draft-ietf-netmod-acl-model-02.txt   draft-ietf-netmod-acl-model-03.txt 
NETMOD WG D. Bogdanovic NETMOD WG D. Bogdanovic
Internet-Draft Juniper Networks Internet-Draft Juniper Networks
Intended status: Standards Track K. Sreenivasa Intended status: Standards Track K. Sreenivasa
Expires: September 6, 2015 Brocade Communications System Expires: December 27, 2015 Brocade Communications System
L. Huang L. Huang
Juniper Networks
D. Blair D. Blair
Cisco Systems Cisco Systems
March 5, 2015 June 25, 2015
Network Access Control List (ACL) YANG Data Model Network Access Control List (ACL) YANG Data Model
draft-ietf-netmod-acl-model-02 draft-ietf-netmod-acl-model-03
Abstract Abstract
This document describes a data model of Access Control List (ACL) This document describes a data model of Access Control List (ACL)
basic building blocks. basic building blocks.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 35 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 6, 2015. This Internet-Draft will expire on December 27, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 12 skipping to change at page 2, line 12
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 3 1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 3
2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3
3. Design of the ACL Model . . . . . . . . . . . . . . . . . . . 3 3. Design of the ACL Model . . . . . . . . . . . . . . . . . . . 4
3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 4 3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 4
4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 5 4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. IETF-ACL module . . . . . . . . . . . . . . . . . . . . . 5 4.1. IETF Access Contorl List module . . . . . . . . . . . . . 6
4.2. IETF-PACKET-FIELDS module . . . . . . . . . . . . . . . . 11 4.2. IETF-PACKET-FIELDS module . . . . . . . . . . . . . . . . 10
4.3. An ACL Example . . . . . . . . . . . . . . . . . . . . . 16 4.3. An ACL Example . . . . . . . . . . . . . . . . . . . . . 15
4.4. Port Range Usage Example . . . . . . . . . . . . . . . . 17 4.4. Port Range Usage Example . . . . . . . . . . . . . . . . 16
5. Linux nftables . . . . . . . . . . . . . . . . . . . . . . . 17 5. Linux nftables . . . . . . . . . . . . . . . . . . . . . . . 17
6. Security Considerations . . . . . . . . . . . . . . . . . . . 18 6. Security Considerations . . . . . . . . . . . . . . . . . . . 18
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 19
9.1. Normative References . . . . . . . . . . . . . . . . . . 19 9.1. Normative References . . . . . . . . . . . . . . . . . . 19
9.2. Informative References . . . . . . . . . . . . . . . . . 19 9.2. Informative References . . . . . . . . . . . . . . . . . 19
Appendix A. Extending ACL model examples . . . . . . . . . . . . 20 Appendix A. Extending ACL model examples . . . . . . . . . . . . 20
A.1. Example of extending existing model for route filtering . 20 A.1. Example of extending existing model for route filtering . 20
A.2. A company proprietary module example . . . . . . . . . . 22 A.2. A company proprietary module example . . . . . . . . . . 22
A.3. Attaching Access Control List to interfaces . . . . . . . 25 A.3. Attaching Access Control List to interfaces . . . . . . . 24
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26
1. Introduction 1. Introduction
Access Control List (ACL) is one of the basic elements to configure Access Control List (ACL) is one of the basic elements to configure
device forwarding behavior. It is used in many networking concepts device forwarding behavior. It is used in many networking concepts
such as Policy Based Routing, Firewalls etc. such as Policy Based Routing, Firewalls etc.
An ACL is an ordered set of rules that is used to filter traffic on a An ACL is an ordered set of rules that is used to filter traffic on a
networking device. Each rule is represented by an Access Control networking device. Each rule is represented by an Access Control
skipping to change at page 3, line 15 skipping to change at page 3, line 15
o Metadata matches apply to fields associated with the packet but o Metadata matches apply to fields associated with the packet but
not in the packet header such as input interface or overall packet not in the packet header such as input interface or overall packet
length length
The actions specify what to do with the packet when the matching The actions specify what to do with the packet when the matching
criteria is met. These actions are any operations that would apply criteria is met. These actions are any operations that would apply
to the packet, such as counting, policing, or simply forwarding.The to the packet, such as counting, policing, or simply forwarding.The
list of potential actions is endless depending on the innovations of list of potential actions is endless depending on the innovations of
the networked devices. the networked devices.
Access Control List is also widely knowns as ACL (pronounce as [ak-uh
l]) or Access List. In this document, Access Control List, ACL and
Access List are interchangeable.
1.1. Definitions and Acronyms 1.1. Definitions and Acronyms
ACE: Access Control Entry ACE: Access Control Entry
ACL: Access Control List ACL: Access Control List
AFI: Address Field Identifier AFI: Address Field Identifier
DSCP: Differentiated Services Code Point DSCP: Differentiated Services Code Point
skipping to change at page 3, line 45 skipping to change at page 3, line 49
TCP: Transmission Control Protocol TCP: Transmission Control Protocol
2. Problem Statement 2. Problem Statement
This document defines a YANG [RFC6020] data model for the This document defines a YANG [RFC6020] data model for the
configuration of ACLs. It is very important that model can be easily configuration of ACLs. It is very important that model can be easily
reused between vendors and between applications. reused between vendors and between applications.
ACL implementations in every device may vary greatly in terms of the ACL implementations in every device may vary greatly in terms of the
filter constructs and actions that they support. Therefore this filter constructs and actions that they support. Therefore this
draft proposes a simple model that can be augmented by vendor draft proposes a simple model that can be augmented by standard
proprietary models. extensions and vendor proprietary models.
3. Design of the ACL Model 3. Design of the ACL Model
Although different vendors have different ACL data models, there is a Although different vendors have different ACL data models, there is a
common understanding of what access control list (ACL) is. A network common understanding of what access control list (ACL) is. A network
system usually have a list of ACLs, and each ACL contains an ordered system usually have a list of ACLs, and each ACL contains an ordered
list of rules, also known as access list entries - ACEs. Each ACE list of rules, also known as access list entries - ACEs. Each ACE
has a group of match criteria and a group of action criteria. The has a group of match criteria and a group of action criteria. The
match criteria consist of packet header matching and metadata match criteria consist of packet header matching and metadata
matching. Packet header matching applies to fields visible in the matching. Packet header matching applies to fields visible in the
packet such as address or class of service or port numbers. Metadata packet such as address or class of service or port numbers. Metadata
matching applies to fields associated with the packet, but not in the matching applies to fields associated with the packet, but not in the
packet header such as input interface, packet length, or source or packet header such as input interface, packet length, or source or
destination prefix length. The actions can be any sort of operation destination prefix length. The actions can be any sort of operation
from logging to rate limiting or dropping to simply forwarding. from logging to rate limiting or dropping to simply forwarding.
