Manufacturer Usage Description for quarantined access to firmware

module: cira-shg-mud augment /m:mud: +–rw quaranteed-device-policy +–rw enabled-ace-names* [ace-name] +–rw ace-name -> /acl:acls/acl/aces/ace/name

file "ietf-mud-quarantine@2019-12-27.yang" module ietf-mud-quarantine { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-mud-quarantine"; prefix "q"; import ietf-mud { prefix m; description "This module defines an extension to MUD to mark entries as being needed during quarantine"; reference "RFC YYYY: MUD YANG"; } organization "IETF OPSAWG Working group."; contact "WG Web: WG List: opsawg@ietf.org Author: Michael Richardson Author: M. Ranganathan "; description "This module extends the RFC8520 MUD format to two facilities: definition of an Access Control List appropriate to enable device upgrade only, and provide for a history of modifications by third-parties to the MUD file"; revision "2019-12-27" { description "Initial version"; reference "RFC XXXX: MUD profile with quarantined access"; } augment "/m:mud" { description "Adds leaf nodes for marking ACLs that should be enabled during quarantine"; container quaranteed-device-policy { description "The policies that should be enforced on traffic coming from the device when it is under quarantine. These policies are usually a subset of operational policies and are intended to permit firmware updates only. They are intended to keep the device safe (and the network safe from the device) when the device is suspected of being out-of-date, but still considered sufficiently intact to be able to do a firmware update"; list enabled-ace-names { key ace-name; leaf ace-name { type leafref { path "/acl:acls/acl:acl/acl:aces/acl:ace/acl:name"; } } } } } }

]]>