| draft-ietf-netmod-acl-model-02.txt | draft-ietf-netmod-acl-model-03.txt | |||
|---|---|---|---|---|
| NETMOD WG D. Bogdanovic | NETMOD WG D. Bogdanovic | |||
| Internet-Draft Juniper Networks | Internet-Draft Juniper Networks | |||
| Intended status: Standards Track K. Sreenivasa | Intended status: Standards Track K. Sreenivasa | |||
| Expires: September 6, 2015 Brocade Communications System | Expires: December 27, 2015 Brocade Communications System | |||
| L. Huang | L. Huang | |||
| Juniper Networks | ||||
| D. Blair | D. Blair | |||
| Cisco Systems | Cisco Systems | |||
| March 5, 2015 | June 25, 2015 | |||
| Network Access Control List (ACL) YANG Data Model | Network Access Control List (ACL) YANG Data Model | |||
| draft-ietf-netmod-acl-model-02 | draft-ietf-netmod-acl-model-03 | |||
| Abstract | Abstract | |||
| This document describes a data model of Access Control List (ACL) | This document describes a data model of Access Control List (ACL) | |||
| basic building blocks. | basic building blocks. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 35 | skipping to change at page 1, line 36 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 6, 2015. | This Internet-Draft will expire on December 27, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 12 | skipping to change at page 2, line 12 | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 3 | 1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 3 | |||
| 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Design of the ACL Model . . . . . . . . . . . . . . . . . . . 3 | 3. Design of the ACL Model . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 4 | 3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 5 | 4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.1. IETF-ACL module . . . . . . . . . . . . . . . . . . . . . 5 | 4.1. IETF Access Contorl List module . . . . . . . . . . . . . 6 | |||
| 4.2. IETF-PACKET-FIELDS module . . . . . . . . . . . . . . . . 11 | 4.2. IETF-PACKET-FIELDS module . . . . . . . . . . . . . . . . 10 | |||
| 4.3. An ACL Example . . . . . . . . . . . . . . . . . . . . . 16 | 4.3. An ACL Example . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 4.4. Port Range Usage Example . . . . . . . . . . . . . . . . 17 | 4.4. Port Range Usage Example . . . . . . . . . . . . . . . . 16 | |||
| 5. Linux nftables . . . . . . . . . . . . . . . . . . . . . . . 17 | 5. Linux nftables . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 19 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 19 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 19 | 9.2. Informative References . . . . . . . . . . . . . . . . . 19 | |||
| Appendix A. Extending ACL model examples . . . . . . . . . . . . 20 | Appendix A. Extending ACL model examples . . . . . . . . . . . . 20 | |||
| A.1. Example of extending existing model for route filtering . 20 | A.1. Example of extending existing model for route filtering . 20 | |||
| A.2. A company proprietary module example . . . . . . . . . . 22 | A.2. A company proprietary module example . . . . . . . . . . 22 | |||
| A.3. Attaching Access Control List to interfaces . . . . . . . 25 | A.3. Attaching Access Control List to interfaces . . . . . . . 24 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26 | |||
| 1. Introduction | 1. Introduction | |||
| Access Control List (ACL) is one of the basic elements to configure | Access Control List (ACL) is one of the basic elements to configure | |||
| device forwarding behavior. It is used in many networking concepts | device forwarding behavior. It is used in many networking concepts | |||
| such as Policy Based Routing, Firewalls etc. | such as Policy Based Routing, Firewalls etc. | |||
| An ACL is an ordered set of rules that is used to filter traffic on a | An ACL is an ordered set of rules that is used to filter traffic on a | |||
| networking device. Each rule is represented by an Access Control | networking device. Each rule is represented by an Access Control | |||
| skipping to change at page 3, line 15 | skipping to change at page 3, line 15 | |||
| o Metadata matches apply to fields associated with the packet but | o Metadata matches apply to fields associated with the packet but | |||
| not in the packet header such as input interface or overall packet | not in the packet header such as input interface or overall packet | |||
| length | length | |||
| The actions specify what to do with the packet when the matching | The actions specify what to do with the packet when the matching | |||
| criteria is met. These actions are any operations that would apply | criteria is met. These actions are any operations that would apply | |||
| to the packet, such as counting, policing, or simply forwarding.The | to the packet, such as counting, policing, or simply forwarding.The | |||
| list of potential actions is endless depending on the innovations of | list of potential actions is endless depending on the innovations of | |||
| the networked devices. | the networked devices. | |||
| Access Control List is also widely knowns as ACL (pronounce as [ak-uh | ||||
| l]) or Access List. In this document, Access Control List, ACL and | ||||
| Access List are interchangeable. | ||||
| 1.1. Definitions and Acronyms | 1.1. Definitions and Acronyms | |||
| ACE: Access Control Entry | ACE: Access Control Entry | |||
| ACL: Access Control List | ACL: Access Control List | |||
| AFI: Address Field Identifier | AFI: Address Field Identifier | |||
| DSCP: Differentiated Services Code Point | DSCP: Differentiated Services Code Point | |||
| skipping to change at page 3, line 45 | skipping to change at page 3, line 49 | |||
| TCP: Transmission Control Protocol | TCP: Transmission Control Protocol | |||
| 2. Problem Statement | 2. Problem Statement | |||
| This document defines a YANG [RFC6020] data model for the | This document defines a YANG [RFC6020] data model for the | |||
| configuration of ACLs. It is very important that model can be easily | configuration of ACLs. It is very important that model can be easily | |||
| reused between vendors and between applications. | reused between vendors and between applications. | |||
| ACL implementations in every device may vary greatly in terms of the | ACL implementations in every device may vary greatly in terms of the | |||
| filter constructs and actions that they support. Therefore this | filter constructs and actions that they support. Therefore this | |||
| draft proposes a simple model that can be augmented by vendor | draft proposes a simple model that can be augmented by standard | |||
| proprietary models. | extensions and vendor proprietary models. | |||
| 3. Design of the ACL Model | 3. Design of the ACL Model | |||
| Although different vendors have different ACL data models, there is a | Although different vendors have different ACL data models, there is a | |||
| common understanding of what access control list (ACL) is. A network | common understanding of what access control list (ACL) is. A network | |||
| system usually have a list of ACLs, and each ACL contains an ordered | system usually have a list of ACLs, and each ACL contains an ordered | |||
| list of rules, also known as access list entries - ACEs. Each ACE | list of rules, also known as access list entries - ACEs. Each ACE | |||
| has a group of match criteria and a group of action criteria. The | has a group of match criteria and a group of action criteria. The | |||
| match criteria consist of packet header matching and metadata | match criteria consist of packet header matching and metadata | |||
| matching. Packet header matching applies to fields visible in the | matching. Packet header matching applies to fields visible in the | |||
| packet such as address or class of service or port numbers. Metadata | packet such as address or class of service or port numbers. Metadata | |||
| matching applies to fields associated with the packet, but not in the | matching applies to fields associated with the packet, but not in the | |||
| packet header such as input interface, packet length, or source or | packet header such as input interface, packet length, or source or | |||
| destination prefix length. The actions can be any sort of operation | destination prefix length. The actions can be any sort of operation | |||
| from logging to rate limiting or dropping to simply forwarding. | from logging to rate limiting or dropping to simply forwarding. | |||
| Actions on the first matching ACE are applied with no processing of | Actions on the first matching ACE are applied with no processing of | |||
| subsequent ACEs. The model also includes overall operational state | subsequent ACEs. The model also includes a container to hold overall | |||
| for the ACL and operational state for each ACE, targets where the ACL | operational state for each ACL and operational state for each ACE. | |||
| applied. One ACL can be applied to multiple targets within the | One ACL can be applied to multiple targets within the device, such as | |||
