| < draft-ietf-netmod-acl-model-01.txt | draft-ietf-netmod-acl-model-02.txt > | |||
|---|---|---|---|---|
| NETMOD WG D. Bogdanovic | NETMOD WG D. Bogdanovic | |||
| Internet-Draft Juniper Networks | Internet-Draft Juniper Networks | |||
| Intended status: Standards Track K. Sreenivasa | Intended status: Standards Track K. Sreenivasa | |||
| Expires: August 9, 2015 Brocade Communications System | Expires: September 6, 2015 Brocade Communications System | |||
| L. Huang | L. Huang | |||
| D. Blair | D. Blair | |||
| Cisco Systems | Cisco Systems | |||
| February 05, 2015 | March 5, 2015 | |||
| Network Access Control List (ACL) YANG Data Model | Network Access Control List (ACL) YANG Data Model | |||
| draft-ietf-netmod-acl-model-01 | draft-ietf-netmod-acl-model-02 | |||
| Abstract | Abstract | |||
| This document describes a data model of Access Control List (ACL) | This document describes a data model of Access Control List (ACL) | |||
| basic building blocks. | basic building blocks. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 9, 2015. | This Internet-Draft will expire on September 6, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 14 ¶ | skipping to change at page 2, line 14 ¶ | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 3 | 1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 3 | |||
| 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Design of the ACL Model . . . . . . . . . . . . . . . . . . . 3 | 3. Design of the ACL Model . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 4 | 3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 6 | 4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.1. IETF-ACL module . . . . . . . . . . . . . . . . . . . . . 6 | 4.1. IETF-ACL module . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.2. Packet Header module . . . . . . . . . . . . . . . . . . 11 | 4.2. IETF-PACKET-FIELDS module . . . . . . . . . . . . . . . . 11 | |||
| 4.3. A company proprietary module example . . . . . . . . . . 15 | 4.3. An ACL Example . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 4.4. An ACL Example . . . . . . . . . . . . . . . . . . . . . 17 | 4.4. Port Range Usage Example . . . . . . . . . . . . . . . . 17 | |||
| 4.5. Port Range Usage Example . . . . . . . . . . . . . . . . 18 | 5. Linux nftables . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 5. Example of extending existing model for route filtering . . . 19 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | |||
| 6. Linux nftables . . . . . . . . . . . . . . . . . . . . . . . 21 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 19 | |||
| 10. Change log [RFC Editor: Please remove] . . . . . . . . . . . 23 | 9.2. Informative References . . . . . . . . . . . . . . . . . 19 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 | Appendix A. Extending ACL model examples . . . . . . . . . . . . 20 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 23 | A.1. Example of extending existing model for route filtering . 20 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 23 | A.2. A company proprietary module example . . . . . . . . . . 22 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 | A.3. Attaching Access Control List to interfaces . . . . . . . 25 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26 | ||||
| 1. Introduction | 1. Introduction | |||
| Access Control List (ACL) is one of the basic elements to configure | Access Control List (ACL) is one of the basic elements to configure | |||
| device forwarding behavior. It is used in many networking concepts | device forwarding behavior. It is used in many networking concepts | |||
| such as Policy Based Routing, Firewalls etc. | such as Policy Based Routing, Firewalls etc. | |||
| An ACL is an ordered set of rules that is used to filter traffic on a | An ACL is an ordered set of rules that is used to filter traffic on a | |||
| networking device. Each rule is represented by an Access Control | networking device. Each rule is represented by an Access Control | |||
| Entry (ACE). | Entry (ACE). | |||
| skipping to change at page 4, line 31 ¶ | skipping to change at page 4, line 31 ¶ | |||
| device (output). | device (output). | |||
| This draft tries to address the commonalities between all vendors and | This draft tries to address the commonalities between all vendors and | |||
| create a common model, which can be augmented with proprietary | create a common model, which can be augmented with proprietary | |||
| models. The base model is very simple and with this design we hope | models. The base model is very simple and with this design we hope | |||
| to achieve needed flexibility for each vendor to extend the base | to achieve needed flexibility for each vendor to extend the base | |||
| model. | model. | |||
| 3.1. ACL Modules | 3.1. ACL Modules | |||
| There are three YANG modules in the model. The first module, "ietf- | There are two YANG modules in the model. The first module, "ietf- | |||
| acl", defines generic ACL aspects which are common to all ACLs | acl", defines generic ACL aspects which are common to all ACLs | |||
| regardless of their type or vendor. In effect, the module can be | regardless of their type or vendor. In effect, the module can be | |||
| viewed as providing a generic ACL "superclass". It imports the | viewed as providing a generic ACL "superclass". It imports the | |||
| second module, "packet-headers". The match container in "ietf-acl" | second module, "ietf-packet-fields". The match container in "ietf- | |||
| uses groupings in "packet-headers". The "packet-headers" modules can | acl" uses groupings in "ietf-packet-fields". The "ietf-packet- | |||
| easily be extended to reuse definitions from other modules such as | fields" modules can easily be extended to reuse definitions from | |||
| IPFIX [RFC5101] or migrate proprietary augmented module definitions | other modules such as IPFIX [RFC5101] or migrate proprietary | |||
| into the standard module. | augmented module definitions into the standard module. | |||
| module: ietf-acl | module: ietf-acl | |||
| +--rw access-lists | +--rw access-lists | |||
| +--rw access-list* [acl-name] | +--rw access-list* [access-control-list-name] | |||
| +--rw acl-name string | +--rw access-control-list-name string | |||
| +--rw acl-type? acl-type | +--rw access-control-list-type? access-control-list-type | |||
| +--ro acl-oper-data | +--ro access-control-list-oper-data | |||
| | +--ro match-counter? ietf:counter64 | | +--ro (targets)? | |||
| | +--ro targets* string | | +--:(interface-name) | |||
| +--rw access-list-entries | | +--ro interface-name* string | |||
| +--rw access-list-entry* [rule-name] | +--rw access-list-entries | |||
| +--rw rule-name string | +--rw access-list-entry* [rule-name] | |||
| +--rw matches | +--rw rule-name string | |||
| | +--rw (ace-type)? | +--rw matches | |||
| | | +--:(ace-ip) | | +--rw (access-list-entries-type)? | |||
| | | | +--rw source-port-range | | | +--:(access-list-entries-ip) | |||
| | | | | +--rw lower-port inet:port-number | | | | +--rw source-port-range | |||
| | | | | +--rw upper-port? inet:port-number | | | | | +--rw lower-port inet:port-number | |||
| | | | +--rw destination-port-range | | | | | +--rw upper-port? inet:port-number | |||
| | | | | +--rw lower-port inet:port-number | | | | +--rw destination-port-range | |||
| | | | | +--rw upper-port? inet:port-number | | | | | +--rw lower-port inet:port-number | |||
| | | | +--rw dscp? inet:dscp | | | | | +--rw upper-port? inet:port-number | |||
| | | | +--rw protocol? uint8 | | | | +--rw dscp? inet:dscp | |||
| | | | +--rw (ace-ip-version)? | | | | +--rw protocol? uint8 | |||
| | | | +--:(ace-ipv4) | | | | +--rw (access-list-entries-ip-version)? | |||
| | | | | +--rw destination-ipv4-address? | | | | +--:(access-list-entries-ipv4) | |||
| inet:ipv4-prefix | | | | | +--rw destination-ipv4-network? inet:ipv4-prefix | |||
| | | | | +--rw source-ipv4-address? | | | | | +--rw source-ipv4-network? inet:ipv4-prefix | |||
| inet:ipv4-prefix | | | | +--:(access-list-entries-ipv6) | |||
