
69th IETF meeting NEE BoF: ACL data model for NETCONF (draft-iijima-ngo-acldatamodel-00)


Presentation Transcript


  1. 69th IETF meeting NEE BoF. ACL data model for NETCONF (draft-iijima-ngo-acldatamodel-00). Monday, July 23, 2007. Tomoyuki Iijima, Yoshifumi Atarashi, Hiroyasu Kimura, Makoto Kitani (Alaxala Networks); Hideki Okita (Hitachi Central Research Lab)

  2. Our motives
     • Last 68th IETF meeting
       • We proposed a VLAN data model for NETCONF as a data model reference at the OPSAREA session
       • draft-iijima-ngo-vlandatamodel-00
     • This 69th IETF meeting
       • Following the VLAN data model, we would like to propose an ACL (Access Control List) data model as well at this NEE BoF
       • draft-iijima-ngo-acldatamodel-00
     • BTW, ACL in this draft means filtering of data packets, not filtering of NETCONF operations.
     • By proposing several data models, we would like to stimulate data model discussion in the NETCONF-related WG.

  3. Configuration application utilizing the ACL data model
     • Developed by using ACL APIs based on the ACL data model and by using NETCONF as the protocol with a network device.
     • Operators don't need to input ACL configuration by hand into network devices or into the application.
     (Diagram labels: spreadsheet file (lists of ACL) with entries "deny user1" and "accept user2"; operator; open + read; configuration application developed by ACL APIs; NETCONF request / NETCONF reply; ACL configuration is done by NETCONF; internet; user1; user2.)

  4. GUI of the ACL configuration application

  5. Network functions to be modeled
     • We extracted several network functions to be modeled from a typical network.
     • ACL is very useful when configured from a network application, since a large number of filtering rules are commonly applied to every network device.
     • Collaboration with security appliances is achievable.
     (Diagram: a typical network spanning Internet, ISP, Enterprise network and Home; functions listed per node: ACL (Filtering), Route, Line; ACL (Filtering), Route, Line; ACL (Filtering), VRRP, Line; VLAN, Line, Link Aggregation; Node.)

  6. Configuration data required to be incorporated
     • We considered that the following configuration data need to be incorporated into each network function's data model.

  7. ACL's UML class diagram (association = has-a, inheritance = is-a)
     AccessList
       • flowId : FlowId
       • flowDescInfo : FlowDescInfo[]
     FlowDescInfo
       • action : Action
     Action
       • filter : Filter
     Filter
       • type : String
     FlowLayer2Standard (is-a FlowDescInfo)
       • sourceMac : String
       • destinationMac : String
       • ethernetType : String
       • vlanId : short
     FlowLayer3Standard (is-a FlowDescInfo)
       • sourceIP : IPV4Address
     FlowLayer3Extended (is-a FlowDescInfo)
       • sourceIP : IPV4Address
       • dstIP : IPV4Address
       • protocol : String
       • tos : String
       • sourcePort : String
       • destinationPort : String
       • ackFlag : String
       • synFlag : String
       • vlanId : short
       • srcIPRange : RangeIP4
       • dstIPRange : RangeIP4
       • srcPtRange : RangePt
       • dstPtRange : RangePt
     FlowLayer3V6Extended (is-a FlowDescInfo)
       • sourceIP : IPV6Address
       • dstIP : IPV6Address
       • vlanId : short
       • protocol : String

  8. Some of ACL’s APIs generated from data model

  9. Our NETCONF related drafts
     • draft-atarashi-ngo-consider-architecture-01
       • Overall NETCONF architecture capable of controlling server/storage systems
     • draft-iijima-netconf-soap-implementation-02
       • Experiences and guidelines of NETCONF/SOAP implementation
     • draft-iijima-ngo-acldatamodel-00
       • ACL data model for NETCONF and its use case
     • draft-iijima-ngo-vlandatamodel-00
       • VLAN data model for NETCONF and its use case
     • draft-okita-ngo-diffservdatamodel-01
       • A proposal of a DiffServ data model for the unofficial meeting in San Diego

  10. Conclusion
     • We showed our ACL data model as a data model reference in order to stimulate NETCONF data model discussion.
     • We would like to request that this I-D be accepted as an informational I-D for a future scope of the NGO or NEE WG.

  11. ACL's XML schema, xsd format (1/7)
     <xs:schema id="onapi-datamodel_1.1"
                targetNamespace="urn:net:alaxala:oan:onapi:commons:netmod:1.1"
                xmlns:ncp="urn:ietf:params:xml:ns:netconf:base:1.0"
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:nm1_0="urn:net:alaxala:oan:onapi:commons:netmod:1.0"
                xmlns:nm1_1="urn:net:alaxala:oan:onapi:commons:netmod:1.1">
       <xs:import namespace="urn:ietf:params:xml:ns:netconf:base:1.0" schemaLocation="netconf-base_1.0.xsd"/>
       <xs:import namespace="urn:net:alaxala:oan:onapi:commons:netmod:1.0" schemaLocation="onapi-datamodel_1.0.xsd"/>
       <xs:element name="FlowId" type="nm1_1:FlowIdType"/>
       <xs:element name="AccessList" type="nm1_1:AccessListType"/>
       <xs:element name="NumberSequenceInfo" type="nm1_1:NumberSequenceInfoType"/>
       <xs:complexType name="AccessListType">
         <xs:sequence>
           <xs:element ref="nm1_1:FlowId"/>
           <xs:element name="Remark" type="xs:string" maxOccurs="1" minOccurs="0"/>
           <xs:element ref="nm1_1:NumberSequenceInfo" maxOccurs="1" minOccurs="0"/>
           <xs:choice>
             <xs:element ref="nm1_1:FlowDescInfo" maxOccurs="unbounded" minOccurs="0"/>
             <xs:element ref="nm1_1:FlowLayer2Standard" maxOccurs="unbounded" minOccurs="0"/>
             <xs:element ref="nm1_1:FlowLayer3Standard" maxOccurs="unbounded" minOccurs="0"/>
             <xs:element ref="nm1_1:FlowLayer3v6Extended" maxOccurs="unbounded" minOccurs="0"/>
             <xs:element ref="nm1_1:FlowLayer3Extended" maxOccurs="unbounded" minOccurs="0"/>
           </xs:choice>
         </xs:sequence>
         <xs:attribute name="operation" type="ncp:editOperationType"/>
       </xs:complexType>

  12. ACL's XML schema, xsd format (2/7)
       <xs:complexType name="NumberSequenceInfoType">
         <xs:sequence>
           <xs:element name="StartingSeq" type="xs:integer" maxOccurs="1" minOccurs="0"/>
           <xs:element name="IncrementSeq" type="xs:integer" maxOccurs="1" minOccurs="0"/>
         </xs:sequence>
       </xs:complexType>
       <xs:complexType name="FlowDescInfoType">
         <xs:sequence>
           <xs:element name="Sequence" type="xs:integer" maxOccurs="1" minOccurs="0"/>
           <xs:element ref="nm1_1:Action" maxOccurs="1" minOccurs="0"/>
           <xs:element name="AccessListInfo" type="xs:string" maxOccurs="1" minOccurs="0"/>
         </xs:sequence>
       </xs:complexType>
       <xs:element name="Filter" type="nm1_1:Filter"/>
       <xs:element name="Action" type="nm1_1:ActionType"/>
       <xs:complexType name="ActionType">
         <xs:sequence>
           <xs:element ref="nm1_1:Filter" maxOccurs="1" minOccurs="0"/>
         </xs:sequence>
       </xs:complexType>
       <xs:complexType name="FlowLayer2StandardType">
         <xs:complexContent>
           <xs:extension base="nm1_1:FlowDescInfoType">
             <xs:sequence maxOccurs="1" minOccurs="0">
               <xs:element name="SourceMac" type="nm1_0:MacAddress" maxOccurs="1" minOccurs="0"/>
               <xs:element name="DestinationMac" type="nm1_0:MacAddress" maxOccurs="1" minOccurs="0"/>
               <xs:element name="EthernetType" type="xs:string" maxOccurs="1" minOccurs="0"/>
               <xs:element ref="nm1_0:VlanId" maxOccurs="1" minOccurs="0"/>
             </xs:sequence>
           </xs:extension>
         </xs:complexContent>
       </xs:complexType>

  13. ACL's XML schema, xsd format (3/7)
       <xs:complexType name="FlowLayer3StandardType">
         <xs:complexContent>
           <xs:extension base="nm1_1:FlowDescInfoType">
             <xs:sequence>
               <xs:element name="SourceIP" type="nm1_0:IPV4Address" maxOccurs="1" minOccurs="1"/>
             </xs:sequence>
           </xs:extension>
         </xs:complexContent>
       </xs:complexType>
       <xs:complexType name="FlowLayer3ExtendedType">
         <xs:complexContent>
           <xs:extension base="nm1_1:FlowDescInfoType">
             <xs:sequence>
               <xs:element name="SourceIP" type="nm1_0:IPV4Address" maxOccurs="1" minOccurs="0"/>
               <xs:element name="DestinationIP" type="nm1_0:IPV4Address" maxOccurs="1" minOccurs="0"/>
               <xs:element name="Protocol" type="xs:string" maxOccurs="1" minOccurs="0"/>
               <xs:element name="Tos" type="xs:string" maxOccurs="1" minOccurs="0"/>
               <xs:element name="SourcePort" type="xs:string" maxOccurs="1" minOccurs="0"/>
               <xs:element name="DestinationPort" type="xs:string" maxOccurs="1" minOccurs="0"/>
               <xs:element name="AckFlag" type="xs:string" maxOccurs="1" minOccurs="0"/>
               <xs:element name="SynFlag" type="xs:string" maxOccurs="1" minOccurs="0"/>
               <xs:element ref="nm1_0:VlanId" maxOccurs="1" minOccurs="0"/>
             </xs:sequence>
           </xs:extension>
         </xs:complexContent>
       </xs:complexType>

  14. ACL's XML schema, xsd format (4/7)
       <xs:complexType name="FlowLayer3v6ExtendedType">
         <xs:complexContent>
           <xs:extension base="nm1_1:FlowDescInfoType">
             <xs:sequence>
               <xs:element name="SourceIP" type="nm1_0:IPV6Address" maxOccurs="1" minOccurs="0"/>
               <xs:element name="DestinationIP" type="nm1_0:IPV6Address" maxOccurs="1" minOccurs="0"/>
               <xs:element name="Protocol" type="xs:string" maxOccurs="1" minOccurs="0"/>
               <xs:element ref="nm1_0:VlanId" maxOccurs="1" minOccurs="0"/>
             </xs:sequence>
           </xs:extension>
         </xs:complexContent>
       </xs:complexType>
       <xs:element name="FlowLayer2Standard" type="nm1_1:FlowLayer2StandardType"/>
       <xs:element name="FlowLayer3Standard" type="nm1_1:FlowLayer3StandardType"/>
       <xs:element name="FlowLayer3v6Extended" type="nm1_1:FlowLayer3v6ExtendedType"/>
       <xs:element name="FlowLayer3Extended" type="nm1_1:FlowLayer3ExtendedType"/>
       <xs:element name="AccessLists">
         <xs:complexType>
           <xs:sequence>
             <xs:element ref="nm1_1:AccessList" maxOccurs="unbounded" minOccurs="0"/>
           </xs:sequence>
         </xs:complexType>
       </xs:element>

  15. ACL's XML schema, xsd format (5/7)
       <xs:element name="FlowDescInfo" type="nm1_1:FlowDescInfoType"/>
       <xs:complexType name="IfAccessListType">
         <xs:sequence>
           <xs:element name="FilterIn" minOccurs="0" form="qualified">
             <xs:complexType>
               <xs:sequence>
                 <xs:element ref="nm1_1:FlowId" maxOccurs="unbounded" minOccurs="0"/>
               </xs:sequence>
             </xs:complexType>
           </xs:element>
           <xs:element name="FilterOut" minOccurs="0" form="qualified">
             <xs:complexType>
               <xs:sequence>
                 <xs:element ref="nm1_1:FlowId" maxOccurs="unbounded" minOccurs="0"/>
               </xs:sequence>
             </xs:complexType>
           </xs:element>
         </xs:sequence>
       </xs:complexType>
       <xs:complexType name="FlowIdType">
         <xs:sequence>
           <xs:element name="Id" type="xs:string" maxOccurs="1" minOccurs="0" form="qualified"/>
           <xs:element name="Type" type="xs:string" maxOccurs="1" minOccurs="0"/>
           <xs:element name="FlowType" type="xs:string" maxOccurs="1" minOccurs="0"/>
           <xs:element name="Detect" type="xs:string" maxOccurs="1" minOccurs="0"/>
         </xs:sequence>
       </xs:complexType>

  16. ACL's XML schema, xsd format (6/7)
       <xs:complexType name="PortAccessListType">
         <xs:complexContent>
           <xs:extension base="nm1_1:IfAccessListType">
             <xs:sequence>
               <xs:element ref="nm1_0:PortId" maxOccurs="1" minOccurs="0"/>
             </xs:sequence>
             <xs:attribute name="operation" type="ncp:editOperationType"/>
           </xs:extension>
         </xs:complexContent>
       </xs:complexType>
       <xs:complexType name="VlanAccessListType">
         <xs:complexContent>
           <xs:extension base="nm1_1:IfAccessListType">
             <xs:sequence>
               <xs:element ref="nm1_0:VlanId" maxOccurs="1" minOccurs="0"/>
               <xs:element name="MacMode" type="xs:string" maxOccurs="1" minOccurs="0"/>
             </xs:sequence>
             <xs:attribute name="operation" type="ncp:editOperationType"/>
           </xs:extension>
         </xs:complexContent>
       </xs:complexType>
       <xs:element name="IfAccessLists">
         <xs:complexType>
           <xs:sequence>
             <xs:element ref="nm1_1:PortAccessList" maxOccurs="unbounded" minOccurs="0"/>
             <xs:element ref="nm1_1:VlanAccessList" maxOccurs="unbounded" minOccurs="0"/>
           </xs:sequence>
         </xs:complexType>
       </xs:element>

  17. ACL's XML schema, xsd format (7/7)
       <xs:simpleType name="Filter">
         <xs:restriction base="xs:string">
           <xs:enumeration value="permit"/>
           <xs:enumeration value="deny"/>
         </xs:restriction>
       </xs:simpleType>
       <xs:element name="VlanAccessList" type="nm1_1:VlanAccessListType"/>
       <xs:element name="PortAccessList" type="nm1_1:PortAccessListType"/>
       <xs:element name="PortId" type="nm1_1:PortIdType"/>
       <xs:simpleType name="PortIdType">
         <xs:restriction base="xs:string">
           <xs:pattern value=".*"/>
         </xs:restriction>
       </xs:simpleType>
       <xs:simpleType name="VlanIdType">
         <xs:restriction base="xs:integer">
           <xs:minInclusive value="1"/>
           <xs:maxInclusive value="4095"/>
         </xs:restriction>
       </xs:simpleType>
     </xs:schema>
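As an added example (not code from the slides or from the draft), the following Python carries the slide-3 workflow through the schema on slides 11 to 17: spreadsheet rows become one AccessList inside a NETCONF edit-config, and the payload is re-parsed to enforce the Filter enumeration before anything is sent to a device. The message-id, the FlowId "acl-users" and the source addresses are constructed, and the "accept" to "permit" mapping is an assumption about how the application would reconcile the spreadsheet vocabulary with the schema's enumeration.

```python
"""Added example (not from the slides or the draft): spreadsheet rows such as
"deny user1 / accept user2" become a NETCONF <edit-config> AccessList, checked
against constraints visible in the slide XSD."""
import xml.etree.ElementTree as ET

NM11 = "urn:net:alaxala:oan:onapi:commons:netmod:1.1"   # XSD targetNamespace
NCP = "urn:ietf:params:xml:ns:netconf:base:1.0"         # NETCONF base namespace
FILTER_VALUES = {"permit", "deny"}   # xs:simpleType "Filter" enumeration (slide 17)
# The spreadsheet says "accept", which is not a legal Filter value; the
# application has to translate it to the schema's "permit" (assumed mapping).
SPREADSHEET_TO_FILTER = {"accept": "permit", "permit": "permit", "deny": "deny"}


def q(name):
    return f"{{{NM11}}}{name}"   # qualified name: global elements and Id (form="qualified")


def build_edit_config(flow_id, rows):
    """rows: [(spreadsheet_action, source_ipv4)] in spreadsheet order.
    One FlowLayer3Standard per row, children in the order the XSD's extension
    of FlowDescInfoType requires: Sequence, Action/Filter, SourceIP."""
    ET.register_namespace("nm", NM11)
    ET.register_namespace("nc", NCP)
    rpc = ET.Element(f"{{{NCP}}}rpc", {"message-id": "101"})   # constructed id
    edit = ET.SubElement(rpc, f"{{{NCP}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NCP}}}target"), f"{{{NCP}}}candidate")
    acls = ET.SubElement(ET.SubElement(edit, f"{{{NCP}}}config"), q("AccessLists"))
    # The slide XSD declares "operation" as an unqualified attribute; RFC 4741
    # itself places the edit-config operation attribute in the base namespace.
    acl = ET.SubElement(acls, q("AccessList"), {"operation": "merge"})
    ET.SubElement(ET.SubElement(acl, q("FlowId")), q("Id")).text = flow_id
    for seq, (action, src) in enumerate(rows, start=1):
        flt = SPREADSHEET_TO_FILTER[action]   # KeyError for a word the mapping lacks
        flow = ET.SubElement(acl, q("FlowLayer3Standard"))
        # Sequence and SourceIP are local elements without form="qualified", and the
        # slide's xs:schema sets no elementFormDefault, so they carry no namespace.
        ET.SubElement(flow, "Sequence").text = str(seq * 10)
        ET.SubElement(ET.SubElement(flow, q("Action")), q("Filter")).text = flt
        ET.SubElement(flow, "SourceIP").text = src
    return ET.tostring(rpc, encoding="unicode")


def check_access_list(xml_text):
    """Re-parse the payload and enforce two XSD constraints a device would reject:
    Filter in {permit, deny} and Sequence an xs:integer. Returns [(seq, filter, ip)]."""
    rules = []
    for flow in ET.fromstring(xml_text).iter(q("FlowLayer3Standard")):
        flt = flow.findtext(f"{q('Action')}/{q('Filter')}")
        if flt not in FILTER_VALUES:
            raise ValueError(f"Filter {flt!r} is outside {sorted(FILTER_VALUES)}")
        rules.append((int(flow.findtext("Sequence")), flt, flow.findtext("SourceIP")))
    return rules
```

Call `build_edit_config("acl-users", [("deny", "192.0.2.1"), ("accept", "192.0.2.2")])` and pass the result to `check_access_list` to see the two rules come back as `(10, "deny", ...)` and `(20, "permit", ...)`.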
