draft-ietf-netmod-acl-model-20.txt | draft-ietf-netmod-acl-model-21.txt | |||
---|---|---|---|---|
NETMOD WG M. Jethanandani | NETMOD WG M. Jethanandani | |||
Internet-Draft VMware | Internet-Draft VMware | |||
Intended status: Standards Track S. Agarwal | Intended status: Standards Track S. Agarwal | |||
Expires: April 4, 2019 Cisco Systems, Inc. | Expires: May 10, 2019 Cisco Systems, Inc. | |||
L. Huang | L. Huang | |||
D. Blair | D. Blair | |||
October 1, 2018 | November 6, 2018 | |||
Network Access Control List (ACL) YANG Data Model | Network Access Control List (ACL) YANG Data Model | |||
draft-ietf-netmod-acl-model-20 | draft-ietf-netmod-acl-model-21 | |||
Abstract | Abstract | |||
This document defines a data model for Access Control List (ACL). An | This document defines a data model for Access Control List (ACL). An | |||
ACL is a user-ordered set of rules, used to configure the forwarding | ACL is a user-ordered set of rules, used to configure the forwarding | |||
behavior in device. Each rule is used to find a match on a packet, | behavior in device. Each rule is used to find a match on a packet, | |||
and define actions that will be performed on the packet. | and define actions that will be performed on the packet. | |||
Status of This Memo | Status of This Memo | |||
skipping to change at page 1, line 37 ¶ | skipping to change at page 1, line 37 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on April 4, 2019. | This Internet-Draft will expire on May 10, 2019. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 16 ¶ | skipping to change at page 2, line 16 ¶ | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 4 | 1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 4 | |||
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
1.3. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 | 1.3. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 | |||
2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 4 | |||
3. Understanding ACL's Filters and Actions . . . . . . . . . . . 5 | 3. Understanding ACL's Filters and Actions . . . . . . . . . . . 5 | |||
3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 5 | 3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 9 | 4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
4.1. IETF Access Control List module . . . . . . . . . . . . . 9 | 4.1. IETF Access Control List module . . . . . . . . . . . . . 10 | |||
4.2. IETF Packet Fields module . . . . . . . . . . . . . . . . 24 | 4.2. IETF Packet Fields module . . . . . . . . . . . . . . . . 24 | |||
4.3. ACL Examples . . . . . . . . . . . . . . . . . . . . . . 37 | 4.3. ACL Examples . . . . . . . . . . . . . . . . . . . . . . 37 | |||
4.4. Port Range Usage and Other Examples . . . . . . . . . . . 39 | 4.4. Port Range Usage and Other Examples . . . . . . . . . . . 39 | |||
5. Security Considerations . . . . . . . . . . . . . . . . . . . 43 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 43 | |||
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44 | |||
6.1. URI Registration . . . . . . . . . . . . . . . . . . . . 44 | 6.1. URI Registration . . . . . . . . . . . . . . . . . . . . 44 | |||
6.2. YANG Module Name Registration . . . . . . . . . . . . . . 44 | 6.2. YANG Module Name Registration . . . . . . . . . . . . . . 44 | |||
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 45 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 45 | |||
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 45 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 45 | |||
8.1. Normative References . . . . . . . . . . . . . . . . . . 45 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 45 | |||
skipping to change at page 3, line 45 ¶ | skipping to change at page 3, line 45 ¶ | |||
summarizes all of the substitutions that are needed. Please note | summarizes all of the substitutions that are needed. Please note | |||
that no other RFC Editor instructions are specified anywhere else in | that no other RFC Editor instructions are specified anywhere else in | |||
this document. | this document. | |||
Artwork in this document contains shorthand references to drafts in | Artwork in this document contains shorthand references to drafts in | |||
progress. Please apply the following replacements | progress. Please apply the following replacements | |||
o "XXXX" --> the assigned RFC value for this draft both in this | o "XXXX" --> the assigned RFC value for this draft both in this | |||
draft and in the YANG models under the revision statement. | draft and in the YANG models under the revision statement. | |||
o Revision date in model, in the format 2018-10-01 needs to get | o Revision date in model, in the format 2018-11-06 needs to get | |||
updated with the date the draft gets approved. The date also | updated with the date the draft gets approved. The date also | |||
needs to get reflected on the line with <CODE BEGINS>. | needs to get reflected on the line with <CODE BEGINS>. | |||
1.1. Definitions and Acronyms | 1.1. Definitions and Acronyms | |||
ACE: Access Control Entry | ACE: Access Control Entry | |||
ACL: Access Control List | ACL: Access Control List | |||
CoS: Class of Service | CoS: Class of Service | |||
skipping to change at page 4, line 47 ¶ | skipping to change at page 4, line 47 ¶ | |||
capitals, as shown here. | capitals, as shown here. | |||
1.3. Tree Diagram | 1.3. Tree Diagram | |||
For a reference to the annotations used in tree diagrams included in | For a reference to the annotations used in tree diagrams included in | |||
this draft, please see YANG Tree Diagrams [RFC8340]. | this draft, please see YANG Tree Diagrams [RFC8340]. | |||
2. Problem Statement | 2. Problem Statement | |||
This document defines a YANG 1.1 [RFC7950] data model for the | This document defines a YANG 1.1 [RFC7950] data model for the | |||
configuration of ACLs. It is very important that model can be used | configuration of ACLs. The model defines matching rules for commonly | |||
easily by application/attachment models. | used protocols such as, Ethernet, IPv4, IPv6, TCP, UDP and ICMP. If | |||
more protocols need to be supported in the future, this base model | ||||
can be augmented. An example of such an augmentation can be seen in | ||||
the Appendix. | ||||
ACL implementations in every device may vary greatly in terms of the | ACL implementations in every device may vary greatly in terms of the | |||
filter constructs and actions that they support. Therefore this | filter constructs and actions that they support. Therefore, this | |||
draft proposes a model that can be augmented by standard extensions | draft proposes a model that can be augmented by standard extensions | |||
and vendor proprietary models. | and vendor proprietary models. | |||
3. Understanding ACL's Filters and Actions | 3. Understanding ACL's Filters and Actions | |||
Although different vendors have different ACL data models, there is a | Although different vendors have different ACL data models, there is a | |||
common understanding of what Access Control List (ACL) is. A network | common understanding of what Access Control List (ACL) is. A network | |||
system usually has a list of ACLs, and each ACL contains an ordered | system usually has a list of ACLs, and each ACL contains an ordered | |||
list of rules, also known as Access Control Entries (ACE). Each ACE | list of rules, also known as Access Control Entries (ACE). Each ACE | |||
has a group of match criteria and a group of actions. The match | has a group of match criteria and a group of actions. The match | |||
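Review bot: the new Problem Statement text in -21 has a stray comma after "such as" ("such as, Ethernet, IPv4, IPv6, TCP, UDP and ICMP"); drop it. The pointer "can be seen in the Appendix" is also imprecise, since the draft has several appendix sections (A.3 Ethertypes is visible below); cite the specific appendix section that holds the Newco augmentation example.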
skipping to change at page 10, line 32 ¶ | skipping to change at page 10, line 40 ¶ | |||
ability for ACLs to be attached to a particular interface. | ability for ACLs to be attached to a particular interface. | |||
Statistics in the ACL can be collected for an "ace" or for an | Statistics in the ACL can be collected for an "ace" or for an | |||
"interface". The feature statements defined for statistics can be | "interface". The feature statements defined for statistics can be | |||
used to determine whether statistics are being collected per "ace", | used to determine whether statistics are being collected per "ace", | |||
or per "interface". | or per "interface". | |||
This module imports definitions from Common YANG Data Types | This module imports definitions from Common YANG Data Types | |||
[RFC6991], and A YANG Data Model for Interface Management [RFC8343]. | [RFC6991], and A YANG Data Model for Interface Management [RFC8343]. | |||
<CODE BEGINS> file "ietf-access-control-list@2018-10-01.yang" | <CODE BEGINS> file "ietf-access-control-list@2018-11-06.yang" | |||
module ietf-access-control-list { | module ietf-access-control-list { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; | namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; | |||
prefix acl; | prefix acl; | |||
import ietf-yang-types { | import ietf-yang-types { | |||
prefix yang; | prefix yang; | |||
reference | reference | |||
"RFC 6991 - Common YANG Data Types."; | "RFC 6991 - Common YANG Data Types."; | |||
skipping to change at page 11, line 28 ¶ | skipping to change at page 11, line 35 ¶ | |||
mjethanandani@gmail.com | mjethanandani@gmail.com | |||
Editor: Lisa Huang | Editor: Lisa Huang | |||
lyihuang16@gmail.com | lyihuang16@gmail.com | |||
Editor: Sonal Agarwal | Editor: Sonal Agarwal | |||
sagarwal12@gmail.com | sagarwal12@gmail.com | |||
Editor: Dana Blair | Editor: Dana Blair | |||
dblair@cisco.com"; | dblair@cisco.com"; | |||
description | description | |||
"This YANG module defines a component that describe the | "This YANG module defines a component that describe the | |||
configuration of Access Control Lists (ACLs). | configuration and monitoring of Access Control Lists (ACLs). | |||
Copyright (c) 2018 IETF Trust and the persons identified as | Copyright (c) 2018 IETF Trust and the persons identified as | |||
the document authors. All rights reserved. | the document authors. All rights reserved. | |||
Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
to the license terms contained in, the Simplified BSD | to the license terms contained in, the Simplified BSD | |||
License set forth in Section 4.c of the IETF Trust's Legal | License set forth in Section 4.c of the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC XXXX; see | This version of this YANG module is part of RFC XXXX; see | |||
the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
revision 2018-10-01 { | revision 2018-11-06 { | |||
description | description | |||
"Initial version."; | "Initial version."; | |||
reference | reference | |||
"RFC XXX: Network Access Control List (ACL) YANG Data Model."; | "RFC XXX: Network Access Control List (ACL) YANG Data Model."; | |||
} | } | |||
/* | /* | |||
* Identities | * Identities | |||
*/ | */ | |||
/* | /* | |||
* Forwarding actions for a packet | * Forwarding actions for a packet | |||
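Review bot: the revision statement's reference reads "RFC XXX:" (three X's), while the RFC Editor instruction in Section 1 asks for "XXXX" to be replaced with the assigned RFC number; a replacement of "XXXX" will miss this line, so change it to "RFC XXXX: Network Access Control List (ACL) YANG Data Model." here. The same three-X form appears in the ietf-packet-fields revision statement and should be fixed there too.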
skipping to change at page 17, line 44 ¶ | skipping to change at page 18, line 4 ¶ | |||
If an implementation only supports ACL counters per entry | If an implementation only supports ACL counters per entry | |||
(i.e., not broken out per interface), then the value | (i.e., not broken out per interface), then the value | |||
should be equal to the aggregate count across all interfaces. | should be equal to the aggregate count across all interfaces. | |||
An implementation that provides counters per entry per | An implementation that provides counters per entry per | |||
interface is not required to also provide an aggregate count, | interface is not required to also provide an aggregate count, | |||
e.g., per entry -- the user is expected to be able implement | e.g., per entry -- the user is expected to be able implement | |||
the required aggregation if such a count is needed."; | the required aggregation if such a count is needed."; | |||
} | } | |||
} | } | |||
/* | /* | |||
* Configuration data nodes | * Configuration and monitoring data nodes | |||
*/ | */ | |||
container acls { | container acls { | |||
description | description | |||
"This is a top level container for Access Control Lists. | "This is a top level container for Access Control Lists. | |||
It can have one or more acl nodes."; | It can have one or more acl nodes."; | |||
list acl { | list acl { | |||
key "name"; | key "name"; | |||
description | description | |||
"An Access Control List (ACL) is an ordered list of | "An Access Control List (ACL) is an ordered list of | |||
Access Control Entries (ACE). Each ACE has a | Access Control Entries (ACE). Each ACE has a | |||
list of match criteria and a list of actions. | list of match criteria and a list of actions. | |||
Since there are several kinds of Access Control Lists | Since there are several kinds of Access Control Lists | |||
implemented with different attributes for | implemented with different attributes for | |||
different vendors, this model accommodates customizing | different vendors, this model accommodates customizing | |||
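Review bot: the counter description in this region is missing a word: "the user is expected to be able implement the required aggregation" should read "to be able to implement". The text is unchanged from -20, but since the module is being re-issued with a new revision date it is worth correcting in the same pass.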
skipping to change at page 25, line 7 ¶ | skipping to change at page 25, line 15 ¶ | |||
within container "matches" in ietf-access-control-list.yang model. | within container "matches" in ietf-access-control-list.yang model. | |||
This module imports definitions from Common YANG Data Types [RFC6991] | This module imports definitions from Common YANG Data Types [RFC6991] | |||
and references IP [RFC0791], ICMP [RFC0792], TCP [RFC0793], | and references IP [RFC0791], ICMP [RFC0792], TCP [RFC0793], | |||
Definition of the Differentiated Services Field in the IPv4 and IPv6 | Definition of the Differentiated Services Field in the IPv4 and IPv6 | |||
Headers [RFC2474], The Addition of Explicit Congestion Notification | Headers [RFC2474], The Addition of Explicit Congestion Notification | |||
(ECN) to IP [RFC3168], , IPv6 Scoped Address Architecture [RFC4007], | (ECN) to IP [RFC3168], , IPv6 Scoped Address Architecture [RFC4007], | |||
IPv6 Addressing Architecture [RFC4291], A Recommendation for IPv6 | IPv6 Addressing Architecture [RFC4291], A Recommendation for IPv6 | |||
Address Text Representation [RFC5952], IPv6 [RFC8200]. | Address Text Representation [RFC5952], IPv6 [RFC8200]. | |||
<CODE BEGINS> file "ietf-packet-fields@2018-10-01.yang" | <CODE BEGINS> file "ietf-packet-fields@2018-11-06.yang" | |||
module ietf-packet-fields { | module ietf-packet-fields { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; | namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; | |||
prefix packet-fields; | prefix packet-fields; | |||
import ietf-inet-types { | import ietf-inet-types { | |||
prefix inet; | prefix inet; | |||
reference | reference | |||
"RFC 6991 - Common YANG Data Types."; | "RFC 6991 - Common YANG Data Types."; | |||
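Review bot: the list of referenced documents for the packet-fields module has a doubled comma: "(ECN) to IP [RFC3168], , IPv6 Scoped Address Architecture [RFC4007]"; remove the extra one.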
skipping to change at page 26, line 19 ¶ | skipping to change at page 26, line 28 ¶ | |||
Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
to the license terms contained in, the Simplified BSD | to the license terms contained in, the Simplified BSD | |||
License set forth in Section 4.c of the IETF Trust's Legal | License set forth in Section 4.c of the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC XXXX; see | This version of this YANG module is part of RFC XXXX; see | |||
the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
revision 2018-10-01 { | revision 2018-11-06 { | |||
description | description | |||
"Initial version."; | "Initial version."; | |||
reference | reference | |||
"RFC XXX: Network Access Control List (ACL) YANG Data Model."; | "RFC XXX: Network Access Control List (ACL) YANG Data Model."; | |||
} | } | |||
/* | /* | |||
* Typedefs | * Typedefs | |||
*/ | */ | |||
typedef operator { | typedef operator { | |||
skipping to change at page 48, line 41 ¶ | skipping to change at page 48, line 41 ¶ | |||
} | } | |||
organization | organization | |||
"Newco model group."; | "Newco model group."; | |||
contact | contact | |||
"abc@newco.com"; | "abc@newco.com"; | |||
description | description | |||
"This YANG module augments IETF ACL Yang."; | "This YANG module augments IETF ACL Yang."; | |||
revision 2018-10-01 { | revision 2018-11-06 { | |||
description | description | |||
"Creating NewCo proprietary extensions to ietf-acl model"; | "Creating NewCo proprietary extensions to ietf-acl model"; | |||
reference | reference | |||
"RFC XXXX: Network Access Control List (ACL) | "RFC XXXX: Network Access Control List (ACL) | |||
YANG Data Model"; | YANG Data Model"; | |||
} | } | |||
augment "/acl:acls/acl:acl/" + | augment "/acl:acls/acl:acl/" + | |||
"acl:aces/acl:ace/" + | "acl:aces/acl:ace/" + | |||
skipping to change at page 52, line 24 ¶ | skipping to change at page 52, line 24 ¶ | |||
this draft and Linux nftables. | this draft and Linux nftables. | |||
A.3. Ethertypes | A.3. Ethertypes | |||
The ACL module is dependent on the definition of ethertypes. IEEE | The ACL module is dependent on the definition of ethertypes. IEEE | |||
owns the allocation of those ethertypes. This model is being | owns the allocation of those ethertypes. This model is being | |||
included here to enable definition of those types till such time that | included here to enable definition of those types till such time that | |||
IEEE takes up the task of publication of the model that defines those | IEEE takes up the task of publication of the model that defines those | |||
ethertypes. At that time, this model can be deprecated. | ethertypes. At that time, this model can be deprecated. | |||
<CODE BEGINS> file "ietf-ethertypes@2018-10-01.yang" | <CODE BEGINS> file "ietf-ethertypes@2018-11-06.yang" | |||
module ietf-ethertypes { | module ietf-ethertypes { | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-ethertypes"; | namespace "urn:ietf:params:xml:ns:yang:ietf-ethertypes"; | |||
prefix ethertypes; | prefix ethertypes; | |||
organization | organization | |||
"IETF NETMOD (NETCONF Data Modeling Language)"; | "IETF NETMOD (NETCONF Data Modeling Language)"; | |||
contact | contact | |||
"WG Web: <http://tools.ietf.org/wg/netmod/> | "WG Web: <http://tools.ietf.org/wg/netmod/> | |||
skipping to change at page 52, line 49 ¶ | skipping to change at page 52, line 49 ¶ | |||
description | description | |||
"This module contains the common definitions for the | "This module contains the common definitions for the | |||
Ethertype used by different modules. It is a | Ethertype used by different modules. It is a | |||
placeholder module, till such time that IEEE | placeholder module, till such time that IEEE | |||
starts a project to define these Ethertypes | starts a project to define these Ethertypes | |||
and publishes a standard. | and publishes a standard. | |||
At that time this module can be deprecated."; | At that time this module can be deprecated."; | |||
revision 2018-10-01 { | revision 2018-11-06 { | |||
description | description | |||
"Initial revision."; | "Initial revision."; | |||
reference | reference | |||
"RFC XXXX: IETF Ethertype YANG Data Module."; | "RFC XXXX: IETF Ethertype YANG Data Module."; | |||
} | } | |||
typedef ethertype { | typedef ethertype { | |||
type union { | type union { | |||
type uint16; | type uint16; | |||
skipping to change at page 55, line 26 ¶ | skipping to change at page 55, line 26 ¶ | |||
enum esp { | enum esp { | |||
value 34825; | value 34825; | |||
description | description | |||
"Ethernet Slow Protocol. Hex value of 0x8809."; | "Ethernet Slow Protocol. Hex value of 0x8809."; | |||
reference | reference | |||
"IEEE Std. 802.3-2015"; | "IEEE Std. 802.3-2015"; | |||
} | } | |||
enum cobranet { | enum cobranet { | |||
value 34841; | value 34841; | |||
description | description | |||
"CobraNet. Hex value of 0x"; | "CobraNet. Hex value of 0x8819"; | |||
} | } | |||
enum mpls-unicast { | enum mpls-unicast { | |||
value 34887; | value 34887; | |||
description | description | |||
"MultiProtocol Label Switch (MPLS) unicast traffic. | "MultiProtocol Label Switch (MPLS) unicast traffic. | |||
Hex value of 0x8847."; | Hex value of 0x8847."; | |||
reference | reference | |||
"RFC 3031: Multiprotocol Label Switching Architecture."; | "RFC 3031: Multiprotocol Label Switching Architecture."; | |||
} | } | |||
enum mpls-multicast { | enum mpls-multicast { | |||
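Review bot: the cobranet enum now correctly states "Hex value of 0x8819" (34841 decimal, matching the value statement), but unlike the neighbouring esp and mpls-unicast enums it carries no reference substatement; add one for consistency with the other entries in the ethertype union, and end the description string with a period as the others do.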
End of changes. 21 change blocks. | ||||
22 lines changed or deleted | 26 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |