69th IETF meeting, NEE BoF
ACL data model for NETCONF (draft-iijima-ngo-acldatamodel-00)
Monday, July 23, 2007
Tomoyuki Iijima, Yoshifumi Atarashi, Hiroyasu Kimura, Makoto Kitani (Alaxala Networks)
Hideki Okita (Hitachi Central Research Lab)
Our motives
• Last 68th IETF meeting
  • We proposed a VLAN data model for NETCONF as a data model reference at the OPSAREA session
  • draft-iijima-ngo-vlandatamodel-00
• This 69th IETF meeting
  • Following the VLAN data model, we would like to propose an ACL (Access Control List) data model as well at this NEE BoF
  • draft-iijima-ngo-acldatamodel-00
  • BTW, ACL in this draft means filtering of data packets, not filtering of NETCONF operations.
• By proposing several data models, we would like to stimulate data model discussion in the NETCONF-related WG.
Configuration application utilizing ACL data model
• Developed by using ACL APIs based on the ACL data model and by using NETCONF as the protocol towards the network device.
• Operators don't need to input the ACL configuration by hand into the network devices or into the application.
[Figure: the operator opens and reads a spreadsheet file (lists of ACL: "deny user1", "accept user2"); the configuration application developed with the ACL APIs sends a NETCONF request to the network device and receives a NETCONF reply, so the ACL configuration for user1 and user2 on the path to the internet is done by NETCONF.]
Network functions to be modeled
• We extracted several network functions to be modeled from a typical network.
• ACL is very useful when configured from a network application, since a large number of filtering rules are commonly applied to every network device.
• Collaboration with security appliances is achievable.
[Figure: a typical network spanning Internet, ISP, Enterprise network and Home, with the functions to be modeled marked on its nodes: ACL (Filtering), Route, Line, VRRP, VLAN, Link Aggregation, Node.]
Configuration data required to be incorporated
• We considered that the following configuration data need to be incorporated into each network function's data model.
ACL’s UML class diagram (association = has-a, inheritance = is-a)
AccessList
  • flowId : FlowId
  • flowDescInfo : FlowDescInfo[]
FlowDescInfo (has-a Action)
  • action : Action
Action (has-a Filter)
  • filter : Filter
Filter
  • type : String
Subclasses of FlowDescInfo (is-a):
FlowLayer2Standard
  • sourceMac : String
  • destinationMac : String
  • ethernetType : String
  • vlanId : short
FlowLayer3Standard
  • sourceIP : IPV4Address
FlowLayer3Extended
  • sourceIP : IPV4Address
  • dstIP : IPV4Address
  • protocol : String
  • tos : String
  • sourcePort : String
  • destinationPort : String
  • ackFlag : String
  • synFlag : String
  • vlanId : short
  • srcIPRange : RangeIP4
  • dstIPRange : RangeIP4
  • srcPtRange : RangePt
  • dstPtRange : RangePt
FlowLayer3V6Extended
  • sourceIP : IPV6Address
  • dstIP : IPV6Address
  • vlanId : short
  • protocol : String
Our NETCONF related drafts
• draft-atarashi-ngo-consider-architecture-01
  • Overall NETCONF architecture capable of controlling server/storage systems
• draft-iijima-netconf-soap-implementation-02
  • Experiences and guidelines of NETCONF/SOAP implementation
• draft-iijima-ngo-acldatamodel-00
  • ACL data model for NETCONF and its use case
• draft-iijima-ngo-vlandatamodel-00
  • VLAN data model for NETCONF and its use case
• draft-okita-ngo-diffservdatamodel-01
  • A proposal of DiffServ data model for the unofficial meeting in San Diego
Conclusion
• We showed our ACL data model as a data model reference in order to stimulate NETCONF data model discussion.
• We would like to request this I-D to be accepted as an informational I-D for a future scope of the NGO or NEE WG.
ACL’s XML schema, xsd format (1/7)
<xs:schema id="onapi-datamodel_1.1"
           targetNamespace="urn:net:alaxala:oan:onapi:commons:netmod:1.1"
           xmlns:ncp="urn:ietf:params:xml:ns:netconf:base:1.0"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:nm1_0="urn:net:alaxala:oan:onapi:commons:netmod:1.0"
           xmlns:nm1_1="urn:net:alaxala:oan:onapi:commons:netmod:1.1">
  <xs:import namespace="urn:ietf:params:xml:ns:netconf:base:1.0" schemaLocation="netconf-base_1.0.xsd"/>
  <xs:import namespace="urn:net:alaxala:oan:onapi:commons:netmod:1.0" schemaLocation="onapi-datamodel_1.0.xsd"/>
  <xs:element name="FlowId" type="nm1_1:FlowIdType"/>
  <xs:element name="AccessList" type="nm1_1:AccessListType"/>
  <xs:element name="NumberSequenceInfo" type="nm1_1:NumberSequenceInfoType"/>
  <xs:complexType name="AccessListType">
    <xs:sequence>
      <xs:element ref="nm1_1:FlowId"/>
      <xs:element name="Remark" type="xs:string" maxOccurs="1" minOccurs="0"/>
      <xs:element ref="nm1_1:NumberSequenceInfo" maxOccurs="1" minOccurs="0"/>
      <xs:choice>
        <xs:element ref="nm1_1:FlowDescInfo" maxOccurs="unbounded" minOccurs="0"/>
        <xs:element ref="nm1_1:FlowLayer2Standard" maxOccurs="unbounded" minOccurs="0"/>
        <xs:element ref="nm1_1:FlowLayer3Standard" maxOccurs="unbounded" minOccurs="0"/>
        <xs:element ref="nm1_1:FlowLayer3v6Extended" maxOccurs="unbounded" minOccurs="0"/>
        <xs:element ref="nm1_1:FlowLayer3Extended" maxOccurs="unbounded" minOccurs="0"/>
      </xs:choice>
    </xs:sequence>
    <xs:attribute name="operation" type="ncp:editOperationType"/>
  </xs:complexType>
ACL’s XML schema, xsd format (2/7)
  <xs:complexType name="NumberSequenceInfoType">
    <xs:sequence>
      <xs:element name="StartingSeq" type="xs:integer" maxOccurs="1" minOccurs="0"/>
      <xs:element name="IncrementSeq" type="xs:integer" maxOccurs="1" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="FlowDescInfoType">
    <xs:sequence>
      <xs:element name="Sequence" type="xs:integer" maxOccurs="1" minOccurs="0"/>
      <xs:element ref="nm1_1:Action" maxOccurs="1" minOccurs="0"/>
      <xs:element name="AccessListInfo" type="xs:string" maxOccurs="1" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="Filter" type="nm1_1:Filter"/>
  <xs:element name="Action" type="nm1_1:ActionType"/>
  <xs:complexType name="ActionType">
    <xs:sequence>
      <xs:element ref="nm1_1:Filter" maxOccurs="1" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="FlowLayer2StandardType">
    <xs:complexContent>
      <xs:extension base="nm1_1:FlowDescInfoType">
        <xs:sequence maxOccurs="1" minOccurs="0">
          <xs:element name="SourceMac" type="nm1_0:MacAddress" maxOccurs="1" minOccurs="0"/>
          <xs:element name="DestinationMac" type="nm1_0:MacAddress" maxOccurs="1" minOccurs="0"/>
          <xs:element name="EthernetType" type="xs:string" maxOccurs="1" minOccurs="0"/>
          <xs:element ref="nm1_0:VlanId" maxOccurs="1" minOccurs="0"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
ACL’s XML schema, xsd format (3/7)
  <xs:complexType name="FlowLayer3StandardType">
    <xs:complexContent>
      <xs:extension base="nm1_1:FlowDescInfoType">
        <xs:sequence>
          <xs:element name="SourceIP" type="nm1_0:IPV4Address" maxOccurs="1" minOccurs="1"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <xs:complexType name="FlowLayer3ExtendedType">
    <xs:complexContent>
      <xs:extension base="nm1_1:FlowDescInfoType">
        <xs:sequence>
          <xs:element name="SourceIP" type="nm1_0:IPV4Address" maxOccurs="1" minOccurs="0"/>
          <xs:element name="DestinationIP" type="nm1_0:IPV4Address" maxOccurs="1" minOccurs="0"/>
          <xs:element name="Protocol" type="xs:string" maxOccurs="1" minOccurs="0"/>
          <xs:element name="Tos" type="xs:string" maxOccurs="1" minOccurs="0"/>
          <xs:element name="SourcePort" type="xs:string" maxOccurs="1" minOccurs="0"/>
          <xs:element name="DestinationPort" type="xs:string" maxOccurs="1" minOccurs="0"/>
          <xs:element name="AckFlag" type="xs:string" maxOccurs="1" minOccurs="0"/>
          <xs:element name="SynFlag" type="xs:string" maxOccurs="1" minOccurs="0"/>
          <xs:element ref="nm1_0:VlanId" maxOccurs="1" minOccurs="0"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
ACL’s XML schema, xsd format (4/7)
  <xs:complexType name="FlowLayer3v6ExtendedType">
    <xs:complexContent>
      <xs:extension base="nm1_1:FlowDescInfoType">
        <xs:sequence>
          <xs:element name="SourceIP" type="nm1_0:IPV6Address" maxOccurs="1" minOccurs="0"/>
          <xs:element name="DestinationIP" type="nm1_0:IPV6Address" maxOccurs="1" minOccurs="0"/>
          <xs:element name="Protocol" type="xs:string" maxOccurs="1" minOccurs="0"/>
          <xs:element ref="nm1_0:VlanId" maxOccurs="1" minOccurs="0"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <xs:element name="FlowLayer2Standard" type="nm1_1:FlowLayer2StandardType"/>
  <xs:element name="FlowLayer3Standard" type="nm1_1:FlowLayer3StandardType"/>
  <xs:element name="FlowLayer3v6Extended" type="nm1_1:FlowLayer3v6ExtendedType"/>
  <xs:element name="FlowLayer3Extended" type="nm1_1:FlowLayer3ExtendedType"/>
  <xs:element name="AccessLists">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="nm1_1:AccessList" maxOccurs="unbounded" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
ACL’s XML schema, xsd format (5/7)
  <xs:element name="FlowDescInfo" type="nm1_1:FlowDescInfoType"/>
  <xs:complexType name="IfAccessListType">
    <xs:sequence>
      <xs:element name="FilterIn" minOccurs="0" form="qualified">
        <xs:complexType>
          <xs:sequence>
            <xs:element ref="nm1_1:FlowId" maxOccurs="unbounded" minOccurs="0"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:element name="FilterOut" minOccurs="0" form="qualified">
        <xs:complexType>
          <xs:sequence>
            <xs:element ref="nm1_1:FlowId" maxOccurs="unbounded" minOccurs="0"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="FlowIdType">
    <xs:sequence>
      <xs:element name="Id" type="xs:string" maxOccurs="1" minOccurs="0" form="qualified"/>
      <xs:element name="Type" type="xs:string" maxOccurs="1" minOccurs="0"/>
      <xs:element name="FlowType" type="xs:string" maxOccurs="1" minOccurs="0"/>
      <xs:element name="Detect" type="xs:string" maxOccurs="1" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
ACL’s XML schema, xsd format (6/7)
  <xs:complexType name="PortAccessListType">
    <xs:complexContent>
      <xs:extension base="nm1_1:IfAccessListType">
        <xs:sequence>
          <xs:element ref="nm1_0:PortId" maxOccurs="1" minOccurs="0"/>
        </xs:sequence>
        <xs:attribute name="operation" type="ncp:editOperationType"/>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <xs:complexType name="VlanAccessListType">
    <xs:complexContent>
      <xs:extension base="nm1_1:IfAccessListType">
        <xs:sequence>
          <xs:element ref="nm1_0:VlanId" maxOccurs="1" minOccurs="0"/>
          <xs:element name="MacMode" type="xs:string" maxOccurs="1" minOccurs="0"/>
        </xs:sequence>
        <xs:attribute name="operation" type="ncp:editOperationType"/>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <xs:element name="IfAccessLists">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="nm1_1:PortAccessList" maxOccurs="unbounded" minOccurs="0"/>
        <xs:element ref="nm1_1:VlanAccessList" maxOccurs="unbounded" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
ACL’s XML schema, xsd format (7/7)
  <xs:simpleType name="Filter">
    <xs:restriction base="xs:string">
      <xs:enumeration value="permit"/>
      <xs:enumeration value="deny"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:element name="VlanAccessList" type="nm1_1:VlanAccessListType"/>
  <xs:element name="PortAccessList" type="nm1_1:PortAccessListType"/>
  <xs:element name="PortId" type="nm1_1:PortIdType"/>
  <xs:simpleType name="PortIdType">
    <xs:restriction base="xs:string">
      <xs:pattern value=".*"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="VlanIdType">
    <xs:restriction base="xs:integer">
      <xs:minInclusive value="1"/>
      <xs:maxInclusive value="4095"/>
    </xs:restriction>
  </xs:simpleType>
</xs:schema>
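As an added example (not code from the draft or from Alaxala), the use-case slide and the schema above put together in Python: a configuration application builds the NETCONF edit-config that carries one AccessList in this schema, then re-checks the instance against the Filter enumeration and the Sequence type the XSD declares, which is what catches the "accept" row from the spreadsheet. Element names and namespaces are taken from the schema; the operator's rule list, the FlowId value and "merge" as the edit operation are assumptions.

```python
import xml.etree.ElementTree as ET

NM = "urn:net:alaxala:oan:onapi:commons:netmod:1.1"  # nm1_1 in the XSD
NCP = "urn:ietf:params:xml:ns:netconf:base:1.0"
ET.register_namespace("nm1_1", NM)
ET.register_namespace("ncp", NCP)

def q(name, ns=NM):
    return f"{{{ns}}}{name}"  # Clark-notation tag in the given namespace

def build_access_list(flow_id, rules, start=10, step=10):
    """One AccessList whose FlowLayer3Extended entries are numbered as its
    NumberSequenceInfo announces; rules are (Filter, SourceIP) pairs."""
    acl = ET.Element(q("AccessList"), {"operation": "merge"})  # assumed op
    ET.SubElement(ET.SubElement(acl, q("FlowId")), q("Id")).text = flow_id
    nsi = ET.SubElement(acl, q("NumberSequenceInfo"))
    ET.SubElement(nsi, q("StartingSeq")).text = str(start)
    ET.SubElement(nsi, q("IncrementSeq")).text = str(step)
    for i, (filt, src) in enumerate(rules):
        flow = ET.SubElement(acl, q("FlowLayer3Extended"))
        # xs:extension: FlowDescInfoType's Sequence/Action come before SourceIP
        ET.SubElement(flow, q("Sequence")).text = str(start + i * step)
        ET.SubElement(ET.SubElement(flow, q("Action")), q("Filter")).text = filt
        ET.SubElement(flow, q("SourceIP")).text = src
    return acl

def wrap_edit_config(acl, message_id="101"):
    """Put the AccessList under <AccessLists> inside a NETCONF <edit-config>."""
    rpc = ET.Element(q("rpc", NCP), {"message-id": message_id})
    ec = ET.SubElement(rpc, q("edit-config", NCP))
    ET.SubElement(ET.SubElement(ec, q("target", NCP)), q("running", NCP))
    ET.SubElement(ET.SubElement(ec, q("config", NCP)), q("AccessLists")).append(acl)
    return ET.tostring(rpc, encoding="unicode")

def check_instance(xml_text):
    """Re-parse the request and enforce two constraints the XSD declares:
    Filter is the enumeration {permit, deny}, Sequence is xs:integer."""
    root = ET.fromstring(xml_text)
    problems = []
    for f in root.iter(q("Filter")):
        if f.text not in ("permit", "deny"):
            problems.append(f"Filter {f.text!r} is not permit/deny")
    for s in root.iter(q("Sequence")):
        if not (s.text or "").lstrip("-").isdigit():
            problems.append(f"Sequence {s.text!r} is not an integer")
    return problems

# Constructed stand-in for the spreadsheet on the use-case slide; its second
# row says "accept", which the schema's Filter enumeration does not allow.
SPREADSHEET = [("deny", "192.0.2.10"), ("accept", "192.0.2.20")]
```

Running check_instance on the request built from SPREADSHEET reports the "accept" row, so the application can reject or map the row before anything reaches the device.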