| device, such as interfaces of a networked device, applications or | interfaces of a networked device, applications or features running in | |||
| features running in the device, etc. When applied to interfaces of a | the device, etc. When applied to interfaces of a networked device, | |||
| networked device, the ACL is applied in a direction which indicates | the ACL is applied in a direction which indicates if it should be | |||
| if it should be applied to packet entering (input) or leaving the | applied to packet entering (input) or leaving the device (output). | |||
| device (output). | An example in the appendix shows how to express it in YNAG model. | |||
| This draft tries to address the commonalities between all vendors and | This draft tries to address the commonalities between all vendors and | |||
| create a common model, which can be augmented with proprietary | create a common model, which can be augmented with proprietary | |||
| models. The base model is very simple and with this design we hope | models. The base model is very simple and with this design we hope | |||
| to achieve needed flexibility for each vendor to extend the base | to achieve needed flexibility for each vendor to extend the base | |||
| model. | model. | |||
| 3.1. ACL Modules | 3.1. ACL Modules | |||
| There are two YANG modules in the model. The first module, "ietf- | There are two YANG modules in the model. The first module, "ietf- | |||
| acl", defines generic ACL aspects which are common to all ACLs | access-control-list", defines generic ACL aspects which are common to | |||
| regardless of their type or vendor. In effect, the module can be | all ACLs regardless of their type or vendor. In effect, the module | |||
| viewed as providing a generic ACL "superclass". It imports the | can be viewed as providing a generic ACL "superclass". It imports | |||
| second module, "ietf-packet-fields". The match container in "ietf- | the second module, "ietf-packet-fields". The match container in | |||
| acl" uses groupings in "ietf-packet-fields". The "ietf-packet- | "ietf-access-control-list" uses groupings in "ietf-packet-fields". | |||
| fields" modules can easily be extended to reuse definitions from | If there is a need to define new "matches" choice, such as IPFIX | |||
| other modules such as IPFIX [RFC5101] or migrate proprietary | [RFC5101], the container "matches" can be augmented. | |||
| augmented module definitions into the standard module. | ||||
| module: ietf-acl | ||||
| +--rw access-lists | ||||
| +--rw access-list* [access-control-list-name] | ||||
| +--rw access-control-list-name string | ||||
| +--rw access-control-list-type? access-control-list-type | ||||
| +--ro access-control-list-oper-data | ||||
| | +--ro (targets)? | ||||
| | +--:(interface-name) | ||||
| | +--ro interface-name* string | ||||
| +--rw access-list-entries | ||||
| +--rw access-list-entry* [rule-name] | ||||
| +--rw rule-name string | ||||
| +--rw matches | ||||
| | +--rw (access-list-entries-type)? | ||||
| | | +--:(access-list-entries-ip) | ||||
| | | | +--rw source-port-range | ||||
| | | | | +--rw lower-port inet:port-number | ||||
| | | | | +--rw upper-port? inet:port-number | ||||
| | | | +--rw destination-port-range | ||||
| | | | | +--rw lower-port inet:port-number | ||||
| | | | | +--rw upper-port? inet:port-number | ||||
| | | | +--rw dscp? inet:dscp | ||||
| | | | +--rw protocol? uint8 | ||||
| | | | +--rw (access-list-entries-ip-version)? | ||||
| | | | +--:(access-list-entries-ipv4) | ||||
| | | | | +--rw destination-ipv4-network? inet:ipv4-prefix | ||||
| | | | | +--rw source-ipv4-network? inet:ipv4-prefix | ||||
| | | | +--:(access-list-entries-ipv6) | ||||
| | | | +--rw destination-ipv6-network? inet:ipv6-prefix | ||||
| | | | +--rw source-ipv6-network? inet:ipv6-prefix | ||||
| | | | +--rw flow-label? inet:ipv6-flow-label | ||||
| | | +--:(access-list-entries-eth) | ||||
| | | +--rw destination-mac-address? yang:mac-address | ||||
| | | +--rw destination-mac-address-mask? yang:mac-address | ||||
| | | +--rw source-mac-address? yang:mac-address | ||||
| | | +--rw source-mac-address-mask? yang:mac-address | ||||
| | +--rw input-interface? string | ||||
| | +--rw absolute | ||||
| | +--rw start? yang:date-and-time | ||||
| | +--rw end? yang:date-and-time | ||||
| | +--rw active? boolean | ||||
| +--rw actions | ||||
| | +--rw (packet-handling)? | ||||
| | +--:(deny) | ||||
| | | +--rw deny? empty | ||||
| | +--:(permit) | ||||
| | +--rw permit? empty | ||||
| +--ro access-list-entries-oper-data | ||||
| +--ro match-counter? yang:counter64 | ||||
| 4. ACL YANG Models | ||||
| 4.1. IETF-ACL module | ||||
| "ietf-acl" is the standard top level module for Access lists. It has | ||||
| a container for "access-list" to store access list information. This | ||||
| container has information identifying the access list by a name("acl- | ||||
| name") and a list("access-list-entries") of rules associated with the | ||||
| "acl-name". Each of the entries in the list("access-list-entries") | ||||
| indexed by the string "rule-name" have containers defining "matches" | ||||
| and "actions". The "matches" define criteria used to identify | ||||
| patterns in "ietf-packet-fields". The "actions" define behavior to | ||||
| undertake once a "match" has been identified. | ||||
| <CODE BEGINS>file "ietf-acl@2015-03-04.yang" | ||||
| module ietf-acl { | ||||
| yang-version 1; | ||||
| namespace "urn:ietf:params:xml:ns:yang:ietf-acl"; | ||||
| prefix access-control-list; | ||||
| import ietf-yang-types { | ||||
| prefix "yang"; | ||||
| } | ||||
| import ietf-packet-fields { | ||||
| prefix "packet-fields"; | ||||
| } | ||||
| organization | ||||
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | ||||
| contact | ||||
| "WG Web: http://tools.ietf.org/wg/netmod/ | ||||
| WG List: netmod@ietf.org | ||||
| WG Chair: Juergen Schoenwaelder | ||||
| j.schoenwaelder@jacobs-university.de | ||||
| WG Chair: Tom Nadeau | ||||
| tnadeau@lucidvision.com | ||||
| Editor: Dean Bogdanovic | ||||
| deanb@juniper.net | ||||
| Editor: Kiran Agrahara Sreenivasa | ||||
| kkoushik@brocade.com | ||||
| Editor: Lisa Huang | ||||
| yihuan@cisco.com | ||||
| Editor: Dana Blair | ||||
| dblair@cisco.com"; | ||||
| description | ||||
| "This YANG module defines a component that describing the | ||||
| configuration of Access Control Lists (ACLs). | ||||
| Copyright (c) 2015 IETF Trust and the persons identified as | ||||
| the document authors. All rights reserved. | ||||
| Redistribution and use in source and binary forms, with or | ||||
| without modification, is permitted pursuant to, and subject | ||||
| to the license terms contained in, the Simplified BSD | ||||
| License set forth in Section 4.c of the IETF Trust's Legal | ||||
| Provisions Relating to IETF Documents | ||||
| (http://trustee.ietf.org/license-info). | ||||
| This version of this YANG module is part of RFC XXXX; see | ||||
| the RFC itself for full legal notices."; | ||||
| // RFC Ed.: replace XXXX with actual RFC number and remove this | ||||
| // note. | ||||
| revision 2015-03-04 { | ||||
| description "Base model for Network Access Control List (ACL)."; | ||||
| reference | ||||
| "RFC XXXX: Network Access Control List (ACL) | ||||
| YANG Data Model"; | ||||
| } | ||||
| identity access-control-list-base { | ||||
| description "Base access control list type for all access control list type | ||||
| identifiers."; | ||||
| } | ||||
| identity IP-access-control-list { | ||||
| base "access-control-list:access-control-list-base"; | ||||
| description "IP-access control list is common name for layer 3 and 4 access | ||||
| control list types. It is common among vendors to call 3-tupple or 5 tupple | ||||
| IP access control lists"; | ||||
| } | ||||
| identity eth-access-control-list { | ||||
| base "access-control-list:access-control-list-base"; | ||||
| description "Ethernet access control list is name for layer 2 Ethernet | ||||
| technology access control list types, like 10/100/1000baseT or WiFi | ||||
| access control list"; | ||||
| } | ||||
| typedef access-control-list-type { | ||||
| type identityref { | ||||
| base "access-control-list-base"; | ||||
| } | ||||
| description | ||||
| "This type is used to refer to an Access Control List | ||||
| (ACL) type"; | ||||
| } | ||||
| typedef access-control-list-ref { | ||||
| type leafref { | ||||
| path "/access-lists/access-list/access-control-list-name"; | ||||
| } | ||||
| description "This type is used by data models that need to referenced an | ||||
| access control list"; | ||||
| } | ||||
| container access-lists { | ||||
| description | ||||
| "This is top level container for Access Control Lists. It can have one | ||||
| or more Access Control List."; | ||||
| list access-list { | ||||
| key access-control-list-name; | ||||
| description "An access list (acl) is an ordered list of | ||||
