
ietf-mud


ietf-mud@2018-06-15



  module ietf-mud {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-mud";

    prefix ietf-mud;

    // The module only *references* ACLs; the ACL entries themselves are
    // defined by ietf-access-control-list and live under /acl:acls in the
    // same MUD file.
    import ietf-access-control-list {
      prefix acl;
    }
    import ietf-yang-types {
      prefix yang;
    }
    import ietf-inet-types {
      prefix inet;
    }

    organization
      "IETF OPSAWG (Ops Area) Working Group";

    contact
      "WG Web: http://tools.ietf.org/wg/opsawg/
     WG List: opsawg@ietf.org
     Author: Eliot Lear
     lear@cisco.com
     Author: Ralph Droms
     rdroms@gmail.com
     Author: Dan Romascanu
     dromasca@gmail.com

    ";

    description
      "This YANG module defines a component that augments the
     IETF description of an access list.  This specific module
     focuses on additional filters that include local, model,
     and same-manufacturer.

     This module is intended to be serialized via JSON and stored
     as a file, as described in RFC XXXX [RFC Editor to fill in with
     this document #].

     Copyright (c) 2016,2017 IETF Trust and the persons
     identified as the document authors.  All rights reserved.
     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD
     License set forth in Section 4.c of the IETF Trust's Legal
     Provisions Relating to IETF Documents
     (http://trustee.ietf.org/license-info).
     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

    // Draft-era revision: the "RFC XXXX" placeholders were never filled in
    // here.  The published form of this module is the 2019-01-28 revision
    // shipped with RFC 8520 (see the other revision listed on this page).
    revision "2018-06-15" {
      description
        "Initial proposed standard.";
      reference
        "RFC XXXX: Manufacturer Usage Description
        Specification";

    }


    // Direction is always relative to the Thing the MUD file describes:
    // "from-device" is traffic the Thing originates, "to-device" is traffic
    // sent to it.  Used by direction-initiated below.
    typedef direction {
      type enumeration {
        enum "to-device" {
          value 0;
          description
            "packets or flows destined to the target
           Thing";
        }
        enum "from-device" {
          value 1;
          description
            "packets or flows destined from
           the target Thing";
        }
      }
      description
        "Which way are we talking about?";
    }

    // Presence container: the existence of /mud is itself the signal that
    // this file carries MUD data for exactly one MUD URL (mud-url below).
    container mud {
      presence
        "Enabled for this particular MUD URL";
      description
        "MUD related information, as specified
       by RFC-XXXX [RFC Editor to fill in].";
      uses mud-grouping;
    }  // container mud

    // Everything in this grouping is asserted by the manufacturer in the MUD
    // file.  Nothing here is verified by the model itself; trust in these
    // values rests on how the file was fetched and on mud-signature.
    grouping mud-grouping {
      description
        "Information about when support end(ed), and
       when to refresh";
      // NOTE(review): uint8 admits 0..255 and nothing in the type pins this
      // to 1, so a MUD manager has to check the version explicitly and refuse
      // files whose version it does not implement rather than assume 1.
      leaf mud-version {
        type uint8;
        mandatory true;
        description
          "This is the version of the MUD
         specification.  This memo specifies version 1.";
      }

      // NOTE(review): inet:uri places no restriction on the URL scheme or
      // authority; any such requirement on MUD URLs comes from the
      // specification text, not from this type -- enforce it in the manager.
      leaf mud-url {
        type inet:uri;
        mandatory true;
        description
          "This is the MUD URL associated with the entry found
         in a MUD file.";
      }

      // Manufacturer-supplied timestamp; together with cache-validity it
      // bounds how long a manager should go without re-fetching.
      leaf last-update {
        type yang:date-and-time;
        mandatory true;
        description
          "This is intended to be when the current MUD file
         was generated.  MUD Managers SHOULD NOT check
         for updates between this time plus cache validity";
      }