| | | | +--:(ace-ipv6) | | | | +--rw destination-ipv6-network? inet:ipv6-prefix | |||
| | | | +--rw destination-ipv6-address? | | | | +--rw source-ipv6-network? inet:ipv6-prefix | |||
| inet:ipv6-prefix | | | | +--rw flow-label? inet:ipv6-flow-label | |||
| | | | +--rw source-ipv6-address? | | | +--:(access-list-entries-eth) | |||
| inet:ipv6-prefix | | | +--rw destination-mac-address? yang:mac-address | |||
| | | | +--rw flow-label? inet:ipv6-flow-label | | | +--rw destination-mac-address-mask? yang:mac-address | |||
| | | +--:(ace-eth) | | | +--rw source-mac-address? yang:mac-address | |||
| | | +--rw destination-mac-address? | | | +--rw source-mac-address-mask? yang:mac-address | |||
| yang:mac-address | | +--rw input-interface? string | |||
| | | +--rw destination-mac-address-mask? | | +--rw absolute | |||
| yang:mac-address | | +--rw start? yang:date-and-time | |||
| | | +--rw source-mac-address? | | +--rw end? yang:date-and-time | |||
| yang:mac-address | | +--rw active? boolean | |||
| | | +--rw source-mac-address-mask? | +--rw actions | |||
| yang:mac-address | | +--rw (packet-handling)? | |||
| | +--rw input-interface? string | | +--:(deny) | |||
| | +--rw absolute | | | +--rw deny? empty | |||
| | +--rw start? yang:date-and-time | | +--:(permit) | |||
| | +--rw end? yang:date-and-time | | +--rw permit? empty | |||
| | +--rw active? boolean | +--ro access-list-entries-oper-data | |||
| +--rw actions | +--ro match-counter? yang:counter64 | |||
| | +--rw (packet-handling)? | ||||
| | +--:(deny) | ||||
| | | +--rw deny? empty | ||||
| | +--:(permit) | ||||
| | +--rw permit? empty | ||||
| +--ro ace-oper-data | ||||
| +--ro match-counter? ietf:counter64 | ||||
| Module "newco-acl" is an example of company proprietary model, that | ||||
| augments "ietf-acl" module. It shows how to add additional match | ||||
| criteria, action criteria, and default actions when no ACE matches | ||||
| found. All these are company proprietary extensions or system | ||||
| feature extensions. "newco-acl" is just an example and it is expected | ||||
| from vendors to create their own propietary models. | ||||
| module: newco-acl | ||||
| augment /ietf-acl:access-list/ietf-acl:access-list-entries/ietf-acl:matches: | ||||
| +--rw (protocol_payload_choice)? | ||||
| +--:(protocol_payload) | ||||
| +--rw protocol_payload* [value_keyword] | ||||
| +--rw value_keyword enumeration | ||||
| augment /ietf-acl:access-list/ietf-acl:access-list-entries/ietf-acl:actions: | ||||
| +--rw (action)? | ||||
| +--:(count) | ||||
| | +--rw count? string | ||||
| +--:(policer) | ||||
| | +--rw policer? string | ||||
| +--:(hiearchical-policer) | ||||
| +--rw hierarchitacl-policer? string | ||||
| augment /ietf-acl:access-lists/ietf-acl:access-list: | ||||
| +--rw default-actions | ||||
| +--rw deny? empty | ||||
| 4. ACL YANG Models | 4. ACL YANG Models | |||
| 4.1. IETF-ACL module | 4.1. IETF-ACL module | |||
| "ietf-acl" is the standard top level module for Access lists. It has | "ietf-acl" is the standard top level module for Access lists. It has | |||
| a container for "access-list" to store access list information. This | a container for "access-list" to store access list information. This | |||
| container has information identifying the access list by a name("acl- | container has information identifying the access list by a name("acl- | |||
| name") and a list("access-list-entries") of rules associated with the | name") and a list("access-list-entries") of rules associated with the | |||
| "acl-name". Each of the entries in the list("access-list-entries") | "acl-name". Each of the entries in the list("access-list-entries") | |||
| indexed by the string "rule-name" have containers defining "matches" | indexed by the string "rule-name" have containers defining "matches" | |||
| and "actions". The "matches" define criteria used to identify | and "actions". The "matches" define criteria used to identify | |||
| patterns in "packet-fields". The "actions" define behavior to | patterns in "ietf-packet-fields". The "actions" define behavior to | |||
| undertake once a "match" has been identified. | undertake once a "match" has been identified. | |||
| module ietf-acl { | <CODE BEGINS>file "ietf-acl@2015-03-04.yang" | |||
| yang-version 1; | module ietf-acl { | |||
| yang-version 1; | ||||
| namespace "urn:ietf:params:xml:ns:yang:ietf-acl"; | namespace "urn:ietf:params:xml:ns:yang:ietf-acl"; | |||
| prefix acl; | prefix access-control-list; | |||
| import ietf-yang-types { | import ietf-yang-types { | |||
| prefix "ietf"; | prefix "yang"; | |||
| } | } | |||
| import packet-fields { | import ietf-packet-fields { | |||
| prefix "packet-fields"; | prefix "packet-fields"; | |||
| } | } | |||
| organization | organization | |||
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | |||
| contact | contact | |||
| "WG Web: http://tools.ietf.org/wg/netmod/ | "WG Web: http://tools.ietf.org/wg/netmod/ | |||
| WG List: netmod@ietf.org | WG List: netmod@ietf.org | |||
| WG Chair: Juergen Schoenwaelder | WG Chair: Juergen Schoenwaelder | |||
| j.schoenwaelder@jacobs-university.de | j.schoenwaelder@jacobs-university.de | |||
| WG Chair: Tom Nadeau | WG Chair: Tom Nadeau | |||
| tnadeau@lucidvision.com | tnadeau@lucidvision.com | |||
| Editor: Dean Bogdanovic | Editor: Dean Bogdanovic | |||
| deanb@juniper.net | deanb@juniper.net | |||
| Editor: Kiran Agrahara Sreenivasa | Editor: Kiran Agrahara Sreenivasa | |||
| kkoushik@brocade.com | kkoushik@brocade.com | |||
| Editor: Lisa Huang | Editor: Lisa Huang | |||
| yihuan@cisco.com | yihuan@cisco.com | |||
| Editor: Dana Blair | Editor: Dana Blair | |||
| dblair@cisco.com"; | dblair@cisco.com"; | |||
| description | description | |||
| "This YANG module defines a component that describing the | "This YANG module defines a component that describing the | |||
| configuration of Access Control Lists (ACLs)."; | configuration of Access Control Lists (ACLs). | |||
| revision 2014-10-10 { | Copyright (c) 2015 IETF Trust and the persons identified as | |||
| description "Creating base model for netmod."; | the document authors. All rights reserved. | |||
| reference | ||||
| "RFC 6020: YANG - A Data Modeling Language for the | ||||
| Network Configuration Protocol (NETCONF)"; | ||||
| } | ||||
| identity acl-base { | Redistribution and use in source and binary forms, with or | |||
| description "Base acl type for all ACL type identifiers."; | without modification, is permitted pursuant to, and subject | |||
| } | to the license terms contained in, the Simplified BSD | |||
| License set forth in Section 4.c of the IETF Trust's Legal | ||||
| Provisions Relating to IETF Documents | ||||
| (http://trustee.ietf.org/license-info). | ||||
| identity ip-acl { | This version of this YANG module is part of RFC XXXX; see | |||
| base "acl:acl-base"; | the RFC itself for full legal notices."; | |||
| description "layer 3 ACL type"; | ||||
| } | ||||
| identity eth-acl { | ||||
| base "acl:acl-base"; | ||||
| description "layer 2 ACL type"; | ||||
| } | ||||
| typedef acl-type { | // RFC Ed.: replace XXXX with actual RFC number and remove this | |||
| type identityref { | // note. | |||
| base "acl-base"; | ||||
| } | ||||
| description | ||||
| "This type is used to refer to an Access Control List | ||||
| (ACL) type"; | ||||
| } | ||||
| typedef acl-ref { | revision 2015-03-04 { | |||
| type leafref { | description "Base model for Network Access Control List (ACL)."; | |||
| path "/acl:access-lists/acl:access-list/acl:acl-name"; | reference | |||
| } | "RFC XXXX: Network Access Control List (ACL) | |||
| description "This type is used by data models that | YANG Data Model"; | |||
| need to referenced an acl"; | } | |||
| } | ||||
| container access-lists { | identity access-control-list-base { | |||
| description | description "Base access control list type for all access control list type | |||
| "Access control lists."; | identifiers."; | |||
| } | ||||
| list access-list { | identity IP-access-control-list { | |||
| key acl-name; | base "access-control-list:access-control-list-base"; | |||
| description " | description "IP-access control list is common name for layer 3 and 4 access | |||
| An access list (acl) is an ordered list of | control list types. It is common among vendors to call 3-tupple or 5 tupple | |||
| access list entries (ace). Each ace has a | IP access control lists"; | |||
| sequence number to define the order, list | } | |||
| of match criteria, and a list of actions. | ||||
| Since there are several kinds of acls | ||||
| implementeded with different attributes for | ||||
| each and different for each vendor, this | ||||
| model accomodates customizing acls for | ||||
| each kind and for each vendor. | ||||
| "; | ||||
| leaf acl-name { | identity eth-access-control-list { | |||
| type string; | base "access-control-list:access-control-list-base"; | |||
| description "The name of access-list. | description "Ethernet access control list is name for layer 2 Ethernet | |||
| A device MAY restrict the length and value of | technology access control list types, like 10/100/1000baseT or WiFi | |||
| this name, possibly space and special | access control list"; | |||
| characters are not allowed."; | } | |||
| } | typedef access-control-list-type { | |||
| type identityref { | ||||
| base "access-control-list-base"; | ||||
| } | ||||
| description | ||||
| "This type is used to refer to an Access Control List | ||||
| (ACL) type"; | ||||
| } | ||||
| leaf acl-type { | typedef access-control-list-ref { | |||
| type acl-type; | type leafref { | |||
| description "Type of ACL"; | path "/access-lists/access-list/access-control-list-name"; | |||
| } | } | |||
| description "This type is used by data models that need to referenced an | ||||
| access control list"; | ||||
| container acl-oper-data { | } | |||
| config false; | ||||
| description "Overall ACL operational data"; | container access-lists { | |||
| leaf match-counter { | description | |||
| type ietf:counter64; | "This is top level container for Access Control Lists. It can have one | |||
| description "Total match count for ACL"; | or more Access Control List."; | |||
| } | ||||
| leaf-list targets { | list access-list { | |||
| type string; | key access-control-list-name; | |||
| description "List of targets where ACL is applied"; | description "An access list (acl) is an ordered list of | |||
| } | access list entries (ACE). Each access control entries has a | |||
| } | list of match criteria, and a list of actions. | |||
| Since there are several kinds of access control lists | ||||
| implemented with different attributes for | ||||
| each and different for each vendor, this | ||||
| model accommodates customizing access control lists for | ||||
| each kind and for each vendor."; | ||||
| container access-list-entries { | leaf access-control-list-name { | |||
| description "The access-list-entries container contains | type string; | |||
| a list of access-list-entry(ACE)."; | description "The name of access-list. A device MAY restrict the length | |||
| and value of this name, possibly space and special characters are not | ||||
| allowed."; | ||||
| } | ||||
| list access-list-entry { | leaf access-control-list-type { | |||
| key rule-name; | type access-control-list-type; | |||
| ordered-by user; | description "Type of access control list. When this | |||
| type is not explicitely specified, if vendor implementation permits, | ||||
| the access control entires in the list can be mixed, | ||||
| by containing L2, L3 and L4 entries"; | ||||
| } | ||||
| container access-control-list-oper-data { | ||||
| config false; | ||||
| description "Overall access control list operational data"; | ||||
| description "List of access list entries(ACE)"; | choice targets{ | |||
| leaf rule-name { | description "List of targets where access control list is applied"; | |||
| type string; | leaf-list interface-name { | |||
| description "Entry name."; | type string; | |||
| } | description "Interfaces where access control list is applied"; | |||
| } | ||||
| } | ||||
| } | ||||
| container matches { | container access-list-entries { | |||
| description "Define match criteria"; | description "The access-list-entries container contains | |||
| choice ace-type { | a list of access-list-entry(ACE)."; | |||
| description "Type of ace."; | ||||
| case ace-ip { | ||||
| uses packet-fields:acl-ip-header-fields; | ||||
| choice ace-ip-version { | ||||
| description "Choice of IP version."; | ||||
| case ace-ipv4 { | ||||
| uses packet-fields:acl-ipv4-header-fields; | ||||
| } | ||||
| case ace-ipv6 { | ||||
| uses packet-fields:acl-ipv6-header-fields; | ||||
| } | ||||
| } | ||||
| } | ||||
| case ace-eth { | ||||
| uses packet-fields:acl-eth-header-fields; | ||||
| } | ||||
| } | ||||
| uses packet-fields:metadata; | ||||
| } | ||||
| container actions { | list access-list-entry { | |||
| description "Define action criteria"; | key rule-name; | |||
| choice packet-handling { | ordered-by user; | |||
| default deny; | description "List of access list entries(ACE)"; | |||
| leaf rule-name { | ||||
| type string; | ||||
| description "Entry name."; | ||||
| } | ||||
| description "Packet handling action."; | container matches { | |||
| case deny { | description "Define match criteria"; | |||
| leaf deny { | choice access-list-entries-type { | |||
| type empty; | description "Type of access list entry."; | |||
| description "Deny action."; | case access-list-entries-ip { | |||
| } | uses packet-fields:access-control-list-ip-header-fields; | |||
| } | choice access-list-entries-ip-version { | |||
| case permit { | description "Choice of IP version."; | |||
| leaf permit { | case access-list-entries-ipv4 { | |||
| type empty; | uses packet-fields:access-control-list-ipv4-header-fields; | |||
| description "Permit action."; | } | |||
| } | case access-list-entries-ipv6 { | |||
| } | ||||
| } | ||||
| } | ||||
| container ace-oper-data { | uses packet-fields:access-control-list-ipv6-header-fields; | |||
| config false; | } | |||
| } | ||||
| } | ||||
| case access-list-entries-eth { | ||||
| description "Ethernet MAC address entry."; | ||||
| uses packet-fields:access-control-list-eth-header-fields; | ||||
| } | ||||
| } | ||||
| uses packet-fields:metadata; | ||||
| } | ||||
| description "Per ace operational data"; | container actions { | |||
| leaf match-counter { | description "Define action criteria"; | |||
| type ietf:counter64; | choice packet-handling { | |||
| description "Number of matches for an ace"; | default deny; | |||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| 4.2. Packet Header module | description "Packet handling action."; | |||
| case deny { | ||||
| leaf deny { | ||||
| type empty; | ||||
| description "Deny action."; | ||||
| } | ||||
| } | ||||
| case permit { | ||||
| leaf permit { | ||||
| type empty; | ||||
| description "Permit action."; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| container access-list-entries-oper-data { | ||||
| config false; | ||||
| description "Per access list entries operational data"; | ||||
| leaf match-counter { | ||||
| type yang:counter64; | ||||
| description "Number of matches for an access list entry"; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| <CODE ENDS> | ||||
| 4.2. IETF-PACKET-FIELDS module | ||||
| The packet fields module defines the necessary groups for matching on | The packet fields module defines the necessary groups for matching on | |||
| fields in the packet including ethernet, ipv4, ipv6, transport layer | fields in the packet including ethernet, ipv4, ipv6, transport layer | |||
| fields and metadata. These groupings can be augmented to include | fields and metadata. These groupings can be augmented to include | |||
| other proprietary matching criteria. Since the number of match | other proprietary matching criteria. Since the number of match | |||
| criteria is very large, the base draft does not include these | criteria is very large, the base draft does not include these | |||
| directly but references them by "uses" to keep the base module | directly but references them by "uses" to keep the base module | |||