| access list entries (ACE). Each access control entries has a | ||||
| list of match criteria, and a list of actions. | ||||
| Since there are several kinds of access control lists | ||||
| implemented with different attributes for | ||||
| each and different for each vendor, this | ||||
| model accommodates customizing access control lists for | ||||
| each kind and for each vendor."; | ||||
| leaf access-control-list-name { | ||||
| type string; | ||||
| description "The name of access-list. A device MAY restrict the length | ||||
| and value of this name, possibly space and special characters are not | ||||
| allowed."; | ||||
| } | ||||
| leaf access-control-list-type { | ||||
| type access-control-list-type; | ||||
| description "Type of access control list. When this | ||||
| type is not explicitely specified, if vendor implementation permits, | ||||
| the access control entires in the list can be mixed, | ||||
| by containing L2, L3 and L4 entries"; | ||||
| } | ||||
| container access-control-list-oper-data { | ||||
| config false; | ||||
| description "Overall access control list operational data"; | ||||
| choice targets{ | ||||
| description "List of targets where access control list is applied"; | ||||
| leaf-list interface-name { | ||||
| type string; | ||||
| description "Interfaces where access control list is applied"; | ||||
| } | ||||
| } | ||||
| } | ||||
| container access-list-entries { | module: ietf-access-control-list | |||
| description "The access-list-entries container contains | +--rw access-lists | |||
| a list of access-list-entry(ACE)."; | +--rw acl* [acl-name] | |||
| +--ro acl-oper-data | ||||
| +--rw access-list-entries | ||||
| | +--rw ace* [rule-name] | ||||
| | +--rw matches | ||||
| | | +--rw (ace-type)? | ||||
| | | | +--:(ace-ip) | ||||
| | | | | +-rw (ace-ip-version)? | ||||
| | | | | | +--:(ace-ipv4) | ||||
| | | | | | | +--rw destination-ipv4-network? inet:ipv4-prefix | ||||
| | | | | | | +--rw source-ipv4-network? inet:ipv4-prefix | ||||
| | | | | | +--:(ace-ipv6) | ||||
| | | | | | +--rw destination-ipv6-network? inet:ipv6-prefix | ||||
| | | | | | +--rw source-ipv6-network? inet:ipv6-prefix | ||||
| | | | | | +--rw flow-label? inet:ipv6-flow-label | ||||
| | | | | +--rw dscp? inet:dscp | ||||
| | | | | +--rw protocol? uint8 | ||||
| | | | | +--rw source-port-range | ||||
| | | | | | +--rw lower-port? inet:port-number | ||||
| | | | | | +--rw upper-port? inet:port-number | ||||
| | | | | +--rw destination-port-range | ||||
| | | | | +--rw lower-port? inet:port-number | ||||
| | | | | +--rw upper-port? inet:port-number | ||||
| | | | +--:(ace-eth) | ||||
| | | | +--rw destination-mac-address? yang:mac-address | ||||
| | | | +--rw destination-mac-address-mask? yang:mac-address | ||||
| | | | +--rw source-mac-address? yang:mac-address | ||||
| | | | +--rw source-mac-address-mask? yang:mac-address | ||||
| | | +--rw input-interface? string | ||||
| | | +--rw absolute-time | ||||
| | | +--rw start? yang:date-and-time | ||||
| | | +--rw end? yang:date-and-time | ||||
| | | +--rw active? boolean | ||||
| | +--rw actions | ||||
| | | +--rw (packet-handling)? | ||||
| | | +--:(deny) | ||||
| | | | +--rw deny? empty | ||||
| | | +--:(permit) | ||||
| | | +--rw permit? empty | ||||
| | +--ro ace-oper-data | ||||
| | | +--ro match-counter? yang:counter64 | ||||
| | +--rw rule-name string | ||||
| +--rw acl-name string | ||||
| +--rw acl-type? acl-type | ||||
| list access-list-entry { | Figure 1 | |||
| key rule-name; | ||||
| ordered-by user; | ||||
| description "List of access list entries(ACE)"; | ||||
| leaf rule-name { | ||||
| type string; | ||||
| description "Entry name."; | ||||
| } | ||||
| container matches { | 4. ACL YANG Models | |||
| description "Define match criteria"; | ||||
| choice access-list-entries-type { | ||||
| description "Type of access list entry."; | ||||
| case access-list-entries-ip { | ||||
| uses packet-fields:access-control-list-ip-header-fields; | ||||
| choice access-list-entries-ip-version { | ||||
| description "Choice of IP version."; | ||||
| case access-list-entries-ipv4 { | ||||
| uses packet-fields:access-control-list-ipv4-header-fields; | ||||
| } | ||||
| case access-list-entries-ipv6 { | ||||
| uses packet-fields:access-control-list-ipv6-header-fields; | 4.1. IETF Access Contorl List module | |||
| } | ||||
| } | ||||
| } | ||||
| case access-list-entries-eth { | ||||
| description "Ethernet MAC address entry."; | ||||
| uses packet-fields:access-control-list-eth-header-fields; | ||||
| } | ||||
| } | ||||
| uses packet-fields:metadata; | ||||
| } | ||||
| container actions { | "ietf-access-control-list" is the standard top level module for | |||
| description "Define action criteria"; | Access lists. The "access-lists" container stores a list of "acl". | |||
| choice packet-handling { | Each "acl" has information identifying the access list by a | |||
| default deny; | name("acl-name") and a list("access-list-entries") of rules | |||
| associated with the "acl-name". Each of the entries in the | ||||
| list("access-list-entries"), indexed by the string "rule-name", has | ||||
| containers defining "matches" and "actions". The "matches" define | ||||
| criteria used to identify patterns in "ietf-packet-fields". The | ||||
| "actions" define behavior to undertake once a "match" has been | ||||
| identified. | ||||
| description "Packet handling action."; | <CODE BEGINS>file "ietf-access-control-list@2015-05-03.yang" | |||
| case deny { | module ietf-access-control-list { | |||
| leaf deny { | yang-version 1; | |||
| type empty; | namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; | |||
| description "Deny action."; | prefix acl; | |||
| import ietf-yang-types { | ||||
| prefix yang; | ||||
| } | ||||
| import ietf-packet-fields { | ||||
| prefix packet-fields; | ||||
| } | ||||
| organization "IETF NETMOD (NETCONF Data Modeling Language) | ||||
| Working Group"; | ||||
| contact | ||||
| "WG Web: http://tools.ietf.org/wg/netmod/ | ||||
| WG List: netmod@ietf.org | ||||
| WG Chair: Juergen Schoenwaelder | ||||
| j.schoenwaelder@jacobs-university.de | ||||
| WG Chair: Tom Nadeau | ||||
| tnadeau@lucidvision.com | ||||
| Editor: Dean Bogdanovic | ||||
| deanb@juniper.net | ||||
| Editor: Kiran Agrahara Sreenivasa | ||||
| kkoushik@brocade.com | ||||
| Editor: Lisa Huang | ||||
| lyihuang@juniper.net | ||||
| Editor: Dana Blair | ||||
| dblair@cisco.com"; | ||||
| description | ||||
| "This YANG module defines a component that describing the | ||||
| configuration of Access Control Lists (ACLs). | ||||
| Copyright (c) 2015 IETF Trust and the persons identified as | ||||
| the document authors. All rights reserved. | ||||
| } | Redistribution and use in source and binary forms, with or | |||
| } | without modification, is permitted pursuant to, and subject | |||
| case permit { | to the license terms contained in, the Simplified BSD | |||
| leaf permit { | License set forth in Section 4.c of the IETF Trust's Legal | |||
| type empty; | Provisions Relating to IETF Documents | |||
| description "Permit action."; | (http://trustee.ietf.org/license-info). | |||
| } | This version of this YANG module is part of RFC XXXX; see | |||
| } | the RFC itself for full legal notices."; | |||
| } | revision 2015-03-17 { | |||
| } | description | |||
| "Base model for Network Access Control List (ACL)."; | ||||
| reference | ||||
| "RFC XXXX: Network Access Control List (ACL) | ||||
| YANG Data Model"; | ||||
| } | ||||
| identity acl-base { | ||||
| description | ||||
| "Base Access Control List type for all Access Control List type | ||||
| identifiers."; | ||||
| } | ||||
| identity ip-acl { | ||||
| base acl:acl-base; | ||||
| description | ||||
| "IP Access Control List is a common name for lists that contain | ||||
| layer 3 and/or layer 4 match conditions."; | ||||
| } | ||||
| identity eth-acl { | ||||
| base acl:acl-base; | ||||
| description | ||||
| "Ethernet Access Control List is name for layer 2 Ethernet | ||||
| technology Access Control List types, like 10/100/1000baseT or | ||||
| WiFi Access Control List"; | ||||
| } | ||||
| typedef acl-type { | ||||
| type identityref { | ||||
| base acl-base; | ||||
| } | ||||
| description | ||||
| "This type is used to refer to an Access Control List | ||||
| (ACL) type"; | ||||
| } | ||||
| typedef access-control-list-ref { | ||||
| type leafref { | ||||
| path "/access-lists/acl/acl-name"; | ||||
| } | ||||
| description | ||||
| "This type is used by data models that need to reference an | ||||
| Access Control List"; | ||||
| container access-list-entries-oper-data { | } | |||
| config false; | container access-lists { | |||
| description | ||||
| "This is a top level container for Access Control Lists. | ||||
| It can have one or more Access Control Lists."; | ||||
| list acl { | ||||
| key "acl-name"; | ||||
| description | ||||
| "An Access Control List(ACL) is an ordered list of | ||||
| Access List Entries (ACE). Each Access Control Entry has a | ||||
