YANG Data Model for Network Access Control Lists (ACLs)
RFC 8519
Document type: RFC - Proposed Standard (March 2019; Errata)
Authors: Mahesh Jethanandani, Sonal Agarwal, Lisa Huang, Dana Blair
Last updated: 2019-06-24
Replaces: draft-bogdanovic-netmod-acl-model
Stream: IETF
YANG validation: 0 errors, 0 warnings.
  xym 0.4 extracted ietf-access-control-list@2018-11-06.yang,
  ietf-packet-fields@2018-11-06.yang, example-newco-acl.yang and
  ietf-ethertypes@2018-11-06.yang from draft-ietf-netmod-acl-model-21.txt.
  ietf-access-control-list@2018-11-06.yang, ietf-packet-fields@2018-11-06.yang
  and ietf-ethertypes@2018-11-06.yang: pyang 1.7.8 (pyang --verbose --ietf) and
  yanglint 0.14.80 (yanglint --verbose -i) both report no validation errors.
WG state: Submitted to IESG for Publication
Document shepherd: Kent Watsen
Shepherd write-up: last changed 2018-05-21
IESG state: RFC 8519 (Proposed Standard)
Consensus boilerplate: Yes
Responsible AD: Ignas Bagdonas
Send notices to: "Kent Watsen" <kwatsen@juniper.net>
IANA review state: Version Changed - Review Needed
IANA action state: RFC-Ed-Ack
Internet Engineering Task Force (IETF)                   M. Jethanandani
Request for Comments: 8519                                        VMware
Category: Standards Track                                     S. Agarwal
ISSN: 2070-1721                                      Cisco Systems, Inc.
                                                                L. Huang
                                                                D. Blair
                                                              March 2019
YANG Data Model for Network Access Control Lists (ACLs)
Abstract
This document defines a data model for Access Control Lists (ACLs).
An ACL is a user-ordered set of rules used to configure the
forwarding behavior in a device. Each rule is used to find a match
on a packet and define actions that will be performed on the packet.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8519.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Jethanandani, et al. Standards Track [Page 1]
RFC 8519 YANG Data Model for ACLs March 2019
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 3
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.3. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4
2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 4
3. Understanding ACL's Filters and Actions . . . . . . . . . . . 4
3.1. ACL Modules . . . . . . . . . . . . . . . . . . . . . . . 5
4. ACL YANG Models . . . . . . . . . . . . . . . . . . . . . . . 9
4.1. IETF Access Control List Module . . . . . . . . . . . . . 9
4.2. IETF Packet Fields Module . . . . . . . . . . . . . . . . 24
4.3. ACL Examples . . . . . . . . . . . . . . . . . . . . . . 37
4.4. Port Range Usage and Other Examples . . . . . . . . . . . 39
5. Security Considerations . . . . . . . . . . . . . . . . . . . 42
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43
6.1. URI Registration . . . . . . . . . . . . . . . . . . . . 43
6.2. YANG Module Name Registration . . . . . . . . . . . . . . 44
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 44
7.1. Normative References . . . . . . . . . . . . . . . . . . 44
7.2. Informative References . . . . . . . . . . . . . . . . . 46
Appendix A. Extending ACL Model Examples . . . . . . . . . . . . 47
A.1. Example of a Company's Proprietary Module . . . . . . . . 47
A.2. Linux nftables . . . . . . . . . . . . . . . . . . . . . 50
A.3. Ethertypes . . . . . . . . . . . . . . . . . . . . . . . 51
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 60
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 60
1. Introduction
An Access Control List (ACL) is one of the basic elements used to
configure device-forwarding behavior. It is used in many networking
technologies such as Policy-Based Routing (PBR), firewalls, etc.
An ACL is a user-ordered set of rules that is used to filter traffic
on a networking device. Each rule is represented by an Access
Control Entry (ACE).
Each ACE has a group of match criteria and a group of actions.
The match criteria allow for the definition of packet headers and
metadata, the contents of which must match the definitions.
o Packet header matches apply to fields visible in the packet such
as address, Class of Service (CoS), or port number.
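As an added illustration (not code from RFC 8519 or its authors), the following evaluator walks an ACL instance in the ietf-access-control-list JSON layout and applies the user-ordered, first-match semantics described above: each ACE's match criteria (ipv4 network, protocol, tcp port) are checked in order and the first matching ACE's forwarding action is returned. The sample ACL, the packet dictionary layout, the rule that a tcp container only matches TCP packets, and the drop default when no ACE matches are assumptions of this example, not requirements of the model.

```python
import ipaddress
import json
# Constructed sample in the RFC 8519 ietf-access-control-list JSON layout: one IPv4 ACL
# whose two ACEs are user-ordered, so the first matching ACE decides the action.
SAMPLE_ACL_JSON = """{"ietf-access-control-list:acls": {"acl": [{
  "name": "sample-ipv4-acl", "type": "ipv4-acl-type", "aces": {"ace": [
    {"name": "allow-https",
     "matches": {"ipv4": {"protocol": 6, "destination-ipv4-network": "192.0.2.0/24"},
                 "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
     "actions": {"forwarding": "accept"}},
    {"name": "deny-rest", "matches": {"ipv4": {"destination-ipv4-network": "192.0.2.0/24"}},
     "actions": {"forwarding": "drop"}}]}}]}}"""

_PORT_OPS = {"eq": lambda p, v: p == v, "neq": lambda p, v: p != v,
             "lt": lambda p, v: p < v, "gt": lambda p, v: p > v}

def port_matches(spec, port):
    """port-range-or-operator node: lower-port/upper-port range, or operator (default eq) + port."""
    if "lower-port" in spec:
        return spec["lower-port"] <= port <= spec["upper-port"]
    return _PORT_OPS[spec.get("operator", "eq")](port, spec["port"])

def ace_matches(ace, pkt):
    """True when every criterion present in the ACE fits pkt (a constructed dict: protocol, src, dst, sport, dport)."""
    m = ace.get("matches", {})
    ip4 = m.get("ipv4", {})
    if "protocol" in ip4 and ip4["protocol"] != pkt["protocol"]:
        return False
    for key, field in (("source-ipv4-network", "src"), ("destination-ipv4-network", "dst")):
        if key in ip4 and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(ip4[key]):
            return False
    tcp = m.get("tcp")
    if tcp is not None and pkt["protocol"] != 6:  # assumption: a tcp container implies TCP
        return False
    for key, field in (("source-port", "sport"), ("destination-port", "dport")):
        if tcp and key in tcp and not port_matches(tcp[key], pkt[field]):
            return False
    return True

def evaluate(acls_json, acl_name, pkt, default="drop"):
    """Walk the named ACL's ACEs in user order and return (ace name, forwarding action)
    of the first match; the default when nothing matches is this example's choice."""
    acls = json.loads(acls_json)["ietf-access-control-list:acls"]["acl"]
    acl = next(a for a in acls if a["name"] == acl_name)
    for ace in acl["aces"]["ace"]:
        if ace_matches(ace, pkt):
            return ace["name"], ace["actions"]["forwarding"]
    return None, default
```

Swapping the two ACEs in the sample makes "deny-rest" shadow "allow-https" for every packet, which is why the ace list is ordered by the user rather than by the system.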