Actions on the first matching ACE are applied with no processing of Actions on the first matching ACE are applied with no processing of
subsequent ACEs. The model also includes overall operational state subsequent ACEs. The model also includes a container to hold overall
for the ACL and operational state for each ACE, targets where the ACL operational state for each ACL and operational state for each ACE.
applied. One ACL can be applied to multiple targets within the One ACL can be applied to multiple targets within the device, such as
device, such as interfaces of a networked device, applications or interfaces of a networked device, applications or features running in
features running in the device, etc. When applied to interfaces of a the device, etc. When applied to interfaces of a networked device,
networked device, the ACL is applied in a direction which indicates the ACL is applied in a direction which indicates if it should be
if it should be applied to packet entering (input) or leaving the applied to packet entering (input) or leaving the device (output).
device (output). An example in the appendix shows how to express it in YNAG model.
This draft tries to address the commonalities between all vendors and This draft tries to address the commonalities between all vendors and
create a common model, which can be augmented with proprietary create a common model, which can be augmented with proprietary
models. The base model is very simple and with this design we hope models. The base model is very simple and with this design we hope
to achieve needed flexibility for each vendor to extend the base to achieve needed flexibility for each vendor to extend the base
model. model.
3.1. ACL Modules 3.1. ACL Modules
There are two YANG modules in the model. The first module, "ietf- There are two YANG modules in the model. The first module, "ietf-
acl", defines generic ACL aspects which are common to all ACLs access-control-list", defines generic ACL aspects which are common to
regardless of their type or vendor. In effect, the module can be all ACLs regardless of their type or vendor. In effect, the module
viewed as providing a generic ACL "superclass". It imports the can be viewed as providing a generic ACL "superclass". It imports
second module, "ietf-packet-fields". The match container in "ietf- the second module, "ietf-packet-fields". The match container in
acl" uses groupings in "ietf-packet-fields". The "ietf-packet- "ietf-access-control-list" uses groupings in "ietf-packet-fields".
fields" modules can easily be extended to reuse definitions from If there is a need to define new "matches" choice, such as IPFIX
other modules such as IPFIX [RFC5101] or migrate proprietary [RFC5101], the container "matches" can be augmented.
augmented module definitions into the standard module.
module: ietf-acl
+--rw access-lists
+--rw access-list* [access-control-list-name]
+--rw access-control-list-name string
+--rw access-control-list-type? access-control-list-type
+--ro access-control-list-oper-data
| +--ro (targets)?
| +--:(interface-name)
| +--ro interface-name* string
+--rw access-list-entries
+--rw access-list-entry* [rule-name]
+--rw rule-name string
+--rw matches
| +--rw (access-list-entries-type)?
| | +--:(access-list-entries-ip)
| | | +--rw source-port-range
| | | | +--rw lower-port inet:port-number
| | | | +--rw upper-port? inet:port-number
| | | +--rw destination-port-range
| | | | +--rw lower-port inet:port-number
| | | | +--rw upper-port? inet:port-number
| | | +--rw dscp? inet:dscp
| | | +--rw protocol? uint8
| | | +--rw (access-list-entries-ip-version)?
| | | +--:(access-list-entries-ipv4)
| | | | +--rw destination-ipv4-network? inet:ipv4-prefix
| | | | +--rw source-ipv4-network? inet:ipv4-prefix
| | | +--:(access-list-entries-ipv6)
| | | +--rw destination-ipv6-network? inet:ipv6-prefix
| | | +--rw source-ipv6-network? inet:ipv6-prefix
| | | +--rw flow-label? inet:ipv6-flow-label
| | +--:(access-list-entries-eth)
| | +--rw destination-mac-address? yang:mac-address
| | +--rw destination-mac-address-mask? yang:mac-address
| | +--rw source-mac-address? yang:mac-address
| | +--rw source-mac-address-mask? yang:mac-address
| +--rw input-interface? string
| +--rw absolute
| +--rw start? yang:date-and-time
| +--rw end? yang:date-and-time
| +--rw active? boolean
+--rw actions
| +--rw (packet-handling)?
| +--:(deny)
| | +--rw deny? empty
| +--:(permit)
| +--rw permit? empty
+--ro access-list-entries-oper-data
+--ro match-counter? yang:counter64
4. ACL YANG Models
4.1. IETF-ACL module
"ietf-acl" is the standard top level module for Access lists. It has
a container for "access-list" to store access list information. This
container has information identifying the access list by a name("acl-
name") and a list("access-list-entries") of rules associated with the
"acl-name". Each of the entries in the list("access-list-entries")
indexed by the string "rule-name" have containers defining "matches"
and "actions". The "matches" define criteria used to identify
patterns in "ietf-packet-fields". The "actions" define behavior to
undertake once a "match" has been identified.
<CODE BEGINS>file "ietf-acl@2015-03-04.yang"
module ietf-acl {
yang-version 1;
namespace "urn:ietf:params:xml:ns:yang:ietf-acl";
prefix access-control-list;
import ietf-yang-types {
prefix "yang";
}
import ietf-packet-fields {
prefix "packet-fields";
}
organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact
"WG Web: http://tools.ietf.org/wg/netmod/
WG List: netmod@ietf.org
WG Chair: Juergen Schoenwaelder
j.schoenwaelder@jacobs-university.de
WG Chair: Tom Nadeau
tnadeau@lucidvision.com
Editor: Dean Bogdanovic
deanb@juniper.net
Editor: Kiran Agrahara Sreenivasa
kkoushik@brocade.com
Editor: Lisa Huang
yihuan@cisco.com
Editor: Dana Blair
dblair@cisco.com";
description
"This YANG module defines a component that describing the
configuration of Access Control Lists (ACLs).
Copyright (c) 2015 IETF Trust and the persons identified as
the document authors. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this
// note.
revision 2015-03-04 {
description "Base model for Network Access Control List (ACL).";
reference
"RFC XXXX: Network Access Control List (ACL)
YANG Data Model";
}
identity access-control-list-base {
description "Base access control list type for all access control list type
identifiers.";
}
identity IP-access-control-list {
base "access-control-list:access-control-list-base";
description "IP-access control list is common name for layer 3 and 4 access
control list types. It is common among vendors to call 3-tupple or 5 tupple
IP access control lists";
}
identity eth-access-control-list {
base "access-control-list:access-control-list-base";
description "Ethernet access control list is name for layer 2 Ethernet
technology access control list types, like 10/100/1000baseT or WiFi
access control list";
}
typedef access-control-list-type {
type identityref {
base "access-control-list-base";
}
description
"This type is used to refer to an Access Control List
(ACL) type";
}
typedef access-control-list-ref {
type leafref {
path "/access-lists/access-list/access-control-list-name";
}
description "This type is used by data models that need to referenced an
access control list";
}
container access-lists {
description
"This is top level container for Access Control Lists. It can have one
or more Access Control List.";
list access-list {
key access-control-list-name;
description "An access list (acl) is an ordered list of
access list entries (ACE). Each access control entries has a
list of match criteria, and a list of actions.