| list of match criteria and a list of actions. | ||||
| Since there are several kinds of Access Control Lists | ||||
| implemented with different attributes for | ||||
| different vendors, this | ||||
| model accommodates customizing Access Control Lists for | ||||
| each kind and for each vendor."; | ||||
| container acl-oper-data { | ||||
| config false; | ||||
| description | ||||
| "Overall Access Control List operational data"; | ||||
| } | ||||
| container access-list-entries { | ||||
| description | ||||
| "The access-list-entries container contains | ||||
| a list of access-list-entries(ACE)."; | ||||
| list ace { | ||||
| key "rule-name"; | ||||
| ordered-by user; | ||||
| description | ||||
| "List of access list entries(ACE)"; | ||||
| container matches { | ||||
| description | ||||
| "Definitions for match criteria for this Access List | ||||
| Entry."; | ||||
| choice ace-type { | ||||
| description | ||||
| "Type of access list entry."; | ||||
| case ace-ip { | ||||
| description "IP Access List Entry."; | ||||
| choice ace-ip-version { | ||||
| description | ||||
| "IP version used in this Acess List Entry."; | ||||
| case ace-ipv4 { | ||||
| uses packet-fields:acl-ipv4-header-fields; | ||||
| } | ||||
| case ace-ipv6 { | ||||
| uses packet-fields:acl-ipv6-header-fields; | ||||
| } | ||||
| description "Per access list entries operational data"; | } | |||
| leaf match-counter { | uses packet-fields:acl-ip-header-fields; | |||
| type yang:counter64; | } | |||
| description "Number of matches for an access list entry"; | case ace-eth { | |||
| } | description | |||
| } | "Ethernet Access List entry."; | |||
| } | uses packet-fields:acl-eth-header-fields; | |||
| } | } | |||
| } | } | |||
| } | uses packet-fields:metadata; | |||
| } | } | |||
| container actions { | ||||
| description | ||||
| "Definitions of action criteria for this Access List | ||||
| Entry."; | ||||
| choice packet-handling { | ||||
| default "deny"; | ||||
| description | ||||
| "Packet handling action."; | ||||
| case deny { | ||||
| leaf deny { | ||||
| type empty; | ||||
| description | ||||
| "Deny action."; | ||||
| } | ||||
| } | ||||
| case permit { | ||||
| leaf permit { | ||||
| type empty; | ||||
| description | ||||
| "Permit action."; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| container ace-oper-data { | ||||
| config false; | ||||
| description | ||||
| "Operational data for this Access List Entry."; | ||||
| leaf match-counter { | ||||
| type yang:counter64; | ||||
| description | ||||
| "Number of matches for this Access List Entry"; | ||||
| } | ||||
| } | ||||
| leaf rule-name { | ||||
| type string; | ||||
| description | ||||
| "A unique name identifying this Access List | ||||
| Entry(ACE)."; | ||||
| } | ||||
| } | ||||
| } | ||||
| leaf acl-name { | ||||
| type string; | ||||
| description | ||||
| "The name of access-list. A device MAY restrict the length | ||||
| and value of this name, possibly space and special | ||||
| characters are not allowed."; | ||||
| } | ||||
| leaf acl-type { | ||||
| type acl-type; | ||||
| description | ||||
| "It is recommended to have an Access Control List with | ||||
| uniform access list entries, all of the same type. When | ||||
| this type is not explicitly specified, if vendor | ||||
| implementation permits, the access control entries | ||||
| in the list can be mixed, | ||||
| by containing L2, L3 and L4 entries"; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| <CODE ENDS> | ||||
| <CODE ENDS> | ||||
| 4.2. IETF-PACKET-FIELDS module | 4.2. IETF-PACKET-FIELDS module | |||
| The packet fields module defines the necessary groups for matching on | The packet fields module defines the necessary groups for matching on | |||
| fields in the packet including ethernet, ipv4, ipv6, transport layer | fields in the packet including ethernet, ipv4, ipv6, transport layer | |||
| fields and metadata. These groupings can be augmented to include | fields and metadata. Since the number of match criteria is very | |||
| other proprietary matching criteria. Since the number of match | large, the base draft does not include these directly but references | |||
| criteria is very large, the base draft does not include these | them by "uses" to keep the base module simple. In case more match | |||
| directly but references them by "uses" to keep the base module | conditions are needed, those can be added by augmenting choices | |||
| simple. | within container "matches" in ietf-access-control-list.yang model | |||
| <CODE BEGINS>file "ietf-packet-fields@2015-03-04.yang" | ||||
| <CODE BEGINS>file "ietf-packet-fields@2015-06-11.yang" | ||||
| module ietf-packet-fields { | module ietf-packet-fields { | |||
| yang-version 1; | yang-version 1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; | namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; | |||
| prefix packet-fields; | prefix packet-fields; | |||
| import ietf-inet-types { | import ietf-inet-types { | |||
| prefix "inet"; | prefix inet; | |||
| } | } | |||
| import ietf-yang-types { | import ietf-yang-types { | |||
| prefix "yang"; | prefix yang; | |||
| } | } | |||
| organization "IETF NETMOD (NETCONF Data Modeling Language) Working | ||||
| organization | Group"; | |||
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | ||||
| contact | contact | |||
| "WG Web: http://tools.ietf.org/wg/netmod/ | "WG Web: http://tools.ietf.org/wg/netmod/ | |||
| WG List: netmod@ietf.org | WG List: netmod@ietf.org | |||
| WG Chair: Juergen Schoenwaelder | WG Chair: Juergen Schoenwaelder | |||
| j.schoenwaelder@jacobs-university.de | j.schoenwaelder@jacobs-university.de | |||
| WG Chair: Tom Nadeau | WG Chair: Tom Nadeau | |||
| tnadeau@lucidvision.com | tnadeau@lucidvision.com | |||
| Editor: Dean Bogdanovic | Editor: Dean Bogdanovic | |||
| deanb@juniper.net | deanb@juniper.net | |||
| Editor: Kiran Agrahara Sreenivasa | Editor: Kiran Agrahara Sreenivasa | |||
| kkoushik@brocade.com | kkoushik@brocade.com | |||
| Editor: Lisa Huang | Editor: Lisa Huang | |||
| yihuan@cisco.com | lyihuang@juniper.net | |||
| Editor: Dana Blair | Editor: Dana Blair | |||
| dblair@cisco.com"; | dblair@cisco.com"; | |||
| description | description | |||
| "This YANG module defines groupings that used by ietf-acl | "This YANG module defines groupings that are used by | |||
| but not limited to acl. | ietf-access-control-list YANG module. Their usage is not | |||
| limited to ietf-access-control-list and can be | ||||
| used anywhere as applicable. | ||||
| Copyright (c) 2015 IETF Trust and the persons identified as | Copyright (c) 2015 IETF Trust and the persons identified as | |||
| the document authors. All rights reserved. | the document authors. All rights reserved. | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD | to the license terms contained in, the Simplified BSD | |||
| License set forth in Section 4.c of the IETF Trust's Legal | License set forth in Section 4.c of the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC XXXX; see | This version of this YANG module is part of RFC XXXX; see | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| revision 2015-06-11 { | ||||
| // RFC Ed.: replace XXXX with actual RFC number and remove this | description | |||
| // note. | "Initial version of packet fields used by | |||
| ietf-access-control-list"; | ||||
| revision 2015-03-04 { | ||||
| description "Initial version of packet fields used by | ||||
| access-lists"; | ||||
| reference | reference | |||
| "RFC XXXX: Network Access Control List (ACL) | "RFC XXXX: Network Access Control List (ACL) | |||
| YANG Data Model"; | YANG Data Model"; | |||
| } | } | |||
| grouping acl-transport-header-fields { | ||||
| grouping access-control-list-transport-header-fields { | description | |||
| description "Transport header fields"; | "Transport header fields"; | |||
| container source-port-range { | container source-port-range { | |||
| description "inclusive range of source ports"; | description | |||
| "Inclusive range representing source ports to be used. | ||||
| When only lower-port is present, it represents a single port."; | ||||
| leaf lower-port { | leaf lower-port { | |||
| type inet:port-number; | type inet:port-number; | |||
| mandatory true; | mandatory true; | |||
| description "Lower boundary."; | description | |||
| "Lower boundary for port."; | ||||
| } | } | |||
| leaf upper-port { | leaf upper-port { | |||
| must ". >= ../lower-port" { | ||||
| error-message | ||||
| "The upper-port must be greater than or equal to lower-port"; | ||||
| } | ||||
| type inet:port-number; | type inet:port-number; | |||
| description "Upper boundary. If exist, upper port must be greater or | description | |||
| equal to lower port."; | "Upper boundary for port . If existing, the upper port | |||
| must be greater or equal to lower-port."; | ||||
| } | } | |||
| } | } | |||
| container destination-port-range { | container destination-port-range { | |||
| description "inclusive range of destination ports"; | description | |||
| "Inclusive range representing destination ports to be used. When | ||||
| only lower-port is present, it represents a single port."; | ||||
| leaf lower-port { | leaf lower-port { | |||
| type inet:port-number; | type inet:port-number; | |||
| mandatory true; | mandatory true; | |||
| description "Lower boundary."; | description | |||
| "Lower boundary for port."; | ||||
| } | } | |||
| leaf upper-port { | leaf upper-port { | |||
| must ". >= ../lower-port" { | ||||
| error-message | ||||
| "The upper-port must be greater than or equal to lower-port"; | ||||
| } | ||||
| type inet:port-number; | type inet:port-number; | |||
| description "Upper boundary."; | description | |||
| "Upper boundary for port. If existing, the upper port must | ||||
| be greater or equal to lower-port"; | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| grouping acl-ip-header-fields { | ||||
| grouping access-control-list-ip-header-fields { | description | |||
| description "Header fields common to ipv4 and ipv6"; | "IP header fields common to ipv4 and ipv6"; | |||
| uses access-control-list-transport-header-fields; | ||||
| leaf dscp { | leaf dscp { | |||
| type inet:dscp; | type inet:dscp; | |||
| description | ||||
| description "Value of dscp."; | "Value of dscp."; | |||
| } | } | |||
| leaf protocol { | leaf protocol { | |||
| type uint8; | type uint8; | |||
| description "Internet Protocol number."; | description | |||
| "Internet Protocol number."; | ||||
| } | } | |||
| uses acl-transport-header-fields; | ||||
| } | } | |||
| grouping acl-ipv4-header-fields { | ||||
| grouping access-control-list-ipv4-header-fields { | description | |||
| description "fields in IPv4 header"; | "Fields in IPv4 header."; | |||
| leaf destination-ipv4-network { | leaf destination-ipv4-network { | |||
| type inet:ipv4-prefix; | type inet:ipv4-prefix; | |||
| description "One or more ip addresses."; | description | |||
| "Destination IPv4 address prefix."; | ||||
| } | } | |||
| leaf source-ipv4-network { | leaf source-ipv4-network { | |||
| type inet:ipv4-prefix; | type inet:ipv4-prefix; | |||
| description "One or more ip addresses."; | description | |||
| "Source IPv4 address prefix."; | ||||
| } | } | |||
| } | } | |||
| grouping acl-ipv6-header-fields { | ||||
| grouping access-control-list-ipv6-header-fields { | description | |||
| description "fields in IPv6 header"; | "Fields in IPv6 header"; | |||
| leaf destination-ipv6-network { | leaf destination-ipv6-network { | |||
| type inet:ipv6-prefix; | type inet:ipv6-prefix; | |||
| description "One or more ip addresses."; | description | |||
| "Destination IPv6 address prefix."; | ||||
| } | } | |||
| leaf source-ipv6-network { | leaf source-ipv6-network { | |||
| type inet:ipv6-prefix; | type inet:ipv6-prefix; | |||
| description "One or more ip addresses."; | description | |||
| "Source IPv6 address prefix."; | ||||
| } | } | |||
| leaf flow-label { | leaf flow-label { | |||
| type inet:ipv6-flow-label; | type inet:ipv6-flow-label; | |||
| description "Flow label."; | description | |||
| "IPv6 Flow label."; | ||||
| } | } | |||
| reference | ||||
| "RFC 4291: IP Version 6 Addressing Architecture | ||||
| RFC 4007: IPv6 Scoped Address Architecture | ||||
| RFC 5952: A Recommendation for IPv6 Address Text Representation"; | ||||
| } | } | |||
| grouping acl-eth-header-fields { | ||||
| grouping access-control-list-eth-header-fields { | description | |||
| "Fields in Ethernet header."; | ||||
| description "fields in ethernet header"; | ||||
| leaf destination-mac-address { | leaf destination-mac-address { | |||
| type yang:mac-address; | type yang:mac-address; | |||
| description "Mac addresses."; | description | |||
| "Destination IEEE 802 MAC address."; | ||||
| } | } | |||
| leaf destination-mac-address-mask { | leaf destination-mac-address-mask { | |||
| type yang:mac-address; | type yang:mac-address; | |||
| description "Mac addresses mask."; | description | |||
| "Destination IEEE 802 MAC address mask."; | ||||
| } | } | |||
| leaf source-mac-address { | leaf source-mac-address { | |||
| type yang:mac-address; | type yang:mac-address; | |||
| description "Mac addresses."; | description | |||
| "Source IEEE 802 MAC address."; | ||||
| } | } | |||
| leaf source-mac-address-mask { | leaf source-mac-address-mask { | |||
| type yang:mac-address; | type yang:mac-address; | |||
| description "Mac addresses mask."; | description | |||
| "Source IEEE 802 MAC address mask."; | ||||
| } | } | |||
| reference | ||||
| "IEEE 802: IEEE Standard for Local and Metropolitan Area | ||||
| Networks: Overview and Architecture."; | ||||
| } | } | |||
| grouping timerange { | grouping timerange { | |||
| description "Time range contains time | description | |||
| segments to allow access-control-list to be | "Time range contains time | |||
| active/inactive when the system time | segments to allow access-control-list to be | |||
| is within the time segments."; | active/inactive when the system time | |||
| is between the range."; | ||||
| container absolute { | container absolute-time { | |||
| description | description | |||
| "Absolute time and date that | "Absolute time and date that | |||
| the associated function starts | the associated function starts | |||
| going into effect."; | going into effect."; | |||
| leaf start { | leaf start { | |||
| type yang:date-and-time; | type yang:date-and-time; | |||
| description | description | |||
| "Start time and date"; | "Absolute start time and date"; | |||
| } | } | |||
| leaf end { | leaf end { | |||
| type yang:date-and-time; | type yang:date-and-time; | |||
| description "Absolute end time and date"; | description | |||
| "Absolute end time and date"; | ||||
| } | } | |||
| leaf active { | leaf active { | |||
| type boolean; | type boolean; | |||
| default "true"; | default "true"; | |||
| description | description | |||
| "This object indicates whether the | ||||
| "Specify the associated function | the ACL will be active(true) or | |||
| inactive(false) during this time range."; | ||||
| active or inactive state when | ||||
| starts going into effect"; | ||||
| } | } | |||
| } // container absolute | } | |||
| } //grouping timerange | } | |||
| grouping metadata { | grouping metadata { | |||
| description "Fields associated with a packet but not in | description | |||
| the header"; | "Fields associated with a packet whick are not in | |||
| the header."; | ||||
| leaf input-interface { | leaf input-interface { | |||
| type string; | type string; | |||
| description "Packet was received on this interface"; | description | |||
| "Packet was received on this interface."; | ||||
| } | } | |||
| uses timerange; | uses timerange; | |||
| } | } | |||
| } | } | |||
| <CODE ENDS> | <CODE ENDS> | |||
| 4.3. An ACL Example | 4.3. An ACL Example | |||
| Requirement: Deny All traffic from 10.10.10.1 bound for host | Requirement: Deny All traffic from 10.10.10.1 bound for host | |||
| 10.10.10.255 from leaving. | 10.10.10.255 from leaving. | |||
| In order to achieve the requirement, an name access control list is | In order to achieve the requirement, an name Access Control List is | |||
| needed. The acl and aces can be described in CLI as the following: | needed. The acl and aces can be described in CLI as the following: | |||
| access-list ip iacl | access-list ip sample-ip-acl | |||
| deny tcp host 10.10.10.1 host 10.10.10.255 | deny tcp host 10.10.10.1 host 10.10.10.255 | |||
| Figure 1 | ||||
| Here is the example acl configuration xml: | Here is the example acl configuration xml: | |||
| <rpc message-id="101" xmlns:nc="urn:cisco:params:xml:ns:yang:ietf-acl:1.0"> | <rpc message-id="101" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"> | |||
| // replace with IANA namespace when assigned | ||||
| <edit-config> | <edit-config> | |||
| <target> | <target> | |||
| <running/> | <running/> | |||
| </target> | </target> | |||
| <config> | <config> | |||
| <top xmlns="http://example.com/schema/1.2/config"> | <access-lists "urn:ietf:params:xml:ns:yang:ietf-acl:1.0"> | |||
| <access-lists> | <acl> | |||
| <access-list> | <acl-name>sample-ip-acl</acl-name> | |||
| <access-control-list-name>sample-ip-acl</access-control-list-name> | ||||
| <access-list-entries> | <access-list-entries> | |||
| <access-list-entry> | <ace> | |||
| <rule-name>telnet-block-rule</rule-name> | <rule-name>rule1</rule-name> | |||
| <matches> | <matches> | |||
| <destination-ipv4-address>10.10.10.255/24</destination-ipv4-address> | <destination-ipv4-network> | |||
| <source-ipv4-address>10.10.10.1/24</source-ipv4-address> | 10.10.10.255/24 | |||
| </matches> | </destination-ipv4-network> | |||
| <actions> | <source-ipv4-network> | |||
| <deny/> | 10.10.10.1/24 | |||
| </actions> | </source-ipv4-network> | |||
| </access-list-entry> | </matches> | |||
| <actions> | ||||
| <deny/> | ||||
| </actions> | ||||
| </ace> | ||||
| </access-list-entries> | </access-list-entries> | |||
