draft-ietf-netmod-acl-model-06.txt (diff against draft-ietf-netmod-acl-model-05.txt)

NETMOD WG                                                    D. Bogdanovic
Internet-Draft
Intended status: Standards Track                             K. Sreenivasa
Expires: June 10, 2016                                        Cisco Systems
                                                                  L. Huang
                                                          Juniper Networks
                                                                  D. Blair
                                                             Cisco Systems
                                                          December 8, 2015

              Network Access Control List (ACL) YANG Data Model
                      draft-ietf-netmod-acl-model-06
Abstract

   This document describes a data model of Access Control List (ACL)
   basic building blocks.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 10, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   Access Control List is also widely known as ACL (pronounced [ak-uh
   l]) or Access List.  In this document, Access Control List, ACL and
   Access List are used interchangeably.

1.1.  Definitions and Acronyms

   ACE: Access Control Entry

   ACL: Access Control List

   DSCP: Differentiated Services Code Point

   ICMP: Internet Control Message Protocol

   IP: Internet Protocol

   IPv4: Internet Protocol version 4

   IPv6: Internet Protocol version 6
   destination prefix length.  The actions can be any sort of operation
   from logging to rate limiting or dropping to simply forwarding.
   Actions on the first matching ACE are applied with no processing of
   subsequent ACEs.  The model also includes a container to hold overall
   operational state for each ACL and operational state for each ACE.

   One ACL can be applied to multiple targets within the device, such as
   interfaces of a networked device, applications or features running in
   the device, etc.  When applied to interfaces of a networked device,
   the ACL is applied in a direction which indicates whether it should be
   applied to packets entering (input) or leaving the device (output).
   An example in the appendix shows how to express this in the YANG
   model.

   This draft tries to address the commonalities between all vendors and
   create a common model, which can be augmented with proprietary
   models.  The base model is very simple and with this design we hope
   to achieve the needed flexibility for each vendor to extend the base
   model.
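   The first-match rule above is the property an implementer most
   easily gets wrong, so here is a small evaluator for it.  This is an
   added example, not code from the draft: it models the ipv4 match
   fields of ietf-packet-fields (source/destination prefix, protocol,
   source and destination port range), the permit/deny actions of
   ietf-access-control-list and the per-ACE match-counter.  The ACL,
   the packets and the fail-closed default for "no ACE matched" (which
   the base model does not define) are all constructed for the example.

```python
"""First-match ACL evaluation as described in Section 3 (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# (lower-port, upper-port); upper-port None means "single port", as in the
# source-port-range / destination-port-range descriptions of the model.
PortRange = Tuple[int, Optional[int]]


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int          # IP protocol number: 6 = TCP, 17 = UDP
    sport: int = 0
    dport: int = 0


@dataclass
class Ace:
    rule_name: str
    action: str            # "permit" or "deny" (the packet-handling choice)
    source_ipv4_network: Optional[str] = None
    destination_ipv4_network: Optional[str] = None
    protocol: Optional[int] = None
    source_port_range: Optional[PortRange] = None
    destination_port_range: Optional[PortRange] = None


def port_in_range(port: int, rng: Optional[PortRange]) -> bool:
    """Absent container: any port.  Only lower-port: exactly that port.
    Both present: inclusive range; the YANG 'must' forbids upper < lower."""
    if rng is None:
        return True
    lower, upper = rng
    if upper is None:
        return port == lower
    if upper < lower:
        raise ValueError("The upper-port must be greater than or equal to lower-port")
    return lower <= port <= upper


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Every configured match field must hold; unset fields are wildcards."""
    if (ace.source_ipv4_network is not None
            and IPv4Address(pkt.src) not in IPv4Network(ace.source_ipv4_network)):
        return False
    if (ace.destination_ipv4_network is not None
            and IPv4Address(pkt.dst) not in IPv4Network(ace.destination_ipv4_network)):
        return False
    if ace.protocol is not None and ace.protocol != pkt.protocol:
        return False
    return (port_in_range(pkt.sport, ace.source_port_range)
            and port_in_range(pkt.dport, ace.destination_port_range))


def evaluate(acl: List[Ace], pkt: Packet,
             counters: Optional[Dict[str, int]] = None,
             default: str = "deny") -> Tuple[str, Optional[str]]:
    """Apply the first matching ACE and stop; later ACEs are not consulted.

    'counters' mirrors ace-oper-data/match-counter per rule-name.  The base
    model does not say what happens when nothing matches, so the caller
    picks 'default' (fail-closed deny here; compare the default-actions
    augmentation in example-newco-acl in the appendix)."""
    for ace in acl:
        if ace_matches(ace, pkt):
            if counters is not None:
                counters[ace.rule_name] = counters.get(ace.rule_name, 0) + 1
            return ace.action, ace.rule_name
    return default, None


# Constructed ACL.  rule1 is the Section 4.3 CLI example
# ("deny tcp host 10.10.10.1 host 10.10.10.255"); rule2 and rule3 are made up.
SAMPLE_ACL = [
    Ace("rule1", "deny", "10.10.10.1/32", "10.10.10.255/32", protocol=6),
    Ace("rule2", "permit", None, "10.10.10.0/24", protocol=6,
        destination_port_range=(22, 80)),
    Ace("rule3", "permit"),
]

if __name__ == "__main__":
    counts: Dict[str, int] = {}
    for p in (Packet("10.10.10.1", "10.10.10.255", 6, 4444, 22),
              Packet("10.10.10.1", "10.10.10.255", 17, 4444, 53),
              Packet("10.10.10.9", "10.10.10.20", 6, 4444, 443)):
        print(p, "->", evaluate(SAMPLE_ACL, p, counts))
    print(counts)
```

   Two things the evaluator makes visible: reversing the order of
   SAMPLE_ACL turns the TCP packet from rule1's deny into rule3's
   permit, because only the first match counts; and a UDP packet between
   the same two hosts is permitted, because the CLI line in Section 4.3
   matches TCP only, not "all traffic".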
3.1.  ACL Modules

   There are two YANG modules in the model.  The first module, "ietf-
         |  |  |  |  +--rw (ace-ip-version)?
         |  |  |  |  |  +--:(ace-ipv4)
         |  |  |  |  |  |  +--rw destination-ipv4-network?   inet:ipv4-prefix
         |  |  |  |  |  |  +--rw source-ipv4-network?        inet:ipv4-prefix
         |  |  |  |  |  +--:(ace-ipv6)
         |  |  |  |  |     +--rw destination-ipv6-network?   inet:ipv6-prefix
         |  |  |  |  |     +--rw source-ipv6-network?        inet:ipv6-prefix
         |  |  |  |  |     +--rw flow-label?                 inet:ipv6-flow-label
         |  |  |  |  +--rw dscp?                            inet:dscp
         |  |  |  |  +--rw protocol?                        uint8
         |  |  |  |  +--rw source-port-range!
         |  |  |  |  |  +--rw lower-port    inet:port-number
         |  |  |  |  |  +--rw upper-port?   inet:port-number
         |  |  |  |  +--rw destination-port-range!
         |  |  |  |     +--rw lower-port    inet:port-number
         |  |  |  |     +--rw upper-port?   inet:port-number
         |  |  |  +--:(ace-eth)
         |  |  |     +--rw destination-mac-address?        yang:mac-address
         |  |  |     +--rw destination-mac-address-mask?   yang:mac-address
         |  |  |     +--rw source-mac-address?             yang:mac-address
         |  |  |     +--rw source-mac-address-mask?        yang:mac-address
         |  |  +--rw input-interface?   string
         |  |  +--rw absolute-time
         |  |     +--rw start?    yang:date-and-time
         |  |     +--rw end?      yang:date-and-time
         |  |     +--rw active?   boolean
         |  +--rw actions
         |  |  +--rw (packet-handling)?
         |  |     +--:(deny)
         |  |     |  +--rw deny?     empty
         |  |     +--:(permit)
         |  |        +--rw permit?   empty
         |  +--ro ace-oper-data
         |  |  +--ro match-counter?   yang:counter64
         |  +--rw rule-name        string
         +--rw acl-name    string
         +--rw acl-type    acl-type

                                 Figure 1
4.  ACL YANG Models

4.1.  IETF Access Control List module

   "ietf-access-control-list" is the standard top level module for
   access lists.  The "access-lists" container stores a list of "acl".
   Each "acl" has information identifying the access list by a
   name ("acl-name") and a list ("access-list-entries") of rules
   associated with the "acl-name".  Each of the entries in the
   list ("access-list-entries"), indexed by the string "rule-name", has
   containers defining "matches" and "actions".  The "matches" define
   criteria used to identify patterns in "ietf-packet-fields".  The
   "actions" define behavior to undertake once a "match" has been
   identified.
   <CODE BEGINS> file "ietf-access-control-list@2015-12-08.yang"

   module ietf-access-control-list {
     yang-version 1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list";
     prefix acl;

     import ietf-yang-types {
       prefix yang;
     }
     import ietf-packet-fields {
       prefix packet-fields;
     }
     contact
       "WG Web: http://tools.ietf.org/wg/netmod/
        WG List: netmod@ietf.org

        WG Chair: Juergen Schoenwaelder
        j.schoenwaelder@jacobs-university.de

        WG Chair: Tom Nadeau
        tnadeau@lucidvision.com

        Editor: Dean Bogdanovic
        ivandean@gmail.com

        Editor: Kiran Agrahara Sreenivasa
        kkoushik@cisco.com

        Editor: Lisa Huang
        lyihuang@juniper.net

        Editor: Dana Blair
        dblair@cisco.com";

     description
       "This YANG module defines a component that describes the
        configuration of Access Control Lists (ACLs).

        Copyright (c) 2015 IETF Trust and the persons identified as
        the document authors.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD
        License set forth in Section 4.c of the IETF Trust's Legal
        Provisions Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2015-12-08 {
       description
         "Base model for Network Access Control List (ACL).";
       reference
         "RFC XXXX: Network Access Control List (ACL)
          YANG Data Model";
     }

     identity acl-base {
       description
         "Base Access Control List type for all Access Control List type
          identifiers.";
       base acl:acl-base;
       description
         "ACL that primarily matches on fields from the IPv6 header
          (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP
          destination port).  An acl of type ipv6-acl does not contain
          matches on fields in the ethernet header or the IPv4 header.";
     }

     identity eth-acl {
       base acl:acl-base;
       description
         "ACL that primarily matches on fields in the ethernet header,
          like 10/100/1000baseT or WiFi Access Control List.  An acl of
          type eth-acl does not contain matches on fields in the IPv4
          header, IPv6 header or layer 4 headers.";
     }

     typedef acl-type {
       type identityref {
         base acl-base;
       }
       description
         "This type is used to refer to an Access Control List
          (ACL) type";
     }

     typedef access-control-list-ref {
4.2.  IETF-PACKET-FIELDS module

   The packet fields module defines the necessary groupings for matching
   on fields in the packet, including ethernet, ipv4, ipv6 and transport
   layer fields and metadata.  Since the number of match criteria is
   very large, the base module does not include these directly but
   references them by "uses" to keep the base module simple.  If more
   match conditions are needed, they can be added by augmenting the
   choices within the container "matches" in the
   ietf-access-control-list.yang model.

   <CODE BEGINS> file "ietf-packet-fields@2015-12-08.yang"

   module ietf-packet-fields {
     yang-version 1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields";
     prefix packet-fields;

     import ietf-inet-types {
       prefix inet;
     }
     import ietf-yang-types {
       prefix yang;
     }
     contact
       "WG Web: http://tools.ietf.org/wg/netmod/
        WG List: netmod@ietf.org

        WG Chair: Juergen Schoenwaelder
        j.schoenwaelder@jacobs-university.de

        WG Chair: Tom Nadeau
        tnadeau@lucidvision.com

        Editor: Dean Bogdanovic
        deanb@juniper.net

        Editor: Kiran Agrahara Sreenivasa
        kkoushik@cisco.com

        Editor: Lisa Huang
        lyihuang@juniper.net

        Editor: Dana Blair
        dblair@cisco.com";

     description
       "This YANG module defines groupings that are used by the
        ietf-access-control-list YANG module.  Their usage is not
        limited to ietf-access-control-list and they can be
        used anywhere as applicable.

        Copyright (c) 2015 IETF Trust and the persons identified as
        the document authors.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD
        License set forth in Section 4.c of the IETF Trust's Legal
        Provisions Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2015-12-08 {
       description
         "Initial version of packet fields used by
          ietf-access-control-list";
       reference
         "RFC XXXX: Network Access Control List (ACL)
          YANG Data Model";
     }

     grouping acl-transport-header-fields {
       description
         "Transport header fields";
         description
           "Inclusive range representing source ports to be used.
            When only lower-port is present, it represents a single port.";
         leaf lower-port {
           type inet:port-number;
           mandatory true;
           description
             "Lower boundary for port.";
         }
         leaf upper-port {
           type inet:port-number;
           must ". >= ../lower-port" {
             error-message
               "The upper-port must be greater than or equal to lower-port";
           }
           description
             "Upper boundary for port.  If present, the upper port
              must be greater than or equal to lower-port.";
         }
       }

       container destination-port-range {
         presence "Enables setting destination port range";
         description
           "Inclusive range representing destination ports to be used.  When
            only lower-port is present, it represents a single port.";
         leaf lower-port {
           type inet:port-number;
           mandatory true;
           description
             "Lower boundary for port.";
         }
         leaf upper-port {
           type inet:port-number;
           must ". >= ../lower-port" {
             error-message
               "The upper-port must be greater than or equal to lower-port";
           }
           description
             "Upper boundary for port.  If present, the upper port must
              be greater than or equal to lower-port.";
         }
       }
     }

     grouping acl-ip-header-fields {
       description
         "IP header fields common to ipv4 and ipv6";
       leaf dscp {
         type inet:dscp;
         description
           "Value of dscp.";
       }
       leaf protocol {
       }
       leaf source-mac-address-mask {
         type yang:mac-address;
         description
           "Source IEEE 802 MAC address mask.";
       }
       reference
         "IEEE 802: IEEE Standard for Local and Metropolitan Area
          Networks: Overview and Architecture.";
     }
grouping timerange {
description
"Time range contains time
segments to allow access-control-list to be
active/inactive when the system time
is between the range.";
container absolute-time {
description
"Absolute time and date that
the associated function starts
going into effect.";
leaf start {
type yang:date-and-time;
description
"Absolute start time and date";
}
leaf end {
type yang:date-and-time;
description
"Absolute end time and date";
}
leaf active {
type boolean;
default "true";
           description
             "This object indicates whether the
              ACL will be active(true) or
              inactive(false) during this time range.";
}
}
}
     grouping metadata {
       description
         "Fields associated with a packet which are not in
          the header.";
       leaf input-interface {
         type string;
         description
           "Packet was received on this interface.";
       }
       uses timerange;
     }
   }
   <CODE ENDS>
4.3.  An ACL Example

   Requirement: Deny all traffic from 10.10.10.1 bound for host
   10.10.10.255 from leaving.

   In order to achieve the requirement, a named Access Control List is
   needed.  The acl and aces can be described in CLI as the following:

      access-list ip sample-ip-acl
        deny tcp host 10.10.10.1 host 10.10.10.255
                 </source-port-range>
                 <destination-port-range>
                   <lower-port />
                   <upper-port />
                 </destination-port-range>
                 <destination-mac-address />
                 <destination-mac-address-mask />
                 <source-mac-address />
                 <source-mac-address-mask />
                 <input-interface />
                 <absolute-time>
                   <start />
                   <end />
                 </absolute-time>
               </matches>
               <actions>
                 <deny />
                 <permit />
               </actions>
               <ace-oper-data>
                 <match-counter />
               </ace-oper-data>
               <rule-name>rule1</rule-name>
             </ace>
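   The skeleton above lists every node; a real instance carries only
   the nodes the ACE uses.  The following added example (not code from
   the draft) builds the instance data for the sample-ip-acl requirement
   and checks the two port-range constraints of Section 4.2 on it: the
   "mandatory true" on lower-port and the must ". >= ../lower-port" on
   upper-port.  Element names and the namespace are those of
   ietf-access-control-list (nodes pulled in through "uses" take the
   namespace of the using module); "ipv4-acl" is assumed to be the
   identity the module defines for IPv4 ACLs alongside ipv6-acl and
   eth-acl, and the protocol value 6 encodes the "tcp" of the CLI line.
   The checker covers just those two statements; full validation of the
   instance is the job of a YANG tool run against the modules.

```python
"""Instance data for the Section 4.3 ACL plus a port-range check (added example)."""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS = "urn:ietf:params:xml:ns:yang:ietf-access-control-list"
ET.register_namespace("acl", NS)


def q(name: str) -> str:
    """Clark-notation qualified name in the ACL module namespace."""
    return "{%s}%s" % (NS, name)


def build_sample_acl(
        dst_ports: Optional[Tuple[Optional[int], Optional[int]]] = None) -> ET.Element:
    """<access-lists> for 'deny tcp host 10.10.10.1 host 10.10.10.255'.

    dst_ports, if given, is (lower-port, upper-port) for an added
    destination-port-range; a None entry leaves that leaf out, so the
    checker can be exercised with invalid data."""
    root = ET.Element(q("access-lists"))
    acl = ET.SubElement(root, q("acl"))
    ET.SubElement(acl, q("acl-name")).text = "sample-ip-acl"
    ET.SubElement(acl, q("acl-type")).text = "ipv4-acl"      # assumed identity name
    entries = ET.SubElement(acl, q("access-list-entries"))
    ace = ET.SubElement(entries, q("ace"))
    ET.SubElement(ace, q("rule-name")).text = "rule1"
    matches = ET.SubElement(ace, q("matches"))
    ET.SubElement(matches, q("source-ipv4-network")).text = "10.10.10.1/32"
    ET.SubElement(matches, q("destination-ipv4-network")).text = "10.10.10.255/32"
    ET.SubElement(matches, q("protocol")).text = "6"         # TCP, as in the CLI line
    if dst_ports is not None:
        lower, upper = dst_ports
        rng = ET.SubElement(matches, q("destination-port-range"))  # presence container
        if lower is not None:
            ET.SubElement(rng, q("lower-port")).text = str(lower)
        if upper is not None:
            ET.SubElement(rng, q("upper-port")).text = str(upper)
    actions = ET.SubElement(ace, q("actions"))
    ET.SubElement(actions, q("deny"))                         # packet-handling: deny
    return root


def check_port_ranges(root: ET.Element) -> List[str]:
    """One message per violated constraint; an empty list means the
    port-range containers satisfy the model's mandatory/must statements."""
    errors: List[str] = []
    for name in ("source-port-range", "destination-port-range"):
        for rng in root.iter(q(name)):
            lower = rng.find(q("lower-port"))
            upper = rng.find(q("upper-port"))
            if lower is None:
                errors.append("%s: lower-port is mandatory" % name)
                continue
            lo = int(lower.text)
            if not 0 <= lo <= 65535:
                errors.append("%s: lower-port outside inet:port-number" % name)
            if upper is not None:
                up = int(upper.text)
                if not 0 <= up <= 65535:
                    errors.append("%s: upper-port outside inet:port-number" % name)
                if up < lo:
                    # the error-message of the model's must statement
                    errors.append("%s: The upper-port must be greater than "
                                  "or equal to lower-port" % name)
    return errors


def to_xml(root: ET.Element) -> str:
    return ET.tostring(root, encoding="unicode")


def rule_names(xml_text: str) -> List[str]:
    """Parse serialized instance data back and list its ACE rule-names."""
    return [e.text for e in ET.fromstring(xml_text).iter(q("rule-name"))]


if __name__ == "__main__":
    print(to_xml(build_sample_acl()))
    print(check_port_ranges(build_sample_acl((80, 22))))
```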
   prefixes.  Much like ACLs, they include some match criteria and
   corresponding match action(s).  For that reason, it is very simple to
   extend the existing ACL model with route filtering.  The combination
   of a route prefix and prefix length along with the type of match
   determines how route filters are evaluated against incoming routes.
   Different vendors have different match types and in this model we are
   using only the ones that are common across all vendors participating
   in this draft.  As in this example, the base ACL model can be
   extended with company proprietary extensions, described in the next
   section.
   file "example-ext-route-filter@2015-12-08.yang"

   module example-ext-route-filter {
     yang-version 1;
     namespace "urn:ietf:params:xml:ns:yang:example-ext-route-filter";
     prefix example-ext-route-filter;

     import ietf-inet-types {
       prefix "inet";
     }
     import ietf-access-control-list {
       prefix "ietf-acl";
     }

     organization
       "Route model group.";
     contact
       "abc@abc.com";
     description
       "This module describes a route filter as a collection of
        match prefixes.  When specifying a match prefix, you
        can specify an exact match with a particular route or
        a less precise match.  You can configure either a
        common action that applies to the entire list or an
        action associated with each prefix.";
     revision 2015-12-08 {
       description
         "Creating Route-Filter extension model based on
          ietf-access-control-list model";
       reference " ";
     }

     augment "/ietf-acl:access-lists/ietf-acl:acl/"
           + "ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches" {
       description
         "This module augments the matches container in the ietf-acl
          module with route filter specific match criteria.";
       choice route-prefix {
         description "Define route filter match criteria";
         case range {
           description
             "Route falls between the lower prefix/prefix-length
              and the upper prefix/prefix-length.";
           // Both bounds of a range must be configured together, so each
           // address family is a case holding the two leaves; a choice
           // with bare leaves would make the bounds mutually exclusive.
           choice address-family {
             description "Address family of the prefix range";
             case ipv4-range {
               description "Defines the IPv4 prefix range";
               leaf v4-lower-bound {
                 type inet:ipv4-prefix;
                 description
                   "Defines the lower IPv4 prefix/prefix length";
               }
               leaf v4-upper-bound {
                 type inet:ipv4-prefix;
                 description
                   "Defines the upper IPv4 prefix/prefix length";
               }
             }
             case ipv6-range {
               description "Defines the IPv6 prefix range";
               leaf v6-lower-bound {
                 type inet:ipv6-prefix;
                 description
                   "Defines the lower IPv6 prefix/prefix length";
               }
               leaf v6-upper-bound {
                 type inet:ipv6-prefix;
                 description
                   "Defines the upper IPv6 prefix/prefix length";
               }
             }
           }
         }
       }
     }
   }
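   The module leaves "falls between" undefined, which is exactly the
   kind of gap that produces filters that accept more routes than
   intended.  The following added example (not code from the draft)
   pins one reading down and evaluates the range match for both
   address families.  The semantics are an assumption, not something
   the module states: a candidate route matches when it lies inside the
   lower bound's network and its prefix length is between the lower and
   upper bounds' prefix lengths, inclusive; only the upper bound's
   prefix length is used.  The routes and bounds below are constructed.

```python
"""Evaluate the route-prefix "range" case of example-ext-route-filter (added example)."""
from ipaddress import ip_network
from typing import List, Optional, Tuple


def route_in_range(route: str, lower_bound: str, upper_bound: str) -> bool:
    """Assumed semantics of case 'range': route inside the lower bound's
    network, with lower.prefixlen <= route.prefixlen <= upper.prefixlen."""
    r = ip_network(route, strict=True)
    lo = ip_network(lower_bound, strict=True)
    up = ip_network(upper_bound, strict=True)
    if not (r.version == lo.version == up.version):
        raise ValueError("route and bounds must be the same address family")
    if up.prefixlen < lo.prefixlen:
        raise ValueError("upper bound must not be shorter than lower bound")
    return r.subnet_of(lo) and lo.prefixlen <= r.prefixlen <= up.prefixlen


def filter_routes(routes: List[str], lower_bound: str, upper_bound: str,
                  action: str = "permit") -> List[Tuple[str, Optional[str]]]:
    """Apply one ACE's range match and its action to incoming routes.
    None as the action means the route did not match this ACE and would
    fall through to the next one."""
    return [(rt, action if route_in_range(rt, lower_bound, upper_bound) else None)
            for rt in routes]


if __name__ == "__main__":
    # Constructed data: accept 10/8 and anything more specific down to /24.
    for rt, act in filter_routes(["10.1.0.0/16", "10.1.2.0/25", "11.0.0.0/8"],
                                 "10.0.0.0/8", "10.0.0.0/24"):
        print(rt, "->", act)
```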
A.2.  A company proprietary module example

   Module "example-newco-acl" is an example of a company proprietary
   model that augments the "ietf-acl" module.  It shows how to use
   'augment' with an XPath expression to add additional match criteria,
   action criteria, and default actions when no ACE match is found.  All
   these are company proprietary extensions or system feature
   extensions.  "example-newco-acl" is just an example and it is
   expected that vendors will create their own proprietary models.

   The following figure is the tree structure of example-newco-acl.  In
   this example, /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-
   list-entries/ietf-acl:ace/ietf-acl:matches is augmented with a new
   choice, protocol-payload-choice.  The protocol-payload-choice uses a
   grouping with an enumeration of all supported protocol values.  In
   another example, /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-
   list-entries/ietf-acl:ace/ietf-acl:actions is augmented with a new
   choice of actions.
   module: example-newco-acl
   augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/
           ietf-acl:ace/ietf-acl:matches:
      +--rw (protocol-payload-choice)?
         +--:(protocol-payload)
            +--rw protocol-payload* [value-keyword]
               +--rw value-keyword    enumeration
   augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/
           ietf-acl:ace/ietf-acl:actions:
      +--rw (action)?
         +--:(count)
         |  +--rw count?                  string
         +--:(policer)
         |  +--rw policer?                string
         +--:(hierarchical-policer)
            +--rw hierarchical-policer?   string
   augment /ietf-acl:access-lists/ietf-acl:acl:
      +--rw default-actions
         +--rw deny?   empty
file "example-newco-acl@2015-05-03.yang"
file "example-newco-acl@2015-12-08.yang"
module example-newco-acl { module example-newco-acl {
yang-version 1; yang-version 1;
namespace "urn:newco:params:xml:ns:yang:example-newco-acl"; namespace "urn:newco:params:xml:ns:yang:example-newco-acl";
prefix example-newco-acl; prefix example-newco-acl;
import ietf-acl { import ietf-access-control-list {
prefix "ietf-acl"; prefix "ietf-acl";
} }
revision 2015-05-03{ organization
description "Creating NewCo proprietary extensions to ietf-acl model"; "Newco model group.";
}
augment "/ietf-acl:access-lists/ietf-acl:access-list contact
/ietf-acl:access-list-entries/ "abc@newco.com";
ietf-acl:access-list-entry/ietf-acl:matches" { description
"This YANG module augment IETF ACL Yang.";
revision 2015-12-08{
description
"Creating NewCo proprietary extensions to ietf-acl model";
reference
"RFC XXXX: Network Access Control List (ACL)
YANG Data Model";
}
augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches" {
description "Newco proprietary simple filter matches"; description "Newco proprietary simple filter matches";
choice protocol-payload-choice { choice protocol-payload-choice {
description "Match on a protocol payload keyword.";
list protocol-payload { list protocol-payload {
key value-keyword; key value-keyword;
ordered-by user; ordered-by user;
description "Match protocol payload"; description "Match protocol payload";
uses match-simple-payload-protocol-value; uses match-simple-payload-protocol-value;
} }
} }
} }
augment "/ietf-acl:access-lists/ietf-acl:access-list/ augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:actions" {
ietf-acl:access-list-entries/ietf-acl:access-list-entry/
ietf-acl:actions" {
description "Newco proprietary simple filter actions"; description "Newco proprietary simple filter actions";
choice action { choice action {
description "Newco proprietary filter action.";
case count { case count {
description "Count the packet in the named counter"; description "Count the packet in the named counter";
leaf count { leaf count {
type string; type string;
description "Name of the counter to increment.";
} }
} }
case policer { case policer {
description "Name of policer to use to rate-limit traffic"; description "Name of policer to use to rate-limit traffic";
leaf policer { leaf policer {
type string; type string;
description "Name of the policer to apply.";
} }
} }
case hierarchical-policer { case hierarchical-policer {
description "Name of hierarchical policer to use to description "Name of hierarchical policer to use to
rate-limit traffic"; rate-limit traffic";
leaf hierarchical-policer { leaf hierarchical-policer {
type string; type string;
description "Name of the hierarchical policer to apply.";
} }
} }
} }
} }
augment "/ietf-acl:access-lists/ietf-acl:access-list" { augment "/ietf-acl:access-lists/ietf-acl:acl" {
description "Newco proprietary default action";
container default-actions { container default-actions {
description "Actions that occur if no access-list entry is matched."; description
"Actions that occur if no access-list entry is matched.";
leaf deny { leaf deny {
type empty; type empty;
description "Deny packets that match no access-list entry.";
} }
} }
} }
grouping match-simple-payload-protocol-value { grouping match-simple-payload-protocol-value {
description "Newco proprietary payload";
leaf value-keyword { leaf value-keyword {
description "Protocol keyword to match in the packet payload.";
type enumeration { type enumeration {
enum icmp { enum icmp {
description "Internet Control Message Protocol"; description "Internet Control Message Protocol";
} }
enum icmp6 { enum icmp6 {
description "Internet Control Message Protocol Version 6"; description "Internet Control Message Protocol Version 6";
} }
enum range { enum range {
description "Range of values"; description "Range of values";
} }
} }
description "Protocol keyword to match in the packet payload.";
} }
} }
} }
The draft authors expect that different vendors will provide their
own YANG models, as in the example above, which augments the base
model.
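The behaviour the augmented model implies can be exercised against instance data: first-match evaluation over the user-ordered ACE list, the Newco count/policer side actions, and the augmented default-actions/deny applied only when no ACE matches. The following Python script is an added example, not code from the draft or from any vendor implementation. The instance document it parses is constructed here; the acl-name and rule-name keys and the permit/deny action leaves are assumed to follow the base ietf-access-control-list model, the IETF namespace URI follows the usual urn:ietf:params:xml:ns:yang convention, and the Newco namespace is the one declared in the module above.

```python
"""Evaluate and audit ACL instance data that uses the example-newco-acl
augmentations of ietf-access-control-list.  Standard library only."""
import xml.etree.ElementTree as ET

NS_ACL = "urn:ietf:params:xml:ns:yang:ietf-access-control-list"
NS_NEWCO = "urn:newco:params:xml:ns:yang:example-newco-acl"
A = "{%s}" % NS_ACL    # qualifies base-model element names
N = "{%s}" % NS_NEWCO  # qualifies example-newco-acl element names

# Constructed sample instance document, not taken from the draft.  The
# acl-name/rule-name keys and the permit/deny leaves are ASSUMED to follow
# the base model; the nc: nodes follow the example-newco-acl tree.
SAMPLE_CONFIG = f"""
<access-lists xmlns="{NS_ACL}" xmlns:nc="{NS_NEWCO}">
  <acl>
    <acl-name>edge-in</acl-name>
    <access-list-entries>
      <ace>
        <rule-name>count-icmp</rule-name>
        <matches>
          <nc:protocol-payload><nc:value-keyword>icmp</nc:value-keyword></nc:protocol-payload>
          <nc:protocol-payload><nc:value-keyword>icmp6</nc:value-keyword></nc:protocol-payload>
        </matches>
        <actions><permit/><nc:count>icmp-hits</nc:count></actions>
      </ace>
    </access-list-entries>
    <nc:default-actions><nc:deny/></nc:default-actions>
  </acl>
  <acl>
    <acl-name>mgmt-in</acl-name>
    <access-list-entries>
      <ace>
        <rule-name>police-range</rule-name>
        <matches>
          <nc:protocol-payload><nc:value-keyword>range</nc:value-keyword></nc:protocol-payload>
        </matches>
        <actions><nc:policer>mgmt-1m</nc:policer></actions>
      </ace>
    </access-list-entries>
  </acl>
</access-lists>
"""


def parse_acls(xml_text):
    """Return {acl-name: {"aces": [...], "default_deny": bool}}.
    ACEs keep document order, which is the order an ACL evaluates in."""
    acls = {}
    for acl in ET.fromstring(xml_text).findall(A + "acl"):
        aces = []
        for ace in acl.findall(A + "access-list-entries/" + A + "ace"):
            matches = ace.find(A + "matches")
            actions = ace.find(A + "actions")
            keywords = [] if matches is None else [
                e.text for e in matches.iter(N + "value-keyword")]
            forwarding, side = None, []
            if actions is not None:
                if actions.find(A + "deny") is not None:
                    forwarding = "deny"
                elif actions.find(A + "permit") is not None:
                    forwarding = "permit"
                # Newco actions are a separate choice, so they may sit
                # beside a permit/deny or appear on their own.
                for tag in ("count", "policer"):
                    el = actions.find(N + tag)
                    if el is not None:
                        side.append(f"{tag}:{el.text}")
            aces.append({"name": ace.findtext(A + "rule-name"),
                         "keywords": keywords, "forwarding": forwarding,
                         "side_actions": side})
        acls[acl.findtext(A + "acl-name")] = {
            "aces": aces,
            "default_deny": acl.find(N + "default-actions/" + N + "deny") is not None,
        }
    return acls


def ace_matches(ace, packet):
    """An ACE with no match criteria matches everything.  The 'range'
    keyword carries no bounds in this model, so it cannot be evaluated
    and is treated as never matching rather than as a wildcard."""
    if not ace["keywords"]:
        return True
    return packet["protocol"] in [k for k in ace["keywords"] if k != "range"]


def evaluate(acl, packet):
    """First-match evaluation.  Returns (forwarding, side_actions, source);
    source is the deciding ACE, 'default-actions' when the augmented
    default applied, or None when nothing decided (a policy gap)."""
    for ace in acl["aces"]:
        if ace_matches(ace, packet):
            return ace["forwarding"], ace["side_actions"], ace["name"]
    if acl["default_deny"]:
        return "deny", [], "default-actions"
    return None, [], None


def audit(acls):
    """Pre-deployment findings: no explicit default deny, an ACE with only
    a vendor side action and no permit/deny, or an unevaluable 'range'."""
    findings = []
    for name, acl in acls.items():
        if not acl["default_deny"]:
            findings.append(f"{name}: no default-actions/deny; unmatched traffic is undecided")
        for ace in acl["aces"]:
            if ace["forwarding"] is None:
                findings.append(f"{name}/{ace['name']}: no permit/deny beside {ace['side_actions']}")
            if "range" in ace["keywords"]:
                findings.append(f"{name}/{ace['name']}: 'range' keyword has no bounds in the model")
    return findings


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    print(evaluate(acls["edge-in"], {"protocol": "icmp"}))
    print(evaluate(acls["edge-in"], {"protocol": "tcp"}))
    for finding in audit(acls):
        print("FINDING:", finding)
```

Run stand-alone, the script permits and counts the ICMP packet through count-icmp, denies the TCP packet via default-actions, and reports three findings for mgmt-in: no explicit default deny, an ACE carrying only a policer with no forwarding decision, and a range keyword that the model gives no bounds for. The last one is the caveat the enumeration invites: a vendor that adds range must also add the leaves that define it, or the ACE cannot be evaluated.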
A.3. Attaching Access Control List to interfaces A.3. Attaching Access Control List to interfaces
skipping to change at page 27, line 38
layer 4 header fields may also exist in the list."; layer 4 header fields may also exist in the list.";
} }
Authors' Addresses Authors' Addresses
Dean Bogdanovic Dean Bogdanovic
Email: ivandean@gmail.com Email: ivandean@gmail.com
Kiran Agrahara Sreenivasa Kiran Agrahara Sreenivasa
Brocade Communications System Cisco Systems
Email: kkoushik@brocade.com Email: kkoushik@cisco.com
Lisa Huang Lisa Huang
Juniper Networks Juniper Networks
Email: lyihuang@juniper.net Email: lyihuang@juniper.net
Dana Blair Dana Blair
Cisco Systems Cisco Systems
Email: dblair@cisco.com Email: dblair@cisco.com

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/