Since there are several kinds of access control lists
implemented with different attributes for
each and different for each vendor, this
model accommodates customizing access control lists for
each kind and for each vendor.";
leaf access-control-list-name {
type string;
description "The name of access-list. A device MAY restrict the length
and value of this name, possibly space and special characters are not
allowed.";
}
leaf access-control-list-type {
type access-control-list-type;
description "Type of access control list. When this
type is not explicitely specified, if vendor implementation permits,
the access control entires in the list can be mixed,
by containing L2, L3 and L4 entries";
}
container access-control-list-oper-data {
config false;
description "Overall access control list operational data";
choice targets{
description "List of targets where access control list is applied";
leaf-list interface-name {
type string;
description "Interfaces where access control list is applied";
}
}
}
container access-list-entries { module: ietf-access-control-list
description "The access-list-entries container contains +--rw access-lists
a list of access-list-entry(ACE)."; +--rw acl* [acl-name]
+--ro acl-oper-data
+--rw access-list-entries
| +--rw ace* [rule-name]
| +--rw matches
| | +--rw (ace-type)?
| | | +--:(ace-ip)
| | | | +-rw (ace-ip-version)?
| | | | | +--:(ace-ipv4)
| | | | | | +--rw destination-ipv4-network? inet:ipv4-prefix
| | | | | | +--rw source-ipv4-network? inet:ipv4-prefix
| | | | | +--:(ace-ipv6)
| | | | | +--rw destination-ipv6-network? inet:ipv6-prefix
| | | | | +--rw source-ipv6-network? inet:ipv6-prefix
| | | | | +--rw flow-label? inet:ipv6-flow-label
| | | | +--rw dscp? inet:dscp
| | | | +--rw protocol? uint8
| | | | +--rw source-port-range
| | | | | +--rw lower-port? inet:port-number
| | | | | +--rw upper-port? inet:port-number
| | | | +--rw destination-port-range
| | | | +--rw lower-port? inet:port-number
| | | | +--rw upper-port? inet:port-number
| | | +--:(ace-eth)
| | | +--rw destination-mac-address? yang:mac-address
| | | +--rw destination-mac-address-mask? yang:mac-address
| | | +--rw source-mac-address? yang:mac-address
| | | +--rw source-mac-address-mask? yang:mac-address
| | +--rw input-interface? string
| | +--rw absolute-time
| | +--rw start? yang:date-and-time
| | +--rw end? yang:date-and-time
| | +--rw active? boolean
| +--rw actions
| | +--rw (packet-handling)?
| | +--:(deny)
| | | +--rw deny? empty
| | +--:(permit)
| | +--rw permit? empty
| +--ro ace-oper-data
| | +--ro match-counter? yang:counter64
| +--rw rule-name string
+--rw acl-name string
+--rw acl-type? acl-type
list access-list-entry { Figure 1
key rule-name;
ordered-by user;
description "List of access list entries(ACE)";
leaf rule-name {
type string;
description "Entry name.";
}
container matches { 4. ACL YANG Models
description "Define match criteria";
choice access-list-entries-type {
description "Type of access list entry.";
case access-list-entries-ip {
uses packet-fields:access-control-list-ip-header-fields;
choice access-list-entries-ip-version {
description "Choice of IP version.";
case access-list-entries-ipv4 {
uses packet-fields:access-control-list-ipv4-header-fields;
}
case access-list-entries-ipv6 {
uses packet-fields:access-control-list-ipv6-header-fields; 4.1. IETF Access Contorl List module
}
}
}
case access-list-entries-eth {
description "Ethernet MAC address entry.";
uses packet-fields:access-control-list-eth-header-fields;
}
}
uses packet-fields:metadata;
}
container actions { "ietf-access-control-list" is the standard top level module for
description "Define action criteria"; Access lists. The "access-lists" container stores a list of "acl".
choice packet-handling { Each "acl" has information identifying the access list by a
default deny; name("acl-name") and a list("access-list-entries") of rules
associated with the "acl-name". Each of the entries in the
list("access-list-entries"), indexed by the string "rule-name", has
containers defining "matches" and "actions". The "matches" define
criteria used to identify patterns in "ietf-packet-fields". The
"actions" define behavior to undertake once a "match" has been
identified.
description "Packet handling action."; <CODE BEGINS>file "ietf-access-control-list@2015-05-03.yang"
case deny { module ietf-access-control-list {
leaf deny { yang-version 1;
type empty; namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list";
description "Deny action."; prefix acl;
import ietf-yang-types {
prefix yang;
}
import ietf-packet-fields {
prefix packet-fields;
}
organization "IETF NETMOD (NETCONF Data Modeling Language)
Working Group";
contact
"WG Web: http://tools.ietf.org/wg/netmod/
WG List: netmod@ietf.org
WG Chair: Juergen Schoenwaelder
j.schoenwaelder@jacobs-university.de
WG Chair: Tom Nadeau
tnadeau@lucidvision.com
Editor: Dean Bogdanovic
deanb@juniper.net
Editor: Kiran Agrahara Sreenivasa
kkoushik@brocade.com
Editor: Lisa Huang
lyihuang@juniper.net
Editor: Dana Blair
dblair@cisco.com";
description
"This YANG module defines a component that describing the
configuration of Access Control Lists (ACLs).
Copyright (c) 2015 IETF Trust and the persons identified as
the document authors. All rights reserved.
} Redistribution and use in source and binary forms, with or
} without modification, is permitted pursuant to, and subject
case permit { to the license terms contained in, the Simplified BSD
leaf permit { License set forth in Section 4.c of the IETF Trust's Legal
type empty; Provisions Relating to IETF Documents
description "Permit action."; (http://trustee.ietf.org/license-info).
} This version of this YANG module is part of RFC XXXX; see
} the RFC itself for full legal notices.";
} revision 2015-03-17 {
} description
"Base model for Network Access Control List (ACL).";
reference
"RFC XXXX: Network Access Control List (ACL)
YANG Data Model";
}
identity acl-base {
description
"Base Access Control List type for all Access Control List type
identifiers.";
}
identity ip-acl {
base acl:acl-base;
description
"IP Access Control List is a common name for lists that contain
layer 3 and/or layer 4 match conditions.";
}
identity eth-acl {
base acl:acl-base;
description
"Ethernet Access Control List is name for layer 2 Ethernet
technology Access Control List types, like 10/100/1000baseT or
WiFi Access Control List";
}
typedef acl-type {
type identityref {
base acl-base;
}
description
"This type is used to refer to an Access Control List
(ACL) type";
}
typedef access-control-list-ref {
type leafref {
path "/access-lists/acl/acl-name";
}
description
"This type is used by data models that need to reference an
Access Control List";
container access-list-entries-oper-data { }
config false; container access-lists {
description
"This is a top level container for Access Control Lists.
It can have one or more Access Control Lists.";
list acl {
key "acl-name";
description
"An Access Control List(ACL) is an ordered list of
Access List Entries (ACE). Each Access Control Entry has a
list of match criteria and a list of actions.