| </access-list> | </acl> | |||
| </access-lists> | </access-lists> | |||
| </top> | ||||
| </config> | </config> | |||
| </edit-config> | </edit-config> | |||
| </rpc> | </rpc> | |||
| Figure 2 | ||||
| 4.4. Port Range Usage Example | 4.4. Port Range Usage Example | |||
| When a lower-port and an upper-port are both present, it represents a | When a lower-port and an upper-port are both present, it represents a | |||
| range between lower-port and upper-port with both the lower-port and | range between lower-port and upper-port with both the lower-port and | |||
| upper-port are included. When only a lower-port presents, it | upper-port are included. When only a lower-port presents, it | |||
| represents a single port. | represents a single port. | |||
| With the follow XML snippet: | With the follow XML snippet: | |||
| <source-port-range> | <source-port-range> | |||
| <lower-port>16384</lower-port> | <lower-port>16384</lower-port> | |||
| <upper-port>16387</upper-port> | <upper-port>16387</upper-port> | |||
| </source-port-range> | </source-port-range> | |||
| This represents source ports 16384,16385, 16386, and 16387. | This represents source ports 16384,16385, 16386, and 16387. | |||
| With the follow XML snippet: | With the follow XML snippet: | |||
| <source-port-range> | <source-port-range> | |||
| <lower-port>16384</lower-port> | <lower-port>16384</lower-port> | |||
| <upper-port>65535</upper-port> | <upper-port>65535</upper-port> | |||
| </source-port-range> | </source-port-range> | |||
| This represents source ports greater than/equal to 16384. | This represents source ports greater than/equal to 16384. | |||
| With the follow XML snippet: | With the follow XML snippet: | |||
| <source-port-range> | <source-port-range> | |||
| <lower-port>21</lower-port> | <lower-port>21</lower-port> | |||
| </source-port-range> | </source-port-range> | |||
| This represents port 21. | This represents port 21. | |||
| 5. Linux nftables | 5. Linux nftables | |||
| As Linux platform is becoming more popular as networking platform, | As Linux platform is becoming more popular as networking platform, | |||
| the Linux data model is changing. Previously ACLs in Linux were | the Linux data model is changing. Previously ACLs in Linux were | |||
| highly protocol specific and different utilities were used for it | highly protocol specific and different utilities were used (iptables, | |||
| (iptables, ip6tables, arptables, ebtables). Recently, this has | ip6tables, arptables, ebtables), so each one had separate data model. | |||
| changed and a single utility, nftables, has been provided. This | Recently, this has changed and a single utility, nftables, has been | |||
| utility follows very similarly the same base model as proposed in | developed. With a single application, it has a single data model for | |||
| this draft. The nftables support input and output ACEs and each ACE | filewall filters and it follows very similarly to the ietf-access- | |||
| can be defined with match and action. | control list module proposed in this draft. The nftables support | |||
| input and output ACEs and each ACE can be defined with match and | ||||
| action. | ||||
| In the example below, it shows nftable configuration that accepts and | ||||
| count packets. It contains a | ||||
| table ip filter { | ||||
| chain output { | ||||
| type filter hook output priority 0; | ||||
| counter packets 1 bytes 84 accept | ||||
| } | ||||
| } | ||||
| There are many similarities between Linux nftables and IETF ACL YANG | ||||
| data models. It should be fairly easy to do translation between ACL | ||||
| YANG model described in this draft and Linux nftables. | ||||
| 6. Security Considerations | 6. Security Considerations | |||
| The YANG module defined in this memo is designed to be accessed via | The YANG module defined in this memo is designed to be accessed via | |||
| the NETCONF protocol [RFC6241] [RFC6241]. The lowest NETCONF layer | the NETCONF protocol [RFC6241] [RFC6241]. The lowest NETCONF layer | |||
| is the secure transport layer and the mandatory-to-implement secure | is the secure transport layer and the mandatory-to-implement secure | |||
| transport is SSH [RFC6242] [RFC6242]. The NETCONF access control | transport is SSH [RFC6242] [RFC6242]. The NETCONF access control | |||
| model [RFC6536] [RFC6536] provides the means to restrict access for | model [RFC6536] [RFC6536] provides the means to restrict access for | |||
| particular NETCONF users to a pre-configured subset of all available | particular NETCONF users to a pre-configured subset of all available | |||
| NETCONF protocol operations and content. | NETCONF protocol operations and content. | |||
| skipping to change at page 18, line 25 | skipping to change at page 18, line 25 | |||
| There are a number of data nodes defined in the YANG module which are | There are a number of data nodes defined in the YANG module which are | |||
| writable/creatable/deletable (i.e., config true, which is the | writable/creatable/deletable (i.e., config true, which is the | |||
| default). These data nodes may be considered sensitive or vulnerable | default). These data nodes may be considered sensitive or vulnerable | |||
| in some network environments. Write operations (e.g., <edit-config>) | in some network environments. Write operations (e.g., <edit-config>) | |||
| to these data nodes without proper protection can have a negative | to these data nodes without proper protection can have a negative | |||
| effect on network operations. | effect on network operations. | |||
| These are the subtrees and data nodes and their sensitivity/ | These are the subtrees and data nodes and their sensitivity/ | |||
| vulnerability: | vulnerability: | |||
| /ietf-acl:access-lists/access-list/access-list-entries: This list | /access-lists/acl/access-list-entries: This list specifies all the | |||
| specifies all the configured access list entries on the device. | configured access list entries on the device. Unauthorized write | |||
| Unauthorized write access to this list can allow intruders to access | access to this list can allow intruders to access and control the | |||
| and control the system. Unauthorized read access to this list can | system. Unauthorized read access to this list can allow intruders to | |||
| allow intruders to spoof packets with authorized addresses thereby | spoof packets with authorized addresses thereby compromising the | |||
| compromising the system. | system. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document registers a URI in the IETF XML registry [RFC3688] | This document registers a URI in the IETF XML registry [RFC3688] | |||
| [RFC3688]. Following the format in RFC 3688, the following | [RFC3688]. Following the format in RFC 3688, the following | |||
| registration is requested to be made: | registration is requested to be made: | |||
| URI: urn:ietf:params:xml:ns:yang:ietf-acl | URI: urn:ietf:params:xml:ns:yang:ietf-access-control-list | |||
| URI: urn:ietf:params:xml:ns:yang:ietf-packet-fields | URI: urn:ietf:params:xml:ns:yang:ietf-packet-fields | |||
| Registrant Contact: The IESG. | Registrant Contact: The IESG. | |||
| XML: N/A, the requested URI is an XML namespace. | XML: N/A, the requested URI is an XML namespace. | |||
| This document registers a YANG module in the YANG Module Names | This document registers a YANG module in the YANG Module Names | |||
| registry [RFC6020]. | registry [RFC6020]. | |||
| name: ietf-acl namespace: urn:ietf:params:xml:ns:yang:ietf-acl | name: ietf-access-control-list namespace: | |||
| prefix: ietf-acl reference: RFC XXXX | urn:ietf:params:xml:ns:yang:ietf-access-control-list prefix: ietf-acl | |||
| reference: RFC XXXX | ||||
| name: ietf-packet-fields namespace: urn:ietf:params:xml:ns:yang:ietf- | name: ietf-packet-fields namespace: urn:ietf:params:xml:ns:yang:ietf- | |||
| packet-fields prefix: ietf-packet-fields reference: RFC XXXX | packet-fields prefix: ietf-packet-fields reference: RFC XXXX | |||
| 8. Acknowledgements | 8. Acknowledgements | |||
| Alex Clemm, Andy Bierman and Lisa Huang started it by sketching out | Alex Clemm, Andy Bierman and Lisa Huang started it by sketching out | |||
| an initial IETF draft in several past IETF meetings. That draft | an initial IETF draft in several past IETF meetings. That draft | |||
| included an ACL YANG model structure and a rich set of match filters, | included an ACL YANG model structure and a rich set of match filters, | |||
| and acknowledged contributions by Louis Fourie, Dana Blair, Tula | and acknowledged contributions by Louis Fourie, Dana Blair, Tula | |||
| Kraiser, Patrick Gili, George Serpa, Martin Bjorklund, Kent Watsen, | Kraiser, Patrick Gili, George Serpa, Martin Bjorklund, Kent Watsen, | |||
| skipping to change at page 20, line 22 | skipping to change at page 20, line 22 | |||
| prefixes. Much like ACLs, they include some match criteria and | prefixes. Much like ACLs, they include some match criteria and | |||
