| draft-ietf-netmod-acl-model-05.txt | draft-ietf-netmod-acl-model-06.txt | |||
|---|---|---|---|---|
| NETMOD WG D. Bogdanovic | NETMOD WG D. Bogdanovic | |||
| Internet-Draft | Internet-Draft | |||
| Intended status: Standards Track K. Sreenivasa | Intended status: Standards Track K. Sreenivasa | |||
| Expires: April 19, 2016 Brocade Communications System | Expires: June 10, 2016 Cisco Systems | |||
| L. Huang | L. Huang | |||
| Juniper Networks | Juniper Networks | |||
| D. Blair | D. Blair | |||
| Cisco Systems | Cisco Systems | |||
| October 17, 2015 | December 8, 2015 | |||
| Network Access Control List (ACL) YANG Data Model | Network Access Control List (ACL) YANG Data Model | |||
| draft-ietf-netmod-acl-model-05 | draft-ietf-netmod-acl-model-06 | |||
| Abstract | Abstract | |||
| This document describes a data model of Access Control List (ACL) | This document describes a data model of Access Control List (ACL) | |||
| basic building blocks. | basic building blocks. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 36 | skipping to change at page 1, line 36 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 19, 2016. | This Internet-Draft will expire on June 10, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 25 | skipping to change at page 3, line 25 | |||
| Access Control List is also widely knowns as ACL (pronounce as [ak-uh | Access Control List is also widely knowns as ACL (pronounce as [ak-uh | |||
| l]) or Access List. In this document, Access Control List, ACL and | l]) or Access List. In this document, Access Control List, ACL and | |||
| Access List are interchangeable. | Access List are interchangeable. | |||
| 1.1. Definitions and Acronyms | 1.1. Definitions and Acronyms | |||
| ACE: Access Control Entry | ACE: Access Control Entry | |||
| ACL: Access Control List | ACL: Access Control List | |||
| AFI: Address Field Identifier | ||||
| DSCP: Differentiated Services Code Point | DSCP: Differentiated Services Code Point | |||
| ICMP: Internet Control Message Protocol | ICMP: Internet Control Message Protocol | |||
| IP: Internet Protocol | IP: Internet Protocol | |||
| IPv4: Internet Protocol version 4 | IPv4: Internet Protocol version 4 | |||
| IPv6: Internet Protocol version 6 | IPv6: Internet Protocol version 6 | |||
| skipping to change at page 4, line 27 | skipping to change at page 4, line 27 | |||
| destination prefix length. The actions can be any sort of operation | destination prefix length. The actions can be any sort of operation | |||
| from logging to rate limiting or dropping to simply forwarding. | from logging to rate limiting or dropping to simply forwarding. | |||
| Actions on the first matching ACE are applied with no processing of | Actions on the first matching ACE are applied with no processing of | |||
| subsequent ACEs. The model also includes a container to hold overall | subsequent ACEs. The model also includes a container to hold overall | |||
| operational state for each ACL and operational state for each ACE. | operational state for each ACL and operational state for each ACE. | |||
| One ACL can be applied to multiple targets within the device, such as | One ACL can be applied to multiple targets within the device, such as | |||
| interfaces of a networked device, applications or features running in | interfaces of a networked device, applications or features running in | |||
| the device, etc. When applied to interfaces of a networked device, | the device, etc. When applied to interfaces of a networked device, | |||
| the ACL is applied in a direction which indicates if it should be | the ACL is applied in a direction which indicates if it should be | |||
| applied to packet entering (input) or leaving the device (output). | applied to packet entering (input) or leaving the device (output). | |||
| An example in the appendix shows how to express it in YNAG model. | An example in the appendix shows how to express it in YANG model. | |||
| This draft tries to address the commonalities between all vendors and | This draft tries to address the commonalities between all vendors and | |||
| create a common model, which can be augmented with proprietary | create a common model, which can be augmented with proprietary | |||
| models. The base model is very simple and with this design we hope | models. The base model is very simple and with this design we hope | |||
| to achieve needed flexibility for each vendor to extend the base | to achieve needed flexibility for each vendor to extend the base | |||
| model. | model. | |||
| 3.1. ACL Modules | 3.1. ACL Modules | |||
| There are two YANG modules in the model. The first module, "ietf- | There are two YANG modules in the model. The first module, "ietf- | |||
| skipping to change at page 5, line 24 | skipping to change at page 5, line 24 | |||
| | | | | +--rw (ace-ip-version)? | | | | | +--rw (ace-ip-version)? | |||
| | | | | | +--:(ace-ipv4) | | | | | | +--:(ace-ipv4) | |||
| | | | | | | +--rw destination-ipv4-network? inet:ipv4-prefix | | | | | | | +--rw destination-ipv4-network? inet:ipv4-prefix | |||
| | | | | | | +--rw source-ipv4-network? inet:ipv4-prefix | | | | | | | +--rw source-ipv4-network? inet:ipv4-prefix | |||
| | | | | | +--:(ace-ipv6) | | | | | | +--:(ace-ipv6) | |||
| | | | | | +--rw destination-ipv6-network? inet:ipv6-prefix | | | | | | +--rw destination-ipv6-network? inet:ipv6-prefix | |||
| | | | | | +--rw source-ipv6-network? inet:ipv6-prefix | | | | | | +--rw source-ipv6-network? inet:ipv6-prefix | |||
| | | | | | +--rw flow-label? inet:ipv6-flow-label | | | | | | +--rw flow-label? inet:ipv6-flow-label | |||
| | | | | +--rw dscp? inet:dscp | | | | | +--rw dscp? inet:dscp | |||
| | | | | +--rw protocol? uint8 | | | | | +--rw protocol? uint8 | |||
| | | | | +--rw source-port-range | | | | | +--rw source-port-range! | |||
| | | | | | +--rw lower-port inet:port-number | | | | | | +--rw lower-port inet:port-number | |||
| | | | | | +--rw upper-port? inet:port-number | | | | | | +--rw upper-port? inet:port-number | |||
| | | | | +--rw destination-port-range | | | | | +--rw destination-port-range! | |||
| | | | | +--rw lower-port inet:port-number | | | | | +--rw lower-port inet:port-number | |||
| | | | | +--rw upper-port? inet:port-number | | | | | +--rw upper-port? inet:port-number | |||
| | | | +--:(ace-eth) | | | | +--:(ace-eth) | |||
| | | | +--rw destination-mac-address? yang:mac-address | | | | +--rw destination-mac-address? yang:mac-address | |||
| | | | +--rw destination-mac-address-mask? yang:mac-address | | | | +--rw destination-mac-address-mask? yang:mac-address | |||
| | | | +--rw source-mac-address? yang:mac-address | | | | +--rw source-mac-address? yang:mac-address | |||
| | | | +--rw source-mac-address-mask? yang:mac-address | | | | +--rw source-mac-address-mask? yang:mac-address | |||
| | | +--rw input-interface? string | | | +--rw input-interface? string | |||
| | | +--rw absolute-time | ||||
| | | +--rw start? yang:date-and-time | ||||
| | | +--rw end? yang:date-and-time | ||||
| | | +--rw active? boolean | ||||
| | +--rw actions | | +--rw actions | |||
| | | +--rw (packet-handling)? | | | +--rw (packet-handling)? | |||
| | | +--:(deny) | | | +--:(deny) | |||
| | | | +--rw deny? empty | | | | +--rw deny? empty | |||
| | | +--:(permit) | | | +--:(permit) | |||
| | | +--rw permit? empty | | | +--rw permit? empty | |||
| | +--ro ace-oper-data | | +--ro ace-oper-data | |||
| | | +--ro match-counter? yang:counter64 | | | +--ro match-counter? yang:counter64 | |||
| | +--rw rule-name string | | +--rw rule-name string | |||
| +--rw acl-name string | +--rw acl-name string | |||
| +--rw acl-type acl-type | +--rw acl-type acl-type | |||
| Figure 1 | Figure 1 | |||
| 4. ACL YANG Models | 4. ACL YANG Models | |||
| 4.1. IETF Access Contorl List module | 4.1. IETF Access Contorl List module | |||
| "ietf-access-control-list" is the standard top level module for | "ietf-access-control-list" is the standard top level module for | |||
| Access lists. The "access-lists" container stores a list of "acl". | access lists. The "access-lists" container stores a list of "acl". | |||
| Each "acl" has information identifying the access list by a | Each "acl" has information identifying the access list by a | |||
| name("acl-name") and a list("access-list-entries") of rules | name("acl-name") and a list("access-list-entries") of rules | |||
| associated with the "acl-name". Each of the entries in the | associated with the "acl-name". Each of the entries in the | |||
| list("access-list-entries"), indexed by the string "rule-name", has | list("access-list-entries"), indexed by the string "rule-name", has | |||
| containers defining "matches" and "actions". The "matches" define | containers defining "matches" and "actions". The "matches" define | |||
| criteria used to identify patterns in "ietf-packet-fields". The | criteria used to identify patterns in "ietf-packet-fields". The | |||
| "actions" define behavior to undertake once a "match" has been | "actions" define behavior to undertake once a "match" has been | |||
| identified. | identified. | |||
| <CODE BEGINS>file "ietf-access-control-list@2015-10-11.yang" | <CODE BEGINS>file "ietf-access-control-list@2015-12-08.yang" | |||
| module ietf-access-control-list { | module ietf-access-control-list { | |||
| yang-version 1; | yang-version 1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; | namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; | |||
| prefix acl; | prefix acl; | |||
| import ietf-yang-types { | import ietf-yang-types { | |||
| prefix yang; | prefix yang; | |||
| } | } | |||
| import ietf-packet-fields { | import ietf-packet-fields { | |||
| prefix packet-fields; | prefix packet-fields; | |||
| } | } | |||
| skipping to change at page 6, line 43 | skipping to change at page 6, line 43 | |||
| contact | contact | |||
| "WG Web: http://tools.ietf.org/wg/netmod/ | "WG Web: http://tools.ietf.org/wg/netmod/ | |||
| WG List: netmod@ietf.org | WG List: netmod@ietf.org | |||
| WG Chair: Juergen Schoenwaelder | WG Chair: Juergen Schoenwaelder | |||