Since there are several kinds of Access Control Lists
implemented with different attributes for
different vendors, this
model accommodates customizing Access Control Lists for
each kind and for each vendor.";
container acl-oper-data {
config false;
description
"Overall Access Control List operational data";
}
container access-list-entries {
description
"The access-list-entries container contains
a list of access-list-entries(ACE).";
list ace {
key "rule-name";
ordered-by user;
description
"List of access list entries(ACE)";
container matches {
description
"Definitions for match criteria for this Access List
Entry.";
choice ace-type {
description
"Type of access list entry.";
case ace-ip {
description "IP Access List Entry.";
choice ace-ip-version {
description
"IP version used in this Acess List Entry.";
case ace-ipv4 {
uses packet-fields:acl-ipv4-header-fields;
}
case ace-ipv6 {
uses packet-fields:acl-ipv6-header-fields;
}
description "Per access list entries operational data"; }
leaf match-counter { uses packet-fields:acl-ip-header-fields;
type yang:counter64; }
description "Number of matches for an access list entry"; case ace-eth {
} description
} "Ethernet Access List entry.";
} uses packet-fields:acl-eth-header-fields;
} }
} }
} uses packet-fields:metadata;
} }
container actions {
description
"Definitions of action criteria for this Access List
Entry.";
choice packet-handling {
default "deny";
description
"Packet handling action.";
case deny {
leaf deny {
type empty;
description
"Deny action.";
}
}
case permit {
leaf permit {
type empty;
description
"Permit action.";
}
}
}
}
container ace-oper-data {
config false;
description
"Operational data for this Access List Entry.";
leaf match-counter {
type yang:counter64;
description
"Number of matches for this Access List Entry";
}
}
leaf rule-name {
type string;
description
"A unique name identifying this Access List
Entry(ACE).";
}
}
}
leaf acl-name {
type string;
description
"The name of access-list. A device MAY restrict the length
and value of this name, possibly space and special
characters are not allowed.";
}
leaf acl-type {
type acl-type;
description
"It is recommended to have an Access Control List with
uniform access list entries, all of the same type. When
this type is not explicitly specified, if vendor
implementation permits, the access control entries
in the list can be mixed,
by containing L2, L3 and L4 entries";
}
}
}
}
<CODE ENDS>
<CODE ENDS>
4.2. IETF-PACKET-FIELDS module 4.2. IETF-PACKET-FIELDS module
The packet fields module defines the necessary groups for matching on The packet fields module defines the necessary groups for matching on
fields in the packet including ethernet, ipv4, ipv6, transport layer fields in the packet including ethernet, ipv4, ipv6, transport layer
fields and metadata. These groupings can be augmented to include fields and metadata. Since the number of match criteria is very
other proprietary matching criteria. Since the number of match large, the base draft does not include these directly but references
criteria is very large, the base draft does not include these them by "uses" to keep the base module simple. In case more match
directly but references them by "uses" to keep the base module conditions are needed, those can be added by augmenting choices
simple. within container "matches" in ietf-access-control-list.yang model
<CODE BEGINS>file "ietf-packet-fields@2015-03-04.yang"
<CODE BEGINS>file "ietf-packet-fields@2015-06-11.yang"
module ietf-packet-fields { module ietf-packet-fields {
yang-version 1; yang-version 1;
namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields";
prefix packet-fields; prefix packet-fields;
import ietf-inet-types { import ietf-inet-types {
prefix "inet"; prefix inet;
} }
import ietf-yang-types { import ietf-yang-types {
prefix "yang"; prefix yang;
} }
organization "IETF NETMOD (NETCONF Data Modeling Language) Working
organization Group";
"IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: http://tools.ietf.org/wg/netmod/ "WG Web: http://tools.ietf.org/wg/netmod/
WG List: netmod@ietf.org WG List: netmod@ietf.org
WG Chair: Juergen Schoenwaelder WG Chair: Juergen Schoenwaelder
j.schoenwaelder@jacobs-university.de j.schoenwaelder@jacobs-university.de
WG Chair: Tom Nadeau WG Chair: Tom Nadeau
tnadeau@lucidvision.com tnadeau@lucidvision.com
Editor: Dean Bogdanovic Editor: Dean Bogdanovic
deanb@juniper.net deanb@juniper.net
Editor: Kiran Agrahara Sreenivasa Editor: Kiran Agrahara Sreenivasa
kkoushik@brocade.com kkoushik@brocade.com
Editor: Lisa Huang Editor: Lisa Huang
yihuan@cisco.com lyihuang@juniper.net
Editor: Dana Blair Editor: Dana Blair
dblair@cisco.com"; dblair@cisco.com";
description description
"This YANG module defines groupings that used by ietf-acl "This YANG module defines groupings that are used by
but not limited to acl. ietf-access-control-list YANG module. Their usage is not
limited to ietf-access-control-list and can be
used anywhere as applicable.
Copyright (c) 2015 IETF Trust and the persons identified as Copyright (c) 2015 IETF Trust and the persons identified as
the document authors. All rights reserved. the document authors. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's Legal License set forth in Section 4.c of the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2015-06-11 {
// RFC Ed.: replace XXXX with actual RFC number and remove this description
// note. "Initial version of packet fields used by
ietf-access-control-list";
revision 2015-03-04 {
description "Initial version of packet fields used by
access-lists";
reference reference
"RFC XXXX: Network Access Control List (ACL) "RFC XXXX: Network Access Control List (ACL)
YANG Data Model"; YANG Data Model";
} }
grouping acl-transport-header-fields {
grouping access-control-list-transport-header-fields { description
description "Transport header fields"; "Transport header fields";
container source-port-range { container source-port-range {
description "inclusive range of source ports"; description
"Inclusive range representing source ports to be used.
