Network Working Group                                       M. Bjorklund
Internet-Draft                                            Tail-f Systems
Intended status: Standards Track                          March 28, 2014
Expires: September 29, 2014

                   A YANG Data Model for IP Management
                       draft-ietf-netmod-ip-cfg-14

Abstract

   This document defines a YANG data model for management of IP
   implementations.  The data model includes configuration data and
   state data.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 29, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Tree Diagrams
   2.  IP Data Model
   3.  Relationship to IP-MIB
   4.  IP management YANG Module
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Example: NETCONF reply
   Author's Address

1.  Introduction

   This document defines a YANG [RFC6020] data model for management of
   IP implementations.

   The data model covers configuration of per-interface IPv4 and IPv6
   parameters, and mappings of IP addresses to link-layer addresses.  It
   also provides information about which IP addresses are operationally
   used, and which link-layer mappings exist.  Per-interface parameters
   are added through augmentation of the interface data model defined in
   [I-D.ietf-netmod-interfaces-cfg].

1.1.  Terminology

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14, [RFC2119].

   The following terms are defined in [RFC6241] and are not redefined
   here:

   o  client

   o  configuration data

   o  server

   o  state data

   The following terms are defined in [RFC6020] and are not redefined
   here:

   o  augment

   o  data model

   o  data node

   The terminology for describing YANG data models is found in
   [RFC6020].

1.2.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is as
   follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      data (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!"
      means a presence container, and "*" denotes a list and leaf-list.

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.  IP Data Model

   This document defines the YANG module "ietf-ip", which augments the
   "interface" and "interface-state" lists defined in the
   "ietf-interfaces" module [I-D.ietf-netmod-interfaces-cfg] with IP
   specific data nodes, and adds IP specific state data.

   The data model has the following structure for IP configuration per
   interface:

   +--rw if:interfaces
      +--rw if:interface* [name]
         ...
         +--rw ipv4!
         |  +--rw enabled?                      boolean
         |  +--rw forwarding?                   boolean
         |  +--rw mtu?                          uint16
         |  +--rw address* [ip]
         |  |  +--rw ip                         inet:ipv4-address-no-zone
         |  |  +--rw (subnet)
         |  |     +--:(prefix-length)
         |  |     |  +--rw ip:prefix-length?    uint8
         |  |     +--:(netmask)
         |  |        +--rw ip:netmask?          yang:dotted-quad
         |  +--rw neighbor* [ip]
         |     +--rw ip                         inet:ipv4-address-no-zone
         |     +--rw link-layer-address         yang:phys-address
         +--rw ipv6!
            +--rw enabled?                      boolean
            +--rw forwarding?                   boolean
            +--rw mtu?                          uint32
            +--rw address* [ip]
            |  +--rw ip                         inet:ipv6-address-no-zone
            |  +--rw prefix-length              uint8
            +--rw neighbor* [ip]
            |  +--rw ip                         inet:ipv6-address-no-zone
            |  +--rw link-layer-address         yang:phys-address
            +--rw dup-addr-detect-transmits?    uint32
            +--rw autoconf
               +--rw create-global-addresses?       boolean
               +--rw create-temporary-addresses?    boolean
               +--rw temporary-valid-lifetime?      uint32
               +--rw temporary-preferred-lifetime?  uint32

   The data model defines two configuration containers per interface,
   "ipv4" and "ipv6", representing the IPv4 and IPv6 address families.
   In each container, there is a leaf "enabled" that controls if the
   address family is enabled on that interface, and a leaf "forwarding"
   that controls if IP packet forwarding for the address family is
   enabled on the interface.  In each container, there is also a list of
   configured addresses, and a list of configured mappings from IP
   addresses to link-layer addresses.

   The data model has the following structure for IP state per
   interface:

   +--ro if:interfaces-state
      +--ro if:interface* [name]
         ...
         +--ro ipv4!
         |  +--ro forwarding?               boolean
         |  +--ro mtu?                      uint16
         |  +--ro address* [ip]
         |  |  +--ro ip                     inet:ipv4-address-no-zone
         |  |  +--ro (subnet)?
         |  |  |  +--:(prefix-length)
         |  |  |  |  +--ro prefix-length?   uint8
         |  |  |  +--:(netmask)
         |  |  |     +--ro netmask?         yang:dotted-quad
         |  |  +--ro origin?                ip-address-origin
         |  +--ro neighbor* [ip]
         |     +--ro ip                     inet:ipv4-address-no-zone
         |     +--ro link-layer-address?    yang:phys-address
         |     +--ro origin?                neighbor-origin
         +--ro ipv6!
            +--ro forwarding?               boolean
            +--ro mtu?                      uint32
            +--ro address* [ip]
            |  +--ro ip                     inet:ipv6-address-no-zone
            |  +--ro prefix-length          uint8
            |  +--ro origin?                ip-address-origin
            |  +--ro status?                enumeration
            +--ro neighbor* [ip]
               +--ro ip                     inet:ipv6-address-no-zone
               +--ro link-layer-address?    yang:phys-address
               +--ro origin?                neighbor-origin
               +--ro is-router?             empty
               +--ro state?                 enumeration

   The data model defines two state containers per interface, "ipv4" and
   "ipv6", representing the IPv4 and IPv6 address families.  In each
   container, there is a leaf "forwarding" that indicates if IP packet
   forwarding is enabled on that interface.  In each container there is
   also a list of all addresses in use, and a list of known mappings
   from IP addresses to link-layer addresses.

3.  Relationship to IP-MIB

   If the device implements IP-MIB [RFC4293], each entry in the
   "ipv4/address" and "ipv6/address" lists is mapped to one
   ipAddressEntry, where the ipAddressIfIndex refers to the "address"
   entry's interface.

   The IP-MIB defines objects to control IPv6 Router Advertisement.  The
   corresponding YANG data nodes are defined in
   [I-D.ietf-netmod-routing-cfg].

   The entries in "ipv4/neighbor" and "ipv6/neighbor" are mapped to
   ipNetToPhysicalTable.

   The following tables list the YANG data nodes with corresponding
   objects in the IP-MIB.

   +----------------------------------+--------------------------------+
   | YANG data node in                | IP-MIB object                  |
   | /if:interfaces/if:interface      |                                |
   +----------------------------------+--------------------------------+
   | ipv4/enabled                     | ipv4InterfaceEnableStatus      |
   | ipv4/address                     | ipAddressEntry                 |
   | ipv4/address/ip                  | ipAddressAddrType              |
   |                                  | ipAddressAddr                  |
   | ipv4/neighbor                    | ipNetToPhysicalEntry           |
   | ipv4/neighbor/ip                 | ipNetToPhysicalNetAddressType  |
   |                                  | ipNetToPhysicalNetAddressAddr  |
   | ipv4/neighbor/link-layer-address | ipNetToPhysicalPhysAddress     |
   | ipv6/enabled                     | ipv6InterfaceEnableStatus      |
   | ipv6/forwarding                  | ipv6InterfaceForwarding        |
   | ipv6/address                     | ipAddressEntry                 |
   | ipv6/address/ip                  | ipAddressAddrType              |
   |                                  | ipAddressAddr                  |
   | ipv6/neighbor                    | ipNetToPhysicalEntry           |
   | ipv6/neighbor/link-layer-address | ipNetToPhysicalPhysAddress     |
   | ipv6/neighbor/origin             | ipNetToPhysicalType            |
   +----------------------------------+--------------------------------+

      YANG interface configuration data nodes and related IP-MIB objects

   +-----------------------------------+-------------------------------+
   | YANG data node in                 | IP-MIB object                 |
   | /if:interfaces-state/if:interface |                               |
   +-----------------------------------+-------------------------------+
   | ipv4                              | ipv4InterfaceEnableStatus     |
   | ipv4/address                      | ipAddressEntry                |
   | ipv4/address/ip                   | ipAddressAddrType             |
   |                                   | ipAddressAddr                 |
   | ipv4/address/origin               | ipAddressOrigin               |
   | ipv4/neighbor                     | ipNetToPhysicalEntry          |
   | ipv4/neighbor/ip                  | ipNetToPhysicalNetAddressType |
   |                                   | ipNetToPhysicalNetAddressAddr |
   | ipv4/neighbor/link-layer-address  | ipNetToPhysicalPhysAddress    |
   | ipv4/neighbor/origin              | ipNetToPhysicalType           |
   | ipv6                              | ipv6InterfaceEnableStatus     |
   | ipv6/forwarding                   | ipv6InterfaceForwarding       |
   | ipv6/address                      | ipAddressEntry                |
   | ipv6/address/ip                   | ipAddressAddrType             |
   |                                   | ipAddressAddr                 |
   | ipv6/address/origin               | ipAddressOrigin               |
   | ipv6/address/status               | ipAddressStatus               |
   | ipv6/neighbor                     | ipNetToPhysicalEntry          |
   | ipv6/neighbor/ip                  | ipNetToPhysicalNetAddressType |
   |                                   | ipNetToPhysicalNetAddressAddr |
   | ipv6/neighbor/link-layer-address  | ipNetToPhysicalPhysAddress    |
   | ipv6/neighbor/origin              | ipNetToPhysicalType           |
   | ipv6/neighbor/state               | ipNetToPhysicalState          |
   +-----------------------------------+-------------------------------+

          YANG interface state data nodes and related IP-MIB objects

4.  IP management YANG Module

   This module imports typedefs from [RFC6991] and
   [I-D.ietf-netmod-interfaces-cfg], and references [RFC0791],
   [RFC0826], [RFC2460], [RFC4861], [RFC4862], [RFC4941] and
   [I-D.ietf-6man-stable-privacy-addresses].

   RFC Ed.: update the date below with the date of RFC publication and
   remove this note.
   file "ietf-ip@2014-03-28.yang"

   module ietf-ip {

     namespace "urn:ietf:params:xml:ns:yang:ietf-ip";
     prefix ip;

     import ietf-interfaces {
       prefix if;
     }
     import ietf-inet-types {
       prefix inet;
     }
     import ietf-yang-types {
       prefix yang;
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Thomas Nadeau

        WG Chair: Juergen Schoenwaelder

        Editor:   Martin Bjorklund
        ";

     description
       "This module contains a collection of YANG definitions for
        configuring IP implementations.

        Copyright (c) 2013 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
     revision 2014-03-28 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for IP Management";
     }

     /*
      * Features
      */

     feature ipv4-non-contiguous-netmasks {
       description
         "Indicates support for configuring non-contiguous
          subnet masks.";
     }

     feature ipv6-privacy-autoconf {
       description
         "Indicates support for Privacy Extensions for Stateless Address
          Autoconfiguration in IPv6.";
       reference
         "RFC 4941: Privacy Extensions for Stateless Address
          Autoconfiguration in IPv6";
     }

     /*
      * Typedefs
      */

     typedef ip-address-origin {
       type enumeration {
         enum other {
           description
             "None of the following.";
         }
         enum static {
           description
             "Indicates that the address has been statically
              configured, for example using NETCONF or a Command Line
              Interface.";
         }
         enum dhcp {
           description
             "Indicates an address that has been assigned to this
              system by a DHCP server.";
         }
         enum link-layer {
           description
             "Indicates an address created by IPv6 stateless
              auto-configuration that embeds a link-layer address in its
              interface identifier.";
         }
         enum random {
           description
             "Indicates an address chosen by the system at
              random, e.g., an IPv4 address within 169.254/16, an
              RFC 4941 temporary address, or a semantically opaque
              address [I-D.ietf-6man-stable-privacy-addresses]";
         }
       }
       description
         "The origin of an address.";
     }

     typedef neighbor-origin {
       type enumeration {
         enum other {
           description
             "None of the following.";
         }
         enum static {
           description
             "Indicates that the mapping has been statically
              configured, for example using NETCONF or a Command Line
              Interface.";
         }
         enum dynamic {
           description
             "Indicates that the mapping has been dynamically resolved
              using e.g., IPv4 ARP or the IPv6 Neighbor Discovery
              protocol.";
         }
       }
       description
         "The origin of a neighbor entry.";
     }

     /*
      * Configuration data nodes
      */

     augment "/if:interfaces/if:interface" {
       description
         "Parameters for configuring IP on interfaces.

          If an interface is not capable of running IP, the server
          must not allow the client to configure these parameters.";

       container ipv4 {
         presence
           "Enables IPv4 unless the 'enabled' leaf
            (which defaults to 'true') is set to 'false'";
         description
           "Parameters for the IPv4 address family.";

         leaf enabled {
           type boolean;
           default true;
           description
             "Controls if IPv4 is enabled or disabled on this
              interface.  When IPv4 is enabled, this interface is
              connected to an IPv4 stack, and the interface can send
              and receive IPv4 packets.";
         }
         leaf forwarding {
           type boolean;
           default false;
           description
             "Controls IPv4 packet forwarding of datagrams received by,
              but not addressed to, this interface.  IPv4 routers
              forward datagrams.  IPv4 hosts do not (except those
              source-routed via the host)";
         }
         leaf mtu {
           type uint16 {
             range "68..max";
           }
           units octets;
           description
             "The size, in octets, of the largest IPv4 packet that the
              interface will send and receive.

              The server may restrict the allowed values for this leaf
              depending on the interface's type.

              If this leaf is not configured, the operationally used mtu
              depends on the interface's type.";
           reference
             "RFC 791: Internet Protocol";
         }
         list address {
           key "ip";
           description
             "The list of configured IPv4 addresses on the interface.";

           leaf ip {
             type inet:ipv4-address-no-zone;
             description
               "The IPv4 address on the interface.";
           }
           choice subnet {
             mandatory true;
             description
               "The subnet can be specified as a prefix-length, or,
                if the server supports non-contiguous netmasks, as
                a netmask.";
             leaf prefix-length {
               type uint8 {
                 range "0..32";
               }
               description
                 "The length of the subnet prefix.";
             }
             leaf netmask {
               if-feature ipv4-non-contiguous-netmasks;
               type yang:dotted-quad;
               description
                 "The subnet specified as a netmask.";
             }
           }
         }
         list neighbor {
           key "ip";
           description
             "A list of mappings from IPv4 addresses to
              link-layer addresses.

              Entries in this list are used as static entries in the
              ARP cache.";
           reference
             "RFC 826: An Ethernet Address Resolution Protocol";

           leaf ip {
             type inet:ipv4-address-no-zone;
             description
               "The IPv4 address of the neighbor node.";
           }
           leaf link-layer-address {
             type yang:phys-address;
             mandatory true;
             description
               "The link-layer address of the neighbor node.";
           }
         }

       }
       container ipv6 {
         presence
           "Enables IPv6 unless the 'enabled' leaf
            (which defaults to 'true') is set to 'false'";
         description
           "Parameters for the IPv6 address family.";

         leaf enabled {
           type boolean;
           default true;
           description
             "Controls if IPv6 is enabled or disabled on this
              interface.  When IPv6 is enabled, this interface is
              connected to an IPv6 stack, and the interface can send
              and receive IPv6 packets.";
         }
         leaf forwarding {
           type boolean;
           default false;
           description
             "Controls IPv6 packet forwarding of datagrams received by,
              but not addressed to, this interface.  IPv6 routers
              forward datagrams.  IPv6 hosts do not (except those
              source-routed via the host)";
           reference
             "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
                        Section 6.2.1, IsRouter";
         }
         leaf mtu {
           type uint32 {
             range "1280..max";
           }
           units octets;
           description
             "The size, in octets, of the largest IPv6 packet that the
              interface will send and receive.

              The server may restrict the allowed values for this leaf
              depending on the interface's type.

              If this leaf is not configured, the operationally used mtu
              depends on the interface's type.";
           reference
             "RFC 2460: IPv6 Specification
                        Section 5";
         }
         list address {
           key "ip";
           description
             "The list of configured IPv6 addresses on the interface.";

           leaf ip {
             type inet:ipv6-address-no-zone;
             description
               "The IPv6 address on the interface.";
           }
           leaf prefix-length {
             type uint8 {
               range "0..128";
             }
             mandatory true;
             description
               "The length of the subnet prefix.";
           }
         }
         list neighbor {
           key "ip";
           description
             "A list of mappings from IPv6 addresses to
              link-layer addresses.

              Entries in this list are used as static entries in the
              Neighbor Cache.";
           reference
             "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)";

           leaf ip {
             type inet:ipv6-address-no-zone;
             description
               "The IPv6 address of the neighbor node.";
           }
           leaf link-layer-address {
             type yang:phys-address;
             mandatory true;
             description
               "The link-layer address of the neighbor node.";
           }
         }
         leaf dup-addr-detect-transmits {
           type uint32;
           default 1;
           description
             "The number of consecutive Neighbor Solicitation messages
              sent while performing Duplicate Address Detection on a
              tentative address.  A value of zero indicates that
              Duplicate Address Detection is not performed on
              tentative addresses.  A value of one indicates a single
              transmission with no follow-up retransmissions.";
           reference
             "RFC 4862: IPv6 Stateless Address Autoconfiguration";
         }
         container autoconf {
           description
             "Parameters to control the autoconfiguration of IPv6
              addresses, as described in RFC 4862.";
           reference
             "RFC 4862: IPv6 Stateless Address Autoconfiguration";

           leaf create-global-addresses {
             type boolean;
             default true;
             description
               "If enabled, the host creates global addresses as
                described in section 5.5 of RFC 4862.";
             reference
               "RFC 4862: IPv6 Stateless Address Autoconfiguration";
           }
           leaf create-temporary-addresses {
             if-feature ipv6-privacy-autoconf;
             type boolean;
             default false;
             description
               "If enabled, the host creates temporary addresses as
                described in RFC 4941.";
             reference
               "RFC 4941: Privacy Extensions for Stateless Address
                          Autoconfiguration in IPv6";
           }
           leaf temporary-valid-lifetime {
             if-feature ipv6-privacy-autoconf;
             type uint32;
             units "seconds";
             default 604800;
             description
               "The time period during which the temporary address
                is valid.";
             reference
               "RFC 4941: Privacy Extensions for Stateless Address
                          Autoconfiguration in IPv6
                          - TEMP_VALID_LIFETIME";
           }
           leaf temporary-preferred-lifetime {
             if-feature ipv6-privacy-autoconf;
             type uint32;
             units "seconds";
             default 86400;
             description
               "The time period during which the temporary address is
                preferred.";
             reference
               "RFC 4941: Privacy Extensions for Stateless Address
                          Autoconfiguration in IPv6
                          - TEMP_PREFERRED_LIFETIME";
           }
         }
       }
     }

     /*
      * Operational state data nodes
      */

     augment "/if:interfaces-state/if:interface" {
       description
         "Data nodes for the operational state of IP on interfaces.";

       container ipv4 {
         presence "Present if IPv4 is enabled on this interface";
         config false;
         description
           "Interface specific parameters for the IPv4 address family.";

         leaf forwarding {
           type boolean;
           description
             "Indicates if IPv4 packet forwarding is enabled or disabled
              on this interface.";
         }
         leaf mtu {
           type uint16 {
             range "68..max";
           }
           units octets;
           description
             "The size, in octets, of the largest IPv4 packet that the
              interface will send and receive.";
           reference
             "RFC 791: Internet Protocol";
         }
         list address {
           key "ip";
           description
             "The list of IPv4 addresses on the interface.";

           leaf ip {
             type inet:ipv4-address-no-zone;
             description
               "The IPv4 address on the interface.";
           }
           choice subnet {
             description
               "The subnet can be specified as a prefix-length, or,
                if the server supports non-contiguous netmasks, as
                a netmask.";
             leaf prefix-length {
               type uint8 {
                 range "0..32";
               }
               description
                 "The length of the subnet prefix.";
             }
             leaf netmask {
               if-feature ipv4-non-contiguous-netmasks;
               type yang:dotted-quad;
               description
                 "The subnet specified as a netmask.";
             }
           }
           leaf origin {
             type ip-address-origin;
             description
               "The origin of this address.";
           }
         }
         list neighbor {
           key "ip";
           description
             "A list of mappings from IPv4 addresses to
              link-layer addresses.

              This list represents the ARP Cache.";
           reference
             "RFC 826: An Ethernet Address Resolution Protocol";

           leaf ip {
             type inet:ipv4-address-no-zone;
             description
               "The IPv4 address of the neighbor node.";
           }
           leaf link-layer-address {
             type yang:phys-address;
             description
               "The link-layer address of the neighbor node.";
           }
           leaf origin {
             type neighbor-origin;
             description
               "The origin of this neighbor entry.";
           }
         }

       }

       container ipv6 {
         presence "Present if IPv6 is enabled on this interface";
         config false;
         description
           "Parameters for the IPv6 address family.";

         leaf forwarding {
           type boolean;
           default false;
           description
             "Indicates if IPv6 packet forwarding is enabled or disabled
              on this interface.";
           reference
             "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
                        Section 6.2.1, IsRouter";
         }
         leaf mtu {
           type uint32 {
             range "1280..max";
           }
           units octets;
           description
             "The size, in octets, of the largest IPv6 packet that the
              interface will send and receive.";
           reference
             "RFC 2460: IPv6 Specification
                        Section 5";
         }
         list address {
           key "ip";
           description
             "The list of IPv6 addresses on the interface.";

           leaf ip {
             type inet:ipv6-address-no-zone;
             description
               "The IPv6 address on the interface.";
           }
           leaf prefix-length {
             type uint8 {
               range "0..128";
             }
             mandatory true;
             description
               "The length of the subnet prefix.";
           }
           leaf origin {
             type ip-address-origin;
             description
               "The origin of this address.";
           }
           leaf status {
             type enumeration {
               enum preferred {
                 description
                   "This is a valid address that can appear as the
                    destination or source address of a packet.";
               }
               enum deprecated {
                 description
                   "This is a valid but deprecated address that should
                    no longer be used as a source address in new
                    communications, but packets addressed to such an
                    address are processed as expected.";
               }
               enum invalid {
                 description
                   "This isn't a valid address and it shouldn't appear
                    as the destination or source address of a packet.";
               }
               enum inaccessible {
                 description
                   "The address is not accessible because the interface
                    to which this address is assigned is not
                    operational.";
               }
               enum unknown {
                 description
                   "The status cannot be determined for some reason.";
               }
               enum tentative {
                 description
                   "The uniqueness of the address on the link is being
                    verified.  Addresses in this state should not be
                    used for general communication and should only be
                    used to determine the uniqueness of the address.";
               }
               enum duplicate {
                 description
                   "The address has been determined to be non-unique on
                    the link and so must not be used.";
               }
               enum optimistic {
                 description
                   "The address is available for use, subject to
                    restrictions, while its uniqueness on a link is
                    being verified.";
               }
             }
             description
               "The status of an address.  Most of the states correspond
                to states from the IPv6 Stateless Address
                Autoconfiguration protocol.";
             reference
               "RFC 4293: Management Information Base for the
                          Internet Protocol (IP)
                          - IpAddressStatusTC
                RFC 4862: IPv6 Stateless Address Autoconfiguration";
           }

         }
         list neighbor {
           key "ip";
           description
             "A list of mappings from IPv6 addresses to
              link-layer addresses.

              This list represents the Neighbor Cache.";
           reference
             "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)";

           leaf ip {
             type inet:ipv6-address-no-zone;
             description
               "The IPv6 address of the neighbor node.";
           }
           leaf link-layer-address {
             type yang:phys-address;
             description
               "The link-layer address of the neighbor node.";
           }
           leaf origin {
             type neighbor-origin;
             description
               "The origin of this neighbor entry.";
           }
           leaf is-router {
             type empty;
             description
               "Indicates that the neighbor node acts as a router.";
           }
           leaf state {
             type enumeration {
               enum incomplete {
                 description
                   "Address resolution is in progress and the link-layer
                    address of the neighbor has not yet been
                    determined.";
               }
               enum reachable {
                 description
                   "Roughly speaking, the neighbor is known to have been
                    reachable recently (within tens of seconds ago).";
               }
               enum stale {
                 description
                   "The neighbor is no longer known to be reachable but
                    until traffic is sent to the neighbor, no attempt
                    should be made to verify its reachability.";
               }
               enum delay {
                 description
                   "The neighbor is no longer known to be reachable, and
                    traffic has recently been sent to the neighbor.
                    Rather than probe the neighbor immediately, however,
                    delay sending probes for a short while in order to
                    give upper-layer protocols a chance to provide
                    reachability confirmation.";
               }
               enum probe {
                 description
                   "The neighbor is no longer known to be reachable, and
                    unicast Neighbor Solicitation probes are being sent
                    to verify reachability.";
               }
             }
             description
               "The Neighbor Unreachability Detection state of this
                entry.";
             reference
               "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
                          Section 7.3.2";
           }
         }
       }
     }
   }

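   As an added example that is not part of this draft or of the ietf-ip
   module, the following Python program checks an XML instance of the
   ietf-ip configuration subtree against the constraints the module text
   above states: the presence containers, the 'enabled' default, the mtu
   ranges (68..max for IPv4, 1280..max for IPv6), the prefix-length
   ranges, the mandatory 'subnet' choice and 'link-layer-address' leaf,
   and the if-feature gating of 'netmask'.  The namespace URIs are the
   ones registered by this document; the sample instance (interfaces
   eth0 and eth1 with documentation-prefix addresses) is constructed, and
   validate() and its helpers are this example's own functions, not the
   API of any YANG tool.

```python
# Added example (not part of the draft or the ietf-ip module): check an XML
# instance of the ietf-ip configuration subtree against the constraints the
# module states.  The sample instance below is constructed; validate() and
# the helpers are this example's own functions, not a YANG tool's API.
import ipaddress
import xml.etree.ElementTree as ET

IF_NS = "urn:ietf:params:xml:ns:yang:ietf-interfaces"
IP_NS = "urn:ietf:params:xml:ns:yang:ietf-ip"
NON_CONTIGUOUS = "ipv4-non-contiguous-netmasks"   # feature name from the module

# Per family: IP version, mtu range (uint16 / uint32 upper bound), max prefix-length.
LIMITS = {"ipv4": (4, 68, 65535, 32), "ipv6": (6, 1280, 4294967295, 128)}


def _leaf(elem, name, ns=IP_NS):
    """Text of the child leaf 'name', or None when the leaf is absent."""
    child = elem.find("{%s}%s" % (ns, name))
    return None if child is None else (child.text or "").strip()


def _in_range(text, lo, hi):
    return text.isdigit() and lo <= int(text) <= hi


def _check_family(cont, where, fam, features, errors):
    version, mtu_lo, mtu_hi, plen_hi = LIMITS[fam]
    # 'enabled' defaults to true: a present container without the leaf still
    # enables the family, so only the leaf's syntax is checked here.
    if _leaf(cont, "enabled") not in (None, "true", "false"):
        errors.append("%s/enabled: not a boolean" % where)
    mtu = _leaf(cont, "mtu")
    if mtu is not None and not _in_range(mtu, mtu_lo, mtu_hi):
        errors.append("%s/mtu: %s outside range %d..%d" % (where, mtu, mtu_lo, mtu_hi))
    for addr in cont.findall("{%s}address" % IP_NS):
        ip = _leaf(addr, "ip") or ""
        here = "%s/address[%s]" % (where, ip)
        try:
            if ipaddress.ip_address(ip).version != version:
                errors.append("%s: not an %s address" % (here, fam))
        except ValueError:
            errors.append("%s: malformed address" % here)
        plen, mask = _leaf(addr, "prefix-length"), _leaf(addr, "netmask")
        if plen is not None and not _in_range(plen, 0, plen_hi):
            errors.append("%s: prefix-length %s outside range 0..%d"
                          % (here, plen, plen_hi))
        if fam == "ipv6":
            if plen is None:                 # 'mandatory true' in the module
                errors.append("%s: prefix-length is mandatory" % here)
            continue
        # IPv4: the 'subnet' choice is mandatory and 'netmask' needs the feature.
        if plen is None and mask is None:
            errors.append("%s: choice 'subnet' is mandatory" % here)
        if mask is not None and NON_CONTIGUOUS not in features:
            errors.append("%s: netmask requires feature %s" % (here, NON_CONTIGUOUS))
    for nbr in cont.findall("{%s}neighbor" % IP_NS):
        if _leaf(nbr, "link-layer-address") is None:   # 'mandatory true'
            errors.append("%s/neighbor[%s]: link-layer-address is mandatory"
                          % (where, _leaf(nbr, "ip")))


def validate(xml_text, features=frozenset()):
    """Return the list of constraint violations; an empty list means valid."""
    errors = []
    for iface in ET.fromstring(xml_text).iter("{%s}interface" % IF_NS):
        name = _leaf(iface, "name", IF_NS) or "?"
        for fam in ("ipv4", "ipv6"):
            cont = iface.find("{%s}%s" % (IP_NS, fam))
            if cont is not None:   # presence container: absent means not configured
                _check_family(cont, "%s/%s" % (name, fam), fam, features, errors)
    return errors


# Constructed sample: eth0 is well formed, eth1 violates several constraints.
SAMPLE = """<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"
            xmlns:ip="urn:ietf:params:xml:ns:yang:ietf-ip">
  <interface><name>eth0</name>
    <ip:ipv4><ip:mtu>1500</ip:mtu>
      <ip:address><ip:ip>192.0.2.1</ip:ip><ip:prefix-length>24</ip:prefix-length></ip:address>
      <ip:neighbor><ip:ip>192.0.2.2</ip:ip>
        <ip:link-layer-address>00:00:5e:00:53:01</ip:link-layer-address></ip:neighbor>
    </ip:ipv4>
    <ip:ipv6><ip:mtu>1500</ip:mtu>
      <ip:address><ip:ip>2001:db8::1</ip:ip><ip:prefix-length>64</ip:prefix-length></ip:address>
    </ip:ipv6>
  </interface>
  <interface><name>eth1</name>
    <ip:ipv4><ip:mtu>60</ip:mtu>
      <ip:address><ip:ip>198.51.100.1</ip:ip></ip:address>
      <ip:address><ip:ip>198.51.100.2</ip:ip><ip:netmask>255.255.255.0</ip:netmask></ip:address>
      <ip:neighbor><ip:ip>198.51.100.3</ip:ip></ip:neighbor>
    </ip:ipv4>
    <ip:ipv6><ip:mtu>1000</ip:mtu>
      <ip:address><ip:ip>2001:db8:1::1</ip:ip><ip:prefix-length>129</ip:prefix-length></ip:address>
    </ip:ipv6>
  </interface>
</interfaces>"""

if __name__ == "__main__":
    for err in validate(SAMPLE):
        print(err)
```

   Running the program lists six violations, all on eth1; passing
   features={"ipv4-non-contiguous-netmasks"} removes the netmask one,
   which is the behaviour a server advertising that feature would show.
   A server that rejects such an instance before committing it is what
   keeps the mandatory and range statements in the module meaningful.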
5.  IANA Considerations

   This document registers a URI in the IETF XML registry [RFC3688].
   Following the format in RFC 3688, the following registration is
   requested to be made.

        URI: urn:ietf:params:xml:ns:yang:ietf-ip

        Registrant Contact: The NETMOD WG of the IETF.

        XML: N/A, the requested URI is an XML namespace.

   This document registers a YANG module in the YANG Module Names
   registry [RFC6020].

        name:         ietf-ip
        namespace:    urn:ietf:params:xml:ns:yang:ietf-ip
        prefix:       ip
        reference:    RFC XXXX

6.  Security Considerations

   The YANG module defined in this memo is designed to be accessed via
   the NETCONF protocol [RFC6241].  The lowest NETCONF layer is the
   secure transport layer and the mandatory-to-implement secure
   transport is SSH [RFC6242].  The NETCONF access control model
   [RFC6536] provides the means to restrict access for particular
   NETCONF users to a pre-configured subset of all available NETCONF
   protocol operations and content.

   There are a number of data nodes defined in the YANG module which are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   ipv4/enabled and ipv6/enabled:  These leafs are used to enable or
      disable IPv4 and IPv6 on a specific interface.  By enabling a
      protocol on an interface, an attacker might be able to create an
      unsecured path into a node (or through it if routing is also
      enabled).  By disabling a protocol on an interface, an attacker
      might be able to force packets to be routed through some other
      interface or deny access to some or all of the network via that
      protocol.

   ipv4/address and ipv6/address:  These lists specify the configured IP
      addresses on an interface.  By modifying this information, an
      attacker can cause a node to either ignore messages destined to it
      or accept (at least at the IP layer) messages it would otherwise
      ignore.  The use of filtering or security associations may reduce
      the potential damage in the latter case.

   ipv4/forwarding and ipv6/forwarding:  These leafs allow a client to
      enable or disable the forwarding functions on the entity.  By
      disabling the forwarding functions, an attacker would possibly be
      able to deny service to users.  By enabling the forwarding
      functions, an attacker could open a conduit into an area.  This
      might result in the area providing transit for packets it
      shouldn't or might allow the attacker access to the area bypassing
      security safeguards.

   ipv6/autoconf:  The leafs in this branch control the
      autoconfiguration of IPv6 addresses and in particular whether
      temporary addresses are used or not.  By modifying the
      corresponding leafs, an attacker might impact the addresses used
      by a node and thus indirectly the privacy of the users using the
      node.

   ipv4/mtu and ipv6/mtu:  Setting these leafs to very small values can
      be used to slow down interfaces.

7.  Acknowledgments

   The author wishes to thank Jeffrey Lange, Ladislav Lhotka, Juergen
   Schoenwaelder, and Dave Thaler for their helpful comments.

8.  References

8.1.  Normative References

   [I-D.ietf-netmod-interfaces-cfg]
              Bjorklund, M., "A YANG Data Model for Interface
              Configuration", draft-ietf-netmod-interfaces-cfg-12 (work
              in progress), July 2012.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              September 1981.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
              September 2007.

   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
              Address Autoconfiguration", RFC 4862, September 2007.

   [RFC4941]  Narten, T., Draves, R., and S. Krishnan, "Privacy
              Extensions for Stateless Address Autoconfiguration in
              IPv6", RFC 4941, September 2007.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6241]  Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
              Bierman, "Network Configuration Protocol (NETCONF)",
              RFC 6241, June 2011.

   [RFC6991]  Schoenwaelder, J., "Common YANG Data Types", RFC 6991,
              July 2013.

8.2.  Informative References

   [I-D.ietf-6man-stable-privacy-addresses]
              Gont, F., "A Method for Generating Semantically Opaque
              Interface Identifiers with IPv6 Stateless Address
              Autoconfiguration (SLAAC)",
              draft-ietf-6man-stable-privacy-addresses-17 (work in
              progress), January 2014.

   [I-D.ietf-netmod-routing-cfg]
              Lhotka, L., "A YANG Data Model for Routing Configuration",
              draft-ietf-netmod-routing-cfg-10 (work in progress),
              July 2012.

   [RFC0826]  Plummer, D., "Ethernet Address Resolution Protocol: Or
              converting network protocol addresses to 48.bit Ethernet
              address for transmission on Ethernet hardware", STD 37,
              RFC 826, November 1982.

   [RFC4293]  Routhier, S., "Management Information Base for the
              Internet Protocol (IP)", RFC 4293, April 2006.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, June 2011.

   [RFC6536]  Bierman, A. and M.
Bjorklund, "Network Configuration 1147 Protocol (NETCONF) Access Control Model", RFC 6536, 1148 March 2012. 1150 Appendix A. Example: NETCONF reply 1152 This section gives an example of a reply to the NETCONF request 1153 for a device that implements the data model defined in this document. 1155 1158 1159 1162 1163 eth0 1164 ianaift:ethernetCsmacd 1165 1166
1167 192.0.2.1 1168 24 1169
1170
1171 1172 1280 1173
1174 2001:db8::10 1175 32 1176
1177 0 1178
1179
1180
1182 1185 1186 eth0 1187 ianaift:ethernetCsmacd 1188 1190 1191 false 1192 1500 1193
1194 192.0.2.1 1195 24 1196 static 1197
1198 1199 192.0.2.2 1200 00:01:02:03:04:05 1201 1202
1203 1204 false 1205 1500 1206
1207 2001:db8::10 1208 32 1209 static 1210 preferred 1211
1212
1213 2001:db8::1:100 1214 32 1215 dhcp 1216 preferred 1217
1218 1219 2001:db8::1 1220 00:01:02:03:04:05 1221 dynamic 1222 1223 reachable 1224 1225 1226 2001:db8::4 1227 dynamic 1228 incomplete 1229 1230
1231
1232
1233
1234
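   As an added example that is not part of this draft, the following
   Python check walks a <get> reply shaped like the one in Appendix A
   and reports, per interface, the conditions that Section 6 calls out
   as sensitive and that are visible in operational state: forwarding
   turned on, an MTU below an operator baseline, neighbors that act as
   routers, and neighbor entries still in the incomplete NUD state.
   The ietf-interfaces namespace, the baseline value and the sample
   reply are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# ietf-ip namespace is the one registered in Section 5; ietf-interfaces is assumed.
NS = {"if": "urn:ietf:params:xml:ns:yang:ietf-interfaces",
      "ip": "urn:ietf:params:xml:ns:yang:ietf-ip"}
MTU_BASELINE = 1500  # operator policy floor, an assumption rather than a model limit

# Constructed sample shaped like the Appendix A reply; ipv4/forwarding is set to
# true here on purpose so that the check has something to report.
SAMPLE_REPLY = """<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <interfaces-state xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
    <interface>
      <name>eth0</name>
      <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
        <forwarding>true</forwarding><mtu>1500</mtu>
      </ipv4>
      <ipv6 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
        <forwarding>false</forwarding><mtu>1280</mtu>
        <neighbor><ip>2001:db8::1</ip><origin>dynamic</origin>
          <is-router/><state>reachable</state></neighbor>
        <neighbor><ip>2001:db8::4</ip><origin>dynamic</origin>
          <state>incomplete</state></neighbor>
      </ipv6>
    </interface>
  </interfaces-state>
</data>"""


def audit_reply(xml_text):
    """Map each interface name to the Section 6 sensitivities seen in its state."""
    findings = {}
    root = ET.fromstring(xml_text)
    for intf in root.iterfind(".//if:interfaces-state/if:interface", NS):
        issues = findings.setdefault(intf.findtext("if:name", namespaces=NS), [])
        for proto in ("ipv4", "ipv6"):
            node = intf.find("ip:" + proto, NS)
            if node is None:
                continue
            # forwarding true makes the node transit for that protocol (Section 6)
            if node.findtext("ip:forwarding", namespaces=NS) == "true":
                issues.append(proto + "/forwarding enabled")
            mtu = node.findtext("ip:mtu", namespaces=NS)
            if mtu is not None and int(mtu) < MTU_BASELINE:
                issues.append("%s/mtu %s below baseline %d" % (proto, mtu, MTU_BASELINE))
            for nb in node.iterfind("ip:neighbor", NS):
                addr = nb.findtext("ip:ip", namespaces=NS)
                if nb.find("ip:is-router", NS) is not None:  # presence leaf
                    issues.append("%s/neighbor %s is a router" % (proto, addr))
                if nb.findtext("ip:state", namespaces=NS) == "incomplete":
                    issues.append("%s/neighbor %s unresolved" % (proto, addr))
    return findings
```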
Author's Address

   Martin Bjorklund
   Tail-f Systems

   Email: mbj@tail-f.com