      // NOTE(review): no "mandatory" statement, so a MUD file may omit the
      // signature entirely, and the signature lives at a separate URI rather
      // than inline.  How a manager treats an unsigned file (accept, warn,
      // reject) is policy outside this model -- confirm against the spec.
      leaf mud-signature {
        type inet:uri;
        description
          "A URI that resolves to a signature as
         described in this specification.";
      }

      // Bounded to 1 hour .. 1 week (168 h); default 48 h.  Note the N.B. in
      // the description: expiry is a refresh hint, not a hard discard, so a
      // manager may keep enforcing a file past this window.
      leaf cache-validity {
        type uint8 {
          range "1..168";
        }
        units "hours";
        default "48";
        description
          "The information retrieved from the MUD server is
         valid for these many hours, after which it should
         be refreshed.  N.B. MUD manager implementations
         need not discard MUD files beyond this period.";
      }

      // A manufacturer's own statement of support status.  What a manager
      // does with an unsupported Thing is not defined by this module.
      leaf is-supported {
        type boolean;
        mandatory true;
        description
          "This boolean indicates whether or not the Thing is
         currently supported by the manufacturer.";
      }

      // Free-form string with no length bound in this revision, intended for
      // display to an administrator; treat it as untrusted display text.
      leaf systeminfo {
        type string;
        description
          "A UTF-8 description of this Thing.  This
         should be a brief description that may be
         displayed to the user to determine whether
         to allow the Thing on the
         network.";
      }

      // mfg-name / model-name / firmware-rev / software-rev are informational.
      // The ACL matches added below key on the MUD URL (authority or full
      // URL), not on these strings.
      leaf mfg-name {
        type string;
        description
          "Manufacturer name, as described in
         the ietf-hardware YANG module.";
      }

      leaf model-name {
        type string;
        description
          "Model name, as described in the
         ietf-hardware YANG module.";
      }

      // The MUST NOT in the description keeps a fixed MUD URL from
      // advertising a revision the device may have moved past.
      leaf firmware-rev {
        type string;
        description
          "firmware-rev, as described in the
         ietf-hardware YANG module.  Note this field MUST
         NOT be included when the device can be updated
         but the MUD-URL cannot.";
      }

      leaf software-rev {
        type string;
        description
          "software-rev, as described in the
         ietf-hardware YANG module.  Note this field MUST
         NOT be included when the device can be updated
         but the MUD-URL cannot.";
      }

      // Manufacturer-supplied URL.  Per the description a manager should
      // hand it to the administrator rather than dereference it itself,
      // which keeps the manager from acting as a web client for arbitrary
      // URLs found in MUD files.
      leaf documentation {
        type inet:uri;
        description
          "This URL points to documentation that
         relates to this device and any classes that it uses
         in its MUD file.  A caution: MUD managers need
         not resolve this URL on their own, but rather simply
         provide it to the administrator.  Parsing HTML is
         not an intended function of a MUD manager.";
      }

      // NOTE(review): the model does not say how a manager should react to
      // an extension name it does not recognise -- confirm against the spec.
      leaf-list extensions {
        type string {
          length "1..40";
        }
        description
          "A list of extension names that are used in this MUD
         file.  Each name is registered with the IANA and
         described in an RFC.";
      }

      // One container per direction; an ACL referenced under
      // from-device-policy is applied to traffic the Thing sends, and one
      // under to-device-policy to traffic it receives.
      container from-device-policy {
        description
          "The policies that should be enforced on traffic
         coming from the device. These policies are not
         necessarily intended to be enforced at a single
         point, but may be rendered by the controller to any
         relevant enforcement points in the network or
         elsewhere.";
        uses access-lists;
      }  // container from-device-policy

      container to-device-policy {
        description
          "The policies that should be enforced on traffic
         going to the device. These policies are not
         necessarily intended to be enforced at a single
         point, but may be rendered by the controller to any
         relevant enforcement points in the network or
         elsewhere.";
        uses access-lists;
      }  // container to-device-policy
    }  // grouping mud-grouping