| simple. | simple. | |||
| module packet-fields { | <CODE BEGINS>file "ietf-packet-fields@2015-03-04.yang" | |||
| yang-version 1; | ||||
| namespace "urn:ietf:params:xml:ns:yang:packet-fields"; | module ietf-packet-fields { | |||
| yang-version 1; | ||||
| prefix packet-fields; | namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; | |||
| import ietf-inet-types { | prefix packet-fields; | |||
| prefix "inet"; | ||||
| } | ||||
| import ietf-yang-types { | import ietf-inet-types { | |||
| prefix "yang"; | prefix "inet"; | |||
| } | ||||
| organization | } | |||
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | ||||
| contact | import ietf-yang-types { | |||
| "WG Web: http://tools.ietf.org/wg/netmod/ | prefix "yang"; | |||
| WG List: netmod@ietf.org | } | |||
| WG Chair: Juergen Schoenwaelder | organization | |||
| j.schoenwaelder@jacobs-university.de | "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | |||
| WG Chair: Tom Nadeau | contact | |||
| tnadeau@lucidvision.com | "WG Web: http://tools.ietf.org/wg/netmod/ | |||
| WG List: netmod@ietf.org | ||||
| Editor: Dean Bogdanovic | WG Chair: Juergen Schoenwaelder | |||
| deanb@juniper.net | j.schoenwaelder@jacobs-university.de | |||
| Editor: Kiran Agrahara Sreenivasa | WG Chair: Tom Nadeau | |||
| kkoushik@brocade.com | tnadeau@lucidvision.com | |||
| Editor: Lisa Huang | Editor: Dean Bogdanovic | |||
| yihuan@cisco.com | deanb@juniper.net | |||
| Editor: Dana Blair | Editor: Kiran Agrahara Sreenivasa | |||
| dblair@cisco.com"; | kkoushik@brocade.com | |||
| description | Editor: Lisa Huang | |||
| "This YANG module defines groupings that used by ietf-acl | yihuan@cisco.com | |||
| but not limited to acl."; | ||||
| revision 2014-11-06 { | Editor: Dana Blair | |||
| description "Initial version of packet fields used by | ||||
| access-lists"; | ||||
| reference | ||||
| "RFC 6020: YANG - A Data Modeling Language for the | ||||
| Network Configuration Protocol (NETCONF)"; | ||||
| } | ||||
| grouping acl-transport-header-fields { | dblair@cisco.com"; | |||
| description "Transport header fields"; | ||||
| container source-port-range { | description | |||
| description "inclusive range of source ports"; | "This YANG module defines groupings that used by ietf-acl | |||
| leaf lower-port { | but not limited to acl. | |||
| type inet:port-number; | ||||
| mandatory true; | ||||
| description "Lower boundary."; | ||||
| } | ||||
| leaf upper-port { | ||||
| type inet:port-number; | ||||
| description "Upper boundary."; | ||||
| } | ||||
| } | ||||
| container destination-port-range { | Copyright (c) 2015 IETF Trust and the persons identified as | |||
| description "inclusive range of destination ports"; | the document authors. All rights reserved. | |||
| leaf lower-port { | ||||
| type inet:port-number; | ||||
| mandatory true; | ||||
| description "Lower boundary."; | ||||
| } | ||||
| leaf upper-port { | ||||
| type inet:port-number; | ||||
| description "Upper boundary."; | ||||
| } | ||||
| } | ||||
| } | ||||
| grouping acl-ip-header-fields { | Redistribution and use in source and binary forms, with or | |||
| description "Header fields common to ipv4 and ipv6"; | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD | ||||
| License set forth in Section 4.c of the IETF Trust's Legal | ||||
| Provisions Relating to IETF Documents | ||||
| (http://trustee.ietf.org/license-info). | ||||
| uses acl-transport-header-fields; | This version of this YANG module is part of RFC XXXX; see | |||
| leaf dscp { | the RFC itself for full legal notices."; | |||
| type inet:dscp; | ||||
| description "Value of dscp."; | ||||
| } | ||||
| leaf protocol { | // RFC Ed.: replace XXXX with actual RFC number and remove this | |||
| type uint8; | // note. | |||
| description "Internet Protocol number."; | ||||
| } | ||||
| } | revision 2015-03-04 { | |||
| description "Initial version of packet fields used by | ||||
| access-lists"; | ||||
| reference | ||||
| "RFC XXXX: Network Access Control List (ACL) | ||||
| YANG Data Model"; | ||||
| } | ||||
| grouping acl-ipv4-header-fields { | grouping access-control-list-transport-header-fields { | |||
| description "fields in IPv4 header"; | description "Transport header fields"; | |||
| leaf destination-ipv4-network { | container source-port-range { | |||
| type inet:ipv4-prefix; | description "inclusive range of source ports"; | |||
| description "One or more ip addresses."; | leaf lower-port { | |||
| } | type inet:port-number; | |||
| mandatory true; | ||||
| description "Lower boundary."; | ||||
| } | ||||
| leaf upper-port { | ||||
| type inet:port-number; | ||||
| description "Upper boundary. If exist, upper port must be greater or | ||||
| equal to lower port."; | ||||
| leaf source-ipv4-network { | } | |||
| type inet:ipv4-prefix; | } | |||
| description "One or more ip addresses."; | ||||
| } | ||||
| } | container destination-port-range { | |||
| description "inclusive range of destination ports"; | ||||
| leaf lower-port { | ||||
| type inet:port-number; | ||||
| mandatory true; | ||||
| description "Lower boundary."; | ||||
| } | ||||
| leaf upper-port { | ||||
| type inet:port-number; | ||||
| description "Upper boundary."; | ||||
| } | ||||
| } | ||||
| } | ||||
| grouping acl-ipv6-header-fields { | grouping access-control-list-ip-header-fields { | |||
| description "fields in IPv6 header"; | description "Header fields common to ipv4 and ipv6"; | |||
| leaf destination-ipv6-network { | uses access-control-list-transport-header-fields; | |||
| type inet:ipv6-prefix; | ||||
| description "One or more ip addresses."; | ||||
| } | ||||
| leaf source-ipv6-network { | leaf dscp { | |||
| type inet:ipv6-prefix; | type inet:dscp; | |||
| description "One or more ip addresses."; | ||||
| } | ||||
| leaf flow-label { | description "Value of dscp."; | |||
| type inet:ipv6-flow-label; | } | |||
| description "Flow label."; | ||||
| } | ||||
| } | leaf protocol { | |||
| type uint8; | ||||
| description "Internet Protocol number."; | ||||
| } | ||||
| grouping acl-eth-header-fields { | } | |||
| description "fields in ethernet header"; | ||||
| leaf destination-mac-address { | grouping access-control-list-ipv4-header-fields { | |||
| type yang:mac-address; | description "fields in IPv4 header"; | |||
| description "Mac addresses."; | ||||
| } | ||||
| leaf destination-mac-address-mask { | leaf destination-ipv4-network { | |||
| type yang:mac-address; | type inet:ipv4-prefix; | |||
| description "Mac addresses mask."; | description "One or more ip addresses."; | |||
| } | } | |||
| leaf source-mac-address { | leaf source-ipv4-network { | |||
| type yang:mac-address; | type inet:ipv4-prefix; | |||
| description "Mac addresses."; | description "One or more ip addresses."; | |||
| } | } | |||
| leaf source-mac-address-mask { | } | |||
| type yang:mac-address; | ||||
| description "Mac addresses mask."; | ||||
| } | ||||
| } | ||||
| grouping timerange { | grouping access-control-list-ipv6-header-fields { | |||
| description "Define time range entries to restrict | description "fields in IPv6 header"; | |||
| the access. The time range is identified by a name | ||||
| and then referenced by a function, so that those | ||||
| time restrictions are imposed on the function itself."; | ||||
| container absolute { | leaf destination-ipv6-network { | |||
| description | type inet:ipv6-prefix; | |||
| "Absolute time and date that | description "One or more ip addresses."; | |||
| the associated function starts | } | |||
| going into effect."; | ||||
| leaf start { | leaf source-ipv6-network { | |||
| type yang:date-and-time; | type inet:ipv6-prefix; | |||
| description | description "One or more ip addresses."; | |||
| "Start time and date"; | } | |||
| } | ||||
| leaf end { | ||||
| type yang:date-and-time; | ||||
| description "Absolute end time and date"; | ||||
| } | ||||
| leaf active { | ||||
| type boolean; | ||||
| default "true"; | ||||
| description | ||||
| "Specify the associated function | ||||
| active or inactive state when | ||||