When only lower-port is present, it represents a single port.";
leaf lower-port { leaf lower-port {
type inet:port-number; type inet:port-number;
mandatory true; mandatory true;
description "Lower boundary."; description
"Lower boundary for port.";
} }
leaf upper-port { leaf upper-port {
must ". >= ../lower-port" {
error-message
"The upper-port must be greater than or equal to lower-port";
}
type inet:port-number; type inet:port-number;
description "Upper boundary. If exist, upper port must be greater or description
equal to lower port."; "Upper boundary for port . If existing, the upper port
must be greater or equal to lower-port.";
} }
} }
container destination-port-range { container destination-port-range {
description "inclusive range of destination ports"; description
"Inclusive range representing destination ports to be used. When
only lower-port is present, it represents a single port.";
leaf lower-port { leaf lower-port {
type inet:port-number; type inet:port-number;
mandatory true; mandatory true;
description "Lower boundary."; description
"Lower boundary for port.";
} }
leaf upper-port { leaf upper-port {
must ". >= ../lower-port" {
error-message
"The upper-port must be greater than or equal to lower-port";
}
type inet:port-number; type inet:port-number;
description "Upper boundary."; description
"Upper boundary for port. If existing, the upper port must
be greater or equal to lower-port";
} }
} }
} }
grouping acl-ip-header-fields {
grouping access-control-list-ip-header-fields { description
description "Header fields common to ipv4 and ipv6"; "IP header fields common to ipv4 and ipv6";
uses access-control-list-transport-header-fields;
leaf dscp { leaf dscp {
type inet:dscp; type inet:dscp;
description
description "Value of dscp."; "Value of dscp.";
} }
leaf protocol { leaf protocol {
type uint8; type uint8;
description "Internet Protocol number."; description
"Internet Protocol number.";
} }
uses acl-transport-header-fields;
} }
grouping acl-ipv4-header-fields {
grouping access-control-list-ipv4-header-fields { description
description "fields in IPv4 header"; "Fields in IPv4 header.";
leaf destination-ipv4-network { leaf destination-ipv4-network {
type inet:ipv4-prefix; type inet:ipv4-prefix;
description "One or more ip addresses."; description
"Destination IPv4 address prefix.";
} }
leaf source-ipv4-network { leaf source-ipv4-network {
type inet:ipv4-prefix; type inet:ipv4-prefix;
description "One or more ip addresses."; description
"Source IPv4 address prefix.";
} }
} }
grouping acl-ipv6-header-fields {
grouping access-control-list-ipv6-header-fields { description
description "fields in IPv6 header"; "Fields in IPv6 header";
leaf destination-ipv6-network { leaf destination-ipv6-network {
type inet:ipv6-prefix; type inet:ipv6-prefix;
description "One or more ip addresses."; description
"Destination IPv6 address prefix.";
} }
leaf source-ipv6-network { leaf source-ipv6-network {
type inet:ipv6-prefix; type inet:ipv6-prefix;
description "One or more ip addresses."; description
"Source IPv6 address prefix.";
} }
leaf flow-label { leaf flow-label {
type inet:ipv6-flow-label; type inet:ipv6-flow-label;
description "Flow label."; description
"IPv6 Flow label.";
} }
reference
"RFC 4291: IP Version 6 Addressing Architecture
RFC 4007: IPv6 Scoped Address Architecture
RFC 5952: A Recommendation for IPv6 Address Text Representation";
} }
grouping acl-eth-header-fields {
grouping access-control-list-eth-header-fields { description
"Fields in Ethernet header.";
description "fields in ethernet header";
leaf destination-mac-address { leaf destination-mac-address {
type yang:mac-address; type yang:mac-address;
description "Mac addresses."; description
"Destination IEEE 802 MAC address.";
} }
leaf destination-mac-address-mask { leaf destination-mac-address-mask {
type yang:mac-address; type yang:mac-address;
description "Mac addresses mask."; description
"Destination IEEE 802 MAC address mask.";
} }
leaf source-mac-address { leaf source-mac-address {
type yang:mac-address; type yang:mac-address;
description "Mac addresses."; description
"Source IEEE 802 MAC address.";
} }
leaf source-mac-address-mask { leaf source-mac-address-mask {
type yang:mac-address; type yang:mac-address;
description "Mac addresses mask."; description
"Source IEEE 802 MAC address mask.";
} }
reference
"IEEE 802: IEEE Standard for Local and Metropolitan Area
Networks: Overview and Architecture.";
} }
grouping timerange { grouping timerange {
description "Time range contains time description
segments to allow access-control-list to be "Time range contains time
active/inactive when the system time segments to allow access-control-list to be
is within the time segments."; active/inactive when the system time
is between the range.";
container absolute { container absolute-time {
description description
"Absolute time and date that "Absolute time and date that
the associated function starts the associated function starts
going into effect."; going into effect.";
leaf start { leaf start {
type yang:date-and-time; type yang:date-and-time;
description description
"Start time and date"; "Absolute start time and date";
} }
leaf end { leaf end {
type yang:date-and-time; type yang:date-and-time;
description "Absolute end time and date"; description
"Absolute end time and date";
} }
leaf active { leaf active {
type boolean; type boolean;
default "true"; default "true";
description description
"This object indicates whether the
"Specify the associated function the ACL will be active(true) or
inactive(false) during this time range.";
active or inactive state when
starts going into effect";
} }
} // container absolute }
} //grouping timerange }
grouping metadata { grouping metadata {
description "Fields associated with a packet but not in description
the header"; "Fields associated with a packet whick are not in
the header.";
leaf input-interface { leaf input-interface {
type string; type string;
description "Packet was received on this interface"; description
"Packet was received on this interface.";
} }
uses timerange; uses timerange;
} }
} }
<CODE ENDS> <CODE ENDS>
4.3. An ACL Example 4.3. An ACL Example
Requirement: Deny All traffic from 10.10.10.1 bound for host Requirement: Deny All traffic from 10.10.10.1 bound for host
10.10.10.255 from leaving. 10.10.10.255 from leaving.
In order to achieve the requirement, an name access control list is In order to achieve the requirement, an name Access Control List is
needed. The acl and aces can be described in CLI as the following: needed. The acl and aces can be described in CLI as the following:
access-list ip iacl access-list ip sample-ip-acl
deny tcp host 10.10.10.1 host 10.10.10.255 deny tcp host 10.10.10.1 host 10.10.10.255
Figure 1
Here is the example acl configuration xml: Here is the example acl configuration xml:
<rpc message-id="101" xmlns:nc="urn:cisco:params:xml:ns:yang:ietf-acl:1.0"> <rpc message-id="101" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
// replace with IANA namespace when assigned
<edit-config> <edit-config>
<target> <target>
<running/> <running/>
</target> </target>
<config> <config>
<top xmlns="http://example.com/schema/1.2/config"> <access-lists "urn:ietf:params:xml:ns:yang:ietf-acl:1.0">
<access-lists> <acl>
<access-list> <acl-name>sample-ip-acl</acl-name>
<access-control-list-name>sample-ip-acl</access-control-list-name>
<access-list-entries> <access-list-entries>
<access-list-entry> <ace>
<rule-name>telnet-block-rule</rule-name> <rule-name>rule1</rule-name>
<matches> <matches>
<destination-ipv4-address>10.10.10.255/24</destination-ipv4-address> <destination-ipv4-network>
<source-ipv4-address>10.10.10.1/24</source-ipv4-address> 10.10.10.255/24
</matches> </destination-ipv4-network>
<actions> <source-ipv4-network>
<deny/> 10.10.10.1/24
</actions> </source-ipv4-network>
</access-list-entry> </matches>
<actions>
<deny/>
</actions>
</ace>
</access-list-entries> </access-list-entries>
</access-list> </acl>
</access-lists> </access-lists>
</top>
</config> </config>
</edit-config> </edit-config>
</rpc> </rpc>
Figure 2
4.4. Port Range Usage Example 4.4. Port Range Usage Example
When a lower-port and an upper-port are both present, it represents a When a lower-port and an upper-port are both present, it represents a
range between lower-port and upper-port with both the lower-port and range between lower-port and upper-port with both the lower-port and
upper-port are included. When only a lower-port presents, it upper-port are included. When only a lower-port presents, it
represents a single port. represents a single port.