    // References into the ACL model.  The leafref means every name listed
    // here must resolve to an ACL present under /acl:acls in the same file;
    // a dangling reference is a validation failure, not a silent no-op.
    grouping access-lists {
      description
        "A grouping for access lists in the context of device
       policy.";
      container access-lists {
        description
          "The access lists that should be applied to traffic
           to or from the device.";
        // NOTE(review): the description says an ACL is identified by name
        // and type, but the list key is "name" alone and there is no type
        // leaf in this grouping; the type is only reachable through the
        // referenced ACL entry itself.
        list access-list {
          key "name";
          description
            "Each entry on this list refers to an ACL that
             should be present in the overall access list
             data model. Each ACL is identified by name and
             type.";
          leaf name {
            type leafref {
              path
                "/acl:acls/acl:acl/acl:name";
            }
            description
              "The name of the ACL for this entry.";
          }
        }  // list access-list
      }  // container access-lists
    }  // grouping access-lists

    // Abstract match criteria.  These are resolved by the MUD manager into
    // concrete addresses at enforcement time; the MUD file itself never
    // carries the addresses.
    augment /acl:acls/acl:acl/acl:aces/acl:ace/acl:matches {
      description
        "adding abstractions to avoid need of IP addresses";
      container mud {
        description "MUD-specific matches.";
        // NOTE(review): this matches *other* Things by the authority of
        // their MUD URL.  The strength of the match is bounded by how each
        // peer's MUD URL was learned and whether it was authenticated, which
        // is outside this model.
        leaf manufacturer {
          type inet:host;
          description
            "A domain that is intended to match the authority
           section of the MUD URL. This node is used to specify
           one or more manufacturers a device should
           be authorized to access.";
        }

        // Type "empty": presence alone is the match.  Grants access to every
        // Thing whose MUD URL shares this Thing's authority section.
        leaf same-manufacturer {
          type empty;
          description
            "This node matches the authority section of the MUD URL
           of a Thing.  It is intended to grant access to all
           devices with the same authority section.";
        }

        // Exact MUD URL equality of the peer.
        leaf model {
          type inet:uri;
          description
            "Devices of the specified model type will match if
           they have an identical MUD URL.";
        }

        // "Local" is an administrative notion: the prefixes are defined on
        // the manager side, not carried in the MUD file.
        leaf local-networks {
          type empty;
          description
            "IP addresses will match this node if they are
           considered local addresses.  A local address may be
           a list of locally defined prefixes and masks
           that indicate a particular administrative scope.";
        }

        // The class name is resolved to addresses by the manager; presumably
        // those addresses are administrator-configured rather than taken
        // from the MUD file -- confirm against the spec.
        leaf controller {
          type inet:uri;
          description
            "This node names a class that has associated with it
           zero or more IP addresses to match against.  These
           may be scoped to a manufacturer or via a standard
           URN.";
        }

        // Matches whatever the administrator configured as this Thing's
        // controller, keyed by its MUD URL.
        leaf my-controller {
          type empty;
          description
            "This node matches one or more network elements that
           have been configured to be the controller for this
           Thing, based on its MUD URL.";
        }
      }  // container mud
    }

    // Only valid under TCP matches.  Evaluating this requires the
    // enforcement point to know which side opened the connection, i.e.
    // connection state rather than per-packet header fields; the model does
    // not define how that is determined (the description defers to the
    // document text).
    augment /acl:acls/acl:acl/acl:aces/acl:ace/acl:matches/acl:l4/acl:tcp/acl:tcp {
      description "add direction-initiated";
      leaf direction-initiated {
        type direction;
        description
          "This node matches based on which direction a
         connection was initiated. The means by which that
         is determined is discussed in this document.";
      }
    }
  }  // module ietf-mud

Summary

  
ietf-mud  
  
Organization IETF OPSAWG (Operations and Management Area Working Group)
  
Module ietf-mud
Version 2019-01-28
File ietf-mud@2019-01-28.yang
  
Prefix ietf-mud
Namespace urn:ietf:params:xml:ns:yang:ietf-mud
  
Cooked /cookedmodules/ietf-mud/2019-01-28
YANG /src/ietf-mud@2019-01-28.yang
XSD /xsd/ietf-mud@2019-01-28.xsd
  
Abstract This YANG module defines a component that augments the IETF description of an access list. This specific module focuses on addi...
  
