idnits 2.17.1 draft-ietf-netmod-rfc7277bis-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == The 'Obsoletes: ' line in the draft header should list only the _numbers_
     of the RFCs which will be obsoleted by this document (if approved); it
     should not include the word 'RFC' in the list.

  -- The abstract seems to indicate that this document obsoletes RFC7277, but
     the header doesn't have an 'Obsoletes:' line to match this.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 165 has weird spacing: '...address   yan...'

  == Line 173 has weird spacing: '...-length   uin...'

  == Line 178 has weird spacing: '...address   yan...'

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords.

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).

  -- The document date (January 9, 2018) is 2289 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-10) exists of
     draft-ietf-netmod-revised-datastores-07

  == Outdated reference: A later version (-03) exists of
     draft-ietf-netmod-rfc7223bis-01

  ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200)

  ** Obsolete normative reference: RFC 4941 (Obsoleted by RFC 8981)

  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)

  == Outdated reference: A later version (-06) exists of
     draft-ietf-netmod-yang-tree-diagrams-02

  -- Obsolete informational reference (is this intentional?): RFC 6536
     (Obsoleted by RFC 8341)

  -- Obsolete informational reference (is this intentional?): RFC 8022
     (Obsoleted by RFC 8349)

     Summary: 3 errors (**), 0 flaws (~~), 9 warnings (==), 4 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                       M. Bjorklund
Internet-Draft                                            Tail-f Systems
Obsoletes: rfc7277 (if approved)                         January 9, 2018
Intended status: Standards Track
Expires: July 13, 2018

                  A YANG Data Model for IP Management
                    draft-ietf-netmod-rfc7277bis-02

Abstract

   This document defines a YANG data model for management of IP
   implementations.  The data model includes configuration and system
   state.  This document obsoletes RFC 7277.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 13, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Summary of Changes from RFC 7277  . . . . . . . . . . . .   2
     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
     1.3.  Tree Diagrams . . . . . . . . . . . . . . . . . . . . . .   3
   2.  IP Data Model . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Relationship to the IP-MIB  . . . . . . . . . . . . . . . . .   6
   4.  IP Management YANG Module . . . . . . . . . . . . . . . . . .   7
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  26
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  26
   7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  27
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  27
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  27
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  29
   Appendix A.  Example: NETCONF reply . . . . . . . . . . . . . . .  30
   Appendix B.  Example: NETCONF Reply . . . . . . . . . . . . . . .  30
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  32

1.  Introduction

   This document defines a YANG [RFC7950] data model for management of
   IP implementations.

   The data model covers configuration of per-interface IPv4 and IPv6
   parameters, and mappings of IP addresses to link-layer addresses.  It
   also provides information about which IP addresses are operationally
   used, and which link-layer mappings exist.  Per-interface parameters
   are added through augmentation of the interface data model defined in
   [I-D.ietf-netmod-rfc7223bis].

   This version of the IP data model supports the Network Management
   Datastore Architecture (NMDA) [I-D.ietf-netmod-revised-datastores].

1.1.  Summary of Changes from RFC 7277

   The "ipv4" and "ipv6" subtrees with "config false" data nodes in the
   "/interfaces-state/interface" subtree are deprecated.  All "config
   false" data nodes are now present in the "ipv4" and "ipv6" subtrees
   in the "/interfaces/interface" subtree.

   Servers that do not implement NMDA, or that wish to support clients
   that do not implement NMDA, MAY implement the deprecated "ipv4" and
   "ipv6" subtrees in the "/interfaces-state/interface" subtree.

1.2.  Terminology

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14, [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.
   The following terms are defined in
   [I-D.ietf-netmod-revised-datastores] and are not redefined here:

   o  client

   o  server

   o  configuration

   o  system state

   o  intended configuration

   o  running configuration datastore

   o  operational state

   o  operational state datastore

   The following terms are defined in [RFC7950] and are not redefined
   here:

   o  augment

   o  data model

   o  data node

   The terminology for describing YANG data models is found in
   [RFC7950].

1.3.  Tree Diagrams

   Tree diagrams used in this document follow the notation defined in
   [I-D.ietf-netmod-yang-tree-diagrams].

2.  IP Data Model

   This document defines the YANG module "ietf-ip", which augments the
   "interface" and "interface-state" lists defined in the
   "ietf-interfaces" module [I-D.ietf-netmod-rfc7223bis] with IP-
   specific data nodes.

   The data model has the following structure for IP data nodes per
   interface, excluding the deprecated data nodes:

     module: ietf-ip
       augment /if:interfaces/if:interface:
         +--rw ipv4!
         |  +--rw enabled?      boolean
         |  +--rw forwarding?   boolean
         |  +--rw mtu?          uint16
         |  +--rw address* [ip]
         |  |  +--rw ip               inet:ipv4-address-no-zone
         |  |  +--rw (subnet)
         |  |  |  +--:(prefix-length)
         |  |  |  |  +--rw prefix-length?   uint8
         |  |  |  +--:(netmask)
         |  |  |     +--rw netmask?         yang:dotted-quad
         |  |  |             {ipv4-non-contiguous-netmasks}?
         |  |  +--ro origin?          ip-address-origin
         |  +--rw neighbor* [ip]
         |     +--rw ip                    inet:ipv4-address-no-zone
         |     +--rw link-layer-address    yang:phys-address
         |     +--ro origin?               neighbor-origin
         +--rw ipv6!
            +--rw enabled?                     boolean
            +--rw forwarding?                  boolean
            +--rw mtu?                         uint32
            +--rw address* [ip]
            |  +--rw ip               inet:ipv6-address-no-zone
            |  +--rw prefix-length    uint8
            |  +--ro origin?          ip-address-origin
            |  +--ro status?          enumeration
            +--rw neighbor* [ip]
            |  +--rw ip                    inet:ipv6-address-no-zone
            |  +--rw link-layer-address    yang:phys-address
            |  +--ro origin?               neighbor-origin
            |  +--ro is-router?            empty
            |  +--ro state?                enumeration
            +--rw dup-addr-detect-transmits?   uint32
            +--rw autoconf
               +--rw create-global-addresses?        boolean
               +--rw create-temporary-addresses?     boolean
               |       {ipv6-privacy-autoconf}?
               +--rw temporary-valid-lifetime?       uint32
               |       {ipv6-privacy-autoconf}?
               +--rw temporary-preferred-lifetime?   uint32
                       {ipv6-privacy-autoconf}?

   The data model defines two containers per interface -- "ipv4" and
   "ipv6", representing the IPv4 and IPv6 address families.  In each
   container, there is a leaf "enabled" that controls whether or not the
   address family is enabled on that interface, and a leaf "forwarding"
   that controls whether or not IP packet forwarding for the address
   family is enabled on the interface.  In each container, there is also
   a list of addresses, and a list of mappings from IP addresses to
   link-layer addresses.

3.  Relationship to the IP-MIB

   If the device implements the IP-MIB [RFC4293], each entry in the
   "ipv4/address" and "ipv6/address" lists is mapped to one
   ipAddressEntry, where the ipAddressIfIndex refers to the "address"
   entry's interface.

   The IP-MIB defines objects to control IPv6 Router Advertisement
   messages.  The corresponding YANG data nodes are defined in
   [RFC8022].

   The entries in "ipv4/neighbor" and "ipv6/neighbor" are mapped to
   ipNetToPhysicalTable.

   The following table lists the YANG data nodes with corresponding
   objects in the IP-MIB.

   +----------------------------------+--------------------------------+
   | YANG data node in                | IP-MIB object                  |
   | /if:interfaces/if:interface      |                                |
   +----------------------------------+--------------------------------+
   | ipv4                             | ipv4InterfaceEnableStatus      |
   | ipv4/enabled                     | ipv4InterfaceEnableStatus      |
   | ipv4/address                     | ipAddressEntry                 |
   | ipv4/address/ip                  | ipAddressAddrType              |
   |                                  | ipAddressAddr                  |
   | ipv4/neighbor                    | ipNetToPhysicalEntry           |
   | ipv4/neighbor/ip                 | ipNetToPhysicalNetAddressType  |
   |                                  | ipNetToPhysicalNetAddress      |
   | ipv4/neighbor/link-layer-address | ipNetToPhysicalPhysAddress     |
   | ipv4/neighbor/origin             | ipNetToPhysicalType            |
   | ipv6                             | ipv6InterfaceEnableStatus      |
   | ipv6/enabled                     | ipv6InterfaceEnableStatus      |
   | ipv6/forwarding                  | ipv6InterfaceForwarding        |
   | ipv6/address                     | ipAddressEntry                 |
   | ipv6/address/ip                  | ipAddressAddrType              |
   |                                  | ipAddressAddr                  |
   | ipv4/address/origin              | ipAddressOrigin                |
   | ipv6/address/status              | ipAddressStatus                |
   | ipv6/neighbor                    | ipNetToPhysicalEntry           |
   | ipv6/neighbor/ip                 | ipNetToPhysicalNetAddressType  |
   |                                  | ipNetToPhysicalNetAddress      |
   | ipv6/neighbor/link-layer-address | ipNetToPhysicalPhysAddress     |
   | ipv6/neighbor/origin             | ipNetToPhysicalType            |
   | ipv6/neighbor/state              | ipNetToPhysicalState           |
   +----------------------------------+--------------------------------+

           YANG Interface Data Nodes and Related IP-MIB Objects

4.  IP Management YANG Module

   This module imports typedefs from [RFC6991] and
   [I-D.ietf-netmod-rfc7223bis], and it references [RFC0791], [RFC0826],
   [RFC2460], [RFC4861], [RFC4862], [RFC4941] and [RFC7217].

   RFC Ed.: update the date below with the date of RFC publication and
   remove this note.
   file "ietf-ip@2018-01-09.yang"

   module ietf-ip {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-ip";
     prefix ip;

     import ietf-interfaces {
       prefix if;
     }
     import ietf-inet-types {
       prefix inet;
     }
     import ietf-yang-types {
       prefix yang;
     }

     organization
       "IETF NETMOD (Network Modeling) Working Group";

     contact
       "WG Web:
        WG List:

        Editor:   Martin Bjorklund
                  ";
     description
       "This module contains a collection of YANG definitions for
        managing IP implementations.

        Copyright (c) 2018 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2018-01-09 {
       description
         "Updated to support NMDA.";
       reference
         "RFC XXXX: A YANG Data Model for IP Management";
     }

     revision 2014-06-16 {
       description
         "Initial revision.";
       reference
         "RFC 7277: A YANG Data Model for IP Management";

     }

     /*
      * Features
      */

     feature ipv4-non-contiguous-netmasks {
       description
         "Indicates support for configuring non-contiguous
          subnet masks.";
     }

     feature ipv6-privacy-autoconf {
       description
         "Indicates support for Privacy Extensions for Stateless Address
          Autoconfiguration in IPv6.";
       reference
         "RFC 4941: Privacy Extensions for Stateless Address
                    Autoconfiguration in IPv6";
     }

     /*
      * Typedefs
      */

     typedef ip-address-origin {
       type enumeration {
         enum other {
           description
             "None of the following.";
         }
         enum static {
           description
             "Indicates that the address has been statically
              configured - for example, using NETCONF or a Command Line
              Interface.";
         }
         enum dhcp {
           description
             "Indicates an address that has been assigned to this
              system by a DHCP server.";
         }
         enum link-layer {
           description
             "Indicates an address created by IPv6 stateless
              autoconfiguration that embeds a link-layer address in its
              interface identifier.";
         }
         enum random {
           description
             "Indicates an address chosen by the system at
              random, e.g., an IPv4 address within 169.254/16, an
              RFC 4941 temporary address, or an RFC 7217 semantically
              opaque address.";
           reference
             "RFC 4941: Privacy Extensions for Stateless Address
                        Autoconfiguration in IPv6
              RFC 7217: A Method for Generating Semantically Opaque
                        Interface Identifiers with IPv6 Stateless
                        Address Autoconfiguration (SLAAC)";
         }
       }
       description
         "The origin of an address.";
     }

     typedef neighbor-origin {
       type enumeration {
         enum other {
           description
             "None of the following.";
         }
         enum static {
           description
             "Indicates that the mapping has been statically
              configured - for example, using NETCONF or a Command Line
              Interface.";
         }
         enum dynamic {
           description
             "Indicates that the mapping has been dynamically resolved
              using, e.g., IPv4 ARP or the IPv6 Neighbor Discovery
              protocol.";
         }
       }
       description
         "The origin of a neighbor entry.";
     }

     /*
      * Data nodes
      */

     augment "/if:interfaces/if:interface" {
       description
         "IP parameters on interfaces.

          If an interface is not capable of running IP, the server
          must not allow the client to configure these parameters.";

       container ipv4 {
         presence
           "Enables IPv4 unless the 'enabled' leaf
            (which defaults to 'true') is set to 'false'";
         description
           "Parameters for the IPv4 address family.";

         leaf enabled {
           type boolean;
           default true;
           description
             "Controls whether IPv4 is enabled or disabled on this
              interface.  When IPv4 is enabled, this interface is
              connected to an IPv4 stack, and the interface can send
              and receive IPv4 packets.";
         }
         leaf forwarding {
           type boolean;
           default false;
           description
             "Controls IPv4 packet forwarding of datagrams received by,
              but not addressed to, this interface.  IPv4 routers
              forward datagrams.  IPv4 hosts do not (except those
              source-routed via the host).";
         }
         leaf mtu {
           type uint16 {
             range "68..max";
           }
           units octets;
           description
             "The size, in octets, of the largest IPv4 packet that the
              interface will send and receive.

              The server may restrict the allowed values for this leaf,
              depending on the interface's type.

              If this leaf is not configured, the operationally used MTU
              depends on the interface's type.";
           reference
             "RFC 791: Internet Protocol";
         }
         list address {
           key "ip";
           description
             "The list of IPv4 addresses on the interface.";

           leaf ip {
             type inet:ipv4-address-no-zone;
             description
               "The IPv4 address on the interface.";
           }
           choice subnet {
             mandatory true;
             description
               "The subnet can be specified as a prefix-length, or,
                if the server supports non-contiguous netmasks, as
                a netmask.";
             leaf prefix-length {
               type uint8 {
                 range "0..32";
               }
               description
                 "The length of the subnet prefix.";
             }
             leaf netmask {
               if-feature ipv4-non-contiguous-netmasks;
               type yang:dotted-quad;
               description
                 "The subnet specified as a netmask.";
             }
           }
           leaf origin {
             type ip-address-origin;
             config false;
             description
               "The origin of this address.";
           }
         }
         list neighbor {
           key "ip";
           description
             "A list of mappings from IPv4 addresses to
              link-layer addresses.

              Entries in this list in the intended configuration are
              used as static entries in the ARP Cache.

              In the operational state, this list represents the ARP
              Cache.";
           reference
             "RFC 826: An Ethernet Address Resolution Protocol";

           leaf ip {
             type inet:ipv4-address-no-zone;
             description
               "The IPv4 address of the neighbor node.";
           }
           leaf link-layer-address {
             type yang:phys-address;
             mandatory true;
             description
               "The link-layer address of the neighbor node.";
           }
           leaf origin {
             type neighbor-origin;
             config false;
             description
               "The origin of this neighbor entry.";
           }
         }
       }

       container ipv6 {
         presence
           "Enables IPv6 unless the 'enabled' leaf
            (which defaults to 'true') is set to 'false'";
         description
           "Parameters for the IPv6 address family.";

         leaf enabled {
           type boolean;
           default true;
           description
             "Controls whether IPv6 is enabled or disabled on this
              interface.  When IPv6 is enabled, this interface is
              connected to an IPv6 stack, and the interface can send
              and receive IPv6 packets.";
         }
         leaf forwarding {
           type boolean;
           default false;
           description
             "Controls IPv6 packet forwarding of datagrams received by,
              but not addressed to, this interface.  IPv6 routers
              forward datagrams.  IPv6 hosts do not (except those
              source-routed via the host).";
           reference
             "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
                        Section 6.2.1, IsRouter";
         }
         leaf mtu {
           type uint32 {
             range "1280..max";
           }
           units octets;
           description
             "The size, in octets, of the largest IPv6 packet that the
              interface will send and receive.

              The server may restrict the allowed values for this leaf,
              depending on the interface's type.

              If this leaf is not configured, the operationally used MTU
              depends on the interface's type.";
           reference
             "RFC 2460: Internet Protocol, Version 6 (IPv6)
                        Specification
                        Section 5";
         }

         list address {
           key "ip";
           description
             "The list of IPv6 addresses on the interface.";

           leaf ip {
             type inet:ipv6-address-no-zone;
             description
               "The IPv6 address on the interface.";
           }
           leaf prefix-length {
             type uint8 {
               range "0..128";
             }
             mandatory true;
             description
               "The length of the subnet prefix.";
           }
           leaf origin {
             type ip-address-origin;
             config false;
             description
               "The origin of this address.";
           }
           leaf status {
             type enumeration {
               enum preferred {
                 description
                   "This is a valid address that can appear as the
                    destination or source address of a packet.";
               }
               enum deprecated {
                 description
                   "This is a valid but deprecated address that should
                    no longer be used as a source address in new
                    communications, but packets addressed to such an
                    address are processed as expected.";
               }
               enum invalid {
                 description
                   "This isn't a valid address, and it shouldn't appear
                    as the destination or source address of a packet.";
               }
               enum inaccessible {
                 description
                   "The address is not accessible because the interface
                    to which this address is assigned is not
                    operational.";
               }
               enum unknown {
                 description
                   "The status cannot be determined for some reason.";
               }
               enum tentative {
                 description
                   "The uniqueness of the address on the link is being
                    verified.  Addresses in this state should not be
                    used for general communication and should only be
                    used to determine the uniqueness of the address.";
               }
               enum duplicate {
                 description
                   "The address has been determined to be non-unique on
                    the link and so must not be used.";
               }
               enum optimistic {
                 description
                   "The address is available for use, subject to
                    restrictions, while its uniqueness on a link is
                    being verified.";
               }
             }
             config false;
             description
               "The status of an address.  Most of the states correspond
                to states from the IPv6 Stateless Address
                Autoconfiguration protocol.";
             reference
               "RFC 4293: Management Information Base for the
                          Internet Protocol (IP)
                          - IpAddressStatusTC
                RFC 4862: IPv6 Stateless Address Autoconfiguration";
           }
         }
         list neighbor {
           key "ip";
           description
             "A list of mappings from IPv6 addresses to
              link-layer addresses.

              Entries in this list in the intended configuration are
              used as static entries in the Neighbor Cache.

              In the operational state, this list represents the
              Neighbor Cache.";
           reference
             "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)";

           leaf ip {
             type inet:ipv6-address-no-zone;
             description
               "The IPv6 address of the neighbor node.";
           }
           leaf link-layer-address {
             type yang:phys-address;
             mandatory true;
             description
               "The link-layer address of the neighbor node.

                In the operational state, if the neighbor's 'state' leaf
                is 'incomplete', this leaf is not instantiated.";
           }
           leaf origin {
             type neighbor-origin;
             config false;
             description
               "The origin of this neighbor entry.";
           }
           leaf is-router {
             type empty;
             config false;
             description
               "Indicates that the neighbor node acts as a router.";
           }
           leaf state {
             type enumeration {
               enum incomplete {
                 description
                   "Address resolution is in progress, and the
                    link-layer address of the neighbor has not yet been
                    determined.";
               }
               enum reachable {
                 description
                   "Roughly speaking, the neighbor is known to have been
                    reachable recently (within tens of seconds ago).";
               }
               enum stale {
                 description
                   "The neighbor is no longer known to be reachable, but
                    until traffic is sent to the neighbor no attempt
                    should be made to verify its reachability.";
               }
               enum delay {
                 description
                   "The neighbor is no longer known to be reachable, and
                    traffic has recently been sent to the neighbor.
                    Rather than probe the neighbor immediately, however,
                    delay sending probes for a short while in order to
                    give upper-layer protocols a chance to provide
                    reachability confirmation.";
               }
               enum probe {
                 description
                   "The neighbor is no longer known to be reachable, and
                    unicast Neighbor Solicitation probes are being sent
                    to verify reachability.";
               }
             }
             config false;
             description
               "The Neighbor Unreachability Detection state of this
                entry.";
             reference
               "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
                          Section 7.3.2";
           }
         }

         leaf dup-addr-detect-transmits {
           type uint32;
           default 1;
           description
             "The number of consecutive Neighbor Solicitation messages
              sent while performing Duplicate Address Detection on a
              tentative address.  A value of zero indicates that
              Duplicate Address Detection is not performed on
              tentative addresses.  A value of one indicates a single
              transmission with no follow-up retransmissions.";
           reference
             "RFC 4862: IPv6 Stateless Address Autoconfiguration";
         }
         container autoconf {
           description
             "Parameters to control the autoconfiguration of IPv6
              addresses, as described in RFC 4862.";
           reference
             "RFC 4862: IPv6 Stateless Address Autoconfiguration";

           leaf create-global-addresses {
             type boolean;
             default true;
             description
               "If enabled, the host creates global addresses as
                described in RFC 4862.";
             reference
               "RFC 4862: IPv6 Stateless Address Autoconfiguration
                          Section 5.5";
           }
           leaf create-temporary-addresses {
             if-feature ipv6-privacy-autoconf;
             type boolean;
             default false;
             description
               "If enabled, the host creates temporary addresses as
                described in RFC 4941.";
             reference
               "RFC 4941: Privacy Extensions for Stateless Address
                          Autoconfiguration in IPv6";
           }

           leaf temporary-valid-lifetime {
             if-feature ipv6-privacy-autoconf;
             type uint32;
             units "seconds";
             default 604800;
             description
               "The time period during which the temporary address
                is valid.";
             reference
               "RFC 4941: Privacy Extensions for Stateless Address
                          Autoconfiguration in IPv6
                          - TEMP_VALID_LIFETIME";
           }
           leaf temporary-preferred-lifetime {
             if-feature ipv6-privacy-autoconf;
             type uint32;
             units "seconds";
             default 86400;
             description
               "The time period during which the temporary address is
                preferred.";
             reference
               "RFC 4941: Privacy Extensions for Stateless Address
                          Autoconfiguration in IPv6
                          - TEMP_PREFERRED_LIFETIME";
           }
         }
       }
     }

     /*
      * Legacy operational state data nodes
      */

     augment "/if:interfaces-state/if:interface" {
       status deprecated;
       description
         "Data nodes for the operational state
          of IP on interfaces.";

       container ipv4 {
         presence "Present if IPv4 is enabled on this interface";
         config false;
         status deprecated;
         description
           "Interface-specific parameters for the IPv4 address family.";

         leaf forwarding {
           type boolean;
           status deprecated;
           description
             "Indicates whether IPv4 packet forwarding is enabled or
              disabled on this interface.";
         }
         leaf mtu {
           type uint16 {
             range "68..max";
           }
           units octets;
           status deprecated;
           description
             "The size, in octets, of the largest IPv4 packet that the
              interface will send and receive.";
           reference
             "RFC 791: Internet Protocol";
         }
         list address {
           key "ip";
           status deprecated;
           description
             "The list of IPv4 addresses on the interface.";

           leaf ip {
             type inet:ipv4-address-no-zone;
             status deprecated;
             description
               "The IPv4 address on the interface.";
           }
           choice subnet {
             status deprecated;
             description
               "The subnet can be specified as a prefix-length, or,
                if the server supports non-contiguous netmasks, as
                a netmask.";
             leaf prefix-length {
               type uint8 {
                 range "0..32";
               }
               status deprecated;
               description
                 "The length of the subnet prefix.";
             }
             leaf netmask {
               if-feature ipv4-non-contiguous-netmasks;
               type yang:dotted-quad;
               status deprecated;
               description
                 "The subnet specified as a netmask.";
             }
           }
           leaf origin {
             type ip-address-origin;
             status deprecated;
             description
               "The origin of this address.";
           }
         }
         list neighbor {
           key "ip";
           status deprecated;
           description
             "A list of mappings from IPv4 addresses to
              link-layer addresses.

              This list represents the ARP Cache.";
           reference
             "RFC 826: An Ethernet Address Resolution Protocol";

           leaf ip {
             type inet:ipv4-address-no-zone;
             status deprecated;
             description
               "The IPv4 address of the neighbor node.";
           }
           leaf link-layer-address {
             type yang:phys-address;
             status deprecated;
             description
               "The link-layer address of the neighbor node.";
           }
           leaf origin {
             type neighbor-origin;
             status deprecated;
             description
               "The origin of this neighbor entry.";
           }
         }
       }

       container ipv6 {
         presence "Present if IPv6 is enabled on this interface";
         config false;
         status deprecated;
         description
           "Parameters for the IPv6 address family.";

         leaf forwarding {
           type boolean;
           default false;
           status deprecated;
           description
             "Indicates whether IPv6 packet forwarding is enabled or
              disabled on this interface.";
           reference
             "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
                        Section 6.2.1, IsRouter";
         }
         leaf mtu {
           type uint32 {
             range "1280..max";
           }
           units octets;
           status deprecated;
           description
             "The size, in octets, of the largest IPv6 packet that the
              interface will send and receive.";
           reference
             "RFC 2460: Internet Protocol, Version 6 (IPv6)
                        Specification
                        Section 5";
         }
         list address {
           key "ip";
           status deprecated;
           description
             "The list of IPv6 addresses on the interface.";

           leaf ip {
             type inet:ipv6-address-no-zone;
             status deprecated;
             description
               "The IPv6 address on the interface.";
           }
           leaf prefix-length {
             type uint8 {
               range "0..128";
             }
             mandatory true;
             status deprecated;
             description
               "The length of the subnet prefix.";
           }
           leaf origin {
             type ip-address-origin;
             status deprecated;
             description
               "The origin of this address.";
           }
           leaf status {
             type enumeration {
               enum preferred {
                 description
                   "This is a valid address that can appear as the
                    destination or source address of a packet.";
               }
               enum deprecated {
                 description
                   "This is a valid but deprecated address that should
                    no longer be used as a source address in new
                    communications, but packets addressed to such an
                    address are processed as expected.";
               }
               enum invalid {
                 description
                   "This isn't a valid address, and it shouldn't appear
                    as the destination or source address of a packet.";
               }
               enum inaccessible {
                 description
                   "The address is not accessible because the interface
                    to which this address is assigned is not
                    operational.";
               }
               enum unknown {
                 description
                   "The status cannot be determined for some reason.";
               }
               enum tentative {
                 description
                   "The uniqueness of the address on the link is being
                    verified.  Addresses in this state should not be
                    used for general communication and should only be
                    used to determine the uniqueness of the address.";
               }
               enum duplicate {
                 description
                   "The address has been determined to be non-unique on
                    the link and so must not be used.";
               }
               enum optimistic {
                 description
                   "The address is available for use, subject to
                    restrictions, while its uniqueness on a link is
                    being verified.";
               }
             }
             status deprecated;
             description
               "The status of an address.  Most of the states correspond
                to states from the IPv6 Stateless Address
                Autoconfiguration protocol.";
             reference
               "RFC 4293: Management Information Base for the
                          Internet Protocol (IP)
                          - IpAddressStatusTC
                RFC 4862: IPv6 Stateless Address Autoconfiguration";
           }
         }
         list neighbor {
           key "ip";
           status deprecated;
           description
             "A list of mappings from IPv6 addresses to
              link-layer addresses.

              This list represents the Neighbor Cache.";
           reference
             "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)";

           leaf ip {
             type inet:ipv6-address-no-zone;
             status deprecated;
             description
               "The IPv6 address of the neighbor node.";
           }
           leaf link-layer-address {
             type yang:phys-address;
             status deprecated;
             description
               "The link-layer address of the neighbor node.";
           }
           leaf origin {
             type neighbor-origin;
             status deprecated;
             description
               "The origin of this neighbor entry.";
           }
           leaf is-router {
             type empty;
             status deprecated;
             description
               "Indicates that the neighbor node acts as a router.";
           }
           leaf state {
             type enumeration {
               enum incomplete {
                 description
                   "Address resolution is in progress, and the
                    link-layer address of the neighbor has not yet been
                    determined.";
               }
               enum reachable {
                 description
                   "Roughly speaking, the neighbor is known to have been
                    reachable recently (within tens of seconds ago).";
               }
               enum stale {
                 description
                   "The neighbor is no longer known to be reachable, but
                    until traffic is sent to the neighbor no attempt
                    should be made to verify its reachability.";
               }
               enum delay {
                 description
                   "The neighbor is no longer known to be reachable, and
                    traffic has recently been sent to the neighbor.
                    Rather than probe the neighbor immediately, however,
                    delay sending probes for a short while in order to
                    give upper-layer protocols a chance to provide
                    reachability confirmation.";
               }
               enum probe {
                 description
                   "The neighbor is no longer known to be reachable, and
                    unicast Neighbor Solicitation probes are being sent
                    to verify reachability.";
               }
             }
             status deprecated;
             description
               "The Neighbor Unreachability Detection state of this
                entry.";
             reference
               "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
                          Section 7.3.2";
           }
         }
       }
     }
   }

5.  IANA Considerations

   This document registers a URI in the "IETF XML Registry" [RFC3688].
   Following the format in RFC 3688, the following registration has been
   made.

        URI: urn:ietf:params:xml:ns:yang:ietf-ip

        Registrant Contact: The NETMOD WG of the IETF.

        XML: N/A; the requested URI is an XML namespace.

   This document registers a YANG module in the "YANG Module Names"
   registry [RFC6020].

        Name:         ietf-ip
        Namespace:    urn:ietf:params:xml:ns:yang:ietf-ip
        Prefix:       ip
        Reference:    RFC 7277

6.  Security Considerations

   The YANG module defined in this document is designed to be accessed
   via network management protocols such as NETCONF [RFC6241] or
   RESTCONF [RFC8040].  The lowest NETCONF layer is the secure transport
   layer, and the mandatory-to-implement secure transport is Secure
   Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS, and the
   mandatory-to-implement secure transport is TLS [RFC5246].

   The NETCONF access control model [RFC6536] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.
   There are a number of data nodes defined in the YANG module which are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   ipv4/enabled and ipv6/enabled:  These leafs are used to enable or
      disable IPv4 and IPv6 on a specific interface.  By enabling a
      protocol on an interface, an attacker might be able to create an
      unsecured path into a node (or through it if routing is also
      enabled).  By disabling a protocol on an interface, an attacker
      might be able to force packets to be routed through some other
      interface or deny access to some or all of the network via that
      protocol.

   ipv4/address and ipv6/address:  These lists specify the configured IP
      addresses on an interface.  By modifying this information, an
      attacker can cause a node to either ignore messages destined to it
      or accept (at least at the IP layer) messages it would otherwise
      ignore.  The use of filtering or security associations may reduce
      the potential damage in the latter case.

   ipv4/forwarding and ipv6/forwarding:  These leafs allow a client to
      enable or disable the forwarding functions on the entity.  By
      disabling the forwarding functions, an attacker would possibly be
      able to deny service to users.  By enabling the forwarding
      functions, an attacker could open a conduit into an area.  This
      might result in the area providing transit for packets it
      shouldn't, or it might allow the attacker access to the area,
      bypassing security safeguards.

   ipv6/autoconf:  The leafs in this branch control the
      autoconfiguration of IPv6 addresses and, in particular, whether or
      not temporary addresses are used.  By modifying the corresponding
      leafs, an attacker might impact the addresses used by a node and
      thus indirectly the privacy of the users using the node.

   ipv4/mtu and ipv6/mtu:  Setting these leafs to very small values can
      be used to slow down interfaces.

7.  Acknowledgments

   The author wishes to thank Jeffrey Lange, Ladislav Lhotka, Juergen
   Schoenwaelder, and Dave Thaler for their helpful comments.

8.  References

8.1.  Normative References

   [I-D.ietf-netmod-revised-datastores]
              Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore
              Architecture", draft-ietf-netmod-revised-datastores-07
              (work in progress), November 2017.

   [I-D.ietf-netmod-rfc7223bis]
              Bjorklund, M., "A YANG Data Model for Interface
              Management", draft-ietf-netmod-rfc7223bis-01 (work in
              progress), December 2017.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              DOI 10.17487/RFC0791, September 1981.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
              December 1998.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
              DOI 10.17487/RFC4861, September 2007.

   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
              Address Autoconfiguration", RFC 4862,
              DOI 10.17487/RFC4862, September 2007.

   [RFC4941]  Narten, T., Draves, R., and S. Krishnan, "Privacy
              Extensions for Stateless Address Autoconfiguration in
              IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

8.2.  Informative References

   [I-D.ietf-netmod-yang-tree-diagrams]
              Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft-
              ietf-netmod-yang-tree-diagrams-02 (work in progress),
              October 2017.

   [RFC0826]  Plummer, D., "Ethernet Address Resolution Protocol: Or
              Converting Network Protocol Addresses to 48.bit Ethernet
              Address for Transmission on Ethernet Hardware", STD 37,
              RFC 826, DOI 10.17487/RFC0826, November 1982.

   [RFC4293]  Routhier, S., Ed., "Management Information Base for the
              Internet Protocol (IP)", RFC 4293, DOI 10.17487/RFC4293,
              April 2006.
   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC7217]  Gont, F., "A Method for Generating Semantically Opaque
              Interface Identifiers with IPv6 Stateless Address
              Autoconfiguration (SLAAC)", RFC 7217,
              DOI 10.17487/RFC7217, April 2014.

   [RFC8022]  Lhotka, L. and A. Lindem, "A YANG Data Model for Routing
              Management", RFC 8022, DOI 10.17487/RFC8022, November
              2016.

Appendix A.  Example: NETCONF reply

   This section gives an example of a reply to the NETCONF request for
   the running configuration datastore for a device that implements the
   data model defined in this document.

   (The XML markup of the example reply did not survive in this copy of
   the document; the element values that remain, in document order,
   are:)

      eth0
      ianaift:ethernetCsmacd
      192.0.2.1
      24
      1280
      2001:db8::10
      32
      0
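   The sensitivity list in Section 6 is easiest to apply at the point
   where an edit-config reaches the device or an audit proxy in front
   of it.  The following Python is an added example, not code from the
   draft or from any NETCONF implementation: it parses a constructed
   edit-config payload shaped like the configuration in Appendix A and
   reports every write that lands on one of the subtrees Section 6
   calls out, including a container-level nc:operation (delete,
   remove, replace) that covers everything beneath it, and an ipv6/mtu
   value below the 1280-octet minimum of the module's range.  The
   element names come from the ietf-ip module; the ietf-interfaces
   namespace URI and the interface wrapper elements are assumed.

```python
"""Flag edit-config writes to the ietf-ip nodes Section 6 lists as sensitive.

Added example (not part of the draft).  Element names under the ipv4/ipv6
containers are those of the ietf-ip module; the ietf-interfaces namespace
and the <interfaces>/<interface>/<name> wrapper are assumed (RFC 7223).
"""
import xml.etree.ElementTree as ET

NS_NC = "urn:ietf:params:xml:ns:netconf:base:1.0"      # NETCONF base
NS_IF = "urn:ietf:params:xml:ns:yang:ietf-interfaces"  # assumed
NS_IP = "urn:ietf:params:xml:ns:yang:ietf-ip"          # from Section 5

# (family, node) pairs named in Section 6, with a one-line summary of why
# a write there matters.
SENSITIVE = {
    ("ipv4", "enabled"):    "enables/disables IPv4 on the interface",
    ("ipv6", "enabled"):    "enables/disables IPv6 on the interface",
    ("ipv4", "address"):    "changes configured IPv4 addresses",
    ("ipv6", "address"):    "changes configured IPv6 addresses",
    ("ipv4", "forwarding"): "enables/disables IPv4 forwarding",
    ("ipv6", "forwarding"): "enables/disables IPv6 forwarding",
    ("ipv6", "autoconf"):   "controls SLAAC and temporary addresses",
    ("ipv4", "mtu"):        "very small values slow the interface",
    ("ipv6", "mtu"):        "very small values slow the interface",
}
IPV6_MIN_MTU = 1280  # lower bound of the ipv6/mtu range in the module


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def audit_edit_config(xml_text):
    """Return (interface, path, operation, value, reason) for each sensitive write."""
    root = ET.fromstring(xml_text)
    findings = []
    for iface in root.iter("{%s}interface" % NS_IF):
        name = iface.findtext("{%s}name" % NS_IF, default="?")
        for family in ("ipv4", "ipv6"):
            fam_el = iface.find("{%s}%s" % (NS_IP, family))
            if fam_el is None:
                continue
            # An nc:operation on the container applies to every node below it.
            fam_op = fam_el.get("{%s}operation" % NS_NC, "merge")
            if fam_op in ("delete", "remove", "replace"):
                findings.append((name, family, fam_op, None,
                                 "whole %s subtree is %sd" % (family, fam_op)))
            for child in fam_el:
                key = (family, _local(child.tag))
                if key not in SENSITIVE:
                    continue  # e.g. a static neighbor entry is not listed
                op = child.get("{%s}operation" % NS_NC, fam_op)
                value = (child.text or "").strip() or None
                reason = SENSITIVE[key]
                if (key == ("ipv6", "mtu") and value is not None
                        and value.isdigit() and int(value) < IPV6_MIN_MTU):
                    reason += "; below the module's minimum of %d" % IPV6_MIN_MTU
                findings.append((name, family + "/" + key[1], op, value, reason))
    return findings


# Constructed sample payload: replaces eth0's IPv4 address, adds a static
# ARP entry, turns on IPv6 forwarding with an undersized MTU, and deletes
# the whole ipv6 container on eth1.
SAMPLE_EDIT = """
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
             xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target><running/></target>
  <config>
    <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
      <interface>
        <name>eth0</name>
        <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
          <address nc:operation="replace">
            <ip>192.0.2.1</ip>
            <prefix-length>24</prefix-length>
          </address>
          <neighbor>
            <ip>192.0.2.2</ip>
            <link-layer-address>00:01:02:03:04:05</link-layer-address>
          </neighbor>
        </ipv4>
        <ipv6 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
          <forwarding>true</forwarding>
          <mtu>1000</mtu>
        </ipv6>
      </interface>
      <interface>
        <name>eth1</name>
        <ipv6 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip" nc:operation="delete"/>
      </interface>
    </interfaces>
  </config>
</edit-config>
"""

if __name__ == "__main__":
    for iface, path, op, value, reason in audit_edit_config(SAMPLE_EDIT):
        print("%s %s %s=%s: %s" % (iface, op, path, value, reason))
```

   The static neighbor entry on eth0 is deliberately left unflagged
   because Section 6 does not list ipv4/neighbor; extend SENSITIVE if a
   deployment treats static ARP or Neighbor Cache entries as sensitive
   too.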
Appendix B.  Example: NETCONF Reply

   This section gives an example of a reply to the NETCONF request for
   the operational state datastore for a device that implements the
   data model defined in this document.

   This example uses the "origin" annotation, which is defined in the
   module "ietf-origin" [I-D.ietf-netmod-revised-datastores].

   (The XML markup of the example reply did not survive in this copy of
   the document; the element values that remain, in document order,
   are:)

      eth0
      ianaift:ethernetCsmacd
      true
      false
      1500
      192.0.2.1
      24
      static
      192.0.2.2
      00:01:02:03:04:05
      true
      false
      1280
      2001:db8::10
      32
      static
      preferred
      2001:db8::1:100
      32
      dhcp
      preferred
      0
      2001:db8::1
      00:01:02:03:04:05
      dynamic
      reachable
      2001:db8::4
      dynamic
      incomplete
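   The address "status" and neighbor "state" enumerations in the module
   are what an operator would poll to notice address conflicts and
   unresolved neighbors on a link.  The following Python is an added
   example, not code from the draft or from any implementation: it
   reads a constructed operational-state reply in the shape of Appendix
   B (without the origin annotation) and returns one alert for each
   IPv6 address whose status means it is unusable, each neighbor whose
   Neighbor Unreachability Detection state is unresolved or being
   probed, and each neighbor that sets is-router, so the latter can be
   compared against the routers expected on that link.  Element names
   and enumeration values come from the ietf-ip module; the
   ietf-interfaces namespace URI and the interface wrapper are assumed.

```python
"""Triage ietf-ip operational state for address and neighbor conditions.

Added example (not part of the draft).  The ietf-ip element names and
enumeration values are those of the module; the ietf-interfaces namespace
and the <interfaces>/<interface>/<name> wrapper are assumed (RFC 7223).
"""
import xml.etree.ElementTree as ET

NS_IF = "urn:ietf:params:xml:ns:yang:ietf-interfaces"  # assumed
NS_IP = "urn:ietf:params:xml:ns:yang:ietf-ip"          # from Section 5

# ipv6/address/status values under which the address must not (or cannot)
# be used, and ipv6/neighbor/state values meaning reachability is not
# confirmed (all taken from the module's enumerations).
UNUSABLE_ADDRESS = {"duplicate", "tentative", "invalid", "inaccessible", "unknown"}
UNCONFIRMED_NEIGHBOR = {"incomplete", "probe"}


def _text(el, name):
    """Text of the ietf-ip child <name>, or None if absent."""
    child = el.find("{%s}%s" % (NS_IP, name))
    return child.text.strip() if child is not None and child.text else None


def triage_state(xml_text):
    """Return (interface, kind, ip, detail) tuples worth an operator's attention."""
    root = ET.fromstring(xml_text)
    alerts = []
    for iface in root.iter("{%s}interface" % NS_IF):
        name = iface.findtext("{%s}name" % NS_IF, default="?")
        ipv6 = iface.find("{%s}ipv6" % NS_IP)
        if ipv6 is None:
            continue
        for addr in ipv6.findall("{%s}address" % NS_IP):
            status = _text(addr, "status")
            if status in UNUSABLE_ADDRESS:
                alerts.append((name, "address", _text(addr, "ip"), status))
        for nb in ipv6.findall("{%s}neighbor" % NS_IP):
            ip = _text(nb, "ip")
            state = _text(nb, "state")
            if state in UNCONFIRMED_NEIGHBOR:
                alerts.append((name, "neighbor", ip, state))
            # is-router is "type empty": its presence alone is the signal.
            if nb.find("{%s}is-router" % NS_IP) is not None:
                alerts.append((name, "router", ip, "is-router"))
    return alerts


# Constructed sample reply: one preferred and one duplicate address, a
# reachable router neighbor, and a neighbor still in address resolution.
SAMPLE_STATE = """
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <data>
    <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
      <interface>
        <name>eth0</name>
        <ipv6 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
          <forwarding>false</forwarding>
          <mtu>1280</mtu>
          <address>
            <ip>2001:db8::10</ip>
            <prefix-length>32</prefix-length>
            <origin>static</origin>
            <status>preferred</status>
          </address>
          <address>
            <ip>2001:db8::1:100</ip>
            <prefix-length>32</prefix-length>
            <origin>dhcp</origin>
            <status>duplicate</status>
          </address>
          <neighbor>
            <ip>2001:db8::1</ip>
            <link-layer-address>00:01:02:03:04:05</link-layer-address>
            <origin>dynamic</origin>
            <is-router/>
            <state>reachable</state>
          </neighbor>
          <neighbor>
            <ip>2001:db8::4</ip>
            <origin>dynamic</origin>
            <state>incomplete</state>
          </neighbor>
        </ipv6>
      </interface>
    </interfaces>
  </data>
</rpc-reply>
"""

if __name__ == "__main__":
    for iface, kind, ip, detail in triage_state(SAMPLE_STATE):
        print("%s %s %s: %s" % (iface, kind, ip, detail))
```

   A "duplicate" address is the Duplicate Address Detection outcome
   described in the module (RFC 4862), and a neighbor that stays
   "incomplete" is one whose link-layer address never resolved; both
   are worth correlating with link events before treating them as a
   fault.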
Author's Address

   Martin Bjorklund
   Tail-f Systems

   Email: mbj@tail-f.com