< draft-ietf-netmod-acl-model-12.txt   draft-ietf-netmod-acl-model-13.txt >
NETMOD WG M. Jethanandani NETMOD WG M. Jethanandani
Internet-Draft Cisco Systems, Inc Internet-Draft Cisco Systems, Inc
Intended status: Standards Track L. Huang Intended status: Standards Track L. Huang
Expires: March 5, 2018 General Electric Expires: March 16, 2018 General Electric
S. Agarwal S. Agarwal
Cisco Systems, Inc. Cisco Systems, Inc.
D. Blair D. Blair
Cisco Systems, INc Cisco Systems, INc
September 1, 2017 September 12, 2017
Network Access Control List (ACL) YANG Data Model Network Access Control List (ACL) YANG Data Model
draft-ietf-netmod-acl-model-12 draft-ietf-netmod-acl-model-13
Abstract Abstract
This document describes a data model of Access Control List (ACL) This document describes a data model of Access Control List (ACL)
basic building blocks. basic building blocks.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
This draft contains many placeholder values that need to be replaced This draft contains many placeholder values that need to be replaced
with finalized values at the time of publication. This note with finalized values at the time of publication. This note
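Review bot: the affiliation for D. Blair still reads "Cisco Systems, INc" on both sides of the diff, and the other Cisco entries disagree on the trailing period ("Cisco Systems, Inc" for M. Jethanandani, "Cisco Systems, Inc." for S. Agarwal); normalize all three to "Cisco Systems, Inc." before this goes to the RFC Editor.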
skipping to change at page 2, line 10 skipping to change at page 2, line 10
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 5, 2018. This Internet-Draft will expire on March 16, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 6, line 16 skipping to change at page 6, line 16
| | +--rw dscp? inet:dscp | | +--rw dscp? inet:dscp
| | +--rw ecn? uint8 | | +--rw ecn? uint8
| | +--rw length? uint16 | | +--rw length? uint16
| | +--rw ttl? uint8 | | +--rw ttl? uint8
| | +--rw protocol? uint8 | | +--rw protocol? uint8
| | +--rw source-port-range! | | +--rw source-port-range!
| | | +--rw lower-port inet:port-number | | | +--rw lower-port inet:port-number
| | | +--rw upper-port? inet:port-number | | | +--rw upper-port? inet:port-number
| | | +--rw operation? operator | | | +--rw operation? operator
| | +--rw destination-port-range! | | +--rw destination-port-range!
| | | +--rw lower-port inet:port-number | | | +--rw lower-port inet:port-number
| | | +--rw upper-port? inet:port-number | | | +--rw upper-port? inet:port-number
| | | +--rw opearations? operator | | | +--rw operations? operator
| | +--rw ihl? uint8 | | +--rw ihl? uint8
| | +--rw flags? bits | | +--rw flags? bits
| | +--rw offset? uint16 | | +--rw offset? uint16
| | +--rw identification? uint16 | | +--rw identification? uint16
| | +--rw destination-ipv4-network? inet:ipv4-prefi | | +--rw destination-ipv4-network? inet:ipv4-prefi
x x
| | +--rw source-ipv4-network? inet:ipv4-prefi | | +--rw source-ipv4-network? inet:ipv4-prefi
x x
| +--rw ipv6-acl {ipv6-acl}? | +--rw ipv6-acl {ipv6-acl}?
| | +--rw dscp? inet:dscp | | +--rw dscp? inet:dscp
| | +--rw ecn? uint8 | | +--rw ecn? uint8
| | +--rw length? uint16 | | +--rw length? uint16
| | +--rw ttl? uint8 | | +--rw ttl? uint8
| | +--rw protocol? uint8 | | +--rw protocol? uint8
| | +--rw source-port-range! | | +--rw source-port-range!
| | | +--rw lower-port inet:port-number | | | +--rw lower-port inet:port-number
| | | +--rw upper-port? inet:port-number | | | +--rw upper-port? inet:port-number
| | | +--rw operation? operator | | | +--rw operation? operator
| | +--rw destination-port-range! | | +--rw destination-port-range!
| | | +--rw lower-port inet:port-number | | | +--rw lower-port inet:port-number
| | | +--rw upper-port? inet:port-number | | | +--rw upper-port? inet:port-number
| | | +--rw opearations? operator | | | +--rw operations? operator
| | +--rw next-header? uint8 | | +--rw next-header? uint8
| | +--rw destination-ipv6-network? inet:ipv6-prefi | | +--rw destination-ipv6-network? inet:ipv6-prefi
x x
| | +--rw source-ipv6-network? inet:ipv6-prefi | | +--rw source-ipv6-network? inet:ipv6-prefi
x x
| | +--rw flow-label? inet:ipv6-flow- | | +--rw flow-label? inet:ipv6-flow-
label label
| +--rw l2-l3-ipv4-acl {mixed-ipv4-acl}? | +--rw l2-l3-ipv4-acl {mixed-ipv4-acl}?
| | +--rw destination-mac-address? yang:mac-ad | | +--rw destination-mac-address? yang:mac-ad
dress dress
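Review bot: renaming the leaf to "operations" fixes the spelling but leaves the two port-range containers inconsistent: source-port-range carries "operation" while destination-port-range carries "operations", and the same pair recurs in every tree fragment below. Both leaves have the same type and meaning, so use one name, presumably "operation", in both groupings.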
skipping to change at page 7, line 21 skipping to change at page 7, line 21
| | +--rw dscp? inet:dscp | | +--rw dscp? inet:dscp
| | +--rw ecn? uint8 | | +--rw ecn? uint8
| | +--rw length? uint16 | | +--rw length? uint16
| | +--rw ttl? uint8 | | +--rw ttl? uint8
| | +--rw protocol? uint8 | | +--rw protocol? uint8
| | +--rw source-port-range! | | +--rw source-port-range!
| | | +--rw lower-port inet:port-number | | | +--rw lower-port inet:port-number
| | | +--rw upper-port? inet:port-number | | | +--rw upper-port? inet:port-number
| | | +--rw operation? operator | | | +--rw operation? operator
| | +--rw destination-port-range! | | +--rw destination-port-range!
| | | +--rw lower-port inet:port-number | | | +--rw lower-port inet:port-number
| | | +--rw upper-port? inet:port-number | | | +--rw upper-port? inet:port-number
| | | +--rw opearations? operator | | | +--rw operations? operator
| | +--rw ihl? uint8 | | +--rw ihl? uint8
| | +--rw flags? bits | | +--rw flags? bits
| | +--rw offset? uint16 | | +--rw offset? uint16
| | +--rw identification? uint16 | | +--rw identification? uint16
| | +--rw destination-ipv4-network? inet:ipv4-p | | +--rw destination-ipv4-network? inet:ipv4-p
refix refix
| | +--rw source-ipv4-network? inet:ipv4-p | | +--rw source-ipv4-network? inet:ipv4-p
refix refix
| +--rw l2-l3-ipv6-acl {mixed-ipv6-acl}? | +--rw l2-l3-ipv6-acl {mixed-ipv6-acl}?
| | +--rw destination-mac-address? yang:mac-ad | | +--rw destination-mac-address? yang:mac-ad
skipping to change at page 7, line 52 skipping to change at page 7, line 52
| | +--rw dscp? inet:dscp | | +--rw dscp? inet:dscp
| | +--rw ecn? uint8 | | +--rw ecn? uint8
| | +--rw length? uint16 | | +--rw length? uint16
| | +--rw ttl? uint8 | | +--rw ttl? uint8
| | +--rw protocol? uint8 | | +--rw protocol? uint8
| | +--rw source-port-range! | | +--rw source-port-range!
| | | +--rw lower-port inet:port-number | | | +--rw lower-port inet:port-number
| | | +--rw upper-port? inet:port-number | | | +--rw upper-port? inet:port-number
| | | +--rw operation? operator | | | +--rw operation? operator
| | +--rw destination-port-range! | | +--rw destination-port-range!
| | | +--rw lower-port inet:port-number | | | +--rw lower-port inet:port-number
| | | +--rw upper-port? inet:port-number | | | +--rw upper-port? inet:port-number
| | | +--rw opearations? operator | | | +--rw operations? operator
| | +--rw next-header? uint8 | | +--rw next-header? uint8
| | +--rw destination-ipv6-network? inet:ipv6-p | | +--rw destination-ipv6-network? inet:ipv6-p
refix refix
| | +--rw source-ipv6-network? inet:ipv6-p | | +--rw source-ipv6-network? inet:ipv6-p
refix refix
| | +--rw flow-label? | | +--rw flow-label?
| | inet:ipv6-flow-label | | inet:ipv6-flow-label
| +--rw l2-l3-ipv4-ipv6-acl {l2-l3-ipv4-ipv6-acl}? | +--rw l2-l3-ipv4-ipv6-acl {l2-l3-ipv4-ipv6-acl}?
| | +--rw destination-mac-address? yang:mac-ad | | +--rw destination-mac-address? yang:mac-ad
dress dress
skipping to change at page 8, line 33 skipping to change at page 8, line 33
| | +--rw dscp? inet:dscp | | +--rw dscp? inet:dscp
| | +--rw ecn? uint8 | | +--rw ecn? uint8
| | +--rw length? uint16 | | +--rw length? uint16
| | +--rw ttl? uint8 | | +--rw ttl? uint8
| | +--rw protocol? uint8 | | +--rw protocol? uint8
| | +--rw source-port-range! | | +--rw source-port-range!
| | | +--rw lower-port inet:port-number | | | +--rw lower-port inet:port-number
| | | +--rw upper-port? inet:port-number | | | +--rw upper-port? inet:port-number
| | | +--rw operation? operator | | | +--rw operation? operator
| | +--rw destination-port-range! | | +--rw destination-port-range!
| | | +--rw lower-port inet:port-number | | | +--rw lower-port inet:port-number
| | | +--rw upper-port? inet:port-number | | | +--rw upper-port? inet:port-number
| | | +--rw opearations? operator | | | +--rw operations? operator
| | +--rw ihl? uint8 | | +--rw ihl? uint8
| | +--rw flags? bits | | +--rw flags? bits
| | +--rw offset? uint16 | | +--rw offset? uint16
| | +--rw identification? uint16 | | +--rw identification? uint16
| | +--rw destination-ipv4-network? inet:ipv4-p | | +--rw destination-ipv4-network? inet:ipv4-p
refix refix
| | +--rw source-ipv4-network? inet:ipv4-p | | +--rw source-ipv4-network? inet:ipv4-p
refix refix
| | +--rw next-header? uint8 | | +--rw next-header? uint8
| | +--rw destination-ipv6-network? inet:ipv6-p | | +--rw destination-ipv6-network? inet:ipv6-p
skipping to change at page 9, line 48 skipping to change at page 9, line 48
associated with the "acl-name". Each of the entries in the associated with the "acl-name". Each of the entries in the
list("access-list-entries"), indexed by the string "rule-name", has list("access-list-entries"), indexed by the string "rule-name", has
containers defining "matches" and "actions". containers defining "matches" and "actions".
The "matches" define criteria used to identify patterns in "ietf- The "matches" define criteria used to identify patterns in "ietf-
packet-fields". The "actions" define behavior to undertake once a packet-fields". The "actions" define behavior to undertake once a
"match" has been identified. In addition to permit and deny for "match" has been identified. In addition to permit and deny for
actions, a logging option allows for a match to be logged that can be actions, a logging option allows for a match to be logged that can be
used to determine which rule was matched upon. used to determine which rule was matched upon.
<CODE BEGINS> file "ietf-access-control-list@2017-09-01.yang" <CODE BEGINS> file "ietf-access-control-list@2017-09-12.yang"
module ietf-access-control-list { module ietf-access-control-list {
namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list";
prefix acl; prefix acl;
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
} }
import ietf-packet-fields { import ietf-packet-fields {
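Review bot: the prose describes a list "access-list-entries" indexed by "rule-name", but the augment paths in the example modules later in this draft walk "ietf-acl:aces/ietf-acl:ace/ietf-acl:matches"; align the text with the node names the module actually defines so that readers augmenting the model target the right path.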
skipping to change at page 10, line 51 skipping to change at page 10, line 51
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's Legal License set forth in Section 4.c of the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2017-09-01 { revision 2017-09-12 {
description description
"Added feature and identity statements for different types "Added feature and identity statements for different types
of rule matches. Split the matching rules based on the of rule matches. Split the matching rules based on the
feature statement and added a must statement within feature statement and added a must statement within
each container."; each container.";
reference reference
"RFC XXX: Network Access Control List (ACL) YANG Data Model."; "RFC XXX: Network Access Control List (ACL) YANG Data Model.";
} }
/* /*
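Review bot: the revision's reference reads "RFC XXX" while the module description a few lines up uses "RFC XXXX" (the ietf-packet-fields revision has the same mismatch); use one placeholder spelling so the RFC Editor's replacement catches every occurrence. The 2017-09-12 revision also keeps the 2017-09-01 description word for word, so the revision history does not record what changed in this version (the must-statement path fix and the leaf rename visible further down).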
skipping to change at page 18, line 51 skipping to change at page 18, line 51
get included for any given ACL with the exception of TCP, UDP and get included for any given ACL with the exception of TCP, UDP and
ICMP header fields. Those fields can be used in conjunction with any ICMP header fields. Those fields can be used in conjunction with any
of the above layer 2 or layer 3 fields. of the above layer 2 or layer 3 fields.
Since the number of match criteria is very large, the base draft does Since the number of match criteria is very large, the base draft does
not include these directly but references them by "uses" to keep the not include these directly but references them by "uses" to keep the
base module simple. In case more match conditions are needed, those base module simple. In case more match conditions are needed, those
can be added by augmenting choices within container "matches" in can be added by augmenting choices within container "matches" in
ietf-access-control-list.yang model. ietf-access-control-list.yang model.
<CODE BEGINS> file "ietf-packet-fields@2017-09-01.yang" <CODE BEGINS> file "ietf-packet-fields@2017-09-12.yang"
module ietf-packet-fields { module ietf-packet-fields {
namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields";
prefix packet-fields; prefix packet-fields;
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
} }
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
skipping to change at page 19, line 50 skipping to change at page 19, line 50
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's Legal License set forth in Section 4.c of the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2017-09-01 { revision 2017-09-12 {
description description
"Added header fields for TCP, UDP, and ICMP."; "Added header fields for TCP, UDP, and ICMP.";
reference reference
"RFC XXX: Network Access Control List (ACL) YANG Data Model."; "RFC XXX: Network Access Control List (ACL) YANG Data Model.";
} }
/* /*
* Typedefs * Typedefs
*/ */
typedef operator { typedef operator {
skipping to change at page 21, line 26 skipping to change at page 21, line 26
error-message error-message
"The upper-port must be greater than or equal "The upper-port must be greater than or equal
to lower-port"; to lower-port";
} }
description description
"Upper boundary for port. If it exists, the upper port "Upper boundary for port. If it exists, the upper port
must be greater or equal to lower-port."; must be greater or equal to lower-port.";
} }
leaf operation { leaf operation {
type operator; type operator;
must "(lower-port and not(upper-port))" { must "(../lower-port and not(../upper-port))" {
error-message error-message
"If lower-port is specified, and an operator is also "If lower-port is specified, and an operator is also
specified, then upper-port should not be specified."; specified, then upper-port should not be specified.";
description description
"If lower-port is specified, and an operator is also "If lower-port is specified, and an operator is also
specified, then upper-port should not be specified."; specified, then upper-port should not be specified.";
} }
default eq; default eq;
description description
"Operator to be applied on the lower-port."; "Operator to be applied on the lower-port.";
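Review bot: the new expression "../lower-port and not(../upper-port)" is the right fix: a must on a leaf is evaluated with that leaf as the XPath context node, so the old "lower-port" and "upper-port" selected children of the operation leaf, found nothing, and the constraint could never be satisfied. Two follow-ups: operation carries "default eq", and if the server treats an in-use default as present when evaluating must (RFC 7950, Section 6.4.1 states that leafs with defaults in use exist in the accessible tree), this constraint is applied even when the client configured only lower-port and upper-port, and not(../upper-port) then rejects every plain range; consider dropping the default or gating the leaf with a when. Also, the description nested inside the must repeats the error-message verbatim, and "should not be specified" understates a must; the description should say why the rule exists.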
skipping to change at page 22, line 20 skipping to change at page 22, line 20
type inet:port-number; type inet:port-number;
must ". >= ../lower-port" { must ". >= ../lower-port" {
error-message error-message
"The upper-port must be greater than or equal "The upper-port must be greater than or equal
to lower-port"; to lower-port";
} }
description description
"Upper boundary for port. If existing, the upper port must "Upper boundary for port. If existing, the upper port must
be greater or equal to lower-port"; be greater or equal to lower-port";
} }
leaf opearations { leaf operations {
type operator; type operator;
must "(lower-port and not(upper-port))" { must "(../lower-port and not(../upper-port))" {
error-message error-message
"If lower-port is specified, and an operator is also "If lower-port is specified, and an operator is also
specified, then upper-port should not be specified."; specified, then upper-port should not be specified.";
description description
"If lower-port is specified, and an operator is also "If lower-port is specified, and an operator is also
specified, then upper-port should not be specified."; specified, then upper-port should not be specified.";
} }
default eq; default eq;
description description
"Operator to be applied on the lower-port."; "Operator to be applied on the lower-port.";
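Review bot: the description of upper-port here ends without a period ("be greater or equal to lower-port") while the source-port-range copy has one, and the description inside the must again duplicates the error-message text. Since the two port-range groupings differ only in the name of this leaf, consider factoring a single port-range grouping that both source and destination reuse; that removes the duplicated text and the operation/operations naming drift in one step, and the default-eq interaction with not(../upper-port) raised for source-port-range applies here identically.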
skipping to change at page 36, line 50 skipping to change at page 36, line 50
| +--:(v4-lower-bound) | +--:(v4-lower-bound)
| | +--rw v4-lower-bound? inet:ipv4-prefix | | +--rw v4-lower-bound? inet:ipv4-prefix
| +--:(v4-upper-bound) | +--:(v4-upper-bound)
| +--rw v4-upper-bound? inet:ipv4-prefix | +--rw v4-upper-bound? inet:ipv4-prefix
+--rw (ipv6-range)? +--rw (ipv6-range)?
+--:(v6-lower-bound) +--:(v6-lower-bound)
| +--rw v6-lower-bound? inet:ipv6-prefix | +--rw v6-lower-bound? inet:ipv6-prefix
+--:(v6-upper-bound) +--:(v6-upper-bound)
+--rw v6-upper-bound? inet:ipv6-prefix +--rw v6-upper-bound? inet:ipv6-prefix
file "example-ext-route-filter@2017-09-01.yang" file "example-ext-route-filter@2017-09-12.yang"
module example-ext-route-filter { module example-ext-route-filter {
namespace "urn:ietf:params:xml:ns:yang:example-ext-route-filter"; namespace "urn:ietf:params:xml:ns:yang:example-ext-route-filter";
prefix example-ext-route-filter; prefix example-ext-route-filter;
import ietf-inet-types { import ietf-inet-types {
prefix "inet"; prefix "inet";
} }
import ietf-access-control-list { import ietf-access-control-list {
prefix "ietf-acl"; prefix "ietf-acl";
} }
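Review bot: modelling v4-lower-bound and v4-upper-bound (and the v6 pair) as separate cases of the ipv4-range / ipv6-range choice makes the two bounds mutually exclusive, so an instance can never carry both ends of a range. If a bounded range is intended, place both leaves in one case or container and constrain upper against lower with a must, as the port-range groupings do; if only a single bound is meant, the leaf names and the "range" choice name are misleading.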
skipping to change at page 37, line 27 skipping to change at page 37, line 27
"abc@abc.com"; "abc@abc.com";
description " description "
This module describes route filter as a collection of This module describes route filter as a collection of
match prefixes. When specifying a match prefix, you match prefixes. When specifying a match prefix, you
can specify an exact match with a particular route or can specify an exact match with a particular route or
a less precise match. You can configure either a a less precise match. You can configure either a
common action that applies to the entire list or an common action that applies to the entire list or an
action associated with each prefix. action associated with each prefix.
"; ";
revision 2017-09-01 { revision 2017-09-12 {
description description
"Creating Route-Filter extension model based on "Creating Route-Filter extension model based on
ietf-access-control-list model"; ietf-access-control-list model";
reference "Example route filter"; reference "Example route filter";
} }
augment "/ietf-acl:access-lists/ietf-acl:acl/" + augment "/ietf-acl:access-lists/ietf-acl:acl/" +
"ietf-acl:aces/ietf-acl:ace/ietf-acl:matches" { "ietf-acl:aces/ietf-acl:ace/ietf-acl:matches" {
description " description "
This module augments the matches container in the ietf-acl This module augments the matches container in the ietf-acl
skipping to change at page 41, line 23 skipping to change at page 41, line 23
} }
organization organization
"Newco model group."; "Newco model group.";
contact contact
"abc@newco.com"; "abc@newco.com";
description description
"This YANG module augments IETF ACL Yang."; "This YANG module augments IETF ACL Yang.";
revision 2017-09-01 { revision 2017-09-12 {
description description
"Creating NewCo proprietary extensions to ietf-acl model"; "Creating NewCo proprietary extensions to ietf-acl model";
reference reference
"RFC XXXX: Network Access Control List (ACL) "RFC XXXX: Network Access Control List (ACL)
YANG Data Model"; YANG Data Model";
} }
augment "/ietf-acl:access-lists/ietf-acl:acl/" + augment "/ietf-acl:access-lists/ietf-acl:acl/" +
"ietf-acl:aces/ietf-acl:ace/" + "ietf-acl:aces/ietf-acl:ace/" +
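Review bot: "This YANG module augments IETF ACL Yang." should read "IETF ACL YANG" (or "the IETF ACL YANG module"), and the organization string "Newco model group" disagrees with "NewCo" in the revision description; pick one spelling for the example company.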
End of changes. 19 change blocks.
29 lines changed or deleted, 29 lines changed or added
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/