| draft-ietf-netmod-acl-model-09.txt | draft-ietf-netmod-acl-model-10.txt | |||
|---|---|---|---|---|
| NETMOD WG D. Bogdanovic | NETMOD WG D. Bogdanovic | |||
| Internet-Draft Volta Networks | Internet-Draft Volta Networks | |||
| Intended status: Standards Track K. Sreenivasa | Intended status: Standards Track K. Sreenivasa | |||
| Expires: April 15, 2017 Cisco Systems | Expires: September 14, 2017 Cisco Systems | |||
| L. Huang | L. Huang | |||
| General Electric | General Electric | |||
| D. Blair | D. Blair | |||
| Cisco Systems | Cisco Systems | |||
| October 12, 2016 | March 13, 2017 | |||
| Network Access Control List (ACL) YANG Data Model | Network Access Control List (ACL) YANG Data Model | |||
| draft-ietf-netmod-acl-model-09 | draft-ietf-netmod-acl-model-10 | |||
| Abstract | Abstract | |||
| This document describes a data model of Access Control List (ACL) | This document describes a data model of Access Control List (ACL) | |||
| basic building blocks. | basic building blocks. | |||
| Editorial Note (To be removed by RFC Editor) | Editorial Note (To be removed by RFC Editor) | |||
| This draft contains many placeholder values that need to be replaced | This draft contains many placeholder values that need to be replaced | |||
| with finalized values at the time of publication. This note | with finalized values at the time of publication. This note | |||
| skipping to change at page 2, line 7 ¶ | skipping to change at page 2, line 7 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 15, 2017. | This Internet-Draft will expire on September 14, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 45 ¶ | skipping to change at page 2, line 45 ¶ | |||
| 4.4. Port Range Usage Example . . . . . . . . . . . . . . . . 16 | 4.4. Port Range Usage Example . . . . . . . . . . . . . . . . 16 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 19 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 19 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 19 | 8.2. Informative References . . . . . . . . . . . . . . . . . 19 | |||
| Appendix A. Extending ACL model examples . . . . . . . . . . . . 20 | Appendix A. Extending ACL model examples . . . . . . . . . . . . 20 | |||
| A.1. Example of extending existing model for route filtering . 20 | A.1. Example of extending existing model for route filtering . 20 | |||
| A.2. A company proprietary module example . . . . . . . . . . 22 | A.2. A company proprietary module example . . . . . . . . . . 22 | |||
| A.3. Example to augment model with mixed ACL type . . . . . . 27 | A.3. Example to augment model with mixed ACL type . . . . . . 30 | |||
| A.4. Linux nftables . . . . . . . . . . . . . . . . . . . . . 28 | A.4. Linux nftables . . . . . . . . . . . . . . . . . . . . . 30 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 1. Introduction | 1. Introduction | |||
| Access Control List (ACL) is one of the basic elements to configure | Access Control List (ACL) is one of the basic elements to configure | |||
| device forwarding behavior. It is used in many networking concepts | device forwarding behavior. It is used in many networking concepts | |||
| such as Policy Based Routing, Firewalls etc. | such as Policy Based Routing, Firewalls etc. | |||
| An ACL is an ordered set of rules that is used to filter traffic on a | An ACL is an ordered set of rules that is used to filter traffic on a | |||
| networking device. Each rule is represented by an Access Control | networking device. Each rule is represented by an Access Control | |||
| Entry (ACE). | Entry (ACE). | |||
| skipping to change at page 23, line 7 ¶ | skipping to change at page 23, line 7 ¶ | |||
| new choices, protocol-payload-choice and metadata. The protocol- | new choices, protocol-payload-choice and metadata. The protocol- | |||
| payload-choice uses a grouping with an enumeration of all supported | payload-choice uses a grouping with an enumeration of all supported | |||
| protocol values. Metadata matches apply to fields associated with | protocol values. Metadata matches apply to fields associated with | |||
| the packet but not in the packet header such as input interface or | the packet but not in the packet header such as input interface or | |||
| overall packet length. In other example, /ietf-acl:access-lists/ | overall packet length. In other example, /ietf-acl:access-lists/ | |||
| ietf-acl:acl/ietf-acl:access-list-entries/ ietf-acl:ace/ietf- | ietf-acl:acl/ietf-acl:access-list-entries/ ietf-acl:ace/ietf- | |||
| acl:actions are augmented with new choice of actions. | acl:actions are augmented with new choice of actions. | |||
| module: example-newco-acl | module: example-newco-acl | |||
| augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches: | augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches: | |||
| +--rw vlan-tagged? uint16 | ||||
| +--rw mpls-unicast? uint16 | ||||
| +--rw mpls-multicast? uint16 | ||||
| +--rw ipv4? uint16 | ||||
| +--rw ipv6? uint16 | ||||
| augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches: | ||||
| +--rw ipv4-ttl? uint8 | ||||
| +--rw ipv4-len? uint16 | ||||
| +--rw ipv4-ihl? uint8 | ||||
| +--rw ipv4-id? uint16 | ||||
| +--rw ipv4-flags? ipv4-flags-type | ||||
| +--rw ipv4-offset? uint16 | ||||
| augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches: | ||||
| +--rw (protocol-payload-choice)? | +--rw (protocol-payload-choice)? | |||
| | +--:(protocol-payload) | | +--:(protocol-payload) | |||
| | +--rw protocol-payload* [value-keyword] | | +--rw protocol-payload* [value-keyword] | |||
| | +--rw value-keyword enumeration | | +--rw value-keyword enumeration | |||
| +--rw (metadata)? | +--rw (metadata)? | |||
| +--:(interface-name) | +--:(interface-name) | |||
| +--rw interface-name* [input-interface] | +--rw interface-name* [input-interface] | |||
| +--rw input-interface ietf-if:interface-ref | +--rw input-interface ietf-if:interface-ref | |||
| augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:actions: | augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:actions: | |||
| +--rw (action)? | +--rw (action)? | |||
| skipping to change at page 23, line 41 ¶ | skipping to change at page 24, line 5 ¶ | |||
| +--:(in) | +--:(in) | |||
| | +--rw in? empty | | +--rw in? empty | |||
| +--:(out) | +--:(out) | |||
| +--rw out? empty | +--rw out? empty | |||
| augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-oper-data: | augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-oper-data: | |||
| +--ro targets | +--ro targets | |||
| +--ro (interface)? | +--ro (interface)? | |||
| +--:(interface-name) | +--:(interface-name) | |||
| +--ro interface-name* ietf-if:interface-ref | +--ro interface-name* ietf-if:interface-ref | |||
| file "newco-acl@2016-10-12.yang" | ||||
| module example-newco-acl { | module example-newco-acl { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:newco:params:xml:ns:yang:example-newco-acl"; | namespace "urn:newco:params:xml:ns:yang:example-newco-acl"; | |||
| prefix example-newco-acl; | prefix example-newco-acl; | |||
| import ietf-access-control-list { | import ietf-access-control-list { | |||
| prefix "ietf-acl"; | prefix "ietf-acl"; | |||
| skipping to change at page 24, line 31 ¶ | skipping to change at page 24, line 41 ¶ | |||
| "This YANG module augment IETF ACL Yang."; | "This YANG module augment IETF ACL Yang."; | |||
| revision 2016-10-12{ | revision 2016-10-12{ | |||
| description | description | |||
| "Creating NewCo proprietary extensions to ietf-acl model"; | "Creating NewCo proprietary extensions to ietf-acl model"; | |||
| reference | reference | |||
| "RFC XXXX: Network Access Control List (ACL) | "RFC XXXX: Network Access Control List (ACL) | |||
| YANG Data Model"; | YANG Data Model"; | |||
| } | } | |||
| typedef known-ether-type { | ||||
| type enumeration { | ||||
| enum "ipv4" { | ||||
| value 2048; // 0x0800 | ||||
| description "Internet Protocol version 4 (IPv4)"; | ||||
| } | ||||
| enum "vlan-tagged" { | ||||
| value 33024; // 0x8100 | ||||
| description "VLAN-tagged frame (IEEE 802.1Q) & Shortest Path Bridging IEEE 802.1aq[4]"; | ||||
| } | ||||
| enum "ipv6" { | ||||
| value 34525; // 0x86DD | ||||
| description "Internet Protocol Version 6 (IPv6)"; | ||||
| } | ||||
| enum "mpls-unicast" { | ||||
| value 34887; // 0x8847 | ||||
| description "MPLS unicast"; | ||||
| } | ||||
| enum "mpls-multicast" { | ||||
| value 34888; // 0x8848 | ||||
| description "MPLS multicast"; | ||||
| } | ||||
| } | ||||
| description "Listing supported Ethertypes"; | ||||
| } | ||||
| typedef ipv4-flags-type { | ||||
| type bits { | ||||
| bit ipv4-reserved { | ||||
| position 0; | ||||
| description "reserved bit"; | ||||
| } | ||||
| bit ipv4-DF { | ||||
| position 1; | ||||
| description "DF bit"; | ||||
| } | ||||
| bit ipv4-MF { | ||||
| position 2; | ||||
| description "MF bit"; | ||||
| } | ||||
| } | ||||
| description "IPv4 flag types"; | ||||
| } | ||||
| augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches" { | ||||
| when "ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-type = 'ace-eth'"; | ||||
| description "additional MAC header matching"; | ||||
| leaf vlan-tagged { | ||||
| type uint16; | ||||
| description "Ethernet frame with VLAN tag"; | ||||
| } | ||||
| leaf mpls-unicast { | ||||
| type uint16; | ||||
| description "Ethernet frame with MPLS unicast payload"; | ||||
