Network Working Group                                       M. Bjorklund
Internet-Draft                                            Tail-f Systems
Obsoletes: rfc7277 (if approved)                        January 11, 2018
Intended status: Standards Track
Expires: July 15, 2018

                   A YANG Data Model for IP Management
                     draft-ietf-netmod-rfc7277bis-03

Abstract

   This document defines a YANG data model for management of IP
   implementations.  The data model includes configuration and system
   state.

   The YANG model in this document conforms to the Network Management
   Datastore Architecture defined in I-D.ietf-netmod-revised-datastores.

   This document obsoletes RFC 7277.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).
   Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 15, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Summary of Changes from RFC 7277
     1.2.  Terminology
     1.3.  Tree Diagrams
   2.  IP Data Model
   3.  Relationship to the IP-MIB
   4.  IP Management YANG Module
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Example: NETCONF reply
   Appendix B.  Example: NETCONF Reply
   Author's Address

1.  Introduction

   This document defines a YANG [RFC7950] data model for management of
   IP implementations.

   The data model covers configuration of per-interface IPv4 and IPv6
   parameters, and mappings of IP addresses to link-layer addresses.  It
   also provides information about which IP addresses are operationally
   used, and which link-layer mappings exist.  Per-interface parameters
   are added through augmentation of the interface data model defined in
   [I-D.ietf-netmod-rfc7223bis].

   This version of the IP data model supports the Network Management
   Datastore Architecture (NMDA) [I-D.ietf-netmod-revised-datastores].

1.1.  Summary of Changes from RFC 7277

   The "ipv4" and "ipv6" subtrees with "config false" data nodes in the
   "/interfaces-state/interface" subtree are deprecated.  All "config
   false" data nodes are now present in the "ipv4" and "ipv6" subtrees
   in the "/interfaces/interface" subtree.

   Servers that do not implement NMDA, or that wish to support clients
   that do not implement NMDA, MAY implement the deprecated "ipv4" and
   "ipv6" subtrees in the "/interfaces-state/interface" subtree.

1.2.  Terminology

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14, [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.
   The following terms are defined in
   [I-D.ietf-netmod-revised-datastores] and are not redefined here:

   o  client

   o  server

   o  configuration

   o  system state

   o  intended configuration

   o  running configuration datastore

   o  operational state

   o  operational state datastore

   The following terms are defined in [RFC7950] and are not redefined
   here:

   o  augment

   o  data model

   o  data node

   The terminology for describing YANG data models is found in
   [RFC7950].

1.3.  Tree Diagrams

   Tree diagrams used in this document follow the notation defined in
   [I-D.ietf-netmod-yang-tree-diagrams].

2.  IP Data Model

   This document defines the YANG module "ietf-ip", which augments the
   "interface" and "interface-state" lists defined in the
   "ietf-interfaces" module [I-D.ietf-netmod-rfc7223bis] with IP-
   specific data nodes.

   The data model has the following structure for IP data nodes per
   interface, excluding the deprecated data nodes:

   module: ietf-ip
     augment /if:interfaces/if:interface:
       +--rw ipv4!
       |  +--rw enabled?                     boolean
       |  +--rw forwarding?                  boolean
       |  +--rw mtu?                         uint16
       |  +--rw address* [ip]
       |  |  +--rw ip         inet:ipv4-address-no-zone
       |  |  +--rw (subnet)
       |  |  |  +--:(prefix-length)
       |  |  |  |  +--rw prefix-length?   uint8
       |  |  |  +--:(netmask)
       |  |  |     +--rw netmask?         yang:dotted-quad
       |  |  |             {ipv4-non-contiguous-netmasks}?
       |  |  +--ro origin?    ip-address-origin
       |  +--rw neighbor* [ip]
       |     +--rw ip                    inet:ipv4-address-no-zone
       |     +--rw link-layer-address    yang:phys-address
       |     +--ro origin?               neighbor-origin
       +--rw ipv6!
          +--rw enabled?                     boolean
          +--rw forwarding?                  boolean
          +--rw mtu?                         uint32
          +--rw address* [ip]
          |  +--rw ip               inet:ipv6-address-no-zone
          |  +--rw prefix-length    uint8
          |  +--ro origin?          ip-address-origin
          |  +--ro status?          enumeration
          +--rw neighbor* [ip]
          |  +--rw ip                    inet:ipv6-address-no-zone
          |  +--rw link-layer-address    yang:phys-address
          |  +--ro origin?               neighbor-origin
          |  +--ro is-router?            empty
          |  +--ro state?                enumeration
          +--rw dup-addr-detect-transmits?   uint32
          +--rw autoconf
             +--rw create-global-addresses?        boolean
             +--rw create-temporary-addresses?     boolean
             |       {ipv6-privacy-autoconf}?
             +--rw temporary-valid-lifetime?       uint32
             |       {ipv6-privacy-autoconf}?
             +--rw temporary-preferred-lifetime?   uint32
                     {ipv6-privacy-autoconf}?

   The data model defines two containers per interface -- "ipv4" and
   "ipv6", representing the IPv4 and IPv6 address families.  In each
   container, there is a leaf "enabled" that controls whether or not the
   address family is enabled on that interface, and a leaf "forwarding"
   that controls whether or not IP packet forwarding for the address
   family is enabled on the interface.  In each container, there is also
   a list of addresses, and a list of mappings from IP addresses to
   link-layer addresses.

3.  Relationship to the IP-MIB

   If the device implements the IP-MIB [RFC4293], each entry in the
   "ipv4/address" and "ipv6/address" lists is mapped to one
   ipAddressEntry, where the ipAddressIfIndex refers to the "address"
   entry's interface.

   The IP-MIB defines objects to control IPv6 Router Advertisement
   messages.  The corresponding YANG data nodes are defined in
   [RFC8022].

   The entries in "ipv4/neighbor" and "ipv6/neighbor" are mapped to
   ipNetToPhysicalTable.

   The following table lists the YANG data nodes with corresponding
   objects in the IP-MIB.
   +----------------------------------+--------------------------------+
   | YANG data node in                | IP-MIB object                  |
   | /if:interfaces/if:interface      |                                |
   +----------------------------------+--------------------------------+
   | ipv4                             | ipv4InterfaceEnableStatus      |
   | ipv4/enabled                     | ipv4InterfaceEnableStatus      |
   | ipv4/address                     | ipAddressEntry                 |
   | ipv4/address/ip                  | ipAddressAddrType              |
   |                                  | ipAddressAddr                  |
   | ipv4/neighbor                    | ipNetToPhysicalEntry           |
   | ipv4/neighbor/ip                 | ipNetToPhysicalNetAddressType  |
   |                                  | ipNetToPhysicalNetAddress      |
   | ipv4/neighbor/link-layer-address | ipNetToPhysicalPhysAddress     |
   | ipv4/neighbor/origin             | ipNetToPhysicalType            |
   | ipv6                             | ipv6InterfaceEnableStatus      |
   | ipv6/enabled                     | ipv6InterfaceEnableStatus      |
   | ipv6/forwarding                  | ipv6InterfaceForwarding        |
   | ipv6/address                     | ipAddressEntry                 |
   | ipv6/address/ip                  | ipAddressAddrType              |
   |                                  | ipAddressAddr                  |
   | ipv4/address/origin              | ipAddressOrigin                |
   | ipv6/address/status              | ipAddressStatus                |
   | ipv6/neighbor                    | ipNetToPhysicalEntry           |
   | ipv6/neighbor/ip                 | ipNetToPhysicalNetAddressType  |
   |                                  | ipNetToPhysicalNetAddress      |
   | ipv6/neighbor/link-layer-address | ipNetToPhysicalPhysAddress     |
   | ipv6/neighbor/origin             | ipNetToPhysicalType            |
   | ipv6/neighbor/state              | ipNetToPhysicalState           |
   +----------------------------------+--------------------------------+

          YANG Interface Data Nodes and Related IP-MIB Objects

4.  IP Management YANG Module

   This module imports typedefs from [RFC6991] and
   [I-D.ietf-netmod-rfc7223bis], and it references [RFC0791], [RFC0826],
   [RFC2460], [RFC4861], [RFC4862], [RFC4941] and [RFC7217].

   RFC Ed.: update the date below with the date of RFC publication and
   remove this note.
   <CODE BEGINS> file "ietf-ip@2018-01-09.yang"

   module ietf-ip {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-ip";
     prefix ip;

     import ietf-interfaces {
       prefix if;
     }
     import ietf-inet-types {
       prefix inet;
     }
     import ietf-yang-types {
       prefix yang;
     }

     organization
       "IETF NETMOD (Network Modeling) Working Group";

     contact
       "WG Web:
        WG List:

        Editor:   Martin Bjorklund
                  ";
     description
       "This module contains a collection of YANG definitions for
        managing IP implementations.

        Copyright (c) 2018 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2018-01-09 {
       description
         "Updated to support NMDA.";
       reference
         "RFC XXXX: A YANG Data Model for IP Management";
     }

     revision 2014-06-16 {
       description
         "Initial revision.";
       reference
         "RFC 7277: A YANG Data Model for IP Management";
     }

     /*
      * Features
      */

     feature ipv4-non-contiguous-netmasks {
       description
         "Indicates support for configuring non-contiguous
          subnet masks.";
     }

     feature ipv6-privacy-autoconf {
       description
         "Indicates support for Privacy Extensions for Stateless Address
          Autoconfiguration in IPv6.";
       reference
         "RFC 4941: Privacy Extensions for Stateless Address
                    Autoconfiguration in IPv6";
     }

     /*
      * Typedefs
      */

     typedef ip-address-origin {
       type enumeration {
         enum other {
           description
             "None of the following.";
         }
         enum static {
           description
             "Indicates that the address has been statically
              configured - for example, using NETCONF or a Command Line
              Interface.";
         }
         enum dhcp {
           description
             "Indicates an address that has been assigned to this
              system by a DHCP server.";
         }
         enum link-layer {
           description
             "Indicates an address created by IPv6 stateless
              autoconfiguration that embeds a link-layer address in its
              interface identifier.";
         }
         enum random {
           description
             "Indicates an address chosen by the system at
              random, e.g., an IPv4 address within 169.254/16, an
              RFC 4941 temporary address, or an RFC 7217 semantically
              opaque address.";
           reference
             "RFC 4941: Privacy Extensions for Stateless Address
                        Autoconfiguration in IPv6
              RFC 7217: A Method for Generating Semantically Opaque
                        Interface Identifiers with IPv6 Stateless
                        Address Autoconfiguration (SLAAC)";
         }
       }
       description
         "The origin of an address.";
     }

     typedef neighbor-origin {
       type enumeration {
         enum other {
           description
             "None of the following.";
         }
         enum static {
           description
             "Indicates that the mapping has been statically
              configured - for example, using NETCONF or a Command Line
              Interface.";
         }
         enum dynamic {
           description
             "Indicates that the mapping has been dynamically resolved
              using, e.g., IPv4 ARP or the IPv6 Neighbor Discovery
              protocol.";
         }
       }
       description
         "The origin of a neighbor entry.";
     }

     /*
      * Data nodes
      */

     augment "/if:interfaces/if:interface" {
       description
         "IP parameters on interfaces.

          If an interface is not capable of running IP, the server
          must not allow the client to configure these parameters.";

       container ipv4 {
         presence
           "Enables IPv4 unless the 'enabled' leaf
            (which defaults to 'true') is set to 'false'";
         description
           "Parameters for the IPv4 address family.";

         leaf enabled {
           type boolean;
           default true;
           description
             "Controls whether IPv4 is enabled or disabled on this
              interface.  When IPv4 is enabled, this interface is
              connected to an IPv4 stack, and the interface can send
              and receive IPv4 packets.";
         }
         leaf forwarding {
           type boolean;
           default false;
           description
             "Controls IPv4 packet forwarding of datagrams received by,
              but not addressed to, this interface.  IPv4 routers
              forward datagrams.  IPv4 hosts do not (except those
              source-routed via the host).";
         }
         leaf mtu {
           type uint16 {
             range "68..max";
           }
           units octets;
           description
             "The size, in octets, of the largest IPv4 packet that the
              interface will send and receive.

              The server may restrict the allowed values for this leaf,
              depending on the interface's type.

              If this leaf is not configured, the operationally used MTU
              depends on the interface's type.";
           reference
             "RFC 791: Internet Protocol";
         }
         list address {
           key "ip";
           description
             "The list of IPv4 addresses on the interface.";

           leaf ip {
             type inet:ipv4-address-no-zone;
             description
               "The IPv4 address on the interface.";
           }
           choice subnet {
             mandatory true;
             description
               "The subnet can be specified as a prefix-length, or,
                if the server supports non-contiguous netmasks, as
                a netmask.";
             leaf prefix-length {
               type uint8 {
                 range "0..32";
               }
               description
                 "The length of the subnet prefix.";
             }
             leaf netmask {
               if-feature ipv4-non-contiguous-netmasks;
               type yang:dotted-quad;
               description
                 "The subnet specified as a netmask.";
             }
           }
           leaf origin {
             type ip-address-origin;
             config false;
             description
               "The origin of this address.";
           }
         }
         list neighbor {
           key "ip";
           description
             "A list of mappings from IPv4 addresses to
              link-layer addresses.

              Entries in this list in the intended configuration are
              used as static entries in the ARP Cache.

              In the operational state, this list represents the ARP
              Cache.";
           reference
             "RFC 826: An Ethernet Address Resolution Protocol";

           leaf ip {
             type inet:ipv4-address-no-zone;
             description
               "The IPv4 address of the neighbor node.";
           }
           leaf link-layer-address {
             type yang:phys-address;
             mandatory true;
             description
               "The link-layer address of the neighbor node.";
           }
           leaf origin {
             type neighbor-origin;
             config false;
             description
               "The origin of this neighbor entry.";
           }
         }
       }

       container ipv6 {
         presence
           "Enables IPv6 unless the 'enabled' leaf
            (which defaults to 'true') is set to 'false'";
         description
           "Parameters for the IPv6 address family.";

         leaf enabled {
           type boolean;
           default true;
           description
             "Controls whether IPv6 is enabled or disabled on this
              interface.  When IPv6 is enabled, this interface is
              connected to an IPv6 stack, and the interface can send
              and receive IPv6 packets.";
         }
         leaf forwarding {
           type boolean;
           default false;
           description
             "Controls IPv6 packet forwarding of datagrams received by,
              but not addressed to, this interface.  IPv6 routers
              forward datagrams.  IPv6 hosts do not (except those
              source-routed via the host).";
           reference
             "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
                        Section 6.2.1, IsRouter";
         }
         leaf mtu {
           type uint32 {
             range "1280..max";
           }
           units octets;
           description
             "The size, in octets, of the largest IPv6 packet that the
              interface will send and receive.

              The server may restrict the allowed values for this leaf,
              depending on the interface's type.

              If this leaf is not configured, the operationally used MTU
              depends on the interface's type.";
           reference
             "RFC 2460: Internet Protocol, Version 6 (IPv6)
                        Specification
                        Section 5";
         }

         list address {
           key "ip";
           description
             "The list of IPv6 addresses on the interface.";

           leaf ip {
             type inet:ipv6-address-no-zone;
             description
               "The IPv6 address on the interface.";
           }
           leaf prefix-length {
             type uint8 {
               range "0..128";
             }
             mandatory true;
             description
               "The length of the subnet prefix.";
           }
           leaf origin {
             type ip-address-origin;
             config false;
             description
               "The origin of this address.";
           }
           leaf status {
             type enumeration {
               enum preferred {
                 description
                   "This is a valid address that can appear as the
                    destination or source address of a packet.";
               }
               enum deprecated {
                 description
                   "This is a valid but deprecated address that should
                    no longer be used as a source address in new
                    communications, but packets addressed to such an
                    address are processed as expected.";
               }
               enum invalid {
                 description
                   "This isn't a valid address, and it shouldn't appear
                    as the destination or source address of a packet.";
               }
               enum inaccessible {
                 description
                   "The address is not accessible because the interface
                    to which this address is assigned is not
                    operational.";
               }
               enum unknown {
                 description
                   "The status cannot be determined for some reason.";
               }
               enum tentative {
                 description
                   "The uniqueness of the address on the link is being
                    verified.  Addresses in this state should not be
                    used for general communication and should only be
                    used to determine the uniqueness of the address.";
               }
               enum duplicate {
                 description
                   "The address has been determined to be non-unique on
                    the link and so must not be used.";
               }
               enum optimistic {
                 description
                   "The address is available for use, subject to
                    restrictions, while its uniqueness on a link is
                    being verified.";
               }
             }
             config false;
             description
               "The status of an address.  Most of the states correspond
                to states from the IPv6 Stateless Address
                Autoconfiguration protocol.";
             reference
               "RFC 4293: Management Information Base for the
                          Internet Protocol (IP)
                          - IpAddressStatusTC
                RFC 4862: IPv6 Stateless Address Autoconfiguration";
           }
         }
         list neighbor {
           key "ip";
           description
             "A list of mappings from IPv6 addresses to
              link-layer addresses.

              Entries in this list in the intended configuration are
              used as static entries in the Neighbor Cache.

              In the operational state, this list represents the
              Neighbor Cache.";
           reference
             "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)";

           leaf ip {
             type inet:ipv6-address-no-zone;
             description
               "The IPv6 address of the neighbor node.";
           }
           leaf link-layer-address {
             type yang:phys-address;
             mandatory true;
             description
               "The link-layer address of the neighbor node.

                In the operational state, if the neighbor's 'state' leaf
                is 'incomplete', this leaf is not instantiated.";
           }
           leaf origin {
             type neighbor-origin;
             config false;
             description
               "The origin of this neighbor entry.";
           }
           leaf is-router {
             type empty;
             config false;
             description
               "Indicates that the neighbor node acts as a router.";
           }
           leaf state {
             type enumeration {
               enum incomplete {
                 description
                   "Address resolution is in progress, and the
                    link-layer address of the neighbor has not yet been
                    determined.";
               }
               enum reachable {
                 description
                   "Roughly speaking, the neighbor is known to have been
                    reachable recently (within tens of seconds ago).";
               }
               enum stale {
                 description
                   "The neighbor is no longer known to be reachable, but
                    until traffic is sent to the neighbor no attempt
                    should be made to verify its reachability.";
               }
               enum delay {
                 description
                   "The neighbor is no longer known to be reachable, and
                    traffic has recently been sent to the neighbor.
                    Rather than probe the neighbor immediately, however,
                    delay sending probes for a short while in order to
                    give upper-layer protocols a chance to provide
                    reachability confirmation.";
               }
               enum probe {
                 description
                   "The neighbor is no longer known to be reachable, and
                    unicast Neighbor Solicitation probes are being sent
                    to verify reachability.";
               }
             }
             config false;
             description
               "The Neighbor Unreachability Detection state of this
                entry.";
             reference
               "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
                          Section 7.3.2";
           }
         }

         leaf dup-addr-detect-transmits {
           type uint32;
           default 1;
           description
             "The number of consecutive Neighbor Solicitation messages
              sent while performing Duplicate Address Detection on a
              tentative address.  A value of zero indicates that
              Duplicate Address Detection is not performed on
              tentative addresses.  A value of one indicates a single
              transmission with no follow-up retransmissions.";
           reference
             "RFC 4862: IPv6 Stateless Address Autoconfiguration";
         }
         container autoconf {
           description
             "Parameters to control the autoconfiguration of IPv6
              addresses, as described in RFC 4862.";
           reference
             "RFC 4862: IPv6 Stateless Address Autoconfiguration";

           leaf create-global-addresses {
             type boolean;
             default true;
             description
               "If enabled, the host creates global addresses as
                described in RFC 4862.";
             reference
               "RFC 4862: IPv6 Stateless Address Autoconfiguration
                          Section 5.5";
           }
           leaf create-temporary-addresses {
             if-feature ipv6-privacy-autoconf;
             type boolean;
             default false;
             description
               "If enabled, the host creates temporary addresses as
                described in RFC 4941.";
             reference
               "RFC 4941: Privacy Extensions for Stateless Address
                          Autoconfiguration in IPv6";
           }

           leaf temporary-valid-lifetime {
             if-feature ipv6-privacy-autoconf;
             type uint32;
             units "seconds";
             default 604800;
             description
               "The time period during which the temporary address
                is valid.";
             reference
               "RFC 4941: Privacy Extensions for Stateless Address
                          Autoconfiguration in IPv6
                          - TEMP_VALID_LIFETIME";
           }
           leaf temporary-preferred-lifetime {
             if-feature ipv6-privacy-autoconf;
             type uint32;
             units "seconds";
             default 86400;
             description
               "The time period during which the temporary address is
                preferred.";
             reference
               "RFC 4941: Privacy Extensions for Stateless Address
                          Autoconfiguration in IPv6
                          - TEMP_PREFERRED_LIFETIME";
           }
         }
       }
     }

     /*
      * Legacy operational state data nodes
      */

     augment "/if:interfaces-state/if:interface" {
       status deprecated;
       description
         "Data nodes for the operational state of IP on interfaces.";

       container ipv4 {
         presence "Present if IPv4 is enabled on this interface";
         config false;
         status deprecated;
         description
           "Interface-specific parameters for the IPv4 address family.";

         leaf forwarding {
           type boolean;
           status deprecated;
           description
             "Indicates whether IPv4 packet forwarding is enabled or
              disabled on this interface.";
         }
         leaf mtu {
           type uint16 {
             range "68..max";
           }
           units octets;
           status deprecated;
           description
             "The size, in octets, of the largest IPv4 packet that the
              interface will send and receive.";
           reference
             "RFC 791: Internet Protocol";
         }
         list address {
           key "ip";
           status deprecated;
           description
             "The list of IPv4 addresses on the interface.";

           leaf ip {
             type inet:ipv4-address-no-zone;
             status deprecated;
             description
               "The IPv4 address on the interface.";
           }
           choice subnet {
             status deprecated;
             description
               "The subnet can be specified as a prefix-length, or,
                if the server supports non-contiguous netmasks, as
                a netmask.";
             leaf prefix-length {
               type uint8 {
                 range "0..32";
               }
               status deprecated;
               description
                 "The length of the subnet prefix.";
             }
             leaf netmask {
               if-feature ipv4-non-contiguous-netmasks;
               type yang:dotted-quad;
               status deprecated;
               description
                 "The subnet specified as a netmask.";
             }
           }
           leaf origin {
             type ip-address-origin;
             status deprecated;
             description
               "The origin of this address.";
           }
         }
         list neighbor {
           key "ip";
           status deprecated;
           description
             "A list of mappings from IPv4 addresses to
              link-layer addresses.

              This list represents the ARP Cache.";
           reference
             "RFC 826: An Ethernet Address Resolution Protocol";

           leaf ip {
             type inet:ipv4-address-no-zone;
             status deprecated;
             description
               "The IPv4 address of the neighbor node.";
           }
           leaf link-layer-address {
             type yang:phys-address;
             status deprecated;
             description
               "The link-layer address of the neighbor node.";
           }
           leaf origin {
             type neighbor-origin;
             status deprecated;
             description
               "The origin of this neighbor entry.";
           }
         }
       }

       container ipv6 {
         presence "Present if IPv6 is enabled on this interface";
         config false;
         status deprecated;
         description
           "Parameters for the IPv6 address family.";

         leaf forwarding {
           type boolean;
           default false;
           status deprecated;
           description
             "Indicates whether IPv6 packet forwarding is enabled or
              disabled on this interface.";
           reference
             "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
                        Section 6.2.1, IsRouter";
         }
         leaf mtu {
           type uint32 {
             range "1280..max";
           }
           units octets;
           status deprecated;
           description
             "The size, in octets, of the largest IPv6 packet that the
              interface will send and receive.";
           reference
             "RFC 2460: Internet Protocol, Version 6 (IPv6)
                        Specification
                        Section 5";
         }
         list address {
           key "ip";
           status deprecated;
           description
             "The list of IPv6 addresses on the interface.";

           leaf ip {
             type inet:ipv6-address-no-zone;
             status deprecated;
             description
               "The IPv6 address on the interface.";
           }
           leaf prefix-length {
             type uint8 {
               range "0..128";
             }
             mandatory true;
             status deprecated;
             description
               "The length of the subnet prefix.";
           }
           leaf origin {
             type ip-address-origin;
             status deprecated;
             description
               "The origin of this address.";
           }
           leaf status {
             type enumeration {
               enum preferred {
                 description
                   "This is a valid address that can appear as the
                    destination or source address of a packet.";
               }
               enum deprecated {
                 description
                   "This is a valid but deprecated address that should
                    no longer be used as a source address in new
                    communications, but packets addressed to such an
                    address are processed as expected.";
               }
               enum invalid {
                 description
                   "This isn't a valid address, and it shouldn't appear
                    as the destination or source address of a packet.";
               }
               enum inaccessible {
                 description
                   "The address is not accessible because the interface
                    to which this address is assigned is not
                    operational.";
               }
               enum unknown {
                 description
                   "The status cannot be determined for some reason.";
               }
               enum tentative {
                 description
                   "The uniqueness of the address on the link is being
                    verified.  Addresses in this state should not be
                    used for general communication and should only be
                    used to determine the uniqueness of the address.";
               }
               enum duplicate {
                 description
                   "The address has been determined to be non-unique on
                    the link and so must not be used.";
               }
               enum optimistic {
                 description
                   "The address is available for use, subject to
                    restrictions, while its uniqueness on a link is
                    being verified.";
               }
             }
             status deprecated;
             description
               "The status of an address.  Most of the states correspond
                to states from the IPv6 Stateless Address
                Autoconfiguration protocol.";
             reference
               "RFC 4293: Management Information Base for the
                          Internet Protocol (IP)
                          - IpAddressStatusTC
                RFC 4862: IPv6 Stateless Address Autoconfiguration";
           }
         }
         list neighbor {
           key "ip";
           status deprecated;
           description
             "A list of mappings from IPv6 addresses to
              link-layer addresses.

              This list represents the Neighbor Cache.";
           reference
             "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)";

           leaf ip {
             type inet:ipv6-address-no-zone;
             status deprecated;
             description
               "The IPv6 address of the neighbor node.";
           }
           leaf link-layer-address {
             type yang:phys-address;
             status deprecated;
             description
               "The link-layer address of the neighbor node.";
           }
           leaf origin {
             type neighbor-origin;
             status deprecated;
             description
               "The origin of this neighbor entry.";
           }
           leaf is-router {
             type empty;
             status deprecated;
             description
               "Indicates that the neighbor node acts as a router.";
           }
           leaf state {
             type enumeration {
               enum incomplete {
                 description
                   "Address resolution is in progress, and the
                    link-layer address of the neighbor has not yet been
                    determined.";
               }
               enum reachable {
                 description
                   "Roughly speaking, the neighbor is known to have been
                    reachable recently (within tens of seconds ago).";
               }
               enum stale {
                 description
                   "The neighbor is no longer known to be reachable, but
                    until traffic is sent to the neighbor no attempt
                    should be made to verify its reachability.";
               }
               enum delay {
                 description
                   "The neighbor is no longer known to be reachable, and
                    traffic has recently been sent to the neighbor.
                    Rather than probe the neighbor immediately, however,
                    delay sending probes for a short while in order to
                    give upper-layer protocols a chance to provide
                    reachability confirmation.";
               }
               enum probe {
                 description
                   "The neighbor is no longer known to be reachable, and
                    unicast Neighbor Solicitation probes are being sent
                    to verify reachability.";
               }
             }
             status deprecated;
             description
               "The Neighbor Unreachability Detection state of this
                entry.";
             reference
               "RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
                          Section 7.3.2";
           }
         }
       }
     }
   }

   <CODE ENDS>

5.  IANA Considerations

   This document registers a URI in the "IETF XML Registry" [RFC3688].
   Following the format in RFC 3688, the following registration has been
   made.

        URI: urn:ietf:params:xml:ns:yang:ietf-ip

        Registrant Contact: The NETMOD WG of the IETF.

        XML: N/A; the requested URI is an XML namespace.

   This document registers a YANG module in the "YANG Module Names"
   registry [RFC6020].

        Name:         ietf-ip
        Namespace:    urn:ietf:params:xml:ns:yang:ietf-ip
        Prefix:       ip
        Reference:    RFC 7277

6.  Security Considerations

   The YANG module specified in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer
   is the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC5246].

   The NETCONF access control model [RFC6536] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.
   There are a number of data nodes defined in the YANG module which are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   ipv4/enabled and ipv6/enabled:  These leafs are used to enable or
      disable IPv4 and IPv6 on a specific interface.  By enabling a
      protocol on an interface, an attacker might be able to create an
      unsecured path into a node (or through it if routing is also
      enabled).  By disabling a protocol on an interface, an attacker
      might be able to force packets to be routed through some other
      interface or deny access to some or all of the network via that
      protocol.

   ipv4/address and ipv6/address:  These lists specify the configured IP
      addresses on an interface.  By modifying this information, an
      attacker can cause a node to either ignore messages destined to it
      or accept (at least at the IP layer) messages it would otherwise
      ignore.  The use of filtering or security associations may reduce
      the potential damage in the latter case.

   ipv4/forwarding and ipv6/forwarding:  These leafs allow a client to
      enable or disable the forwarding functions on the entity.  By
      disabling the forwarding functions, an attacker would possibly be
      able to deny service to users.  By enabling the forwarding
      functions, an attacker could open a conduit into an area.  This
      might result in the area providing transit for packets it
      shouldn't, or it might allow the attacker access to the area,
      bypassing security safeguards.
   ipv6/autoconf:  The leafs in this branch control the
      autoconfiguration of IPv6 addresses and, in particular, whether or
      not temporary addresses are used.  By modifying the corresponding
      leafs, an attacker might impact the addresses used by a node and
      thus indirectly the privacy of the users using the node.

   ipv4/mtu and ipv6/mtu:  Setting these leafs to very small values can
      be used to slow down interfaces.

7.  Acknowledgments

   The author wishes to thank Jeffrey Lange, Ladislav Lhotka, Juergen
   Schoenwaelder, and Dave Thaler for their helpful comments.

8.  References

8.1.  Normative References

   [I-D.ietf-netmod-revised-datastores]
              Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore
              Architecture", draft-ietf-netmod-revised-datastores-07
              (work in progress), November 2017.

   [I-D.ietf-netmod-rfc7223bis]
              Bjorklund, M., "A YANG Data Model for Interface
              Management", draft-ietf-netmod-rfc7223bis-01 (work in
              progress), December 2017.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              DOI 10.17487/RFC0791, September 1981.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
              December 1998.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
              DOI 10.17487/RFC4861, September 2007.

   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
              Address Autoconfiguration", RFC 4862,
              DOI 10.17487/RFC4862, September 2007.

   [RFC4941]  Narten, T., Draves, R., and S. Krishnan, "Privacy
              Extensions for Stateless Address Autoconfiguration in
              IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

8.2.  Informative References

   [I-D.ietf-netmod-yang-tree-diagrams]
              Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft-
              ietf-netmod-yang-tree-diagrams-02 (work in progress),
              October 2017.

   [RFC0826]  Plummer, D., "Ethernet Address Resolution Protocol: Or
              Converting Network Protocol Addresses to 48.bit Ethernet
              Address for Transmission on Ethernet Hardware", STD 37,
              RFC 826, DOI 10.17487/RFC0826, November 1982.

   [RFC4293]  Routhier, S., Ed., "Management Information Base for the
              Internet Protocol (IP)", RFC 4293, DOI 10.17487/RFC4293,
              April 2006.
   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC7217]  Gont, F., "A Method for Generating Semantically Opaque
              Interface Identifiers with IPv6 Stateless Address
              Autoconfiguration (SLAAC)", RFC 7217,
              DOI 10.17487/RFC7217, April 2014.

   [RFC8022]  Lhotka, L. and A. Lindem, "A YANG Data Model for Routing
              Management", RFC 8022, DOI 10.17487/RFC8022, November
              2016.

Appendix A.  Example: NETCONF <get-config> Reply

   This section gives an example of a reply to the NETCONF <get-config>
   request for the running configuration datastore for a device that
   implements the data model defined in this document.

   <rpc-reply
       xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
       message-id="101">
     <data>
       <interfaces
           xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"
           xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type">
         <interface>
           <name>eth0</name>
           <type>ianaift:ethernetCsmacd</type>
           <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
             <address>
               <ip>192.0.2.1</ip>
               <prefix-length>24</prefix-length>
             </address>
           </ipv4>
           <ipv6 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
             <mtu>1280</mtu>
             <address>
               <ip>2001:db8::10</ip>
               <prefix-length>32</prefix-length>
             </address>
             <dup-addr-detect-transmits>0</dup-addr-detect-transmits>
           </ipv6>
         </interface>
       </interfaces>
     </data>
   </rpc-reply>
Appendix B.  Example: NETCONF <get-data> Reply

   This section gives an example of a reply to the NETCONF <get-data>
   request for the operational state datastore for a device that
   implements the data model defined in this document.

   This example uses the "origin" annotation, which is defined in the
   module "ietf-origin" [I-D.ietf-netmod-revised-datastores].

   <rpc-reply
       xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
       message-id="101">
     <data>
       <interfaces
           xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"
           xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type"
           xmlns:or="urn:ietf:params:xml:ns:yang:ietf-origin">
         <interface or:origin="or:intended">
           <name>eth0</name>
           <type>ianaift:ethernetCsmacd</type>
           <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
             <enabled>true</enabled>
             <forwarding>false</forwarding>
             <mtu or:origin="or:system">1500</mtu>
             <address>
               <ip>192.0.2.1</ip>
               <prefix-length>24</prefix-length>
               <origin>static</origin>
             </address>
             <neighbor or:origin="or:learned">
               <ip>192.0.2.2</ip>
               <link-layer-address>
                 00:00:5E:00:53:AB
               </link-layer-address>
             </neighbor>
           </ipv4>
           <ipv6 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
             <enabled>true</enabled>
             <forwarding>false</forwarding>
             <mtu>1280</mtu>
             <address>
               <ip>2001:db8::10</ip>
               <prefix-length>32</prefix-length>
               <origin>static</origin>
               <status>preferred</status>
             </address>
             <address or:origin="or:learned">
               <ip>2001:db8::1:100</ip>
               <prefix-length>32</prefix-length>
               <origin>dhcp</origin>
               <status>preferred</status>
             </address>
             <dup-addr-detect-transmits>0</dup-addr-detect-transmits>
             <neighbor or:origin="or:learned">
               <ip>2001:db8::1</ip>
               <link-layer-address>
                 00:00:5E:00:53:AB
               </link-layer-address>
               <origin>dynamic</origin>
               <is-router/>
               <state>reachable</state>
             </neighbor>
             <neighbor or:origin="or:learned">
               <ip>2001:db8::4</ip>
               <origin>dynamic</origin>
               <state>incomplete</state>
             </neighbor>
           </ipv6>
         </interface>
       </interfaces>
     </data>
   </rpc-reply>
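   As an added example (not part of this draft), the following Python
   audits a reply in the shape of Appendix B for the nodes that Section 6
   lists as sensitive: forwarding turned on where a locally defined policy
   forbids it, addresses the operator did not configure, and addresses in
   the duplicate or invalid state.  The sample reply, the no_forwarding
   policy set and the audit_ip_state function are all constructed here.

```python
import xml.etree.ElementTree as ET

# Namespaces used in the reply: NETCONF base, ietf-interfaces and ietf-ip.
NS = {"nc": "urn:ietf:params:xml:ns:netconf:base:1.0",
      "if": "urn:ietf:params:xml:ns:yang:ietf-interfaces",
      "ip": "urn:ietf:params:xml:ns:yang:ietf-ip"}

# Constructed sample in the shape of the Appendix B reply; eth0 has been
# given ipv4 forwarding=true and a duplicate DHCP address so checks fire.
SAMPLE_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
 <data><interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"><interface>
  <name>eth0</name>
  <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
   <enabled>true</enabled><forwarding>true</forwarding><mtu>1500</mtu>
   <address><ip>192.0.2.1</ip><prefix-length>24</prefix-length><origin>static</origin></address>
  </ipv4>
  <ipv6 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
   <enabled>true</enabled><forwarding>false</forwarding><mtu>1280</mtu>
   <address><ip>2001:db8::10</ip><prefix-length>32</prefix-length>
    <origin>static</origin><status>preferred</status></address>
   <address><ip>2001:db8::1:100</ip><prefix-length>32</prefix-length>
    <origin>dhcp</origin><status>duplicate</status></address>
  </ipv6>
 </interface></interfaces></data>
</rpc-reply>"""


def audit_ip_state(reply_xml, no_forwarding=frozenset()):
    """Return (interface, finding) tuples; no_forwarding is a local policy."""
    findings = []
    root = ET.fromstring(reply_xml)
    for intf in root.findall("nc:data/if:interfaces/if:interface", NS):
        name = intf.findtext("if:name", namespaces=NS)
        for fam in ("ipv4", "ipv6"):
            node = intf.find(f"ip:{fam}", NS)
            if node is None:
                continue  # address family not enabled on this interface
            # Section 6: forwarding turned on where policy says it must be off
            fwd = node.findtext("ip:forwarding", namespaces=NS)
            if name in no_forwarding and fwd == "true":
                findings.append((name, f"{fam} forwarding enabled"))
            for addr in node.findall("ip:address", NS):
                ip = addr.findtext("ip:ip", namespaces=NS)
                origin = addr.findtext("ip:origin", namespaces=NS)
                status = addr.findtext("ip:status", namespaces=NS)
                if status in ("duplicate", "invalid"):  # failed DAD or unusable
                    findings.append((name, f"{fam} {ip} status {status}"))
                if origin != "static":  # not operator-configured: review it
                    findings.append((name, f"{fam} {ip} origin {origin}"))
    return findings
```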
Author's Address

   Martin Bjorklund
   Tail-f Systems

   Email: mbj@tail-f.com