With the follow XML snippet: With the follow XML snippet:
<source-port-range> <source-port-range>
<lower-port>16384</lower-port> <lower-port>16384</lower-port>
<upper-port>16387</upper-port> <upper-port>16387</upper-port>
</source-port-range> </source-port-range>
This represents source ports 16384,16385, 16386, and 16387. This represents source ports 16384,16385, 16386, and 16387.
With the follow XML snippet: With the follow XML snippet:
<source-port-range> <source-port-range>
<lower-port>16384</lower-port> <lower-port>16384</lower-port>
<upper-port>65535</upper-port> <upper-port>65535</upper-port>
</source-port-range> </source-port-range>
This represents source ports greater than/equal to 16384. This represents source ports greater than/equal to 16384.
With the follow XML snippet: With the follow XML snippet:
<source-port-range> <source-port-range>
<lower-port>21</lower-port> <lower-port>21</lower-port>
</source-port-range> </source-port-range>
This represents port 21. This represents port 21.
5. Linux nftables 5. Linux nftables
As Linux platform is becoming more popular as networking platform, As Linux platform is becoming more popular as networking platform,
the Linux data model is changing. Previously ACLs in Linux were the Linux data model is changing. Previously ACLs in Linux were
highly protocol specific and different utilities were used for it highly protocol specific and different utilities were used (iptables,
(iptables, ip6tables, arptables, ebtables). Recently, this has ip6tables, arptables, ebtables), so each one had separate data model.
changed and a single utility, nftables, has been provided. This Recently, this has changed and a single utility, nftables, has been
utility follows very similarly the same base model as proposed in developed. With a single application, it has a single data model for
this draft. The nftables support input and output ACEs and each ACE filewall filters and it follows very similarly to the ietf-access-
can be defined with match and action. control list module proposed in this draft. The nftables support
input and output ACEs and each ACE can be defined with match and
action.
In the example below, it shows nftable configuration that accepts and
count packets. It contains a
table ip filter {
chain output {
type filter hook output priority 0;
counter packets 1 bytes 84 accept
}
}
There are many similarities between Linux nftables and IETF ACL YANG
data models. It should be fairly easy to do translation between ACL
YANG model described in this draft and Linux nftables.
6. Security Considerations 6. Security Considerations
The YANG module defined in this memo is designed to be accessed via The YANG module defined in this memo is designed to be accessed via
the NETCONF protocol [RFC6241] [RFC6241]. The lowest NETCONF layer the NETCONF protocol [RFC6241] [RFC6241]. The lowest NETCONF layer
is the secure transport layer and the mandatory-to-implement secure is the secure transport layer and the mandatory-to-implement secure
transport is SSH [RFC6242] [RFC6242]. The NETCONF access control transport is SSH [RFC6242] [RFC6242]. The NETCONF access control
model [RFC6536] [RFC6536] provides the means to restrict access for model [RFC6536] [RFC6536] provides the means to restrict access for
particular NETCONF users to a pre-configured subset of all available particular NETCONF users to a pre-configured subset of all available
NETCONF protocol operations and content. NETCONF protocol operations and content.
skipping to change at page 18, line 25 skipping to change at page 18, line 25
There are a number of data nodes defined in the YANG module which are There are a number of data nodes defined in the YANG module which are
writable/creatable/deletable (i.e., config true, which is the writable/creatable/deletable (i.e., config true, which is the
default). These data nodes may be considered sensitive or vulnerable default). These data nodes may be considered sensitive or vulnerable
in some network environments. Write operations (e.g., <edit-config>) in some network environments. Write operations (e.g., <edit-config>)
to these data nodes without proper protection can have a negative to these data nodes without proper protection can have a negative
effect on network operations. effect on network operations.
These are the subtrees and data nodes and their sensitivity/ These are the subtrees and data nodes and their sensitivity/
vulnerability: vulnerability:
/ietf-acl:access-lists/access-list/access-list-entries: This list /access-lists/acl/access-list-entries: This list specifies all the
specifies all the configured access list entries on the device. configured access list entries on the device. Unauthorized write
Unauthorized write access to this list can allow intruders to access access to this list can allow intruders to access and control the
and control the system. Unauthorized read access to this list can system. Unauthorized read access to this list can allow intruders to
allow intruders to spoof packets with authorized addresses thereby spoof packets with authorized addresses thereby compromising the
compromising the system. system.
7. IANA Considerations 7. IANA Considerations
This document registers a URI in the IETF XML registry [RFC3688] This document registers a URI in the IETF XML registry [RFC3688]
[RFC3688]. Following the format in RFC 3688, the following [RFC3688]. Following the format in RFC 3688, the following
registration is requested to be made: registration is requested to be made:
URI: urn:ietf:params:xml:ns:yang:ietf-acl URI: urn:ietf:params:xml:ns:yang:ietf-access-control-list
URI: urn:ietf:params:xml:ns:yang:ietf-packet-fields URI: urn:ietf:params:xml:ns:yang:ietf-packet-fields
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A, the requested URI is an XML namespace. XML: N/A, the requested URI is an XML namespace.
This document registers a YANG module in the YANG Module Names This document registers a YANG module in the YANG Module Names
registry [RFC6020]. registry [RFC6020].
name: ietf-acl namespace: urn:ietf:params:xml:ns:yang:ietf-acl name: ietf-access-control-list namespace:
prefix: ietf-acl reference: RFC XXXX urn:ietf:params:xml:ns:yang:ietf-access-control-list prefix: ietf-acl
reference: RFC XXXX
name: ietf-packet-fields namespace: urn:ietf:params:xml:ns:yang:ietf- name: ietf-packet-fields namespace: urn:ietf:params:xml:ns:yang:ietf-
packet-fields prefix: ietf-packet-fields reference: RFC XXXX packet-fields prefix: ietf-packet-fields reference: RFC XXXX
8. Acknowledgements 8. Acknowledgements
Alex Clemm, Andy Bierman and Lisa Huang started it by sketching out Alex Clemm, Andy Bierman and Lisa Huang started it by sketching out
an initial IETF draft in several past IETF meetings. That draft an initial IETF draft in several past IETF meetings. That draft
included an ACL YANG model structure and a rich set of match filters, included an ACL YANG model structure and a rich set of match filters,
and acknowledged contributions by Louis Fourie, Dana Blair, Tula and acknowledged contributions by Louis Fourie, Dana Blair, Tula
Kraiser, Patrick Gili, George Serpa, Martin Bjorklund, Kent Watsen, Kraiser, Patrick Gili, George Serpa, Martin Bjorklund, Kent Watsen,
skipping to change at page 20, line 22 skipping to change at page 20, line 22
prefixes. Much like ACLs, they include some match criteria and prefixes. Much like ACLs, they include some match criteria and
corresponding match action(s). For that reason, it is very simple to corresponding match action(s). For that reason, it is very simple to
extend existing ACL model with route filtering. The combination of a extend existing ACL model with route filtering. The combination of a
route prefix and prefix length along with the type of match route prefix and prefix length along with the type of match
determines how route filters are evaluated against incoming routes. determines how route filters are evaluated against incoming routes.