| j.schoenwaelder@jacobs-university.de | j.schoenwaelder@jacobs-university.de | |||
| WG Chair: Tom Nadeau | WG Chair: Tom Nadeau | |||
| tnadeau@lucidvision.com | tnadeau@lucidvision.com | |||
| Editor: Dean Bogdanovic | Editor: Dean Bogdanovic | |||
| ivandean@gmail.com | ivandean@gmail.com | |||
| Editor: Kiran Agrahara Sreenivasa | Editor: Kiran Agrahara Sreenivasa | |||
| kkoushik@brocade.com | kkoushik@cisco.com | |||
| Editor: Lisa Huang | Editor: Lisa Huang | |||
| lyihuang@juniper.net | lyihuang@juniper.net | |||
| Editor: Dana Blair | Editor: Dana Blair | |||
| dblair@cisco.com"; | dblair@cisco.com"; | |||
| description | description | |||
| "This YANG module defines a component that describing the | "This YANG module defines a component that describing the | |||
| configuration of Access Control Lists (ACLs). | configuration of Access Control Lists (ACLs). | |||
| Copyright (c) 2015 IETF Trust and the persons identified as | Copyright (c) 2015 IETF Trust and the persons identified as | |||
| the document authors. All rights reserved. | the document authors. All rights reserved. | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD | to the license terms contained in, the Simplified BSD | |||
| License set forth in Section 4.c of the IETF Trust's Legal | License set forth in Section 4.c of the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC XXXX; see | This version of this YANG module is part of RFC XXXX; see | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| revision 2015-03-17 { | revision 2015-12-08 { | |||
| description | description | |||
| "Base model for Network Access Control List (ACL)."; | "Base model for Network Access Control List (ACL)."; | |||
| reference | reference | |||
| "RFC XXXX: Network Access Control List (ACL) | "RFC XXXX: Network Access Control List (ACL) | |||
| YANG Data Model"; | YANG Data Model"; | |||
| } | } | |||
| identity acl-base { | identity acl-base { | |||
| description | description | |||
| "Base Access Control List type for all Access Control List type | "Base Access Control List type for all Access Control List type | |||
| identifiers."; | identifiers."; | |||
| skipping to change at page 7, line 44 | skipping to change at page 7, line 44 | |||
| base acl:acl-base; | base acl:acl-base; | |||
| description | description | |||
| "ACL that primarily matches on fields from the IPv6 header | "ACL that primarily matches on fields from the IPv6 header | |||
| (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP | (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP | |||
| destination port). An acl of type ipv6-acl does not contain | destination port). An acl of type ipv6-acl does not contain | |||
| matches on fields in the ethernet header or the IPv4 header."; | matches on fields in the ethernet header or the IPv4 header."; | |||
| } | } | |||
| identity eth-acl { | identity eth-acl { | |||
| base acl:acl-base; | base acl:acl-base; | |||
| description | description | |||
| "ACL that primarily matches on fields in the ethernet header. | "ACL that primarily matches on fields in the ethernet header, | |||
| An acl of type eth-acl does not contain matches on fields in | like 10/100/1000baseT or WiFi Access Control List. An acl of | |||
| the IPv4 header, IPv6 header or layer 4 headers."; | type eth-acl does not contain matches on fields in the IPv4 | |||
| header, IPv6 header or layer 4 headers."; | ||||
| } | } | |||
| typedef acl-type { | typedef acl-type { | |||
| type identityref { | type identityref { | |||
| base acl-base; | base acl-base; | |||
| } | } | |||
| description | description | |||
| "This type is used to refer to an Access Control List | "This type is used to refer to an Access Control List | |||
| (ACL) type"; | (ACL) type"; | |||
| } | } | |||
| typedef access-control-list-ref { | typedef access-control-list-ref { | |||
| skipping to change at page 10, line 48 | skipping to change at page 10, line 49 | |||
| 4.2. IETF-PACKET-FIELDS module | 4.2. IETF-PACKET-FIELDS module | |||
| The packet fields module defines the necessary groups for matching on | The packet fields module defines the necessary groups for matching on | |||
| fields in the packet including ethernet, ipv4, ipv6, transport layer | fields in the packet including ethernet, ipv4, ipv6, transport layer | |||
| fields and metadata. Since the number of match criteria is very | fields and metadata. Since the number of match criteria is very | |||
| large, the base draft does not include these directly but references | large, the base draft does not include these directly but references | |||
| them by "uses" to keep the base module simple. In case more match | them by "uses" to keep the base module simple. In case more match | |||
| conditions are needed, those can be added by augmenting choices | conditions are needed, those can be added by augmenting choices | |||
| within container "matches" in ietf-access-control-list.yang model | within container "matches" in ietf-access-control-list.yang model | |||
| <CODE BEGINS>file "ietf-packet-fields@2015-06-11.yang" | <CODE BEGINS> | |||
| module ietf-packet-fields { | module ietf-packet-fields { | |||
| yang-version 1; | yang-version 1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; | namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; | |||
| prefix packet-fields; | prefix packet-fields; | |||
| import ietf-inet-types { | import ietf-inet-types { | |||
| prefix inet; | prefix inet; | |||
| } | } | |||
| import ietf-yang-types { | import ietf-yang-types { | |||
| prefix yang; | prefix yang; | |||
| } | } | |||
| skipping to change at page 11, line 23 | skipping to change at page 11, line 24 | |||
| contact | contact | |||
| "WG Web: http://tools.ietf.org/wg/netmod/ | "WG Web: http://tools.ietf.org/wg/netmod/ | |||
| WG List: netmod@ietf.org | WG List: netmod@ietf.org | |||
| WG Chair: Juergen Schoenwaelder | WG Chair: Juergen Schoenwaelder | |||
| j.schoenwaelder@jacobs-university.de | j.schoenwaelder@jacobs-university.de | |||
| WG Chair: Tom Nadeau | WG Chair: Tom Nadeau | |||
| tnadeau@lucidvision.com | tnadeau@lucidvision.com | |||
| Editor: Dean Bogdanovic | Editor: Dean Bogdanovic | |||
| deanb@juniper.net | deanb@juniper.net | |||
| Editor: Kiran Agrahara Sreenivasa | Editor: Kiran Agrahara Sreenivasa | |||
| kkoushik@brocade.com | kkoushik@cisco.com | |||
| Editor: Lisa Huang | Editor: Lisa Huang | |||
| lyihuang@juniper.net | lyihuang@juniper.net | |||
| Editor: Dana Blair | Editor: Dana Blair | |||
| dblair@cisco.com"; | dblair@cisco.com"; | |||
| description | description | |||
| "This YANG module defines groupings that are used by | "This YANG module defines groupings that are used by | |||
| ietf-access-control-list YANG module. Their usage is not | ietf-access-control-list YANG module. Their usage is not | |||
| limited to ietf-access-control-list and can be | limited to ietf-access-control-list and can be | |||
| used anywhere as applicable. | used anywhere as applicable. | |||
| Copyright (c) 2015 IETF Trust and the persons identified as | Copyright (c) 2015 IETF Trust and the persons identified as | |||
| the document authors. All rights reserved. | the document authors. All rights reserved. | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD | to the license terms contained in, the Simplified BSD | |||
| License set forth in Section 4.c of the IETF Trust's Legal | License set forth in Section 4.c of the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC XXXX; see | This version of this YANG module is part of RFC XXXX; see | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| revision 2015-06-11 { | revision 2015-12-08 { | |||
| description | description | |||
| "Initial version of packet fields used by | "Initial version of packet fields used by | |||
| ietf-access-control-list"; | ietf-access-control-list"; | |||
| reference | reference | |||
| "RFC XXXX: Network Access Control List (ACL) | "RFC XXXX: Network Access Control List (ACL) | |||
| YANG Data Model"; | YANG Data Model"; | |||
| } | } | |||
| grouping acl-transport-header-fields { | grouping acl-transport-header-fields { | |||
| description | description | |||
| "Transport header fields"; | "Transport header fields"; | |||
| skipping to change at page 12, line 18 | skipping to change at page 12, line 19 | |||
| description | description | |||
| "Inclusive range representing source ports to be used. | "Inclusive range representing source ports to be used. | |||
| When only lower-port is present, it represents a single port."; | When only lower-port is present, it represents a single port."; | |||
| leaf lower-port { | leaf lower-port { | |||
| type inet:port-number; | type inet:port-number; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Lower boundary for port."; | "Lower boundary for port."; | |||
| } | } | |||
| leaf upper-port { | leaf upper-port { | |||
| type inet:port-number; | ||||
| must ". >= ../lower-port" { | must ". >= ../lower-port" { | |||
| error-message | error-message | |||
| "The upper-port must be greater than or equal to lower-port"; | "The upper-port must be greater than or equal to lower-port"; | |||
| } | } | |||
| type inet:port-number; | ||||
| description | description | |||
| "Upper boundary for port . If existing, the upper port | "Upper boundary for port . If existing, the upper port | |||
| must be greater or equal to lower-port."; | must be greater or equal to lower-port."; | |||
| } | } | |||
| } | } | |||
| container destination-port-range { | container destination-port-range { | |||
| presence "Enables setting destination port range"; | presence "Enables setting destination port range"; | |||
| description | description | |||
| "Inclusive range representing destination ports to be used. When | "Inclusive range representing destination ports to be used. When | |||
| only lower-port is present, it represents a single port."; | only lower-port is present, it represents a single port."; | |||
| leaf lower-port { | leaf lower-port { | |||
| type inet:port-number; | type inet:port-number; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Lower boundary for port."; | "Lower boundary for port."; | |||
| } | } | |||
| leaf upper-port { | leaf upper-port { | |||
| must ". >= ../lower-port" { | ||||
| error-message | ||||
| "The upper-port must be greater than or equal to lower-port"; | ||||
| } | ||||
| type inet:port-number; | type inet:port-number; | |||
| must ". >= ../lower-port" { | ||||
| error-message | ||||
| "The upper-port must be greater than or equal to lower-port"; | ||||
| } | ||||
| description | description | |||
| "Upper boundary for port. If existing, the upper port must | "Upper boundary for port. If existing, the upper port must | |||
| be greater or equal to lower-port"; | be greater or equal to lower-port"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| grouping acl-ip-header-fields { | grouping acl-ip-header-fields { | |||
| description | description | |||
| "IP header fields common to ipv4 and ipv6"; | "IP header fields common to ipv4 and ipv6"; | |||
| leaf dscp { | leaf dscp { | |||
| type inet:dscp; | type inet:dscp; | |||
| description | description | |||
| "Value of dscp."; | "Value of dscp."; | |||
| } | } | |||
| leaf protocol { | leaf protocol { | |||
| skipping to change at page 14, line 34 | skipping to change at page 14, line 36 | |||
| } | } | |||
| leaf source-mac-address-mask { | leaf source-mac-address-mask { | |||
| type yang:mac-address; | type yang:mac-address; | |||
| description | description | |||
| "Source IEEE 802 MAC address mask."; | "Source IEEE 802 MAC address mask."; | |||
| } | } | |||
| reference | reference | |||
| "IEEE 802: IEEE Standard for Local and Metropolitan Area | "IEEE 802: IEEE Standard for Local and Metropolitan Area | |||
| Networks: Overview and Architecture."; | Networks: Overview and Architecture."; | |||
| } | } | |||
| grouping timerange { | ||||
| description | ||||
| "Time range contains time | ||||
| segments to allow access-control-list to be | ||||
| active/inactive when the system time | ||||
| is between the range."; | ||||
| container absolute-time { | ||||
| description | ||||
| "Absolute time and date that | ||||
| the associated function starts | ||||
| going into effect."; | ||||
| leaf start { | ||||
| type yang:date-and-time; | ||||
| description | ||||
| "Absolute start time and date"; | ||||
| } | ||||
| leaf end { | ||||
| type yang:date-and-time; | ||||
| description | ||||
| "Absolute end time and date"; | ||||
| } | ||||
| leaf active { | ||||
| type boolean; | ||||
| default "true"; | ||||
| description | ||||
| "This object indicates whether the | ||||
| the ACL will be active(true) or | ||||
| inactive(false) during this time range."; | ||||
| } | ||||
| } | ||||
| } | ||||
| grouping metadata { | grouping metadata { | |||
| description | description | |||
| "Fields associated with a packet whick are not in | "Fields associated with a packet whick are not in | |||
| the header."; | the header."; | |||
| leaf input-interface { | leaf input-interface { | |||
| type string; | type string; | |||
| description | description | |||
| "Packet was received on this interface."; | "Packet was received on this interface."; | |||
| } | } | |||
| uses timerange; | ||||
| } | } | |||
| } | } | |||
| <CODE ENDS> | <CODE ENDS> | |||
| 4.3. An ACL Example | 4.3. An ACL Example | |||
| Requirement: Deny All traffic from 10.10.10.1 bound for host | Requirement: Deny All traffic from 10.10.10.1 bound for host | |||
| 10.10.10.255 from leaving. | 10.10.10.255 from leaving. | |||
| In order to achieve the requirement, an name Access Control List is | In order to achieve the requirement, an name Access Control List is | |||
| needed. The acl and aces can be described in CLI as the following: | needed. The acl and aces can be described in CLI as the following: | |||
| access-list ip sample-ip-acl | access-list ip sample-ip-acl | |||
| deny tcp host 10.10.10.1 host 10.10.10.255 | deny tcp host 10.10.10.1 host 10.10.10.255 | |||
| skipping to change at page 16, line 28 | skipping to change at page 16, line 37 | |||
| </source-port-range> | </source-port-range> | |||
| <destination-port-range> | <destination-port-range> | |||
| <lower-port /> | <lower-port /> | |||
| <upper-port /> | <upper-port /> | |||
| </destination-port-range> | </destination-port-range> | |||
| <destination-mac-address /> | <destination-mac-address /> | |||
| <destination-mac-address-mask /> | <destination-mac-address-mask /> | |||
| <source-mac-address /> | <source-mac-address /> | |||
| <source-mac-address-mask /> | <source-mac-address-mask /> | |||
| <input-interface /> | <input-interface /> | |||
| <absolute-time> | ||||
| <start /> | ||||
| <end /> | ||||
| </absolute-time> | ||||
| </matches> | </matches> | |||
| <actions> | <actions> | |||
| <deny /> | <deny /> | |||
| <permit /> | <permit /> | |||
| </actions> | </actions> | |||
| <ace-oper-data> | <ace-oper-data> | |||
| <match-counter /> | <match-counter /> | |||
| </ace-oper-data> | </ace-oper-data> | |||
| <rule-name>rule1<rule-name/> | <rule-name>rule1<rule-name/> | |||
| </ace> | </ace> | |||
