| rfc8519v3.txt | rfc8519.txt |
|---|---|
| Internet Engineering Task Force (IETF) M. Jethanandani | Internet Engineering Task Force (IETF) M. Jethanandani | |||
| Request for Comments: 8519 VMware | Request for Comments: 8519 VMware | |||
| Category: Standards Track S. Agarwal | Category: Standards Track S. Agarwal | |||
| ISSN: 2070-1721 Cisco Systems, Inc. | ISSN: 2070-1721 Cisco Systems, Inc. | |||
| L. Huang | L. Huang | |||
| D. Blair | D. Blair | |||
| February 2019 | March 2019 | |||
| YANG Data Model for Network Access Control Lists (ACLs) | YANG Data Model for Network Access Control Lists (ACLs) | |||
| Abstract | Abstract | |||
| This document defines a data model for Access Control Lists (ACLs). | This document defines a data model for Access Control Lists (ACLs). | |||
| An ACL is a user-ordered set of rules used to configure the | An ACL is a user-ordered set of rules used to configure the | |||
| forwarding behavior in a device. Each rule is used to find a match | forwarding behavior in a device. Each rule is used to find a match | |||
| on a packet and define actions that will be performed on the packet. | on a packet and define actions that will be performed on the packet. | |||
| skipping to change at page 2, line 16 ¶ | skipping to change at page 2, line 16 ¶ | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 3 | 1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.3. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 | 1.3. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Understanding ACL's Filters and Actions . . . . . . . . . . . 4 | 3. Understanding ACL's Filters and Actions . . . . . . . . . . . 4 | |||
| 3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 5 | 3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 9 | 4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.1. IETF Access Control List Module . . . . . . . . . . . . . 9 | 4.1. IETF Access Control List Module . . . . . . . . . . . . . 9 | |||
| 4.2. IETF Packet Fields Module . . . . . . . . . . . . . . . . 23 | 4.2. IETF Packet Fields Module . . . . . . . . . . . . . . . . 24 | |||
| 4.3. ACL Examples . . . . . . . . . . . . . . . . . . . . . . 36 | 4.3. ACL Examples . . . . . . . . . . . . . . . . . . . . . . 37 | |||
| 4.4. Port Range Usage and Other Examples . . . . . . . . . . . 37 | 4.4. Port Range Usage and Other Examples . . . . . . . . . . . 39 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 41 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 41 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42 | |||
| 6.1. URI Registration . . . . . . . . . . . . . . . . . . . . 42 | 6.1. URI Registration . . . . . . . . . . . . . . . . . . . . 42 | |||
| 6.2. YANG Module Name Registration . . . . . . . . . . . . . . 42 | 6.2. YANG Module Name Registration . . . . . . . . . . . . . . 43 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 43 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 43 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 44 | 7.2. Informative References . . . . . . . . . . . . . . . . . 44 | |||
| Appendix A. Extending ACL Model Examples . . . . . . . . . . . . 45 | Appendix A. Extending ACL Model Examples . . . . . . . . . . . . 46 | |||
| A.1. Example of a Company's Proprietary Module . . . . . . . . 45 | A.1. Example of a Company's Proprietary Module . . . . . . . . 46 | |||
| A.2. Linux nftables . . . . . . . . . . . . . . . . . . . . . 49 | A.2. Linux nftables . . . . . . . . . . . . . . . . . . . . . 49 | |||
| A.3. Ethertypes . . . . . . . . . . . . . . . . . . . . . . . 50 | A.3. Ethertypes . . . . . . . . . . . . . . . . . . . . . . . 50 | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 58 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 59 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 59 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 59 | |||
| 1. Introduction | 1. Introduction | |||
| An Access Control List (ACL) is one of the basic elements used to | An Access Control List (ACL) is one of the basic elements used to | |||
| configure device-forwarding behavior. It is used in many networking | configure device-forwarding behavior. It is used in many networking | |||
| technologies such as Policy-Based Routing (PBR), firewalls, etc. | technologies such as Policy-Based Routing (PBR), firewalls, etc. | |||
| An ACL is a user-ordered set of rules that is used to filter traffic | An ACL is a user-ordered set of rules that is used to filter traffic | |||
| on a networking device. Each rule is represented by an Access | on a networking device. Each rule is represented by an Access | |||
| skipping to change at page 10, line 10 ¶ | skipping to change at page 10, line 23 ¶ | |||
| interface. | interface. | |||
| Statistics in the ACL can be collected for an "ace" or for an | Statistics in the ACL can be collected for an "ace" or for an | |||
| "interface". The feature statements defined for statistics can be | "interface". The feature statements defined for statistics can be | |||
| used to determine whether statistics are being collected per "ace" or | used to determine whether statistics are being collected per "ace" or | |||
| per "interface". | per "interface". | |||
| This module imports definitions from "Common YANG Data Types" | This module imports definitions from "Common YANG Data Types" | |||
| [RFC6991] and "A YANG Data Model for Interface Management" [RFC8343]. | [RFC6991] and "A YANG Data Model for Interface Management" [RFC8343]. | |||
| <CODE BEGINS> file "ietf-access-control-list@2019-01-28.yang" | <CODE BEGINS> file "ietf-access-control-list@2019-03-04.yang" | |||
| module ietf-access-control-list { | module ietf-access-control-list { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; | namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; | |||
| prefix acl; | prefix acl; | |||
| import ietf-yang-types { | import ietf-yang-types { | |||
| prefix yang; | prefix yang; | |||
| reference | reference | |||
| "RFC 6991 - Common YANG Data Types."; | "RFC 6991 - Common YANG Data Types."; | |||
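
Review bot: the rename to ietf-access-control-list@2019-03-04.yang is only correct if the module's own revision statement is bumped to the same date, because the <CODE BEGINS> file name is module-name@revision-date and extraction tools and validators that load the module by file name expect the two to agree; the hunk at page 11 does make that change, and the same pairing has to hold for ietf-packet-fields and ietf-ethertypes further down.
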
| skipping to change at page 11, line 18 ¶ | skipping to change at page 11, line 35 ¶ | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD | to the license terms contained in, the Simplified BSD | |||
| License set forth in Section 4.c of the IETF Trust's Legal | License set forth in Section 4.c of the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC 8519; see | This version of this YANG module is part of RFC 8519; see | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| revision 2019-01-28 { | revision 2019-03-04 { | |||
| description | description | |||
| "Initial version."; | "Initial version."; | |||
| reference | reference | |||
| "RFC 8519: YANG Data Model for Network Access Control | "RFC 8519: YANG Data Model for Network Access Control | |||
| Lists (ACLs)."; | Lists (ACLs)."; | |||
| } | } | |||
| /* | /* | |||
| * Identities | * Identities | |||
| */ | */ | |||
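
Review bot: moving the revision from 2019-01-28 to 2019-03-04 changes the module's name@revision key, so an importer that pinned the draft version with `revision-date 2019-01-28;` will not resolve against the published module and must be updated to 2019-03-04 or drop the pin. Keeping the description as "Initial version." is right here, since this is the first published revision and the earlier date only ever appeared in drafts.
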
| skipping to change at page 24, line 20 ¶ | skipping to change at page 25, line 5 ¶ | |||
| [RFC6991] and references "Internet Protocol" [RFC0791], "Internet | [RFC6991] and references "Internet Protocol" [RFC0791], "Internet | |||
| Control Message Protocol" [RFC0792], "Transmission Control Protocol" | Control Message Protocol" [RFC0792], "Transmission Control Protocol" | |||
| [RFC0793], "Definition of the Differentiated Services Field (DS | [RFC0793], "Definition of the Differentiated Services Field (DS | |||
| Field) in the IPv4 and IPv6 Headers" [RFC2474], "The Addition of | Field) in the IPv4 and IPv6 Headers" [RFC2474], "The Addition of | |||
| Explicit Congestion Notification (ECN) to IP" [RFC3168], "IPv6 Scoped | Explicit Congestion Notification (ECN) to IP" [RFC3168], "IPv6 Scoped | |||
| Address Architecture" [RFC4007], "IP Version 6 Addressing | Address Architecture" [RFC4007], "IP Version 6 Addressing | |||
| Architecture" [RFC4291], "A Recommendation for IPv6 Address Text | Architecture" [RFC4291], "A Recommendation for IPv6 Address Text | |||
| Representation" [RFC5952], and "Internet Protocol, Version 6 (IPv6) | Representation" [RFC5952], and "Internet Protocol, Version 6 (IPv6) | |||
| Specification" [RFC8200]. | Specification" [RFC8200]. | |||
| <CODE BEGINS> file "ietf-packet-fields@2019-01-28.yang" | <CODE BEGINS> file "ietf-packet-fields@2019-03-04.yang" | |||
| module ietf-packet-fields { | module ietf-packet-fields { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; | namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; | |||
| prefix packet-fields; | prefix packet-fields; | |||
| import ietf-inet-types { | import ietf-inet-types { | |||
| prefix inet; | prefix inet; | |||
| reference | reference | |||
| "RFC 6991 - Common YANG Data Types."; | "RFC 6991 - Common YANG Data Types."; | |||
| skipping to change at page 25, line 30 ¶ | skipping to change at page 26, line 18 ¶ | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD | to the license terms contained in, the Simplified BSD | |||
| License set forth in Section 4.c of the IETF Trust's Legal | License set forth in Section 4.c of the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC 8519; see | This version of this YANG module is part of RFC 8519; see | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| revision 2019-01-28 { | revision 2019-03-04 { | |||
| description | description | |||
| "Initial version."; | "Initial version."; | |||
| reference | reference | |||
| "RFC 8519: YANG Data Model for Network Access Control | "RFC 8519: YANG Data Model for Network Access Control | |||
| Lists (ACLs)."; | Lists (ACLs)."; | |||
| } | } | |||
| /* | /* | |||
| * Typedefs | * Typedefs | |||
| */ | */ | |||
| skipping to change at page 45, line 51 ¶ | skipping to change at page 46, line 19 ¶ | |||
| The "example-newco-acl" module is an example of a company's | The "example-newco-acl" module is an example of a company's | |||
| proprietary model that augments the "ietf-acl" module. It shows how | proprietary model that augments the "ietf-acl" module. It shows how | |||
| to use 'augment' with an XML Path Language (XPath) expression to add | to use 'augment' with an XML Path Language (XPath) expression to add | |||
| additional match criteria, actions, and default actions for when no | additional match criteria, actions, and default actions for when no | |||
| ACE matches are found. All these are company proprietary extensions | ACE matches are found. All these are company proprietary extensions | |||
| or system feature extensions. "example-newco-acl" is just an | or system feature extensions. "example-newco-acl" is just an | |||
| example, and it is expected that vendors will create their own | example, and it is expected that vendors will create their own | |||
| proprietary models. | proprietary models. | |||
| module example-newco-acl { | module example-newco-acl { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "http://example.com/ns/example-newco-acl"; | namespace "http://example.com/ns/example-newco-acl"; | |||
| prefix example-newco-acl; | prefix example-newco-acl; | |||
| import ietf-access-control-list { | import ietf-access-control-list { | |||
| prefix acl; | prefix acl; | |||
| } | } | |||
| organization | organization | |||
| "Newco model group."; | "Newco model group."; | |||
| contact | contact | |||
| "abc@newco.com"; | "abc@newco.com"; | |||
| description | description | |||
| "This YANG module augments the IETF ACL YANG module."; | "This YANG module augments the IETF ACL YANG module."; | |||
| revision 2019-01-28 { | revision 2019-03-04 { | |||
| description | description | |||
| "Creating NewCo proprietary extensions to the ietf-acl | "Creating NewCo proprietary extensions to the ietf-acl | |||
| model."; | model."; | |||
| reference | reference | |||
| "RFC 8519: YANG Data Model for Network Access Control | "RFC 8519: YANG Data Model for Network Access Control | |||
| Lists (ACLs)."; | Lists (ACLs)."; | |||
| } | } | |||
| augment "/acl:acls/acl:acl/" | augment "/acl:acls/acl:acl/" | |||
| + "acl:aces/acl:ace/" | + "acl:aces/acl:ace/" | |||
| + "acl:matches" { | + "acl:matches" { | |||
| description | description | |||
| "Newco proprietary simple filter matches."; | "Newco proprietary simple filter matches."; | |||
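
Review bot: the contact line "abc@newco.com" uses a domain that is not reserved for documentation, whereas the namespace correctly uses example.com; use abc@example.com so the example cannot point at a real mailbox. The augment description would also benefit from one sentence stating that, because these criteria are added under acl:matches, an ACE that uses them is narrower than a client unaware of example-newco-acl would infer from the standard fields alone, so a consumer needs the augmenting module loaded to evaluate the ACL correctly.
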
| skipping to change at page 50, line 24 ¶ | skipping to change at page 50, line 34 ¶ | |||
| in this document and Linux nftables. | in this document and Linux nftables. | |||
| A.3. Ethertypes | A.3. Ethertypes | |||
| The ACL module is dependent on the definition of Ethertypes. IEEE | The ACL module is dependent on the definition of Ethertypes. IEEE | |||
| owns the allocation of those Ethertypes. This model is being | owns the allocation of those Ethertypes. This model is being | |||
| included here to enable the definition of those types till such time | included here to enable the definition of those types till such time | |||
| that IEEE takes up the task of publication of the model that defines | that IEEE takes up the task of publication of the model that defines | |||
| those Ethertypes. At that time, this model can be deprecated. | those Ethertypes. At that time, this model can be deprecated. | |||
| <CODE BEGINS> file "ietf-ethertypes@2019-01-28.yang" | <CODE BEGINS> file "ietf-ethertypes@2019-03-04.yang" | |||
| module ietf-ethertypes { | module ietf-ethertypes { | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-ethertypes"; | namespace "urn:ietf:params:xml:ns:yang:ietf-ethertypes"; | |||
| prefix ethertypes; | prefix ethertypes; | |||
| organization | organization | |||
| "IETF NETMOD (Network Modeling) Working Group."; | "IETF NETMOD (Network Modeling) Working Group."; | |||
| contact | contact | |||
| "WG Web: <https://datatracker.ietf.org/wg/netmod/> | "WG Web: <https://datatracker.ietf.org/wg/netmod/> | |||
| skipping to change at page 51, line 15 ¶ | skipping to change at page 51, line 24 ¶ | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD | to the license terms contained in, the Simplified BSD | |||
| License set forth in Section 4.c of the IETF Trust's Legal | License set forth in Section 4.c of the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC 8519; see | This version of this YANG module is part of RFC 8519; see | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| revision 2019-01-28 { | revision 2019-03-04 { | |||
| description | description | |||
| "Initial revision."; | "Initial revision."; | |||
| reference | reference | |||
| "RFC 8519: YANG Data Model for Network Access Control | "RFC 8519: YANG Data Model for Network Access Control | |||
| Lists (ACLs)."; | Lists (ACLs)."; | |||
| } | } | |||
| typedef ethertype { | typedef ethertype { | |||
| type union { | type union { | |||
| type uint16; | type uint16; | |||
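
Review bot: ietf-ethertypes carries no yang-version statement, so it is a YANG version 1 module (RFC 7950 makes version 1 the default), while ietf-access-control-list and ietf-packet-fields both declare yang-version 1.1; either add `yang-version 1.1;` after the module line for consistency or record the omission as deliberate, given that Appendix A.3 expects this module to be deprecated once IEEE publishes its own. The uint16 member of the ethertype union also accepts any 16-bit value, including Ethertypes that IEEE has not assigned, which is reasonable for a match field but worth stating in the typedef description.
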
| End of changes. 17 change blocks. | |
| 15 lines changed or deleted | 20 lines changed or added |

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/