| } | ||||
| leaf mpls-multicast { | ||||
| type uint16; | ||||
| description "Ethernet frame with MPLS multicast payload"; | ||||
| } | ||||
| leaf ipv4 { | ||||
| type uint16; | ||||
| description "Ethernet frame with IPv4 unicast payload"; | ||||
| } | ||||
| leaf ipv6 { | ||||
| type uint16; | ||||
| description "Ethernet frame with IPv4 unicast payload"; | ||||
| } | ||||
| } | ||||
| augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches" { | augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches" { | |||
| when "ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-type = 'ipv4-acl'"; | ||||
| description "additional IP header information"; | ||||
| leaf ipv4-ttl { | ||||
| type uint8; | ||||
| description "time to live of a given packet as defined in RFC791"; | ||||
| } | ||||
| leaf ipv4-len { | ||||
| type uint16; | ||||
| description "total packet length as defined in RFC791"; | ||||
| } | ||||
| leaf ipv4-ihl { | ||||
| type uint8 { | ||||
| range 0..15; | ||||
| } | ||||
| description "Internet Header Length in 32 bit words (see RFC791). Note | ||||
| that while the minimum value for this field in a packet is | ||||
| 5, we leave open the possibility here that the packet has | ||||
| been corrupted."; | ||||
| } | ||||
| leaf ipv4-id { | ||||
| type uint16; | ||||
| description "Identification as decribed in RFC791"; | ||||
| } | ||||
| leaf ipv4-flags { | ||||
| type ipv4-flags-type; | ||||
| description "IPv4 flags as defined in RFC791"; | ||||
| } | ||||
| leaf ipv4-offset { | ||||
| type uint16 { | ||||
| range 0..8191; | ||||
| } | ||||
| description "Matches on the packet fragment offset"; | ||||
| } | ||||
| } | ||||
| augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches" { | ||||
| description "Newco proprietary simple filter matches"; | description "Newco proprietary simple filter matches"; | |||
| choice protocol-payload-choice { | choice protocol-payload-choice { | |||
| description "Newo proprietary payload match condition"; | description "Newo proprietary payload match condition"; | |||
| list protocol-payload { | list protocol-payload { | |||
| key value-keyword; | key value-keyword; | |||
| ordered-by user; | ordered-by user; | |||
| description "Match protocol payload"; | description "Match protocol payload"; | |||
| uses match-simple-payload-protocol-value; | uses match-simple-payload-protocol-value; | |||
| } | } | |||
| } | } | |||
| skipping to change at page 26, line 46 ¶ | skipping to change at page 29, line 31 ¶ | |||
| description "Access Control List name."; | description "Access Control List name."; | |||
| } | } | |||
| leaf match-counter { | leaf match-counter { | |||
| type yang:counter64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total match count for Access Control | "Total match count for Access Control | |||
| List on this interface"; | List on this interface"; | |||
| } | } | |||
| choice direction { | choice direction { | |||
| leaf in { type empty;} | description "Applying ACL in which traffic direction"; | |||
| leaf out { type empty;} | leaf in { | |||
| type empty; | ||||
| description "Inbound traffic"; | ||||
| } | ||||
| leaf out { | ||||
| type empty; | ||||
| description "Outbound traffic"; | ||||
| } | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-oper-data" { | augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-oper-data" { | |||
| description | description | |||
| "This is an example on how to apply acl to a target to collect | "This is an example on how to apply acl to a target to collect | |||
| operational data"; | operational data"; | |||
| container targets{ | container targets{ | |||
| description "To which object is the ACL attached to"; | ||||
| choice interface{ | choice interface{ | |||
| description "Access Control List was attached to this interface"; | ||||
| leaf-list interface-name{ | leaf-list interface-name{ | |||
| type ietf-if:interface-ref { | type ietf-if:interface-ref { | |||
| require-instance true; | require-instance true; | |||
| } | } | |||
| description "Access Control List was attached to this interface"; | description "Attached to this interface name"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| Draft authors expect that different vendors will provide their own | Draft authors expect that different vendors will provide their own | |||
| yang models as in the example above, which is the augmentation of the | yang models as in the example above, which is the augmentation of the | |||
| base model | base model | |||
| End of changes. 14 change blocks. | ||||
| 12 lines changed or deleted | 150 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||