| starts going into effect"; | ||||
| } | ||||
| } // container absolute | ||||
| } //grouping timerange | ||||
| grouping metadata { | leaf flow-label { | |||
| description "Fields associated with a packet but not in | type inet:ipv6-flow-label; | |||
| the header"; | description "Flow label."; | |||
| } | ||||
| leaf input-interface { | } | |||
| type string; | ||||
| description "Packet was received on this interface"; | ||||
| } | ||||
| uses timerange; | ||||
| } | ||||
| } | ||||
| 4.3. A company proprietary module example | grouping access-control-list-eth-header-fields { | |||
| In the figure below is an example how proprietary models can be | description "fields in ethernet header"; | |||
| created on top of base ACL module. It is a simple example of how to | ||||
| use 'augment' with an XPath expression which extends instances of a | ||||
| particular type. In this example, all /ietf-acl:access-list/ietf- | ||||
| acl:access-list-entries/ietf-acl:matches are augmented with a new | ||||
| choice, protocol-payload-choice. The protocol-payload-choice uses a | ||||
| grouping with an enumeration of all supported protocol values. In | ||||
| other example, /ietf-acl:access-list/ietf-acl:access-list-entries/ | ||||
| ietf-acl:actions are augmented with new choice of actions. Here is | ||||
| an inclusive list of cases listed within a choice statement. | ||||
| module newco-acl { | leaf destination-mac-address { | |||
| yang-version 1; | type yang:mac-address; | |||
| description "Mac addresses."; | ||||
| } | ||||
| namespace "urn:newco:params:xml:ns:yang:newco-acl"; | leaf destination-mac-address-mask { | |||
| type yang:mac-address; | ||||
| description "Mac addresses mask."; | ||||
| } | ||||
| prefix newco-acl; | leaf source-mac-address { | |||
| type yang:mac-address; | ||||
| description "Mac addresses."; | ||||
| } | ||||
| import ietf-acl { | leaf source-mac-address-mask { | |||
| prefix "ietf-acl"; | type yang:mac-address; | |||
| } | description "Mac addresses mask."; | |||
| } | ||||
| } | ||||
| revision 2014-05-21{ | grouping timerange { | |||
| description "creating newo proprietary extensions to ietf-acl model"; | description "Time range contains time | |||
| segments to allow access-control-list to be | ||||
| active/inactive when the system time | ||||
| is within the time segments."; | ||||
| container absolute { | ||||
| description | ||||
| "Absolute time and date that | ||||
| the associated function starts | ||||
| going into effect."; | ||||
| leaf start { | ||||
| type yang:date-and-time; | ||||
| description | ||||
| "Start time and date"; | ||||
| } | } | |||
| augment "/ietf-acl:access-lists/ietf-acl:access-list | leaf end { | |||
| /ietf-acl:access-list-entries/ietf-acl:access-list-entry/ietf-acl:matches" { | type yang:date-and-time; | |||
| description "Newco proprietry simple filter matches"; | description "Absolute end time and date"; | |||
| choice protocol-payload-choice { | ||||
| list protocol-payload { | ||||
| key value-keyword; | ||||
| ordered-by user; | ||||
| description "Match protocol payload"; | ||||
| uses match-simple-payload-protocol-value; | ||||
| } | ||||
| } | ||||
| } | } | |||
| leaf active { | ||||
| type boolean; | ||||
| default "true"; | ||||
| description | ||||
| augment "/ietf-acl:access-lists/ietf-acl:access-list | "Specify the associated function | |||
| /ietf-acl:access-list-entries/ietf-acl:access-list-entry/ietf-acl:actions" { | ||||
| description "Newco proprietary simple filter actions"; | ||||
| choice action { | ||||
| case count { | ||||
| description "Count the packet in the named counter"; | ||||
| leaf count { | ||||
| type string; | ||||
| } | ||||
| } | ||||
| case policer { | ||||
| description "Name of policer to use to rate-limit traffic"; | ||||
| leaf policer { | ||||
| type string; | ||||
| } | ||||
| } | ||||
| case hiearchical-policer { | ||||
| description "Name of hierarchical policer to use to rate-limit traffic"; | ||||
| leaf hierarchitacl-policer{ | ||||
| type string; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| augment "/ietf-acl:access-lists/ietf-acl:access-list" { | active or inactive state when | |||
| container default-actions { | starts going into effect"; | |||
| description "Actions that occur if no access-list entry is matched."; | ||||
| leaf deny { | ||||
| type empty; | ||||
| } | ||||
| } | ||||
| } | } | |||
| } // container absolute | ||||
| } //grouping timerange | ||||
| grouping match-simple-payload-protocol-value { | grouping metadata { | |||
| leaf value-keyword { | description "Fields associated with a packet but not in | |||
| description "(null)"; | the header"; | |||
| type enumeration { | ||||
| enum icmp { | ||||
| description "Internet Control Message Protocol"; | ||||
| } | ||||
| enum icmp6 { | ||||
| description "Internet Control Message Protocol Version 6"; | ||||
| } | ||||
| enum range { | ||||
| description "Range of values"; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| Dratf authors expect that different vendors will provide their own | leaf input-interface { | |||
| yang models as in the example above, which is the extension of the | type string; | |||
| base model | description "Packet was received on this interface"; | |||
| } | ||||
| uses timerange; | ||||
| } | ||||
| } | ||||
| 4.4. An ACL Example | <CODE ENDS> | |||
| 4.3. An ACL Example | ||||
| Requirement: Deny All traffic from 1.1.1.1 bound for host 2.2.2.2 | Requirement: Deny All traffic from 10.10.10.1 bound for host | |||
| from leaving. | 10.10.10.255 from leaving. | |||
| In order to achieve the requirement, an name access control list is | In order to achieve the requirement, an name access control list is | |||
| needed. The acl and aces can be described in CLI as the following: | needed. The acl and aces can be described in CLI as the following: | |||
| access-list ip iacl | access-list ip iacl | |||
| deny tcp host 1.1.1.1 host 2.2.2.2 | deny tcp host 10.10.10.1 host 10.10.10.255 | |||
| Figure 1 | Figure 1 | |||
| Here is the example acl configuration xml: | Here is the example acl configuration xml: | |||
| <rpc message-id="101" xmlns:nc="urn:cisco:params:xml:ns:yang:ietf-acl:1.0"> | <rpc message-id="101" xmlns:nc="urn:cisco:params:xml:ns:yang:ietf-acl:1.0"> | |||
| // replace with IANA namespace when assigned | // replace with IANA namespace when assigned | |||
| <edit-config> | <edit-config> | |||
| <target> | <target> | |||
| <running/> | <running/> | |||
| </target> | </target> | |||
| <config> | <config> | |||
| <top xmlns="http://example.com/schema/1.2/config"> | <top xmlns="http://example.com/schema/1.2/config"> | |||
| <access-lists> | <access-lists> | |||
| <access-list> | <access-list> | |||
| <acl-name>sample-ip-acl</acl-name> | <access-control-list-name>sample-ip-acl</access-control-list-name> | |||
| <access-list-entries> | <access-list-entries> | |||
| <access-list-entry> | <access-list-entry> | |||
| <rule-name>telnet-block-rule</rule-name> | <rule-name>telnet-block-rule</rule-name> | |||
| <matches> | <matches> | |||
| <destination-ipv4-address>2.2.2.2/32</destination-ipv4-address> | <destination-ipv4-address>10.10.10.255/24</destination-ipv4-address> | |||
| <source-ipv4-address>1.1.1.1/32</source-ipv4-address> | <source-ipv4-address>10.10.10.1/24</source-ipv4-address> | |||
| </matches> | </matches> | |||
| <actions> | <actions> | |||
| <deny/> | <deny/> | |||
| </actions> | </actions> | |||
| </access-list-entry> | </access-list-entry> | |||
| </access-list-entries> | </access-list-entries> | |||
| </access-list> | </access-list> | |||
| </access-lists> | </access-lists> | |||
| </top> | </top> | |||
| </config> | </config> | |||
| </edit-config> | </edit-config> | |||
| </rpc> | </rpc> | |||
| Figure 2 | Figure 2 | |||
| 4.5. Port Range Usage Example | 4.4. Port Range Usage Example | |||
| When a lower-port and an upper-port are both present, it represents a | When a lower-port and an upper-port are both present, it represents a | |||
| range between lower-port and upper-port with both the lower-port and | range between lower-port and upper-port with both the lower-port and | |||
