| rfc8519v2.txt | rfc8519.txt |
|---|---|
| Internet Engineering Task Force (IETF) M. Jethanandani | Internet Engineering Task Force (IETF) M. Jethanandani | |||
| Request for Comments: 8519 VMware | Request for Comments: 8519 VMware | |||
| Category: Standards Track S. Agarwal | Category: Standards Track S. Agarwal | |||
| ISSN: 2070-1721 Cisco Systems, Inc. | ISSN: 2070-1721 Cisco Systems, Inc. | |||
| L. Huang | L. Huang | |||
| D. Blair | D. Blair | |||
| February 2019 | March 2019 | |||
| YANG Data Model for Network Access Control Lists (ACLs) | YANG Data Model for Network Access Control Lists (ACLs) | |||
| Abstract | Abstract | |||
| This document defines a data model for Access Control Lists (ACLs). | This document defines a data model for Access Control Lists (ACLs). | |||
| An ACL is a user-ordered set of rules used to configure the | An ACL is a user-ordered set of rules used to configure the | |||
| forwarding behavior in a device. Each rule is used to find a match | forwarding behavior in a device. Each rule is used to find a match | |||
| on a packet and define actions that will be performed on the packet. | on a packet and define actions that will be performed on the packet. | |||
| skipping to change at page 2, line 17 ¶ | skipping to change at page 2, line 17 ¶ | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 3 | 1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.3. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 | 1.3. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Understanding ACL's Filters and Actions . . . . . . . . . . . 4 | 3. Understanding ACL's Filters and Actions . . . . . . . . . . . 4 | |||
| 3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 5 | 3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 9 | 4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.1. IETF Access Control List Module . . . . . . . . . . . . . 9 | 4.1. IETF Access Control List Module . . . . . . . . . . . . . 9 | |||
| 4.2. IETF Packet Fields Module . . . . . . . . . . . . . . . . 24 | 4.2. IETF Packet Fields Module . . . . . . . . . . . . . . . . 24 | |||
| 4.3. ACL Examples . . . . . . . . . . . . . . . . . . . . . . 37 | 4.3. ACL Examples . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 4.4. Port Range Usage and Other Examples . . . . . . . . . . . 38 | 4.4. Port Range Usage and Other Examples . . . . . . . . . . . 38 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 42 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 42 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 | |||
| 6.1. URI Registration . . . . . . . . . . . . . . . . . . . . 43 | 6.1. URI Registration . . . . . . . . . . . . . . . . . . . . 43 | |||
| 6.2. YANG Module Name Registration . . . . . . . . . . . . . . 43 | 6.2. YANG Module Name Registration . . . . . . . . . . . . . . 43 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 44 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 44 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 45 | 7.2. Informative References . . . . . . . . . . . . . . . . . 45 | |||
| Appendix A. Extending ACL Model Examples . . . . . . . . . . . . 46 | Appendix A. Extending ACL Model Examples . . . . . . . . . . . . 46 | |||
| A.1. Example of a Company's Proprietary Module . . . . . . . . 46 | A.1. Example of a Company's Proprietary Module . . . . . . . . 46 | |||
| skipping to change at page 10, line 10 ¶ | skipping to change at page 10, line 10 ¶ | |||
| interface. | interface. | |||
| Statistics in the ACL can be collected for an "ace" or for an | Statistics in the ACL can be collected for an "ace" or for an | |||
| "interface". The feature statements defined for statistics can be | "interface". The feature statements defined for statistics can be | |||
| used to determine whether statistics are being collected per "ace" or | used to determine whether statistics are being collected per "ace" or | |||
| per "interface". | per "interface". | |||
| This module imports definitions from "Common YANG Data Types" | This module imports definitions from "Common YANG Data Types" | |||
| [RFC6991] and "A YANG Data Model for Interface Management" [RFC8343]. | [RFC6991] and "A YANG Data Model for Interface Management" [RFC8343]. | |||
| <CODE BEGINS> file "ietf-access-control-list@2019-01-28.yang" | <CODE BEGINS> file "ietf-access-control-list@2019-03-04.yang" | |||
| module ietf-access-control-list { | module ietf-access-control-list { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; | namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; | |||
| prefix acl; | prefix acl; | |||
| import ietf-yang-types { | import ietf-yang-types { | |||
| prefix yang; | prefix yang; | |||
| reference | reference | |||
| "RFC 6991 - Common YANG Data Types."; | "RFC 6991 - Common YANG Data Types."; | |||
| } | } | |||
| import ietf-packet-fields { | import ietf-packet-fields { | |||
| prefix pf; | prefix pf; | |||
| reference | reference | |||
| "RFC 8519 - YANG Data Model for Network Access Control | "RFC 8519 - YANG Data Model for Network Access Control | |||
| Lists (ACLs)."; | Lists (ACLs)."; | |||
| } | } | |||
| import ietf-interfaces { | import ietf-interfaces { | |||
| prefix if; | prefix if; | |||
| reference | reference | |||
| "RFC 8343 - A YANG Data Model for Interface Management."; | "RFC 8343 - A YANG Data Model for Interface Management."; | |||
| } | } | |||
| organization | organization | |||
| "IETF NETMOD (Network Modeling) Working Group."; | "IETF NETMOD (Network Modeling) Working Group."; | |||
| skipping to change at page 11, line 22 ¶ | skipping to change at page 11, line 22 ¶ | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD | to the license terms contained in, the Simplified BSD | |||
| License set forth in Section 4.c of the IETF Trust's Legal | License set forth in Section 4.c of the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC 8519; see | This version of this YANG module is part of RFC 8519; see | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| revision 2019-01-28 { | revision 2019-03-04 { | |||
| description | description | |||
| "Initial version."; | "Initial version."; | |||
| reference | reference | |||
| "RFC 8519: YANG Data Model for Network Access Control | "RFC 8519: YANG Data Model for Network Access Control | |||
| Lists (ACLs)."; | Lists (ACLs)."; | |||
| } | } | |||
| /* | /* | |||
| * Identities | * Identities | |||
| */ | */ | |||
| skipping to change at page 13, line 23 ¶ | skipping to change at page 13, line 25 ¶ | |||
| base acl:acl-base; | base acl:acl-base; | |||
| if-feature "eth"; | if-feature "eth"; | |||
| description | description | |||
| "An ACL that matches on fields in the Ethernet header, | "An ACL that matches on fields in the Ethernet header, | |||
| like 10/100/1000baseT or a Wi-Fi Access Control List. An ACL | like 10/100/1000baseT or a Wi-Fi Access Control List. An ACL | |||
| of type ethernet does not contain matches on fields in the | of type ethernet does not contain matches on fields in the | |||
| IPv4 header, the IPv6 header, or Layer 4 headers."; | IPv4 header, the IPv6 header, or Layer 4 headers."; | |||
| } | } | |||
| identity mixed-eth-ipv4-acl-type { | identity mixed-eth-ipv4-acl-type { | |||
| base "acl:eth-acl-type"; | base acl:eth-acl-type; | |||
| base "acl:ipv4-acl-type"; | base acl:ipv4-acl-type; | |||
| if-feature "mixed-eth-ipv4"; | if-feature "mixed-eth-ipv4"; | |||
| description | description | |||
| "An ACL that contains a mix of entries that match | "An ACL that contains a mix of entries that match | |||
| on fields in Ethernet headers and in IPv4 headers. | on fields in Ethernet headers and in IPv4 headers. | |||
| Matching on Layer 4 header fields may also exist in the | Matching on Layer 4 header fields may also exist in the | |||
| list."; | list."; | |||
| } | } | |||
| identity mixed-eth-ipv6-acl-type { | identity mixed-eth-ipv6-acl-type { | |||
| base "acl:eth-acl-type"; | base acl:eth-acl-type; | |||
| base "acl:ipv6-acl-type"; | base acl:ipv6-acl-type; | |||
| if-feature "mixed-eth-ipv6"; | if-feature "mixed-eth-ipv6"; | |||
| description | description | |||
| "An ACL that contains a mix of entries that match on fields | "An ACL that contains a mix of entries that match on fields | |||
| in Ethernet headers and in IPv6 headers. Matching | in Ethernet headers and in IPv6 headers. Matching | |||
| on Layer 4 header fields may also exist in the list."; | on Layer 4 header fields may also exist in the list."; | |||
| } | } | |||
| identity mixed-eth-ipv4-ipv6-acl-type { | identity mixed-eth-ipv4-ipv6-acl-type { | |||
| base "acl:eth-acl-type"; | base acl:eth-acl-type; | |||
| base "acl:ipv4-acl-type"; | base acl:ipv4-acl-type; | |||
| base "acl:ipv6-acl-type"; | base acl:ipv6-acl-type; | |||
| if-feature "mixed-eth-ipv4-ipv6"; | if-feature "mixed-eth-ipv4-ipv6"; | |||
| description | description | |||
| "An ACL that contains a mix of entries that | "An ACL that contains a mix of entries that | |||
| match on fields in Ethernet headers, IPv4 headers, and IPv6 | match on fields in Ethernet headers, IPv4 headers, and IPv6 | |||
| headers. Matching on Layer 4 header fields may also exist | headers. Matching on Layer 4 header fields may also exist | |||
| in the list."; | in the list."; | |||
| } | } | |||
| /* | /* | |||
| * Features | * Features | |||
| skipping to change at page 15, line 32 ¶ | skipping to change at page 15, line 34 ¶ | |||
| "Ethernet and IPv4 ACL combinations supported."; | "Ethernet and IPv4 ACL combinations supported."; | |||
| } | } | |||
| feature mixed-eth-ipv6 { | feature mixed-eth-ipv6 { | |||
| if-feature "match-on-eth and match-on-ipv6"; | if-feature "match-on-eth and match-on-ipv6"; | |||
| description | description | |||
| "Ethernet and IPv6 ACL combinations supported."; | "Ethernet and IPv6 ACL combinations supported."; | |||
| } | } | |||
| feature mixed-eth-ipv4-ipv6 { | feature mixed-eth-ipv4-ipv6 { | |||
| if-feature "match-on-eth and match-on-ipv4 | if-feature | |||
| and match-on-ipv6"; | "match-on-eth and match-on-ipv4 | |||
| and match-on-ipv6"; | ||||
| description | description | |||
| "Ethernet, IPv4, and IPv6 ACL combinations supported."; | "Ethernet, IPv4, and IPv6 ACL combinations supported."; | |||
| } | } | |||
| /* | /* | |||
| * Stats Features | * Stats Features | |||
| */ | */ | |||
| feature interface-stats { | feature interface-stats { | |||
| description | description | |||
| "ACL counters are available and reported only per interface."; | "ACL counters are available and reported only per interface."; | |||
| skipping to change at page 18, line 37 ¶ | skipping to change at page 18, line 41 ¶ | |||
| matched upon before any action is taken on them. | matched upon before any action is taken on them. | |||
| The rules are selected based on the feature set | The rules are selected based on the feature set | |||
| defined by the server and the acl-type defined. | defined by the server and the acl-type defined. | |||
| If no matches are defined in a particular container, | If no matches are defined in a particular container, | |||
| then any packet will match that container. If no | then any packet will match that container. If no | |||
| matches are specified at all in an ACE, then any | matches are specified at all in an ACE, then any | |||
| packet will match the ACE."; | packet will match the ACE."; | |||
| choice l2 { | choice l2 { | |||
| container eth { | container eth { | |||
| when "derived-from-or-self(/acls/acl/type, " + | when "derived-from-or-self(/acls/acl/type, " | |||
| "'acl:eth-acl-type')"; | + "'acl:eth-acl-type')"; | |||
| if-feature match-on-eth; | if-feature "match-on-eth"; | |||
| uses pf:acl-eth-header-fields; | uses pf:acl-eth-header-fields; | |||
| description | description | |||
| "Rule set that matches Ethernet headers."; | "Rule set that matches Ethernet headers."; | |||
| } | } | |||
| description | description | |||
| "Match Layer 2 headers, for example, Ethernet | "Match Layer 2 headers, for example, Ethernet | |||
| header fields."; | header fields."; | |||
| } | } | |||
| choice l3 { | choice l3 { | |||
| container ipv4 { | container ipv4 { | |||
| when "derived-from-or-self(/acls/acl/type, " + | when "derived-from-or-self(/acls/acl/type, " | |||
| "'acl:ipv4-acl-type')"; | + "'acl:ipv4-acl-type')"; | |||
| if-feature match-on-ipv4; | if-feature "match-on-ipv4"; | |||
| uses pf:acl-ip-header-fields; | uses pf:acl-ip-header-fields; | |||
| uses pf:acl-ipv4-header-fields; | uses pf:acl-ipv4-header-fields; | |||
| description | description | |||
| "Rule set that matches IPv4 headers."; | "Rule set that matches IPv4 headers."; | |||
| } | } | |||
| container ipv6 { | container ipv6 { | |||
| when "derived-from-or-self(/acls/acl/type, " + | when "derived-from-or-self(/acls/acl/type, " | |||
| "'acl:ipv6-acl-type')"; | + "'acl:ipv6-acl-type')"; | |||
| if-feature match-on-ipv6; | if-feature "match-on-ipv6"; | |||
| uses pf:acl-ip-header-fields; | uses pf:acl-ip-header-fields; | |||
| uses pf:acl-ipv6-header-fields; | uses pf:acl-ipv6-header-fields; | |||
| description | description | |||
| "Rule set that matches IPv6 headers."; | "Rule set that matches IPv6 headers."; | |||
| } | } | |||
| description | description | |||
| "Choice of either IPv4 or IPv6 headers"; | "Choice of either IPv4 or IPv6 headers"; | |||
| } | } | |||
| choice l4 { | choice l4 { | |||
| container tcp { | container tcp { | |||
| if-feature match-on-tcp; | if-feature "match-on-tcp"; | |||
| uses pf:acl-tcp-header-fields; | uses pf:acl-tcp-header-fields; | |||
| container source-port { | container source-port { | |||
| choice source-port { | choice source-port { | |||
| case range-or-operator { | case range-or-operator { | |||
| uses pf:port-range-or-operator; | uses pf:port-range-or-operator; | |||
| description | description | |||
| "Source port definition from range or | "Source port definition from range or | |||
| operator."; | operator."; | |||
| } | } | |||
| description | description | |||
| skipping to change at page 20, line 20 ¶ | skipping to change at page 20, line 23 ¶ | |||
| group of destination ports to be referenced."; | group of destination ports to be referenced."; | |||
| } | } | |||
| description | description | |||
| "Destination port definition."; | "Destination port definition."; | |||
| } | } | |||
| description | description | |||
| "Rule set that matches TCP headers."; | "Rule set that matches TCP headers."; | |||
| } | } | |||
| container udp { | container udp { | |||
| if-feature match-on-udp; | if-feature "match-on-udp"; | |||
| uses pf:acl-udp-header-fields; | uses pf:acl-udp-header-fields; | |||
| container source-port { | container source-port { | |||
| choice source-port { | choice source-port { | |||
| case range-or-operator { | case range-or-operator { | |||
| uses pf:port-range-or-operator; | uses pf:port-range-or-operator; | |||
| description | description | |||
| "Source port definition from range or | "Source port definition from range or | |||
| operator."; | operator."; | |||
| } | } | |||
| description | description | |||
| skipping to change at page 21, line 4 ¶ | skipping to change at page 21, line 7 ¶ | |||
| uses pf:port-range-or-operator; | uses pf:port-range-or-operator; | |||
| description | description | |||
| "Destination port definition from range or | "Destination port definition from range or | |||
| operator."; | operator."; | |||
| } | } | |||
| description | description | |||
| "Choice of destination port definition using | "Choice of destination port definition using | |||
| range/operator or a choice to support future | range/operator or a choice to support future | |||
| 'case' statements, such as one enabling a | 'case' statements, such as one enabling a | |||
| group of destination ports to be referenced."; | group of destination ports to be referenced."; | |||
| } | } | |||
| description | description | |||
| "Destination port definition."; | "Destination port definition."; | |||
| } | } | |||
| description | description | |||
| "Rule set that matches UDP headers."; | "Rule set that matches UDP headers."; | |||
| } | } | |||
| container icmp { | container icmp { | |||
| if-feature match-on-icmp; | if-feature "match-on-icmp"; | |||
| uses pf:acl-icmp-header-fields; | uses pf:acl-icmp-header-fields; | |||
| description | description | |||
| "Rule set that matches ICMP headers."; | "Rule set that matches ICMP headers."; | |||
| } | } | |||
| description | description | |||
| "Choice of TCP, UDP, or ICMP headers."; | "Choice of TCP, UDP, or ICMP headers."; | |||
| } | } | |||
| leaf egress-interface { | leaf egress-interface { | |||
| type if:interface-ref; | type if:interface-ref; | |||
| skipping to change at page 21, line 50 ¶ | skipping to change at page 22, line 4 ¶ | |||
| container actions { | container actions { | |||
| description | description | |||
| "Definition of actions for this ace entry."; | "Definition of actions for this ace entry."; | |||
| leaf forwarding { | leaf forwarding { | |||
| type identityref { | type identityref { | |||
| base forwarding-action; | base forwarding-action; | |||
| } | } | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Specifies the forwarding action per ace entry."; | "Specifies the forwarding action per ace entry."; | |||
| } | } | |||
| leaf logging { | leaf logging { | |||
| type identityref { | type identityref { | |||
| base log-action; | base log-action; | |||
| } | } | |||
| default log-none; | default "log-none"; | |||
| description | description | |||
| "Specifies the log action and destination for | "Specifies the log action and destination for | |||
| matched packets. Default value is not to log the | matched packets. Default value is not to log the | |||
| packet."; | packet."; | |||
| } | } | |||
| } | } | |||
| container statistics { | container statistics { | |||
| if-feature "acl-aggregate-stats"; | if-feature "acl-aggregate-stats"; | |||
| config false; | config false; | |||
| description | description | |||
| skipping to change at page 23, line 28 ¶ | skipping to change at page 23, line 26 ¶ | |||
| description | description | |||
| "Name of the ace entry."; | "Name of the ace entry."; | |||
| } | } | |||
| uses acl-counters; | uses acl-counters; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| list interface { | list interface { | |||
| if-feature interface-attachment; | if-feature "interface-attachment"; | |||
| key "interface-id"; | key "interface-id"; | |||
| description | description | |||
| "List of interfaces on which ACLs are set."; | "List of interfaces on which ACLs are set."; | |||
| leaf interface-id { | leaf interface-id { | |||
| type if:interface-ref; | type if:interface-ref; | |||
| description | description | |||
| "Reference to the interface id list key."; | "Reference to the interface id list key."; | |||
| } | } | |||
| skipping to change at page 24, line 36 ¶ | skipping to change at page 24, line 33 ¶ | |||
| [RFC6991] and references "Internet Protocol" [RFC0791], "Internet | [RFC6991] and references "Internet Protocol" [RFC0791], "Internet | |||
| Control Message Protocol" [RFC0792], "Transmission Control Protocol" | Control Message Protocol" [RFC0792], "Transmission Control Protocol" | |||
| [RFC0793], "Definition of the Differentiated Services Field (DS | [RFC0793], "Definition of the Differentiated Services Field (DS | |||
| Field) in the IPv4 and IPv6 Headers" [RFC2474], "The Addition of | Field) in the IPv4 and IPv6 Headers" [RFC2474], "The Addition of | |||
| Explicit Congestion Notification (ECN) to IP" [RFC3168], "IPv6 Scoped | Explicit Congestion Notification (ECN) to IP" [RFC3168], "IPv6 Scoped | |||
| Address Architecture" [RFC4007], "IP Version 6 Addressing | Address Architecture" [RFC4007], "IP Version 6 Addressing | |||
| Architecture" [RFC4291], "A Recommendation for IPv6 Address Text | Architecture" [RFC4291], "A Recommendation for IPv6 Address Text | |||
| Representation" [RFC5952], and "Internet Protocol, Version 6 (IPv6) | Representation" [RFC5952], and "Internet Protocol, Version 6 (IPv6) | |||
| Specification" [RFC8200]. | Specification" [RFC8200]. | |||
| <CODE BEGINS> file "ietf-packet-fields@2019-01-28.yang" | <CODE BEGINS> file "ietf-packet-fields@2019-03-04.yang" | |||
| module ietf-packet-fields { | module ietf-packet-fields { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; | namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; | |||
| prefix packet-fields; | prefix packet-fields; | |||
| import ietf-inet-types { | import ietf-inet-types { | |||
| prefix inet; | prefix inet; | |||
| reference | reference | |||
| "RFC 6991 - Common YANG Data Types."; | "RFC 6991 - Common YANG Data Types."; | |||
| skipping to change at page 25, line 32 ¶ | skipping to change at page 25, line 29 ¶ | |||
| mjethanandani@gmail.com | mjethanandani@gmail.com | |||
| Editor: Lisa Huang | Editor: Lisa Huang | |||
| lyihuang16@gmail.com | lyihuang16@gmail.com | |||
| Editor: Sonal Agarwal | Editor: Sonal Agarwal | |||
| sagarwal12@gmail.com | sagarwal12@gmail.com | |||
| Editor: Dana Blair | Editor: Dana Blair | |||
| dblair@cisco.com"; | dblair@cisco.com"; | |||
| description | description | |||
| "This YANG module defines groupings that are used by | "This YANG module defines groupings that are used by | |||
| the ietf-access-control-list YANG module. Their usage | the ietf-access-control-list YANG module. Their usage | |||
| is not limited to ietf-access-control-list and can be | is not limited to ietf-access-control-list and can be | |||
| used anywhere as applicable. | used anywhere as applicable. | |||
| Copyright (c) 2019 IETF Trust and the persons identified as | Copyright (c) 2019 IETF Trust and the persons identified as | |||
| the document authors. All rights reserved. | the document authors. All rights reserved. | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD | to the license terms contained in, the Simplified BSD | |||
| License set forth in Section 4.c of the IETF Trust's Legal | License set forth in Section 4.c of the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC 8519; see | This version of this YANG module is part of RFC 8519; see | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| revision 2019-01-28 { | revision 2019-03-04 { | |||
| description | description | |||
| "Initial version."; | "Initial version."; | |||
| reference | reference | |||
| "RFC 8519: YANG Data Model for Network Access Control | "RFC 8519: YANG Data Model for Network Access Control | |||
| Lists (ACLs)."; | Lists (ACLs)."; | |||
| } | } | |||
| /* | /* | |||
| * Typedefs | * Typedefs | |||
| */ | */ | |||
| typedef operator { | typedef operator { | |||
| type enumeration { | type enumeration { | |||
| enum lte { | enum lte { | |||
| description | description | |||
| "Less than or equal to."; | "Less than or equal to."; | |||
| skipping to change at page 26, line 46 ¶ | skipping to change at page 26, line 45 ¶ | |||
| } | } | |||
| /* | /* | |||
| * Groupings | * Groupings | |||
| */ | */ | |||
| grouping port-range-or-operator { | grouping port-range-or-operator { | |||
| choice port-range-or-operator { | choice port-range-or-operator { | |||
| case range { | case range { | |||
| leaf lower-port { | leaf lower-port { | |||
| type inet:port-number; | type inet:port-number; | |||
| must ". <= ../upper-port" { | must '. <= ../upper-port' { | |||
| error-message | error-message | |||
| "The lower-port must be less than or equal to | "The lower-port must be less than or equal to | |||
| the upper-port."; | the upper-port."; | |||
| } | } | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Lower boundary for a port."; | "Lower boundary for a port."; | |||
| } | } | |||
| leaf upper-port { | leaf upper-port { | |||
| type inet:port-number; | type inet:port-number; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Upper boundary for a port."; | "Upper boundary for a port."; | |||
| } | } | |||
| } | } | |||
| case operator { | case operator { | |||
| leaf operator { | leaf operator { | |||
| skipping to change at page 27, line 17 ¶ | skipping to change at page 27, line 16 ¶ | |||
| leaf upper-port { | leaf upper-port { | |||
| type inet:port-number; | type inet:port-number; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Upper boundary for a port."; | "Upper boundary for a port."; | |||
| } | } | |||
| } | } | |||
| case operator { | case operator { | |||
| leaf operator { | leaf operator { | |||
| type operator; | type operator; | |||
| default eq; | default "eq"; | |||
| description | description | |||
| "Operator to be applied on the port below."; | "Operator to be applied on the port below."; | |||
| } | } | |||
| leaf port { | leaf port { | |||
| type inet:port-number; | type inet:port-number; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Port number along with the operator on which to | "Port number along with the operator on which to | |||
| match."; | match."; | |||
| } | } | |||
| skipping to change at page 28, line 4 ¶ | skipping to change at page 27, line 51 ¶ | |||
| "RFC 791: Internet Protocol."; | "RFC 791: Internet Protocol."; | |||
| leaf dscp { | leaf dscp { | |||
| type inet:dscp; | type inet:dscp; | |||
| description | description | |||
| "Differentiated Services Code Point."; | "Differentiated Services Code Point."; | |||
| reference | reference | |||
| "RFC 2474: Definition of the Differentiated Services | "RFC 2474: Definition of the Differentiated Services | |||
| Field (DS Field) in the IPv4 and IPv6 | Field (DS Field) in the IPv4 and IPv6 | |||
| Headers."; | Headers."; | |||
| } | } | |||
| leaf ecn { | leaf ecn { | |||
| type uint8 { | type uint8 { | |||
| range 0..3; | range "0..3"; | |||
| } | } | |||
| description | description | |||
| "Explicit Congestion Notification."; | "Explicit Congestion Notification."; | |||
| reference | reference | |||
| "RFC 3168: The Addition of Explicit Congestion | "RFC 3168: The Addition of Explicit Congestion | |||
| Notification (ECN) to IP."; | Notification (ECN) to IP."; | |||
| } | } | |||
| leaf length { | leaf length { | |||
| type uint16; | type uint16; | |||
| skipping to change at page 31, line 18 ¶ | skipping to change at page 31, line 11 ¶ | |||
| description | description | |||
| "Choice of specifying a destination IPv6 address | "Choice of specifying a destination IPv6 address | |||
| or referring to a group of IPv6 destination | or referring to a group of IPv6 destination | |||
| addresses."; | addresses."; | |||
| } | } | |||
| choice source-network { | choice source-network { | |||
| case source-ipv6-network { | case source-ipv6-network { | |||
| leaf source-ipv6-network { | leaf source-ipv6-network { | |||
| type inet:ipv6-prefix; | type inet:ipv6-prefix; | |||
| description | description | |||
| "Source IPv6 address prefix."; | "Source IPv6 address prefix."; | |||
| } | } | |||
| } | } | |||
| description | description | |||
| "Choice of specifying a source IPv6 address or | "Choice of specifying a source IPv6 address or | |||
| referring to a group of IPv6 source addresses."; | referring to a group of IPv6 source addresses."; | |||
| } | } | |||
| leaf flow-label { | leaf flow-label { | |||
| type inet:ipv6-flow-label; | type inet:ipv6-flow-label; | |||
| description | description | |||
| skipping to change at page 47, line 9 ¶ | skipping to change at page 47, line 9 ¶ | |||
| proprietary models. | proprietary models. | |||
| module example-newco-acl { | module example-newco-acl { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "http://example.com/ns/example-newco-acl"; | namespace "http://example.com/ns/example-newco-acl"; | |||
| prefix example-newco-acl; | prefix example-newco-acl; | |||
| import ietf-access-control-list { | import ietf-access-control-list { | |||
| prefix "acl"; | prefix acl; | |||
| } | } | |||
| organization | organization | |||
| "Newco model group."; | "Newco model group."; | |||
| contact | contact | |||
| "abc@newco.com"; | "abc@newco.com"; | |||
| description | description | |||
| "This YANG module augments the IETF ACL YANG module."; | "This YANG module augments the IETF ACL YANG module."; | |||
| revision 2019-01-28 { | revision 2019-03-04 { | |||
| description | description | |||
| "Creating NewCo proprietary extensions to the ietf-acl | "Creating NewCo proprietary extensions to the ietf-acl | |||
| model."; | model."; | |||
| reference | reference | |||
| "RFC 8519: YANG Data Model for Network Access Control | "RFC 8519: YANG Data Model for Network Access Control | |||
| Lists (ACLs)."; | Lists (ACLs)."; | |||
| } | } | |||
| augment "/acl:acls/acl:acl/" + | augment "/acl:acls/acl:acl/" | |||
| "acl:aces/acl:ace/" + | + "acl:aces/acl:ace/" | |||
| "acl:matches" { | + "acl:matches" { | |||
| description "Newco proprietary simple filter matches."; | description | |||
| "Newco proprietary simple filter matches."; | ||||
| choice protocol-payload-choice { | choice protocol-payload-choice { | |||
| description "Newco proprietary payload match condition."; | description | |||
| "Newco proprietary payload match condition."; | ||||
| list protocol-payload { | list protocol-payload { | |||
| key value-keyword; | key "value-keyword"; | |||
| ordered-by user; | ordered-by user; | |||
| description "Match protocol payload."; | description | |||
| "Match protocol payload."; | ||||
| uses match-simple-payload-protocol-value; | uses match-simple-payload-protocol-value; | |||
| } | } | |||
| } | } | |||
| choice metadata { | choice metadata { | |||
| description "Newco proprietary interface match condition."; | description | |||
| "Newco proprietary interface match condition."; | ||||
| leaf packet-length { | leaf packet-length { | |||
| type uint16; | type uint16; | |||
| description "Match on packet length."; | description | |||
| "Match on packet length."; | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| augment "/acl:acls/acl:acl/" + | ||||
| "acl:aces/acl:ace/" + | augment "/acl:acls/acl:acl/" | |||
| "acl:actions" { | + "acl:aces/acl:ace/" | |||
| description "Newco proprietary simple filter actions."; | + "acl:actions" { | |||
| description | ||||
| "Newco proprietary simple filter actions."; | ||||
| choice action { | choice action { | |||
| description "Newco proprietary action choices."; | description | |||
| "Newco proprietary action choices."; | ||||
| case count { | case count { | |||
| description "Count the packet in the named counter."; | description | |||
| "Count the packet in the named counter."; | ||||
| leaf count { | leaf count { | |||
| type uint32; | type uint32; | |||
| description "Count."; | description | |||
| "Count."; | ||||
| } | } | |||
| } | } | |||
| case policer { | case policer { | |||
| description "Name of policer used to rate-limit traffic."; | description | |||
| "Name of policer used to rate-limit traffic."; | ||||
| leaf policer { | leaf policer { | |||
| type string; | type string; | |||
| description "Name of the policer."; | description | |||
| "Name of the policer."; | ||||
| } | } | |||
| } | } | |||
| case hierarchical-policer { | case hierarchical-policer { | |||
| leaf hierarchical-policer { | leaf hierarchical-policer { | |||
| type string; | type string; | |||
| description | description | |||
| "Name of the hierarchical policer."; | "Name of the hierarchical policer."; | |||
| } | } | |||
| description | description | |||
| "Name of the hierarchical policer used to | "Name of the hierarchical policer used to | |||
| rate-limit traffic."; | rate-limit traffic."; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| augment "/acl:acls/acl:acl" + | augment "/acl:acls/acl:acl" | |||
| "/acl:aces/acl:ace/" + | + "/acl:aces/acl:ace/" | |||
| "acl:actions" { | + "acl:actions" { | |||
| leaf default-action { | leaf default-action { | |||
| type identityref { | type identityref { | |||
| base acl:forwarding-action; | base acl:forwarding-action; | |||
| } | } | |||
| default acl:drop; | default "acl:drop"; | |||
| description | description | |||
| "Actions that occur if no ACE is matched."; | "Actions that occur if no ACE is matched."; | |||
| } | } | |||
| description | description | |||
| "Newco proprietary default action."; | "Newco proprietary default action."; | |||
| } | } | |||
| grouping match-simple-payload-protocol-value { | grouping match-simple-payload-protocol-value { | |||
| description "Newco proprietary payload"; | description | |||
| "Newco proprietary payload"; | ||||
| leaf value-keyword { | leaf value-keyword { | |||
| type enumeration { | type enumeration { | |||
| enum icmp { | enum icmp { | |||
| description "Internet Control Message Protocol."; | description | |||
| "Internet Control Message Protocol."; | ||||
| } | } | |||
| enum icmp6 { | enum icmp6 { | |||
| description | description | |||
| "Internet Control Message Protocol | "Internet Control Message Protocol | |||
| Version 6."; | Version 6."; | |||
| } | } | |||
| enum range { | enum range { | |||
| description "Range of values."; | description | |||
| "Range of values."; | ||||
| } | } | |||
| } | } | |||
| description "(null)."; | description | |||
| "(null)."; | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| The following figure is the tree diagram of example-newco-acl. In | The following figure is the tree diagram of example-newco-acl. In | |||
| this example, /ietf-acl:acls/ietf-acl:acl/ietf-acl:aces/ietf-acl:ace/ | this example, /ietf-acl:acls/ietf-acl:acl/ietf-acl:aces/ietf-acl:ace/ | |||
| ietf-acl:matches are augmented with two new choices: protocol- | ietf-acl:matches are augmented with two new choices: protocol- | |||
| payload-choice and metadata. The protocol-payload-choice uses a | payload-choice and metadata. The protocol-payload-choice uses a | |||
| grouping with an enumeration of all supported protocol values. | grouping with an enumeration of all supported protocol values. | |||
| Metadata matches apply to fields associated with the packet, that are | Metadata matches apply to fields associated with the packet, that are | |||
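Review bot: The `value-keyword` leaf in grouping `match-simple-payload-protocol-value` still carries the placeholder description "(null)." in both columns; since it is the key of the `protocol-payload` list, give it a real description (for example, "Protocol keyword to match in the payload.") rather than shipping a stub in an example module. Two smaller points in the same hunk: case `count` is described as "Count the packet in the named counter", but leaf `count` is a `uint32`, so either the leaf should carry the counter name (a `string`, as `policer` does) or the description should say what the number means; and the `metadata` choice is described as an "interface match condition" while its only leaf is `packet-length`. The remaining changes are consistent style normalization (unquoted `prefix acl`, quoted `key "value-keyword"` and `default "acl:drop"`, `+` at the start of continuation lines, `description` on its own line) plus the revision bump to 2019-03-04, all fine.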
| skipping to change at page 51, line 24 ¶ | skipping to change at page 51, line 24 ¶ | |||
| in this document and Linux nftables. | in this document and Linux nftables. | |||
| A.3. Ethertypes | A.3. Ethertypes | |||
| The ACL module is dependent on the definition of Ethertypes. IEEE | The ACL module is dependent on the definition of Ethertypes. IEEE | |||
| owns the allocation of those Ethertypes. This model is being | owns the allocation of those Ethertypes. This model is being | |||
| included here to enable the definition of those types till such time | included here to enable the definition of those types till such time | |||
| that IEEE takes up the task of publication of the model that defines | that IEEE takes up the task of publication of the model that defines | |||
| those Ethertypes. At that time, this model can be deprecated. | those Ethertypes. At that time, this model can be deprecated. | |||
| <CODE BEGINS> file "ietf-ethertypes@2019-01-28.yang" | <CODE BEGINS> file "ietf-ethertypes@2019-03-04.yang" | |||
| module ietf-ethertypes { | module ietf-ethertypes { | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-ethertypes"; | namespace "urn:ietf:params:xml:ns:yang:ietf-ethertypes"; | |||
| prefix ethertypes; | prefix ethertypes; | |||
| organization | organization | |||
| "IETF NETMOD (Network Modeling) Working Group."; | "IETF NETMOD (Network Modeling) Working Group."; | |||
| contact | contact | |||
| "WG Web: <https://datatracker.ietf.org/wg/netmod/> | "WG Web: <https://datatracker.ietf.org/wg/netmod/> | |||
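Review bot: The `<CODE BEGINS>` file name changes to ietf-ethertypes@2019-03-04.yang; the date in a YANG file name is expected to equal the module's latest `revision` statement, so this rename is only correct together with the matching bump of `revision 2019-01-28` to `revision 2019-03-04` further down, and the two must not be edited independently in future updates. The A.3 prose is unchanged between the columns; "till such time that IEEE takes up the task of publication" reads better as "until IEEE publishes".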
| skipping to change at page 52, line 15 ¶ | skipping to change at page 52, line 15 ¶ | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD | to the license terms contained in, the Simplified BSD | |||
| License set forth in Section 4.c of the IETF Trust's Legal | License set forth in Section 4.c of the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC 8519; see | This version of this YANG module is part of RFC 8519; see | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| revision 2019-01-28 { | revision 2019-03-04 { | |||
| description | description | |||
| "Initial revision."; | "Initial revision."; | |||
| reference | reference | |||
| "RFC 8519: YANG Data Model for Network Access Control | "RFC 8519: YANG Data Model for Network Access Control | |||
| Lists (ACLs)."; | Lists (ACLs)."; | |||
| } | } | |||
| typedef ethertype { | typedef ethertype { | |||
| type union { | type union { | |||
| type uint16; | type uint16; | |||
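Review bot: The `revision 2019-03-04` bump here restores agreement with the renamed file ietf-ethertypes@2019-03-04.yang above, so the "Initial revision." description remains accurate. One point on the `ethertype` typedef that begins at the end of the hunk: its `union` lists `type uint16` first, and YANG evaluates union member types in order, so a numeric value will always be accepted as a raw Ethertype before any later member is tried; a sentence in the typedef description stating that the numeric form is the canonical one for values without a named member would save implementers from guessing.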
| End of changes. 57 change blocks. | ||||
| 83 lines changed or deleted | 101 lines changed or added | |||