Different vendors have different match types and in this model we are Different vendors have different match types and in this model we are
using only ones that are common across all vendors participating in using only ones that are common across all vendors participating in
this draft. As in this example, the base ACL model can be extended this draft. As in this example, the base ACL model can be extended
with company proprietary extensions, described in the next section. with company proprietary extensions, described in the next section.
<CODE BEGINS> file "std-ext-route-filter@2015-02-14.yang" file "example-ext-route-filter@2015-02-14.yang"
module std-ext-route-filter {
yang-version 1;
namespace "urn:ietf:params:xml:ns:yang:ietf-route-filter";
prefix std-ext-route-filter;
import ietf-inet-types {
prefix "inet";
}
import ietf-acl {
prefix "ietf-acl";
}
organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact
"WG Web: http://tools.ietf.org/wg/netmod/
WG List: netmod@ietf.org
WG Chair: Juergen Schoenwaelder
j.schoenwaelder@jacobs-university.de
WG Chair: Tom Nadeau
tnadeau@lucidvision.com
Editor: Dean Bogdanovic
deanb@juniper.net
Editor: Kiran Agrahara Sreenivasa
kkoushik@brocade.com
Editor: Lisa Huang
yihuan@cisco.com
Editor: Dana Blair module example-ext-route-filter {
dblair@cisco.com"; yang-version 1;
namespace "urn:ietf:params:xml:ns:yang:example-ext-route-filter";
prefix example-ext-route-filter;
import ietf-inet-types {
prefix "inet";
}
import ietf-access-control-list {
prefix "ietf-acl";
}
organization
"Route modele group.";
description " contact
This module describes route filter as a collection of "abc@abc.com";
match prefixes. When specifying a match prefix, you
can specify an exact match with a particular route or
a less precise match. You can configure either a
common action that applies to the entire list or an
action associated with each prefix.
";
revision 2015-02-14 { description "
description "creating Route-Filter extension model based on ietf-acl model"; This module describes route filter as a collection of
reference " "; match prefixes. When specifying a match prefix, you
} can specify an exact match with a particular route or
a less precise match. You can configure either a
common action that applies to the entire list or an
action associated with each prefix.
";
revision 2015-05-03 {
description
"Creating Route-Filter extension model based on
ietf-access-control-list model";
reference " ";
augment "/ietf-acl:access-lists/ietf-acl:access-list }
/ietf-acl:access-list-entries/ augment "/ietf-acl:access-lists/ietf-acl:acl/
ietf-acl:access-list-entry/ietf-acl:matches"{ ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches"{
description " description "
This module augments the matches container in the ietf-acl This module augments the matches container in the ietf-acl
module with route filter specific actions module with route filter specific actions
"; ";
choice route-prefix{ choice route-prefix{
description "Define route filter match criteria"; description "Define route filter match criteria";
case range { case range {
description " description
Route falls between the lower prefix/prefix-length and the upper " Route falls between the lower prefix/prefix-length
prefix/prefix-length. and the upperprefix/prefix-length.";
"; choice ipv4-range {
choice ipv4-range { description "Defines the IPv4 prefix range";
description "Defines the lower IPv4 prefix/prefix range"; leaf v4-lower-bound {
leaf v4-lower-bound { type inet:ipv4-prefix;
type inet:ipv4-prefix; description
description "Defines the lower IPv4 prefix/prefix length"; "Defines the lower IPv4 prefix/prefix length";
} }
leaf v4-upper-bound { leaf v4-upper-bound {
type inet:ipv4-prefix; type inet:ipv4-prefix;
description "Defines the upper IPv4 prefix/prefix length"; description
} "Defines the upper IPv4 prefix/prefix length";
} }
choice ipv6-range { }
description "Defines the IPv6 prefix/prefix range"; choice ipv6-range {
leaf v6-lower-bound { description "Defines the IPv6 prefix/prefix range";
type inet:ipv6-prefix; leaf v6-lower-bound {
description "Defines the lower IPv6 prefix/prefix length"; type inet:ipv6-prefix;
} description
leaf v6-upper-bound { "Defines the lower IPv6 prefix/prefix length";
type inet:ipv6-prefix; }
description "Defines the upper IPv6 prefix/prefix length"; leaf v6-upper-bound {
} type inet:ipv6-prefix;
} description
} "Defines the upper IPv6 prefix/prefix length";
} }
} }
} }
<CODE ENDS> }
}
}
A.2. A company proprietary module example A.2. A company proprietary module example
Module "newco-acl" is an example of company proprietary model that Module "example-newco-acl" is an example of company proprietary model
augments "ietf-acl" module. It shows how to use 'augment' with an that augments "ietf-acl" module. It shows how to use 'augment' with
XPath expression to add additional match criteria, action criteria, an XPath expression to add additional match criteria, action
and default actions when no ACE matches found. All these are company criteria, and default actions when no ACE matches found. All these
proprietary extensions or system feature extensions. "newco-acl" is are company proprietary extensions or system feature extensions.
just an example and it is expected from vendors to create their own "example-newco-acl" is just an example and it is expected from
proprietary models. vendors to create their own proprietary models.
The following figure is the tree structure of newco-acl. In this The following figure is the tree structure of example-newco-acl. In
example, ietf-acl:access-lists/ietf-acl:access-list/ietf-acl:access- this example, /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-
list-entries/ietf-acl:access-list-entry/ietf-acl:matches: are list-entries/ ietf-acl:ace/ietf-acl:matches are augmented with a new
augmented with a new choice, protocol-payload-choice. The protocol- choice, protocol-payload-choice. The protocol-payload-choice uses a
payload-choice uses a grouping with an enumeration of all supported grouping with an enumeration of all supported protocol values. In
protocol values. In other example, ietf-acl:access-lists/ietf-acl other example, /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-
:access-list/ietf-acl:access-list-entries/ietf-acl:access-list-entry/ list-entries/ ietf-acl:ace/ietf-acl:actions are augmented with new
ietf-acl:actions are augmented with new choice of actions. choice of actions.
module: newco-acl module: example-newco-acl
augment /ietf-acl:access-lists/ietf-acl:access-list augment /ietf-acl:access-lists/ietf-acl:acl/
/ietf-acl:access-list-entries/ ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches:
ietf-acl:access-list-entry/ietf-acl:matches: +--rw (protocol-payload-choice)?
+--rw (protocol-payload-choice)?
+--:(protocol-payload) +--:(protocol-payload)
+--rw protocol-payload* [value-keyword] +--rw protocol-payload* [value-keyword]
+--rw value-keyword enumeration +--rw value-keyword enumeration
augment /ietf-acl:access-lists/ietf-acl:access-list augment /ietf-acl:access-lists/ietf-acl:acl/
/ietf-acl:access-list-entries/ ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:actions:
ietf-acl:access-list-entry/ietf-acl:actions: +--rw (action)?
+--rw (action)?
