--- 1/draft-ietf-netmod-acl-model-12.txt 2017-09-12 10:13:11.237548642 -0700 +++ 2/draft-ietf-netmod-acl-model-13.txt 2017-09-12 10:13:11.313550474 -0700 @@ -1,23 +1,23 @@ NETMOD WG M. Jethanandani Internet-Draft Cisco Systems, Inc Intended status: Standards Track L. Huang -Expires: March 5, 2018 General Electric +Expires: March 16, 2018 General Electric S. Agarwal Cisco Systems, Inc. D. Blair Cisco Systems, INc - September 1, 2017 + September 12, 2017 Network Access Control List (ACL) YANG Data Model - draft-ietf-netmod-acl-model-12 + draft-ietf-netmod-acl-model-13 Abstract This document describes a data model of Access Control List (ACL) basic building blocks. Editorial Note (To be removed by RFC Editor) This draft contains many placeholder values that need to be replaced with finalized values at the time of publication. This note @@ -43,21 +43,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on March 5, 2018. + This Internet-Draft will expire on March 16, 2018. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -242,21 +242,21 @@ | | +--rw length? uint16 | | +--rw ttl? uint8 | | +--rw protocol? uint8 | | +--rw source-port-range! | | | +--rw lower-port inet:port-number | | | +--rw upper-port? inet:port-number | | | +--rw operation? operator | | +--rw destination-port-range! | | | +--rw lower-port inet:port-number | | | +--rw upper-port? inet:port-number - | | | +--rw opearations? operator + | | | +--rw operations? operator | | +--rw ihl? uint8 | | +--rw flags? bits | | +--rw offset? uint16 | | +--rw identification? uint16 | | +--rw destination-ipv4-network? inet:ipv4-prefi x | | +--rw source-ipv4-network? inet:ipv4-prefi x | +--rw ipv6-acl {ipv6-acl}? | | +--rw dscp? inet:dscp @@ -264,21 +264,21 @@ | | +--rw length? uint16 | | +--rw ttl? uint8 | | +--rw protocol? uint8 | | +--rw source-port-range! | | | +--rw lower-port inet:port-number | | | +--rw upper-port? inet:port-number | | | +--rw operation? operator | | +--rw destination-port-range! | | | +--rw lower-port inet:port-number | | | +--rw upper-port? inet:port-number - | | | +--rw opearations? operator + | | | +--rw operations? operator | | +--rw next-header? uint8 | | +--rw destination-ipv6-network? inet:ipv6-prefi x | | +--rw source-ipv6-network? inet:ipv6-prefi x | | +--rw flow-label? inet:ipv6-flow- label | +--rw l2-l3-ipv4-acl {mixed-ipv4-acl}? | | +--rw destination-mac-address? yang:mac-ad dress 
@@ -295,21 +295,21 @@ | | +--rw length? uint16 | | +--rw ttl? uint8 | | +--rw protocol? uint8 | | +--rw source-port-range! | | | +--rw lower-port inet:port-number | | | +--rw upper-port? inet:port-number | | | +--rw operation? operator | | +--rw destination-port-range! | | | +--rw lower-port inet:port-number | | | +--rw upper-port? inet:port-number - | | | +--rw opearations? operator + | | | +--rw operations? operator | | +--rw ihl? uint8 | | +--rw flags? bits | | +--rw offset? uint16 | | +--rw identification? uint16 | | +--rw destination-ipv4-network? inet:ipv4-p refix | | +--rw source-ipv4-network? inet:ipv4-p refix | +--rw l2-l3-ipv6-acl {mixed-ipv6-acl}? | | +--rw destination-mac-address? yang:mac-ad @@ -326,21 +326,21 @@ | | +--rw length? uint16 | | +--rw ttl? uint8 | | +--rw protocol? uint8 | | +--rw source-port-range! | | | +--rw lower-port inet:port-number | | | +--rw upper-port? inet:port-number | | | +--rw operation? operator | | +--rw destination-port-range! | | | +--rw lower-port inet:port-number | | | +--rw upper-port? inet:port-number - | | | +--rw opearations? operator + | | | +--rw operations? operator | | +--rw next-header? uint8 | | +--rw destination-ipv6-network? inet:ipv6-p refix | | +--rw source-ipv6-network? inet:ipv6-p refix | | +--rw flow-label? | | inet:ipv6-flow-label | +--rw l2-l3-ipv4-ipv6-acl {l2-l3-ipv4-ipv6-acl}? | | +--rw destination-mac-address? yang:mac-ad dress 
@@ -356,21 +356,21 @@ | | +--rw length? uint16 | | +--rw ttl? uint8 | | +--rw protocol? uint8 | | +--rw source-port-range! | | | +--rw lower-port inet:port-number | | | +--rw upper-port? inet:port-number | | | +--rw operation? operator | | +--rw destination-port-range! | | | +--rw lower-port inet:port-number | | | +--rw upper-port? inet:port-number - | | | +--rw opearations? operator + | | | +--rw operations? operator | | +--rw ihl? uint8 | | +--rw flags? bits | | +--rw offset? uint16 | | +--rw identification? uint16 | | +--rw destination-ipv4-network? inet:ipv4-p refix | | +--rw source-ipv4-network? inet:ipv4-p refix | | +--rw next-header? uint8 | | +--rw destination-ipv6-network? inet:ipv6-p @@ -417,21 +417,21 @@ associated with the "acl-name". Each of the entries in the list("access-list-entries"), indexed by the string "rule-name", has containers defining "matches" and "actions". The "matches" define criteria used to identify patterns in "ietf- packet-fields". The "actions" define behavior to undertake once a "match" has been identified. In addition to permit and deny for actions, a logging option allows for a match to be logged that can be used to determine which rule was matched upon. - file "ietf-access-control-list@2017-09-01.yang" + file "ietf-access-control-list@2017-09-12.yang" module ietf-access-control-list { namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; prefix acl; import ietf-yang-types { prefix yang; } import ietf-packet-fields { 
@@ -468,21 +468,21 @@ Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; - revision 2017-09-01 { + revision 2017-09-12 { description "Added feature and identity statements for different types of rule matches. Split the matching rules based on the feature statement and added a must statement within each container."; reference "RFC XXX: Network Access Control List (ACL) YANG Data Model."; } /* @@ -851,21 +851,21 @@ get included for any given ACL with the exception of TCP, UDP and ICMP header fields. Those fields can be used in conjunction with any of the above layer 2 or layer 3 fields. Since the number of match criteria is very large, the base draft does not include these directly but references them by "uses" to keep the base module simple. In case more match conditions are needed, those can be added by augmenting choices within container "matches" in ietf-access-control-list.yang model. - file "ietf-packet-fields@2017-09-01.yang" + file "ietf-packet-fields@2017-09-12.yang" module ietf-packet-fields { namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; prefix packet-fields; import ietf-inet-types { prefix inet; } import ietf-yang-types { prefix yang; 
@@ -898,21 +898,21 @@ Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; - revision 2017-09-01 { + revision 2017-09-12 { description "Added header fields for TCP, UDP, and ICMP."; reference "RFC XXX: Network Access Control List (ACL) YANG Data Model."; } /* * Typedefs */ typedef operator { @@ -969,21 +969,21 @@ error-message "The upper-port must be greater than or equal to lower-port"; } description "Upper boundary for port. If it exists, the upper port must be greater or equal to lower-port."; } leaf operation { type operator; - must "(lower-port and not(upper-port))" { + must "(../lower-port and not(../upper-port))" { error-message "If lower-port is specified, and an operator is also specified, then upper-port should not be specified."; description "If lower-port is specified, and an operator is also specified, then upper-port should not be specified."; } default eq; description "Operator to be applied on the lower-port."; 
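Review bot: The corrected `must "(../lower-port and not(../upper-port))"` on `leaf operation` now addresses the sibling leaves, but the leaf also carries `default eq`, and RFC 7950 §6.4.1 says leafs whose default is in use exist in the XPath accessible tree; if a validator applies the leaf's own `must` in that case, every port range that sets both `lower-port` and `upper-port` would be rejected even though `operation` was never configured. A safer shape is to make the two forms structural rather than XPath-checked, e.g. a `choice` with one case holding `lower-port`/`upper-port` and the other holding the operator and a single port, or at least to drop the default so the constraint only fires when an operator is explicitly set. The error-message also says "should not" for what is a hard validation failure; `error-message "If an operator is specified, upper-port must not be specified.";` states the rule as enforced. The enclosing port-range container starts before and ends after this hunk.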
@@ -1012,23 +1012,23 @@ type inet:port-number; must ". >= ../lower-port" { error-message "The upper-port must be greater than or equal to lower-port"; } description "Upper boundary for port. If existing, the upper port must be greater or equal to lower-port"; } - leaf opearations { + leaf operations { type operator; - must "(lower-port and not(upper-port))" { + must "(../lower-port and not(../upper-port))" { error-message "If lower-port is specified, and an operator is also specified, then upper-port should not be specified."; description "If lower-port is specified, and an operator is also specified, then upper-port should not be specified."; } default eq; description "Operator to be applied on the lower-port."; @@ -1681,21 +1681,21 @@ | +--:(v4-lower-bound) | | +--rw v4-lower-bound? inet:ipv4-prefix | +--:(v4-upper-bound) | +--rw v4-upper-bound? inet:ipv4-prefix +--rw (ipv6-range)? +--:(v6-lower-bound) | +--rw v6-lower-bound? inet:ipv6-prefix +--:(v6-upper-bound) +--rw v6-upper-bound? inet:ipv6-prefix - file "example-ext-route-filter@2017-09-01.yang" + file "example-ext-route-filter@2017-09-12.yang" module example-ext-route-filter { namespace "urn:ietf:params:xml:ns:yang:example-ext-route-filter"; prefix example-ext-route-filter; import ietf-inet-types { prefix "inet"; } import ietf-access-control-list { prefix "ietf-acl"; } 
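Review bot: After this rename the destination-port-range leaf is `operations` while the source-port-range leaf is `operation` (see the tree at hunks -242/-264 and the -969 hunk), so a client must use two spellings for the same match semantic even though both leafs carry the identical description "Operator to be applied on the lower-port."; `leaf operation {` here would make the two groupings symmetric, and since this revision already renames the node there is no additional compatibility cost. Because the -12 to -13 change alters a node name that implementers tracking -12 may have coded against, the revision statement's description should mention the renamed leaf rather than only the split of match rules. The enclosing grouping starts before this hunk.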
@@ -1707,21 +1707,21 @@ "abc@abc.com"; description " This module describes route filter as a collection of match prefixes. When specifying a match prefix, you can specify an exact match with a particular route or a less precise match. You can configure either a common action that applies to the entire list or an action associated with each prefix. "; - revision 2017-09-01 { + revision 2017-09-12 { description "Creating Route-Filter extension model based on ietf-access-control-list model"; reference "Example route filter"; } augment "/ietf-acl:access-lists/ietf-acl:acl/" + "ietf-acl:aces/ietf-acl:ace/ietf-acl:matches" { description " This module augments the matches container in the ietf-acl @@ -1858,21 +1858,21 @@ } organization "Newco model group."; contact "abc@newco.com"; description "This YANG module augments IETF ACL Yang."; - revision 2017-09-01 { + revision 2017-09-12 { description "Creating NewCo proprietary extensions to ietf-acl model"; reference "RFC XXXX: Network Access Control List (ACL) YANG Data Model"; } augment "/ietf-acl:access-lists/ietf-acl:acl/" + "ietf-acl:aces/ietf-acl:ace/" +