Contact
WG Web: <https://datatracker.ietf.org/wg/opsawg/>
WG List: opsawg@ietf.org

Author: Eliot Lear
	lear@cisco.com

Author: Ralph Droms
	rdroms@gmail.com

Author: Dan Romascanu
	dromasca@gmail.com
  
ietf-mud  
  
Organization IETF OPSAWG (Ops Area) Working Group
  
Module ietf-mud
Version 2018-06-15
File ietf-mud@2018-06-15.yang
  
Prefix ietf-mud
Namespace urn:ietf:params:xml:ns:yang:ietf-mud
  
Cooked /cookedmodules/ietf-mud/2018-06-15
YANG /src/ietf-mud@2018-06-15.yang
XSD /xsd/ietf-mud@2018-06-15.xsd
  
Abstract This YANG module defines a component that augments the IETF description of an access list. This specific module focuses on addi...
  
Contact
WG Web: http://tools.ietf.org/wg/opsawg/
WG List: opsawg@ietf.org
Author: Eliot Lear
lear@cisco.com
Author: Ralph Droms
rdroms@gmail.com
Author: Dan Romascanu
dromasca@gmail.com

Description

 
ietf-mud
This YANG module defines a component that augments the
IETF description of an access list.  This specific module
focuses on additional filters that include local, model,
and same-manufacturer.

This module is intended to be serialized via JSON and stored
as a file, as described in RFC 8520.

The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here.

Copyright (c) 2019 IETF Trust and the persons identified as
authors of the code.  All rights reserved.

Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC 8520; see
the RFC itself for full legal notices.
 
ietf-mud
This YANG module defines a component that augments the
IETF description of an access list.  This specific module
focuses on additional filters that include local, model,
and same-manufacturer.

This module is intended to be serialized via JSON and stored
as a file, as described in RFC XXXX [RFC Editor to fill in with
this document #].

Copyright (c) 2016,2017 IETF Trust and the persons
identified as the document authors.  All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.

Typedefs

Typedef Base type Abstract
direction enumeration Which way are we talking about?
direction enumeration Which way are we talking about?

Groupings

Grouping Objects Abstract
access-lists access-lists A grouping for access lists in the context of device policy.
access-lists access-lists A grouping for access lists in the context of device policy.
mud-grouping mud-version mud-url last-update mud-signature cache-validity is-supported systeminfo mfg-name model-name firmware-rev software-rev documentation extensions from-device-policy to-device-policy Information about when support end(ed), and when to refresh
mud-grouping mud-version mud-url last-update mud-signature cache-validity is-supported systeminfo mfg-name model-name firmware-rev software-rev documentation extensions from-device-policy to-device-policy Information about when support ends (or ended) and when to refresh.

