Network Working Group                                          T. Iijima
Internet-Draft                                               Y. Atarashi
Intended status: Informational                                 H. Kimura
Expires: June 29, 2008                                         M. Kitani
                                                  Alaxala Networks Corp.
                                                                H. Okita
                              Central Research Laboratory, Hitachi, Ltd.
                                                       December 27, 2007

                       ACL data model for NETCONF
                    draft-iijima-ngo-acldatamodel-01

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on June 29, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Iijima, et al.           Expires June 29, 2008                  [Page 1]

Abstract

   Data models are to be discussed within the NETCONF framework shortly.
   We devised a data model for ACLs (Access Control Lists) and developed
   a network configuration application that uses it.  This document
   introduces that data model in order to facilitate discussion of the
   data models carried by the NETCONF protocol.

Table of Contents

   1.  Introduction
     1.1.  Data modeling for NETCONF
     1.2.  Conventions
     1.3.  Motivation
   2.  Data model over NETCONF
   3.  ACL data model
     3.1.  Class diagram of ACL data model
     3.2.  ACL schema of ACL data model
     3.3.  Application using ACL data model
   4.  Security Considerations
   5.  IANA Considerations
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

1.1.  Data modeling for NETCONF

   Data modeling of the configuration data of each network function is
   necessary in order to achieve interoperability among NETCONF
   entities.  For that purpose, we devised an ACL data model and
   developed a network configuration application that uses it.

1.2.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC2119 [2].

1.3.  Motivation

   This document opens our data model to the public in order to
   facilitate discussion of the data models by which NETCONF configures
   each network device.  This document aims to be accepted as a
   reference for the NETCONF data model.

2.  Data model over NETCONF

   NETCONF's architecture is shown in Figure 1.
   As this figure shows, the operations, RPC and application protocol
   layers have been standardized.  However, the content layer, which is
   the configuration data exchanged over the NETCONF protocol, has been
   left out of the NETCONF standardization process.  In order to achieve
   interoperability among NETCONF entities, data modeling of
   configuration data is necessary.

             Layer                    Example
        +-------------+      +-----------------------------+
        |   Content   |      |     Configuration data      |
        +-------------+      +-----------------------------+
               |                           |
        +-------------+      +-----------------------------+
        | Operations  |      |             ,               |
        +-------------+      +-----------------------------+
               |                           |
        +-------------+      +-----------------------------+
        |     RPC     |      |             ,               |
        +-------------+      +-----------------------------+
               |                           |
        +-------------+      +-----------------------------+
        | Application |      |   BEEP, SSH, SSL, console   |
        |  Protocol   |      |                             |
        +-------------+      +-----------------------------+

                      Figure 1: NETCONF architecture

3.  ACL data model

   In this section, we provide the ACL data model that we developed.
   The data model was originally designed as a UML (Unified Modeling
   Language) class diagram.  Due to space limitations, only a highly
   simplified class diagram is listed here.

3.1.  Class diagram of ACL data model

   Figure 2 shows the highly simplified class diagram of the ACL data
   model.
   +-------------------------------------------------+
   | AccessList                                      |
   |+ flowId                                         |
   |+ FlowDescInfo[]                                 |
   +-------------------------------------------------+
                          <>
                          |
                          |
   +-------------------------------------------------+
   | FlowDescInfo                                    |
   |+ action                                         |
   +-------------------------------------------------+
         A              A              A              A
         |              |              |              |
         |              |              |              |
   +------------+ +------------+ +------------+ +--------------+
   | FlowLayer2 | | FlowLayer3 | | FlowLayer3 | | FlowLayer3V6 |
   | Standard   | | Standard   | | Extended   | | Extended     |
   +------------+ +------------+ +------------+ +--------------+
   |+ srcMac    | |+ srcIpv4   | |+ srcIpv4   | |+ srcIpv6     |
   |+ dstMac    | |            | |+ dstIpv4   | |+ dstIpv6     |
   |+ ethType   | |            | |+ protocol  | |+ protocol    |
   |+ vlanId    | |            | |+ tos       | |+ vlanId      |
   |            | |            | |+ srcPort   | |              |
   |            | |            | |+ dstPort   | |              |
   |            | |            | |+ ackFlag   | |              |
   |            | |            | |+ synFlag   | |              |
   |            | |            | |+ vlanId    | |              |
   |            | |            | |+ srcIpRange| |              |
   |            | |            | |+ dstIpRange| |              |
   |            | |            | |+ srcPtRange| |              |
   |            | |            | |+ dstPtRange| |              |
   +------------+ +------------+ +------------+ +--------------+

   <>:association (has-a)
   A :inheritance (is-a)

                      Figure 2: ACL's class diagram

   The AccessList class has a FlowDescInfo class as well as some
   variables such as the Flow ID.  The FlowDescInfo class is used by
   inheriting it as the FlowLayer2Standard, FlowLayer3Standard,
   FlowLayer3Extended, and FlowLayer3V6Extended classes.  If one
   particular Flow ID is used for both a standard layer 2 ACL and a
   standard layer 3 ACL, the ACL information is set in the
   FlowLayer2Standard class and the FlowLayer3Standard class.  The
   AccessList class containing the FlowLayer2Standard and
   FlowLayer3Standard classes is then configured, and the configured
   data are sent over the NETCONF protocol.

3.2.  ACL schema of ACL data model

   From the class diagram illustrated in the previous section, the ACL's
   XML schema can be generated.  The configuration data are sent in a
   form conforming to this XML schema.

3.3.  Application using ACL data model

   We developed a configuration application that exchanges NETCONF
   messages conforming to the XML schema listed in the previous section.
   Figure 3 depicts the configuration application we developed.  Lists
   of ACLs are written in a spreadsheet file in advance.  The
   configuration application, developed using the ACL data model, can
   open and read the file.  It then reads the lists of ACLs line by line
   and transforms them into a NETCONF request message conforming to the
   XML schema listed before.  Finally, the configuration application
   sends the NETCONF request message and configures the network device
   accordingly.

           +-----------------------+
           | Configuration         |
           | Application           |
           |                       |
           |   +---------------+   |
           |   | Spreadsheet   |   |
           |   | File          |   |
           |   |(Lists of ACL) |   |
           |   +---------------+   |
           +-----------------------+
                    |     ^
                    |     |  NETCONF request/reply
                    |     |
                    v     |
               +---------------+
               | Network       |
               | Device        |
               +---------------+

              Figure 3: Application using ACL data model

4.  Security Considerations

   When NETCONF messages based on the data model we propose are
   exchanged, security must be taken care of.  WS-Security can achieve
   secure data transportation by utilizing the XML Signature and XML
   Encryption mechanisms.
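   As an added illustration (not code from the draft or the authors'
   application), the following Python renders a subset of the Figure 2
   classes as dataclasses, validates each row the way the spreadsheet-
   driven application of Section 3.3 must before trusting it, and
   serializes an AccessList into a NETCONF <edit-config> request.  The
   XML element names are assumptions, since the draft's schema is not
   reproduced on this page; building the message with an XML library
   rather than string concatenation keeps a hostile cell value from
   altering the request's structure.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, fields

@dataclass
class FlowDescInfo:             # base class of Figure 2
    action: str                 # "permit" or "deny"

@dataclass
class FlowLayer3Extended(FlowDescInfo):   # subset of the figure's attributes
    srcIpv4: str
    dstIpv4: str
    protocol: str
    srcPort: int
    dstPort: int

@dataclass
class AccessList:               # has-a list of FlowDescInfo subclasses
    flowId: str
    FlowDescInfo: list

def validate(flow):
    # Reject rows that are not well-formed before they reach the device.
    if flow.action not in ("permit", "deny"):
        raise ValueError(f"bad action {flow.action!r}")
    for f in fields(flow):
        v = getattr(flow, f.name)
        if f.name.endswith("Ipv4"):
            ipaddress.IPv4Network(v, strict=False)   # raises on garbage
        elif f.name.endswith("Port") and not 0 <= v <= 65535:
            raise ValueError(f"bad port {v}")

def acl_element(acl):
    # Element names are assumed (schema not on the page); ET escapes text.
    root = ET.Element("accessList")
    ET.SubElement(root, "flowId").text = acl.flowId
    for flow in acl.FlowDescInfo:
        validate(flow)
        node = ET.SubElement(root, type(flow).__name__)
        for f in fields(flow):
            ET.SubElement(node, f.name).text = str(getattr(flow, f.name))
    return root

def edit_config(acl, message_id="1"):
    """Wrap the payload in a NETCONF <edit-config> on the running datastore."""
    rpc = ET.Element("rpc", {"message-id": message_id,
                             "xmlns": "urn:ietf:params:xml:ns:netconf:base:1.0"})
    ec = ET.SubElement(rpc, "edit-config")
    ET.SubElement(ET.SubElement(ec, "target"), "running")
    ET.SubElement(ec, "config").append(acl_element(acl))
    return ET.tostring(rpc, encoding="unicode")
```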
5.  IANA Considerations

   This document has no actions for IANA.

6.  References

6.1.  Normative References

   [1]  Enns, R., "NETCONF Configuration Protocol", RFC 4741,
        December 2006.

6.2.  Informative References

   [2]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [3]  Sperberg-McQueen, C., Bray, T., and J. Paoli, "XML 1.0
        Recommendation", World Wide Web Consortium FirstEdition
        REC-xml-19980210, February 1998.

Authors' Addresses

   Iijima Tomoyuki
   Alaxala Networks Corp.
   Shin-Kawasaki Mitsui Bldg. 890 Saiwai-ku Kashimada
   Kawasaki, Kanagawa  212-0058
   Japan

   Phone: +81-44-549-1200
   Fax:   +81-44-549-1272
   Email: tomoyuki.iijima@alaxala.com

   Yoshifumi Atarashi
   Alaxala Networks Corp.
   Shin-Kawasaki Mitsui Bldg. 890 Saiwai-ku Kashimada
   Kawasaki, Kanagawa  212-0058
   Japan

   Phone: +81-44-549-1200
   Fax:   +81-44-549-1272
   Email: atarashi@alaxala.net

   Hiroyasu Kimura
   Alaxala Networks Corp.
   Shin-Kawasaki Mitsui Bldg. 890 Saiwai-ku Kashimada
   Kawasaki, Kanagawa  212-0058
   Japan

   Phone: +81-44-549-1200
   Fax:   +81-44-549-1272
   Email: h-kimura@alaxala.net

   Makoto Kitani
   Alaxala Networks Corp.
   Shin-Kawasaki Mitsui Bldg. 890 Saiwai-ku Kashimada
   Kawasaki, Kanagawa  212-0058
   Japan

   Phone: +81-44-549-1200
   Fax:   +81-44-549-1272
   Email: makoto.kitani@alaxala.com

   Hideki Okita
   Central Research Laboratory, Hitachi, Ltd.
   1-280 Higashi-Koigakubo
   Kokubunji, Tokyo  185-8601
   Japan

   Phone: +81-42-323-1111
   Fax:   +81-42-327-7868
   Email: hideki.okita.pf@hitachi.com

Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).