| skipping to change at page 20, line 48 | skipping to change at page 20, line 48 | |||
| prefixes. Much like ACLs, they include some match criteria and | prefixes. Much like ACLs, they include some match criteria and | |||
| corresponding match action(s). For that reason, it is very simple to | corresponding match action(s). For that reason, it is very simple to | |||
| extend existing ACL model with route filtering. The combination of a | extend existing ACL model with route filtering. The combination of a | |||
| route prefix and prefix length along with the type of match | route prefix and prefix length along with the type of match | |||
| determines how route filters are evaluated against incoming routes. | determines how route filters are evaluated against incoming routes. | |||
| Different vendors have different match types and in this model we are | Different vendors have different match types and in this model we are | |||
| using only ones that are common across all vendors participating in | using only ones that are common across all vendors participating in | |||
| this draft. As in this example, the base ACL model can be extended | this draft. As in this example, the base ACL model can be extended | |||
| with company proprietary extensions, described in the next section. | with company proprietary extensions, described in the next section. | |||
| file "ietf-example-ext-route-filter@2015-02-14.yang" | file "example-ext-route-filter@2015-12-08.yang" | |||
| module example-ext-route-filter { | ||||
| yang-version 1; | ||||
| namespace "urn:ietf:params:xml:ns:yang:example-ext-route-filter"; | ||||
| prefix example-ext-route-filter; | ||||
| import ietf-inet-types { | ||||
| prefix "inet"; | ||||
| } | ||||
| import ietf-access-control-list { | ||||
| prefix "ietf-acl"; | ||||
| } | ||||
| module ietf-example-ext-route-filter { | organization | |||
| yang-version 1; | "Route model group."; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-example-ext-route-filter"; | ||||
| prefix ietf-example-ext-route-filter; | ||||
| import ietf-inet-types { | ||||
| prefix "inet"; | ||||
| } | ||||
| import ietf-access-control-list { | ||||
| prefix "ietf-acl"; | ||||
| } | ||||
| organization | ||||
| "Route modele group."; | ||||
| contact | contact | |||
| "abc@abc.com"; | "abc@abc.com"; | |||
| description " | description " | |||
| This module describes route filter as a collection of | This module describes route filter as a collection of | |||
| match prefixes. When specifying a match prefix, you | match prefixes. When specifying a match prefix, you | |||
| can specify an exact match with a particular route or | can specify an exact match with a particular route or | |||
| a less precise match. You can configure either a | a less precise match. You can configure either a | |||
| common action that applies to the entire list or an | common action that applies to the entire list or an | |||
| action associated with each prefix. | action associated with each prefix. | |||
| "; | "; | |||
| revision 2015-05-03 { | revision 2015-12-08 { | |||
| description | description | |||
| "Creating Route-Filter extension model based on | "Creating Route-Filter extension model based on | |||
| ietf-access-control-list model"; | ietf-access-control-list model"; | |||
| reference " "; | reference " "; | |||
| } | } | |||
| augment "/ietf-acl:access-lists/ietf-acl:acl/ | augment "/ietf-acl:access-lists/ietf-acl:acl/" | |||
| ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches"{ | + "ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches"{ | |||
| description " | description " | |||
| This module augments the matches container in the ietf-acl | This module augments the matches container in the ietf-acl | |||
| module with route filter specific actions | module with route filter specific actions | |||
| "; | "; | |||
| choice route-prefix{ | choice route-prefix{ | |||
| description "Define route filter match criteria"; | description "Define route filter match criteria"; | |||
| case range { | case range { | |||
| description | description | |||
| " Route falls between the lower prefix/prefix-length | "Route falls between the lower prefix/prefix-length | |||
| and the upperprefix/prefix-length."; | and the upperprefix/prefix-length."; | |||
| choice ipv4-range { | choice ipv4-range { | |||
| description "Defines the IPv4 prefix range"; | description "Defines the IPv4 prefix range"; | |||
| leaf v4-lower-bound { | leaf v4-lower-bound { | |||
| type inet:ipv4-prefix; | type inet:ipv4-prefix; | |||
| description | description | |||
| "Defines the lower IPv4 prefix/prefix length"; | "Defines the lower IPv4 prefix/prefix length"; | |||
| } | } | |||
| leaf v4-upper-bound { | leaf v4-upper-bound { | |||
| type inet:ipv4-prefix; | type inet:ipv4-prefix; | |||
| description | description | |||
| "Defines the upper IPv4 prefix/prefix length"; | "Defines the upper IPv4 prefix/prefix length"; | |||
| } | } | |||
| } | } | |||
| choice ipv6-range { | choice ipv6-range { | |||
