module ietf-mud { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-mud"; prefix ietf-mud; import ietf-access-control-list { prefix acl; } import ietf-yang-types { prefix yang; } import ietf-inet-types { prefix inet; } organization "IETF OPSAWG (Ops Area) Working Group"; contact "WG Web: http://tools.ietf.org/wg/opsawg/ WG List: opsawg@ietf.org Author: Eliot Lear lear@cisco.com Author: Ralph Droms rdroms@gmail.com Author: Dan Romascanu dromasca@gmail.com "; description "This YANG module defines a component that augments the IETF description of an access list. This specific module focuses on additional filters that include local, model, and same-manufacturer. This module is intended to be serialized via JSON and stored as a file, as described in RFC XXXX [RFC Editor to fill in with this document #]. Copyright (c) 2016,2017 IETF Trust and the persons identified as the document authors. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; revision 2017-10-07 { description "Initial proposed standard."; reference "RFC XXXX: Manufacturer Usage Description Specification"; } typedef direction { type enumeration { enum "to-device" { description "packets or flows destined to the target Thing"; } enum "from-device" { description "packets or flows destined from the target Thing"; } } description "Which way are we talking about?"; } container mud { presence "Enabled for this particular MUD URL"; description "MUD related information, as specified by RFC-XXXX [RFC Editor to fill in]."; uses mud-grouping; } grouping mud-grouping { description "Information about when support end(ed), and when to refresh"; leaf mud-url { type inet:uri; mandatory true; description "This is the MUD URL associated with the entry found in a MUD file."; } leaf last-update { type yang:date-and-time; mandatory true; description "This is intended to be when the current MUD file was generated. MUD Controllers SHOULD NOT check for updates between this time plus cache validity"; } leaf cache-validity { type uint8 { range "1..168"; } units "hours"; default "48"; description "The information retrieved from the MUD server is valid for these many hours, after which it should be refreshed. N.B. MUD controller implementations need not discard MUD files beyond this period."; } leaf is-supported { type boolean; mandatory true; description "This boolean indicates whether or not the Thing is currently supported by the manufacturer."; } leaf systeminfo { type inet:uri; description "A URL to a description of this Thing. This should be a brief localized description. The reference text should be no more than octets. systeminfo may be displayed to the user to determine whether to allow the Thing on the network."; } leaf-list extensions { type string { length "1..40"; } description "A list of extension names that are used in this MUD file. Each name is registered with the IANA and described in an RFC."; } container from-device-policy { description "The policies that should be enforced on traffic coming from the device. These policies are not necessarily intended to be enforced at a single point, but may be rendered by the controller to any relevant enorcement points in the network or elsewhere."; uses access-lists; } container to-device-policy { description "The policies that should be enforced on traffic going to the device. These policies are not necessarily intended to be enforced at a single point, but may be rendered by the controller to any relevant enorcement points in the network or elsewhere."; uses access-lists; } } grouping access-lists { description "A grouping for access lists in the context of device policy."; container access-lists { description "The access lists that should be applied to traffic to or from the device."; list access-list { key "acl-name acl-type"; description "Each entry on this list refers to an ACL that should be present in the overall access list data model. Each ACL is identified by name and type."; leaf acl-name { type leafref { path "/acl:access-lists/acl:acl/acl:acl-name"; } description "The name of the ACL for this entry."; } leaf acl-type { type identityref { base acl:acl-base; } description "The type of the ACL for this entry. The name is scoped ONLY to the MUD file, and may not be unique in any other circumstance."; } } } } augment "/acl:access-lists/acl:acl/acl:aces/acl:ace/acl:matches" { description "adding abstractions to avoid need of IP addresses"; container mud-acl { description "MUD-specific matches."; leaf manufacturer { type inet:host; description "A domain that is intended to match the authority section of the MUD URL. This node is used to specify one or more manufacturers a device should be authorized to access."; } leaf same-manufacturer { type empty; description "This node matches the authority section of the MUD URL of a Thing. It is intended to grant access to all devices with the same authority section."; } leaf model { type inet:uri; description "Devices of the specified model type will match if they have an identical MUD URL."; } leaf local-networks { type empty; description "IP addresses will match this node if they are considered local addresses. A local address may be a list of locally defined prefixes and masks that indicate a particular administrative scope."; } leaf controller { type inet:uri; description "This node names a class that has associated with it zero or more IP addresses to match against. These may be scoped to a manufacturer or via a standard URN."; } leaf my-controller { type empty; description "This node matches one or more network elements that have been configured to be the controller for this Thing, based on its MUD URL."; } } } augment "/acl:access-lists/acl:acl/acl:aces/" + "acl:ace/acl:matches/acl:tcp-acl" { description "Adding domain names to matching"; leaf direction-initiated { type direction; description "This node matches based on which direction a connection was initiated. The means by which that is determined is discussed in this document."; } } }