+--:(count) +--:(count)
| +--rw count? string | +--rw count? string
+--:(policer) +--:(policer)
| +--rw policer? string | +--rw policer? string
+--:(hiearchical-policer) +--:(hiearchical-policer)
+--rw hierarchitacl-policer? string +--rw hierarchitacl-policer? string
augment /ietf-acl:access-lists/ietf-acl:access-list: augment /ietf-acl:access-lists/ietf-acl:acl:
+--rw default-actions +--rw default-actions
+--rw deny? empty +--rw deny? empty
<CODE BEGINS> file "newco-acl@2015-03-04.yang" file "newco-acl@2015-03-04.yang"
module newco-acl { module example-newco-acl {
yang-version 1; yang-version 1;
namespace "urn:newco:params:xml:ns:yang:newco-acl"; namespace "urn:newco:params:xml:ns:yang:example-newco-acl";
prefix newco-acl;
prefix example-newco-acl;
import ietf-acl { import ietf-acl {
prefix "ietf-acl"; prefix "ietf-acl";
} }
revision 2015-03-04{ revision 2015-05-03{
description "creating NewCo proprietary extensions to ietf-acl model"; description "Creating NewCo proprietary extensions to ietf-acl model";
} }
augment "/ietf-acl:access-lists/ietf-acl:access-list augment "/ietf-acl:access-lists/ietf-acl:access-list
/ietf-acl:access-list-entries/ /ietf-acl:access-list-entries/
ietf-acl:access-list-entry/ietf-acl:matches" { ietf-acl:access-list-entry/ietf-acl:matches" {
description "Newco proprietary simple filter matches"; description "Newco proprietary simple filter matches";
choice protocol-payload-choice { choice protocol-payload-choice {
list protocol-payload { list protocol-payload {
key value-keyword; key value-keyword;
ordered-by user; ordered-by user;
description "Match protocol payload"; description "Match protocol payload";
uses match-simple-payload-protocol-value; uses match-simple-payload-protocol-value;
} }
} }
} }
augment "/ietf-acl:access-lists/ietf-acl:access-list/ietf-acl:access-list-entries/ietf-acl:access-list-entry/ietf-acl:actions" { augment "/ietf-acl:access-lists/ietf-acl:access-list/
ietf-acl:access-list-entries/ietf-acl:access-list-entry/
ietf-acl:actions" {
description "Newco proprietary simple filter actions"; description "Newco proprietary simple filter actions";
choice action { choice action {
case count { case count {
description "Count the packet in the named counter"; description "Count the packet in the named counter";
leaf count { leaf count {
type string; type string;
} }
} }
case policer { case policer {
description "Name of policer to use to rate-limit traffic"; description "Name of policer to use to rate-limit traffic";
skipping to change at page 25, line 4 skipping to change at page 24, line 22
grouping match-simple-payload-protocol-value { grouping match-simple-payload-protocol-value {
leaf value-keyword { leaf value-keyword {
description "(null)"; description "(null)";
type enumeration { type enumeration {
enum icmp { enum icmp {
description "Internet Control Message Protocol"; description "Internet Control Message Protocol";
} }
enum icmp6 { enum icmp6 {
description "Internet Control Message Protocol Version 6"; description "Internet Control Message Protocol Version 6";
} }
enum range { enum range {
description "Range of values"; description "Range of values";
} }
} }
} }
} }
} }
<CODE ENDS>
Draft authors expect that different vendors will provide their own Draft authors expect that different vendors will provide their own
yang models as in the example above, which is the extension of the yang models as in the example above, which is the augmentation of the
base model base model
A.3. Attaching Access Control List to interfaces A.3. Attaching Access Control List to interfaces
Access control list typically does not exist in isolation. Instead, Access control list typically does not exist in isolation. Instead,
they are associated with a certain scope in which they are applied, they are associated with a certain scope in which they are applied,
for example, an interface of a set of interfaces. How to attach an for example, an interface of a set of interfaces. How to attach an
SPF to an interface (or other system artifact) is outside the scope access control list to an interface (or other system artifact) is
of this model, as it depends on the specifics of the system model outside the scope of this model, as it depends on the specifics of
that is being applied. However, in general, the general design the system model that is being applied. However, in general, the
pattern will involved adding a dada node with a reference, or set of general design pattern will involved adding a data node with a
references, to ACLs that are to be applied to the interface. For reference, or set of references, to ACLs that are to be applied to
this purpose, the type definition "access-control-list-ref" can be the interface. For this purpose, the type definition "access-
used. control-list-ref" can be used.
This is an example of attaching an access control list to an This is an example of attaching an Access Control List to an
interface. interface.
<CODE BEGINS> file "interface model augmentation with ACL import ietf-access-control-list {
@2015-03-04.yang"
import ietf-acl {
prefix "ietf-acl"; prefix "ietf-acl";
} }
import ietf-interface { import ietf-interface {
prefix "ietf-if"; prefix "ietf-if";
} }
import ietf-yang-types { import ietf-yang-types {
prefix "yang"; prefix "yang";
} }
augment "/ietf-if:interfaces/ietf-if:interface" { augment "/ietf-if:interfaces/ietf-if:interface" {
description "Apply acl to interfaces"; description "Apply ACL to interfaces";
container acl{ container acl{
description "ACL related properties."; description "ACL related properties.";
leaf acl-name { leaf acl-name {
type ietf-acl:access-control-list-ref; type ietf-acl:acl-ref;
mandatory true; mandatory true;
description "Access Control List name."; description "Access Control List name.";
} }
leaf match-counter { leaf match-counter {
type yang:counter64; type yang:counter64;
config false; config false;
description "Total match count for access control list "; description
"Total match count for Access Control
List on this interface";
} }
choice direction { choice direction {
leaf in { type empty;} leaf in { type empty;}
leaf out { type empty;} leaf out { type empty;}
} }
} }
} }
<CODE ENDS> augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-oper-data" {
description
"This is an example on how to apply acl to a target to collect
operational data";
container targets{
choice interface{
leaf-list interface-name{
type ietf-if:interface-ref;
}
}
}
}
Authors' Addresses Authors' Addresses
Dean Bogdanovic Dean Bogdanovic
Juniper Networks Juniper Networks
Email: deanb@juniper.net Email: deanb@juniper.net
Kiran Agrahara Sreenivasa Kiran Agrahara Sreenivasa
Brocade Communications System Brocade Communications System
skipping to change at page 27, line 4 skipping to change at page 26, line 16
Dean Bogdanovic Dean Bogdanovic
Juniper Networks Juniper Networks
Email: deanb@juniper.net Email: deanb@juniper.net
Kiran Agrahara Sreenivasa Kiran Agrahara Sreenivasa
Brocade Communications System Brocade Communications System
Email: kkoushik@brocade.com Email: kkoushik@brocade.com
Lisa Huang Lisa Huang
Cisco Systems Juniper Networks
Email: yihuan@cisco.com Email: lyihuang@juniper.net
Dana Blair Dana Blair
Cisco Systems Cisco Systems
Email: dblair@cisco.com Email: dblair@cisco.com
 End of changes. 133 change blocks. 
627 lines changed or deleted 607 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/