Network Working Group                                       M. Bjorklund
Internet-Draft                                            Tail-f Systems
Obsoletes: 7277 (if approved)                            August 21, 2017
Intended status: Standards Track
Expires: February 22, 2018


                    A YANG Data Model for IP Management
                   draft-bjorklund-netmod-rfc7277bis-00

Abstract

   This document defines a YANG data model for management of IP
   implementations.  The data model includes configuration and system
   state.  This document obsoletes RFC 7277.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 22, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Summary of Changes from RFC 7277
     1.2.  Terminology
     1.3.  Tree Diagrams
   2.  IP Data Model
   3.  Relationship to the IP-MIB
   4.  IP Management YANG Module
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Example: NETCONF reply
   Appendix B.  Example: NETCONF Reply
   Author's Address

1.  Introduction

   This document defines a YANG [RFC7950] data model for management of
   IP implementations.

   The data model covers configuration of per-interface IPv4 and IPv6
   parameters, and mappings of IP addresses to link-layer addresses.
   It also provides information about which IP addresses are
   operationally used, and which link-layer mappings exist.  Per-
   interface parameters are added through augmentation of the interface
   data model defined in [I-D.bjorklund-netmod-rfc7223bis].

   This version of the IP data model supports the Network Management
   Datastore Architecture (NMDA) [I-D.ietf-netmod-revised-datastores].

1.1.  Summary of Changes from RFC 7277

   The "ipv4" and "ipv6" subtrees with "config false" data nodes in the
   "/interfaces-state/interface" subtree are deprecated.  All "config
   false" data nodes are now present in the "ipv4" and "ipv6" subtrees
   in the "/interfaces/interface" subtree.

   Servers that do not implement NMDA, or that wish to support clients
   that do not implement NMDA, MAY implement the deprecated "ipv4" and
   "ipv6" subtrees in the "/interfaces-state/interface" subtree.

1.2.  Terminology

   The following terms are defined in
   [I-D.ietf-netmod-revised-datastores] and are not redefined here:

   o  client

   o  server

   o  configuration

   o  system state

   o  operational state datastore

   o  running configuration datastore

   o  intended configuration datastore

   The following terms are defined in [RFC7950] and are not redefined
   here:

   o  augment

   o  data model

   o  data node

   The terminology for describing YANG data models is found in
   [RFC7950].

1.3.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is as
   follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      data (read-write), and "ro" means state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!"
      means a presence container, and "*" denotes a list and leaf-list.
   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.  IP Data Model

   This document defines the YANG module "ietf-ip", which augments the
   "interface" and "interface-state" lists defined in the
   "ietf-interfaces" module [I-D.bjorklund-netmod-rfc7223bis] with IP-
   specific data nodes.

   The data model has the following structure for IP data nodes per
   interface, excluding the deprecated data nodes.  Note that the
   "origin" leaf of an IPv4 neighbor entry is state data ("ro"), like
   its IPv6 counterpart; the module in Section 4 marks it "config
   false":

   module: ietf-ip
     augment /if:interfaces/if:interface:
       +--rw ipv4!
       |  +--rw enabled?      boolean
       |  +--rw forwarding?   boolean
       |  +--rw mtu?          uint16
       |  +--rw address* [ip]
       |  |  +--rw ip               inet:ipv4-address-no-zone
       |  |  +--rw (subnet)
       |  |  |  +--:(prefix-length)
       |  |  |  |  +--rw prefix-length?   uint8
       |  |  |  +--:(netmask)
       |  |  |     +--rw netmask?         yang:dotted-quad
       |  |  |             {ipv4-non-contiguous-netmasks}?
       |  |  +--ro origin?          ip-address-origin
       |  +--rw neighbor* [ip]
       |     +--rw ip                    inet:ipv4-address-no-zone
       |     +--rw link-layer-address    yang:phys-address
       |     +--ro origin?               neighbor-origin
       +--rw ipv6!
          +--rw enabled?                     boolean
          +--rw forwarding?                  boolean
          +--rw mtu?                         uint32
          +--rw address* [ip]
          |  +--rw ip               inet:ipv6-address-no-zone
          |  +--rw prefix-length    uint8
          |  +--ro origin?          ip-address-origin
          |  +--ro status?          enumeration
          +--rw neighbor* [ip]
          |  +--rw ip                    inet:ipv6-address-no-zone
          |  +--rw link-layer-address    yang:phys-address
          |  +--ro origin?               neighbor-origin
          |  +--ro is-router?            empty
          |  +--ro state?                enumeration
          +--rw dup-addr-detect-transmits?   uint32
          +--rw autoconf
             +--rw create-global-addresses?        boolean
             +--rw create-temporary-addresses?     boolean
             |       {ipv6-privacy-autoconf}?
             +--rw temporary-valid-lifetime?       uint32
             |       {ipv6-privacy-autoconf}?
             +--rw temporary-preferred-lifetime?   uint32
                     {ipv6-privacy-autoconf}?
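   The tree above, together with the module in Section 4, fixes what a
   server must enforce before it applies client-supplied IP
   configuration to an interface: the MTU ranges ("68..max" and
   "1280..max"), the mandatory "subnet" choice and "prefix-length" and
   "link-layer-address" leaves, the feature-gated "netmask" and
   "autoconf" leaves, and the "ro" leaves ("origin", "status",
   "is-router", "state") that a client may never write.  The following
   Python script is an added example, not part of this draft and not
   code from any NETCONF implementation: it validates instance data in
   the JSON encoding (RFC 7951 names) against those constraints and
   lists the settings a configuration reviewer would want called out,
   as the module's descriptions state them.  The sample instance data
   and the feature set passed in are constructed for the example; the
   lifetime consistency check is not a constraint of the module.

```python
"""Added example: check ietf-ip configuration instance data (JSON
encoding) against the constraints the draft's module states.  Not
part of the draft; stdlib only; sample data below is constructed."""
import ipaddress
import re

# Leaves the module marks "config false".  They must not appear in
# configuration sent by a client; a server must reject them.
CONFIG_FALSE = {
    ("ipv4", "address"): {"origin"},
    ("ipv4", "neighbor"): {"origin"},
    ("ipv6", "address"): {"origin", "status"},
    ("ipv6", "neighbor"): {"origin", "is-router", "state"},
}
# yang:phys-address: colon-separated hex octets (RFC 6991 pattern).
PHYS_ADDRESS = re.compile(r"^([0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*)?$")
MTU_RANGE = {"ipv4": (68, 65535), "ipv6": (1280, 4294967295)}  # 68..max, 1280..max
PREFIX_MAX = {"ipv4": 32, "ipv6": 128}


def _ip(family, text):
    """Parse an inet:ipvX-address-no-zone value; None if it is not one."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return addr if addr.version == (4 if family == "ipv4" else 6) else None


def _reject_state_leaves(family, listname, entry, errors, where):
    for leaf in sorted(CONFIG_FALSE[(family, listname)] & set(entry)):
        errors.append(f"{where}/{leaf}: config false, cannot be configured")


def validate_family(family, cfg, features=frozenset()):
    """Return the list of violations for one 'ipv4' or 'ipv6' container.
    'features' is the set of YANG feature names the server advertises."""
    errors = []
    mtu = cfg.get("mtu")
    lo, hi = MTU_RANGE[family]
    if mtu is not None and not (isinstance(mtu, int) and lo <= mtu <= hi):
        errors.append(f"{family}/mtu: {mtu!r} outside range {lo}..{hi}")
    seen = set()
    for i, a in enumerate(cfg.get("address", [])):
        where = f"{family}/address[{i}]"
        ip = _ip(family, a.get("ip", ""))
        if ip is None:
            errors.append(f"{where}/ip: {a.get('ip')!r} is not a {family} address")
        elif ip in seen:
            errors.append(f"{where}/ip: duplicate list key {ip}")
        seen.add(ip)
        plen, mask = a.get("prefix-length"), a.get("netmask")
        if family == "ipv4":
            # choice "subnet" is mandatory: exactly one case may be present.
            if (plen is None) == (mask is None):
                errors.append(f"{where}: exactly one of prefix-length or netmask required")
            if mask is not None and "ipv4-non-contiguous-netmasks" not in features:
                errors.append(f"{where}/netmask: server lacks ipv4-non-contiguous-netmasks")
            elif mask is not None and _ip("ipv4", mask) is None:
                errors.append(f"{where}/netmask: {mask!r} is not a dotted quad")
        elif plen is None:
            errors.append(f"{where}/prefix-length: mandatory leaf missing")
        if plen is not None and not (isinstance(plen, int) and 0 <= plen <= PREFIX_MAX[family]):
            errors.append(f"{where}/prefix-length: {plen!r} outside 0..{PREFIX_MAX[family]}")
        _reject_state_leaves(family, "address", a, errors, where)
    for i, n in enumerate(cfg.get("neighbor", [])):
        where = f"{family}/neighbor[{i}]"
        if _ip(family, n.get("ip", "")) is None:
            errors.append(f"{where}/ip: {n.get('ip')!r} is not a {family} address")
        lla = n.get("link-layer-address")
        if lla is None:
            errors.append(f"{where}/link-layer-address: mandatory leaf missing")
        elif not PHYS_ADDRESS.match(lla):
            errors.append(f"{where}/link-layer-address: {lla!r} is not a phys-address")
        _reject_state_leaves(family, "neighbor", n, errors, where)
    if family == "ipv6":
        ac = cfg.get("autoconf", {})
        gated = {"create-temporary-addresses", "temporary-valid-lifetime",
                 "temporary-preferred-lifetime"}
        if gated & set(ac) and "ipv6-privacy-autoconf" not in features:
            errors.append("ipv6/autoconf: server lacks ipv6-privacy-autoconf")
        # Beyond the module's own constraints (example's assumption): an
        # address is never preferred for longer than it is valid.
        if ac.get("temporary-preferred-lifetime", 86400) > ac.get("temporary-valid-lifetime", 604800):
            errors.append("ipv6/autoconf: temporary-preferred-lifetime exceeds temporary-valid-lifetime")
    return errors


def audit_findings(family, cfg):
    """Settings worth calling out in a review, as the draft describes them."""
    findings = []
    if cfg.get("forwarding", False):
        findings.append(f"{family}/forwarding=true: interface forwards datagrams "
                        "not addressed to it (router, not host, behaviour)")
    if family == "ipv6" and cfg.get("dup-addr-detect-transmits", 1) == 0:
        findings.append("ipv6/dup-addr-detect-transmits=0: Duplicate Address "
                        "Detection is not performed on tentative addresses")
    for n in cfg.get("neighbor", []):
        findings.append(f"{family}/neighbor {n.get('ip')} -> "
                        f"{n.get('link-layer-address')}: static ARP/ND cache entry")
    return findings


# Constructed sample instance data (documentation address ranges).
GOOD_IPV4 = {"enabled": True, "mtu": 1500,
             "address": [{"ip": "192.0.2.10", "prefix-length": 24}],
             "neighbor": [{"ip": "192.0.2.1", "link-layer-address": "00:00:5e:00:53:01"}]}
BAD_IPV6 = {"forwarding": True, "mtu": 1000,
            "address": [{"ip": "2001:db8::1", "status": "preferred"}],
            "neighbor": [{"ip": "2001:db8::ffff"}],
            "dup-addr-detect-transmits": 0,
            "autoconf": {"temporary-valid-lifetime": 3600}}

if __name__ == "__main__":
    for fam, cfg in (("ipv4", GOOD_IPV4), ("ipv6", BAD_IPV6)):
        for line in validate_family(fam, cfg, {"ipv6-privacy-autoconf"}) + audit_findings(fam, cfg):
            print(line)
```

   Run against the constructed BAD_IPV6 container, the script reports
   the out-of-range MTU, the missing mandatory "prefix-length" and
   "link-layer-address" leaves, the client's attempt to write the
   state-only "status" leaf, and the inconsistent temporary lifetimes;
   the audit output separately flags forwarding being enabled, DAD
   being switched off, and each static neighbor entry.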
   The data model defines two containers per interface -- "ipv4" and
   "ipv6", representing the IPv4 and IPv6 address families.  In each
   container, there is a leaf "enabled" that controls whether or not the
   address family is enabled on that interface, and a leaf "forwarding"
   that controls whether or not IP packet forwarding for the address
   family is enabled on the interface.  In each container, there is also
   a list of addresses, and a list of mappings from IP addresses to
   link-layer addresses.

3.  Relationship to the IP-MIB

   If the device implements the IP-MIB [RFC4293], each entry in the
   "ipv4/address" and "ipv6/address" lists is mapped to one
   ipAddressEntry, where the ipAddressIfIndex refers to the "address"
   entry's interface.

   The IP-MIB defines objects to control IPv6 Router Advertisement
   messages.  The corresponding YANG data nodes are defined in
   [RFC8022].

   The entries in "ipv4/neighbor" and "ipv6/neighbor" are mapped to
   ipNetToPhysicalTable.

   The following table lists the YANG data nodes with corresponding
   objects in the IP-MIB.
   +----------------------------------+-------------------------------+
   | YANG data node in                | IP-MIB object                 |
   | /if:interfaces/if:interface      |                               |
   +----------------------------------+-------------------------------+
   | ipv4                             | ipv4InterfaceEnableStatus     |
   |                                  |                               |
   | ipv4/enabled                     | ipv4InterfaceEnableStatus     |
   |                                  |                               |
   | ipv4/address                     | ipAddressEntry                |
   |                                  |                               |
   | ipv4/address/ip                  | ipAddressAddrType             |
   |                                  | ipAddressAddr                 |
   |                                  |                               |
   | ipv4/neighbor                    | ipNetToPhysicalEntry          |
   |                                  |                               |
   | ipv4/neighbor/ip                 | ipNetToPhysicalNetAddressType |
   |                                  | ipNetToPhysicalNetAddress     |
   |                                  |                               |
   | ipv4/neighbor/link-layer-address | ipNetToPhysicalPhysAddress    |
   |                                  |                               |
   | ipv4/neighbor/origin             | ipNetToPhysicalType           |
   |                                  |                               |
   | ipv6                             | ipv6InterfaceEnableStatus     |
   |                                  |                               |
   | ipv6/enabled                     | ipv6InterfaceEnableStatus     |
   |                                  |                               |
   | ipv6/forwarding                  | ipv6InterfaceForwarding       |
   |                                  |                               |
   | ipv6/address                     | ipAddressEntry                |
   |                                  |                               |
   | ipv6/address/ip                  | ipAddressAddrType             |
   |                                  | ipAddressAddr                 |
   |                                  |                               |
   | ipv6/address/origin              | ipAddressOrigin               |
   |                                  |                               |
   | ipv6/address/status              | ipAddressStatus               |
   |                                  |                               |
   | ipv6/neighbor                    | ipNetToPhysicalEntry          |
   |                                  |                               |
   | ipv6/neighbor/ip                 | ipNetToPhysicalNetAddressType |
   |                                  | ipNetToPhysicalNetAddress     |
   |                                  |                               |
   | ipv6/neighbor/link-layer-address | ipNetToPhysicalPhysAddress    |
   |                                  |                               |
   | ipv6/neighbor/origin             | ipNetToPhysicalType           |
   |                                  |                               |
   | ipv6/neighbor/state              | ipNetToPhysicalState          |
   +----------------------------------+-------------------------------+

          YANG Interface Data Nodes and Related IP-MIB Objects

4.  IP Management YANG Module

   This module imports typedefs from [RFC6991] and
   [I-D.bjorklund-netmod-rfc7223bis], and it references [RFC0791],
   [RFC0826], [RFC2460], [RFC4861], [RFC4862], [RFC4941] and [RFC7217].
   RFC Ed.: update the date below with the date of RFC publication and
   remove this note.

   <CODE BEGINS> file "ietf-ip@2017-08-21.yang"

   module ietf-ip {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-ip";
     prefix ip;

     import ietf-interfaces {
       prefix if;
     }
     import ietf-inet-types {
       prefix inet;
     }
     import ietf-yang-types {
       prefix yang;
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        Editor:   Martin Bjorklund
        ";

     description
       "This module contains a collection of YANG definitions for
        managing IP implementations.

        Copyright (c) 2017 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).
        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2017-08-21 {
       description
         "Updated to support NMDA.";
       reference
         "RFC XXXX: A YANG Data Model for IP Management";
     }

     revision 2014-06-16 {
       description
         "Initial revision.";
       reference
         "RFC 7277: A YANG Data Model for IP Management";
     }

     /*
      * Features
      */

     feature ipv4-non-contiguous-netmasks {
       description
         "Indicates support for configuring non-contiguous
          subnet masks.";
     }

     feature ipv6-privacy-autoconf {
       description
         "Indicates support for Privacy Extensions for Stateless Address
          Autoconfiguration in IPv6.";
       reference
         "RFC 4941: Privacy Extensions for Stateless Address
                    Autoconfiguration in IPv6";
     }

     /*
      * Typedefs
      */

     typedef ip-address-origin {
       type enumeration {
         enum other {
           description
             "None of the following.";
         }
         enum static {
           description
             "Indicates that the address has been statically
              configured - for example, using NETCONF or a Command Line
              Interface.";
         }
         enum dhcp {
           description
             "Indicates an address that has been assigned to this
              system by a DHCP server.";
         }
         enum link-layer {
           description
             "Indicates an address created by IPv6 stateless
              autoconfiguration that embeds a link-layer address in its
              interface identifier.";
         }
         enum random {
           description
             "Indicates an address chosen by the system at
              random, e.g., an IPv4 address within 169.254/16, an
              RFC 4941 temporary address, or an RFC 7217 semantically
              opaque address.";
           reference
             "RFC 4941: Privacy Extensions for Stateless Address
                        Autoconfiguration in IPv6
              RFC 7217: A Method for Generating Semantically Opaque
                        Interface Identifiers with IPv6 Stateless
                        Address Autoconfiguration (SLAAC)";
         }
       }
       description
         "The origin of an address.";
     }

     typedef neighbor-origin {
       type enumeration {
         enum other {
           description
             "None of the following.";
         }
         enum static {
           description
             "Indicates that the mapping has been statically
              configured - for example, using NETCONF or a Command Line
              Interface.";
         }
         enum dynamic {
           description
             "Indicates that the mapping has been dynamically resolved
              using, e.g., IPv4 ARP or the IPv6 Neighbor Discovery
              protocol.";
         }
       }
       description
         "The origin of a neighbor entry.";
     }

     /*
      * Data nodes
      */

     augment "/if:interfaces/if:interface" {
       description
         "IP parameters on interfaces.

          If an interface is not capable of running IP, the server
          must not allow the client to configure these parameters.";

       container ipv4 {
         presence
           "Enables IPv4 unless the 'enabled' leaf
            (which defaults to 'true') is set to 'false'";
         description
           "Parameters for the IPv4 address family.";

         leaf enabled {
           type boolean;
           default true;
           description
             "Controls whether IPv4 is enabled or disabled on this
              interface.  When IPv4 is enabled, this interface is
              connected to an IPv4 stack, and the interface can send
              and receive IPv4 packets.";
         }
         leaf forwarding {
           type boolean;
           default false;
           description
             "Controls IPv4 packet forwarding of datagrams received by,
              but not addressed to, this interface.  IPv4 routers
              forward datagrams.  IPv4 hosts do not (except those
              source-routed via the host).";
         }
         leaf mtu {
           type uint16 {
             range "68..max";
           }
           units octets;
           description
             "The size, in octets, of the largest IPv4 packet that the
              interface will send and receive.

              The server may restrict the allowed values for this leaf,
              depending on the interface's type.
              If this leaf is not configured, the operationally used MTU
              depends on the interface's type.";
           reference
             "RFC 791: Internet Protocol";
         }
         list address {
           key "ip";
           description
             "The list of IPv4 addresses on the interface.";

           leaf ip {
             type inet:ipv4-address-no-zone;
             description
               "The IPv4 address on the interface.";
           }
           choice subnet {
             mandatory true;
             description
               "The subnet can be specified as a prefix-length, or,
                if the server supports non-contiguous netmasks, as
                a netmask.";
             leaf prefix-length {
               type uint8 {
                 range "0..32";
               }
               description
                 "The length of the subnet prefix.";
             }
             leaf netmask {
               if-feature ipv4-non-contiguous-netmasks;
               type yang:dotted-quad;
               description
                 "The subnet specified as a netmask.";
             }
           }
           leaf origin {
             type ip-address-origin;
             config false;
             description
               "The origin of this address.";
           }
         }
         list neighbor {
           key "ip";
           description
             "A list of mappings from IPv4 addresses to
              link-layer addresses.

              Entries in this list in the intended configuration
              datastore are used as static entries in the ARP Cache.
              In the operational state datastore, this list represents
              the ARP Cache.";
           reference
             "RFC 826: An Ethernet Address Resolution Protocol";

           leaf ip {
             type inet:ipv4-address-no-zone;
             description
               "The IPv4 address of the neighbor node.";
           }
           leaf link-layer-address {
             type yang:phys-address;
             mandatory true;
             description
               "The link-layer address of the neighbor node.";
           }
           leaf origin {
             type neighbor-origin;
             config false;
             description
               "The origin of this neighbor entry.";
           }
         }
       }

       container ipv6 {
         presence
           "Enables IPv6 unless the 'enabled' leaf
            (which defaults to 'true') is set to 'false'";
         description
           "Parameters for the IPv6 address family.";

         leaf enabled {
           type boolean;
           default true;
           description
             "Controls whether IPv6 is enabled or disabled on this
              interface.  When IPv6 is enabled, this interface is
              connected to an IPv6 stack, and the interface can send
              and receive IPv6 packets.";
         }
         leaf forwarding {
           type boolean;
           default false;
           description
             "Controls IPv6 packet forwarding of datagrams received by,
              but not addressed to, this interface.  IPv6 routers
              forward datagrams.  IPv6 hosts do not (except those
              source-routed via the host).";
           reference
             "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
                        Section 6.2.1, IsRouter";
         }
         leaf mtu {
           type uint32 {
             range "1280..max";
           }
           units octets;
           description
             "The size, in octets, of the largest IPv6 packet that the
              interface will send and receive.

              The server may restrict the allowed values for this leaf,
              depending on the interface's type.
              If this leaf is not configured, the operationally used MTU
              depends on the interface's type.";
           reference
             "RFC 2460: Internet Protocol, Version 6 (IPv6)
                        Specification
                        Section 5";
         }

         list address {
           key "ip";
           description
             "The list of IPv6 addresses on the interface.";

           leaf ip {
             type inet:ipv6-address-no-zone;
             description
               "The IPv6 address on the interface.";
           }
           leaf prefix-length {
             type uint8 {
               range "0..128";
             }
             mandatory true;
             description
               "The length of the subnet prefix.";
           }
           leaf origin {
             type ip-address-origin;
             config false;
             description
               "The origin of this address.";
           }
           leaf status {
             type enumeration {
               enum preferred {
                 description
                   "This is a valid address that can appear as the
                    destination or source address of a packet.";
               }
               enum deprecated {
                 description
                   "This is a valid but deprecated address that should
                    no longer be used as a source address in new
                    communications, but packets addressed to such an
                    address are processed as expected.";
               }
               enum invalid {
                 description
                   "This isn't a valid address, and it shouldn't appear
                    as the destination or source address of a packet.";
               }
               enum inaccessible {
                 description
                   "The address is not accessible because the interface
                    to which this address is assigned is not
                    operational.";
               }
               enum unknown {
                 description
                   "The status cannot be determined for some reason.";
               }
               enum tentative {
                 description
                   "The uniqueness of the address on the link is being
                    verified.
                    Addresses in this state should not be
                    used for general communication and should only be
                    used to determine the uniqueness of the address.";
               }
               enum duplicate {
                 description
                   "The address has been determined to be non-unique on
                    the link and so must not be used.";
               }
               enum optimistic {
                 description
                   "The address is available for use, subject to
                    restrictions, while its uniqueness on a link is
                    being verified.";
               }
             }
             config false;
             description
               "The status of an address.  Most of the states correspond
                to states from the IPv6 Stateless Address
                Autoconfiguration protocol.";
             reference
               "RFC 4293: Management Information Base for the
                          Internet Protocol (IP)
                          - IpAddressStatusTC
                RFC 4862: IPv6 Stateless Address Autoconfiguration";
           }
         }
         list neighbor {
           key "ip";
           description
             "A list of mappings from IPv6 addresses to
              link-layer addresses.

              Entries in this list in the intended configuration
              datastore are used as static entries in the Neighbor
              Cache.
              In the operational state datastore, this list represents
              the Neighbor Cache.";
           reference
             "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)";

           leaf ip {
             type inet:ipv6-address-no-zone;
             description
               "The IPv6 address of the neighbor node.";
           }
           leaf link-layer-address {
             type yang:phys-address;
             mandatory true;
             description
               "The link-layer address of the neighbor node.";
           }
           leaf origin {
             type neighbor-origin;
             config false;
             description
               "The origin of this neighbor entry.";
           }
           leaf is-router {
             type empty;
             config false;
             description
               "Indicates that the neighbor node acts as a router.";
           }
           leaf state {
             type enumeration {
               enum incomplete {
                 description
                   "Address resolution is in progress, and the
                    link-layer address of the neighbor has not yet been
                    determined.";
               }
               enum reachable {
                 description
                   "Roughly speaking, the neighbor is known to have been
                    reachable recently (within tens of seconds ago).";
               }
               enum stale {
                 description
                   "The neighbor is no longer known to be reachable, but
                    until traffic is sent to the neighbor no attempt
                    should be made to verify its reachability.";
               }
               enum delay {
                 description
                   "The neighbor is no longer known to be reachable, and
                    traffic has recently been sent to the neighbor.
                    Rather than probe the neighbor immediately, however,
                    delay sending probes for a short while in order to
                    give upper-layer protocols a chance to provide
                    reachability confirmation.";
               }
               enum probe {
                 description
                   "The neighbor is no longer known to be reachable, and
                    unicast Neighbor Solicitation probes are being sent
                    to verify reachability.";
               }
             }
             config false;
             description
               "The Neighbor Unreachability Detection state of this
                entry.";
             reference
               "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
                          Section 7.3.2";
           }
         }

         leaf dup-addr-detect-transmits {
           type uint32;
           default 1;
           description
             "The number of consecutive Neighbor Solicitation messages
              sent while performing Duplicate Address Detection on a
              tentative address.  A value of zero indicates that
              Duplicate Address Detection is not performed on
              tentative addresses.  A value of one indicates a single
              transmission with no follow-up retransmissions.";
           reference
             "RFC 4862: IPv6 Stateless Address Autoconfiguration";
         }
         container autoconf {
           description
             "Parameters to control the autoconfiguration of IPv6
              addresses, as described in RFC 4862.";
           reference
             "RFC 4862: IPv6 Stateless Address Autoconfiguration";

           leaf create-global-addresses {
             type boolean;
             default true;
             description
               "If enabled, the host creates global addresses as
                described in RFC 4862.";
             reference
               "RFC 4862: IPv6 Stateless Address Autoconfiguration
                          Section 5.5";
           }
           leaf create-temporary-addresses {
             if-feature ipv6-privacy-autoconf;
             type boolean;
             default false;
             description
               "If enabled, the host creates temporary addresses as
                described in RFC 4941.";
             reference
               "RFC 4941: Privacy Extensions for Stateless Address
                          Autoconfiguration in IPv6";
           }

           leaf temporary-valid-lifetime {
             if-feature ipv6-privacy-autoconf;
             type uint32;
             units "seconds";
             default 604800;
             description
               "The time period during which the temporary address
                is valid.";
             reference
               "RFC 4941: Privacy Extensions for Stateless Address
                          Autoconfiguration in IPv6
                          - TEMP_VALID_LIFETIME";
           }
           leaf temporary-preferred-lifetime {
             if-feature ipv6-privacy-autoconf;
             type uint32;
             units "seconds";
             default 86400;
             description
               "The time period during which the temporary address is
                preferred.";
             reference
               "RFC 4941: Privacy Extensions for Stateless Address
                          Autoconfiguration in IPv6
                          - TEMP_PREFERRED_LIFETIME";
           }
         }
       }
     }

     /*
      * Legacy operational state data nodes
      */

     augment "/if:interfaces-state/if:interface" {
       status deprecated;
       description
         "Data nodes for the operational state of IP on interfaces.";

       container ipv4 {
         presence "Present if IPv4 is enabled on this interface";
         config false;
         status deprecated;
         description
           "Interface-specific parameters for the IPv4 address family.";

         leaf forwarding {
           type boolean;
           status deprecated;
           description
             "Indicates whether IPv4 packet forwarding is enabled or
              disabled on this interface.";
         }
         leaf mtu {
           type uint16 {
             range "68..max";
           }
           units octets;
           status deprecated;
           description
             "The size, in octets, of the largest IPv4 packet that the
              interface will send and receive.";
           reference
             "RFC 791: Internet Protocol";
         }
         list address {
           key "ip";
           status deprecated;
           description
             "The list of IPv4 addresses on the interface.";

           leaf ip {
             type inet:ipv4-address-no-zone;
             status deprecated;
             description
               "The IPv4 address on the interface.";
           }
           choice subnet {
             status deprecated;
             description
               "The subnet can be specified as a prefix-length, or,
                if the server supports non-contiguous netmasks, as
                a netmask.";
             leaf prefix-length {
               type uint8 {
                 range "0..32";
               }
               status deprecated;
               description
                 "The length of the subnet prefix.";
             }
             leaf netmask {
               if-feature ipv4-non-contiguous-netmasks;
               type yang:dotted-quad;
               status deprecated;
               description
                 "The subnet specified as a netmask.";
             }
           }
           leaf origin {
             type ip-address-origin;
             status deprecated;
             description
               "The origin of this address.";
           }
         }
         list neighbor {
           key "ip";
           status deprecated;
           description
             "A list of mappings from IPv4 addresses to
              link-layer addresses.

              This list represents the ARP Cache.";
           reference
             "RFC 826: An Ethernet Address Resolution Protocol";

           leaf ip {
             type inet:ipv4-address-no-zone;
             status deprecated;
             description
               "The IPv4 address of the neighbor node.";
           }
           leaf link-layer-address {
             type yang:phys-address;
             status deprecated;
             description
               "The link-layer address of the neighbor node.";
           }
           leaf origin {
             type neighbor-origin;
             status deprecated;
             description
               "The origin of this neighbor entry.";
           }
         }
       }

       container ipv6 {
         presence "Present if IPv6 is enabled on this interface";
         config false;
         status deprecated;
         description
           "Parameters for the IPv6 address family.";

         leaf forwarding {
           type boolean;
           default false;
           status deprecated;
           description
             "Indicates whether IPv6 packet forwarding is enabled or
              disabled on this interface.";
           reference
             "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
                        Section 6.2.1, IsRouter";
         }
         leaf mtu {
           type uint32 {
             range "1280..max";
           }
           units octets;
           status deprecated;
           description
             "The size, in octets, of the largest IPv6 packet that the
              interface will send and receive.";
           reference
             "RFC 2460: Internet Protocol, Version 6 (IPv6)
                        Specification
                        Section 5";
         }
         list address {
           key "ip";
           status deprecated;
           description
             "The list of IPv6 addresses on the interface.";

           leaf ip {
             type inet:ipv6-address-no-zone;
             status deprecated;
             description
               "The IPv6 address on the interface.";
           }
           leaf prefix-length {
             type uint8 {
               range "0..128";
             }
             mandatory true;
             status deprecated;
             description
               "The length of the subnet prefix.";
           }
           leaf origin {
             type ip-address-origin;
             status deprecated;
             description
               "The origin of this address.";
           }
           leaf status {
             type enumeration {
               enum preferred {
                 description
                   "This is a valid address that can appear as the
                    destination or source address of a packet.";
               }
               enum deprecated {
                 description
                   "This is a valid but deprecated address that should
                    no longer be used as a source address in new
                    communications, but packets addressed to such an
                    address are processed as expected.";
               }
               enum invalid {
                 description
                   "This isn't a valid address, and it shouldn't appear
                    as the destination or source address of a packet.";
               }
               enum inaccessible {
                 description
                   "The address is not accessible because the interface
                    to which this address is assigned is not
                    operational.";
               }
               enum unknown {
                 description
                   "The status cannot be determined for some reason.";
               }
               enum tentative {
                 description
                   "The uniqueness of the address on the link is being
                    verified.
Addresses in this state should not be 1049 used for general communication and should only be 1050 used to determine the uniqueness of the address."; 1051 } 1052 enum duplicate { 1053 description 1054 "The address has been determined to be non-unique on 1055 the link and so must not be used."; 1056 } 1057 enum optimistic { 1058 description 1059 "The address is available for use, subject to 1060 restrictions, while its uniqueness on a link is 1061 being verified."; 1062 } 1063 } 1064 status deprecated; 1065 description 1066 "The status of an address. Most of the states correspond 1067 to states from the IPv6 Stateless Address 1068 Autoconfiguration protocol."; 1070 reference 1071 "RFC 4293: Management Information Base for the 1072 Internet Protocol (IP) 1073 - IpAddressStatusTC 1074 RFC 4862: IPv6 Stateless Address Autoconfiguration"; 1075 } 1076 } 1077 list neighbor { 1078 key "ip"; 1079 status deprecated; 1080 description 1081 "A list of mappings from IPv6 addresses to 1082 link-layer addresses. 
1084 This list represents the Neighbor Cache."; 1085 reference 1086 "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)"; 1088 leaf ip { 1089 type inet:ipv6-address-no-zone; 1090 status deprecated; 1091 description 1092 "The IPv6 address of the neighbor node."; 1093 } 1094 leaf link-layer-address { 1095 type yang:phys-address; 1096 status deprecated; 1097 description 1098 "The link-layer address of the neighbor node."; 1099 } 1100 leaf origin { 1101 type neighbor-origin; 1102 status deprecated; 1103 description 1104 "The origin of this neighbor entry."; 1105 } 1106 leaf is-router { 1107 type empty; 1108 status deprecated; 1109 description 1110 "Indicates that the neighbor node acts as a router."; 1111 } 1112 leaf state { 1113 type enumeration { 1114 enum incomplete { 1115 description 1116 "Address resolution is in progress, and the 1117 link-layer address of the neighbor has not yet been 1118 determined."; 1119 } 1120 enum reachable { 1121 description 1122 "Roughly speaking, the neighbor is known to have been 1123 reachable recently (within tens of seconds ago)."; 1124 } 1125 enum stale { 1126 description 1127 "The neighbor is no longer known to be reachable, but 1128 until traffic is sent to the neighbor no attempt 1129 should be made to verify its reachability."; 1130 } 1131 enum delay { 1132 description 1133 "The neighbor is no longer known to be reachable, and 1134 traffic has recently been sent to the neighbor. 
1135 Rather than probe the neighbor immediately, however, 1136 delay sending probes for a short while in order to 1137 give upper-layer protocols a chance to provide 1138 reachability confirmation."; 1139 } 1140 enum probe { 1141 description 1142 "The neighbor is no longer known to be reachable, and 1143 unicast Neighbor Solicitation probes are being sent 1144 to verify reachability."; 1145 } 1146 } 1147 status deprecated; 1148 description 1149 "The Neighbor Unreachability Detection state of this 1150 entry."; 1151 reference 1152 "RFC 4861: Neighbor Discovery for IP version 6 (IPv6) 1153 Section 7.3.2"; 1154 } 1155 } 1156 } 1157 } 1158 } 1160 1162 5. IANA Considerations 1164 This document registers a URI in the "IETF XML Registry" [RFC3688]. 1165 Following the format in RFC 3688, the following registration has been 1166 made. 1168 URI: urn:ietf:params:xml:ns:yang:ietf-ip 1170 Registrant Contact: The NETMOD WG of the IETF. 1172 XML: N/A; the requested URI is an XML namespace. 1174 This document registers a YANG module in the "YANG Module Names" 1175 registry [RFC6020]. 1177 Name: ietf-ip 1178 Namespace: urn:ietf:params:xml:ns:yang:ietf-ip 1179 Prefix: ip 1180 Reference: RFC 7277 1182 6. Security Considerations 1184 The YANG module defined in this memo is designed to be accessed via 1185 the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the 1186 secure transport layer and the mandatory-to-implement secure 1187 transport is SSH [RFC6242]. The NETCONF access control model 1188 [RFC6536] provides the means to restrict access for particular 1189 NETCONF users to a pre-configured subset of all available NETCONF 1190 protocol operations and content. 1192 There are a number of data nodes defined in the YANG module which are 1193 writable/creatable/deletable (i.e., config true, which is the 1194 default). These data nodes may be considered sensitive or vulnerable 1195 in some network environments. 
   Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   ipv4/enabled and ipv6/enabled:  These leafs are used to enable or
      disable IPv4 and IPv6 on a specific interface.  By enabling a
      protocol on an interface, an attacker might be able to create an
      unsecured path into a node (or through it if routing is also
      enabled).  By disabling a protocol on an interface, an attacker
      might be able to force packets to be routed through some other
      interface or deny access to some or all of the network via that
      protocol.

   ipv4/address and ipv6/address:  These lists specify the configured IP
      addresses on an interface.  By modifying this information, an
      attacker can cause a node to either ignore messages destined to it
      or accept (at least at the IP layer) messages it would otherwise
      ignore.  The use of filtering or security associations may reduce
      the potential damage in the latter case.

   ipv4/forwarding and ipv6/forwarding:  These leafs allow a client to
      enable or disable the forwarding functions on the entity.  By
      disabling the forwarding functions, an attacker would possibly be
      able to deny service to users.  By enabling the forwarding
      functions, an attacker could open a conduit into an area.  This
      might result in the area providing transit for packets it
      shouldn't, or it might allow the attacker access to the area,
      bypassing security safeguards.

   ipv6/autoconf:  The leafs in this branch control the
      autoconfiguration of IPv6 addresses and, in particular, whether or
      not temporary addresses are used.  By modifying the corresponding
      leafs, an attacker might impact the addresses used by a node and
      thus indirectly the privacy of the users using the node.
   ipv4/mtu and ipv6/mtu:  Setting these leafs to very small values can
      be used to slow down interfaces.

7.  Acknowledgments

   The author wishes to thank Jeffrey Lange, Ladislav Lhotka, Juergen
   Schoenwaelder, and Dave Thaler for their helpful comments.

8.  References

8.1.  Normative References

   [I-D.bjorklund-netmod-rfc7223bis]
              Bjorklund, M., "A YANG Data Model for Interface
              Configuration", draft-bjorklund-netmod-rfc7223bis-00 (work
              in progress), August 2017.

   [I-D.ietf-netmod-revised-datastores]
              Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore
              Architecture", draft-ietf-netmod-revised-datastores-03
              (work in progress), July 2017.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              DOI 10.17487/RFC0791, September 1981.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
              December 1998.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
              DOI 10.17487/RFC4861, September 2007.

   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
              Address Autoconfiguration", RFC 4862,
              DOI 10.17487/RFC4862, September 2007.

   [RFC4941]  Narten, T., Draves, R., and S. Krishnan, "Privacy
              Extensions for Stateless Address Autoconfiguration in
              IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.
   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

8.2.  Informative References

   [RFC0826]  Plummer, D., "Ethernet Address Resolution Protocol: Or
              Converting Network Protocol Addresses to 48.bit Ethernet
              Address for Transmission on Ethernet Hardware", STD 37,
              RFC 826, DOI 10.17487/RFC0826, November 1982.

   [RFC4293]  Routhier, S., Ed., "Management Information Base for the
              Internet Protocol (IP)", RFC 4293, DOI 10.17487/RFC4293,
              April 2006.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC7217]  Gont, F., "A Method for Generating Semantically Opaque
              Interface Identifiers with IPv6 Stateless Address
              Autoconfiguration (SLAAC)", RFC 7217,
              DOI 10.17487/RFC7217, April 2014.

   [RFC8022]  Lhotka, L. and A. Lindem, "A YANG Data Model for Routing
              Management", RFC 8022, DOI 10.17487/RFC8022, November
              2016.

Appendix A.  Example: NETCONF Reply

   This section gives an example of a reply to a NETCONF request for
   the running configuration datastore of a device that implements the
   data model defined in this document.

   <rpc-reply
       xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
       message-id="101">
     <data>
       <interfaces
           xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"
           xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type">
         <interface>
           <name>eth0</name>
           <type>ianaift:ethernetCsmacd</type>
           <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
             <address>
               <ip>192.0.2.1</ip>
               <prefix-length>24</prefix-length>
             </address>
           </ipv4>
           <ipv6 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
             <mtu>1280</mtu>
             <address>
               <ip>2001:db8::10</ip>
               <prefix-length>32</prefix-length>
             </address>
             <dup-addr-detect-transmits>0</dup-addr-detect-transmits>
           </ipv6>
         </interface>
       </interfaces>
     </data>
   </rpc-reply>
Appendix B.  Example: NETCONF Reply

   This section gives an example of a reply to a NETCONF request for
   the operational state datastore of a device that implements the data
   model defined in this document.

   <rpc-reply
       xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
       message-id="101">
     <data>
       <interfaces
           xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"
           xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type">
         <interface>
           <name>eth0</name>
           <type>ianaift:ethernetCsmacd</type>
           <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
             <forwarding>false</forwarding>
             <mtu>1500</mtu>
             <address>
               <ip>192.0.2.1</ip>
               <prefix-length>24</prefix-length>
               <origin>static</origin>
             </address>
             <neighbor>
               <ip>192.0.2.2</ip>
               <link-layer-address>
                 00:01:02:03:04:05
               </link-layer-address>
             </neighbor>
           </ipv4>
           <ipv6 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
             <forwarding>false</forwarding>
             <mtu>1280</mtu>
             <address>
               <ip>2001:db8::10</ip>
               <prefix-length>32</prefix-length>
               <origin>static</origin>
               <status>preferred</status>
             </address>
             <address>
               <ip>2001:db8::1:100</ip>
               <prefix-length>32</prefix-length>
               <origin>dhcp</origin>
               <status>preferred</status>
             </address>
             <dup-addr-detect-transmits>0</dup-addr-detect-transmits>
             <neighbor>
               <ip>2001:db8::1</ip>
               <link-layer-address>
                 00:01:02:03:04:05
               </link-layer-address>
               <origin>dynamic</origin>
               <is-router/>
               <state>reachable</state>
             </neighbor>
             <neighbor>
               <ip>2001:db8::4</ip>
               <origin>dynamic</origin>
               <state>incomplete</state>
             </neighbor>
           </ipv6>
         </interface>
       </interfaces>
     </data>
   </rpc-reply>
Author's Address

   Martin Bjorklund
   Tail-f Systems

   Email: mbj@tail-f.com