| upper-port are included. When only a lower-port presents, it | upper-port are included. When only a lower-port presents, it | |||
| represents a single port. | represents a single port. | |||
| With the follow XML snippet: | With the follow XML snippet: | |||
| <source-port-range> | <source-port-range> | |||
| <lower-port>16384</lower-port> | <lower-port>16384</lower-port> | |||
| <upper-port>16387</upper-port> | <upper-port>16387</upper-port> | |||
| </source-port-range> | </source-port-range> | |||
| This represents source ports 16384,16385, 16386, and 16387. | This represents source ports 16384,16385, 16386, and 16387. | |||
| With the follow XML snippet: | With the follow XML snippet: | |||
| <source-port-range> | <source-port-range> | |||
| <lower-port>16384</lower-port> | <lower-port>16384</lower-port> | |||
| <upper-port>65535</upper-port> | <upper-port>65535</upper-port> | |||
| </source-port-range> | </source-port-range> | |||
| This represents source ports greater than/equal to 16384. | This represents source ports greater than/equal to 16384. | |||
| With the follow XML snippet: | With the follow XML snippet: | |||
| <source-port-range> | <source-port-range> | |||
| <lower-port>21</lower-port> | <lower-port>21</lower-port> | |||
| </source-port-range> | </source-port-range> | |||
| This represents port 21. | This represents port 21. | |||
| 5. Example of extending existing model for route filtering | 5. Linux nftables | |||
| With proposed modular design, it is easy to extend the model with | ||||
| other features. Those features can be standard features, like route | ||||
| filters. Route filters match on specific IP addresses or ranges of | ||||
| prefixes. Much like ACLs, they include some match criteria and | ||||
| corresponding match action(s). For that reason, it is very simple to | ||||
| extend existing ACL model with route filtering. The combination of a | ||||
| route prefix and prefix length along with the type of match | ||||
| determines how route filters are evaluated against incoming routes. | ||||
| Different vendors have different match types and in this model we are | ||||
| using only ones that are common across all vendors participating in | ||||
| this draft. As in this example, the base ACL model can be extended | ||||
| with company proprietary extensions, described in the next section. | ||||
| module ietf-route-filter { | ||||
| yang-version 1; | ||||
| namespace "urn:ietf:params:xml:ns:yang:ietf-route-filter"; | ||||
| prefix ietf-route-filter; | ||||
| import ietf-inet-types { | ||||
| prefix "ietf-types"; | ||||
| } | ||||
| import ietf-acl { | ||||
| prefix "ietf-acl"; | ||||
| } | ||||
| organization | ||||
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | ||||
| contact | ||||
| "WG Web: http://tools.ietf.org/wg/netmod/ | ||||
| WG List: netmod@ietf.org | ||||
| WG Chair: Juergen Schoenwaelder | ||||
| j.schoenwaelder@jacobs-university.de | ||||
| WG Chair: Tom Nadeau | ||||
| tnadeau@lucidvision.com | ||||
| Editor: Dean Bogdanovic | ||||
| deanb@juniper.net | ||||
| Editor: Kiran Agrahara Sreenivasa | ||||
| kkoushik@brocade.com | ||||
| Editor: Lisa Huang | ||||
| yihuan@cisco.com | ||||
| Editor: Dana Blair | ||||
| dblair@cisco.com"; | ||||
| description " | ||||
| This module describes route filter as a collection of | ||||
| match prefixes. When specifying a match prefix, you | ||||
| can specify an exact match with a particular route or | ||||
| a less precise match. You can configure either a | ||||
| common action that applies to the entire list or an | ||||
| action associated with each prefix. | ||||
| "; | ||||
| revision 2014-08-15 { | ||||
| description "creating Route-Filter extensions to ietf-acl model"; | ||||
| reference " "; | ||||
| } | ||||
| augment "/ietf-acl:access-list/ietf-acl:access-list-entries/ietf-acl:matches"{ | ||||
| description " | ||||
| This module augments the matches container in the ietf-acl | ||||
| module with route filter specific actions | ||||
| "; | ||||
| choice route-prefix{ | ||||
| description "Define route filter match criteria"; | ||||
| case range { | ||||
| description " | ||||
| Route falls between the lower prefix/prefix-length and the upper | ||||
| prefix/prefix-length. | ||||
| "; | ||||
| choice ipv4-range { | ||||
| description "Defines the lower IPv4 prefix/prefix range"; | ||||
| leaf v4-lower-bound { | ||||
| type ietf-types:ipv4-prefix; | ||||
| description "Defines the lower IPv4 prefix/prefix length"; | ||||
| } | ||||
| leaf v4-upper-bound { | ||||
| type ietf-types:ipv4-prefix; | ||||
| description "Defines the upper IPv4 prefix/prefix length"; | ||||
| } | ||||
| } | ||||
| choice ipv6-range { | ||||
| description "Defines the IPv6 prefix/prefix range"; | ||||
| leaf v6-lower-bound { | ||||
| type ietf-types:ipv6-prefix; | ||||
| description "Defines the lower IPv6 prefix/prefix length"; | ||||
| } | ||||
| leaf v6-upper-bound { | ||||
| type ietf-types:ipv6-prefix; | ||||
| description "Defines the upper IPv6 prefix/prefix length"; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| 6. Linux nftables | ||||
| As Linux platform is becoming more popular as networking platform, | As Linux platform is becoming more popular as networking platform, | |||
| the Linux data model is changing. Previously ACLs in Linux were | the Linux data model is changing. Previously ACLs in Linux were | |||
| highly protocol specific and different utilities were used for it | highly protocol specific and different utilities were used for it | |||
| (iptables, ip6tables, arptables, ebtables). Recently, this has | (iptables, ip6tables, arptables, ebtables). Recently, this has | |||
| changed and a single utility, nftables, has been provided. This | changed and a single utility, nftables, has been provided. This | |||
| utility follows very similarly the same base model as proposed in | utility follows very similarly the same base model as proposed in | |||
| this draft. The nftables support input and output ACEs and each ACE | this draft. The nftables support input and output ACEs and each ACE | |||
| can be defined with match and action. | can be defined with match and action. | |||
| 7. Security Considerations | 6. Security Considerations | |||
| The YANG module defined in this memo is designed to be accessed via | The YANG module defined in this memo is designed to be accessed via | |||
| the NETCONF protocol [RFC6241] [RFC6241]. The lowest NETCONF layer | the NETCONF protocol [RFC6241] [RFC6241]. The lowest NETCONF layer | |||
| is the secure transport layer and the mandatory-to-implement secure | is the secure transport layer and the mandatory-to-implement secure | |||
| transport is SSH [RFC6242] [RFC6242]. The NETCONF access control | transport is SSH [RFC6242] [RFC6242]. The NETCONF access control | |||
| model [RFC6536] [RFC6536] provides the means to restrict access for | model [RFC6536] [RFC6536] provides the means to restrict access for | |||
| particular NETCONF users to a pre-configured subset of all available | particular NETCONF users to a pre-configured subset of all available | |||
| NETCONF protocol operations and content. | NETCONF protocol operations and content. | |||
| There are a number of data nodes defined in the YANG module which are | There are a number of data nodes defined in the YANG module which are | |||
| writable/creatable/deletable (i.e., config true, which is the | writable/creatable/deletable (i.e., config true, which is the | |||
| default). These data nodes may be considered sensitive or vulnerable | default). These data nodes may be considered sensitive or vulnerable | |||
| in some network environments. Write operations (e.g., <edit-config>) | in some network environments. Write operations (e.g., <edit-config>) | |||
| to these data nodes without proper protection can have a negative | to these data nodes without proper protection can have a negative | |||
| effect on network operations. | effect on network operations. | |||