| description "Defines the IPv6 prefix/prefix range"; | description "Defines the IPv6 prefix/prefix range"; | |||
| leaf v6-lower-bound { | leaf v6-lower-bound { | |||
| type inet:ipv6-prefix; | type inet:ipv6-prefix; | |||
| description | description | |||
| "Defines the lower IPv6 prefix/prefix length"; | "Defines the lower IPv6 prefix/prefix length"; | |||
| } | } | |||
| leaf v6-upper-bound { | leaf v6-upper-bound { | |||
| type inet:ipv6-prefix; | type inet:ipv6-prefix; | |||
| description | description | |||
| "Defines the upper IPv6 prefix/prefix length"; | "Defines the upper IPv6 prefix/prefix length"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| A.2. A company proprietary module example | A.2. A company proprietary module example | |||
| Module "example-newco-acl" is an example of company proprietary model | Module "example-newco-acl" is an example of company proprietary model | |||
| that augments "ietf-acl" module. It shows how to use 'augment' with | that augments "ietf-acl" module. It shows how to use 'augment' with | |||
| an XPath expression to add additional match criteria, action | an XPath expression to add additional match criteria, action | |||
| criteria, and default actions when no ACE matches found. All these | criteria, and default actions when no ACE matches found. All these | |||
| are company proprietary extensions or system feature extensions. | are company proprietary extensions or system feature extensions. | |||
| "example-newco-acl" is just an example and it is expected from | "example-newco-acl" is just an example and it is expected from | |||
| vendors to create their own proprietary models. | vendors to create their own proprietary models. | |||
| The following figure is the tree structure of example-newco-acl. In | The following figure is the tree structure of example-newco-acl. In | |||
| this example, /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access- | this example, /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access- | |||
| list-entries/ ietf-acl:ace/ietf-acl:matches are augmented with a new | list-entries/ ietf-acl:ace/ietf-acl:matches are augmented with a new | |||
| choice, protocol-payload-choice. The protocol-payload-choice uses a | choice, protocol-payload-choice. The protocol-payload-choice uses a | |||
| grouping with an enumeration of all supported protocol values. In | grouping with an enumeration of all supported protocol values. In | |||
| other example, /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access- | other example, /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access- | |||
| list-entries/ ietf-acl:ace/ietf-acl:actions are augmented with new | list-entries/ ietf-acl:ace/ietf-acl:actions are augmented with new | |||
| choice of actions. | choice of actions. | |||
| module: example-newco-acl | module: example-newco-acl | |||
| augment /ietf-acl:access-lists/ietf-acl:acl/ | augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ | |||
| ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches: | ietf-acl:ace/ietf-acl:matches: | |||
| +--rw (protocol-payload-choice)? | +--rw (protocol-payload-choice)? | |||
| +--:(protocol-payload) | +--:(protocol-payload) | |||
| +--rw protocol-payload* [value-keyword] | +--rw protocol-payload* [value-keyword] | |||
| +--rw value-keyword enumeration | +--rw value-keyword enumeration | |||
| augment /ietf-acl:access-lists/ietf-acl:acl/ | augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ | |||
| ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:actions: | ietf-acl:ace/ietf-acl:actions: | |||
| +--rw (action)? | +--rw (action)? | |||
| +--:(count) | +--:(count) | |||
| | +--rw count? string | | +--rw count? string | |||
| +--:(policer) | +--:(policer) | |||
| | +--rw policer? string | | +--rw policer? string | |||
| +--:(hiearchical-policer) | +--:(hiearchical-policer) | |||
| +--rw hierarchitacl-policer? string | +--rw hierarchitacl-policer? string | |||
| augment /ietf-acl:access-lists/ietf-acl:acl: | augment /ietf-acl:access-lists/ietf-acl:acl: | |||
| +--rw default-actions | +--rw default-actions | |||
| +--rw deny? empty | +--rw deny? empty | |||
| file "newco-acl@2015-03-04.yang" | ||||
| file "newco-acl@2015-12-08.yang" | ||||
| module example-newco-acl { | module example-newco-acl { | |||
| yang-version 1; | yang-version 1; | |||
| namespace "urn:newco:params:xml:ns:yang:example-newco-acl"; | namespace "urn:newco:params:xml:ns:yang:example-newco-acl"; | |||
| prefix example-newco-acl; | prefix example-newco-acl; | |||
| import ietf-acl { | import ietf-access-control-list { | |||
| prefix "ietf-acl"; | prefix "ietf-acl"; | |||
| } | } | |||
| revision 2015-05-03{ | organization | |||
| description "Creating NewCo proprietary extensions to ietf-acl model"; | "Newco model group."; | |||
| } | ||||
| augment "/ietf-acl:access-lists/ietf-acl:access-list | contact | |||
| /ietf-acl:access-list-entries/ | "abc@newco.com"; | |||
| ietf-acl:access-list-entry/ietf-acl:matches" { | description | |||
| "This YANG module augment IETF ACL Yang."; | ||||
