YANG Data Model for Network Access Control Lists (ACLs)
RFC 8519

Document Type RFC - Proposed Standard (March 2019; No errata)
Last updated 2019-03-12
Replaces draft-bogdanovic-netmod-acl-model
Stream IETF
Stream WG state Submitted to IESG for Publication (wg milestone: Jan 2018 - Submit draft-ietf-ne... )
Document shepherd Kent Watsen
IESG IESG state RFC 8519 (Proposed Standard)
Consensus Boilerplate Yes
Responsible AD Ignas Bagdonas
Send notices to "Kent Watsen" <kwatsen@juniper.net>
Internet Engineering Task Force (IETF)                   M. Jethanandani
Request for Comments: 8519                                        VMware
Category: Standards Track                                     S. Agarwal
ISSN: 2070-1721                                      Cisco Systems, Inc.
                                                                L. Huang
                                                                D. Blair
                                                              March 2019

        YANG Data Model for Network Access Control Lists (ACLs)

Abstract

   This document defines a data model for Access Control Lists (ACLs).
   An ACL is a user-ordered set of rules used to configure the
   forwarding behavior in a device.  Each rule is used to find a match
   on a packet and define actions that will be performed on the packet.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8519.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Jethanandani, et al.         Standards Track                    [Page 1]
RFC 8519                YANG Data Model for ACLs              March 2019

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Definitions and Acronyms  . . . . . . . . . . . . . . . .   3
     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
     1.3.  Tree Diagram  . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Problem Statement . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Understanding ACL's Filters and Actions . . . . . . . . . . .   4
     3.1.  ACL Modules . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . .   9
     4.1.  IETF Access Control List Module . . . . . . . . . . . . .   9
     4.2.  IETF Packet Fields Module . . . . . . . . . . . . . . . .  24
     4.3.  ACL Examples  . . . . . . . . . . . . . . . . . . . . . .  37
     4.4.  Port Range Usage and Other Examples . . . . . . . . . . .  39
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  42
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  43
     6.1.  URI Registration  . . . . . . . . . . . . . . . . . . . .  43
     6.2.  YANG Module Name Registration . . . . . . . . . . . . . .  44
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  44
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  44
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  46
   Appendix A.  Extending ACL Model Examples . . . . . . . . . . . .  47
     A.1.  Example of a Company's Proprietary Module . . . . . . . .  47
     A.2.  Linux nftables  . . . . . . . . . . . . . . . . . . . . .  50
     A.3.  Ethertypes  . . . . . . . . . . . . . . . . . . . . . . .  51
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  60
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  60

1.  Introduction

   An Access Control List (ACL) is one of the basic elements used to
   configure device-forwarding behavior.  It is used in many networking
   technologies such as Policy-Based Routing (PBR), firewalls, etc.

   An ACL is a user-ordered set of rules that is used to filter traffic
   on a networking device.  Each rule is represented by an Access
   Control Entry (ACE).

   Each ACE has a group of match criteria and a group of actions.

   The match criteria allow for the definition of packet headers and
   metadata, the contents of which must match the definitions.

   o  Packet header matches apply to fields visible in the packet such
      as address, Class of Service (CoS), or port number.

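   The introduction above describes an ACL as a user-ordered set of ACEs,
   each pairing match criteria on packet-header fields with actions.  The
   following is an added illustration, not code from the RFC: a minimal
   first-match evaluator over a constructed ACL written in the JSON node
   layout of the ietf-access-control-list module (acls/acl/aces/ace with
   "matches" and "actions"; the node names are taken from the module as
   published, not from this excerpt).  The "drop" default for packets that
   match no ACE is an assumption of the example, not something the model
   mandates.

```python
import ipaddress

# Constructed sample ACL in the JSON encoding of ietf-access-control-list:
# one ACL, two ACEs, evaluated in user order, first match wins.
ACL = {
    "name": "mgmt-in", "type": "ipv4-acl-type",
    "aces": {"ace": [
        {"name": "deny-ssh-from-guest",           # narrow deny placed first
         "matches": {"ipv4": {"protocol": 6, "source-ipv4-network": "10.20.0.0/16"},
                     "tcp": {"destination-port": {"operator": "eq", "port": 22}}},
         "actions": {"forwarding": "drop"}},
        {"name": "permit-ssh-from-corp",          # broad permit placed second
         "matches": {"ipv4": {"protocol": 6, "source-ipv4-network": "10.0.0.0/8"},
                     "tcp": {"destination-port": {"operator": "eq", "port": 22}}},
         "actions": {"forwarding": "accept"}},
    ]},
}

def port_matches(spec, value):
    """port-range-or-operator: either lower-port/upper-port or operator+port."""
    if "lower-port" in spec:
        return spec["lower-port"] <= value <= spec["upper-port"]
    op, port = spec["operator"], spec["port"]
    return {"eq": value == port, "neq": value != port,
            "lte": value <= port, "gte": value >= port}[op]

def ace_matches(matches, pkt):
    """True if every match criterion present in the ACE holds for the packet."""
    ipv4 = matches.get("ipv4", {})
    if "protocol" in ipv4 and pkt["protocol"] != ipv4["protocol"]:
        return False
    for key, field in (("source-ipv4-network", "src"), ("destination-ipv4-network", "dst")):
        if key in ipv4 and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(ipv4[key]):
            return False
    tcp = matches.get("tcp", {})
    if tcp and pkt["protocol"] != 6:          # TCP fields only apply to TCP packets
        return False
    for key, field in (("source-port", "sport"), ("destination-port", "dport")):
        if key in tcp and not port_matches(tcp[key], pkt[field]):
            return False
    return True

def evaluate(acl, pkt, default="drop"):
    """Return (ace name, forwarding action) of the first ACE that matches, in user order."""
    for ace in acl["aces"]["ace"]:
        if ace_matches(ace.get("matches", {}), pkt):
            return ace["name"], ace["actions"]["forwarding"]
    return None, default                       # no ACE matched: assumed default applies
```

   Swapping the two ACEs makes the broad permit shadow the narrow deny, which
   is why the model treats ACE order as user-defined rather than incidental.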