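--- a/rfc9899v1.txt
+++ b/rfc9899.txt
@@ -12,17 +12,17 @@
 Internet Engineering Task Force (IETF) O. Gonzalez de Dios
 Request for Comments: 9899 Telefonica
 Category: Standards Track S. Barguil
 ISSN: 2070-1721 Nokia
 M. Boucadair
 Orange
 Q. Wu
 Huawei
 November 2025
-Extensions to the Access Control Lists (ACLs) YANG Model
+Extensions to the YANG Data Model for Access Control Lists (ACLs)
 Abstract
 RFC 8519 defines a YANG data model for Access Control Lists (ACLs).
 This document specifies a set of extensions that fix many of the
 limitations of the ACL model as initially defined in RFC 8519.
 Specifically, it introduces augmentations to the ACL base model to
 enhance its functionality and applicability.
 The document also defines IANA-maintained modules for ICMP types and
@@ -98,19 +98,19 @@
 A.5. Suboptimal TCP Flags Handling
 A.6. Rate-Limit Action
 A.7. Payload-Based Filtering
 A.8. Reuse the Content of ACLs Across Several Devices
 A.9. Match MPLS Headers
 Appendix B. Examples
 B.1. TCP Flags Handling
 B.2. Fragments Handling
 B.3. Pattern-Based Filtering
 B.4. VLAN Filtering
-B.5. ISID Filtering
+B.5. I-SID Filtering
 B.6. Rate-Limit
 Acknowledgments
 Authors' Addresses
 1. Introduction
 [RFC8519] defines Access Control Lists (ACLs) as a user-ordered set
 of filtering rules. The model targets the configuration of the
 filtering behavior of a device. However, the model structure, as
 defined in [RFC8519], suffers from a set of limitations. This
@@ -566,32 +566,32 @@
 Control Lists (ACLs), Section 4.2";
 }
 import ietf-routing-types {
 prefix rt-types;
 reference
 "RFC 8294: Common YANG Data Types for the Routing Area";
 }
 import iana-icmpv4-types {
 prefix iana-icmpv4-types;
 reference
-"RFC 9899: Extensions to the Access Control Lists (ACLs)
-YANG Model";
+"RFC 9899: Extensions to the YANG Data Model for Access
+Control Lists (ACLs)";
 }
 import iana-icmpv6-types {
 prefix iana-icmpv6-types;
 reference
-"RFC 9899: Extensions to the Access Control Lists (ACLs)
-YANG Model";
+"RFC 9899: Extensions to the YANG Data Model for Access
+Control Lists (ACLs)";
 }
 import iana-ipv6-ext-types {
 prefix iana-ipv6-ext-types;
 reference
-"RFC 9899: Extensions to the Access Control Lists (ACLs)
-YANG Model";
+"RFC 9899: Extensions to the YANG Data Model for Access
+Control Lists (ACLs)";
 }
 organization
 "IETF NETMOD Working Group";
 contact
 "WG Web: <https://datatracker.ietf.org/wg/netmod/>
 WG List: <mailto:netmod@ietf.org>
 Author: Mohamed Boucadair
 <mailto:mohamed.boucadair@orange.com>
@@ -615,18 +615,18 @@
 Relating to IETF Documents
 (https://trustee.ietf.org/license-info).
 This version of this YANG module is part of RFC 9899; see the
 RFC itself for full legal notices.";
 revision 2025-11-07 {
 description
 "Initial revision.";
 reference
-"RFC 9899: Extensions to the Access Control Lists (ACLs)
-YANG Model";
+"RFC 9899: Extensions to the YANG Data Model for Access
+Control Lists (ACLs)";
 }
 feature match-on-payload {
 description
 "Match based on a pattern is supported.";
 }
 feature match-on-vlan-filter {
 description
 "Match based on a VLAN range of a VLAN list is supported.";
@@ -2676,19 +2676,20 @@
 }
 ]
 }
 }
 ]
 }
 }
 Figure 8: Example of VLAN Filter (Message Body)
-B.5. ISID Filtering
-Figure 9 shows an ACL example to illustrate the ISID range filtering.
+B.5. I-SID Filtering
+Figure 9 shows an ACL example to illustrate the I-SID range
+filtering.
 {
 "ietf-access-control-list:acls": {
 "acl": [
 {
 "name": "test",
 "aces": {
 "ace": [
 {
 "name": "1",
@@ -2706,17 +2707,17 @@
 "forwarding": "ietf-access-control-list:accept"
 }
 }
 ]
 }
 }
 ]
 }
 }
-Figure 9: Example ISID Filter (Message Body)
+Figure 9: Example I-SID Filter (Message Body)
 B.6. Rate-Limit
 Figure 10 shows an ACL example to rate-limit incoming SYNs during a
 SYN flood attack.
 {
 "ietf-access-control-list:acls": {
 "acl": [
 {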
| End of changes. 9 change blocks. | ||||
| 13 lines changed or deleted | 14 lines changed or added | |||