| rfc9899v3.txt | rfc9899.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) O. Gonzalez de Dios | Internet Engineering Task Force (IETF) O. Gonzalez de Dios | |||
| Request for Comments: 9899 Telefonica | Request for Comments: 9899 Telefonica | |||
| Category: Standards Track S. Barguil | Category: Standards Track S. Barguil | |||
| ISSN: 2070-1721 Nokia | ISSN: 2070-1721 Nokia | |||
| M. Boucadair | M. Boucadair | |||
| Orange | Orange | |||
| Q. Wu | Q. Wu | |||
| Huawei | Huawei | |||
| November 2025 | December 2025 | |||
| Extensions to the YANG Data Model for Access Control Lists (ACLs) | Extensions to the YANG Data Model for Access Control Lists (ACLs) | |||
| Abstract | Abstract | |||
| RFC 8519 defines a YANG data model for Access Control Lists (ACLs). | RFC 8519 defines a YANG data model for Access Control Lists (ACLs). | |||
| This document specifies a set of extensions that fix many of the | This document specifies a set of extensions that fix many of the | |||
| limitations of the ACL model as initially defined in RFC 8519. | limitations of the ACL model as initially defined in RFC 8519. | |||
| Specifically, it introduces augmentations to the ACL base model to | Specifically, it introduces augmentations to the ACL base model to | |||
| enhance its functionality and applicability. | enhance its functionality and applicability. | |||
| This document also defines initial versions of IANA-maintained | This document also creates initial versions of IANA-maintained | |||
| modules for ICMP types and IPv6 extension headers. | modules for ICMP types and IPv6 extension headers. | |||
| Status of This Memo | Status of This Memo | |||
| This is an Internet Standards Track document. | This is an Internet Standards Track document. | |||
| This document is a product of the Internet Engineering Task Force | This document is a product of the Internet Engineering Task Force | |||
| (IETF). It represents the consensus of the IETF community. It has | (IETF). It represents the consensus of the IETF community. It has | |||
| received public review and has been approved for publication by the | received public review and has been approved for publication by the | |||
| Internet Engineering Steering Group (IESG). Further information on | Internet Engineering Steering Group (IESG). Further information on | |||
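Review bot: the abstract's switch from "defines" to "creates" for the IANA-maintained ICMP and IPv6 extension header modules is the accurate verb and should be kept, because the Section 6.3 notes later in this diff state that new values must not be added to the modules directly but to the IANA registries, so the document only seeds the initial module versions and IANA owns them afterwards. The header date moving from November 2025 to December 2025 is the only header field that changes; the "Reference: RFC 9899" lines in Section 6.2 already carry the assigned number, so nothing else in the front matter needs to follow.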
| skipping to change at line 155 ¶ | skipping to change at line 155 ¶ | |||
| [RFC8956]. Therefore, it is valuable from a network operation | [RFC8956]. Therefore, it is valuable from a network operation | |||
| standpoint to support the means to easily map to the filtering rules | standpoint to support the means to easily map to the filtering rules | |||
| conveyed in messages triggered by these tools. | conveyed in messages triggered by these tools. | |||
| The enhanced ACL module (Section 4) conforms to the Network | The enhanced ACL module (Section 4) conforms to the Network | |||
| Management Datastore Architecture (NMDA) defined in [RFC8342]. | Management Datastore Architecture (NMDA) defined in [RFC8342]. | |||
| A set of examples to illustrate the use of the enhanced ACL module is | A set of examples to illustrate the use of the enhanced ACL module is | |||
| provided in Appendix B. | provided in Appendix B. | |||
| This document also defines initial versions of IANA-maintained | This document also creates initial versions of IANA-maintained | |||
| modules for ICMP types and IPv6 extension headers. The design of the | modules for ICMP types and IPv6 extension headers. The design of the | |||
| modules adheres to the recommendations in Section 4.30.2 of | modules adheres to the recommendations in Section 4.30.2 of | |||
| [YANG-GUIDELINES]. The latest version of these IANA-maintained | [YANG-GUIDELINES]. The latest version of these IANA-maintained | |||
| modules can be retrieved from the "YANG Parameters" registry group | modules can be retrieved from the "YANG Parameters" registry group | |||
| [IANA-YANG-PARAMETERS]. | [IANA-YANG-PARAMETERS]. | |||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
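Review bot: the Section 1 sentence now reads identically to the abstract, which is the right outcome since the abstract restates this paragraph; the sentence that follows it ("The latest version of these IANA-maintained modules can be retrieved from the "YANG Parameters" registry group") is exactly what makes "creates" rather than "defines" the correct verb, so no further wording change is needed in this hunk.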
| skipping to change at line 393 ¶ | skipping to change at line 393 ¶ | |||
| with an operator (equal to, greater than or equal to, etc.). | with an operator (equal to, greater than or equal to, etc.). | |||
| Protocol sets: A protocol set contains a list of protocol values. A | Protocol sets: A protocol set contains a list of protocol values. A | |||
| protocol can be identified by either a number (e.g., 17) or a name | protocol can be identified by either a number (e.g., 17) or a name | |||
| (e.g., UDP). | (e.g., UDP). | |||
| ICMP sets: An ICMP set contains a list of ICMPv4 [RFC0792] or ICMPv6 | ICMP sets: An ICMP set contains a list of ICMPv4 [RFC0792] or ICMPv6 | |||
| [RFC4443] types, and each type is identified by a type value and | [RFC4443] types, and each type is identified by a type value and | |||
| is optionally identified by the code and the rest of the header. | is optionally identified by the code and the rest of the header. | |||
| IANA-maintained modules for ICMP types are defined in this | IANA-maintained modules for ICMP types are created in this | |||
| document. | document. | |||
| Aliases: An alias is defined by a combination of various parameters | Aliases: An alias is defined by a combination of various parameters | |||
| (e.g., IP prefix, protocol, port number, or VLAN [IEEE802.1Qcp]). | (e.g., IP prefix, protocol, port number, or VLAN [IEEE802.1Qcp]). | |||
| When only sets of one parameter (e.g., protocol) are handled, then | When only sets of one parameter (e.g., protocol) are handled, then | |||
| the relevant parameter sets should be used (e.g., protocol set) | the relevant parameter sets should be used (e.g., protocol set) | |||
| rather than an alias. | rather than an alias. | |||
| For example, an alias can be defined to apply ACL policies bound | For example, an alias can be defined to apply ACL policies bound | |||
| to a set of HTTPS servers. Such an alias will typically include | to a set of HTTPS servers. Such an alias will typically include | |||
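Review bot: "IANA-maintained modules for ICMP types are created in this document" in the ICMP sets item names no section; a forward reference to Sections 6.3.1 and 6.3.2, where the "iana-icmpv4-types" and "iana-icmpv6-types" modules are actually introduced, would save the reader a search through the document.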
| skipping to change at line 423 ¶ | skipping to change at line 423 ¶ | |||
| information, to identify, allow, or block traffic based on | information, to identify, allow, or block traffic based on | |||
| specific content or patterns within the payload. An offset type | specific content or patterns within the payload. An offset type | |||
| (e.g., Layer 2 or Layer 3) is used to indicate the position of the | (e.g., Layer 2 or Layer 3) is used to indicate the position of the | |||
| data in the packet to use for the match. | data in the packet to use for the match. | |||
| 3.3. IPv6 Extension Headers | 3.3. IPv6 Extension Headers | |||
| The enhanced ACL module can be used to manage ACLs that require | The enhanced ACL module can be used to manage ACLs that require | |||
| matching against IPv6 extension headers [RFC8200]. To that aim, a | matching against IPv6 extension headers [RFC8200]. To that aim, a | |||
| new IANA-maintained module for IPv6 extension header types, "iana- | new IANA-maintained module for IPv6 extension header types, "iana- | |||
| ipv6-ext-types", is defined in this document. | ipv6-ext-types", is created in this document. | |||
| 3.4. TCP Flags Handling | 3.4. TCP Flags Handling | |||
| The augmented ACL module includes a new container 'flags-bitmask' to | The augmented ACL module includes a new container 'flags-bitmask' to | |||
| better handle TCP flags (Section 3.1 of [RFC9293]). Assigned TCP | better handle TCP flags (Section 3.1 of [RFC9293]). Assigned TCP | |||
| flags are maintained in the "TCP Header Flags" registry under the | flags are maintained in the "TCP Header Flags" registry under the | |||
| "Transmission Control Protocol (TCP) Parameters" registry group | "Transmission Control Protocol (TCP) Parameters" registry group | |||
| [IANA-TCP-FLAGS]. | [IANA-TCP-FLAGS]. | |||
| Clients that support both 'flags-bitmask' and 'flags' [RFC8519] | Clients that support both 'flags-bitmask' and 'flags' [RFC8519] | |||
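Review bot: Section 3.3 quotes the module name split across a line break ("iana-" / "ipv6-ext-types"); that is the RFC's own text wrapping rather than a typo, and the name matches the "Name:" and "Prefix:" lines of the registration block in Section 6.2 later in this diff, so it is consistent. As with the ICMP sets item in Section 3.2, a pointer to Section 6.3.3 here would help the reader locate the module.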
| skipping to change at line 1903 ¶ | skipping to change at line 1903 ¶ | |||
| Name: iana-ipv6-ext-types | Name: iana-ipv6-ext-types | |||
| Maintained by IANA: Y | Maintained by IANA: Y | |||
| Namespace: urn:ietf:params:xml:ns:yang:iana-ipv6-ext-types | Namespace: urn:ietf:params:xml:ns:yang:iana-ipv6-ext-types | |||
| Prefix: iana-ipv6-ext-types | Prefix: iana-ipv6-ext-types | |||
| Reference: RFC 9899 | Reference: RFC 9899 | |||
| 6.3. Considerations for IANA-Maintained Modules | 6.3. Considerations for IANA-Maintained Modules | |||
| 6.3.1. ICMPv4 Types IANA Module | 6.3.1. ICMPv4 Types IANA Module | |||
| This document defines the initial version of the IANA-maintained | This document creates the initial version of the IANA-maintained | |||
| "iana-icmpv4-types" YANG module. The most recent version of the YANG | "iana-icmpv4-types" YANG module. The most recent version of the YANG | |||
| module is available in the "YANG Parameters" registry group | module is available in the "YANG Parameters" registry group | |||
| [IANA-YANG-PARAMETERS]. | [IANA-YANG-PARAMETERS]. | |||
| IANA has added this note to the registry: | IANA has added this note to the registry: | |||
| | New values must not be directly added to the "iana-icmpv4-types" | | New values must not be directly added to the "iana-icmpv4-types" | |||
| | YANG module. They must instead be added to the "ICMP Type | | YANG module. They must instead be added to the "ICMP Type | |||
| | Numbers" registry [IANA-ICMPv4]. | | Numbers" registry [IANA-ICMPv4]. | |||
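Review bot: "creates the initial version of the IANA-maintained "iana-icmpv4-types" YANG module" in 6.3.1 pairs correctly with the IANA note quoted directly below it, which forbids adding values to the module directly and routes them to the "ICMP Type Numbers" registry instead. The singular "the initial version" here versus "initial versions" in the abstract is fine, since the abstract covers all three modules at once.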
| skipping to change at line 1950 ¶ | skipping to change at line 1950 ¶ | |||
| IANA has added this note to "ICMP Type Numbers" registry | IANA has added this note to "ICMP Type Numbers" registry | |||
| [IANA-ICMPv4] and listed this document as an additional reference for | [IANA-ICMPv4] and listed this document as an additional reference for | |||
| the registry: | the registry: | |||
| | When this registry is modified, the YANG module "iana- | | When this registry is modified, the YANG module "iana- | |||
| | icmpv4-types" [IANA-YANG-PARAMETERS] must be updated as defined in | | icmpv4-types" [IANA-YANG-PARAMETERS] must be updated as defined in | |||
| | RFC 9899. | | RFC 9899. | |||
| 6.3.2. ICMPv6 Types IANA Module | 6.3.2. ICMPv6 Types IANA Module | |||
| This document defines the initial version of the IANA-maintained | This document creates the initial version of the IANA-maintained | |||
| "iana-icmpv6-types" YANG module. The most recent version of the YANG | "iana-icmpv6-types" YANG module. The most recent version of the YANG | |||
| module is available in the "YANG Parameters" registry group | module is available in the "YANG Parameters" registry group | |||
| [IANA-YANG-PARAMETERS]. | [IANA-YANG-PARAMETERS]. | |||
| IANA has added this note to the registry: | IANA has added this note to the registry: | |||
| | New values must not be directly added to the "iana-icmpv6-types" | | New values must not be directly added to the "iana-icmpv6-types" | |||
| | YANG module. They must instead be added to the "ICMPv6 "type" | | YANG module. They must instead be added to the "ICMPv6 "type" | |||
| | Numbers" registry [IANA-ICMPv6]. | | Numbers" registry [IANA-ICMPv6]. | |||
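Review bot: the nested double quotes in "the "ICMPv6 "type" Numbers" registry" inside the 6.3.2 IANA note are the registry's actual title (the same form appears in the unchanged text of the next hunk, "IANA has added this note to the "ICMPv6 "type" Numbers" registry"), so they should not be normalized to single quotes in a later editorial pass.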
| skipping to change at line 1997 ¶ | skipping to change at line 1997 ¶ | |||
| IANA has added this note to the "ICMPv6 "type" Numbers" registry | IANA has added this note to the "ICMPv6 "type" Numbers" registry | |||
| [IANA-ICMPv6] and listed this document as an additional reference for | [IANA-ICMPv6] and listed this document as an additional reference for | |||
| the registry: | the registry: | |||
| | When this registry is modified, the YANG module "iana- | | When this registry is modified, the YANG module "iana- | |||
| | icmpv6-types" [IANA-YANG-PARAMETERS] must be updated as defined in | | icmpv6-types" [IANA-YANG-PARAMETERS] must be updated as defined in | |||
| | RFC 9899. | | RFC 9899. | |||
| 6.3.3. IPv6 Extension Header Types IANA Module | 6.3.3. IPv6 Extension Header Types IANA Module | |||
| This document defines the initial version of the IANA-maintained | This document creates the initial version of the IANA-maintained | |||
| "iana-ipv6-ext-types" YANG module. The most recent version of the | "iana-ipv6-ext-types" YANG module. The most recent version of the | |||
| YANG module is available in the "YANG Parameters" registry group | YANG module is available in the "YANG Parameters" registry group | |||
| [IANA-YANG-PARAMETERS]. | [IANA-YANG-PARAMETERS]. | |||
| IANA has added this note to the registry: | IANA has added this note to the registry: | |||
| | New values must not be directly added to the "iana-ipv6-ext-types" | | New values must not be directly added to the "iana-ipv6-ext-types" | |||
| | YANG module. They must instead be added to the "IPv6 Extension | | YANG module. They must instead be added to the "IPv6 Extension | |||
| | Header Types" registry [IANA-IPv6]. | | Header Types" registry [IANA-IPv6]. | |||
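Review bot: 6.3.3 carries only the first IANA note (values go to the "IPv6 Extension Header Types" registry, not the module), whereas 6.3.1 and 6.3.2 are each followed by a reciprocal note on the registry itself ("When this registry is modified, the YANG module ... must be updated as defined in RFC 9899"); this diff excerpt ends right after the first note, so confirm that the full text of 6.3.3 includes the matching reciprocal note for the "IPv6 Extension Header Types" registry.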
| End of changes. 8 change blocks. | ||||
| 8 lines changed or deleted | 8 lines changed or added | |||