rfcdiff: draft-ietf-netmod-acl-model-13.txt vs. draft-ietf-netmod-acl-model-14.txt

NETMOD WG                                               M. Jethanandani
Internet-Draft                                      Cisco Systems, Inc.
Intended status: Standards Track                               L. Huang
Expires: March 16, 2018 (-13) / April 6, 2018 (-14)    General Electric
                                                             S. Agarwal
                                                    Cisco Systems, Inc.
                                                               D. Blair
                                                    Cisco Systems, Inc.
                       September 12, 2017 (-13) / October 03, 2017 (-14)

            Network Access Control List (ACL) YANG Data Model
         draft-ietf-netmod-acl-model-13 / draft-ietf-netmod-acl-model-14
Abstract

   This document describes a data model of Access Control List (ACL)
   basic building blocks.
Editorial Note (To be removed by RFC Editor)

   This draft contains many placeholder values that need to be replaced
   with finalized values at the time of publication.  This note

   [skipping to change at page 1, line 47]

   line with <CODE BEGINS>.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 16, 2018 (draft-13) /
   April 6, 2018 (draft-14).

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents (page numbers: draft-13 / draft-14)

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . .   3 /  3
     1.1.  Definitions and Acronyms  . . . . . . . . . . . . . .   3 /  3
   2.  Problem Statement . . . . . . . . . . . . . . . . . . . .   4 /  4
   3.  Understanding ACL's Filters and Actions . . . . . . . . .   4 /  4
     3.1.  ACL Modules . . . . . . . . . . . . . . . . . . . . .   5 /  5
   4.  ACL YANG Models . . . . . . . . . . . . . . . . . . . . .   9 / 10
     4.1.  IETF Access Control List module . . . . . . . . . . .   9 / 10
     4.2.  IETF Packet Fields module . . . . . . . . . . . . . .  18 / 23
     4.3.  An ACL Example  . . . . . . . . . . . . . . . . . . .  31 / 35
     4.4.  Port Range Usage Example  . . . . . . . . . . . . . .  32 / 36
   5.  Security Considerations . . . . . . . . . . . . . . . . .  33 / 37
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . .  34 / 38
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . .  34 / 38
   8.  Open Issues . . . . . . . . . . . . . . . . . . . . . . .  35 / 39
   9.  References  . . . . . . . . . . . . . . . . . . . . . . .  35 / 39
     9.1.  Normative References  . . . . . . . . . . . . . . . .  35 / 39
     9.2.  Informative References  . . . . . . . . . . . . . . .  36 / 40
   Appendix A.  Extending ACL model examples . . . . . . . . . .  36 / 40
     A.1.  Example of extending existing model for route filtering 36 / 40
     A.2.  A company proprietary module example  . . . . . . . .  38 / 42
     A.3.  Linux nftables  . . . . . . . . . . . . . . . . . . .  44 / 46
     A.4.  Ethertypes (draft-14 only)  . . . . . . . . . . . . .  -- / 46
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . .  45 / 54
1.  Introduction

   Access Control List (ACL) is one of the basic elements used to
   configure device forwarding behavior.  It is used in many networking
   technologies such as Policy Based Routing, Firewalls etc.

   An ACL is an ordered set of rules that is used to filter traffic on a
   networking device.  Each rule is represented by an Access Control
   Entry (ACE).
   [skipping to change at page 5, line 36]

   If there is a need to define a new "matches" choice, such as IPFIX
   [RFC5101], the container "matches" can be augmented.

   For a reference to the annotations used in the diagram below, see
   YANG Tree Diagrams [I-D.ietf-netmod-yang-tree-diagrams].
   The tree diagram of draft-14 (the right column of the diff):

   module: ietf-access-control-list
     +--rw access-lists
        +--rw acl* [acl-type acl-name]
        |  +--rw acl-name    string
        |  +--rw acl-type    acl-type
        |  +--rw aces
        |     +--rw ace* [rule-name]
        |        +--rw rule-name    string
        |        +--rw matches
        |        |  +--rw l2-acl {l2-acl}?
        |        |  |  +--rw destination-mac-address?        yang:mac-address
        |        |  |  +--rw destination-mac-address-mask?   yang:mac-address
        |        |  |  +--rw source-mac-address?             yang:mac-address
        |        |  |  +--rw source-mac-address-mask?        yang:mac-address
        |        |  |  +--rw ethertype?                      eth:ethertype
        |        |  +--rw ipv4-acl {ipv4-acl}?
        |        |  |  +--rw dscp?                       inet:dscp
        |        |  |  +--rw ecn?                        uint8
        |        |  |  +--rw length?                     uint16
        |        |  |  +--rw ttl?                        uint8
        |        |  |  +--rw protocol?                   uint8
        |        |  |  +--rw source-port-range!
        |        |  |  |  +--rw lower-port    inet:port-number
        |        |  |  |  +--rw upper-port?   inet:port-number
        |        |  |  |  +--rw operation?    operator
        |        |  |  +--rw destination-port-range!
        |        |  |  |  +--rw lower-port    inet:port-number
        |        |  |  |  +--rw upper-port?   inet:port-number
        |        |  |  |  +--rw operations?   operator
        |        |  |  +--rw ihl?                        uint8
        |        |  |  +--rw flags?                      bits
        |        |  |  +--rw offset?                     uint16
        |        |  |  +--rw identification?             uint16
        |        |  |  +--rw destination-ipv4-network?   inet:ipv4-prefix
        |        |  |  +--rw source-ipv4-network?        inet:ipv4-prefix
        |        |  +--rw ipv6-acl {ipv6-acl}?
        |        |  |  +--rw dscp?                       inet:dscp
        |        |  |  +--rw ecn?                        uint8
        |        |  |  +--rw length?                     uint16
        |        |  |  +--rw ttl?                        uint8
        |        |  |  +--rw protocol?                   uint8
        |        |  |  +--rw source-port-range!
        |        |  |  |  +--rw lower-port    inet:port-number
        |        |  |  |  +--rw upper-port?   inet:port-number
        |        |  |  |  +--rw operation?    operator
        |        |  |  +--rw destination-port-range!
        |        |  |  |  +--rw lower-port    inet:port-number
        |        |  |  |  +--rw upper-port?   inet:port-number
        |        |  |  |  +--rw operations?   operator
        |        |  |  +--rw next-header?                uint8
        |        |  |  +--rw destination-ipv6-network?   inet:ipv6-prefix
        |        |  |  +--rw source-ipv6-network?        inet:ipv6-prefix
        |        |  |  +--rw flow-label?                 inet:ipv6-flow-label
        |        |  +--rw l2-l3-ipv4-acl {mixed-ipv4-acl}?
        |        |  |  +--rw destination-mac-address?        yang:mac-address
        |        |  |  +--rw destination-mac-address-mask?   yang:mac-address
        |        |  |  +--rw source-mac-address?             yang:mac-address
        |        |  |  +--rw source-mac-address-mask?        yang:mac-address
        |        |  |  +--rw ethertype?                      eth:ethertype
        |        |  |  +--rw dscp?                           inet:dscp
        |        |  |  +--rw ecn?                            uint8
        |        |  |  +--rw length?                         uint16
        |        |  |  +--rw ttl?                            uint8
        |        |  |  +--rw protocol?                       uint8
        |        |  |  +--rw source-port-range!
        |        |  |  |  +--rw lower-port    inet:port-number
        |        |  |  |  +--rw upper-port?   inet:port-number
        |        |  |  |  +--rw operation?    operator
        |        |  |  +--rw destination-port-range!
        |        |  |  |  +--rw lower-port    inet:port-number
        |        |  |  |  +--rw upper-port?   inet:port-number
        |        |  |  |  +--rw operations?   operator
        |        |  |  +--rw ihl?                            uint8
        |        |  |  +--rw flags?                          bits
        |        |  |  +--rw offset?                         uint16
        |        |  |  +--rw identification?                 uint16
        |        |  |  +--rw destination-ipv4-network?       inet:ipv4-prefix
        |        |  |  +--rw source-ipv4-network?            inet:ipv4-prefix
        |        |  +--rw l2-l3-ipv6-acl {mixed-ipv6-acl}?
        |        |  |  +--rw destination-mac-address?        yang:mac-address
        |        |  |  +--rw destination-mac-address-mask?   yang:mac-address
        |        |  |  +--rw source-mac-address?             yang:mac-address
        |        |  |  +--rw source-mac-address-mask?        yang:mac-address
        |        |  |  +--rw ethertype?                      eth:ethertype
        |        |  |  +--rw dscp?                           inet:dscp
        |        |  |  +--rw ecn?                            uint8
        |        |  |  +--rw length?                         uint16
        |        |  |  +--rw ttl?                            uint8
        |        |  |  +--rw protocol?                       uint8
        |        |  |  +--rw source-port-range!
        |        |  |  |  +--rw lower-port    inet:port-number
        |        |  |  |  +--rw upper-port?   inet:port-number
        |        |  |  |  +--rw operation?    operator
        |        |  |  +--rw destination-port-range!
        |        |  |  |  +--rw lower-port    inet:port-number
        |        |  |  |  +--rw upper-port?   inet:port-number
        |        |  |  |  +--rw operations?   operator
        |        |  |  +--rw next-header?                    uint8
        |        |  |  +--rw destination-ipv6-network?       inet:ipv6-prefix
        |        |  |  +--rw source-ipv6-network?            inet:ipv6-prefix
        |        |  |  +--rw flow-label?                     inet:ipv6-flow-label
        |        |  +--rw l2-l3-ipv4-ipv6-acl {l2-l3-ipv4-ipv6-acl}?
        |        |  |  +--rw destination-mac-address?        yang:mac-address
        |        |  |  +--rw destination-mac-address-mask?   yang:mac-address
        |        |  |  +--rw source-mac-address?             yang:mac-address
        |        |  |  +--rw source-mac-address-mask?        yang:mac-address
        |        |  |  +--rw ethertype?                      eth:ethertype
        |        |  |  +--rw dscp?                           inet:dscp
        |        |  |  +--rw ecn?                            uint8
        |        |  |  +--rw length?                         uint16
        |        |  |  +--rw ttl?                            uint8
        |        |  |  +--rw protocol?                       uint8
        |        |  |  +--rw source-port-range!
        |        |  |  |  +--rw lower-port    inet:port-number
        |        |  |  |  +--rw upper-port?   inet:port-number
        |        |  |  |  +--rw operation?    operator
        |        |  |  +--rw destination-port-range!
        |        |  |  |  +--rw lower-port    inet:port-number
        |        |  |  |  +--rw upper-port?   inet:port-number
        |        |  |  |  +--rw operations?   operator
        |        |  |  +--rw ihl?                            uint8
        |        |  |  +--rw flags?                          bits
        |        |  |  +--rw offset?                         uint16
        |        |  |  +--rw identification?                 uint16
        |        |  |  +--rw destination-ipv4-network?       inet:ipv4-prefix
        |        |  |  +--rw source-ipv4-network?            inet:ipv4-prefix
        |        |  |  +--rw next-header?                    uint8
        |        |  |  +--rw destination-ipv6-network?       inet:ipv6-prefix
        |        |  |  +--rw source-ipv6-network?            inet:ipv6-prefix
        |        |  |  +--rw flow-label?                     inet:ipv6-flow-label
        |        |  +--rw tcp-acl {tcp-acl}?
        |        |  |  +--rw sequence-number?          uint32
        |        |  |  +--rw acknowledgement-number?   uint32
        |        |  |  +--rw data-offset?              uint8
        |        |  |  +--rw reserved?                 uint8
        |        |  |  +--rw flags?                    bits
        |        |  |  +--rw window-size?              uint16
        |        |  |  +--rw urgent-pointer?           uint16
        |        |  |  +--rw options?                  uint32
        |        |  +--rw udp-acl {udp-acl}?
        |        |  |  +--rw length?   uint16
        |        |  +--rw icmp-acl {icmp-acl}?
        |        |  |  +--rw type?             uint8
        |        |  |  +--rw code?             uint8
        |        |  |  +--rw rest-of-header?   uint32
        |        |  +--rw any-acl! {any-acl}?
        |        |  +--rw interface?   if:interface-ref
        |        +--rw actions
        |        |        {acl-aggregate-stats or interface-acl-aggregate}?
        |        |  +--rw forwarding    identityref
        |        |  +--rw logging?      identityref
        |        |  +--rw icmp-off?     boolean
        |        +--ro matched-packets?   yang:counter64
        |        +--ro matched-octets?    yang:counter64
        +--rw interfaces
           +--rw interface* [interface-id]
              +--rw interface-id    if:interface-ref
              +--rw ingress
              |  +--rw acl-sets
              |     +--rw acl-set* [set-name type]
              |        +--rw set-name    -> ../../../../../../acl/acl-name
              |        +--rw type        -> ../../../../../../acl/acl-type
              |        +--rw ace* [rule-name]
              |                {interface-stats or interface-acl-aggregate}?
              |           +--rw rule-name          leafref
              |           +--ro matched-packets?   yang:counter64
              |           +--ro matched-octets?    yang:counter64
              +--rw egress
                 +--rw acl-sets
                    +--rw acl-set* [set-name type]
                       +--rw set-name    -> ../../../../../../acl/acl-name
                       +--rw type        -> ../../../../../../acl/acl-type
                       +--rw ace* [rule-name]
                               {interface-stats or interface-acl-aggregate}?
                          +--rw rule-name          leafref
                          +--ro matched-packets?   yang:counter64
                          +--ro matched-octets?    yang:counter64

   Where the draft-13 tree (the left column of the diff) differed:

   o  "acl" carried an additional "+--ro acl-oper-data" node between
      "acl-type" and "aces".

   o  The layer 2 match containers had "+--rw ether-type?   string"
      where draft-14 has "+--rw ethertype?   eth:ethertype".

   o  "actions" and the per-ACE counter were:

           +--rw actions
           |  +--rw (packet-handling)?
           |  |  +--:(deny)
           |  |  |  +--rw deny?     empty
           |  |  +--:(permit)
           |  |     +--rw permit?   empty
           |  +--rw logging?   boolean
           +--ro ace-oper-data
              +--ro match-counter?   yang:counter64

   o  There was no "interfaces" container.
4.  ACL YANG Models

4.1.  IETF Access Control List module

   "ietf-access-control-list" is the standard top level module for
   access lists.  The "access-lists" container stores a list of "acl".
   Each "acl" has information identifying the access list by a
   name ("acl-name") and a list ("access-list-entries") of rules
   associated with the "acl-name".  Each of the entries in the
   list ("access-list-entries"), indexed by the string "rule-name", has
   containers defining "matches" and "actions".

   The model defines several ACL types in the form of identities and
   features.  Features are used by implementors to select the ACL types
   the system can support.  These types are implicitly inherited by the
   "ace", thus safeguarding against misconfiguration of "ace" types in
   an "acl".

   The "matches" define criteria used to identify patterns in "ietf-
   packet-fields".  The "actions" define behavior to undertake once a
   "match" has been identified.  In addition to permit and deny for
   actions, a logging option allows for a match to be logged that can be
   used to determine which rule was matched upon.  The model also
   defines the ability for ACLs to be attached to a particular
   interface.

   Statistics in the ACL can be collected for an "ace" or for an
   "interface".  The feature statements defined for statistics can be
   used to determine whether statistics are being collected per "ace",
   per "interface" or both.

   [The second and fourth paragraphs above, and the last sentence of the
   third, are new in draft-14.]
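   To make the structure above concrete, here is an added example (not
   code from the draft or from any implementation of it): a Python script
   that takes one "acl" in the JSON encoding of the draft-14 tree, checks
   that each ACE's match containers fit the "acl-type" and that "acl-name"
   keeps to the 1..64 length, then walks constructed packets through the
   ACEs in order, applying the "forwarding" identity of the first match
   and keeping the "matched-packets"/"matched-octets" counters the
   aggregate stats feature exposes.  First-match semantics, the inclusive
   reading of lower-port/upper-port and the table of which containers
   each type allows are assumptions of this example.

```python
import ipaddress

# Constructed sample in the JSON encoding of the draft-14 tree (one entry
# of access-lists/acl); the ACL name, rule names and addresses are made up.
SAMPLE_ACL = {
    "acl-name": "mgmt-in",
    "acl-type": "ipv4-acl",
    "aces": {"ace": [
        {"rule-name": "allow-ssh-from-mgmt",
         "matches": {"ipv4-acl": {"protocol": 6, "source-ipv4-network": "192.0.2.0/24",
                                  "destination-port-range": {"lower-port": 22}}},
         "actions": {"forwarding": "accept", "logging": "log-none"}},
        {"rule-name": "drop-everything-else",
         "matches": {"any-acl": {}},
         "actions": {"forwarding": "drop", "logging": "log-syslog"}},
    ]},
}

# Match containers that fit each acl-type, read from the identity descriptions
# (ipv4-acl carries no ethernet or IPv6 fields).  Allowing L4 containers and
# any-acl alongside is this example's assumption, not text from the draft.
ALLOWED_MATCHES = {
    "ipv4-acl": {"ipv4-acl", "tcp-acl", "udp-acl", "icmp-acl", "any-acl"},
    "ipv6-acl": {"ipv6-acl", "tcp-acl", "udp-acl", "icmp-acl", "any-acl"},
    "eth-acl": {"l2-acl", "any-acl"},
}

def check_acl(acl):
    """Problems with one acl entry: acl-name outside the 1..64 length draft-14
    imposes, an unknown acl-type, or an ACE whose match containers do not fit
    the acl-type (the misconfiguration the acl-type/feature pairing guards)."""
    name, acl_type = acl["acl-name"], acl["acl-type"]
    problems = [] if 1 <= len(name) <= 64 else [f"{name!r}: acl-name length not 1..64"]
    allowed = ALLOWED_MATCHES.get(acl_type)
    if allowed is None:
        return problems + [f"{name}: unsupported acl-type {acl_type}"]
    for ace in acl["aces"]["ace"]:
        # "interface" is a leaf inside matches, not a match container
        containers = set(ace.get("matches", {})) - {"interface"}
        for bad in sorted(containers - allowed):
            problems.append(f"{ace['rule-name']}: '{bad}' not allowed in {acl_type}")
    return problems

def _port_in_range(port, rng):
    # lower-port is mandatory, upper-port optional; read here as an inclusive
    # range (the "operation" leaf is not modelled in this example).
    lower = rng["lower-port"]
    return lower <= port <= rng.get("upper-port", lower)

def _ipv4_matches(crit, pkt):
    """Compare the ipv4-acl fields this example understands with a packet."""
    if "protocol" in crit and crit["protocol"] != pkt["protocol"]:
        return False
    for key, field in (("source-ipv4-network", "src"), ("destination-ipv4-network", "dst")):
        if key in crit and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(crit[key]):
            return False
    for key, field in (("source-port-range", "sport"), ("destination-port-range", "dport")):
        if key in crit and not _port_in_range(pkt[field], crit[key]):
            return False
    return True

MATCHERS = {"ipv4-acl": _ipv4_matches, "any-acl": lambda crit, pkt: True}

def ace_matches(ace, pkt):
    """Every match container in the ACE must match; containers this example
    does not implement (tcp-acl, l2-acl, ...) never match."""
    containers = {k: v for k, v in ace.get("matches", {}).items() if k != "interface"}
    return bool(containers) and all(
        name in MATCHERS and MATCHERS[name](crit, pkt) for name, crit in containers.items())

def evaluate(acl, packets):
    """Walk packets through the ACEs in list order; the first match decides
    (first-match is this example's assumption, the draft only says the list is
    ordered).  Returns per-packet (rule-name, forwarding) pairs, (None, None)
    when nothing matched, plus the per-ACE matched-packets / matched-octets
    counters that the aggregate stats feature exposes."""
    counters = {ace["rule-name"]: {"matched-packets": 0, "matched-octets": 0}
                for ace in acl["aces"]["ace"]}
    decisions = []
    for pkt in packets:
        decision = (None, None)
        for ace in acl["aces"]["ace"]:
            if ace_matches(ace, pkt):
                stats = counters[ace["rule-name"]]
                stats["matched-packets"] += 1
                stats["matched-octets"] += pkt["length"]
                decision = (ace["rule-name"], ace["actions"]["forwarding"])
                break
        decisions.append(decision)
    return decisions, counters

# Constructed packets: SSH from the management prefix, SSH from elsewhere,
# and a DNS query from the management prefix (only the fields the rules read).
SAMPLE_PACKETS = [
    {"protocol": 6, "src": "192.0.2.10", "dport": 22, "length": 60},
    {"protocol": 6, "src": "203.0.113.5", "dport": 22, "length": 60},
    {"protocol": 17, "src": "192.0.2.10", "dport": 53, "length": 80},
]

if __name__ == "__main__":
    print("problems:", check_acl(SAMPLE_ACL))
    print(*evaluate(SAMPLE_ACL, SAMPLE_PACKETS), sep="\n")
```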
   <CODE BEGINS> file "ietf-access-control-list@2017-10-03.yang"
   (draft-13: file "ietf-access-control-list@2017-09-12.yang")
   module ietf-access-control-list {
     yang-version 1.1;   /* added in draft-14 */
     namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list";
     prefix acl;

     import ietf-yang-types {
       prefix yang;
     }

     import ietf-packet-fields {
       prefix packet-fields;
     }
   [skipping to change at page 10, line 31 (draft-13) / page 11, line 28 (draft-14)]

     contact
       "WG Web: http://tools.ietf.org/wg/netmod/
        WG List: netmod@ietf.org

        Editor: Mahesh Jethanandani
                mjethanandani@gmail.com

        Editor: Lisa Huang
                lyihuang16@gmail.com

        Editor: Sonal Agarwal
                sagarwal12@cisco.com (draft-13: agarwaso@cisco.com)

        Editor: Dana Blair
                dblair@cisco.com";

     description
       "This YANG module defines a component that describes the
        configuration of Access Control Lists (ACLs).

        Copyright (c) 2017 IETF Trust and the persons identified as
        the document authors.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD
        License set forth in Section 4.c of the IETF Trust's Legal
        Provisions Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2017-10-03 {   /* draft-13: revision 2017-09-12 */
       description
         "Added feature and identity statements for different types
          of rule matches. Split the matching rules based on the
          feature statement and added a must statement within
          each container.";
       reference
         "RFC XXX: Network Access Control List (ACL) YANG Data Model.";
     }
     /*
      * Identities
      */
/*
* Forwarding actions for a packet
*/
identity forwarding-action {
description
"Base identity for actions in the forwarding category";
}
identity accept {
base forwarding-action;
description
"Accept the packet";
}
identity drop {
base forwarding-action;
description
"Drop packet without sending any ICMP error message";
}
identity reject {
base forwarding-action;
description
"Drop the packet and send an ICMP error message to the source";
}
/*
* Logging actions for a packet
*/
identity log-action {
description
"Base identity for defining the destination for logging actions";
}
identity log-syslog {
base log-action;
description
"System log (syslog) the information for the packet";
}
identity log-none {
base log-action;
description
"No logging for the packet";
}
     identity acl-base {
       description
         "Base Access Control List type for all Access Control List type
          identifiers.";
     }

     identity ipv4-acl {
       base acl:acl-base;
       description
         "ACL that primarily matches on fields from the IPv4 header
          (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP
          destination port). An acl of type ipv4-acl does not contain
          matches on fields in the ethernet header or the IPv6 header.";
     }

     identity ipv6-acl {
       base acl:acl-base;
       description
         "ACL that primarily matches on fields from the IPv6 header
          (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP
          destination port). An acl of type ipv6-acl does not contain
          matches on fields in the ethernet header or the IPv4 header.";
     }

     identity eth-acl {
       base acl:acl-base;
       description
         "ACL that primarily matches on fields in the ethernet header,
          like 10/100/1000baseT or WiFi Access Control List. An acl of
          type eth-acl does not contain matches on fields in the IPv4
          header, IPv6 header or layer 4 headers.";
     }

     identity mixed-l2-l3-ipv4-acl {
       base "acl:acl-base";
       description
         "ACL that contains a mix of entries that
          primarily match on fields in ethernet headers,
          entries that primarily match on IPv4 headers.
          Matching on layer 4 header fields may also exist in the
          list.";
     }

     identity mixed-l2-l3-ipv6-acl {
       base "acl:acl-base";
       description
         "ACL that contains a mix of entries that
          primarily match on fields in ethernet headers, entries
   [skipping to change at page 13, line 45 (draft-13) / page 15, line 43 (draft-14)]

       description
         "ICMP header ACL supported.";
     }

     feature any-acl {
       description
         "ACL for any pattern.";
     }
     /*
* Stats Features
*/
feature interface-stats {
description
"ACL counters are available and reported only per interface";
}
feature acl-aggregate-stats {
description
"ACL counters are aggregated over all interfaces, and reported
only per ACL entry";
}
feature interface-acl-aggregate {
description
"ACL counters are reported per interface, and also aggregated
and reported per ACL entry";
}
     /*
      * Typedefs
      */
     typedef acl-type {
       type identityref {
         base acl-base;
       }
       description
         "This type is used to refer to an Access Control List
          (ACL) type";
     }

     typedef acl-ref {
       type leafref {
         path "/access-lists/acl/acl-name";
       }
       description
         "This type is used by data models that need to reference an
          Access Control List";
     }
grouping interface-acl {
description
"Grouping for per-interface ingress ACL data";
container acl-sets {
description
"Enclosing container the list of ingress ACLs on the
interface";
list acl-set {
key "set-name type";
ordered-by user;
description
"List of ingress ACLs on the interface";
leaf set-name {
type leafref {
path "../../../../../../acl/acl-name";
}
description
"Reference to the ACL set name applied on ingress";
}
leaf type {
type leafref {
path "../../../../../../acl/acl-type";
}
description
"Reference to the ACL set type applied on ingress";
}
list ace {
if-feature "interface-stats or interface-acl-aggregate";
key "rule-name";
description
"List of access list entries(ACE)";
leaf rule-name {
type leafref {
path "../../../../../../../acl/aces/ace/rule-name";
}
description
"The ace rule-name";
}
uses acl-counters;
}
}
}
}
     grouping acl-counters {
       description
         "Common grouping for ACL counters";
       leaf matched-packets {
         type yang:counter64;
         config false;
         description
           "Count of the number of packets matching the current ACL
            entry.

            An implementation should provide this counter on a
            per-interface per-ACL-entry if possible.

            If an implementation only supports ACL counters per entry
            (i.e., not broken out per interface), then the value
            should be equal to the aggregate count across all interfaces.

            An implementation that provides counters per entry per
            interface is not required to also provide an aggregate count,
            e.g., per entry -- the user is expected to be able to implement
            the required aggregation if such a count is needed.";
       }
       leaf matched-octets {
         type yang:counter64;
         config false;
         description
           "Count of the number of octets (bytes) matching the current
            ACL entry.

            An implementation should provide this counter on a
            per-interface per-ACL-entry if possible.

            If an implementation only supports ACL counters per entry
            (i.e., not broken out per interface), then the value
            should be equal to the aggregate count across all interfaces.

            An implementation that provides counters per entry per
            interface is not required to also provide an aggregate count,
            e.g., per entry -- the user is expected to be able to implement
            the required aggregation if such a count is needed.";
       }
     }
/* /*
* Configuration data nodes * Configuration data nodes
*/ */
container access-lists { container access-lists {
description description
"This is a top level container for Access Control Lists. "This is a top level container for Access Control Lists.
It can have one or more Access Control Lists."; It can have one or more Access Control Lists.";
list acl { list acl {
skipping to change at page 14, line 36 skipping to change at page 18, line 51
description description
"An Access Control List(ACL) is an ordered list of "An Access Control List(ACL) is an ordered list of
Access List Entries (ACE). Each Access Control Entry has a Access List Entries (ACE). Each Access Control Entry has a
list of match criteria and a list of actions. list of match criteria and a list of actions.
Since there are several kinds of Access Control Lists Since there are several kinds of Access Control Lists
implemented with different attributes for implemented with different attributes for
different vendors, this different vendors, this
model accommodates customizing Access Control Lists for model accommodates customizing Access Control Lists for
each kind and for each vendor."; each kind and for each vendor.";
leaf acl-name { leaf acl-name {
type string; type string {
length "1..64";
}
description description
"The name of access-list. A device MAY restrict the length "The name of access-list. A device MAY restrict the length
and value of this name, possibly space and special and value of this name, possibly space and special
characters are not allowed."; characters are not allowed.";
} }
leaf acl-type { leaf acl-type {
type acl-type; type acl-type;
description description
"Type of access control list. Indicates the primary intended "Type of access control list. Indicates the primary intended
type of match criteria (e.g. ethernet, IPv4, IPv6, mixed, type of match criteria (e.g. ethernet, IPv4, IPv6, mixed,
etc) used in the list instance."; etc) used in the list instance.";
} }
container acl-oper-data {
config false;
description
"Overall Access Control List operational data";
}
container aces { container aces {
description description
"The access-list-entries container contains "The access-list-entries container contains
a list of access-list-entries(ACE)."; a list of access-list-entries(ACE).";
list ace { list ace {
key "rule-name"; key "rule-name";
ordered-by user; ordered-by user;
description description
"List of access list entries(ACE)"; "List of access list entries(ACE)";
leaf rule-name { leaf rule-name {
type string; type string {
length "1..64";
}
description description
"A unique name identifying this Access List "A unique name identifying this Access List
Entry(ACE)."; Entry(ACE).";
} }
container matches { container matches {
description description
"The rules in this set determine what fields will be "The rules in this set determine what fields will be
matched upon before any action is taken on them. matched upon before any action is taken on them.
The rules are selected based on the feature set The rules are selected based on the feature set
defined by the server and the acl-type defined."; defined by the server and the acl-type defined.";
container l2-acl { container l2-acl {
if-feature l2-acl; if-feature l2-acl;
must "../../../../acl-type = 'eth-acl'"; must "derived-from-or-self(../../../../acl-type, 'acl:eth-acl')";
uses packet-fields:acl-eth-header-fields; uses packet-fields:acl-eth-header-fields;
description description
"Rule set for L2 ACL."; "Rule set for L2 ACL.";
} }
container ipv4-acl { container ipv4-acl {
if-feature ipv4-acl; if-feature ipv4-acl;
must "../../../../acl-type = 'ipv4-acl'"; must "derived-from-or-self(../../../../acl-type, " +
"'acl:ipv4-acl')";
uses packet-fields:acl-ip-header-fields; uses packet-fields:acl-ip-header-fields;
uses packet-fields:acl-ipv4-header-fields; uses packet-fields:acl-ipv4-header-fields;
description description
"Rule set that supports IPv4 headers."; "Rule set that supports IPv4 headers.";
} }
container ipv6-acl { container ipv6-acl {
if-feature ipv6-acl; if-feature ipv6-acl;
must "../../../../acl-type = 'ipv6-acl'"; must "derived-from-or-self(../../../../acl-type, " +
"'acl:ipv6-acl')";
uses packet-fields:acl-ip-header-fields; uses packet-fields:acl-ip-header-fields;
uses packet-fields:acl-ipv6-header-fields; uses packet-fields:acl-ipv6-header-fields;
description description
"Rule set that supports IPv6 headers."; "Rule set that supports IPv6 headers.";
} }
container l2-l3-ipv4-acl { container l2-l3-ipv4-acl {
if-feature mixed-ipv4-acl; if-feature mixed-ipv4-acl;
must "../../../../acl-type = 'mixed-l2-l3-ipv4-acl'"; must "derived-from-or-self(../../../../acl-type, " +
"'acl:mixed-l2-l3-ipv4-acl')";
uses packet-fields:acl-eth-header-fields; uses packet-fields:acl-eth-header-fields;
uses packet-fields:acl-ip-header-fields; uses packet-fields:acl-ip-header-fields;
uses packet-fields:acl-ipv4-header-fields; uses packet-fields:acl-ipv4-header-fields;
description description
"Rule set that is a logical AND (&&) of l2 "Rule set that is a logical AND (&&) of l2
and ipv4 headers."; and ipv4 headers.";
} }
container l2-l3-ipv6-acl { container l2-l3-ipv6-acl {
if-feature mixed-ipv6-acl; if-feature mixed-ipv6-acl;
must "../../../../acl-type = 'mixed-l2-l3-ipv6-acl'"; must "derived-from-or-self(../../../../acl-type, " +
"'acl:mixed-l2-l3-ipv6-acl')";
uses packet-fields:acl-eth-header-fields; uses packet-fields:acl-eth-header-fields;
uses packet-fields:acl-ip-header-fields; uses packet-fields:acl-ip-header-fields;
uses packet-fields:acl-ipv6-header-fields; uses packet-fields:acl-ipv6-header-fields;
description description
"Rule set that is a logical AND (&&) of L2 "Rule set that is a logical AND (&&) of L2
&& IPv6 headers."; && IPv6 headers.";
} }
container l2-l3-ipv4-ipv6-acl { container l2-l3-ipv4-ipv6-acl {
if-feature l2-l3-ipv4-ipv6-acl; if-feature l2-l3-ipv4-ipv6-acl;
must "../../../../acl-type = 'mixed-l2-l3-ipv4-ipv6-acl'"; must "derived-from-or-self(../../../../acl-type, " +
"'acl:mixed-l2-l3-ipv4-ipv6-acl')";
uses packet-fields:acl-eth-header-fields; uses packet-fields:acl-eth-header-fields;
uses packet-fields:acl-ip-header-fields; uses packet-fields:acl-ip-header-fields;
uses packet-fields:acl-ipv4-header-fields; uses packet-fields:acl-ipv4-header-fields;
uses packet-fields:acl-ipv6-header-fields; uses packet-fields:acl-ipv6-header-fields;
description description
"Rule set that is a logical AND (&&) of L2 "Rule set that is a logical AND (&&) of L2
&& IPv4 && IPv6 headers."; && IPv4 && IPv6 headers.";
} }
container tcp-acl { container tcp-acl {
skipping to change at page 17, line 16 skipping to change at page 21, line 34
container icmp-acl { container icmp-acl {
if-feature icmp-acl; if-feature icmp-acl;
uses packet-fields:acl-icmp-header-fields; uses packet-fields:acl-icmp-header-fields;
description description
"Rule set that defines ICMP headers."; "Rule set that defines ICMP headers.";
} }
container any-acl { container any-acl {
if-feature any-acl; if-feature any-acl;
must "../../../../acl-type = 'any-acl'"; must "derived-from-or-self(../../../../acl-type, 'acl:any-acl')";
presence "Matches any"; presence "Matches any";
description description
"Rule set that allows for a any ACL."; "Rule set that allows for a any ACL.";
} }
leaf interface { leaf interface {
type if:interface-ref; type if:interface-ref;
description description
"Interface name that is specified to "Interface name that is specified to
match upon."; match upon.";
} }
} }
container actions { container actions {
if-feature "acl-aggregate-stats or interface-acl-aggregate";
description description
"Definitions of action criteria for this Access List "Definitions of action criteria for this ace entry";
Entry."; leaf forwarding {
choice packet-handling { type identityref {
default "deny"; base forwarding-action;
description }
"Packet handling action."; mandatory true;
case deny {
leaf deny {
type empty;
description description
"Deny action."; "Specifies the forwarding action per ace entry";
} }
}
case permit { leaf logging {
leaf permit { type identityref {
type empty; base log-action;
}
default log-none;
description description
"Permit action."; "Specifies the log action and destination for
matched packets. Default value is not to log the
packet.";
} }
}
} leaf icmp-off {
leaf logging { type boolean;
type boolean; default "false";
default "false"; description
description "true indicates ICMP errors will never be generated
"Log the rule on which the match occurred. in response to an ICMP error message. false indicates
Setting the value to true enables logging, ICMP error will be generated.";
whereas setting the value to false disables it."; }
}
}
/*
* Operational state data nodes
*/
container ace-oper-data {
config false;
description
"Operational data for this Access List Entry.";
leaf match-counter {
type yang:counter64;
description
"Number of matches for this Access List Entry";
}
} }
uses acl-counters;
}
}
}
container interfaces {
description
"Enclosing container for the list of interfaces on which
ACLs are set";
list interface {
key "interface-id";
description
"List of interfaces on which ACLs are set";
leaf interface-id {
type if:interface-ref;
description
"Reference to the interface id list key";
}
container ingress {
uses interface-acl;
description
"The ACL's applied to ingress interface";
}
container egress {
uses interface-acl;
description
"The ACL's applied to egress interface";
} }
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
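The ordered first-match semantics of the ace list, the must constraints that tie each child of "matches" to acl-type, and the per-interface versus aggregate counter semantics of the acl-counters grouping, worked through as an added example. This is not code from the draft: the instance and the packets are constructed, and the identity derivation table, the identities 'acl:accept' and 'acl:drop', and the ietf-packet-fields leaf names 'protocol', 'source-ipv4-network' and 'destination-ipv4-network' are assumptions. The acl-type check is written as YANG's derived-from-or-self(), which accepts an acl-type that equals the required identity as well as one derived from it; plain derived-from() is false for the equal case.

```python
"""Ordered first-match ACL evaluation with the acl-counters semantics.

Added example, not code from the draft. Constructed/assumed: the instance
dict (JSON-style names), the identity derivation table, the identities
'acl:accept' / 'acl:drop', and the packet-fields leaf names 'protocol',
'source-ipv4-network', 'destination-ipv4-network'.
"""
import ipaddress
from collections import defaultdict

# Assumed identity tree (identity -> base) and the acl-type each child of
# 'matches' requires, mirroring the must constraints of the module.
IDENTITY_BASE = {"acl:ipv4-acl": "acl:acl-base", "acl:ipv6-acl": "acl:acl-base",
                 "acl:eth-acl": "acl:acl-base"}
MATCH_CONTAINER_BASE = {"ipv4-acl": "acl:ipv4-acl", "ipv6-acl": "acl:ipv6-acl",
                        "l2-acl": "acl:eth-acl"}


def derived_from_or_self(identity, base):
    """YANG derived-from-or-self(): identity equals base or derives from it.
    Plain derived-from() is false when acl-type equals the base itself."""
    seen = set()
    while identity is not None and identity not in seen:
        if identity == base:
            return True
        seen.add(identity)
        identity = IDENTITY_BASE.get(identity)
    return False


def validate_acl(acl):
    """Return the must/mandatory violations found in one acl list entry."""
    errors = []
    for ace in acl["aces"]["ace"]:
        where = f"{acl['acl-name']}/{ace['rule-name']}"
        for container in ace["matches"]:
            required = MATCH_CONTAINER_BASE.get(container)
            if required and not derived_from_or_self(acl["acl-type"], required):
                errors.append(f"{where}: matches/{container} requires acl-type {required}")
        if "forwarding" not in ace.get("actions", {}):   # forwarding is mandatory true
            errors.append(f"{where}: forwarding is mandatory")
    return errors


def ipv4_fields_match(fields, pkt):
    """Every IPv4 match leaf present in the ACE must match the packet."""
    if "protocol" in fields and fields["protocol"] != pkt["protocol"]:
        return False
    for leaf, key in (("source-ipv4-network", "src"), ("destination-ipv4-network", "dst")):
        if leaf in fields and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(fields[leaf]):
            return False
    return True


class AclEngine:
    """First-match evaluation keeping per-interface, per-ACE counters."""

    def __init__(self, acl):
        errors = validate_acl(acl)
        if errors:
            raise ValueError("; ".join(errors))
        self.acl = acl
        self.counters = defaultdict(lambda: [0, 0])  # (interface, rule) -> [pkts, octets]

    def evaluate(self, interface, pkt):
        """Forwarding identity of the first matching ACE (ordered-by user), else None."""
        for ace in self.acl["aces"]["ace"]:
            fields = ace["matches"].get("ipv4-acl")
            if fields is not None and ipv4_fields_match(fields, pkt):
                counter = self.counters[(interface, ace["rule-name"])]
                counter[0] += 1
                counter[1] += pkt["octets"]
                return ace["actions"]["forwarding"]
        return None  # no ACE matched; the draft leaves that behaviour to the device

    def aggregate(self, rule_name):
        """Per-entry count across all interfaces, derived from the per-interface ones."""
        hits = [c for (_, rule), c in self.counters.items() if rule == rule_name]
        return sum(c[0] for c in hits), sum(c[1] for c in hits)


# Constructed sample: drop TCP from the lab prefix, accept everything else.
SAMPLE_ACL = {
    "acl-name": "lab-ingress", "acl-type": "acl:ipv4-acl",
    "aces": {"ace": [
        {"rule-name": "drop-lab-tcp",
         "matches": {"ipv4-acl": {"protocol": 6, "source-ipv4-network": "10.10.10.0/24"}},
         "actions": {"forwarding": "acl:drop"}},
        {"rule-name": "permit-rest",
         "matches": {"ipv4-acl": {"source-ipv4-network": "0.0.0.0/0"}},
         "actions": {"forwarding": "acl:accept"}}]}}
# Constructed packets as (interface, header fields the matcher reads).
SAMPLE_PACKETS = [
    ("eth0", {"src": "10.10.10.7", "dst": "192.0.2.1", "protocol": 6, "octets": 60}),
    ("eth0", {"src": "10.10.10.7", "dst": "192.0.2.1", "protocol": 17, "octets": 120}),
    ("eth1", {"src": "10.10.10.9", "dst": "192.0.2.2", "protocol": 6, "octets": 40})]


def run_sample():
    """Evaluate the constructed packets; returns (decisions, engine)."""
    engine = AclEngine(SAMPLE_ACL)
    return [engine.evaluate(ifc, pkt) for ifc, pkt in SAMPLE_PACKETS], engine
```

The per-interface counters correspond to the acl-counters leaves under interfaces/interface/ingress/acl-sets/acl-set/ace, and aggregate() is what a device that only keeps per-entry counters would report under acl/aces/ace. Changing SAMPLE_ACL's acl-type to 'acl:ipv6-acl' makes AclEngine refuse the instance, because each ACE's ipv4-acl container then violates its must constraint.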
4.2. IETF Packet Fields module 4.2. IETF Packet Fields module
skipping to change at page 18, line 51 skipping to change at page 23, line 36
get included for any given ACL with the exception of TCP, UDP and get included for any given ACL with the exception of TCP, UDP and
ICMP header fields. Those fields can be used in conjunction with any ICMP header fields. Those fields can be used in conjunction with any
of the above layer 2 or layer 3 fields. of the above layer 2 or layer 3 fields.
Since the number of match criteria is very large, the base draft does Since the number of match criteria is very large, the base draft does
not include these directly but references them by "uses" to keep the not include these directly but references them by "uses" to keep the
base module simple. In case more match conditions are needed, those base module simple. In case more match conditions are needed, those
can be added by augmenting choices within container "matches" in can be added by augmenting choices within container "matches" in
ietf-access-control-list.yang model. ietf-access-control-list.yang model.
<CODE BEGINS> file "ietf-packet-fields@2017-09-12.yang" <CODE BEGINS> file "ietf-packet-fields@2017-10-03.yang"
module ietf-packet-fields { module ietf-packet-fields {
namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields";
prefix packet-fields; prefix packet-fields;
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
} }
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
} }
import ietf-ethertypes {
prefix eth;
}
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working "IETF NETMOD (NETCONF Data Modeling Language) Working
Group"; Group";
contact contact
"WG Web: http://tools.ietf.org/wg/netmod/ "WG Web: http://tools.ietf.org/wg/netmod/
WG List: netmod@ietf.org WG List: netmod@ietf.org
Editor: Mahesh Jethanandani Editor: Mahesh Jethanandani
mjethanandani@gmail.com mjethanandani@gmail.com
skipping to change at page 19, line 50 skipping to change at page 24, line 41
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's Legal License set forth in Section 4.c of the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2017-09-12 { revision 2017-10-03 {
description description
"Added header fields for TCP, UDP, and ICMP."; "Added header fields for TCP, UDP, and ICMP.";
reference reference
"RFC XXX: Network Access Control List (ACL) YANG Data Model."; "RFC XXX: Network Access Control List (ACL) YANG Data Model.";
} }
/* /*
* Typedefs * Typedefs
*/ */
typedef operator { typedef operator {
skipping to change at page 26, line 33 skipping to change at page 31, line 23
leaf source-mac-address { leaf source-mac-address {
type yang:mac-address; type yang:mac-address;
description description
"Source IEEE 802 MAC address."; "Source IEEE 802 MAC address.";
} }
leaf source-mac-address-mask { leaf source-mac-address-mask {
type yang:mac-address; type yang:mac-address;
description description
"Source IEEE 802 MAC address mask."; "Source IEEE 802 MAC address mask.";
} }
leaf ether-type { leaf ethertype {
type string { type eth:ethertype;
pattern '[0-9a-fA-F]{4}';
}
description description
"The Ethernet Type (or Length) value represented "The Ethernet Type (or Length) value represented
in the canonical order defined by IEEE 802. in the canonical order defined by IEEE 802.
The canonical representation uses lowercase The canonical representation uses lowercase
characters. characters.";
Note: This is not the most ideal way to define
ether-types. Ether-types are well known types
and are registered with RAC in IEEE. So they
should well defined types with values. For now
this model is defining it as a string.
There is a note out to IEEE that needs to be
turned into a liaison statement asking them to
define all ether-types for the industry to use.";
reference reference
"IEEE 802-2014 Clause 9.2"; "IEEE 802-2014 Clause 9.2";
} }
reference reference
"IEEE 802: IEEE Standard for Local and Metropolitan "IEEE 802: IEEE Standard for Local and Metropolitan
Area Networks: Overview and Architecture."; Area Networks: Overview and Architecture.";
} }
grouping acl-tcp-header-fields { grouping acl-tcp-header-fields {
description description
skipping to change at page 35, line 14 skipping to change at page 39, line 14
Dean Bogdanovic, Kiran Agrahara Sreenivasa, Lisa Huang, and Dana Dean Bogdanovic, Kiran Agrahara Sreenivasa, Lisa Huang, and Dana
Blair each evaluated the YANG model in previous drafts separately, Blair each evaluated the YANG model in previous drafts separately,
and then worked together to created a ACL draft that was supported by and then worked together to created a ACL draft that was supported by
different vendors. That draft removed vendor specific features, and different vendors. That draft removed vendor specific features, and
gave examples to allow vendors to extend in their own proprietary gave examples to allow vendors to extend in their own proprietary
ACL. The earlier draft was superseded with this updated draft and ACL. The earlier draft was superseded with this updated draft and
received more participation from many vendors. received more participation from many vendors.
Authors would like to thank Jason Sterne, Lada Lhotka, Juergen Authors would like to thank Jason Sterne, Lada Lhotka, Juergen
Schoenwalder, and David Bannister for their review of and suggestions Schoenwalder, David Bannister, and Jeff Haas for their review of and
to the draft. suggestions to the draft.
8. Open Issues 8. Open Issues
o The current model does not support the concept of "containers" o The current model does not support the concept of "containers"
used to contain multiple addresses per rule entry. used to contain multiple addresses per rule entry.
o The model defines 'ether-type' node as a string. Ideally, this
should be a well defined list of all Ethernet Types assigned by
IEEE.
9. References 9. References
9.1. Normative References 9.1. Normative References
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, <https://www.rfc- DOI 10.17487/RFC3688, January 2004,
editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020, the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010, <https://www.rfc- DOI 10.17487/RFC6020, October 2010,
editor.org/info/rfc6020>. <https://www.rfc-editor.org/info/rfc6020>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.rfc-editor.org/info/rfc6242>.
[RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration
Protocol (NETCONF) Access Control Model", RFC 6536, Protocol (NETCONF) Access Control Model", RFC 6536,
DOI 10.17487/RFC6536, March 2012, <https://www.rfc- DOI 10.17487/RFC6536, March 2012,
editor.org/info/rfc6536>. <https://www.rfc-editor.org/info/rfc6536>.
9.2. Informative References 9.2. Informative References
[I-D.ietf-netmod-yang-tree-diagrams] [I-D.ietf-netmod-yang-tree-diagrams]
Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft- Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft-
ietf-netmod-yang-tree-diagrams-01 (work in progress), June ietf-netmod-yang-tree-diagrams-01 (work in progress), June
2017. 2017.
[RFC5101] Claise, B., Ed., "Specification of the IP Flow Information [RFC5101] Claise, B., Ed., "Specification of the IP Flow Information
Export (IPFIX) Protocol for the Exchange of IP Traffic Export (IPFIX) Protocol for the Exchange of IP Traffic
skipping to change at page 36, line 50 skipping to change at page 40, line 50
| +--:(v4-lower-bound) | +--:(v4-lower-bound)
| | +--rw v4-lower-bound? inet:ipv4-prefix | | +--rw v4-lower-bound? inet:ipv4-prefix
| +--:(v4-upper-bound) | +--:(v4-upper-bound)
| +--rw v4-upper-bound? inet:ipv4-prefix | +--rw v4-upper-bound? inet:ipv4-prefix
+--rw (ipv6-range)? +--rw (ipv6-range)?
+--:(v6-lower-bound) +--:(v6-lower-bound)
| +--rw v6-lower-bound? inet:ipv6-prefix | +--rw v6-lower-bound? inet:ipv6-prefix
+--:(v6-upper-bound) +--:(v6-upper-bound)
+--rw v6-upper-bound? inet:ipv6-prefix +--rw v6-upper-bound? inet:ipv6-prefix
file "example-ext-route-filter@2017-09-12.yang" file "example-ext-route-filter@2017-10-03.yang"
module example-ext-route-filter { module example-ext-route-filter {
namespace "urn:ietf:params:xml:ns:yang:example-ext-route-filter"; namespace "urn:ietf:params:xml:ns:yang:example-ext-route-filter";
prefix example-ext-route-filter; prefix example-ext-route-filter;
import ietf-inet-types { import ietf-inet-types {
prefix "inet"; prefix "inet";
} }
import ietf-access-control-list { import ietf-access-control-list {
prefix "ietf-acl"; prefix "ietf-acl";
} }
skipping to change at page 37, line 27 skipping to change at page 41, line 27
"abc@abc.com"; "abc@abc.com";
description " description "
This module describes route filter as a collection of This module describes route filter as a collection of
match prefixes. When specifying a match prefix, you match prefixes. When specifying a match prefix, you
can specify an exact match with a particular route or can specify an exact match with a particular route or
a less precise match. You can configure either a a less precise match. You can configure either a
common action that applies to the entire list or an common action that applies to the entire list or an
action associated with each prefix. action associated with each prefix.
"; ";
revision 2017-09-12 { revision 2017-10-03 {
description description
"Creating Route-Filter extension model based on "Creating Route-Filter extension model based on
ietf-access-control-list model"; ietf-access-control-list model";
reference "Example route filter"; reference "Example route filter";
} }
augment "/ietf-acl:access-lists/ietf-acl:acl/" + augment "/ietf-acl:access-lists/ietf-acl:acl/" +
"ietf-acl:aces/ietf-acl:ace/ietf-acl:matches" { "ietf-acl:aces/ietf-acl:ace/ietf-acl:matches" {
description " description "
This module augments the matches container in the ietf-acl This module augments the matches container in the ietf-acl
skipping to change at page 38, line 32 skipping to change at page 42, line 32
"Defines the upper IPv6 prefix/prefix length"; "Defines the upper IPv6 prefix/prefix length";
} }
} }
} }
} }
} }
} }
A.2. A company proprietary module example A.2. A company proprietary module example
Access control list typically does not exist in isolation. Instead,
they are associated with a certain scope in which they are applied,
for example, an interface of a set of interfaces. How to attach an
access control list to an interface (or other system artifact) is
outside the scope of this model, as it depends on the specifics of
the system model that is being applied. However, in general, the
general design pattern will involved adding a data node with a
reference, or set of references, to ACLs that are to be applied to
the interface. For this purpose, the type definition "access-
control-list-ref" can be used.
Module "example-newco-acl" is an example of company proprietary model Module "example-newco-acl" is an example of company proprietary model
that augments "ietf-acl" module. It shows how to use 'augment' with that augments "ietf-acl" module. It shows how to use 'augment' with
an XPath expression to add additional match criteria, action an XPath expression to add additional match criteria, action
criteria, and default actions when no ACE matches found, as well how criteria, and default actions when no ACE matches found. All these
to attach an Access Control List to an interface. All these are are company proprietary extensions or system feature extensions.
company proprietary extensions or system feature extensions.
"example-newco-acl" is just an example and it is expected from "example-newco-acl" is just an example and it is expected from
vendors to create their own proprietary models. vendors to create their own proprietary models.
The following figure is the tree structure of example-newco-acl. In The following figure is the tree structure of example-newco-acl. In
this example, /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:aces/ietf- this example, /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:aces/ietf-
acl:ace/ietf-acl:matches are augmented with two new choices, acl:ace/ietf-acl:matches are augmented with two new choices,
protocol-payload-choice and metadata. The protocol-payload-choice protocol-payload-choice and metadata. The protocol-payload-choice
uses a grouping with an enumeration of all supported protocol values. uses a grouping with an enumeration of all supported protocol values.
Metadata matches apply to fields associated with the packet but not Metadata matches apply to fields associated with the packet but not
in the packet header such as input interface or overall packet in the packet header such as overall packet length. In other
length. In other example, /ietf-acl:access-lists/ietf-acl:acl/ietf- example, /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:aces/ietf-
acl:aces/ietf-acl:ace/ietf-acl:actions are augmented with new choice acl:ace/ietf-acl:actions are augmented with new choice of actions.
of actions.
module: example-newco-acl module: example-newco-acl
augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:aces/ietf-acl:ac augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:aces/ietf-acl:ac
e/ietf-acl:matches: e/ietf-acl:matches:
+--rw (protocol-payload-choice)? +--rw (protocol-payload-choice)?
| +--:(protocol-payload) | +--:(protocol-payload)
| +--rw protocol-payload* [value-keyword] | +--rw protocol-payload* [value-keyword]
| +--rw value-keyword enumeration | +--rw value-keyword enumeration
+--rw (metadata)? +--rw (metadata)?
+--:(interface-name) +--:(packet-length)
+--rw interface-name* [input-interface] +--rw packet-length? uint16
+--rw input-interface ietf-if:interface-ref
augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:aces/ietf-acl:ac augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:aces/ietf-acl:ac
e/ietf-acl:actions: e/ietf-acl:actions:
+--rw (action)? +--rw (action)?
+--:(count) +--:(count)
| +--rw count? string | +--rw count? string
+--:(policer) +--:(policer)
| +--rw policer? string | +--rw policer? string
+--:(hiearchical-policer) +--:(hiearchical-policer)
+--rw hierarchitacl-policer? string +--rw hierarchitacl-policer? string
augment /ietf-acl:access-lists/ietf-acl:acl: augment /ietf-acl:access-lists/ietf-acl:acl:
+--rw default-actions +--rw default-actions
+--rw deny? empty +--rw deny? empty
augment /ietf-if:interfaces/ietf-if:interface:
+--rw acl
+--rw acl-name? ietf-acl:acl-ref
+--ro match-counter? yang:counter64
+--rw (direction)?
+--:(in)
| +--rw in? empty
+--:(out)
+--rw out? empty
augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:aces/ietf-acl:ac
e/ietf-acl:ace-oper-data:
+--ro targets
+--ro (interface)?
+--:(interface-name)
+--ro interface-name* ietf-if:interface-ref
module example-newco-acl { module example-newco-acl {
yang-version 1.1; yang-version 1.1;
namespace "urn:newco:params:xml:ns:yang:example-newco-acl"; namespace "urn:newco:params:xml:ns:yang:example-newco-acl";
prefix example-newco-acl; prefix example-newco-acl;
import ietf-access-control-list { import ietf-access-control-list {
prefix "ietf-acl"; prefix "ietf-acl";
} }
import ietf-interfaces {
prefix "ietf-if";
}
import ietf-yang-types {
prefix yang;
}
organization organization
"Newco model group."; "Newco model group.";
contact contact
"abc@newco.com"; "abc@newco.com";
description description
"This YANG module augments IETF ACL Yang."; "This YANG module augments IETF ACL Yang.";
revision 2017-09-12 { revision 2017-10-03 {
description description
"Creating NewCo proprietary extensions to ietf-acl model"; "Creating NewCo proprietary extensions to ietf-acl model";
reference reference
"RFC XXXX: Network Access Control List (ACL) "RFC XXXX: Network Access Control List (ACL)
YANG Data Model"; YANG Data Model";
} }
augment "/ietf-acl:access-lists/ietf-acl:acl/" + augment "/ietf-acl:access-lists/ietf-acl:acl/" +
"ietf-acl:aces/ietf-acl:ace/" + "ietf-acl:aces/ietf-acl:ace/" +
skipping to change at page 41, line 48 skipping to change at page 44, line 24
list protocol-payload { list protocol-payload {
key value-keyword; key value-keyword;
ordered-by user; ordered-by user;
description "Match protocol payload"; description "Match protocol payload";
uses match-simple-payload-protocol-value; uses match-simple-payload-protocol-value;
} }
} }
choice metadata { choice metadata {
description "Newco proprietary interface match condition"; description "Newco proprietary interface match condition";
list interface-name { leaf packet-length {
key input-interface; type uint16;
ordered-by user; description "Match on packet length";
description "Match interface name";
uses metadata;
} }
} }
} }
augment "/ietf-acl:access-lists/ietf-acl:acl/" + augment "/ietf-acl:access-lists/ietf-acl:acl/" +
"ietf-acl:aces/ietf-acl:ace/" + "ietf-acl:aces/ietf-acl:ace/" +
"ietf-acl:actions" { "ietf-acl:actions" {
description "Newco proprietary simple filter actions"; description "Newco proprietary simple filter actions";
choice action { choice action {
description ""; description "";
skipping to change at page 43, line 4 skipping to change at page 45, line 25
description "Newco proprietary default action"; description "Newco proprietary default action";
container default-actions { container default-actions {
description description
"Actions that occur if no access-list entry is matched."; "Actions that occur if no access-list entry is matched.";
leaf deny { leaf deny {
type empty; type empty;
description ""; description "";
} }
} }
} }
grouping metadata {
description
"Fields associated with a packet which are not in
the header.";
leaf input-interface {
type ietf-if:interface-ref {
require-instance false;
}
description
"Packet was received on this interface";
}
}
grouping match-simple-payload-protocol-value { grouping match-simple-payload-protocol-value {
description "Newco proprietary payload"; description "Newco proprietary payload";
leaf value-keyword { leaf value-keyword {
type enumeration { type enumeration {
enum icmp { enum icmp {
description "Internet Control Message Protocol"; description "Internet Control Message Protocol";
} }
enum icmp6 { enum icmp6 {
description "Internet Control Message Protocol Version 6"; description "Internet Control Message Protocol Version 6";
} }
enum range { enum range {
description "Range of values"; description "Range of values";
} }
} }
description "(null)"; description "(null)";
} }
} }
augment "/ietf-if:interfaces/ietf-if:interface" {
description "Apply ACL to interfaces";
container acl {
description "ACL related properties.";
leaf acl-name {
type ietf-acl:acl-ref;
description "Access Control List name.";
}
leaf match-counter {
type yang:counter64;
config false;
description
"Total match count for Access Control
List on this interface";
}
choice direction {
description "Applying ACL in which traffic direction";
leaf in {
type empty;
description "Inbound traffic";
}
leaf out {
type empty;
description "Outbound traffic";
}
}
}
}
augment "/ietf-acl:access-lists/ietf-acl:acl/" +
"ietf-acl:aces/ietf-acl:ace/" +
"ietf-acl:ace-oper-data" {
description
"This is an example on how to apply acl to a target to collect
operational data";
container targets {
description "To which object is the ACL attached to";
choice interface {
description
"Access Control List was attached to this interface";
leaf-list interface-name{
type ietf-if:interface-ref {
require-instance true;
}
description "Attached to this interface name";
}
}
}
}
} }
Draft authors expect that different vendors will provide their own Draft authors expect that different vendors will provide their own
yang models as in the example above, which is the augmentation of the yang models as in the example above, which is the augmentation of the
base model base model
A.3. Linux nftables A.3. Linux nftables
As Linux platform is becoming more popular as networking platform, As Linux platform is becoming more popular as networking platform,
the Linux data model is changing. Previously ACLs in Linux were the Linux data model is changing. Previously ACLs in Linux were
skipping to change at page 45, line 30 skipping to change at page 46, line 39
chain input { chain input {
ip protocol tcp ip saddr 10.10.10.1/24 drop ip protocol tcp ip saddr 10.10.10.1/24 drop
} }
} }
We can see that there are many similarities between Linux nftables
and the IETF ACL YANG data model and its extension models. It should be
fairly easy to translate between the ACL YANG model described in
this draft and Linux nftables.
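The translation claimed above, carried through as an added example that is not part of the draft: a small Python translator that takes an ACE shaped like the draft's ietf-access-control-list module (matches/ipv4/source-ipv4-network, matches/ipv4/protocol, actions/forwarding) and emits the nftables rule shown in the nftables fragment above. The JSON layout, the protocol-number subset and the forwarding-identity mapping are assumptions made for the example; the sample ACL is constructed.

```python
"""Translate ACEs from the ACL YANG model into nftables rules.

Added illustration, not code from the draft. The ACE dicts are assumed to
follow the draft's ietf-access-control-list layout (matches/ipv4/...,
actions/forwarding); node names and the verdict mapping are assumptions.
"""
import ipaddress

# IANA protocol numbers the translator understands (assumed subset).
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Forwarding identities of the model -> nftables verdicts (assumption).
FORWARDING_VERDICTS = {"accept": "accept", "drop": "drop", "reject": "reject"}


def ace_to_nft(ace):
    """Return one nftables rule for a single ACE dict.

    Anything the translator cannot express raises ValueError instead of
    silently emitting a rule that matches more (or less) than the ACE did.
    """
    matches = ace.get("matches", {})
    unsupported = set(matches) - {"ipv4"}
    if unsupported:
        raise ValueError("unsupported match container(s): %s" % sorted(unsupported))
    ipv4 = matches.get("ipv4", {})
    terms = []
    if "protocol" in ipv4:
        proto = ipv4["protocol"]
        if proto not in PROTOCOL_NAMES:
            raise ValueError("unsupported protocol number %r" % (proto,))
        terms.append("ip protocol %s" % PROTOCOL_NAMES[proto])
    if "source-ipv4-network" in ipv4:
        # strict=False normalises host bits away (10.10.10.1/24 -> 10.10.10.0/24),
        # which is what the kernel would match on anyway.
        net = ipaddress.ip_network(ipv4["source-ipv4-network"], strict=False)
        terms.append("ip saddr %s" % net)
    if "destination-ipv4-network" in ipv4:
        net = ipaddress.ip_network(ipv4["destination-ipv4-network"], strict=False)
        terms.append("ip daddr %s" % net)
    # An identityref may be encoded with a module prefix ("module:drop");
    # accept both the prefixed and the bare spelling.
    verdict = ace["actions"]["forwarding"].split(":")[-1]
    if verdict not in FORWARDING_VERDICTS:
        raise ValueError("unsupported forwarding action %r" % verdict)
    terms.append(FORWARDING_VERDICTS[verdict])
    return " ".join(terms)


def acl_to_nft(acl, table="filter", chain="input"):
    """Render a whole ACL, ACEs in order, as an nft table definition."""
    rules = "\n".join("        " + ace_to_nft(ace) for ace in acl["aces"]["ace"])
    return "table ip %s {\n    chain %s {\n%s\n    }\n}" % (table, chain, rules)


# Constructed sample ACL in the assumed model layout.
SAMPLE_ACL = {
    "name": "sample-acl",
    "aces": {"ace": [
        {"name": "drop-tcp-from-10-net",
         "matches": {"ipv4": {"protocol": 6,
                              "source-ipv4-network": "10.10.10.1/24"}},
         "actions": {"forwarding": "ietf-access-control-list:drop"}},
        {"name": "permit-rest",
         "matches": {},
         "actions": {"forwarding": "accept"}},
    ]},
}

if __name__ == "__main__":
    print(acl_to_nft(SAMPLE_ACL))
```

The translator deliberately fails closed: a match container or protocol it does not understand aborts the translation rather than producing a broader rule, which is the failure mode to avoid when an ACL is being re-expressed on another enforcement point.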
A.4. Ethertypes
The ACL module depends on the definition of ethertypes, whose
allocation is owned by IEEE. This model is included here to enable
definition of those types until IEEE takes up the task of publishing
a model that defines them. At that time, this model can be deprecated.
<CODE BEGINS> file "ietf-ethertypes@2017-10-03.yang"
module ietf-ethertypes {
namespace "urn:ietf:params:xml:ns:yang:ietf-ethertypes";
prefix ie;
organization
"IETF NETMOD (NETCONF Data Modeling Language)";
contact
"WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org>
Editor: Mahesh Jethanandani
<mjethanandani@gmail.com>";
description
"This module contains the common definitions for the
Ethertype used by different modules. It is a
placeholder module, till such time that IEEE
starts a project to define these Ethertypes
and publishes a standard.
At that time this module can be deprecated.";
revision 2017-10-03 {
description
"Initial revision.";
reference
"RFC XXXX: IETF Ethertype YANG Data Module.";
}
typedef ethertype {
type union {
type uint16;
type enumeration {
enum ipv4 {
value 2048;
description
"Internet Protocol version 4 (IPv4) with a
hex value of 0x0800.";
reference
"RFC 791, Internet Protocol.";
}
enum arp {
value 2054;
description
"Address Resolution Protocol (ARP) with a
hex value of 0x0806.";
reference
"RFC 826 An Ethernet Address Resolution Protocol.";
}
enum wlan {
value 2114;
description
"Wake-on-LAN. Hex value of 0x0842.";
}
enum trill {
value 8947;
description
"Transparent Interconnection of Lots of Links.
Hex value of 0x22F3.";
reference
"RFC 6325 Routing Bridges (RBridges): Base Protocol
Specification.";
}
enum srp {
value 8938;
description
"Stream Reservation Protocol. Hex value of
0x22EA.";
reference
"IEEE 802.1Q-2011.";
}
enum decnet {
value 24579;
description
"DECnet Phase IV. Hex value of 0x6003.";
}
enum rarp {
value 32821;
description
"Reverse Address Resolution Protocol.
Hex value 0x8035.";
reference
"RFC 903. A Reverse Address Resolution Protocol.";
}
enum appletalk {
value 32923;
description
"Appletalk (Ethertalk). Hex value 0x809B.";
}
enum aarp {
value 33011;
description
"Appletalk Address Resolution Protocol. Hex value
of 0x80F3.";
}
enum vlan {
value 33024;
description
"VLAN-tagged frame (802.1Q) and Shortest Path
Bridging IEEE 802.1aq with NNI compatibility.
Hex value 0x8100.";
reference
"802.1Q.";
}
enum ipx {
value 33079;
description
"Internetwork Packet Exchange (IPX). Hex value
of 0x8137.";
}
enum qnx {
value 33284;
description
"QNX Qnet. Hex value of 0x8204.";
}
enum ipv6 {
value 34525;
description
"Internet Protocol Version 6 (IPv6). Hex value
of 0x86DD.";
reference
"RFC 8200, 8201.";
}
enum efc {
value 34824;
description
"Ethernet flow control using pause frames.
Hex value of 0x8808.";
reference
"IEEE Std. 802.1Qbb.";
}
enum esp {
value 34825;
description
"Ethernet Slow Protocol. Hex value of 0x8809.";
reference
"IEEE Std. 802.3-2015.";
}
enum cobranet {
value 34841;
description
"CobraNet. Hex value of 0x8819.";
}
enum mpls-unicast {
value 34887;
description
"MultiProtocol Label Switch (MPLS) unicast traffic.
Hex value of 0x8847.";
reference
"RFC 3031.";
}
enum mpls-multicast {
value 34888;
description
"MultiProtocol Label Switch (MPLS) multicast traffic.
Hex value of 0x8848.";
reference
"RFC 3031.";
}
enum pppoe-discovery {
value 34915;
description
"Point-to-Point Protocol over Ethernet. Used during
the discovery process. Hex value of 0x8863.";
reference
"RFC 2516.";
}
enum pppoe-session {
value 34916;
description
"Point-to-Point Protocol over Ethernet. Used during
session stage. Hex value of 0x8864.";
reference
"RFC 2516.";
}
enum intel-ans {
value 34925;
description
"Intel Advanced Networking Services. Hex value of
0x886D.";
}
enum jumbo-frames {
value 34928;
description
"Jumbo frames or Ethernet frames with more than
1500 bytes of payload, up to 9000 bytes. Hex value of 0x8870.";
}
enum homeplug {
value 34939;
description
"Family name for the various power line
communications. Hex value of 0x887B.";
}
enum eap {
value 34958;
description
"Extensible Authentication Protocol (EAP) over LAN. Hex value
of 0x888E.";
reference
"IEEE 802.1X";
}
enum profinet {
value 34962;
description
"PROcess FIeld Net (PROFINET). Hex value of 0x8892.";
}
enum hyperscsi {
value 34970;
description
"SCSI over Ethernet. Hex value of 0x889A.";
}
enum aoe {
value 34978;
description
"Advanced Technology Attachment (ATA) over Ethernet.
Hex value of 0x88A2.";
}
enum ethercat {
value 34980;
description
"Ethernet for Control Automation Technology (EtherCAT).
Hex value of 0x88A4.";
}
enum provider-bridging {
value 34984;
description
"Provider Bridging (802.1ad) and Shortest Path Bridging
(802.1aq). Hex value of 0x88A8.";
reference
"IEEE 802.1ad, IEEE 802.1aq.";
}
enum ethernet-powerlink {
value 34987;
description
"Ethernet Powerlink. Hex value of 0x88AB.";
}
enum goose {
value 35000;
description
"Generic Object Oriented Substation Event (GOOSE).
Hex value of 0x88B8.";
reference
"IEC/ISO 8802-2 and 8802-3.";
}
enum gse {
value 35001;
description
"Generic Substation Events. Hex value of 0x88B9.";
reference
"IEC 61850.";
}
enum sv {
value 35002;
description
"Sampled Value Transmission. Hex value of 0x88BA.";
reference
"IEC 61850.";
}
enum lldp {
value 35020;
description
"Link Layer Discovery Protocol (LLDP). Hex value of
0x88CC.";
reference
"IEEE 802.1AB.";
}
enum sercos {
value 35021;
description
"Sercos Interface. Hex value of 0x88CD.";
}
enum wsmp {
value 35036;
description
"WAVE Short Message Protocol (WSMP). Hex value of
0x88DC.";
}
enum homeplug-av-mme {
value 35041;
description
"HomePlug AV MME. Hex value of 0x88E1.";
}
enum mrp {
value 35043;
description
"Media Redundancy Protocol (MRP). Hex value of
0x88E3.";
reference
"IEC62439-2.";
}
enum macsec {
value 35045;
description
"MAC Security. Hex value of 0x88E5.";
reference
"IEEE 802.1AE.";
}
enum pbb {
value 35047;
description
"Provider Backbone Bridges (PBB). Hex value of
0x88E7.";
reference
"IEEE 802.1ah.";
}
enum cfm {
value 35074;
description
"Connectivity Fault Management (CFM). Hex value of
0x8902.";
reference
"IEEE 802.1ag.";
}
enum fcoe {
value 35078;
description
"Fiber Channel over Ethernet (FCoE). Hex value of
0x8906.";
reference
"T11 FC-BB-5.";
}
enum fcoe-ip {
value 35092;
description
"FCoE Initialization Protocol. Hex value of 0x8914.";
}
enum roce {
value 35093;
description
"RDMA over Converged Ethernet (RoCE). Hex value of
0x8915.";
}
enum tte {
value 35101;
description
"TTEthernet Protocol Control Frame (TTE). Hex value
of 0x891D.";
reference
"SAE AS6802.";
}
enum hsr {
value 35119;
description
"High-availability Seamless Redundancy (HSR). Hex
value of 0x892F.";
reference
"IEC 62439-3:2016.";
}
enum ctp {
value 36864;
description
"Ethernet Configuration Test Protocol (CTP). Hex
value of 0x9000.";
}
enum vlan-double-tagged {
value 37120;
description
"VLAN-tagged frame with double tagging. Hex value
of 0x9100.";
}
}
}
description
"The uint16 branch is a placeholder type that lets
users manage their own ethertypes not covered by the
module. Otherwise the module contains enum definitions
for the more commonly used ethertypes.";
}
}
<CODE ENDS>
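As an added example, not part of the draft or its modules, the following Python shows how a consumer of the ethertype typedef above resolves a value under the union's semantics (an enumeration name or a raw uint16) and how a filter keyed on ethertype has to read a frame: the enumeration itself lists three tag ethertypes (vlan 0x8100, provider-bridging 0x88A8, vlan-double-tagged 0x9100), and a matcher that only looks at offset 12 will compare against the tag rather than the encapsulated protocol. The name-to-value table is a subset copied from the module; the frame bytes and the decision to match on the innermost ethertype are constructed assumptions for this example.

```python
"""Resolve ietf-ethertypes union values and read a frame's ethertype
behind 802.1Q / 802.1ad tags.

Added example, not code from the draft. ETHERTYPES is a subset of the
module's enumeration; the frames below are constructed test data.
"""
import struct

# Subset of the ietf-ethertypes enumeration (name -> uint16 value).
ETHERTYPES = {
    "ipv4": 0x0800, "arp": 0x0806, "vlan": 0x8100, "ipv6": 0x86DD,
    "provider-bridging": 0x88A8, "lldp": 0x88CC, "macsec": 0x88E5,
    "vlan-double-tagged": 0x9100,
}

# Ethertypes that introduce a tag followed by another ethertype.
TAG_ETHERTYPES = {0x8100, 0x88A8, 0x9100}


def resolve_ethertype(value):
    """Apply the union's semantics: an enum name or a uint16 number."""
    if isinstance(value, str):
        if value in ETHERTYPES:
            return ETHERTYPES[value]
        try:
            value = int(value, 0)  # "2048" or "0x0800" spelled as a string
        except ValueError:
            raise ValueError("unknown ethertype name %r" % value)
    if not isinstance(value, int) or not 0 <= value <= 0xFFFF:
        raise ValueError("ethertype must be a uint16, got %r" % (value,))
    return value


def frame_ethertype(frame, max_tags=2):
    """Return (outer_ethertype, inner_ethertype, vlan_ids) for a frame.

    outer is the 16-bit field at offset 12; inner is the ethertype that
    remains after stepping over up to max_tags 802.1Q/802.1ad tags.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12
    (outer,) = struct.unpack_from("!H", frame, offset)
    ethertype, vlan_ids = outer, []
    while ethertype in TAG_ETHERTYPES:
        if len(vlan_ids) >= max_tags:
            raise ValueError("more than %d VLAN tags" % max_tags)
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # Tag = TCI (PCP/DEI/VID) followed by the next ethertype.
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)
        offset += 4
    return outer, ethertype, vlan_ids


def matches_ace_ethertype(frame, ace_value):
    """True if the frame's innermost ethertype equals the ACE's value.

    Comparing against the innermost ethertype is the assumption made here
    so that tagged and untagged frames of one protocol match the same ACE.
    """
    return frame_ethertype(frame)[1] == resolve_ethertype(ace_value)


# Constructed frames: broadcast destination, locally administered source.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("02000000aa01")
UNTAGGED_ARP = DST + SRC + b"\x08\x06" + b"\x00" * 28
TAGGED_IPV4 = DST + SRC + b"\x81\x00" + b"\x00\x64" + b"\x08\x00" + b"\x45" + b"\x00" * 19
QINQ_IPV6 = (DST + SRC + b"\x88\xa8" + b"\x03\xe8" + b"\x81\x00" + b"\x00\x64"
             + b"\x86\xdd" + b"\x60" + b"\x00" * 39)

if __name__ == "__main__":
    for name, frame in [("arp", UNTAGGED_ARP), ("tagged ipv4", TAGGED_IPV4),
                        ("qinq ipv6", QINQ_IPV6)]:
        outer, inner, vids = frame_ethertype(frame)
        print("%-12s outer=0x%04X inner=0x%04X vlans=%s" % (name, outer, inner, vids))
```

The cap on tag depth is deliberate: an unbounded loop over nested tags is a cheap way to make a matcher do unexpected work, so the parser refuses frames with more tags than the deployment expects instead of walking them.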
Authors' Addresses
Mahesh Jethanandani
Cisco Systems, Inc
Email: mjethanandani@gmail.com
Lisa Huang
General Electric