| corresponding match action(s). For that reason, it is very simple to | corresponding match action(s). For that reason, it is very simple to | |||
| extend existing ACL model with route filtering. The combination of a | extend existing ACL model with route filtering. The combination of a | |||
| route prefix and prefix length along with the type of match | route prefix and prefix length along with the type of match | |||
| determines how route filters are evaluated against incoming routes. | determines how route filters are evaluated against incoming routes. | |||
| Different vendors have different match types and in this model we are | Different vendors have different match types and in this model we are | |||
| using only ones that are common across all vendors participating in | using only ones that are common across all vendors participating in | |||
| this draft. As in this example, the base ACL model can be extended | this draft. As in this example, the base ACL model can be extended | |||
| with company proprietary extensions, described in the next section. | with company proprietary extensions, described in the next section. | |||
| <CODE BEGINS> file "std-ext-route-filter@2015-02-14.yang" | file "example-ext-route-filter@2015-02-14.yang" | |||
| module std-ext-route-filter { | ||||
| yang-version 1; | ||||
| namespace "urn:ietf:params:xml:ns:yang:ietf-route-filter"; | ||||
| prefix std-ext-route-filter; | ||||
| import ietf-inet-types { | ||||
| prefix "inet"; | ||||
| } | ||||
| import ietf-acl { | ||||
| prefix "ietf-acl"; | ||||
| } | ||||
| organization | ||||
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | ||||
| contact | ||||
| "WG Web: http://tools.ietf.org/wg/netmod/ | ||||
| WG List: netmod@ietf.org | ||||
| WG Chair: Juergen Schoenwaelder | ||||
| j.schoenwaelder@jacobs-university.de | ||||
| WG Chair: Tom Nadeau | ||||
| tnadeau@lucidvision.com | ||||
| Editor: Dean Bogdanovic | ||||
| deanb@juniper.net | ||||
| Editor: Kiran Agrahara Sreenivasa | ||||
| kkoushik@brocade.com | ||||
| Editor: Lisa Huang | ||||
| yihuan@cisco.com | ||||
| Editor: Dana Blair | module example-ext-route-filter { | |||
| dblair@cisco.com"; | yang-version 1; | |||
| namespace "urn:ietf:params:xml:ns:yang:example-ext-route-filter"; | ||||
| prefix example-ext-route-filter; | ||||
| import ietf-inet-types { | ||||
| prefix "inet"; | ||||
| } | ||||
| import ietf-access-control-list { | ||||
| prefix "ietf-acl"; | ||||
| } | ||||
| organization | ||||
| "Route modele group."; | ||||
| description " | contact | |||
| This module describes route filter as a collection of | "abc@abc.com"; | |||
| match prefixes. When specifying a match prefix, you | ||||
| can specify an exact match with a particular route or | ||||
| a less precise match. You can configure either a | ||||
| common action that applies to the entire list or an | ||||
| action associated with each prefix. | ||||
| "; | ||||
| revision 2015-02-14 { | description " | |||
| description "creating Route-Filter extension model based on ietf-acl model"; | This module describes route filter as a collection of | |||
| reference " "; | match prefixes. When specifying a match prefix, you | |||
| } | can specify an exact match with a particular route or | |||
| a less precise match. You can configure either a | ||||
| common action that applies to the entire list or an | ||||
| action associated with each prefix. | ||||
| "; | ||||
| revision 2015-05-03 { | ||||
| description | ||||
| "Creating Route-Filter extension model based on | ||||
| ietf-access-control-list model"; | ||||
| reference " "; | ||||
| augment "/ietf-acl:access-lists/ietf-acl:access-list | } | |||
| /ietf-acl:access-list-entries/ | augment "/ietf-acl:access-lists/ietf-acl:acl/ | |||
| ietf-acl:access-list-entry/ietf-acl:matches"{ | ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches"{ | |||
| description " | description " | |||
| This module augments the matches container in the ietf-acl | This module augments the matches container in the ietf-acl | |||
| module with route filter specific actions | module with route filter specific actions | |||
| "; | "; | |||
| choice route-prefix{ | choice route-prefix{ | |||
| description "Define route filter match criteria"; | description "Define route filter match criteria"; | |||
| case range { | case range { | |||
| description " | description | |||
| Route falls between the lower prefix/prefix-length and the upper | " Route falls between the lower prefix/prefix-length | |||
| prefix/prefix-length. | and the upperprefix/prefix-length."; | |||
| "; | choice ipv4-range { | |||
| choice ipv4-range { | description "Defines the IPv4 prefix range"; | |||
| description "Defines the lower IPv4 prefix/prefix range"; | leaf v4-lower-bound { | |||
| leaf v4-lower-bound { | type inet:ipv4-prefix; | |||
| type inet:ipv4-prefix; | description | |||
| description "Defines the lower IPv4 prefix/prefix length"; | "Defines the lower IPv4 prefix/prefix length"; | |||
| } | } | |||
| leaf v4-upper-bound { | leaf v4-upper-bound { | |||
| type inet:ipv4-prefix; | type inet:ipv4-prefix; | |||
| description "Defines the upper IPv4 prefix/prefix length"; | description | |||
| } | "Defines the upper IPv4 prefix/prefix length"; | |||
| } | } | |||
| choice ipv6-range { | } | |||
| description "Defines the IPv6 prefix/prefix range"; | choice ipv6-range { | |||
| leaf v6-lower-bound { | description "Defines the IPv6 prefix/prefix range"; | |||
| type inet:ipv6-prefix; | leaf v6-lower-bound { | |||
| description "Defines the lower IPv6 prefix/prefix length"; | type inet:ipv6-prefix; | |||
| } | description | |||
| leaf v6-upper-bound { | "Defines the lower IPv6 prefix/prefix length"; | |||
| type inet:ipv6-prefix; | } | |||
| description "Defines the upper IPv6 prefix/prefix length"; | leaf v6-upper-bound { | |||
| } | type inet:ipv6-prefix; | |||
| } | description | |||
| } | "Defines the upper IPv6 prefix/prefix length"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| <CODE ENDS> | } | |||
| } | ||||
| } | ||||
| A.2. A company proprietary module example | A.2. A company proprietary module example | |||
| Module "newco-acl" is an example of company proprietary model that | Module "example-newco-acl" is an example of company proprietary model | |||
| augments "ietf-acl" module. It shows how to use 'augment' with an | that augments "ietf-acl" module. It shows how to use 'augment' with | |||
| XPath expression to add additional match criteria, action criteria, | an XPath expression to add additional match criteria, action | |||
| and default actions when no ACE matches found. All these are company | criteria, and default actions when no ACE matches found. All these | |||
| proprietary extensions or system feature extensions. "newco-acl" is | are company proprietary extensions or system feature extensions. | |||
| just an example and it is expected from vendors to create their own | "example-newco-acl" is just an example and it is expected from | |||
| proprietary models. | vendors to create their own proprietary models. | |||
| The following figure is the tree structure of newco-acl. In this | The following figure is the tree structure of example-newco-acl. In | |||
| example, ietf-acl:access-lists/ietf-acl:access-list/ietf-acl:access- | this example, /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access- | |||
| list-entries/ietf-acl:access-list-entry/ietf-acl:matches: are | list-entries/ ietf-acl:ace/ietf-acl:matches are augmented with a new | |||
| augmented with a new choice, protocol-payload-choice. The protocol- | choice, protocol-payload-choice. The protocol-payload-choice uses a | |||
| payload-choice uses a grouping with an enumeration of all supported | grouping with an enumeration of all supported protocol values. In | |||
| protocol values. In other example, ietf-acl:access-lists/ietf-acl | other example, /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access- | |||
| :access-list/ietf-acl:access-list-entries/ietf-acl:access-list-entry/ | list-entries/ ietf-acl:ace/ietf-acl:actions are augmented with new | |||
| ietf-acl:actions are augmented with new choice of actions. | choice of actions. | |||
| module: newco-acl | module: example-newco-acl | |||
| augment /ietf-acl:access-lists/ietf-acl:access-list | augment /ietf-acl:access-lists/ietf-acl:acl/ | |||
| /ietf-acl:access-list-entries/ | ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches: | |||
| ietf-acl:access-list-entry/ietf-acl:matches: | +--rw (protocol-payload-choice)? | |||
| +--rw (protocol-payload-choice)? | ||||
| +--:(protocol-payload) | +--:(protocol-payload) | |||
| +--rw protocol-payload* [value-keyword] | +--rw protocol-payload* [value-keyword] | |||
| +--rw value-keyword enumeration | +--rw value-keyword enumeration | |||
| augment /ietf-acl:access-lists/ietf-acl:access-list | augment /ietf-acl:access-lists/ietf-acl:acl/ | |||
