draft-ietf-netmod-acl-model-09.txt   draft-ietf-netmod-acl-model-10.txt 
NETMOD WG D. Bogdanovic NETMOD WG D. Bogdanovic
Internet-Draft Volta Networks Internet-Draft Volta Networks
Intended status: Standards Track K. Sreenivasa Intended status: Standards Track K. Sreenivasa
Expires: April 15, 2017 Cisco Systems Expires: September 14, 2017 Cisco Systems
L. Huang L. Huang
General Electric General Electric
D. Blair D. Blair
Cisco Systems Cisco Systems
October 12, 2016 March 13, 2017
Network Access Control List (ACL) YANG Data Model Network Access Control List (ACL) YANG Data Model
draft-ietf-netmod-acl-model-09 draft-ietf-netmod-acl-model-10
Abstract Abstract
This document describes a data model of Access Control List (ACL) This document describes a data model of Access Control List (ACL)
basic building blocks. basic building blocks.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
This draft contains many placeholder values that need to be replaced This draft contains many placeholder values that need to be replaced
with finalized values at the time of publication. This note with finalized values at the time of publication. This note
skipping to change at page 2, line 7 skipping to change at page 2, line 7
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 15, 2017. This Internet-Draft will expire on September 14, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 45 skipping to change at page 2, line 45
4.4. Port Range Usage Example . . . . . . . . . . . . . . . . 16 4.4. Port Range Usage Example . . . . . . . . . . . . . . . . 16
5. Security Considerations . . . . . . . . . . . . . . . . . . . 17 5. Security Considerations . . . . . . . . . . . . . . . . . . . 17
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 19
8.1. Normative References . . . . . . . . . . . . . . . . . . 19 8.1. Normative References . . . . . . . . . . . . . . . . . . 19
8.2. Informative References . . . . . . . . . . . . . . . . . 19 8.2. Informative References . . . . . . . . . . . . . . . . . 19
Appendix A. Extending ACL model examples . . . . . . . . . . . . 20 Appendix A. Extending ACL model examples . . . . . . . . . . . . 20
A.1. Example of extending existing model for route filtering . 20 A.1. Example of extending existing model for route filtering . 20
A.2. A company proprietary module example . . . . . . . . . . 22 A.2. A company proprietary module example . . . . . . . . . . 22
A.3. Example to augment model with mixed ACL type . . . . . . 27 A.3. Example to augment model with mixed ACL type . . . . . . 30
A.4. Linux nftables . . . . . . . . . . . . . . . . . . . . . 28 A.4. Linux nftables . . . . . . . . . . . . . . . . . . . . . 30
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 31
1. Introduction 1. Introduction
Access Control List (ACL) is one of the basic elements to configure Access Control List (ACL) is one of the basic elements to configure
device forwarding behavior. It is used in many networking concepts device forwarding behavior. It is used in many networking concepts
such as Policy Based Routing, Firewalls etc. such as Policy Based Routing, Firewalls etc.
An ACL is an ordered set of rules that is used to filter traffic on a An ACL is an ordered set of rules that is used to filter traffic on a
networking device. Each rule is represented by an Access Control networking device. Each rule is represented by an Access Control
Entry (ACE). Entry (ACE).
skipping to change at page 23, line 7 skipping to change at page 23, line 7
new choices, protocol-payload-choice and metadata. The protocol- new choices, protocol-payload-choice and metadata. The protocol-
payload-choice uses a grouping with an enumeration of all supported payload-choice uses a grouping with an enumeration of all supported
protocol values. Metadata matches apply to fields associated with protocol values. Metadata matches apply to fields associated with
the packet but not in the packet header such as input interface or the packet but not in the packet header such as input interface or
overall packet length. In other example, /ietf-acl:access-lists/ overall packet length. In other example, /ietf-acl:access-lists/
ietf-acl:acl/ietf-acl:access-list-entries/ ietf-acl:ace/ietf- ietf-acl:acl/ietf-acl:access-list-entries/ ietf-acl:ace/ietf-
acl:actions are augmented with new choice of actions. acl:actions are augmented with new choice of actions.
module: example-newco-acl module: example-newco-acl
augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches: augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches:
+--rw vlan-tagged? uint16
+--rw mpls-unicast? uint16
+--rw mpls-multicast? uint16
+--rw ipv4? uint16
+--rw ipv6? uint16
augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches:
+--rw ipv4-ttl? uint8
+--rw ipv4-len? uint16
+--rw ipv4-ihl? uint8
+--rw ipv4-id? uint16
+--rw ipv4-flags? ipv4-flags-type
+--rw ipv4-offset? uint16
augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches:
+--rw (protocol-payload-choice)? +--rw (protocol-payload-choice)?
| +--:(protocol-payload) | +--:(protocol-payload)
| +--rw protocol-payload* [value-keyword] | +--rw protocol-payload* [value-keyword]
| +--rw value-keyword enumeration | +--rw value-keyword enumeration
+--rw (metadata)? +--rw (metadata)?
+--:(interface-name) +--:(interface-name)
+--rw interface-name* [input-interface] +--rw interface-name* [input-interface]
+--rw input-interface ietf-if:interface-ref +--rw input-interface ietf-if:interface-ref
augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:actions: augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:actions:
+--rw (action)? +--rw (action)?
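Review bot: the explanatory text above the tree (the lines beginning "new choices, protocol-payload-choice and metadata") no longer matches the tree, which now shows two additional augments of ietf-acl:matches before the protocol-payload-choice one: the first adds the vlan-tagged, mpls-unicast, mpls-multicast, ipv4 and ipv6 leaves and the second adds ipv4-ttl, ipv4-len, ipv4-ihl, ipv4-id, ipv4-flags and ipv4-offset. Add a sentence for each of the new augments (Ethernet-header matches and IPv4-header matches) stating which acl-type they are restricted to, and change "In other example" to "In another example".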
skipping to change at page 23, line 41 skipping to change at page 24, line 5
+--:(in) +--:(in)
| +--rw in? empty | +--rw in? empty
+--:(out) +--:(out)
+--rw out? empty +--rw out? empty
augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-oper-data: augment /ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-oper-data:
+--ro targets +--ro targets
+--ro (interface)? +--ro (interface)?
+--:(interface-name) +--:(interface-name)
+--ro interface-name* ietf-if:interface-ref +--ro interface-name* ietf-if:interface-ref
file "newco-acl@2016-10-12.yang"
module example-newco-acl { module example-newco-acl {
yang-version 1.1; yang-version 1.1;
namespace "urn:newco:params:xml:ns:yang:example-newco-acl"; namespace "urn:newco:params:xml:ns:yang:example-newco-acl";
prefix example-newco-acl; prefix example-newco-acl;
import ietf-access-control-list { import ietf-access-control-list {
prefix "ietf-acl"; prefix "ietf-acl";
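Review bot: the code-component header `file "newco-acl@2016-10-12.yang"` does not match the module name on the following line, `module example-newco-acl {`; RFC 7950 section 5.2 expects a module file to be named module-name@revision.yang, so the header should read `file "example-newco-acl@2016-10-12.yang"` (with whatever revision date the module finally carries).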
skipping to change at page 24, line 31 skipping to change at page 24, line 41
"This YANG module augment IETF ACL Yang."; "This YANG module augment IETF ACL Yang.";
revision 2016-10-12{ revision 2016-10-12{
description description
"Creating NewCo proprietary extensions to ietf-acl model"; "Creating NewCo proprietary extensions to ietf-acl model";
reference reference
"RFC XXXX: Network Access Control List (ACL) "RFC XXXX: Network Access Control List (ACL)
YANG Data Model"; YANG Data Model";
} }
typedef known-ether-type {
type enumeration {
enum "ipv4" {
value 2048; // 0x0800
description "Internet Protocol version 4 (IPv4)";
}
enum "vlan-tagged" {
value 33024; // 0x8100
description "VLAN-tagged frame (IEEE 802.1Q) & Shortest Path Bridging IEEE 802.1aq[4]";
}
enum "ipv6" {
value 34525; // 0x86DD
description "Internet Protocol Version 6 (IPv6)";
}
enum "mpls-unicast" {
value 34887; // 0x8847
description "MPLS unicast";
}
enum "mpls-multicast" {
value 34888; // 0x8848
description "MPLS multicast";
}
}
description "Listing supported Ethertypes";
}
typedef ipv4-flags-type {
type bits {
bit ipv4-reserved {
position 0;
description "reserved bit";
}
bit ipv4-DF {
position 1;
description "DF bit";
}
bit ipv4-MF {
position 2;
description "MF bit";
}
}
description "IPv4 flag types";
}
augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches" {
when "ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-type = 'ace-eth'";
description "additional MAC header matching";
leaf vlan-tagged {
type uint16;
description "Ethernet frame with VLAN tag";
}
leaf mpls-unicast {
type uint16;
description "Ethernet frame with MPLS unicast payload";
}
leaf mpls-multicast {
type uint16;
description "Ethernet frame with MPLS multicast payload";
}
leaf ipv4 {
type uint16;
description "Ethernet frame with IPv4 unicast payload";
}
leaf ipv6 {
type uint16;
description "Ethernet frame with IPv4 unicast payload";
}
}
augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches" { augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches" {
when "ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-type = 'ipv4-acl'";
description "additional IP header information";
leaf ipv4-ttl {
type uint8;
description "time to live of a given packet as defined in RFC791";
}
leaf ipv4-len {
type uint16;
description "total packet length as defined in RFC791";
}
leaf ipv4-ihl {
type uint8 {
range 0..15;
}
description "Internet Header Length in 32 bit words (see RFC791). Note
that while the minimum value for this field in a packet is
5, we leave open the possibility here that the packet has
been corrupted.";
}
leaf ipv4-id {
type uint16;
description "Identification as decribed in RFC791";
}
leaf ipv4-flags {
type ipv4-flags-type;
description "IPv4 flags as defined in RFC791";
}
leaf ipv4-offset {
type uint16 {
range 0..8191;
}
description "Matches on the packet fragment offset";
}
}
augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:access-list-entries/ietf-acl:ace/ietf-acl:matches" {
description "Newco proprietary simple filter matches"; description "Newco proprietary simple filter matches";
choice protocol-payload-choice { choice protocol-payload-choice {
description "Newo proprietary payload match condition"; description "Newo proprietary payload match condition";
list protocol-payload { list protocol-payload {
key value-keyword; key value-keyword;
ordered-by user; ordered-by user;
description "Match protocol payload"; description "Match protocol payload";
uses match-simple-payload-protocol-value; uses match-simple-payload-protocol-value;
} }
} }
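Review bot: the two new `when` expressions, `when "ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-type = 'ace-eth'";` and `when "ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-type = 'ipv4-acl'";`, use a relative path that is evaluated from the augment target (the ace's `matches` node), which has no `access-lists` child, so the condition can never be true and the augmented leaves could never be valid. Use an absolute path starting with `/`, or a relative one such as `../../../ietf-acl:acl-type`, and if `acl-type` is an identityref in the base model compare it with `derived-from-or-self(../../../ietf-acl:acl-type, 'ietf-acl:ipv4-acl')` rather than string equality. The two values are also named in different styles ('ace-eth' versus 'ipv4-acl'); check both against the identities the base ietf-access-control-list module actually defines. Smaller points in the same hunk: the `leaf ipv6` description reads "Ethernet frame with IPv4 unicast payload" (copied from the ipv4 leaf); the five Ethernet-type leaves are `type uint16` although the `known-ether-type` enumeration typedef defined just above is not used anywhere in this hunk, so either type the leaves with it or make them `type empty` presence matches if that is the intent; the `vlan-tagged` enum description carries a stray "[4]" citation marker; "decribed" and "Newo" are typos; and the `revision 2016-10-12` statement was not bumped even though this version adds the typedefs and two augments to the module.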
skipping to change at page 26, line 46 skipping to change at page 29, line 31
description "Access Control List name."; description "Access Control List name.";
} }
leaf match-counter { leaf match-counter {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total match count for Access Control "Total match count for Access Control
List on this interface"; List on this interface";
} }
choice direction { choice direction {
leaf in { type empty;} description "Applying ACL in which traffic direction";
leaf out { type empty;} leaf in {
type empty;
description "Inbound traffic";
}
leaf out {
type empty;
description "Outbound traffic";
}
} }
} }
} }
augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-oper-data" { augment "/ietf-acl:access-lists/ietf-acl:acl/ietf-acl:acl-oper-data" {
description description
"This is an example on how to apply acl to a target to collect "This is an example on how to apply acl to a target to collect
operational data"; operational data";
container targets{ container targets{
description "To which object is the ACL attached to";
choice interface{ choice interface{
description "Access Control List was attached to this interface";
leaf-list interface-name{ leaf-list interface-name{
type ietf-if:interface-ref { type ietf-if:interface-ref {
require-instance true; require-instance true;
} }
description "Access Control List was attached to this interface"; description "Attached to this interface name";
} }
} }
} }
} }
} }
Draft authors expect that different vendors will provide their own Draft authors expect that different vendors will provide their own
yang models as in the example above, which is the augmentation of the yang models as in the example above, which is the augmentation of the
base model base model
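Review bot: `choice direction` has no `mandatory true;`, so an attachment entry with neither `in` nor `out` present is valid and the direction that `match-counter` refers to is then undefined; add `mandatory true;` if every target must state a direction. In the oper-data augment the descriptions were reworded so that the `interface` choice says "Access Control List was attached to this interface" and the `interface-name` leaf-list says "Attached to this interface name", which is fine, but the new `targets` description "To which object is the ACL attached to" should read "Object to which the ACL is attached". In the closing sentence, "yang models" should be "YANG models".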
 End of changes. 14 change blocks. 
12 lines changed or deleted 150 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/