draft-ietf-netmod-acl-model-20.txt   draft-ietf-netmod-acl-model-21.txt 
NETMOD WG M. Jethanandani NETMOD WG M. Jethanandani
Internet-Draft VMware Internet-Draft VMware
Intended status: Standards Track S. Agarwal Intended status: Standards Track S. Agarwal
Expires: April 4, 2019 Cisco Systems, Inc. Expires: May 10, 2019 Cisco Systems, Inc.
L. Huang L. Huang
D. Blair D. Blair
October 1, 2018 November 6, 2018
Network Access Control List (ACL) YANG Data Model Network Access Control List (ACL) YANG Data Model
draft-ietf-netmod-acl-model-20 draft-ietf-netmod-acl-model-21
Abstract Abstract
This document defines a data model for Access Control List (ACL). An This document defines a data model for Access Control List (ACL). An
ACL is a user-ordered set of rules, used to configure the forwarding ACL is a user-ordered set of rules, used to configure the forwarding
behavior in a device. Each rule is used to find a match on a packet behavior in a device. Each rule is used to find a match on a packet
and defines the actions that will be performed on the packet. and defines the actions that will be performed on the packet.
Status of This Memo Status of This Memo
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 4, 2019. This Internet-Draft will expire on May 10, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 16 skipping to change at page 2, line 16
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 4 1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 4
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.3. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 1.3. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4
2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 4 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 4
3. Understanding ACL's Filters and Actions . . . . . . . . . . . 5 3. Understanding ACL's Filters and Actions . . . . . . . . . . . 5
3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 5 3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 6
4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 9 4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 10
4.1. IETF Access Control List module . . . . . . . . . . . . . 9 4.1. IETF Access Control List module . . . . . . . . . . . . . 10
4.2. IETF Packet Fields module . . . . . . . . . . . . . . . . 24 4.2. IETF Packet Fields module . . . . . . . . . . . . . . . . 24
4.3. ACL Examples . . . . . . . . . . . . . . . . . . . . . . 37 4.3. ACL Examples . . . . . . . . . . . . . . . . . . . . . . 37
4.4. Port Range Usage and Other Examples . . . . . . . . . . . 39 4.4. Port Range Usage and Other Examples . . . . . . . . . . . 39
5. Security Considerations . . . . . . . . . . . . . . . . . . . 43 5. Security Considerations . . . . . . . . . . . . . . . . . . . 43
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44
6.1. URI Registration . . . . . . . . . . . . . . . . . . . . 44 6.1. URI Registration . . . . . . . . . . . . . . . . . . . . 44
6.2. YANG Module Name Registration . . . . . . . . . . . . . . 44 6.2. YANG Module Name Registration . . . . . . . . . . . . . . 44
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 45 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 45
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 45 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 45
8.1. Normative References . . . . . . . . . . . . . . . . . . 45 8.1. Normative References . . . . . . . . . . . . . . . . . . 45
skipping to change at page 3, line 45 skipping to change at page 3, line 45
summarizes all of the substitutions that are needed. Please note summarizes all of the substitutions that are needed. Please note
that no other RFC Editor instructions are specified anywhere else in that no other RFC Editor instructions are specified anywhere else in
this document. this document.
Artwork in this document contains shorthand references to drafts in Artwork in this document contains shorthand references to drafts in
progress. Please apply the following replacements: progress. Please apply the following replacements:
o "XXXX" --> the assigned RFC number for this draft, both in this o "XXXX" --> the assigned RFC number for this draft, both in this
draft and in the YANG models under the revision statement. draft and in the YANG models under the revision statement.
o The revision date in the models, in the format 2018-10-01, needs o The revision date in the models, in the format 2018-11-06, needs
to be updated with the date the draft gets approved. The date also to be updated with the date the draft gets approved. The date also
needs to be reflected on the line with <CODE BEGINS>. needs to be reflected on the line with <CODE BEGINS>.
1.1. Definitions and Acronyms 1.1. Definitions and Acronyms
ACE: Access Control Entry ACE: Access Control Entry
ACL: Access Control List ACL: Access Control List
CoS: Class of Service CoS: Class of Service
skipping to change at page 4, line 47 skipping to change at page 4, line 47
capitals, as shown here. capitals, as shown here.
1.3. Tree Diagram 1.3. Tree Diagram
For a reference to the annotations used in tree diagrams included in For a reference to the annotations used in tree diagrams included in
this draft, please see YANG Tree Diagrams [RFC8340]. this draft, please see YANG Tree Diagrams [RFC8340].
2. Problem Statement 2. Problem Statement
This document defines a YANG 1.1 [RFC7950] data model for the This document defines a YANG 1.1 [RFC7950] data model for the
configuration of ACLs. It is very important that the model can be configuration of ACLs. The model defines matching rules for commonly
used easily by application/attachment models. used protocols such as Ethernet, IPv4, IPv6, TCP, UDP and ICMP. If
more protocols need to be supported in the future, this base model
can be augmented. An example of such an augmentation can be seen in
the Appendix.
ACL implementations in every device may vary greatly in terms of the ACL implementations in every device may vary greatly in terms of the
filter constructs and actions that they support. Therefore this filter constructs and actions that they support. Therefore, this
draft proposes a model that can be augmented by standard extensions draft proposes a model that can be augmented by standard extensions
and vendor proprietary models. and vendor proprietary models.
3. Understanding ACL's Filters and Actions 3. Understanding ACL's Filters and Actions
Although different vendors have different ACL data models, there is a Although different vendors have different ACL data models, there is a
common understanding of what an Access Control List (ACL) is. A network common understanding of what an Access Control List (ACL) is. A network
system usually has a list of ACLs, and each ACL contains an ordered system usually has a list of ACLs, and each ACL contains an ordered
list of rules, also known as Access Control Entries (ACE). Each ACE list of rules, also known as Access Control Entries (ACE). Each ACE
has a group of match criteria and a group of actions. The match has a group of match criteria and a group of actions. The match
skipping to change at page 10, line 32 skipping to change at page 10, line 40
ability for ACLs to be attached to a particular interface. ability for ACLs to be attached to a particular interface.
Statistics in the ACL can be collected for an "ace" or for an Statistics in the ACL can be collected for an "ace" or for an
"interface". The feature statements defined for statistics can be "interface". The feature statements defined for statistics can be
used to determine whether statistics are being collected per "ace", used to determine whether statistics are being collected per "ace",
or per "interface". or per "interface".
This module imports definitions from Common YANG Data Types This module imports definitions from Common YANG Data Types
[RFC6991], and A YANG Data Model for Interface Management [RFC8343]. [RFC6991], and A YANG Data Model for Interface Management [RFC8343].
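The two properties the draft relies on, user-ordered ACEs evaluated to the first match and counters that are either per ACE or per ACE per interface, are easiest to see in running code. The following is an added example written by the editor, not code from the draft or its YANG modules. It evaluates a constructed ACL instance in the RFC 7951 JSON encoding of ietf-access-control-list. The node names under "matches" (source-ipv4-network, destination-ipv4-network, protocol, destination-port with either operator+port or lower-port/upper-port) are taken from the draft's ietf-packet-fields module as the editor reads it and are assumptions as far as this page is concerned; the ACL name, addresses, ports and interfaces are made up.

```python
"""Added example (editor's code, not the draft's): first-match evaluation
of an ietf-access-control-list instance (RFC 7951 JSON encoding) with
per-ACE, per-interface matched-packet counters and the aggregate count
the draft says a per-entry-only implementation must report."""
import ipaddress
import json
from collections import defaultdict

# Constructed instance data. Node names under "matches" follow the draft's
# ietf-packet-fields module as the editor reads it (assumption: a port is
# either operator+port, operator defaulting to "eq", or lower-port/upper-port).
ACL_JSON = r'''{
  "ietf-access-control-list:acls": {"acl": [{
    "name": "mgmt-in", "type": "ipv4-acl-type",
    "aces": {"ace": [
      {"name": "allow-ssh-from-mgmt",
       "matches": {"ipv4": {"source-ipv4-network": "192.0.2.0/24", "protocol": 6},
                   "tcp": {"destination-port": {"operator": "eq", "port": 22}}},
       "actions": {"forwarding": "accept"}},
      {"name": "allow-web-alt",
       "matches": {"ipv4": {"protocol": 6},
                   "tcp": {"destination-port": {"lower-port": 8080, "upper-port": 8089}}},
       "actions": {"forwarding": "accept"}},
      {"name": "deny-all",
       "matches": {"ipv4": {"destination-ipv4-network": "0.0.0.0/0"}},
       "actions": {"forwarding": "drop"}}
    ]}
  }]}
}'''


def packet(src, dst, proto, sport, dport):
    """Constructed packet summary: only the header fields the ACEs look at."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def port_matches(spec, port):
    """Port choice from ietf-packet-fields: a lower/upper range, or one port
    compared with typedef operator (lte, gte, eq, neq; default eq)."""
    if "lower-port" in spec:
        return spec["lower-port"] <= port <= spec["upper-port"]
    want, op = spec["port"], spec.get("operator", "eq")
    return {"eq": port == want, "neq": port != want,
            "lte": port <= want, "gte": port >= want}[op]


def ace_matches(matches, pkt):
    """Every match container present must agree; an absent field is a wildcard."""
    ipv4 = matches.get("ipv4")
    if ipv4 is not None:
        for key, field in (("source-ipv4-network", "src"),
                           ("destination-ipv4-network", "dst")):
            net = ipv4.get(key)
            if net and ipaddress.ip_address(pkt[field]) not in \
                    ipaddress.ip_network(net, strict=False):
                return False
        if "protocol" in ipv4 and pkt["proto"] != ipv4["protocol"]:
            return False
    for l4, proto_num in (("tcp", 6), ("udp", 17)):
        spec = matches.get(l4)
        if spec is None:
            continue
        if pkt["proto"] != proto_num:
            return False
        for key, field in (("source-port", "sport"), ("destination-port", "dport")):
            if key in spec and not port_matches(spec[key], pkt[field]):
                return False
    return True


class AclEvaluator:
    def __init__(self, instance_json):
        doc = json.loads(instance_json)
        self.acls = {a["name"]: a
                     for a in doc["ietf-access-control-list:acls"]["acl"]}
        # Matched-packet counters keyed by (acl, ace, interface).
        self.hits = defaultdict(int)

    def evaluate(self, acl_name, pkt, interface):
        """Walk the ACEs in user order, stop at the first match, count it on
        this interface and return the forwarding identity (module prefix
        stripped). None means no ACE matched, so this ACL imposes no action."""
        for ace in self.acls[acl_name]["aces"]["ace"]:
            if ace_matches(ace.get("matches", {}), pkt):
                self.hits[(acl_name, ace["name"], interface)] += 1
                return ace["actions"]["forwarding"].split(":")[-1]
        return None

    def ace_count(self, acl_name, ace_name):
        """Aggregate per-entry count: the sum over all interfaces."""
        return sum(n for (a, e, _), n in self.hits.items()
                   if a == acl_name and e == ace_name)


if __name__ == "__main__":
    ev = AclEvaluator(ACL_JSON)
    print(ev.evaluate("mgmt-in", packet("192.0.2.10", "198.51.100.1", 6, 40000, 22), "eth0"))
    print(ev.evaluate("mgmt-in", packet("203.0.113.5", "198.51.100.1", 6, 40000, 22), "eth0"))
    print(dict(ev.hits))
```

Note that ordering is what carries the security semantics: swapping "deny-all" ahead of "allow-ssh-from-mgmt" silently turns the list into a blackhole, which is why the draft insists the ACE list is user-ordered rather than system-sorted. The evaluator also shows why the draft can leave the aggregate count optional: a consumer with per-interface counters can sum them itself, whereas a per-entry-only device cannot recover the per-interface split.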
<CODE BEGINS> file "ietf-access-control-list@2018-10-01.yang" <CODE BEGINS> file "ietf-access-control-list@2018-11-06.yang"
module ietf-access-control-list { module ietf-access-control-list {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list";
prefix acl; prefix acl;
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
reference reference
"RFC 6991 - Common YANG Data Types."; "RFC 6991 - Common YANG Data Types.";
skipping to change at page 11, line 28 skipping to change at page 11, line 35
mjethanandani@gmail.com mjethanandani@gmail.com
Editor: Lisa Huang Editor: Lisa Huang
lyihuang16@gmail.com lyihuang16@gmail.com
Editor: Sonal Agarwal Editor: Sonal Agarwal
sagarwal12@gmail.com sagarwal12@gmail.com
Editor: Dana Blair Editor: Dana Blair
dblair@cisco.com"; dblair@cisco.com";
description description
"This YANG module defines a component that describes the "This YANG module defines a component that describes the
configuration of Access Control Lists (ACLs). configuration and monitoring of Access Control Lists (ACLs).
Copyright (c) 2018 IETF Trust and the persons identified as Copyright (c) 2018 IETF Trust and the persons identified as
the document authors. All rights reserved. the document authors. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's Legal License set forth in Section 4.c of the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2018-10-01 { revision 2018-11-06 {
description description
"Initial version."; "Initial version.";
reference reference
"RFC XXX: Network Access Control List (ACL) YANG Data Model."; "RFC XXX: Network Access Control List (ACL) YANG Data Model.";
} }
/* /*
* Identities * Identities
*/ */
/* /*
* Forwarding actions for a packet * Forwarding actions for a packet
skipping to change at page 17, line 44 skipping to change at page 18, line 4
If an implementation only supports ACL counters per entry If an implementation only supports ACL counters per entry
(i.e., not broken out per interface), then the value (i.e., not broken out per interface), then the value
should be equal to the aggregate count across all interfaces. should be equal to the aggregate count across all interfaces.
An implementation that provides counters per entry per An implementation that provides counters per entry per
interface is not required to also provide an aggregate count, interface is not required to also provide an aggregate count,
e.g., per entry -- the user is expected to be able to implement e.g., per entry -- the user is expected to be able to implement
the required aggregation if such a count is needed."; the required aggregation if such a count is needed.";
} }
} }
/* /*
* Configuration data nodes * Configuration and monitoring data nodes
*/ */
container acls { container acls {
description description
"This is a top level container for Access Control Lists. "This is a top level container for Access Control Lists.
It can have one or more acl nodes."; It can have one or more acl nodes.";
list acl { list acl {
key "name"; key "name";
description description
"An Access Control List (ACL) is an ordered list of "An Access Control List (ACL) is an ordered list of
Access Control Entries (ACE). Each ACE has a Access Control Entries (ACE). Each ACE has a
list of match criteria and a list of actions. list of match criteria and a list of actions.
Since there are several kinds of Access Control Lists Since there are several kinds of Access Control Lists
implemented with different attributes for implemented with different attributes for
different vendors, this model accommodates customizing different vendors, this model accommodates customizing
skipping to change at page 25, line 7 skipping to change at page 25, line 15
within container "matches" in ietf-access-control-list.yang model. within container "matches" in ietf-access-control-list.yang model.
This module imports definitions from Common YANG Data Types [RFC6991] This module imports definitions from Common YANG Data Types [RFC6991]
and references IP [RFC0791], ICMP [RFC0792], TCP [RFC0793], and references IP [RFC0791], ICMP [RFC0792], TCP [RFC0793],
Definition of the Differentiated Services Field in the IPv4 and IPv6 Definition of the Differentiated Services Field in the IPv4 and IPv6
Headers [RFC2474], The Addition of Explicit Congestion Notification Headers [RFC2474], The Addition of Explicit Congestion Notification
(ECN) to IP [RFC3168], IPv6 Scoped Address Architecture [RFC4007], (ECN) to IP [RFC3168], IPv6 Scoped Address Architecture [RFC4007],
IPv6 Addressing Architecture [RFC4291], A Recommendation for IPv6 IPv6 Addressing Architecture [RFC4291], A Recommendation for IPv6
Address Text Representation [RFC5952], and IPv6 [RFC8200]. Address Text Representation [RFC5952], and IPv6 [RFC8200].
<CODE BEGINS> file "ietf-packet-fields@2018-10-01.yang" <CODE BEGINS> file "ietf-packet-fields@2018-11-06.yang"
module ietf-packet-fields { module ietf-packet-fields {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields";
prefix packet-fields; prefix packet-fields;
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference reference
"RFC 6991 - Common YANG Data Types."; "RFC 6991 - Common YANG Data Types.";
skipping to change at page 26, line 19 skipping to change at page 26, line 28
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's Legal License set forth in Section 4.c of the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2018-10-01 { revision 2018-11-06 {
description description
"Initial version."; "Initial version.";
reference reference
"RFC XXX: Network Access Control List (ACL) YANG Data Model."; "RFC XXX: Network Access Control List (ACL) YANG Data Model.";
} }
/* /*
* Typedefs * Typedefs
*/ */
typedef operator { typedef operator {
skipping to change at page 48, line 41 skipping to change at page 48, line 41
} }
organization organization
"Newco model group."; "Newco model group.";
contact contact
"abc@newco.com"; "abc@newco.com";
description description
"This YANG module augments IETF ACL Yang."; "This YANG module augments IETF ACL Yang.";
revision 2018-10-01 { revision 2018-11-06 {
description description
"Creating NewCo proprietary extensions to ietf-acl model"; "Creating NewCo proprietary extensions to ietf-acl model";
reference reference
"RFC XXXX: Network Access Control List (ACL) "RFC XXXX: Network Access Control List (ACL)
YANG Data Model"; YANG Data Model";
} }
augment "/acl:acls/acl:acl/" + augment "/acl:acls/acl:acl/" +
"acl:aces/acl:ace/" + "acl:aces/acl:ace/" +
skipping to change at page 52, line 24 skipping to change at page 52, line 24
this draft and Linux nftables. this draft and Linux nftables.
A.3. Ethertypes A.3. Ethertypes
The ACL module is dependent on the definition of ethertypes. IEEE The ACL module is dependent on the definition of ethertypes. IEEE
owns the allocation of those ethertypes. This model is being owns the allocation of those ethertypes. This model is being
included here to enable definition of those types till such time that included here to enable definition of those types till such time that
IEEE takes up the task of publication of the model that defines those IEEE takes up the task of publication of the model that defines those
ethertypes. At that time, this model can be deprecated. ethertypes. At that time, this model can be deprecated.
<CODE BEGINS> file "ietf-ethertypes@2018-10-01.yang" <CODE BEGINS> file "ietf-ethertypes@2018-11-06.yang"
module ietf-ethertypes { module ietf-ethertypes {
namespace "urn:ietf:params:xml:ns:yang:ietf-ethertypes"; namespace "urn:ietf:params:xml:ns:yang:ietf-ethertypes";
prefix ethertypes; prefix ethertypes;
organization organization
"IETF NETMOD (NETCONF Data Modeling Language)"; "IETF NETMOD (NETCONF Data Modeling Language)";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
skipping to change at page 52, line 49 skipping to change at page 52, line 49
description description
"This module contains the common definitions for the "This module contains the common definitions for the
Ethertype used by different modules. It is a Ethertype used by different modules. It is a
placeholder module, till such time that IEEE placeholder module, till such time that IEEE
starts a project to define these Ethertypes starts a project to define these Ethertypes
and publishes a standard. and publishes a standard.
At that time this module can be deprecated."; At that time this module can be deprecated.";
revision 2018-10-01 { revision 2018-11-06 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: IETF Ethertype YANG Data Module."; "RFC XXXX: IETF Ethertype YANG Data Module.";
} }
typedef ethertype { typedef ethertype {
type union { type union {
type uint16; type uint16;
skipping to change at page 55, line 26 skipping to change at page 55, line 26
enum esp { enum esp {
value 34825; value 34825;
description description
"Ethernet Slow Protocol. Hex value of 0x8809."; "Ethernet Slow Protocol. Hex value of 0x8809.";
reference reference
"IEEE Std. 802.3-2015"; "IEEE Std. 802.3-2015";
} }
enum cobranet { enum cobranet {
value 34841; value 34841;
description description
"CobraNet. Hex value of 0x"; "CobraNet. Hex value of 0x8819";
} }
enum mpls-unicast { enum mpls-unicast {
value 34887; value 34887;
description description
"MultiProtocol Label Switch (MPLS) unicast traffic. "MultiProtocol Label Switch (MPLS) unicast traffic.
Hex value of 0x8847."; Hex value of 0x8847.";
reference reference
"RFC 3031: Multiprotocol Label Switching Architecture."; "RFC 3031: Multiprotocol Label Switching Architecture.";
} }
enum mpls-multicast { enum mpls-multicast {
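The one substantive change in the ietf-ethertypes module above is the cobranet entry, whose description in -20 said "Hex value of 0x" with no digits. Because the numeric "value" is what a device matches on while the hex in the description is what a reviewer reads, a disagreement between the two is exactly the kind of defect that survives a manual read. The following is an added check written by the editor, not part of the draft: it parses enum blocks out of a constructed excerpt modelled on the module (esp, cobranet as -20 had it, mpls-unicast) and reports every entry whose description lacks a four-digit hex Ethertype or states one that does not equal the decimal "value". The regular expressions are the editor's and assume the layout used in the module text (value before description, description as one double-quoted string).

```python
"""Added example (editor's code, not the draft's): lint enum entries of an
ietf-ethertypes-style YANG module so that the decimal 'value' and the
'Hex value of 0x....' in the description always agree."""
import re

# Constructed excerpt modelled on the module on this page. The cobranet
# entry is written as draft-20 had it, with the hex digits missing.
YANG_SNIPPET = '''
      enum esp {
        value 34825;
        description
          "Ethernet Slow Protocol. Hex value of 0x8809.";
      }
      enum cobranet {
        value 34841;
        description
          "CobraNet. Hex value of 0x";
      }
      enum mpls-unicast {
        value 34887;
        description
          "MultiProtocol Label Switch (MPLS) unicast traffic.
           Hex value of 0x8847.";
      }
'''

# Assumes the module's layout: "value" precedes "description", and the
# description is a single double-quoted string (which may span lines).
ENUM_RE = re.compile(
    r'enum\s+([\w-]+)\s*\{\s*value\s+(\d+)\s*;\s*description\s*"([^"]*)"')
HEX_RE = re.compile(r'0x([0-9A-Fa-f]{4})\b')


def parse_enums(text):
    """Return a list of (name, value, description) for each enum block."""
    return [(n, int(v), d) for n, v, d in ENUM_RE.findall(text)]


def check_ethertypes(text):
    """Return (name, value, problem) for every enum whose value is not a
    uint16, whose description has no 4-digit hex Ethertype, or whose stated
    hex disagrees with the decimal value. An empty list means all consistent."""
    problems = []
    for name, value, desc in parse_enums(text):
        if not 0 <= value <= 0xFFFF:
            problems.append((name, value, "value is outside uint16"))
            continue
        m = HEX_RE.search(desc)
        if m is None:
            problems.append((name, value, "no hex value in description"))
        elif int(m.group(1), 16) != value:
            problems.append((name, value,
                             f"description says 0x{m.group(1)}, value is 0x{value:04X}"))
    return problems


if __name__ == "__main__":
    for name, value, problem in check_ethertypes(YANG_SNIPPET):
        print(f"{name} ({value} = 0x{value:04X}): {problem}")
```

Running it on the -20 text flags cobranet; after the -21 correction to 0x8819 (decimal 34841) the list is empty. The same check, pointed at the full module, is a cheap pre-submission gate for any future enum additions, since a wrong decimal value would make an ACL match the wrong Ethertype on every device that implements the model.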
 End of changes. 21 change blocks. 
22 lines changed or deleted 26 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/