| TBD: List specific Subtrees and data nodes and their sensitivity/ | These are the subtrees and data nodes and their sensitivity/ | |||
| vulnerability. | vulnerability: | |||
| 8. IANA Considerations | /ietf-acl:access-lists/access-list/access-list-entries: This list | |||
| specifies all the configured access list entries on the device. | ||||
| Unauthorized write access to this list can allow intruders to access | ||||
| and control the system. Unauthorized read access to this list can | ||||
| allow intruders to spoof packets with authorized addresses thereby | ||||
| compromising the system. | ||||
| 7. IANA Considerations | ||||
| This document registers a URI in the IETF XML registry [RFC3688] | This document registers a URI in the IETF XML registry [RFC3688] | |||
| [RFC3688]. Following the format in RFC 3688, the following | [RFC3688]. Following the format in RFC 3688, the following | |||
| registration is requested to be made: | registration is requested to be made: | |||
| URI: urn:ietf:params:xml:ns:yang:ietf-acl | URI: urn:ietf:params:xml:ns:yang:ietf-acl | |||
| URI: urn:ietf:params:xml:ns:yang:ietf-packet-fields | ||||
| Registrant Contact: The IESG. | Registrant Contact: The IESG. | |||
| XML: N/A, the requested URI is an XML namespace. | XML: N/A, the requested URI is an XML namespace. | |||
| This document registers a YANG module in the YANG Module Names | This document registers a YANG module in the YANG Module Names | |||
| registry [RFC6020]. | registry [RFC6020]. | |||
| name: ietf-acl namespace: urn:ietf:params:xml:ns:yang:ietf-acl | name: ietf-acl namespace: urn:ietf:params:xml:ns:yang:ietf-acl | |||
| prefix: ietf-acl reference: RFC XXXX | prefix: ietf-acl reference: RFC XXXX | |||
| name: ietf-packet-fields namespace: urn:ietf:params:xml:ns:yang:ietf- | ||||
| packet-fields prefix: ietf-packet-fields reference: RFC XXXX | ||||
| 9. Acknowledgements | 8. Acknowledgements | |||
| Alex Clemm, Andy Bierman and Lisa Huang started it by sketching out | Alex Clemm, Andy Bierman and Lisa Huang started it by sketching out | |||
| an initial IETF draft in several past IETF meetings. That draft | an initial IETF draft in several past IETF meetings. That draft | |||
| included an ACL YANG model structure and a rich set of match filters, | included an ACL YANG model structure and a rich set of match filters, | |||
| and acknowledged contributions by Louis Fourie, Dana Blair, Tula | and acknowledged contributions by Louis Fourie, Dana Blair, Tula | |||
| Kraiser, Patrick Gili, George Serpa, Martin Bjorklund, Kent Watsen, | Kraiser, Patrick Gili, George Serpa, Martin Bjorklund, Kent Watsen, | |||
| and Phil Shafer. Many people have reviewed the various earlier | and Phil Shafer. Many people have reviewed the various earlier | |||
| drafts that made the draft went into IETF charter. | drafts that made the draft went into IETF charter. | |||
| Dean Bogdanovic, Kiran Agrahara Sreenivasa, Lisa Huang, and Dana | Dean Bogdanovic, Kiran Agrahara Sreenivasa, Lisa Huang, and Dana | |||
| Blair each evaluated the YANG model in previous draft separately and | Blair each evaluated the YANG model in previous draft separately and | |||
| then work together, to created a new ACL draft that can be supported | then work together, to created a new ACL draft that can be supported | |||
| by different vendors. The new draft removes vendor specific | by different vendors. The new draft removes vendor specific | |||
| features, and gives examples to allow vendors to extend in their own | features, and gives examples to allow vendors to extend in their own | |||
| proprietary ACL. The earlier draft was superseded with the new one | proprietary ACL. The earlier draft was superseded with the new one | |||
| that received more participation from many vendors. | that received more participation from many vendors. | |||
| 10. Change log [RFC Editor: Please remove] | 9. References | |||
| 11. References | ||||
| 11.1. Normative References | 9.1. Normative References | |||
| [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
| January 2004. | January 2004. | |||
| [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the | [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the | |||
| Network Configuration Protocol (NETCONF)", RFC 6020, | Network Configuration Protocol (NETCONF)", RFC 6020, | |||
| October 2010. | October 2010. | |||
| [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. | [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. | |||
| Bierman, "Network Configuration Protocol (NETCONF)", RFC | Bierman, "Network Configuration Protocol (NETCONF)", RFC | |||
| 6241, June 2011. | 6241, June 2011. | |||
| [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure | [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure | |||
| Shell (SSH)", RFC 6242, June 2011. | Shell (SSH)", RFC 6242, June 2011. | |||
| [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration | [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration | |||
| Protocol (NETCONF) Access Control Model", RFC 6536, March | Protocol (NETCONF) Access Control Model", RFC 6536, March | |||
| 2012. | 2012. | |||
| 11.2. Informative References | 9.2. Informative References | |||
| [RFC5101] Claise, B., "Specification of the IP Flow Information | [RFC5101] Claise, B., "Specification of the IP Flow Information | |||
| Export (IPFIX) Protocol for the Exchange of IP Traffic | Export (IPFIX) Protocol for the Exchange of IP Traffic | |||
| Flow Information", RFC 5101, January 2008. | Flow Information", RFC 5101, January 2008. | |||
| Appendix A. Extending ACL model examples | ||||
| A.1. Example of extending existing model for route filtering | ||||
| With proposed modular design, it is easy to extend the model with | ||||
| other features. Those features can be standard features, like route | ||||
| filters. Route filters match on specific IP addresses or ranges of | ||||
| prefixes. Much like ACLs, they include some match criteria and | ||||
| corresponding match action(s). For that reason, it is very simple to | ||||
| extend existing ACL model with route filtering. The combination of a | ||||
| route prefix and prefix length along with the type of match | ||||
| determines how route filters are evaluated against incoming routes. | ||||
| Different vendors have different match types and in this model we are | ||||
| using only ones that are common across all vendors participating in | ||||
| this draft. As in this example, the base ACL model can be extended | ||||
| with company proprietary extensions, described in the next section. | ||||
| <CODE BEGINS> file "std-ext-route-filter@2015-02-14.yang" | ||||
| module std-ext-route-filter { | ||||
| yang-version 1; | ||||
| namespace "urn:ietf:params:xml:ns:yang:ietf-route-filter"; | ||||
| prefix std-ext-route-filter; | ||||
| import ietf-inet-types { | ||||
| prefix "inet"; | ||||
| } | ||||
| import ietf-acl { | ||||
| prefix "ietf-acl"; | ||||
| } | ||||
| organization | ||||
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | ||||
| contact | ||||
| "WG Web: http://tools.ietf.org/wg/netmod/ | ||||
| WG List: netmod@ietf.org | ||||
| WG Chair: Juergen Schoenwaelder | ||||
| j.schoenwaelder@jacobs-university.de | ||||
| WG Chair: Tom Nadeau | ||||
| tnadeau@lucidvision.com | ||||
| Editor: Dean Bogdanovic | ||||
| deanb@juniper.net | ||||
| Editor: Kiran Agrahara Sreenivasa | ||||
| kkoushik@brocade.com | ||||
| Editor: Lisa Huang | ||||
| yihuan@cisco.com | ||||
| Editor: Dana Blair | ||||
| dblair@cisco.com"; | ||||
| description " | ||||
| This module describes route filter as a collection of | ||||
| match prefixes. When specifying a match prefix, you | ||||
| can specify an exact match with a particular route or | ||||
| a less precise match. You can configure either a | ||||
| common action that applies to the entire list or an | ||||
| action associated with each prefix. | ||||
| "; | ||||
| revision 2015-02-14 { | ||||
| description "creating Route-Filter extension model based on ietf-acl model"; | ||||
| reference " "; | ||||
| } | ||||
