< draft-ietf-rtgwg-policy-model-09.txt   draft-ietf-rtgwg-policy-model-10.txt >
RTGWG Y. Qu RTGWG Y. Qu
Internet-Draft Futurewei Internet-Draft Futurewei
Intended status: Standards Track J. Tantsura Intended status: Standards Track J. Tantsura
Expires: September 5, 2020 Apstra Expires: November 23, 2020 Apstra
A. Lindem A. Lindem
Cisco Cisco
X. Liu X. Liu
Volta Networks Volta Networks
March 4, 2020 May 22, 2020
A YANG Data Model for Routing Policy Management A YANG Data Model for Routing Policy Management
draft-ietf-rtgwg-policy-model-09 draft-ietf-rtgwg-policy-model-10
Abstract Abstract
This document defines a YANG data model for configuring and managing This document defines a YANG data model for configuring and managing
routing policies in a vendor-neutral way and based on actual routing policies in a vendor-neutral way and based on actual
operational practice. The model provides a generic policy framework operational practice. The model provides a generic policy framework
which can be augmented with protocol-specific policy configuration. which can be augmented with protocol-specific policy configuration.
Status of This Memo Status of This Memo
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 5, 2020. This Internet-Draft will expire on November 23, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Goals and approach . . . . . . . . . . . . . . . . . . . 3 1.1. Goals and approach . . . . . . . . . . . . . . . . . . . 2
2. Terminology and Notation . . . . . . . . . . . . . . . . . . 3 2. Terminology and Notation . . . . . . . . . . . . . . . . . . 3
2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Prefixes in Data Node Names . . . . . . . . . . . . . . . 4 2.2. Prefixes in Data Node Names . . . . . . . . . . . . . . . 4
3. Model overview . . . . . . . . . . . . . . . . . . . . . . . 5 3. Model overview . . . . . . . . . . . . . . . . . . . . . . . 5
4. Route policy expression . . . . . . . . . . . . . . . . . . . 5 4. Route policy expression . . . . . . . . . . . . . . . . . . . 5
4.1. Defined sets for policy matching . . . . . . . . . . . . 6 4.1. Defined sets for policy matching . . . . . . . . . . . . 6
4.2. Policy conditions . . . . . . . . . . . . . . . . . . . . 7 4.2. Policy conditions . . . . . . . . . . . . . . . . . . . . 7
4.3. Policy actions . . . . . . . . . . . . . . . . . . . . . 8 4.3. Policy actions . . . . . . . . . . . . . . . . . . . . . 8
4.4. Policy subroutines . . . . . . . . . . . . . . . . . . . 9 4.4. Policy subroutines . . . . . . . . . . . . . . . . . . . 9
5. Policy evaluation . . . . . . . . . . . . . . . . . . . . . . 10 5. Policy evaluation . . . . . . . . . . . . . . . . . . . . . . 10
6. Applying routing policy . . . . . . . . . . . . . . . . . . . 10 6. Applying routing policy . . . . . . . . . . . . . . . . . . . 10
7. Routing protocol-specific policies . . . . . . . . . . . . . 11 7. Routing protocol-specific policies . . . . . . . . . . . . . 11
8. Security Considerations . . . . . . . . . . . . . . . . . . . 13 8. Security Considerations . . . . . . . . . . . . . . . . . . . 13
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
10. YANG modules . . . . . . . . . . . . . . . . . . . . . . . . 14 10. YANG modules . . . . . . . . . . . . . . . . . . . . . . . . 14
10.1. Routing policy model . . . . . . . . . . . . . . . . . . 14 10.1. Routing policy model . . . . . . . . . . . . . . . . . . 15
11. Policy examples . . . . . . . . . . . . . . . . . . . . . . . 35 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 36
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 35 11.1. Normative references . . . . . . . . . . . . . . . . . . 36
12.1. Normative references . . . . . . . . . . . . . . . . . . 35 11.2. Informative references . . . . . . . . . . . . . . . . . 37
12.2. Informative references . . . . . . . . . . . . . . . . . 36 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 38
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 36 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 38
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 37
1. Introduction 1. Introduction
This document describes a YANG [RFC6020] [RFC7950] data model for This document describes a YANG [RFC7950] data model for routing
routing policy configuration based on operational usage and best policy configuration based on operational usage and best practices in
practices in a variety of service provider networks. The model is a variety of service provider networks. The model is intended to be
intended to be vendor-neutral, in order to allow operators to manage vendor-neutral, in order to allow operators to manage policy
policy configuration in a consistent, intuitive way in heterogeneous configuration in a consistent, intuitive way in heterogeneous
environments with routers supplied by multiple vendors. environments with routers supplied by multiple vendors.
The YANG modules in this document conform to the Network Management The YANG modules in this document conform to the Network Management
Datastore Architecture (NMDA) [RFC8342]. Datastore Architecture (NMDA) [RFC8342].
1.1. Goals and approach 1.1. Goals and approach
This model does not aim to be feature complete -- it is a subset of This model does not aim to be feature complete -- it is a subset of
the policy configuration parameters available in a variety of vendor the policy configuration parameters available in a variety of vendor
implementations, but supports widely used constructs for managing how implementations, but supports widely used constructs for managing how
skipping to change at page 6, line 14 skipping to change at page 6, line 14
Conditions may include multiple match or comparison operations, and Conditions may include multiple match or comparison operations, and
similarly, actions may effect multiple changes to route attributes, similarly, actions may effect multiple changes to route attributes,
or indicate a final disposition of accepting or rejecting the route. or indicate a final disposition of accepting or rejecting the route.
This structure is shown below. This structure is shown below.
+--rw routing-policy +--rw routing-policy
+--rw policy-definitions +--rw policy-definitions
+--rw policy-definition* [name] +--rw policy-definition* [name]
+--rw name string +--rw name string
+--rw policy-statements +--rw statements
+--rw statement* [name] +--rw statement* [name]
+--rw name string +--rw name string
+--rw conditions +--rw conditions
| ... | ...
+--rw actions +--rw actions
... ...
4.1. Defined sets for policy matching 4.1. Defined sets for policy matching
The model provides a set of generic sets that can be used for The model provides a set of generic sets that can be used for
skipping to change at page 7, line 12 skipping to change at page 7, line 12
The model structure for defined sets is shown below. The model structure for defined sets is shown below.
+--rw routing-policy +--rw routing-policy
+--rw defined-sets +--rw defined-sets
| +--rw prefix-sets | +--rw prefix-sets
| | +--rw prefix-set* [name] | | +--rw prefix-set* [name]
| | +--rw name string | | +--rw name string
| | +--rw mode? enumeration | | +--rw mode? enumeration
| | +--rw prefixes | | +--rw prefixes
| | +--rw prefix-list* [ip-prefix masklength-lower | | +--rw prefix-list* [ip-prefix mask-length-lower
| | masklength-upper] | | mask-length-upper]
| | +--rw ip-prefix inet:ip-prefix | | +--rw ip-prefix inet:ip-prefix
| | +--rw masklength-lower uint8 | | +--rw mask-length-lower uint8
| | +--rw masklength-upper uint8 | | +--rw mask-length-upper uint8
| +--rw neighbor-sets | +--rw neighbor-sets
| | +--rw neighbor-set* [name] | | +--rw neighbor-set* [name]
| | +--rw name string | | +--rw name string
| | +--rw address* inet:ip-address | | +--rw address* inet:ip-address
| +--rw tag-sets | +--rw tag-sets
| +--rw tag-set* [name] | +--rw tag-set* [name]
| +--rw name string | +--rw name string
| +--rw tag-value* tag-type | +--rw tag-value* tag-type
4.2. Policy conditions 4.2. Policy conditions
skipping to change at page 8, line 19 skipping to change at page 8, line 19
While most policy conditions will be added by individual routing While most policy conditions will be added by individual routing
protocol models via augmentation, this routing policy model includes protocol models via augmentation, this routing policy model includes
several generic match conditions and also the ability to test which several generic match conditions and also the ability to test which
protocol or mechanism installed a route (e.g., BGP, IGP, static, protocol or mechanism installed a route (e.g., BGP, IGP, static,
etc.). The conditions included in the model are shown below. etc.). The conditions included in the model are shown below.
+--rw routing-policy +--rw routing-policy
+--rw policy-definitions +--rw policy-definitions
+--rw policy-definition* [name] +--rw policy-definition* [name]
+--rw name string +--rw name string
+--rw policy-statements +--rw statements
+--rw statement* [name] +--rw statement* [name]
+--rw conditions +--rw conditions
| +--rw call-policy? | +--rw call-policy?
| +--rw install-protocol-eq? | +--rw source-protocol?
| +--rw match-interface | +--rw match-interface
| | +--rw interface? | | +--rw interface?
| | +--rw subinterface? | | +--rw subinterface?
| +--rw match-prefix-set | +--rw match-prefix-set
| | +--rw prefix-set? | | +--rw prefix-set?
| | +--rw match-set-options? | | +--rw match-set-options?
| +--rw match-neighbor-set | +--rw match-neighbor-set
| | +--rw neighbor-set? | | +--rw neighbor-set?
| +--rw match-tag-set | +--rw match-tag-set
| | +--rw tag-set? | | +--rw tag-set?
skipping to change at page 9, line 8 skipping to change at page 9, line 8
various attributes of the route being processed, or to indicate the various attributes of the route being processed, or to indicate the
final disposition of the route, i.e., accept or reject. final disposition of the route, i.e., accept or reject.
Similar to policy conditions, the routing policy model includes Similar to policy conditions, the routing policy model includes
generic actions in addition to the basic route disposition actions. generic actions in addition to the basic route disposition actions.
These are shown below. These are shown below.
+--rw routing-policy +--rw routing-policy
+--rw policy-definitions +--rw policy-definitions
+--rw policy-definition* [name] +--rw policy-definition* [name]
+--rw policy-statements +--rw statements
+--rw statement* [name] +--rw statement* [name]
+--rw actions +--rw actions
+--rw policy-result? policy-result-type +--rw policy-result? policy-result-type
+--rw set-metric +--rw set-metric
| +--rw metric-modificatiion? | +--rw metric-modificatiion?
| | metric-modification-type | | metric-modification-type
| +--rw metric? uint32 | +--rw metric? uint32
+--rw set-metric-type +--rw set-metric-type
| +--rw metric-type? identityref | +--rw metric-type? identityref
+--rw set-import-level +--rw set-import-level
skipping to change at page 11, line 22 skipping to change at page 11, line 22
policy configuration. The routing policy model assumes that policy configuration. The routing policy model assumes that
additional defined sets, conditions, and actions may all be added by additional defined sets, conditions, and actions may all be added by
other models. other models.
An example of this is shown below, in which the BGP configuration An example of this is shown below, in which the BGP configuration
model in [I-D.ietf-idr-bgp-model] adds new defined sets to match on model in [I-D.ietf-idr-bgp-model] adds new defined sets to match on
community values or AS paths. The model similarly augments BGP- community values or AS paths. The model similarly augments BGP-
specific conditions and actions in the corresponding sections of the specific conditions and actions in the corresponding sections of the
routing policy model. routing policy model.
draft-ietf-rtgwg-policy-model-09:

   +--rw routing-policy
      +--rw defined-sets
      |  +--rw prefix-sets
      |  |  +--rw prefix-set* [name]
      |  |     +--rw name        string
      |  |     +--rw mode?       enumeration
      |  |     +--rw prefixes
      |  |        +--rw prefix-list* [ip-prefix masklength-lower
      |  |                masklength-upper]
      |  |           +--rw ip-prefix          inet:ip-prefix
      |  |           +--rw masklength-lower   uint8
      |  |           +--rw masklength-upper   uint8
      |  +--rw neighbor-sets
      |  |  +--rw neighbor-set* [name]
      |  |     +--rw name       string
      |  |     +--rw address*   inet:ip-address
      |  +--rw tag-sets
      |  |  +--rw tag-set* [name]
      |  |     +--rw name         string
      |  |     +--rw tag-value*   tag-type
      |  +--rw bgp-pol:bgp-defined-sets
      |     +--rw bgp-pol:community-sets
      |     |  +--rw bgp-pol:community-set* [community-set-name]
      |     |     +--rw bgp-pol:community-set-name   string
      |     |     +--rw bgp-pol:community-member*    union
      |     +--rw bgp-pol:ext-community-sets
      |     |  +--rw bgp-pol:ext-community-set* [ext-community-set-name]
      |     |     +--rw bgp-pol:ext-community-set-name   string
      |     |     +--rw bgp-pol:ext-community-member*    union
      |     +--rw bgp-pol:as-path-sets
      |        +--rw bgp-pol:as-path-set* [as-path-set-name]
      |           +--rw bgp-pol:as-path-set-name      string
      |           +--rw bgp-pol:as-path-set-member*   string
      +--rw policy-definitions
         +--rw policy-definition* [name]
            +--rw name    string
            +--rw policy-statements
               +--rw statement* [name]
                  +--rw name    string
                  +--rw conditions
                  |  +--rw call-policy?
                  |  +--rw source-protocol?   identityref
                  |  +--rw match-interface
                  |  |  +--rw interface?
                  |  |  +--rw subinterface?
                  |  +--rw match-prefix-set
                  |  |  +--rw prefix-set?
                  |  |  +--rw match-set-options?   match-set-options-type
                  |  +--rw match-neighbor-set
                  |  |  +--rw neighbor-set?
                  |  +--rw match-tag-set
                  |  |  +--rw tag-set?
                  |  |  +--rw match-set-options?   match-set-options-type
                  |  +--rw match-proto-route-type*   identityref
                  |  +--rw bgp-pol:bgp-conditions
                  |     +--rw bgp-pol:med-eq?          uint32
                  |     +--rw bgp-pol:origin-eq?       bgp-types:bgp-origin-attr-type
                  |     +--rw bgp-pol:next-hop-in*     inet:ip-address-no-zone
                  |     +--rw bgp-pol:afi-safi-in*     identityref
                  |     +--rw bgp-pol:local-pref-eq?   uint32
                  |     +--rw bgp-pol:route-type?      enumeration
                  |     +--rw bgp-pol:community-count
                  |     +--rw bgp-pol:as-path-length
                  |     +--rw bgp-pol:match-community-set
                  |     |  +--rw bgp-pol:community-set?
                  |     |  +--rw bgp-pol:match-set-options?   match-set-options-type
                  |     +--rw bgp-pol:match-ext-community-set
                  |     |  +--rw bgp-pol:ext-community-set?
                  |     |  +--rw bgp-pol:match-set-options?   match-set-options-type
                  |     +--rw bgp-pol:match-as-path-set
                  |        +--rw bgp-pol:as-path-set?
                  |        +--rw bgp-pol:match-set-options?   match-set-options-type
                  +--rw actions
                     +--rw policy-result?   policy-result-type
                     +--rw set-metric
                     |  +--rw metric-modificatiion?   metric-modification-type
                     |  +--rw metric?                 uint32
                     +--rw set-metric-type
                     |  +--rw metric-type?   identityref
                     +--rw set-import-level
                     |  +--rw import-level?   identityref
                     +--rw set-preference?        uint16
                     +--rw set-tag?               tag-type
                     +--rw set-application-tag?   tag-type
                     +--rw bgp-pol:bgp-actions
                        +--rw bgp-pol:set-route-origin?   bgp-types:bgp-origin-attr-type
                        +--rw bgp-pol:set-local-pref?     uint32
                        +--rw bgp-pol:set-next-hop?       bgp-next-hop-type
                        +--rw bgp-pol:set-med?            bgp-set-med-type
                        +--rw bgp-pol:set-as-path-prepend
                        |  +--rw bgp-pol:repeat-n?   uint8
                        +--rw bgp-pol:set-community
                        |  +--rw bgp-pol:method?    enumeration
                        |  +--rw bgp-pol:options?   bgp-set-community-option-type
                        |  +--rw bgp-pol:inline
                        |  |  +--rw bgp-pol:communities*   union
                        |  +--rw bgp-pol:reference
                        |     +--rw bgp-pol:community-set-ref?
                        +--rw bgp-pol:set-ext-community
                           +--rw bgp-pol:method?    enumeration
                           +--rw bgp-pol:options?   bgp-set-community-option-type
                           +--rw bgp-pol:inline
                           |  +--rw bgp-pol:communities*   union
                           +--rw bgp-pol:reference
                              +--rw bgp-pol:ext-community-set-ref?

draft-ietf-rtgwg-policy-model-10:

   module: ietf-routing-policy
     +--rw routing-policy
        +--rw defined-sets
        |  +--rw prefix-sets
        |  |  +--rw prefix-set* [name]
        |  |     +--rw name        string
        |  |     +--rw mode?       enumeration
        |  |     +--rw prefixes
        |  |        +--rw prefix-list* [ip-prefix mask-length-lower
        |  |                mask-length-upper]
        |  |           +--rw ip-prefix           inet:ip-prefix
        |  |           +--rw mask-length-lower   uint8
        |  |           +--rw mask-length-upper   uint8
        |  +--rw neighbor-sets
        |  |  +--rw neighbor-set* [name]
        |  |     +--rw name       string
        |  |     +--rw address*   inet:ip-address
        |  +--rw tag-sets
        |  |  +--rw tag-set* [name]
        |  |     +--rw name         string
        |  |     +--rw tag-value*   tag-type
        |  +--rw bp:bgp-defined-sets
        |     +--rw bp:community-sets
        |     |  +--rw bp:community-set* [name]
        |     |     +--rw bp:name      string
        |     |     +--rw bp:member*   union
        |     +--rw bp:ext-community-sets
        |     |  +--rw bp:ext-community-set* [name]
        |     |     +--rw bp:name      string
        |     |     +--rw bp:member*   union
        |     +--rw bp:as-path-sets
        |        +--rw bp:as-path-set* [name]
        |           +--rw bp:name      string
        |           +--rw bp:member*   string
        +--rw policy-definitions
           +--rw policy-definition* [name]
              +--rw name    string
              +--rw statements
                 +--rw statement* [name]
                    +--rw name    string
                    +--rw conditions
                    |  +--rw call-policy?
                    |  +--rw source-protocol?   identityref
                    |  +--rw match-interface
                    |  |  +--rw interface?
                    |  |  +--rw subinterface?
                    |  +--rw match-prefix-set
                    |  |  +--rw prefix-set?          prefix-set/name
                    |  |  +--rw match-set-options?   match-set-options-type
                    |  +--rw match-neighbor-set
                    |  |  +--rw neighbor-set?
                    |  +--rw match-tag-set
                    |  |  +--rw tag-set?
                    |  |  +--rw match-set-options?   match-set-options-type
                    |  +--rw match-proto-route-type*   identityref
                    |  +--rw bp:bgp-conditions
                    |     +--rw bp:med-eq?          uint32
                    |     +--rw bp:origin-eq?       bt:bgp-origin-attr-type
                    |     +--rw bp:next-hop-in*     inet:ip-address-no-zone
                    |     +--rw bp:afi-safi-in*     identityref
                    |     +--rw bp:local-pref-eq?   uint32
                    |     +--rw bp:route-type?      enumeration
                    |     +--rw bp:community-count
                    |     +--rw bp:as-path-length
                    |     +--rw bp:match-community-set
                    |     |  +--rw bp:community-set?
                    |     |  +--rw bp:match-set-options?   match-set-options-type
                    |     +--rw bp:match-ext-community-set
                    |     |  +--rw bp:ext-community-set?
                    |     |  +--rw bp:match-set-options?   match-set-options-type
                    |     +--rw bp:match-as-path-set
                    |        +--rw bp:as-path-set?
                    |        +--rw bp:match-set-options?   match-set-options-type
                    +--rw actions
                       +--rw policy-result?   policy-result-type
                       +--rw set-metric
                       |  +--rw metric-modification?   metric-modification-type
                       |  +--rw metric?                uint32
                       +--rw set-metric-type
                       |  +--rw metric-type?   identityref
                       +--rw set-import-level
                       |  +--rw import-level?   identityref
                       +--rw set-preference?        uint16
                       +--rw set-tag?               tag-type
                       +--rw set-application-tag?   tag-type
                       +--rw bp:bgp-actions
                          +--rw bp:set-route-origin?   bt:bgp-origin-attr-type
                          +--rw bp:set-local-pref?     uint32
                          +--rw bp:set-next-hop?       bgp-next-hop-type
                          +--rw bp:set-med?            bgp-set-med-type
                          +--rw bp:set-as-path-prepend
                          |  +--rw bp:repeat-n?   uint8
                          +--rw bp:set-community
                          |  +--rw bp:method?    enumeration
                          |  +--rw bp:options?   bgp-set-community-option-type
                          |  +--rw bp:inline
                          |  |  +--rw bp:communities*   union
                          |  +--rw bp:reference
                          |     +--rw bp:community-set-ref?
                          +--rw bp:set-ext-community
                             +--rw bp:method?    enumeration
                             +--rw bp:options?   bgp-set-community-option-type
                             +--rw bp:inline
                             |  +--rw bp:communities*   union
                             +--rw bp:reference
                                +--rw bp:ext-community-set-ref?
8. Security Considerations 8. Security Considerations
The YANG modules specified in this document define a schema for data
that is designed to be accessed via network management protocols such
as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer
is the secure transport layer, and the mandatory-to-implement secure
transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
is HTTPS, and the mandatory-to-implement secure transport is TLS
[RFC8446].
The NETCONF Access Control Model (NACM) [RFC8341] provides the means
to restrict access for particular NETCONF or RESTCONF users to a pre-
configured subset of all available NETCONF or RESTCONF protocol
operations and content.
There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., config true, which is the
default). These data nodes may be considered sensitive or vulnerable
in some network environments. Write operations (e.g., edit-config)
to these data nodes without proper protection can have a negative
effect on network operations. These are the subtrees and data nodes
and their sensitivity/vulnerability:
/routing-policy
/routing-policy/defined-sets/prefix-sets
/routing-policy/defined-sets/neighbor-sets
/routing-policy/defined-sets/tag-sets
/routing-policy/policy-definitions
Unauthorized access to any data node of these subtrees can disclose
the operational state information of routing policies on this device.
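The subtrees listed above are exactly the paths a NACM [RFC8341] rule-list should name. The fragment below is an added example, not text from the draft: it confines create/update/delete access on /rt-pol:routing-policy to one constructed group while denying other users both read and write access to the subtree, so that neither the disclosure nor the disruption the text describes is reachable from an unprivileged NETCONF or RESTCONF session. The group name, user name and rule names are constructed; the namespace is the one this document registers.

```xml
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <!-- Default to deny writes everywhere; routing policy is then opened per group. -->
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>permit</exec-default>

  <groups>
    <group>
      <name>routing-policy-admins</name>  <!-- constructed group name -->
      <user-name>netops-alice</user-name> <!-- constructed user name -->
    </group>
  </groups>

  <!-- Rule-lists are processed in order; the first matching rule decides. -->
  <rule-list>
    <name>routing-policy-admins-full</name>
    <group>routing-policy-admins</group>
    <rule>
      <name>policy-subtree-rw</name>
      <module-name>ietf-routing-policy</module-name>
      <path xmlns:rt-pol="urn:ietf:params:xml:ns:yang:ietf-routing-policy">/rt-pol:routing-policy</path>
      <access-operations>create read update delete</access-operations>
      <action>permit</action>
      <comment>Only the policy-admin group may read or edit routing policy.</comment>
    </rule>
  </rule-list>

  <rule-list>
    <name>everyone-else</name>
    <group>*</group>
    <rule>
      <name>policy-subtree-hidden</name>
      <module-name>ietf-routing-policy</module-name>
      <path xmlns:rt-pol="urn:ietf:params:xml:ns:yang:ietf-routing-policy">/rt-pol:routing-policy</path>
      <access-operations>*</access-operations>
      <action>deny</action>
      <comment>Hides defined-sets and policy-definitions from all other users.</comment>
    </rule>
  </rule-list>
</nacm>
```

Because the deny rule sits in a later rule-list whose group wildcard matches every user, members of routing-policy-admins are matched by the first rule-list and never reach it; everyone else gets the deny, which also blocks read access to the prefix-sets, neighbor-sets and tag-sets that the text flags as disclosing operational state.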
draft-ietf-rtgwg-policy-model-09:

   Routing policy configuration has a significant impact on network
   operations, and, as such, any related model carries potential
   security risks.

   YANG data models are generally designed to be used with the NETCONF
   protocol over an SSH transport. This provides an authenticated and
   secure channel over which to transfer configuration and operational
   data. Note that use of alternate transport or data encoding (e.g.,
   JSON over HTTPS) would require similar mechanisms for authenticating
   and securing access to configuration data.

   Most of the data elements in the policy model could be considered
   sensitive from a security standpoint. Unauthorized access or invalid
   data could cause major disruption.

9. IANA Considerations

   This YANG data model and the component modules currently use a
   temporary ad-hoc namespace. If and when it is placed on the
   standards track, an appropriate namespace URI will be registered in
   the IETF XML Registry [RFC3688]. The routing policy YANG modules
   will be registered in the "YANG Module Names" registry [RFC6020].

draft-ietf-rtgwg-policy-model-10:

   Routing policy configuration has a significant impact on network
   operations, and, as such, any related model carries potential
   security risks. Unauthorized access or invalid data could cause
   major disruption.

9. IANA Considerations

   This document registers a URI in the IETF XML registry [RFC3688].
   Following the format in [RFC3688], the following registration is
   requested to be made:

      URI: urn:ietf:params:xml:ns:yang:ietf-routing-policy
      Registrant Contact: The IESG.
      XML: N/A, the requested URI is an XML namespace.

   This document registers a YANG module in the YANG Module Names
   registry [RFC6020].

      name: ietf-routing-policy
      namespace: urn:ietf:params:xml:ns:yang:ietf-routing-policy
      prefix: rt-pol
      reference: RFC XXXX
10. YANG modules 10. YANG modules
The routing policy model is described by the YANG modules in the The routing policy model is described by the YANG modules in the
sections below. sections below.
10.1. Routing policy model 10.1. Routing policy model
draft-ietf-rtgwg-policy-model-09:

   <CODE BEGINS> file "ietf-routing-policy@2020-03-04.yang"
   module ietf-routing-policy {
     yang-version "1.1";
     namespace "urn:ietf:params:xml:ns:yang:ietf-routing-policy";
     prefix rt-pol;

     import ietf-inet-types {
       prefix "inet";
     }
     import ietf-yang-types {
       prefix "yang";
     }
     import ietf-interfaces {
       prefix "if";
     }
     import ietf-routing {
       prefix "rt";
     }
     import ietf-if-extensions {
       prefix if-ext;
     }
     import ietf-if-l3-vlan {
       prefix "if-l3-vlan";
     }

     organization
       "IETF RTGWG - Routing Area Working Group";
     contact
       "WG Web:   <http://tools.ietf.org/wg/rtgwg/>
        WG List:  <mailto:rtgwg@ietf.org>

        Editor:   Yingzhen Qu
                  <mailto:yingzhen.qu@futurewei.com>
                  Jeff Tantsura
                  <mailto:jefftant.ietf@gmail.com>
                  Acee Lindem
                  <mailto:acee@cisco.com>
                  Xufeng Liu
                  <mailto:xufeng.liu.ietf@gmail.com>";

     description
       "This module describes a YANG model for routing policy
        configuration. It is a limited subset of all of the policy
        configuration parameters available in the variety of vendor
        implementations, but supports widely used constructs for
        managing how routes are imported, exported, and modified across
        different routing protocols. This module is intended to be
        used in conjunction with routing protocol configuration modules
        (e.g., BGP) defined in other models.

        Copyright (c) 2020 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject to
        the license terms contained in, the Simplified BSD License set
        forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX
        (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
        for full legal notices.

        Route policy expression:

        Policies are expressed as a set of top-level policy
        definitions, each of which consists of a sequence of policy
        statements. Policy statements consist of simple
        condition-action tuples. Conditions may include mutiple match
        or comparison operations, and similarly actions may be
        multitude of changes to route attributes or a final disposition
        of accepting or rejecting the route.

        Route policy evaluation:

        Policy definitions are referenced in routing protocol
        configurations using import and export configuration
        statements. The arguments are members of an ordered list of
        named policy definitions which comprise a policy chain, and
        optionally, an explicit default policy action (i.e., reject
        or accept).

        Evaluation of each policy definition proceeds by evaluating its
        corresponding individual policy statements in order. When a
        condition statement in a policy statement is satisfied, the
        corresponding action statement is executed. If the action
        statement has either accept-route or reject-route actions,
        policy evaluation of the current policy definition stops, and
        no further policy definitions in the chain are evaluated.

        If the condition is not satisfied, then evaluation proceeds to
        the next policy statement. If none of the policy statement
        conditions are satisfied, then evaluation of the current policy
        definition stops, and the next policy definition in the chain
        is evaluated. When the end of the policy chain is reached, the
        default route disposition action is performed (i.e.,
        reject-route unless an alternate default action is specified
        for the chain).

        Policy 'subroutines' (or nested policies) are supported by
        allowing policy statement conditions to reference another
        policy definition which applies conditions and actions from
        the referenced policy before returning to the calling policy
        statement and resuming evaluation. If the called policy
        results in an accept-route (either explicit or by default),
        then the subroutine returns an effective true value to the
        calling policy. Similarly, a reject-route action returns
        false. If the subroutine returns true, the calling policy
        continues to evaluate the remaining conditions (using a
        modified route if the subroutine performed any changes to the
        route).";

     revision "2020-03-04" {
       description
         "Initial revision.";
       reference
         "RFC XXXX: Routing Policy Configuration Model for Service
          Provider Networks";
     }

     /* Identities */

     identity metric-type {
       description "Base identity for route metric types.";
     }

     identity ospf-type-1-metric {
       base metric-type;
       description
         "Identity for the OSPF type 1 external metric types. It
          is only applicable to OSPF routes.";
     }

     identity ospf-type-2-metric {
       base metric-type;
       description
         "Identity for the OSPF type 2 external metric types. It
          is only applicable to OSPF routes.";
     }

     identity isis-internal-metric {

draft-ietf-rtgwg-policy-model-10:

   <CODE BEGINS> file "ietf-routing-policy@2020-05-20.yang"
   module ietf-routing-policy {
     yang-version "1.1";

     namespace "urn:ietf:params:xml:ns:yang:ietf-routing-policy";
     prefix rt-pol;

     import ietf-inet-types {
       prefix "inet";
       reference "RFC 6991: Common YANG Data Types";
     }

     import ietf-yang-types {
       prefix "yang";
       reference "RFC 6991: Common YANG Data Types";
     }

     import ietf-interfaces {
       prefix "if";
       reference "RFC 8343: A YANG Data Model for Interface
                  Management (NMDA Version)";
     }

     import ietf-routing {
       prefix "rt";
       reference "RFC 8343: A YANG Data Model for Interface
                  Management (NMDA Version)";
     }

     import ietf-if-extensions {
       prefix if-ext;
       reference "RFC YYYY: Common Interface Extension YANG
                  Data Models. Please replace YYYY with
                  published RFC number for
                  draft-ietf-netmod-intf-ext-yang.";
     }

     import ietf-if-l3-vlan {
       prefix "if-l3-vlan";
       reference "RFC XXXX: Sub-interface VLAN YANG Data Models.
                  Please replace XXXX with published RFC number
                  for draft-ietf-netmod-sub-intf-vlan-model.";
     }

     organization
       "IETF RTGWG - Routing Area Working Group";
     contact
       "WG Web:   <http://tools.ietf.org/wg/rtgwg/>
        WG List:  <mailto:rtgwg@ietf.org>

        Editor:   Yingzhen Qu
                  <mailto:yingzhen.qu@futurewei.com>
                  Jeff Tantsura
                  <mailto:jefftant.ietf@gmail.com>
                  Acee Lindem
                  <mailto:acee@cisco.com>
                  Xufeng Liu
                  <mailto:xufeng.liu.ietf@gmail.com>";

     description
       "This module describes a YANG model for routing policy
        configuration. It is a limited subset of all of the policy
        configuration parameters available in the variety of vendor
        implementations, but supports widely used constructs for
        managing how routes are imported, exported, and modified across
        different routing protocols. This module is intended to be
        used in conjunction with routing protocol configuration modules
        (e.g., BGP) defined in other models.

        Route policy expression:

        Policies are expressed as a set of top-level policy
        definitions, each of which consists of a sequence of policy
        statements. Policy statements consist of simple
        condition-action tuples. Conditions may include multiple match
        or comparison operations, and similarly actions may be
        multitude of changes to route attributes or a final disposition
        of accepting or rejecting the route.

        Route policy evaluation:

        Policy definitions are referenced in routing protocol
        configurations using import and export configuration
        statements. The arguments are members of an ordered list of
        named policy definitions which comprise a policy chain, and
        optionally, an explicit default policy action (i.e., reject
        or accept).

        Evaluation of each policy definition proceeds by evaluating its
        corresponding individual policy statements in order. When a
        condition statement in a policy statement is satisfied, the
        corresponding action statement is executed. If the action
        statement has either accept-route or reject-route actions,
        policy evaluation of the current policy definition stops, and
        no further policy definitions in the chain are evaluated.

        If the condition is not satisfied, then evaluation proceeds to
        the next policy statement. If none of the policy statement
        conditions are satisfied, then evaluation of the current policy
        definition stops, and the next policy definition in the chain
        is evaluated. When the end of the policy chain is reached, the
        default route disposition action is performed (i.e.,
        reject-route unless an alternate default action is specified
        for the chain).

        Policy 'subroutines' (or nested policies) are supported by
        allowing policy statement conditions to reference another
        policy definition which applies conditions and actions from
        the referenced policy before returning to the calling policy
        statement and resuming evaluation. If the called policy
        results in an accept-route (either explicit or by default),
        then the subroutine returns an effective true value to the
        calling policy. Similarly, a reject-route action returns
        false. If the subroutine returns true, the calling policy
        continues to evaluate the remaining conditions (using a
        modified route if the subroutine performed any changes to the
        route).

        Copyright (c) 2020 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject to
        the license terms contained in, the Simplified BSD License set
        forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX
        (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
        for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
base metric-type; NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
description 'MAY', and 'OPTIONAL' in this document are to be interpreted as
"Identity for the IS-IS internal metric types. It is only described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
applicable to IS-IS routes."; they appear in all capitals, as shown here.
}
identity isis-external-metric { This version of this YANG module is part of RFC XXXX;
base metric-type; see the RFC itself for full legal notices.";
description
"Identity for the IS-IS external metric types. It is only
applicable to IS-IS routes.";
}
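Review bot: the rewritten module description (right column) carries the "This version of this YANG module is part of RFC XXXX ... see the RFC itself for full legal notices." sentence twice, once with the https://www.rfc-editor.org/info/rfcXXXX link ahead of the BCP 14 paragraph and again as the closing sentence of the description; keep a single copy, the one with the link, and place it after the BCP 14 paragraph where the IETF YANG module template puts it.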
identity import-level { revision "2020-05-20" {
description "Base identity for route import level."; description
} "Initial revision.";
reference
"RFC XXXX: Routing Policy Configuration Model for Service
Provider Networks";
}
identity ospf-normal { /* Identities */
base import-level;
description
"Identity for OSPF importation into normal areas
It is only applicable to routes imported
into the OSPF protocol.";
}
identity ospf-nssa-only { identity metric-type {
base import-level; description
description "Base identity for route metric types.";
"Identity for the OSPF NSSA area importation. It is only }
applicable to routes imported into the OSPF protocol.";
}
identity ospf-normal-nssa { identity ospf-type-1-metric {
base import-level; base metric-type;
description description
"Identity for OSPF importation into both normal and NSSA "Identity for the OSPF type 1 external metric types. It
areas, It is only applicable to routes imported into is only applicable to OSPF routes.";
the OSPF protocol."; }
}
identity isis-level-1 { identity ospf-type-2-metric {
base import-level; base metric-type;
description description
"Identity for IS-IS Level 1 area importation. It is only "Identity for the OSPF type 2 external metric types. It
applicable to routes imported into the IS-IS protocol."; is only applicable to OSPF routes.";
} }
identity isis-level-2 { identity isis-internal-metric {
base import-level; base metric-type;
description description
"Identity for IS-IS Level 2 area importation. It is only "Identity for the IS-IS internal metric types. It is only
applicable to routes imported into the IS-IS protocol."; applicable to IS-IS routes.";
} }
identity isis-level-1-2 { identity isis-external-metric {
base import-level; base metric-type;
description description
"Identity for IS-IS Level 1 and Level 2 ara importation. It "Identity for the IS-IS external metric types. It is only
is only applicable to routes imported into the IS-IS applicable to IS-IS routes.";
protocol."; }
}
identity proto-route-type { identity import-level {
description description
"Base identity for route type within a protocol."; "Base identity for route import level.";
} }
identity isis-level-1-type { identity ospf-normal {
base proto-route-type; base import-level;
description description
"Identity for IS-IS Level 1 route type. It is only "Identity for OSPF importation into normal areas
applicable to IS-IS routes."; It is only applicable to routes imported
} into the OSPF protocol.";
}
identity isis-level-2-type { identity ospf-nssa-only {
base proto-route-type; base import-level;
description description
"Identity for IS-IS Level 2 route type. It is only "Identity for the OSPF NSSA area importation. It is only
applicable to IS-IS routes."; applicable to routes imported into the OSPF protocol.";
} }
identity ospf-internal-type { identity ospf-normal-nssa {
base proto-route-type; base import-level;
description description
"Identity for OSPF intra-area or inter-area route type. "Identity for OSPF importation into both normal and NSSA
It is only applicable to OSPF routes."; areas, It is only applicable to routes imported into
} the OSPF protocol.";
}
identity ospf-external-type { identity isis-level-1 {
base proto-route-type; base import-level;
description description
"Identity for OSPF external type 1/2 route type. "Identity for IS-IS Level 1 area importation. It is only
It is only applicable to OSPF routes."; applicable to routes imported into the IS-IS protocol.";
} }
identity ospf-external-t1 { identity isis-level-2 {
base ospf-external-type; base import-level;
description description
"Identity for OSPF external type 1 route type. "Identity for IS-IS Level 2 area importation. It is only
It is only applicable to OSPF routes."; applicable to routes imported into the IS-IS protocol.";
} }
identity ospf-external-t2-type { identity isis-level-1-2 {
base ospf-external-type; base import-level;
description description
"Identity for OSPF external type 2 route type. "Identity for IS-IS Level 1 and Level 2 area importation. It
It is only applicable to OSPF routes."; is only applicable to routes imported into the IS-IS
} protocol.";
}
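Review bot: two description strings in the import-level identities still read badly after the -10 punctuation pass: ospf-normal has "importation into normal areas" running straight into "It is only applicable" with no period between them, and ospf-normal-nssa has "areas, It is only applicable" with a comma where a period belongs. The -10 column fixes "ara" to "area" in isis-level-1-2 but leaves these two, so fix them in the same pass.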
identity proto-route-type {
description
"Base identity for route type within a protocol.";
}
identity ospf-nssa-type { identity isis-level-1-type {
base proto-route-type; base proto-route-type;
description description
"Identity for OSPF NSSA type 1/2 route type. "Identity for IS-IS Level 1 route type. It is only
It is only applicable to OSPF routes."; applicable to IS-IS routes.";
} }
identity ospf-nssa-t1 {
base ospf-nssa-type;
description
"Identity for OSPF NSSA type 1 route type.
It is only applicable to OSPF routes.";
}
identity ospf-nssa-t2 { identity isis-level-2-type {
base ospf-nssa-type; base proto-route-type;
description description
"Identity for OSPF NSSA type 2 route type. "Identity for IS-IS Level 2 route type. It is only
It is only applicable to OSPF routes."; applicable to IS-IS routes.";
} }
identity bgp-local { identity ospf-internal-type {
base proto-route-type; base proto-route-type;
description description
"Identity for BGP local route type. "Identity for OSPF intra-area or inter-area route type.
It is only applicable to BGP routes."; It is only applicable to OSPF routes.";
} }
identity bgp-external { identity ospf-external-type {
base proto-route-type; base proto-route-type;
description description
"Identity for BGP external route type. "Identity for OSPF external type 1/2 route type.
It is only applicable to BGP routes."; It is only applicable to OSPF routes.";
} }
/* Type Definitions */ identity ospf-external-t1 {
base ospf-external-type;
description
"Identity for OSPF external type 1 route type.
It is only applicable to OSPF routes.";
}
typedef default-policy-type { identity ospf-external-t2-type {
/* This typedef retained for name compatibiity with default base ospf-external-type;
import and export policy. */ description
type enumeration { "Identity for OSPF external type 2 route type.
enum accept-route { It is only applicable to OSPF routes.";
description }
"Default policy to accept the route";
}
enum reject-route {
description
"Default policy to reject the route";
}
}
description
"Type used to specify route disposition in
a policy chain";
}
typedef policy-result-type {
type enumeration {
enum accept-route {
description "Policy accepts the route";
}
enum reject-route {
description "Policy rejects the route";
}
}
description
"Type used to specify route disposition in
a policy chain";
}
typedef tag-type { identity ospf-nssa-type {
type union { base proto-route-type;
type uint32; description
type yang:hex-string; "Identity for OSPF NSSA type 1/2 route type.
} It is only applicable to OSPF routes.";
description "Type for expressing route tags on a local system, }
including IS-IS and OSPF; may be expressed as either decimal
or hexadecimal integer";
reference
"RFC 2178 - OSPF Version 2
RFC 5130 - A Policy Control Mechanism in IS-IS Using
Administrative Tags";
}
typedef match-set-options-type { identity ospf-nssa-t1 {
type enumeration { base ospf-nssa-type;
enum any { description
description "Match is true if given value matches any member "Identity for OSPF NSSA type 1 route type.
of the defined set"; It is only applicable to OSPF routes.";
} }
enum all {
description "Match is true if given value matches all
members of the defined set";
}
enum invert {
description "Match is true if given value does not match any
member of the defined set";
}
}
default any;
description
"Options that govern the behavior of a match statement. The
default behavior is any, i.e., the given value matches any
of the members of the defined set";
} identity ospf-nssa-t2 {
base ospf-nssa-type;
description
"Identity for OSPF NSSA type 2 route type.
It is only applicable to OSPF routes.";
}
typedef metric-modification-type { identity bgp-local {
type enumeration { base proto-route-type;
enum set-metric { description
description "Set the metric to the specified value"; "Identity for BGP local route type.
} It is only applicable to BGP routes.";
enum add-metric { }
description
"Add the specified value to the existing metric.
If the result would exceed the the maximum metric
(0xffffffff), set the metric to the maximum.";
}
enum subtract-metric {
description
"Subtract the specified value to the existing metric.
If the result would be less than 0, set the metric to 0.";
}
}
description
"Type used to specify how to set the metric given the
specified value";
}
/* Groupings */ identity bgp-external {
base proto-route-type;
description
"Identity for BGP external route type.
It is only applicable to BGP routes.";
}
grouping prefix-set { /* Type Definitions */
description
"Configuration data for prefix sets used in policy
definitions.";
leaf name { typedef default-policy-type {
type string; type enumeration {
description enum accept-route {
"Name of the prefix set -- this is used as a label to description
reference the set in match conditions"; "Default policy to accept the route.";
} }
enum reject-route {
description
"Default policy to reject the route.";
}
}
description
"Type used to specify route disposition in
a policy chain. This typedef retained for
name compatibility with default import and
export policy.";
}
leaf mode { typedef policy-result-type {
type enumeration { type enumeration {
enum ipv4 { enum accept-route {
description description
"Prefix set contains IPv4 prefixes only"; "Policy accepts the route.";
} }
enum ipv6 { enum reject-route {
description description
"Prefix set contains IPv6 prefixes only"; "Policy rejects the route.";
} }
enum mixed { }
description description
"Prefix set contains mixed IPv4 and IPv6 prefixes"; "Type used to specify route disposition in
} a policy chain.";
} }
description
"Indicates the mode of the prefix set, in terms of which
address families (IPv4, IPv6, or both) are present. The
mode provides a hint, but the device must validate that all
prefixes are of the indicated type, and is expected to
reject the configuration if there is a discrepancy. The
MIXED mode may not be supported on devices that require
prefix sets to be of only one address family.";
}
} typedef tag-type {
type union {
type uint32;
type yang:hex-string;
}
description
"Type for expressing route tags on a local system,
including IS-IS and OSPF; may be expressed as either decimal
or hexadecimal integer.";
reference
"RFC 2178 - OSPF Version 2
RFC 5130 - A Policy Control Mechanism in IS-IS Using
Administrative Tags";
}
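Review bot: the tag-type reference cites "RFC 2178 - OSPF Version 2", which is obsolete; RFC 2328 is the current OSPFv2 specification and is where the external route tag carried in AS-external-LSAs is defined. Point the reference at RFC 2328 so the module does not cite a superseded document.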
grouping prefix { typedef match-set-options-type {
description type enumeration {
"Configuration data for a prefix definition"; enum any {
description
"Match is true if given value matches any member
of the defined set.";
}
enum all {
description
"Match is true if given value matches all
members of the defined set.";
leaf ip-prefix { }
type inet:ip-prefix; enum invert {
mandatory true; description
description "Match is true if given value does not match any
"The prefix member in CIDR notation -- while the member of the defined set.";
prefix may be either IPv4 or IPv6, most }
implementations require all members of the prefix set }
to be the same address family. Mixing address types in default any;
the same prefix set is likely to cause an error."; description
} "Options that govern the behavior of a match statement. The
default behavior is any, i.e., the given value matches any
of the members of the defined set.";
}
leaf masklength-lower { typedef metric-modification-type {
type uint8; type enumeration {
description enum set-metric {
"Masklength range lower bound."; description
} "Set the metric to the specified value.";
leaf masklength-upper { }
type uint8 { enum add-metric {
range "1..128"; description
} "Add the specified value to the existing metric.
must "../masklength-upper >= ../masklength-lower" { If the result would exceed the the maximum metric
error-message "The upper bound should not be less" (0xffffffff), set the metric to the maximum.";
+ "than lower bound."; }
} enum subtract-metric {
description description
"Masklength range upper bound. "Subtract the specified value to the existing metric.
If the result would be less than 0, set the metric to 0.";
}
}
description
"Type used to specify how to set the metric given the
specified value.";
}
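Review bot: two wording slips survive unchanged from -09 to -10 in metric-modification-type: add-metric says "exceed the the maximum metric" (doubled "the"), and subtract-metric says "Subtract the specified value to the existing metric" where "from the existing metric" is meant.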
The combination of masklength-lower and masklength-upper /* Groupings */
define a range for the mask length, or single 'exact'
length if masklength-lower and masklenght-upper are equal.
Example: 10.3.192.0/21 through 10.3.192.0/24 would be grouping prefix-set {
expressed as prefix: 10.3.192.0/21, description
masklength-lower=21, "Configuration data for prefix sets used in policy
masklength-upper=24 definitions.";
Example: 10.3.192.0/21 (an exact match) would be leaf name {
expressed as prefix: 10.3.192.0/21, type string;
masklength-lower=21, description
masklength-upper=21"; "Name of the prefix set -- this is used as a label to
} reference the set in match conditions.";
} }
grouping neighbor-set { leaf mode {
description type enumeration {
"This grouping provides neighbor set definitions"; enum ipv4 {
description
"Prefix set contains IPv4 prefixes only.";
}
enum ipv6 {
description
"Prefix set contains IPv6 prefixes only.";
}
enum mixed {
description
"Prefix set contains mixed IPv4 and IPv6 prefixes.";
}
}
description
"Indicates the mode of the prefix set, in terms of which
address families (IPv4, IPv6, or both) are present. The
mode provides a hint, but the device must validate that all
prefixes are of the indicated type, and is expected to
reject the configuration if there is a discrepancy. The
MIXED mode may not be supported on devices that require
prefix sets to be of only one address family.";
}
leaf name { }
type string;
description
"Name of the neighbor set -- this is used as a label
to reference the set in match conditions";
}
leaf-list address { grouping prefix {
type inet:ip-address; description
description "Configuration data for a prefix definition.";
"List of IP addresses in the neighbor set";
}
}
grouping tag-set { leaf ip-prefix {
description type inet:ip-prefix;
"This grouping provides tag set definitions."; mandatory true;
description
"The prefix member in CIDR notation -- while the
prefix may be either IPv4 or IPv6, most
implementations require all members of the prefix set
to be the same address family. Mixing address types in
the same prefix set is likely to cause an error.";
}
leaf name { leaf mask-length-lower {
type string; type uint8;
description description
"Name of the tag set -- this is used as a label to reference "Mask length range lower bound.";
the set in match conditions"; }
} leaf mask-length-upper {
type uint8 {
range "1..128";
}
must "../mask-length-upper >= ../mask-length-lower" {
error-message "The upper bound should not be less"
+ "than lower bound.";
}
description
"Mask length range upper bound.
leaf-list tag-value { The combination of mask-length-lower and mask-length-upper
type tag-type; define a range for the mask length, or single 'exact'
description length if mask-length-lower and mask-length-upper are equal.
"Value of the tag set member";
}
}
grouping match-set-options-group { Example: 192.0.2.0/24 through 192.0.2.0/26 would be
description expressed as prefix: 192.0.2.0/24,
"Grouping containing options relating to how a particular set mask-length-lower=24,
should be matched"; mask-length-upper=26
leaf match-set-options { Example: 192.0.2.0/24 (an exact match) would be
type match-set-options-type; expressed as prefix: 192.0.2.0/24,
description mask-length-lower=24,
"Optional parameter that governs the behavior of the mask-length-upper=24";
match operation"; }
} }
}
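Review bot: the must statement on mask-length-upper has three problems that the rename from masklength-* to mask-length-* does not address. First, the error-message is assembled as "The upper bound should not be less" + "than lower bound." with no space at the join, so the message a user sees reads "lessthan"; add the space. Second, mask-length-lower is a bare uint8 with no range while mask-length-upper is constrained to "1..128", so a lower bound such as 200 is accepted by the type and is only rejected when an upper bound is also configured and the comparison fires; give mask-length-lower a matching range. Third, both leaves are optional and an XPath comparison against an empty node-set evaluates to false, so configuring mask-length-upper without mask-length-lower fails the must check; either guard it as "not(../mask-length-lower) or ../mask-length-upper >= ../mask-length-lower" or state in the description that both bounds must be given together.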
grouping match-set-options-restricted-group { grouping neighbor-set {
description description
"Grouping for a restricted set of match operation modifiers"; "This grouping provides neighbor set definitions.";
leaf match-set-options { leaf name {
type match-set-options-type { type string;
enum any { description
description "Match is true if given value matches any "Name of the neighbor set -- this is used as a label
member of the defined set"; to reference the set in match conditions.";
} }
enum invert {
description "Match is true if given value does not match
any member of the defined set";
}
}
description
"Optional parameter that governs the behavior of the
match operation. This leaf only supports matching on ANY
member of the set or inverting the match. Matching on ALL
is not supported";
}
}
grouping match-interface-condition { leaf-list address {
description type inet:ip-address;
"This grouping provides interface match condition"; description
"List of IP addresses in the neighbor set.";
}
}
container match-interface { grouping tag-set {
leaf interface { description
type leafref { "This grouping provides tag set definitions.";
path "/if:interfaces/if:interface/if:name";
}
description
"Reference to a base interface. If a reference to a
subinterface is required, this leaf must be specified
to indicate the base interface.";
}
leaf subinterface {
type leafref {
path "/if:interfaces/if:interface/if-ext:encapsulation"
+ "/if-l3-vlan:dot1q-vlan"
+ "/if-l3-vlan:outer-tag/if-l3-vlan:vlan-id";
}
description
"Reference to a subinterface -- this requires the base
interface to be specified using the interface leaf in
this container. If only a reference to a base interface
is requuired, this leaf should not be set.";
}
description leaf name {
"Container for interface match conditions"; type string;
} description
} "Name of the tag set -- this is used as a label to reference
the set in match conditions.";
}
grouping match-proto-route-type-condition { leaf-list tag-value {
description type tag-type;
"This grouping provides route-type match condition"; description
"Value of the tag set member.";
}
}
leaf-list match-proto-route-type { grouping match-set-options-group {
type identityref { description
base proto-route-type; "Grouping containing options relating to how a particular set
} should be matched.";
description
"Condition to check the protocol specific type
of route. This is normally used during route
importation to select routes or to set protocol
specific attributes based on the route type.";
}
}
grouping prefix-set-condition { leaf match-set-options {
description type match-set-options-type;
"This grouping provides prefix-set conditions"; description
"Optional parameter that governs the behavior of the
match operation.";
}
}
container match-prefix-set { grouping match-set-options-restricted-group {
leaf prefix-set { description
type leafref { "Grouping for a restricted set of match operation modifiers.";
path "../../../../../../../defined-sets/" +
"prefix-sets/prefix-set/name";
}
description "References a defined prefix set";
}
uses match-set-options-restricted-group;
description leaf match-set-options {
"Match a referenced prefix-set according to the logic type match-set-options-type {
defined in the match-set-options leaf"; enum any {
} description
} "Match is true if given value matches any
member of the defined set.";
}
enum invert {
description
"Match is true if given value does not match
any member of the defined set.";
}
}
description
"Optional parameter that governs the behavior of the
match operation. This leaf only supports matching on
'any' member of the set or 'invert' the match.
Matching on 'all' is not supported.";
}
}
grouping neighbor-set-condition { grouping match-interface-condition {
description description
"This grouping provides neighbor-set conditions"; "This grouping provides interface match condition.";
container match-neighbor-set { container match-interface {
leaf neighbor-set { leaf interface {
type leafref { type leafref {
path "../../../../../../../defined-sets/neighbor-sets/" + path "/if:interfaces/if:interface/if:name";
"neighbor-set/name"; }
require-instance true; description
} "Reference to a base interface. If a reference to a
description "References a defined neighbor set"; subinterface is required, this leaf must be specified
} to indicate the base interface.";
}
leaf subinterface {
type leafref {
path "/if:interfaces/if:interface/if-ext:encapsulation"
+ "/if-l3-vlan:dot1q-vlan"
+ "/if-l3-vlan:outer-tag/if-l3-vlan:vlan-id";
}
description
"Reference to a subinterface -- this requires the base
interface to be specified using the interface leaf in
this container. If only a reference to a base interface
is required, this leaf should not be set.";
}
description description
"Match a referenced neighbor set according to the logic "Container for interface match conditions";
defined in the match-set-options-leaf"; }
} }
}
grouping tag-set-condition { grouping match-proto-route-type-condition {
description description
"This grouping provides tag-set conditions"; "This grouping provides route-type match condition";
container match-tag-set { leaf-list match-proto-route-type {
leaf tag-set { type identityref {
type leafref { base proto-route-type;
path "../../../../../../../defined-sets/tag-sets" + }
"/tag-set/name"; description
require-instance true; "Condition to check the protocol specific type
} of route. This is normally used during route
description "References a defined tag set"; importation to select routes or to set protocol
} specific attributes based on the route type.";
uses match-set-options-restricted-group; }
description }
"Match a referenced tag set according to the logic defined
in the match-options-set leaf";
}
}
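Review bot: match-proto-route-type is a leaf-list of identityref, but its description does not say how several configured values combine, whether the condition holds when the route matches any listed type or only when it matches all of them; state the semantics explicitly (a route has a single type, so "any" is the only reading that can ever be true with more than one value), since this grouping does not pull in match-set-options the way the set conditions do. Also two -10 descriptions in this region missed the punctuation pass: "Container for interface match conditions" and "This grouping provides route-type match condition" lack the terminating period added elsewhere.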
grouping generic-conditions { grouping prefix-set-condition {
description "Condition statement definitions for checking description
membership in a generic defined set"; "This grouping provides prefix-set conditions.";
uses match-interface-condition; container match-prefix-set {
uses prefix-set-condition; leaf prefix-set {
uses neighbor-set-condition; type leafref {
uses tag-set-condition; path "../../../../../../../defined-sets/" +
uses match-proto-route-type-condition; "prefix-sets/prefix-set/name";
}
description
"References a defined prefix set.";
}
uses match-set-options-restricted-group;
} description
"Match a referenced prefix-set according to the logic
defined in the match-set-options leaf.";
}
}
grouping policy-conditions { grouping neighbor-set-condition {
description description
"Data for general policy conditions, i.e., those "This grouping provides neighbor-set conditions.";
not related to match-sets";
leaf call-policy { container match-neighbor-set {
type leafref { leaf neighbor-set {
path "../../../../../../" + type leafref {
"rt-pol:policy-definitions/" + path "../../../../../../../defined-sets/neighbor-sets/" +
"rt-pol:policy-definition/rt-pol:name"; "neighbor-set/name";
require-instance true; require-instance true;
} }
description description
"Applies the statements from the specified policy "References a defined neighbor set.";
definition and then returns control the current }
policy statement. Note that the called policy may
itself call other policies (subject to
implementation limitations). This is intended to
provide a policy 'subroutine' capability. The
called policy should contain an explicit or a
default route disposition that returns an
effective true (accept-route) or false
(reject-route), otherwise the behavior may be
ambiguous and implementation dependent";
}
leaf source-protocol { description
type identityref { "Match a referenced neighbor set according to the logic
base rt:control-plane-protocol; defined in the match-set-options-leaf.";
} }
description }
"Condition to check the protocol / method used to install grouping tag-set-condition {
the route into the local routing table"; description
} "This grouping provides tag-set conditions.";
}
grouping policy-actions { container match-tag-set {
description leaf tag-set {
"Top-level grouping for policy actions"; type leafref {
path "../../../../../../../defined-sets/tag-sets" +
"/tag-set/name";
require-instance true;
}
description
"References a defined tag set.";
}
uses match-set-options-restricted-group;
container actions { description
description "Match a referenced tag set according to the logic defined
"Top-level container for policy action statements"; in the match-options-set leaf.";
}
}
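Review bot: the descriptions in neighbor-set-condition and tag-set-condition name the controlling leaf incorrectly: "defined in the match-set-options-leaf" hyphenates the word "leaf" onto the node name, and "in the match-options-set leaf" transposes the words; the leaf pulled in by match-set-options-restricted-group is match-set-options, as the prefix-set-condition description correctly says. Also, the prefix-set leafref omits "require-instance true;" while the neighbor-set and tag-set leafrefs include it; the default is true so behaviour is identical, but the three references should be written the same way.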
leaf policy-result { grouping generic-conditions {
type policy-result-type; description
description "Condition statement definitions for checking
"Select the final disposition for the route, either membership in a generic defined set.";
accept or reject.";
}
container set-metric {
leaf metric-modificatiion {
type metric-modification-type;
description
"Indicates how to modify the metric.";
}
leaf metric {
type uint32;
description
"Metric value to set, add, or subtract.";
}
description
"Set the metric for the route.";
}
container set-metric-type {
leaf metric-type {
type identityref {
base metric-type;
}
description
"Route metric type.";
}
description
"Set the metric type for the route.";
}
container set-import-level {
leaf import-level {
type identityref {
base import-level;
}
description
"Route importation level.";
}
description
"Set the import level for importation of routes.";
}
leaf set-preference {
type uint16;
description
"Set the preference for the route.";
}
leaf set-tag {
type tag-type;
description
"Set the tag for the route.";
}
leaf set-application-tag {
type tag-type;
description
"Set the application tag for the route.";
}
}
}
grouping policy-statements { uses match-interface-condition;
description uses prefix-set-condition;
"Grouping for the policy statements list"; uses neighbor-set-condition;
uses tag-set-condition;
uses match-proto-route-type-condition;
container policy-statements { }
description
"Enclosing container for policy statements";
list statement { grouping policy-conditions {
key "name"; description
ordered-by user; "Data for general policy conditions, i.e., those
description not related to match-sets.";
"Policy statements group conditions and actions
within a policy definition. They are evaluated in
the order specified (see the description of policy
evaluation at the top of this module.";
leaf name { leaf call-policy {
type string; type leafref {
description path "../../../../../../" +
"Name of the policy statement"; "rt-pol:policy-definitions/" +
} "rt-pol:policy-definition/rt-pol:name";
container conditions { require-instance true;
description }
"Condition statements for the current policy statement"; description
"Applies the statements from the specified policy
definition and then returns control the current
policy statement. Note that the called policy may
itself call other policies (subject to
implementation limitations). This is intended to
provide a policy 'subroutine' capability. The
called policy should contain an explicit or a
default route disposition that returns an
effective true (accept-route) or false
(reject-route), otherwise the behavior may be
ambiguous and implementation dependent.";
}
uses policy-conditions; leaf source-protocol {
type identityref {
base rt:control-plane-protocol;
}
description
"Condition to check the protocol / method used to install
the route into the local routing table.";
}
}
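Review bot: call-policy is a leafref to any policy-definition name with nothing in the model that rules out a policy calling itself or a chain of calls that returns to its caller, and the description only says nested calls are "subject to implementation limitations"; since an unbounded call loop would stall evaluation of the import or export chain for every route, the description should require implementations to detect and reject cyclic call-policy references at configuration time, or the module should define a maximum nesting depth. While editing that text, "returns control the current policy statement" is missing "to".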
uses generic-conditions; grouping policy-actions {
} description
"Top-level grouping for policy actions.";
uses policy-actions; container actions {
} description
} "Top-level container for policy action statements.";
}
grouping policy-definitions { leaf policy-result {
description type policy-result-type;
draft-ietf-rtgwg-policy-model-09 (left column of the diff):

        "This grouping provides policy definitions";
      leaf name {
        type string;
        description
          "Name of the top-level policy definition -- this name
           is used in references to the current policy";
      }
    }

    grouping apply-policy-import {
      description
        "Grouping for applying import policies";

      leaf-list import-policy {
        type leafref {
          path "/rt-pol:routing-policy/rt-pol:policy-definitions/" +
               "rt-pol:policy-definition/rt-pol:name";
          require-instance true;
        }
        ordered-by user;
        description
          "List of policy names in sequence to be applied on
           receiving a routing update in the current context, e.g.,
           for the current peer group, neighbor, address family,
           etc.";
      }

      leaf default-import-policy {
        type default-policy-type;
        default reject-route;
        description
          "Explicitly set a default policy if no policy definition
           in the import policy chain is satisfied.";
      }
    }

    grouping apply-policy-export {
      description
        "Grouping for applying export policies";

      leaf-list export-policy {
        type leafref {
          path "/rt-pol:routing-policy/rt-pol:policy-definitions/" +
               "rt-pol:policy-definition/rt-pol:name";
          require-instance true;
        }
        ordered-by user;
        description
          "List of policy names in sequence to be applied on
           sending a routing update in the current context, e.g.,
           for the current peer group, neighbor, address family,
           etc.";
      }

      leaf default-export-policy {
        type default-policy-type;
        default reject-route;
        description
          "Explicitly set a default policy if no policy definition
           in the export policy chain is satisfied.";
      }
    }

    grouping apply-policy {
      description
        "Configuration data for routing policies";
      uses apply-policy-import;
      uses apply-policy-export;
    }

    grouping apply-policy-group {
      description
        "Top level container for routing policy applications. This
         grouping is intended to be used in routing models where
         needed.";
      container apply-policy {
        description
          "Anchor point for routing policies in the model.
           Import and export policies are with respect to the local
           routing table, i.e., export (send) and import (receive),
           depending on the context.";
        uses apply-policy;
      }
    }

    container routing-policy {
      description
        "Top-level container for all routing policy";
      container defined-sets {
        description
          "Predefined sets of attributes used in policy match
           statements";
        container prefix-sets {
          description
            "Data definitions for a list of IPv4 or IPv6
             prefixes which are matched as part of a policy";
          list prefix-set {
            key "name";
            description
              "List of the defined prefix sets";
            uses prefix-set;

            container prefixes {
              description
                "Container for the list of prefixes in a policy
                 prefix list";
              list prefix-list {
                key "ip-prefix masklength-lower masklength-upper";
                description
                  "List of prefixes in the prefix set";
                uses prefix;
              }
            }
          }
        }

        container neighbor-sets {
          description
            "Data definition for a list of IPv4 or IPv6
             neighbors which can be matched in a routing policy";
          list neighbor-set {
            key "name";
            description
              "List of defined neighbor sets for use in policies.";
            uses neighbor-set;
          }
        }

        container tag-sets {
          description
            "Data definitions for a list of tags which can
             be matched in policies";
          list tag-set {
            key "name";
            description
              "List of tag set definitions.";
            uses tag-set;
          }
        }
      }

      container policy-definitions {
        description
          "Enclosing container for the list of top-level policy
           definitions";

        list policy-definition {
          key "name";
          description
            "List of top-level policy definitions, keyed by unique
             name. These policy definitions are expected to be
             referenced (by name) in policy chains specified in import
             or export configuration statements.";
          uses policy-definitions;
          uses policy-statements;
        }
      }
    }
  }
  <CODE ENDS>

11. Policy examples

   Below we show an example of XML-encoded configuration data using the
   routing policy and BGP models to illustrate both how policies are
   defined, and also how they can be applied. Note that the XML has
   been simplified for readability.

   <?yfile include="file:///tmp/routing-policy-example-draft.xml"?>

draft-ietf-rtgwg-policy-model-10 (right column of the diff):

        description
          "Select the final disposition for the route, either
           accept or reject.";
      }
      container set-metric {
        leaf metric-modification {
          type metric-modification-type;
          description
            "Indicates how to modify the metric.";
        }
        leaf metric {
          type uint32;
          description
            "Metric value to set, add, or subtract.";
        }
        description
          "Set the metric for the route.";
      }
      container set-metric-type {
        leaf metric-type {
          type identityref {
            base metric-type;
          }
          description
            "Route metric type.";
        }
        description
          "Set the metric type for the route.";
      }
      container set-import-level {
        leaf import-level {
          type identityref {
            base import-level;
          }
          description
            "Route importation level.";
        }
        description
          "Set the import level for importation of routes.";
      }
      leaf set-preference {
        type uint16;
        description
          "Set the preference for the route.";
      }
      leaf set-tag {
        type tag-type;
        description
          "Set the tag for the route.";
      }
      leaf set-application-tag {
        type tag-type;
        description
          "Set the application tag for the route.";
      }
    }
  }

  grouping apply-policy-import {
    description
      "Grouping for applying import policies.";
    leaf-list import-policy {
      type leafref {
        path "/rt-pol:routing-policy/rt-pol:policy-definitions/" +
             "rt-pol:policy-definition/rt-pol:name";
        require-instance true;
      }
      ordered-by user;
      description
        "List of policy names in sequence to be applied on
         receiving a routing update in the current context, e.g.,
         for the current peer group, neighbor, address family,
         etc.";
    }
    leaf default-import-policy {
      type default-policy-type;
      default reject-route;
      description
        "Explicitly set a default policy if no policy definition
         in the import policy chain is satisfied.";
    }
  }

  grouping apply-policy-export {
    description
      "Grouping for applying export policies.";
    leaf-list export-policy {
      type leafref {
        path "/rt-pol:routing-policy/rt-pol:policy-definitions/" +
             "rt-pol:policy-definition/rt-pol:name";
        require-instance true;
      }
      ordered-by user;
      description
        "List of policy names in sequence to be applied on
         sending a routing update in the current context, e.g.,
         for the current peer group, neighbor, address family,
         etc.";
    }
    leaf default-export-policy {
      type default-policy-type;
      default reject-route;
      description
        "Explicitly set a default policy if no policy definition
         in the export policy chain is satisfied.";
    }
  }

  grouping apply-policy {
    description
      "Configuration data for routing policies.";
    uses apply-policy-import;
    uses apply-policy-export;
  }

  grouping apply-policy-group {
    description
      "Top level container for routing policy applications. This
       grouping is intended to be used in routing models where
       needed.";
    container apply-policy {
      description
        "Anchor point for routing policies in the model.
         Import and export policies are with respect to the local
         routing table, i.e., export (send) and import (receive),
         depending on the context.";
      uses apply-policy;
    }
  }

  container routing-policy {
    description
      "Top-level container for all routing policy.";
    container defined-sets {
      description
        "Predefined sets of attributes used in policy match
         statements.";
      container prefix-sets {
        description
          "Data definitions for a list of IPv4 or IPv6
           prefixes which are matched as part of a policy.";
        list prefix-set {
          key "name";
          description
            "List of the defined prefix sets";
          uses prefix-set;
          container prefixes {
            description
              "Container for the list of prefixes in a policy
               prefix list.";
            list prefix-list {
              key "ip-prefix mask-length-lower mask-length-upper";
              description
                "List of prefixes in the prefix set.";
              uses prefix;
            }
          }
        }
      }
      container neighbor-sets {
        description
          "Data definition for a list of IPv4 or IPv6
           neighbors which can be matched in a routing policy.";
        list neighbor-set {
          key "name";
          description
            "List of defined neighbor sets for use in policies.";
          uses neighbor-set;
        }
      }
      container tag-sets {
        description
          "Data definitions for a list of tags which can
           be matched in policies.";
        list tag-set {
          key "name";
          description
            "List of tag set definitions.";
          uses tag-set;
        }
      }
    }
    container policy-definitions {
      description
        "Enclosing container for the list of top-level policy
         definitions.";
      list policy-definition {
        key "name";
        description
          "List of top-level policy definitions, keyed by unique
           name. These policy definitions are expected to be
           referenced (by name) in policy chains specified in import
           or export configuration statements.";
        leaf name {
          type string;
          description
            "Name of the top-level policy definition -- this name
             is used in references to the current policy.";
        }
        container statements {
          description
            "Enclosing container for policy statements.";
          list statement {
            key "name";
            ordered-by user;
            description
              "Policy statements group conditions and actions
               within a policy definition. They are evaluated in
               the order specified (see the description of policy
               evaluation at the top of this module.";
            leaf name {
              type string;
              description
                "Name of the policy statement.";
            }
            container conditions {
              description
                "Condition statements for the current policy statement.";
              uses policy-conditions;
              uses generic-conditions;
            }
            uses policy-actions;
          }
        }
      }
    }
  }
  <CODE ENDS>
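Added example (not part of the draft or its YANG module): a small checker for a JSON-style instance of the routing-policy tree above. It enforces the leafref `require-instance true` rule on import/export policy chains, the draft-10 `prefix-list` key leaves (`ip-prefix`, `mask-length-lower`, `mask-length-upper`, renamed from the `masklength-*` keys of draft-09), and shows the `reject-route` default that applies when no policy in a chain is satisfied. The sample instance and the top-level placement of `apply-policy` are constructed assumptions; the mask-length range check is an added sanity check the page does not state.

```python
import ipaddress

# Constructed sample instance (JSON-style dict); leaf names follow the
# draft-10 tree above. "apply-policy" sits at top level here as a stand-in
# for the protocol model that would embed the apply-policy-group grouping.
SAMPLE = {
    "routing-policy": {
        "defined-sets": {"prefix-sets": {"prefix-set": [
            {"name": "customer-v4", "prefixes": {"prefix-list": [
                {"ip-prefix": "192.0.2.0/24",
                 "mask-length-lower": 24, "mask-length-upper": 32},
                {"ip-prefix": "198.51.100.0/24",  # stale draft-09 key names
                 "masklength-lower": 24, "masklength-upper": 24}]}}]}},
        "policy-definitions": {"policy-definition": [
            {"name": "import-customers",
             "statements": {"statement": [{"name": "accept-customers"}]}}]}},
    "apply-policy": {"import-policy": ["import-customers", "no-such-policy"]},
}
PREFIX_KEYS = ("ip-prefix", "mask-length-lower", "mask-length-upper")

def check_instance(cfg):
    """Return constraint violations; empty means the instance satisfies the
    leafref and list-key rules checked here."""
    rp, errors = cfg["routing-policy"], []
    defined = {p["name"] for p in rp["policy-definitions"]["policy-definition"]}
    # leafref with require-instance true: every chain entry must name an
    # existing policy-definition, otherwise the configuration is invalid.
    for direction in ("import-policy", "export-policy"):
        for name in cfg.get("apply-policy", {}).get(direction, []):
            if name not in defined:
                errors.append(f"{direction}: '{name}' is not a policy-definition")
    for pset in rp["defined-sets"]["prefix-sets"]["prefix-set"]:
        for entry in pset["prefixes"]["prefix-list"]:
            missing = [k for k in PREFIX_KEYS if k not in entry]
            if missing:  # e.g. an instance still written for draft-09 keys
                errors.append(f"prefix-set '{pset['name']}': missing key leaves {missing}")
                continue
            # Assumed sanity check (not stated on this page): the mask-length
            # range must be ordered and fit the prefix's address family.
            net = ipaddress.ip_network(entry["ip-prefix"], strict=True)
            lo, hi = entry["mask-length-lower"], entry["mask-length-upper"]
            if not net.prefixlen <= lo <= hi <= net.max_prefixlen:
                errors.append(f"prefix-set '{pset['name']}': bad mask-length range {lo}-{hi}")
    return errors

def effective_default(apply_policy, direction):
    """Disposition when no policy in the chain is satisfied: the model defaults
    default-import-policy and default-export-policy to reject-route (fail closed)."""
    return apply_policy.get(f"default-{direction}-policy", "reject-route")
```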
Appendix A. Acknowledgements

   The routing policy module defined in this draft is based on the
   OpenConfig route policy model. The authors would like to thank to
 End of changes. 159 change blocks. 
1019 lines changed or deleted 1079 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/