Objects

Type Key
Mandatory config
Optional config
Not config
Object Type Abstract
mud container MUD related information, as specified by RFC-XXXX [RFC Editor to fill in].
mud container MUD-related information, as specified by RFC 8520.
   cache-validity leaf The information retrieved from the MUD server is valid for these many hours, after which it should be refreshed. N.B. MUD manager implementations need not discard MUD files beyond this period.
   cache-validity leaf The information retrieved from the MUD server is valid for these many hours, after which it should be refreshed. N.B., MUD manager implementations need not discard MUD files beyond this period.
   documentation leaf This URL points to documentation that relates to this device and any classes that it uses in its MUD file. A caution: MUD managers need not resolve this URL on their own, but rather simply provide it to the administrator. Parsing HTML is not an intended...
   documentation leaf This URL points to documentation that relates to this device and any classes that it uses in its MUD file. A caution: MUD managers need not resolve this URL on their own but rather simply provide it to the administrator. Parsing HTML is not an intended ...
   extensions leaf-list A list of extension names that are used in this MUD file. Each name is registered with the IANA and described in an RFC.
   extensions leaf-list A list of extension names that are used in this MUD file. Each name is registered with the IANA and described in an RFC.
   firmware-rev leaf firmware-rev, as described in the ietf-hardware YANG module. Note this field MUST NOT be included when the device can be updated but the MUD-URL cannot.
   firmware-rev leaf firmware-rev, as described in the ietf-hardware YANG module. Note that this field MUST NOT be included when the device can be updated but the MUD URL cannot.
   from-device-policy container The policies that should be enforced on traffic coming from the device. These policies are not necessarily intended to be enforced at a single point, but may be rendered by the controller to any relevant enforcement points in the network or elsewhere.
   from-device-policy container The policies that should be enforced on traffic coming from the device. These policies are not necessarily intended to be enforced at a single point but may be rendered by the controller to any relevant enforcement points in the network or elsewhere.
      access-lists container The access lists that should be applied to traffic to or from the device.
      access-lists container The access lists that should be applied to traffic to or from the device.
         access-list list Each entry on this list refers to an ACL that should be present in the overall access list data model. Each ACL is identified by name and type.
         access-list list Each entry on this list refers to an ACL that should be present in the overall access list data model. Each ACL is identified by name and type.
            name leaf The name of the ACL for this entry.
            name leaf The name of the ACL for this entry.
   is-supported leaf This boolean indicates whether or not the Thing is currently supported by the manufacturer.
   is-supported leaf This boolean indicates whether or not the Thing is currently supported by the manufacturer.
   last-update leaf This is intended to be when the current MUD file was generated. MUD Managers SHOULD NOT check for updates between this time plus cache validity
   last-update leaf This is intended to be when the current MUD file was generated. MUD managers SHOULD NOT check for updates between this time plus cache validity.
   mfg-name leaf Manufacturer name, as described in the ietf-hardware YANG module.
   mfg-name leaf Manufacturer name, as described in the ietf-hardware YANG module.
   model-name leaf Model name, as described in the ietf-hardware YANG module.
   model-name leaf Model name, as described in the ietf-hardware YANG module.
   mud-signature leaf A URI that resolves to a signature as described in this specification.
   mud-signature leaf A URI that resolves to a signature as described in this specification.
   mud-url leaf This is the MUD URL associated with the entry found in a MUD file.
   mud-url leaf This is the MUD URL associated with the entry found in a MUD file.
   mud-version leaf This is the version of the MUD specification. This memo specifies version 1.
   mud-version leaf This is the version of the MUD specification. This memo specifies version 1.
   software-rev leaf software-rev, as described in the ietf-hardware YANG module. Note this field MUST NOT be included when the device can be updated but the MUD-URL cannot.
   software-rev leaf software-rev, as described in the ietf-hardware YANG module. Note that this field MUST NOT be included when the device can be updated but the MUD URL cannot.
   systeminfo leaf A UTF-8 description of this Thing. This should be a brief description that may be displayed to the user to determine whether to allow the Thing on the network.
   systeminfo leaf A UTF-8 description of this Thing. This should be a brief description that may be displayed to the user to determine whether to allow the Thing on the network.
   to-device-policy container The policies that should be enforced on traffic going to the device. These policies are not necessarily intended to be enforced at a single point, but may be rendered by the controller to any relevant enforcement points in the network or elsewhere.
   to-device-policy container The policies that should be enforced on traffic going to the device. These policies are not necessarily intended to be enforced at a single point but may be rendered by the controller to any relevant enforcement points in the network or elsewhere.
      access-lists container The access lists that should be applied to traffic to or from the device.
      access-lists container The access lists that should be applied to traffic to or from the device.
         access-list list Each entry on this list refers to an ACL that should be present in the overall access list data model. Each ACL is identified by name and type.
         access-list list Each entry on this list refers to an ACL that should be present in the overall access list data model. Each ACL is identified by name and type.
            name leaf The name of the ACL for this entry.
            name leaf The name of the ACL for this entry.