| revision 2015-12-08{ | ||||
| description | ||||
| "Creating NewCo proprietary extensions to ietf-acl model"; | ||||
| reference | ||||
| "RFC XXXX: Network Access Control List (ACL) | ||||
| YANG Data Model"; | ||||
| } | ||||
| augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches" { | ||||
| description "Newco proprietary simple filter matches"; | description "Newco proprietary simple filter matches"; | |||
| choice protocol-payload-choice { | choice protocol-payload-choice { | |||
| description ""; | ||||
| list protocol-payload { | list protocol-payload { | |||
| key value-keyword; | key value-keyword; | |||
| ordered-by user; | ordered-by user; | |||
| description "Match protocol payload"; | description "Match protocol payload"; | |||
| uses match-simple-payload-protocol-value; | uses match-simple-payload-protocol-value; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| augment "/ietf-acl:access-lists/ietf-acl:access-list/ | augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:actions" { | |||
| ietf-acl:access-list-entries/ietf-acl:access-list-entry/ | ||||
| ietf-acl:actions" { | ||||
| description "Newco proprietary simple filter actions"; | description "Newco proprietary simple filter actions"; | |||
| choice action { | choice action { | |||
| description ""; | ||||
| case count { | case count { | |||
| description "Count the packet in the named counter"; | description "Count the packet in the named counter"; | |||
| leaf count { | leaf count { | |||
| type string; | type string; | |||
| description ""; | ||||
| } | } | |||
| } | } | |||
| case policer { | case policer { | |||
| description "Name of policer to use to rate-limit traffic"; | description "Name of policer to use to rate-limit traffic"; | |||
| leaf policer { | leaf policer { | |||
| type string; | type string; | |||
| description ""; | ||||
| } | } | |||
| } | } | |||
| case hiearchical-policer { | case hiearchical-policer { | |||
| description "Name of hierarchical policer to use to | description "Name of hierarchical policer to use to | |||
| rate-limit traffic"; | rate-limit traffic"; | |||
| leaf hierarchitacl-policer{ | leaf hierarchitacl-policer{ | |||
| type string; | type string; | |||
| description ""; | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| augment "/ietf-acl:access-lists/ietf-acl:access-list" { | augment "/ietf-acl:access-lists/ietf-acl:acl" { | |||
| description "Newco proprietary default action"; | ||||
| container default-actions { | container default-actions { | |||
| description "Actions that occur if no access-list entry is matched."; | description | |||
| "Actions that occur if no access-list entry is matched."; | ||||
| leaf deny { | leaf deny { | |||
| type empty; | type empty; | |||
| description ""; | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| grouping match-simple-payload-protocol-value { | grouping match-simple-payload-protocol-value { | |||
| description "Newco proprietary payload"; | ||||
| leaf value-keyword { | leaf value-keyword { | |||
| description "(null)"; | ||||
| type enumeration { | type enumeration { | |||
| enum icmp { | enum icmp { | |||
| description "Internet Control Message Protocol"; | description "Internet Control Message Protocol"; | |||
| } | } | |||
| enum icmp6 { | enum icmp6 { | |||
| description "Internet Control Message Protocol Version 6"; | description "Internet Control Message Protocol Version 6"; | |||
| } | } | |||
| enum range { | enum range { | |||
| description "Range of values"; | description "Range of values"; | |||
| } | } | |||
| } | } | |||
| description "(null)"; | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| Draft authors expect that different vendors will provide their own | Draft authors expect that different vendors will provide their own | |||
| yang models as in the example above, which is the augmentation of the | yang models as in the example above, which is the augmentation of the | |||
| base model | base model | |||
| A.3. Attaching Access Control List to interfaces | A.3. Attaching Access Control List to interfaces | |||
| skipping to change at page 27, line 38 | skipping to change at page 27, line 38 | |||
| layer 4 header fields may also exist in the list."; | layer 4 header fields may also exist in the list."; | |||
| } | } | |||
| Authors' Addresses | Authors' Addresses | |||
| Dean Bogdanovic | Dean Bogdanovic | |||
| Email: ivandean@gmail.com | Email: ivandean@gmail.com | |||
| Kiran Agrahara Sreenivasa | Kiran Agrahara Sreenivasa | |||
| Brocade Communications System | Cisco Systems | |||
| Email: kkoushik@brocade.com | Email: kkoushik@cisco.com | |||
| Lisa Huang | Lisa Huang | |||
| Juniper Networks | Juniper Networks | |||
| Email: lyihuang@juniper.net | Email: lyihuang@juniper.net | |||
| Dana Blair | Dana Blair | |||
| Cisco Systems | Cisco Systems | |||
| Email: dblair@cisco.com | Email: dblair@cisco.com | |||
| End of changes. 52 change blocks. | ||||
| 175 lines changed or deleted | 150 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||