
NETMOD WG D. Bogdanovic
Internet-Draft Juniper Networks
Intended status: Standards Track K. Sreenivasa
-Expires: May 10, 2015 Brocade Communications System
+Expires: August 9, 2015 Brocade Communications System
L. Huang
D. Blair
Cisco Systems
- November 6, 2014
+ February 05, 2015
Network Access Control List (ACL) YANG Data Model
- draft-ietf-netmod-acl-model-00
+ draft-ietf-netmod-acl-model-01
Abstract
This document describes a data model of Access Control List (ACL)
basic building blocks.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
@@ -24,25 +24,25 @@
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on May 10, 2015.
+ This Internet-Draft will expire on August 9, 2015.
Copyright Notice
- Copyright (c) 2014 IETF Trust and the persons identified as the
+ Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
@@ -50,32 +50,33 @@
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 3
2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3
3. Design of the ACL Model . . . . . . . . . . . . . . . . . . . 3
3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 4
4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. IETF-ACL module . . . . . . . . . . . . . . . . . . . . . 6
- 4.2. Packet Header module . . . . . . . . . . . . . . . . . . 10
+ 4.2. Packet Header module . . . . . . . . . . . . . . . . . . 11
4.3. A company proprietary module example . . . . . . . . . . 15
4.4. An ACL Example . . . . . . . . . . . . . . . . . . . . . 17
- 5. Example of extending existing model for route filtering . . . 18
- 6. Linux nftables . . . . . . . . . . . . . . . . . . . . . . . 20
+ 4.5. Port Range Usage Example . . . . . . . . . . . . . . . . 18
+ 5. Example of extending existing model for route filtering . . . 19
+ 6. Linux nftables . . . . . . . . . . . . . . . . . . . . . . . 21
7. Security Considerations . . . . . . . . . . . . . . . . . . . 21
- 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21
+ 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22
- 10. Change log [RFC Editor: Please remove] . . . . . . . . . . . 22
- 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 22
- 11.1. Normative References . . . . . . . . . . . . . . . . . . 22
- 11.2. Informative References . . . . . . . . . . . . . . . . . 22
+ 10. Change log [RFC Editor: Please remove] . . . . . . . . . . . 23
+ 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
+ 11.1. Normative References . . . . . . . . . . . . . . . . . . 23
+ 11.2. Informative References . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction
Access Control List (ACL) is one of the basic elements to configure
device forwarding behavior. It is used in many networking concepts
such as Policy Based Routing, Firewalls etc.
An ACL is an ordered set of rules that is used to filter traffic on a
networking device. Each rule is represented by an Access Control
@@ -811,32 +809,65 @@
sample-ip-acl
telnet-block-rule
2.2.2.2/32
1.1.1.1/32
-
+
Figure 2
+4.5. Port Range Usage Example
+
+ When a lower-port and an upper-port are both present, it represents a
+ range between lower-port and upper-port with both the lower-port and
+ upper-port are included. When only a lower-port presents, it
+ represents a single port.
+
+ With the follow XML snippet:
+
+
+ 16384
+ 16387
+
+
+ This represents source ports 16384,16385, 16386, and 16387.
+
+ With the follow XML snippet:
+
+
+ 16384
+ 65535
+
+
+ This represents source ports greater than/equal to 16384.
+
+ With the follow XML snippet:
+
+
+ 21
+
+
+ This represents port 21.
+
5. Example of extending existing model for route filtering
With proposed modular design, it is easy to extend the model with
other features. Those features can be standard features, like route
filters. Route filters match on specific IP addresses or ranges of
prefixes. Much like ACLs, they include some match criteria and
corresponding match action(s). For that reason, it is very simple to
extend existing ACL model with route filtering. The combination of a
route prefix and prefix length along with the type of match
determines how route filters are evaluated against incoming routes.
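Review bot: the new Section 4.5 (the text beginning "When a lower-port and an upper-port are both present") specifies only two of the possible combinations and omits the validity rule the model needs: it does not say whether an upper-port may appear without a lower-port, and it does not require lower-port <= upper-port, so a snippet with the two values swapped has no defined meaning. Suggest adding a sentence such as "An upper-port MUST NOT be present without a lower-port, and lower-port MUST be less than or equal to upper-port", and enforcing it with a `must` statement in the YANG module rather than in this prose alone. Two smaller points in the same hunk: as rendered, the three snippets show only the bare values (`16384`, `16387`, `21`) with no element names, so a reader cannot tell which value is lower-port and which is upper-port; and the wording should read "When only a lower-port is present" and "With the following XML snippet" (three occurrences).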