| augment "/ietf-acl:access-lists/ietf-acl:access-list | ||||
| /ietf-acl:access-list-entries/ | ||||
| ietf-acl:access-list-entry/ietf-acl:matches"{ | ||||
| description " | ||||
| This module augments the matches container in the ietf-acl | ||||
| module with route filter specific actions | ||||
| "; | ||||
| choice route-prefix{ | ||||
| description "Define route filter match criteria"; | ||||
| case range { | ||||
| description " | ||||
| Route falls between the lower prefix/prefix-length and the upper | ||||
| prefix/prefix-length. | ||||
| "; | ||||
| choice ipv4-range { | ||||
| description "Defines the lower IPv4 prefix/prefix range"; | ||||
| leaf v4-lower-bound { | ||||
| type inet:ipv4-prefix; | ||||
| description "Defines the lower IPv4 prefix/prefix length"; | ||||
| } | ||||
| leaf v4-upper-bound { | ||||
| type inet:ipv4-prefix; | ||||
| description "Defines the upper IPv4 prefix/prefix length"; | ||||
| } | ||||
| } | ||||
| choice ipv6-range { | ||||
| description "Defines the IPv6 prefix/prefix range"; | ||||
| leaf v6-lower-bound { | ||||
| type inet:ipv6-prefix; | ||||
| description "Defines the lower IPv6 prefix/prefix length"; | ||||
| } | ||||
| leaf v6-upper-bound { | ||||
| type inet:ipv6-prefix; | ||||
| description "Defines the upper IPv6 prefix/prefix length"; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| <CODE ENDS> | ||||
| A.2. A company proprietary module example | ||||
| Module "newco-acl" is an example of company proprietary model that | ||||
| augments "ietf-acl" module. It shows how to use 'augment' with an | ||||
| XPath expression to add additional match criteria, action criteria, | ||||
| and default actions when no ACE matches found. All these are company | ||||
| proprietary extensions or system feature extensions. "newco-acl" is | ||||
| just an example and it is expected from vendors to create their own | ||||
| proprietary models. | ||||
| The following figure is the tree structure of newco-acl. In this | ||||
| example, ietf-acl:access-lists/ietf-acl:access-list/ietf-acl:access- | ||||
| list-entries/ietf-acl:access-list-entry/ietf-acl:matches: are | ||||
| augmented with a new choice, protocol-payload-choice. The protocol- | ||||
| payload-choice uses a grouping with an enumeration of all supported | ||||
| protocol values. In other example, ietf-acl:access-lists/ietf-acl | ||||
| :access-list/ietf-acl:access-list-entries/ietf-acl:access-list-entry/ | ||||
| ietf-acl:actions are augmented with new choice of actions. | ||||
| module: newco-acl | ||||
| augment /ietf-acl:access-lists/ietf-acl:access-list | ||||
| /ietf-acl:access-list-entries/ | ||||
| ietf-acl:access-list-entry/ietf-acl:matches: | ||||
| +--rw (protocol-payload-choice)? | ||||
| +--:(protocol-payload) | ||||
| +--rw protocol-payload* [value-keyword] | ||||
| +--rw value-keyword enumeration | ||||
| augment /ietf-acl:access-lists/ietf-acl:access-list | ||||
| /ietf-acl:access-list-entries/ | ||||
| ietf-acl:access-list-entry/ietf-acl:actions: | ||||
| +--rw (action)? | ||||
| +--:(count) | ||||
| | +--rw count? string | ||||
| +--:(policer) | ||||
| | +--rw policer? string | ||||
| +--:(hiearchical-policer) | ||||
| +--rw hierarchitacl-policer? string | ||||
| augment /ietf-acl:access-lists/ietf-acl:access-list: | ||||
| +--rw default-actions | ||||
| +--rw deny? empty | ||||
| <CODE BEGINS> file "newco-acl@2015-03-04.yang" | ||||
| module newco-acl { | ||||
| yang-version 1; | ||||
| namespace "urn:newco:params:xml:ns:yang:newco-acl"; | ||||
| prefix newco-acl; | ||||
| import ietf-acl { | ||||
| prefix "ietf-acl"; | ||||
| } | ||||
| revision 2015-03-04{ | ||||
| description "creating NewCo proprietary extensions to ietf-acl model"; | ||||
| } | ||||
| augment "/ietf-acl:access-lists/ietf-acl:access-list | ||||
| /ietf-acl:access-list-entries/ | ||||
| ietf-acl:access-list-entry/ietf-acl:matches" { | ||||
| description "Newco proprietary simple filter matches"; | ||||
| choice protocol-payload-choice { | ||||
| list protocol-payload { | ||||
| key value-keyword; | ||||
| ordered-by user; | ||||
| description "Match protocol payload"; | ||||
| uses match-simple-payload-protocol-value; | ||||
| } | ||||
| } | ||||
| } | ||||
| augment "/ietf-acl:access-lists/ietf-acl:access-list/ietf-acl:access-list-entries/ietf-acl:access-list-entry/ietf-acl:actions" { | ||||
| description "Newco proprietary simple filter actions"; | ||||
| choice action { | ||||
| case count { | ||||
| description "Count the packet in the named counter"; | ||||
| leaf count { | ||||
| type string; | ||||
| } | ||||
| } | ||||
| case policer { | ||||
| description "Name of policer to use to rate-limit traffic"; | ||||
| leaf policer { | ||||
| type string; | ||||
| } | ||||
| } | ||||
| case hiearchical-policer { | ||||
| description "Name of hierarchical policer to use to | ||||
| rate-limit traffic"; | ||||
| leaf hierarchitacl-policer{ | ||||
| type string; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| augment "/ietf-acl:access-lists/ietf-acl:access-list" { | ||||
| container default-actions { | ||||
| description "Actions that occur if no access-list entry is matched."; | ||||
| leaf deny { | ||||
| type empty; | ||||
| } | ||||
| } | ||||
| } | ||||
| grouping match-simple-payload-protocol-value { | ||||
| leaf value-keyword { | ||||
| description "(null)"; | ||||
| type enumeration { | ||||
| enum icmp { | ||||
| description "Internet Control Message Protocol"; | ||||
| } | ||||
| enum icmp6 { | ||||
| description "Internet Control Message Protocol Version 6"; | ||||
| } | ||||
| enum range { | ||||
| description "Range of values"; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| <CODE ENDS> | ||||
| Draft authors expect that different vendors will provide their own | ||||
| yang models as in the example above, which is the extension of the | ||||
| base model | ||||
| A.3. Attaching Access Control List to interfaces | ||||
| Access control list typically does not exist in isolation. Instead, | ||||
| they are associated with a certain scope in which they are applied, | ||||
| for example, an interface of a set of interfaces. How to attach an | ||||
| SPF to an interface (or other system artifact) is outside the scope | ||||
| of this model, as it depends on the specifics of the system model | ||||
| that is being applied. However, in general, the general design | ||||
| pattern will involved adding a dada node with a reference, or set of | ||||
| references, to ACLs that are to be applied to the interface. For | ||||
| this purpose, the type definition "access-control-list-ref" can be | ||||
| used. | ||||
| This is an example of attaching an access control list to an | ||||
| interface. | ||||
| <CODE BEGINS> file "interface model augmentation with ACL | ||||
| @2015-03-04.yang" | ||||
| import ietf-acl { | ||||
| prefix "ietf-acl"; | ||||
| } | ||||
| import ietf-interface { | ||||
| prefix "ietf-if"; | ||||
| } | ||||
| import ietf-yang-types { | ||||
| prefix "yang"; | ||||
| } | ||||
| augment "/ietf-if:interfaces/ietf-if:interface" { | ||||
| description "Apply acl to interfaces"; | ||||
| container acl{ | ||||
| description "ACL related properties."; | ||||
| leaf acl-name { | ||||
| type ietf-acl:access-control-list-ref; | ||||
| mandatory true; | ||||
| description "Access Control List name."; | ||||
| } | ||||
| leaf match-counter { | ||||
| type yang:counter64; | ||||
| config false; | ||||
| description "Total match count for access control list "; | ||||
| } | ||||
| choice direction { | ||||
| leaf in { type empty;} | ||||
| leaf out { type empty;} | ||||
| } | ||||
| } | ||||
| } | ||||
| <CODE ENDS> | ||||
| Authors' Addresses | Authors' Addresses | |||
| Dean Bogdanovic | Dean Bogdanovic | |||
| Juniper Networks | Juniper Networks | |||
| Email: deanb@juniper.net | Email: deanb@juniper.net | |||
| Kiran Agrahara Sreenivasa | Kiran Agrahara Sreenivasa | |||
| Brocade Communications System | Brocade Communications System | |||
| End of changes. 122 change blocks. | ||||
| 677 lines changed or deleted | 796 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||