| /ietf-acl:access-list-entries/ | ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:actions: | |||
| ietf-acl:access-list-entry/ietf-acl:actions: | +--rw (action)? | |||
| +--rw (action)? | ||||
| +--:(count) | +--:(count) | |||
| | +--rw count? string | | +--rw count? string | |||
| +--:(policer) | +--:(policer) | |||
| | +--rw policer? string | | +--rw policer? string | |||
| +--:(hiearchical-policer) | +--:(hiearchical-policer) | |||
| +--rw hierarchitacl-policer? string | +--rw hierarchitacl-policer? string | |||
| augment /ietf-acl:access-lists/ietf-acl:access-list: | augment /ietf-acl:access-lists/ietf-acl:acl: | |||
| +--rw default-actions | +--rw default-actions | |||
| +--rw deny? empty | +--rw deny? empty | |||
| <CODE BEGINS> file "newco-acl@2015-03-04.yang" | file "newco-acl@2015-03-04.yang" | |||
| module newco-acl { | module example-newco-acl { | |||
| yang-version 1; | yang-version 1; | |||
| namespace "urn:newco:params:xml:ns:yang:newco-acl"; | namespace "urn:newco:params:xml:ns:yang:example-newco-acl"; | |||
| prefix newco-acl; | ||||
| prefix example-newco-acl; | ||||
| import ietf-acl { | import ietf-acl { | |||
| prefix "ietf-acl"; | prefix "ietf-acl"; | |||
| } | } | |||
| revision 2015-03-04{ | revision 2015-05-03{ | |||
| description "creating NewCo proprietary extensions to ietf-acl model"; | description "Creating NewCo proprietary extensions to ietf-acl model"; | |||
| } | } | |||
| augment "/ietf-acl:access-lists/ietf-acl:access-list | augment "/ietf-acl:access-lists/ietf-acl:access-list | |||
| /ietf-acl:access-list-entries/ | /ietf-acl:access-list-entries/ | |||
| ietf-acl:access-list-entry/ietf-acl:matches" { | ietf-acl:access-list-entry/ietf-acl:matches" { | |||
| description "Newco proprietary simple filter matches"; | description "Newco proprietary simple filter matches"; | |||
| choice protocol-payload-choice { | choice protocol-payload-choice { | |||
| list protocol-payload { | list protocol-payload { | |||
| key value-keyword; | key value-keyword; | |||
| ordered-by user; | ordered-by user; | |||
| description "Match protocol payload"; | description "Match protocol payload"; | |||
| uses match-simple-payload-protocol-value; | uses match-simple-payload-protocol-value; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| augment "/ietf-acl:access-lists/ietf-acl:access-list/ietf-acl:access-list-entries/ietf-acl:access-list-entry/ietf-acl:actions" { | augment "/ietf-acl:access-lists/ietf-acl:access-list/ | |||
| ietf-acl:access-list-entries/ietf-acl:access-list-entry/ | ||||
| ietf-acl:actions" { | ||||
| description "Newco proprietary simple filter actions"; | description "Newco proprietary simple filter actions"; | |||
| choice action { | choice action { | |||
| case count { | case count { | |||
| description "Count the packet in the named counter"; | description "Count the packet in the named counter"; | |||
| leaf count { | leaf count { | |||
| type string; | type string; | |||
| } | } | |||
| } | } | |||
| case policer { | case policer { | |||
| description "Name of policer to use to rate-limit traffic"; | description "Name of policer to use to rate-limit traffic"; | |||
| skipping to change at page 25, line 4 | skipping to change at page 24, line 22 | |||
| grouping match-simple-payload-protocol-value { | grouping match-simple-payload-protocol-value { | |||
| leaf value-keyword { | leaf value-keyword { | |||
| description "(null)"; | description "(null)"; | |||
| type enumeration { | type enumeration { | |||
| enum icmp { | enum icmp { | |||
| description "Internet Control Message Protocol"; | description "Internet Control Message Protocol"; | |||
| } | } | |||
| enum icmp6 { | enum icmp6 { | |||
| description "Internet Control Message Protocol Version 6"; | description "Internet Control Message Protocol Version 6"; | |||
| } | } | |||
| enum range { | enum range { | |||
| description "Range of values"; | description "Range of values"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| <CODE ENDS> | ||||
| Draft authors expect that different vendors will provide their own | Draft authors expect that different vendors will provide their own | |||
| yang models as in the example above, which is the extension of the | yang models as in the example above, which is the augmentation of the | |||
| base model | base model | |||
| A.3. Attaching Access Control List to interfaces | A.3. Attaching Access Control List to interfaces | |||
| Access control list typically does not exist in isolation. Instead, | Access control list typically does not exist in isolation. Instead, | |||
| they are associated with a certain scope in which they are applied, | they are associated with a certain scope in which they are applied, | |||
| for example, an interface of a set of interfaces. How to attach an | for example, an interface of a set of interfaces. How to attach an | |||
| SPF to an interface (or other system artifact) is outside the scope | access control list to an interface (or other system artifact) is | |||
| of this model, as it depends on the specifics of the system model | outside the scope of this model, as it depends on the specifics of | |||
| that is being applied. However, in general, the general design | the system model that is being applied. However, in general, the | |||
| pattern will involved adding a dada node with a reference, or set of | general design pattern will involved adding a data node with a | |||
| references, to ACLs that are to be applied to the interface. For | reference, or set of references, to ACLs that are to be applied to | |||
| this purpose, the type definition "access-control-list-ref" can be | the interface. For this purpose, the type definition "access- | |||
| used. | control-list-ref" can be used. | |||
| This is an example of attaching an access control list to an | This is an example of attaching an Access Control List to an | |||
| interface. | interface. | |||
| <CODE BEGINS> file "interface model augmentation with ACL | import ietf-access-control-list { | |||
| @2015-03-04.yang" | ||||
| import ietf-acl { | ||||
| prefix "ietf-acl"; | prefix "ietf-acl"; | |||
| } | } | |||
| import ietf-interface { | import ietf-interface { | |||
| prefix "ietf-if"; | prefix "ietf-if"; | |||
| } | } | |||
| import ietf-yang-types { | import ietf-yang-types { | |||
| prefix "yang"; | prefix "yang"; | |||
| } | } | |||
| augment "/ietf-if:interfaces/ietf-if:interface" { | augment "/ietf-if:interfaces/ietf-if:interface" { | |||
| description "Apply acl to interfaces"; | description "Apply ACL to interfaces"; | |||
| container acl{ | container acl{ | |||
| description "ACL related properties."; | description "ACL related properties."; | |||
| leaf acl-name { | leaf acl-name { | |||
| type ietf-acl:access-control-list-ref; | type ietf-acl:acl-ref; | |||
| mandatory true; | mandatory true; | |||
| description "Access Control List name."; | description "Access Control List name."; | |||
| } | } | |||
| leaf match-counter { | leaf match-counter { | |||
| type yang:counter64; | type yang:counter64; | |||
| config false; | config false; | |||
| description "Total match count for access control list "; | description | |||
| "Total match count for Access Control | ||||
| List on this interface"; | ||||
| } | } | |||
| choice direction { | choice direction { | |||
| leaf in { type empty;} | leaf in { type empty;} | |||
| leaf out { type empty;} | leaf out { type empty;} | |||
| } | } | |||
| } | } | |||
| } | } | |||
| <CODE ENDS> | augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-oper-data" { | |||
| description | ||||
| "This is an example on how to apply acl to a target to collect | ||||
| operational data"; | ||||
| container targets{ | ||||
| choice interface{ | ||||
| leaf-list interface-name{ | ||||
| type ietf-if:interface-ref; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| Authors' Addresses | Authors' Addresses | |||
| Dean Bogdanovic | Dean Bogdanovic | |||
| Juniper Networks | Juniper Networks | |||
| Email: deanb@juniper.net | Email: deanb@juniper.net | |||
| Kiran Agrahara Sreenivasa | Kiran Agrahara Sreenivasa | |||
| Brocade Communications System | Brocade Communications System | |||
| skipping to change at page 27, line 4 | skipping to change at page 26, line 16 | |||
| Dean Bogdanovic | Dean Bogdanovic | |||
| Juniper Networks | Juniper Networks | |||
| Email: deanb@juniper.net | Email: deanb@juniper.net | |||
| Kiran Agrahara Sreenivasa | Kiran Agrahara Sreenivasa | |||
| Brocade Communications System | Brocade Communications System | |||
| Email: kkoushik@brocade.com | Email: kkoushik@brocade.com | |||
| Lisa Huang | Lisa Huang | |||
| Cisco Systems | Juniper Networks | |||
| Email: yihuan@cisco.com | Email: lyihuang@juniper.net | |||
| Dana Blair | Dana Blair | |||
| Cisco Systems | Cisco Systems | |||
| Email: dblair@cisco.com | Email: dblair@cisco.com | |||
| End of changes. 133 change blocks. | ||||
| 627 lines changed or deleted | 607 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||