idnits 2.17.1 draft-xia-sacm-nid-dp-security-baseline-00.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** There are 62 instances of weird spacing in the document. Is it really formatted ragged-right, rather than justified?
** There are 57 instances of too long lines in the document, the longest one being 61 characters in excess of 72.
** The abstract seems to contain references ([I-D.ietf-xia-sacm-nid-app-infr-layers-security-baseline], [I-D.ietf-lin-sacm-nid-mp-security-baseline]), which it shouldn't. Please replace those with straight textual mentions of the documents in question.

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not match the current year
== Line 298 has weird spacing: '...uleName str...'
== Line 306 has weird spacing: '...maximum uin...'
== Line 320 has weird spacing: '...maximum uin...'
== Line 326 has weird spacing: '...vsiName str...'
== Line 328 has weird spacing: '...maximum uin...'
== (57 more instances...)
== The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text.
-- The document date (September 07, 2017) is 2422 days in the past. Is this intentional?
-- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines.
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)
== Missing Reference: 'I-D.ietf-lin-sacm-nid-mp-security-baseline' is mentioned on line 226, but not defined
== Missing Reference: 'I-D.ietf-birkholz-sacm-yang-content' is mentioned on line 197, but not defined
== Missing Reference: '1-9' is mentioned on line 2259, but not defined
== Missing Reference: '0-9' is mentioned on line 2259, but not defined
== Missing Reference: '0-4' is mentioned on line 2259, but not defined
== Missing Reference: '0-5' is mentioned on line 2259, but not defined
== Unused Reference: 'I-D.ietf-netconf-subscribed-notifications' is defined on line 2678, but no explicit reference was found in the text
== Unused Reference: 'I-D.ietf-netconf-yang-push' is defined on line 2684, but no explicit reference was found in the text
== Outdated reference: A later version (-26) exists of draft-ietf-netconf-subscribed-notifications-03
== Outdated reference: A later version (-25) exists of draft-ietf-netconf-yang-push-08

Summary: 3 errors (**), 0 flaws (~~), 18 warnings (==), 2 comments (--).

Run idnits with the --verbose option for more detailed information about the items above.
--------------------------------------------------------------------------------

Network Working Group                                             L. Xia
Internet-Draft                                                  G. Zheng
Intended status: Standards Track                                  Huawei
Expires: March 11, 2018                               September 07, 2017

   The Data Model of Network Infrastructure Device Data Plane Security
                                Baseline
              draft-xia-sacm-nid-dp-security-baseline-00

Abstract

The following contents propose part of the security baseline YANG output for network infrastructure device: data plane security baseline.
The companion documents [I-D.ietf-dong-sacm-nid-cp-security-baseline], [I-D.ietf-lin-sacm-nid-mp-security-baseline], [I-D.ietf-xia-sacm-nid-app-infr-layers-security-baseline] cover the other parts of the security baseline YANG output for network infrastructure device respectively: control plane security baseline, management plane security baseline, application layer and infrastructure layer security baseline.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on March 11, 2018.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
   1.1. Objective
   1.2. Security Baseline
   1.3. Security Baseline Data Model Design
   1.4. Summary
2. Terminology
   2.1. Key Words
   2.2. Definition of Terms
3. Tree Diagrams
4. Data Model Structure
   4.1. Layer 2 protection
   4.2. ARP
   4.3. URPF
   4.4. DHCP Snooping
   4.5. Control Plane Protection
   4.6. Data Plane Protection
   4.7. TCP/IP Attack Defence
5. Network Infrastructure Device Security Baseline Yang Module
6. IANA Considerations
7. Security Considerations
8. Acknowledgements
9. References
   9.1. Normative References
   9.2. Informative References
Authors' Addresses

1. Introduction

1.1. Objective

Network security is an integral part of overall network deployment and operation. For some basic reasons, network infrastructure devices (e.g. switches, routers, firewalls) are always the targets of network attackers, or are exploited by them, to bring damage to the victim network:

o the existence of many unsafe access channels: for historical reasons, some old and unsafe protocols still run on routers, such as SNMP v1/v2 and Telnet, and it is not mandatory to replace them with the corresponding safer protocols (SNMP v3, SSH). Attackers easily exploit them to attack routers (e.g., invalid login, message eavesdropping);

o the openness of the TCP/IP network: despite the benefits that network openness brings to network architecture design and connectivity, many threats exist at the same time. Address spoofing, security weaknesses in various protocols, traffic flooding and other kinds of threat originate from the network openness;

o the security challenge posed by network complexity: networks are becoming more complex, with massive numbers of nodes, various protocols and flexible topologies. Without careful design and strict management, as well as automated operation, the policy consistency of network security management cannot be ensured. It is common that part of the network infrastructure is subject to attack;

o the complex functionality of the device: the complexity of the device itself increases the difficulty of carrying out the security hardening measures, as well as the skill requirements on the network administrator. As a result, the network administrator may not be capable of, or willing to, implement all the security measures, compared with the implementation of basic functionality;

o the mismatch between the data plane and the control plane: there is a large mismatch in traffic processing capability between the different planes. Without effective control, the large volume of traffic from the data plane can easily flood the other planes.
Clearly, the importance of ensuring the security of the network infrastructure devices is beyond question. To secure the network infrastructure devices, one important task is to identify as far as possible the threats and vulnerabilities in the device itself, such as unnecessary services, insecure configurations, abnormal status, etc., and then enforce the security hardening measures, such as applying patches, modifying the security configuration, enhancing the security mechanisms, etc. We call this task developing and deploying the security baseline for the network infrastructure, which provides a solid foundation for the overall network security. This document aims to describe the security baseline for the network infrastructure, which is called the security baseline in short in this document.

1.2. Security Baseline

Basically, the security baseline can be designed and deployed at different layers of the devices:

o application layer: refers to the application platform security solution and the typical application security mechanisms it provides, such as identity authentication, access control, permission management, encryption and decryption, auditing and tracking, and privacy protection, to ensure secure application data transmission/exchange, secure storage and secure processing, and thus the secure operation of the application system. Specific examples may be: web application security, software integrity protection, encryption of sensitive data, privacy protection, lawful interception interfaces and secure third-party components;

o network layer: refers to a series of security measures to protect the network resources and network services running on the device's network platform. Network layer security on a network product is complicated.
Therefore, it is divided into the data plane, control plane and management plane for consideration:

   * data plane: focuses on the security hardening configuration and status that protect the data plane traffic against eavesdropping, tampering, forging and flooding attacks on the network;

   * control plane: focuses on the control signaling security of the network infrastructure device, to protect its normal exchange against various attacks (i.e., eavesdropping, tampering, forging and flooding attacks) and to restrict malicious control signaling, ensuring the correct network topology and forwarding behavior;

   * management plane: focuses on the management information and platform security. More specifically, it includes all the security configuration and status involved in the network OAM process;

o infrastructure layer: refers to all the security design concerning the device itself and its running OS. As the foundation of the upper layer services, the security of the infrastructure layer must be assured. The specific mechanisms include: OS security, update management, software integrity, web security.

1.3. Security Baseline Data Model Design

The security baseline varies according to many factors, such as the device type (i.e., router, switch, firewall), the security features supported by the device, and the specific security requirements of the network operator. It is impossible to design a complete set for it, so this document and the companion ones propose the most important and universal points. More points can be added in future following the data model scheme specified in this document.

[I-D.ietf-birkholz-sacm-yang-content] defines a method of constructing the YANG data model scheme for the security posture assessment of the network infrastructure device by brokering YANG push telemetry via SACM statements.
The basic steps are:

o use the YANG push mechanism [I-D.ietf-netconf-yang-push] to collect the created streams of notifications (telemetry) [I-D.ietf-netconf-subscribed-notifications] providing SACM content on the SACM data plane; the filter expressions used in the context of YANG subscriptions constitute SACM content that is imperative guidance consumed by SACM components on the SACM management plane;

o then encapsulate the above YANG push output into a SACM Content Element envelope, which is again encapsulated in a SACM statement envelope;

o lastly, publish the SACM statement into a SACM domain via an xmpp-grid publisher.

In this document, we follow the same approach as [I-D.ietf-birkholz-sacm-yang-content] to define the YANG output for the network infrastructure device security baseline posture, based on the SACM information model definition [I-D.ietf-sacm-information-model].

1.4. Summary

The following contents propose part of the security baseline YANG output for network infrastructure device: data plane security baseline. The companion documents [I-D.ietf-dong-sacm-nid-cp-security-baseline], [I-D.ietf-lin-sacm-nid-mp-security-baseline], [I-D.ietf-xia-sacm-nid-app-infr-layers-security-baseline] cover the other parts of the security baseline YANG output for network infrastructure device respectively: control plane security baseline, management plane security baseline, application layer and infrastructure layer security baseline.

2. Terminology

2.1. Key Words

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2.2. Definition of Terms

This document uses the terms defined in [I-D.draft-ietf-sacm-terminology].

3. Tree Diagrams

A simplified graphical representation of the data model is used in this document. The meaning of the symbols in these diagrams is as follows:

o Brackets "[" and "]" enclose list keys.

o Abbreviations before data node names: "rw" means configuration (read-write) and "ro" state data (read-only).

o Symbols after data node names: "?" means an optional node and "*" denotes a "list" and "leaf-list".

o Parentheses enclose choice and case nodes, and case nodes are also marked with a colon (":").

o Ellipsis ("...") stands for contents of subtrees that are not shown.

4. Data Model Structure

A network infrastructure device decides the forwarding path based on the IP/MAC address and sends the packet in the data plane; the NP or ASIC are the main components for the data plane functions.

Some overall introduction is to be added!

4.1. Layer 2 protection

The MAC table is the key resource for layer 2 forwarding, and it is also easily attacked by making the device learn a massive number of invalid MAC addresses. The MAC limit function protects the MAC table by limiting the maximum number of MAC addresses learned on the specified interfaces. When the upper limit is reached, the MAC address is not learned, the packet is discarded, and an alarm may be raised.

If broadcast traffic is not suppressed in a layer 2 network (i.e., Ethernet), a great amount of network bandwidth is consumed by a great deal of broadcast traffic.
The network performance is degraded, even to the point of interrupting communication. In such a case, configure broadcast traffic suppression on the device to ensure that some bandwidth can be reserved for unicast traffic forwarding when broadcast traffic bursts across the network. The device can flexibly be configured to suppress broadcast, multicast, and unknown unicast traffic on an interface, a specified interface in a VLAN, a sub-interface, and over a virtual switch instance (VSI) pseudo wire (PW).

module: ietf-mac-limit
   +--rw mac
      +--rw macLimitRules
      |  +--rw macLimitRule* [ruleName]
      |     +--rw ruleName   string
      |     +--rw maximum    uint32
      |     +--rw rate?      uint16
      |     +--rw action?    macLimitForward
      |     +--rw alarm?     macEnableStatus
      +--rw vlanMacLimits
      |  +--rw vlanMacLimit* [vlanId]
      |     +--rw vlanId     macVlanId
      |     +--rw maximum    uint32
      |     +--rw rate?      uint16
      |     +--rw action?    macLimitForward
      |     +--rw alarm?     macEnableStatus
      +--rw vsiMacLimits
      |  +--rw vsiMacLimit* [vsiName]
      |     +--rw vsiName    string
      |     +--rw maximum    uint32
      |     +--rw rate?      uint16
      |     +--rw action?    macLimitForward
      |     +--rw alarm?     macEnableStatus
      +--rw bdMacLimits
      |  +--rw bdMacLimit* [bdId]
      |     +--rw bdId       uint32
      |     +--rw maximum    uint32
      |     +--rw rate?      uint16
      |     +--rw action?    macLimitForward
      |     +--rw alarm?     macEnableStatus
      +--rw pwMacLimits
      |  +--rw pwMacLimit* [vsiName pwName]
      |     +--rw vsiName    string
      |     +--rw pwName     string
      |     +--rw maximum    uint32
      |     +--rw rate?      uint16
      |     +--rw action?    macLimitForward
      |     +--rw alarm?     macEnableStatus
      +--rw ifMacLimits
      |  +--rw ifMacLimit* [ifName limitType]
      |     +--rw ifName     pub-type:ifName
      |     +--rw limitType  limitType
      |     +--rw ruleName?  -> /mac/macLimitRules/macLimitRule/ruleName
      |     +--rw maximum    uint32
      |     +--rw rate?      uint16
      |     +--rw action?    macLimitForward
      |     +--rw alarm?     macEnableStatus
      +--rw ifVlanMacLimits
      |  +--ro ifVlanMacLimit* [ifName vlanBegin limitType]
      |     +--ro ifName     pub-type:ifName
      |     +--ro vlanBegin  macVlanId
      |     +--ro vlanEnd?   macVlanId
      |     +--ro limitType  limitType
      |     +--ro ruleName?  -> /mac/macLimitRules/macLimitRule/ruleName
      |     +--ro maximum    uint32
      |     +--ro rate       uint16
      |     +--ro action?    macLimitForward
      |     +--ro alarm?     macEnableStatus
      +--rw subifMacLimits
      |  +--rw subifMacLimit* [ifName limitType]
      |     +--rw ifName     pub-type:ifName
      |     +--rw limitType  limitType
      |     +--ro vsiName    string
      |     +--rw ruleName   string
      |     +--rw maximum    uint32
      |     +--rw rate?      uint16
      |     +--rw action?    macLimitForward
      |     +--rw alarm?     macEnableStatus
      +--rw vsiStormSupps
      |  +--rw vsiStormSupp* [vsiName suppressType]
      |     +--rw vsiName       string
      |     +--rw suppressType  suppressType
      |     +--rw percent?      uint64
      |     +--rw packets?      uint64
      |     +--rw cir?          uint64
      |     +--rw cbs?          uint64
      +--rw vlanStormSupps
      |  +--rw vlanStormSupp* [vlanId suppressType]
      |     +--rw vlanId        macVlanId
      |     +--rw suppressType  suppressType
      |     +--rw percent?      uint64
      |     +--rw packets?      uint64
      |     +--rw cir?          uint64
      |     +--rw cbs?          uint64
      +--rw pwSuppresss
      |  +--rw pwSuppress* [vsiName pwName suppressType]
      |     +--rw vsiName       string
      |     +--rw pwName        string
      |     +--rw suppressType  suppressType
      |     +--rw percent?      uint64
      |     +--rw packets?      uint64
      |     +--rw cir?          uint64
      |     +--rw cbs?          uint64
      +--rw vsiTotalNumbers
      |  +--ro vsiTotalNumber* [vsiName slotId macType]
      |     +--ro vsiName   string
      |     +--ro slotId    string
      |     +--ro macType   macType
      |     +--ro number    uint32
      +--rw ifStormSupps
      |  +--rw ifStormSupp* [ifName suppressType]
      |     +--rw ifName        pub-type:ifName
      |     +--rw suppressType  suppressType
      |     +--rw direction     directionType
      |     +--rw percent?      uint64
      |     +--rw packets?      uint64
      |     +--rw cir?          uint64
      |     +--rw cbs?          uint64
      +--rw ifStormBlocks
      |  +--rw ifStormBlock* [ifName blockType direction]
      |     +--rw ifName     pub-type:ifName
      |     +--rw blockType  suppressType
      |     +--rw direction  directionType
      +--rw ifStormContrls
         +--rw ifStormContrl* [ifName]
            +--rw ifName       pub-type:ifName
            +--rw action?      stormCtrlActionType
            +--rw trapEnable?  enableType
            +--rw logEnable?   enableType
            +--rw interval?    uint64
            +--rw ifPacketContrlAttributes
            |  +--rw ifPacketContrlAttribute* [packetType]
            |     +--rw packetType  stormCtrlType
            |     +--rw rateType?   stormCtrlRateType
            |     +--rw minRate     uint32
            |     +--rw maxRate     uint64
            +--rw ifstormContrlInfos
               +--ro ifstormContrlInfo* [packetType]
                  +--ro packetType       stormCtrlType
                  +--ro punishStatus?    stormCtrlActionType
                  +--ro lastPunishTime?  string

4.2. ARP

ARP security is a set of functions that protect the ARP protocol and networks against malicious attacks, so that network communication stays stable and important user information is protected. It mainly includes:

ARP anti-spoofing functions: protect devices against spoofed ARP attack packets, improving the security and reliability of network communication.

ARP anti-flooding functions: relieve CPU load and prevent ARP table overflow, ensuring normal network operation.

module: ietf-arp-sec
   +--ro arp-sec
      +--ro arpInterfaces
      |  +--rw arpInterface* [ifName]
      |     +--rw ifName            -> /ifm:ifm/interfaces/interface/ifName
      |     +--rw arpLearnDisable?  boolean         //arp-learning-control
      |     +--rw arpLearnStrict?   arpStrictLearn  //arp-learning-control
      |     +--rw fakeExpireTime?   uint32          //arp-fake-expire-time?
      |     +--rw dstMacCheck?      boolean         //validate
      |     +--rw srcMacCheck?      boolean         //validate
      +--rw secArpGrats
      |  +--rw secArpGrat* [ifName]
      |     +--rw ifName  -> /ifm:ifm/interfaces/interface/ifName
      +--rw secArpChkIpEns
      |  +--rw secArpChkIpEn* [ifName]
      |     +--rw ifName  -> /ifm:ifm/interfaces/interface/ifName
      +--rw secArpMacIlls
      |  +--rw secArpMacIll* [ifName]
      |     +--rw ifName  -> /ifm:ifm/interfaces/interface/ifName
      +--rw secArpReqNoBlks
      |  +--rw secArpReqNoBlk* [ifName]
      |     +--rw ifName  -> /ifm:ifm/interfaces/interface/ifName
      +--ro secDisArpChks
      |  +--ro secDisArpChk* [secSlotId secChkType]
      |     +--ro secSlotId       -> /devm:devm/lpuBoards/lpuBoard/position
      |     +--ro secChkType      cpudefendArpAttackType
      |     +--ro secTotalPkts?   uint64
      |     +--ro secPassedPkts?  uint64
      |     +--ro secDropedPkts?  uint64
      +--ro arpIfLimits                             //arp-table-limit
      |  +--rw arpIfLimit* [ifName vlanId]
      |     +--rw ifName       -> /ifm:ifm/interfaces/interface/ifName
      |     +--rw vlanId       uint16
      |     +--rw limitNum     uint32
      |     +--ro learnedNum?  uint32
      +--ro arpSpeedLimits                          // arp-speed-limit
      |  +--rw arpSpeedLimit* [slotId suppressType ipType]
      |     +--rw slotId         string
      |     +--rw suppressType   enumeration
      |     +--rw ipType         enumeration
      |     +--rw suppressValue  uint32
      +--ro arpGlobalSpeedLimits                    // arp-speed-limit
         +--rw arpGSpeedLimit* [gSuppressType gIpType]
            +--rw gSuppressType   arpSuppType
            +--rw gIpType         arpSuppIpType
            +--rw gPortType?      enumeration
            +--rw gSuppressValue  uint32

4.3. URPF

Unicast Reverse Path Forwarding (URPF) is a technology used to defend against network attacks based on source address spoofing. Generally, upon receiving a packet, a router first obtains the destination IP address of the packet and then searches the forwarding table for a route to the destination address. If the router finds such a route, it forwards the packet; otherwise, it discards the packet.
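As an added example (not code from the draft), the following Python models the URPF source-address check for the modes this section defines: loose mode only requires a route to the source, strict mode also requires that route to point back out the ingress interface, and allow-default decides whether a match on the default route counts. The FIB, interface names and addresses are constructed.

```python
import ipaddress


def lookup(fib, address):
    """Longest-prefix match: return every FIB entry for the most specific
    prefix containing the address (more than one entry means ECMP), or []."""
    addr = ipaddress.ip_address(address)
    matches = [(ipaddress.ip_network(prefix), ifname) for prefix, ifname in fib]
    matches = [(net, ifname) for net, ifname in matches if addr in net]
    if not matches:
        return []
    best = max(net.prefixlen for net, _ in matches)
    return [(net, ifname) for net, ifname in matches if net.prefixlen == best]


def urpf_check(fib, in_if, src_ip, mode="strict", allow_default=False):
    """Reverse-path check for a packet with source src_ip received on in_if.
    Returns (accept, reason). The destination lookup of normal forwarding is
    not modelled, only the source-address check that URPF adds."""
    routes = lookup(fib, src_ip)
    if not routes:
        return False, "no route to source"
    # A match on the default route only counts if allow-default is set.
    if all(net.prefixlen == 0 for net, _ in routes) and not allow_default:
        return False, "only the default route matches"
    if mode == "loose":
        return True, "route to source exists"
    # Strict mode: the reverse path must point back out the ingress interface;
    # with ECMP any of the equal-cost routes may satisfy this.
    if any(ifname == in_if for _, ifname in routes):
        return True, "route to source via ingress interface"
    return False, "route to source via another interface"


# Constructed FIB: two customer prefixes, one ECMP prefix and a default route.
FIB = [
    ("192.0.2.0/24", "GE0/0/1"),
    ("198.51.100.0/24", "GE0/0/2"),
    ("203.0.113.0/24", "GE0/0/1"),
    ("203.0.113.0/24", "GE0/0/2"),   # second equal-cost path
    ("0.0.0.0/0", "GE0/0/3"),        # default route towards the ISP
]


def demo():
    """Verdicts for a set of constructed packets, one per interesting case."""
    cases = [
        ("GE0/0/1", "192.0.2.10", "strict", False),   # customer source on its own link
        ("GE0/0/2", "192.0.2.10", "strict", False),   # spoofed: arrives on the wrong link
        ("GE0/0/2", "192.0.2.10", "loose", False),    # loose mode does not check the link
        ("GE0/0/2", "203.0.113.7", "strict", False),  # ECMP: second path matches
        ("GE0/0/3", "100.64.0.1", "strict", False),   # only the default route: dropped
        ("GE0/0/3", "100.64.0.1", "strict", True),    # allow-default on the ISP-facing link
        ("GE0/0/1", "100.64.0.1", "strict", True),    # default route, but wrong link
    ]
    return [urpf_check(FIB, *case)[0] for case in cases]


if __name__ == "__main__":
    print(demo())
```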
A URPF-enabled router, however, also obtains the source IP address of a received packet and searches for a route to the source address. If the router fails to find the route, it considers the source address to be forged and discards the packet. In this manner, URPF can effectively protect against malicious attacks that are launched by changing the source addresses of packets.

URPF can be performed in strict or loose mode. Strict mode checks both the existence of the source address in the route table and the interface consistency, while loose mode only checks whether the source address is in the route table. In some cases, the router may have only one default route, to the router of the ISP. Therefore, matching the default route entry needs to be supported.

URPF can be performed on an interface, on a defined flow, and on traffic sent to the local CPU.

module: ietf-urpf-sec
   +--rw urpf-security
      +--rw interface-urpf* [ifname]
      |  +--rw ifname          if:interface-ref
      |  +--rw mode?           enumeration
      |  +--rw allow-default?  boolean
      +--rw qosClassifiers
      |  +--rw qosClassifier* [classifierName operator]
      |     +--rw classifierName  qosPolicyName
      |     +--rw description?    string
      |     +--rw operator        qosClassOperator
      |     +--rw qosRuleAnys
      |     |  +--rw qosRuleAny* [protoFamily]
      |     |     +--rw protoFamily  qosIPFamily
      |     +--rw qosRuleMacs
      |     |  +--rw qosRuleMac* [macType macAddr]
      |     |     +--rw macType  qosMacType
      |     |     +--rw macAddr  pub-type:macAddress
      |     +--rw qosRuleProto6s
      |     |  +--rw qosRuleProto6* [protoFamily protocol]
      |     |     +--rw protoFamily  qosIPv6Family
      |     |     +--rw protocol     uint8
      |     +--rw qosRuleIPv6Addrs
      |     |  +--rw qosRuleIPv6Addr* [addressType ipAddress6 prefixLen]
      |     |     +--rw addressType  qosAddressType
      |     |     +--rw ipAddress6   pub-type:ipv6Address
      |     |     +--rw prefixLen    uint8
      |     +--rw qosRuleTcpFlags
      |     |  +--rw qosRuleTcpFlag* [tcpFlag]
      |     |     +--rw tcpFlag  uint8
      |     +--rw qosRuleAcls
      |     |  +--rw qosRuleAcl* [aclFamily aclName]
      |     |     +--rw aclFamily  qosIPFamily
      |     |     +--rw aclName    string
      |     +--rw qosRulePrioritys
      |        +--rw qosRulePriority* [priorityType priorityValue]
      |           +--rw priorityType   qosPriorityType
      |           +--rw priorityValue  uint8
      +--rw qosBehaviors
      |  +--rw qosBehavior* [behaviorName]
      |     +--rw behaviorName  qosPolicyName
      |     +--rw description?  string
      |     +--rw qosActFilters
      |     |  +--rw qosActFilter*
      |     |     +--rw actionType  qosActionFilter
      |     |     +--rw filter      qosFilterFlag
      |     +--rw qosActPortMirrors
      |     |  +--rw qosActPortMirror* [actionType]
      |     |     +--rw actionType  qosActionPortMirror
      |     |     +--rw enable      qosPortMirror
      |     +--rw qosActCars
      |     |  +--rw qosActCar* [actionType]
      |     |     +--rw actionType           qosActionCar
      |     |     +--rw cir                  uint32
      |     |     +--rw pir?                 uint32
      |     |     +--rw cbs?                 uint32
      |     |     +--rw pbs?                 uint32
      |     |     +--rw greenAction?         qosCarRedActionType
      |     |     +--rw greenServiceClass?   qosServiceClass
      |     |     +--rw greenColor?          qosColor
      |     |     +--rw yellowAction?        qosCarRedActionType
      |     |     +--rw yellowServiceClass?  qosServiceClass
      |     |     +--rw yellowColor?         qosColor
      |     |     +--rw redAction?           qosCarRedActionType
      |     |     +--rw redServiceClass?     qosServiceClass
      |     |     +--rw redColor?            qosColor
      |     +--rw qosActRemarks
      |     |  +--rw qosActRemark* [actionType]
      |     |     +--rw actionType   qosActionRemark
      |     |     +--rw remarkValue  uint8
      |     +--rw qosActSrvClss
      |     |  +--rw qosActSrvCls* [actionType]
      |     |     +--rw actionType    qosActionServiceClass
      |     |     +--rw serviceClass  qosServiceClass
      |     |     +--rw color         qosColor
      |     +--rw qosActUrpfs
      |     |  +--rw qosActUrpf* [actionType]
      |     |     +--rw actionType     qosActionUrpf
      |     |     +--rw checkType      qosUrpfCheckType
      |     |     +--rw allowDefault?  qosSwitchFlag
      |     +--rw qosActLoads
      |     |  +--rw qosActLoad* [actionType]
      |     |     +--rw actionType   qosActionLoadBalance
      |     |     +--rw balanceType  qosLoadBalanceType
      |     +--rw qosActNsSamplers
      |     |  +--rw qosActNsSampler* [flowType]
      |     |     +--rw flowType     qosNsFlowType
      |     |     +--rw sampleType   qosSampleType
      |     |     +--rw sampleValue  uint16
      |     +--rw qosActRdrNhps
      |     |  +--rw qosActRdrNhp* [rdrType]
      |     |     +--rw rdrType  qosRdrType
      |     |     +--rw nextHop  pub-type:ipv4Address
      |     |     +--rw ifName   pub-type:ifName
      |     +--rw qosActRdrMhps
      |     |  +--rw qosActRdrMhp* [rdrType]
      |     |     +--rw rdrType       qosRdrType
      |     |     +--rw loadBalance?  boolean
      |     |     +--rw qosRdrNhps
      |     |        +--rw qosRdrNhp* [nextHop]
      |     |           +--rw nextHop  pub-type:ipv4Address
      |     |           +--rw ifName   pub-type:ifName
      |     +--rw qosActRdrNhp6s
      |     |  +--rw qosActRdrNhp6* [rdrType]
      |     |     +--rw rdrType  qosRdrType
      |     |     +--rw nextHop  pub-type:ipv6Address
      |     |     +--rw ifName   pub-type:ifName
      |     +--rw qosActRdrMhp6s
      |     |  +--rw qosActRdrMhp6* [rdrType]
      |     |     +--rw rdrType       qosRdrType
      |     |     +--rw loadBalance?  boolean
      |     |     +--rw qosRdrNhp6s
      |     |        +--rw qosRdrNhp6* [nextHop]
      |     |           +--rw nextHop  pub-type:ipv6Address
      |     |           +--rw ifName   pub-type:ifName
      |     +--rw qosActRdrVpns
      |     |  +--rw qosActRdrVpn* [actionType]
      |     |     +--rw actionType    qosActionRedirectVpnGroup
      |     |     +--rw vpnGroupName  qosPolicyName
      |     +--rw qosActRdrLsps
      |        +--rw qosActRdrLsp* [actionType]
      |           +--rw actionType  qosActionRedirectLsp
      |           +--rw configType  qosLspRdrType
      |           +--rw destAddr    pub-type:ipv4Address
      |           +--rw nextHop     pub-type:ipv4Address
      |           +--rw ifName      pub-type:ifName
      |           +--rw secondary   qosEnableFlag
      +--rw qosPolicys
      |  +--rw qosPolicy* [policyName]
      |     +--rw policyName    qosPolicyName
      |     +--ro policyID?     uint32
      |     +--rw description?  string
      |     +--rw step?         uint16
      |     +--rw shareMode?    qosSwitchFlag
      |     +--rw statFlag?     qosSwitchFlag
      |     +--rw v6QosLocalIDEns
      |     |  +--rw v6QosLocalIDEn* [v6QosLocalIDEn]
      |     |     +--rw v6QosLocalIDEn  boolean
      |     +--rw qosPolicyNodes
      |     |  +--rw qosPolicyNode* [classifierName]
      |     |     +--rw classifierName  string
      |     |     +--rw behaviorName    string
      |     |     +--rw priority?       uint16
      |     +--rw qosPolicyNodeNewModes
      |        +--rw qosPolicyNodeNewMode* [classifierName streamDirection groupType groupName]
      |           +--rw classifierName   string
      |           +--rw streamDirection  streamDirectionType
      |           +--rw groupType        groupType
      |           +--rw groupName        string
      |           +--rw behaviorName     string
      |           +--rw precedence?      uint16
      +--rw local-URPF
         +--rw cpu-defend-policy* [name]
            +--rw name           string
            +--rw description?   string
            +--rw urpf-mode      enumeration
            +--rw allow-default  boolean
            +--rw slot-id        uint16

4.4. DHCP Snooping

DHCP, which is widely used on networks, dynamically assigns IP addresses to clients and manages configuration information in a centralized manner.
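As an added example (not code from the draft), the following Python models the DHCP snooping checks that the rest of this section describes: server messages are accepted only from trusted interfaces, the client MAC check, RELEASE validated against the binding table, and a per-interface user limit. Counter and leaf names follow the ietf-dhcp-sec tree of this section; the packets, interface names and the reading of checkMacEnable as "frame source MAC must equal chaddr" are constructed assumptions.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class SnoopedPacket:
    """Constructed DHCP packet as seen by the snooping device."""
    if_name: str
    vlan: int
    src_mac: str        # Ethernet source address of the frame
    msg_type: str       # DISCOVER, REQUEST, RELEASE, OFFER, ACK or NAK
    chaddr: str         # client hardware address in the DHCP header
    yiaddr: str = ""    # address the server assigns (ACK)
    ciaddr: str = ""    # address the client gives up (RELEASE)
    lease: int = 0      # lease time in seconds (ACK)


@dataclass
class SnoopInterface:
    trusted: bool = False    # dhcpSnpIfTrustEnable
    max_users: int = 2       # dhcpSnpIntfMaxUserNum
    stats: dict = field(default_factory=lambda: {
        "pktCntDropByUntrustReply": 0, "pktCntDropByMac": 0, "pktCntDropByUserBind": 0})


class DhcpSnooper:
    """Intercepts DHCP packets, maintains the binding table and drops packets
    that fail the checks (checkMacEnable and checkUserBindEnable assumed on).
    The MAC check is read here as 'frame source MAC must equal chaddr'."""

    def __init__(self, interfaces):
        self.interfaces = interfaces   # if_name -> SnoopInterface
        self.bindings = {}             # (ip, vlan) -> (mac, if_name, lease)
        self.pending = {}              # chaddr -> (if_name, vlan) of an open request
        self.alarms = []

    def users_on(self, if_name):
        return sum(1 for _, ifn, _ in self.bindings.values() if ifn == if_name)

    def handle(self, pkt):
        """Return 'forward' or 'drop' for one packet, updating state and counters."""
        intf = self.interfaces[pkt.if_name]
        if pkt.msg_type in SERVER_MSGS:
            if not intf.trusted:                   # bogus DHCP server defence
                intf.stats["pktCntDropByUntrustReply"] += 1
                return "drop"
            if pkt.msg_type == "ACK" and pkt.chaddr in self.pending:
                cl_if, cl_vlan = self.pending.pop(pkt.chaddr)
                if self.users_on(cl_if) >= self.interfaces[cl_if].max_users:
                    self.alarms.append(f"{cl_if}: user limit reached")   # alarmUserLimitEnable
                    return "drop"
                self.bindings[(pkt.yiaddr, cl_vlan)] = (pkt.chaddr, cl_if, pkt.lease)
            return "forward"
        if pkt.src_mac != pkt.chaddr:              # client message with forged chaddr
            intf.stats["pktCntDropByMac"] += 1
            return "drop"
        if pkt.msg_type == "RELEASE":
            # RELEASE must match an existing binding (ip, vlan, mac, interface);
            # otherwise a host could tear down another host's lease.
            key = (pkt.ciaddr, pkt.vlan)
            entry = self.bindings.get(key)
            if entry is None or entry[:2] != (pkt.chaddr, pkt.if_name):
                intf.stats["pktCntDropByUserBind"] += 1
                return "drop"
            del self.bindings[key]
            return "forward"
        self.pending[pkt.chaddr] = (pkt.if_name, pkt.vlan)   # DISCOVER / REQUEST
        return "forward"


def demo():
    """Constructed scenario: trusted uplink GE0/0/24, untrusted client ports
    GE0/0/1 (at most 2 users) and GE0/0/2; the DHCP server's MAC ends in :ff."""
    snoop = DhcpSnooper({"GE0/0/24": SnoopInterface(trusted=True),
                         "GE0/0/1": SnoopInterface(max_users=2),
                         "GE0/0/2": SnoopInterface()})
    a, b, c, srv = ("00:00:5e:00:53:0a", "00:00:5e:00:53:0b",
                    "00:00:5e:00:53:0c", "00:00:5e:00:53:ff")
    steps = [
        SnoopedPacket("GE0/0/2", 10, b, "OFFER", a, yiaddr="192.0.2.9"),     # rogue server
        SnoopedPacket("GE0/0/1", 10, a, "REQUEST", a),
        SnoopedPacket("GE0/0/24", 10, srv, "ACK", a, yiaddr="192.0.2.10", lease=3600),
        SnoopedPacket("GE0/0/1", 10, b, "REQUEST", b),
        SnoopedPacket("GE0/0/24", 10, srv, "ACK", b, yiaddr="192.0.2.11", lease=3600),
        SnoopedPacket("GE0/0/1", 10, c, "REQUEST", c),
        SnoopedPacket("GE0/0/24", 10, srv, "ACK", c, yiaddr="192.0.2.12", lease=3600),  # 3rd user
        SnoopedPacket("GE0/0/2", 10, c, "RELEASE", a, ciaddr="192.0.2.10"),  # MAC mismatch
        SnoopedPacket("GE0/0/2", 10, a, "RELEASE", a, ciaddr="192.0.2.10"),  # wrong port
        SnoopedPacket("GE0/0/1", 10, a, "RELEASE", a, ciaddr="192.0.2.10"),  # legitimate
    ]
    return [snoop.handle(p) for p in steps], snoop


if __name__ == "__main__":
    verdicts, state = demo()
    print(verdicts, state.bindings, state.alarms)
```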
During DHCP packet forwarding, some attacks may occur, such as bogus DHCP server attacks, DHCP exhaustion attacks, denial of service (DoS) attacks, and DHCP flooding attacks.

DHCP snooping is a DHCP security feature that functions in a similar way to a firewall between DHCP clients and servers. A DHCP-snooping-capable device intercepts DHCP packets and uses the information carried in the packets to create a DHCP snooping binding table. This table records hosts' MAC addresses, IP addresses, IP address lease time, VLAN, and interface information. The device uses this table to check the validity of received DHCP packets. If a DHCP packet does not match any entry in this table, the device discards the packet.

Besides the binding table, DHCP snooping has other security features such as trusted interfaces, a maximum DHCP user limit and a whitelist, to defend against bogus DHCP servers, DHCP flooding and other fine-grained DHCP attacks.

module: ietf-dhcp-sec
   +--rw dhcp
      +--rw snooping
         +--rw dhcpSnpGlobal
         |  +--rw dhcpSnpEnable?                  boolean
         |  +--rw serverDetectEnable?             boolean
         |  +--rw dhcpSnpUserBindAutoSaveEnable?  boolean
         |  +--rw dhcpSnpUserBindFileName?        string
         |  +--rw globalCheckRateEnable?          boolean
         |  +--rw dhcpSnpGlobalRate?              uint16
         |  +--rw checkRateAlarmEnable?           boolean
         |  +--rw rateThreshold?                  uint16
         |  +--rw alarmThreshold?                 uint16
         |  +--ro rateLimitPacketCount?           uint32
         |  +--rw dhcpSnpUserOfflineRemoveMac?    boolean
         |  +--rw dhcpSnpArpDetectEnable?         boolean
         |  +--rw dhcpSnpGlobalMaxUser?           uint16
         |  +--rw dhcpSnpUserTransferEnable?      boolean
         +--rw dhcpSnpVlans
         |  +--rw dhcpSnpVlan* [vlanId]
         |     +--rw vlanId                   uint16
         |     +--rw dhcpSnpEnable            boolean
         |     +--rw checkRateEnable          boolean
         |     +--rw dhcpSnpVlanRate          uint32
         |     +--rw dhcpSnpVlanTrustEnable   boolean
         |     +--rw checkArpEnable           boolean
         |     +--rw alarmArpEnable           boolean
         |     +--rw alarmArpThreshold        uint16
         |     +--rw checkIpEnable            boolean
         |     +--rw alarmIpEnable            boolean
         |     +--rw alarmIpThreshold         uint16
         |     +--rw alarmReplyEnable         boolean
         |     +--rw alarmReplyThreshold      uint16
         |     +--rw checkMacEnable           boolean
         |     +--rw alarmMacEnable           boolean
         |     +--rw alarmMacThreshold        uint16
         |     +--rw checkUserBindEnable      boolean
         |     +--rw alarmUserBindEnable      boolean
         |     +--rw alarmUserBindThreshold   uint16
         |     +--rw dhcpSnpVlanMaxUserNum    uint16
         |     +--rw alarmUserLimitEnable     boolean
         |     +--rw alarmUserLimitThreshold  uint16
         |     +--rw dhcpSnpVlanStatistics
         |        +--ro dropArpPktCnt?             uint32
         |        +--ro dropIpPktCnt?              uint32
         |        +--ro dropDhcpReqCntByBindTbl?   uint32
         |        +--ro dropDhcpReqCntByMacCheck?  uint32
         |        +--ro dropDhcpReplyCnt?          uint32
         +--rw vlanTrustInterfaces
         |  +--rw vlanTrustInterface* [vlanId ifName]
         |     +--rw vlanId  uint16
         |     +--rw ifName  pub-type:ifName
         +--rw dhcpSnpInterfaces
         |  +--rw dhcpSnpInterface* [ifName]
         |     +--rw ifName                        pub-type:ifName
         |     +--rw dhcpSnpEnable                 boolean
         |     +--rw dhcpSnpIfDisable              boolean
         |     +--rw dhcpSnpIfTrustEnable          boolean
         |     +--rw dhcpSnpIfRate                 uint16
         |     +--rw checkRateEnable               boolean
         |     +--rw alarmRateEnable               boolean
         |     +--rw alarmRateThreshold            uint16
         |     +--rw checkArpEnable                boolean
         |     +--rw alarmArpEnable                boolean
         |     +--rw alarmArpThreshold             uint16
         |     +--rw checkIpEnable                 boolean
         |     +--rw alarmIpEnable                 boolean
         |     +--rw alarmIpThreshold              uint16
         |     +--rw alarmReplyEnable              boolean
         |     +--rw alarmReplyThreshold           uint16
         |     +--rw checkMacEnable                boolean
         |     +--rw alarmMacEnable                boolean
         |     +--rw alarmMacThreshold             uint16
         |     +--rw checkUserBindEnable           boolean
         |     +--rw alarmUserBindEnable           boolean
         |     +--rw alarmUserBindThreshold        uint16
         |     +--rw dhcpSnpIntfMaxUserNum         uint32
         |     +--rw alarmUserLimitEnable          boolean
         |     +--rw alarmUserLimitThreshold       uint16
         |     +--rw dhcpSnpInterfStickyMacEnable  boolean
         |     +--rw dhcpSnpIfStatistics
         |        +--ro dropArpPktCnt?             uint32
         |        +--ro dropIpPktCnt?              uint32
         |        +--ro pktCntDropByUserBind?      uint32
         |        +--ro pktCntDropByMac?           uint32
         |        +--ro pktCntDropByUntrustReply?  uint32
         |        +--ro pktCntDropByRate?          uint32
         +--rw dhcpSnpDynBindTbls
         |  +--ro dhcpSnpDynBindTbl* [ipAddress outerVlan innerVlan vsiName vpnName bridgeDomain]
         |     +--ro ipAddress     pub-type:ipv4Address
         |     +--ro outerVlan     uint16
         |     +--ro innerVlan     uint16
         |     +--ro vsiName       string
         |     +--ro vpnName       string
         |     +--ro bridgeDomain  uint32
         |     +--ro macAddress?   pub-type:macAddress
         |     +--ro ifName?       pub-type:ifName
         |     +--ro lease?
yang:date-and-time 791 +--rw dhcpSnpVlanIfs 792 | +--rw dhcpSnpVlanIf* [vlanId ifName] 793 | +--rw vlanId uint16 794 | +--rw ifName pub-type:ifName 795 | +--rw dhcpSnpEnable boolean 796 | +--rw trustFlag boolean 797 | +--rw checkArpEnable boolean 798 | +--rw alarmArpEnable boolean 799 | +--rw alarmArpThreshold uint32 800 | +--rw checkIpEnable boolean 801 | +--rw alarmIpEnable boolean 802 | +--rw alarmIpThreshold uint32 803 | +--rw alarmReplyEnable boolean 804 | +--rw alarmReplyThreshold uint32 805 | +--rw checkChaddrEnable boolean 806 | +--rw alarmChaddrEnable boolean 807 | +--rw alarmChaddrThreshold uint32 808 | +--rw checkReqEnable boolean 809 | +--rw alarmReqEnable boolean 810 | +--rw alarmReqThreshold uint32 811 | +--rw dhcpSnpVlanIfMaxUserNum uint32 812 | +--rw alarmUserLimitEnable boolean 813 | +--rw alarmUserLimitThreshold uint32 814 | +--rw dhcpSnpVlanIfStatistics 815 | +--ro dropArpPktCnt? uint32 816 | +--ro dropIpPktCnt? uint32 817 | +--ro dropDhcpReqCntByBindTbl? uint32 818 | +--ro dropDhcpReqCntByMacCheck? uint32 819 | +--ro dropDhcpReplyCnt? uint32 820 +--rw ifStaticBindTbls 821 | +--rw ifStaticBindTbl* [ifName ipAddress vlanId ceVlanId] 822 | +--rw ifName pub-type:ifName 823 | +--rw ipAddress pub-type:ipAddress 824 | +--rw vlanId uint16 825 | +--rw ceVlanId uint16 826 | +--rw macAddress? pub-type:macAddress 827 +--rw vlanStaticBindTbls 828 | +--rw vlanStaticBindTbl* [vlanId ipAddress ceVlanId] 829 | +--rw vlanId uint16 830 | +--rw ipAddress pub-type:ipAddress 831 | +--rw ceVlanId uint16 832 | +--rw macAddress? pub-type:macAddress 833 | +--rw ifName? pub-type:ifName 834 +--rw dhcpSnpBds 835 | +--rw dhcpSnpBd* [bdId] 836 | +--rw bdId uint32 837 | +--rw dhcpSnpEnable? boolean 838 | +--rw dhcpSnpTrust? boolean 839 | +--rw checkArpEnable? boolean 840 | +--rw alarmArpEnable? boolean 841 | +--rw alarmArpThreshold? uint32 842 | +--rw checkIpEnable? boolean 843 | +--rw alarmIpEnable? boolean 844 | +--rw alarmIpThreshold? uint32 845 | +--rw alarmReplyEnable? 
boolean 846 | +--rw alarmReplyThreshold? uint32 847 | +--rw checkMacEnable? boolean 848 | +--rw alarmMacEnable? boolean 849 | +--rw alarmMacThreshold? uint32 850 | +--rw checkRequestEnable? boolean 851 | +--rw alarmRequestEnable? boolean 852 | +--rw alarmRequestThreshold? uint32 853 | +--rw maxUserNum? uint32 854 | +--rw alarmUserLimitEnable? boolean 855 | +--rw alarmUserLimitThreshold? uint32 856 | +--rw statistics 857 | +--ro dropArpPktCnt? uint32 858 | +--ro dropIpPktCnt? uint32 859 | +--ro dropDhcpReqCntByBindTbl? uint32 860 | +--ro dropDhcpReqCntByMacCheck? uint32 861 | +--ro dropDhcpReplyCnt? uint32 862 +--rw BdStaticBindTbls 863 | +--rw globalBdStaticBindTbl* [bdId ipAddress peVlan ceVlan] 864 | +--rw bdId uint32 865 | +--rw ipAddress pub-type:ipv4Address 866 | +--rw macAddress? pub-type:macAddress 867 | +--rw peVlan uint16 868 | +--rw ceVlan uint16 869 +--rw dhcpSnpWhiteLists 870 +--rw dhcpSnpWhiteList* [whtLstName] 871 +--rw whtLstName string 872 +--rw applyFlag boolean 873 +--rw dhcpSnpWhiteRules 874 +--rw dhcpSnpWhiteRule* [ruleId] 875 +--rw ruleId uint16 876 +--rw srcIP? inet:ipv4-address-no-zone 877 +--rw srcMask? inet:ipv4-address-no-zone 878 +--rw dstIP? inet:ipv4-address-no-zone 879 +--rw dstMask? inet:ipv4-address-no-zone 880 +--rw srcPort? dhcpSnpPort 881 +--rw dstPort? dhcpSnpPort 883 4.5. Control Plane Protection 885 When a large number of protocols runs on the router, a lot of packets 886 need be sent to the control plane for processing. In such a case, 887 the router control plane is prone to be attacked. To protect it, 888 protocol packet control is needed. This function allows only 889 specified protocol packets to be sent to control plane, and reduces 890 malicious packet attacks on the control plane to ensure that devices 891 work properly. 893 module: ietf-hostdefend-sec 894 +--rw hostdefend 895 +--rw secma global 896 | +--rw secMAEnable? boolean 897 | +--rw secMABgp? hostdefendMAAction 898 | +--rw secMAFtp? 
hostdefendMAAction 899 | +--rw secMALdp? hostdefendMAAction 900 | +--rw secMAOspf? hostdefendMAAction 901 | +--rw secMARip? hostdefendMAAction 902 | +--rw secMARsvp? hostdefendMAAction 903 | +--rw secMASnmp? hostdefendMAAction 904 | +--rw secMASsh? hostdefendMAAction 905 | +--rw secMATlnt? hostdefendMAAction 906 | +--rw secMATftp? hostdefendMAAction 907 | +--rw secMAIsis? hostdefendMAAction 908 | +--rw secMAPimSm? hostdefendMAAction 909 | +--rw secMABgp4Plus? hostdefendMAAction 910 | +--rw secMAIPv6Ftp? hostdefendMAAction 911 | +--rw secMAOspfv3? hostdefendMAAction 912 | +--rw secMAIPv6PimSm? hostdefendMAAction 913 | +--rw secMAIPv6Ssh? hostdefendMAAction 914 | +--rw secMAIPv6Telnet? hostdefendMAAction 915 +--rw secmaslots 916 | +--rw secmaslot* [secMASlotPlcyID] 917 | +--rw secMASlotPlcyID uint32 918 | +--rw secMABgp? hostdefendMAAction 919 | +--rw secMAFtp? hostdefendMAAction 920 | +--rw secMALdp? hostdefendMAAction 921 | +--rw secMAOspf? hostdefendMAAction 922 | +--rw secMARip? hostdefendMAAction 923 | +--rw secMARsvp? hostdefendMAAction 924 | +--rw secMASnmp? hostdefendMAAction 925 | +--rw secMASsh? hostdefendMAAction 926 | +--rw secMATelnet? hostdefendMAAction 927 | +--rw secMATftp? hostdefendMAAction 928 | +--rw secMAIsis? hostdefendMAAction 929 | +--rw secMAPimSm? hostdefendMAAction 930 | +--rw secMABgp4Plus? hostdefendMAAction 931 | +--rw secMAIPv6Ftp? hostdefendMAAction 932 | +--rw secMAOspfv3? hostdefendMAAction 933 | +--rw secMAIPv6PimSm? hostdefendMAAction 934 | +--rw secMAIPv6Ssh? hostdefendMAAction 935 | +--rw secMAIPv6Telnet? hostdefendMAAction 936 +--rw secmaslotcfgs 937 | +--rw secmaslotcfg* [secMASlotIdStr] 938 | +--rw secMASlotIdStr hostdefendMaSlotId 939 | +--rw secMASlotPlcyID uint32 940 +--rw secmaintfs 941 | +--rw secmaintf* [secMAIntfPlcyID] 942 | +--rw secMAIntfPlcyID uint32 943 | +--rw secMABgp? hostdefendMAAction 944 | +--rw secMAFtp? hostdefendMAAction 945 | +--rw secMALdp? hostdefendMAAction 946 | +--rw secMAOspf? 
hostdefendMAAction 947 | +--rw secMARip? hostdefendMAAction 948 | +--rw secMARsvp? hostdefendMAAction 949 | +--rw secMASnmp? hostdefendMAAction 950 | +--rw secMASsh? hostdefendMAAction 951 | +--rw secMATelnet? hostdefendMAAction 952 | +--rw secMATftp? hostdefendMAAction 953 | +--rw secMAIsis? hostdefendMAAction 954 | +--rw secMAPimSm? hostdefendMAAction 955 | +--rw secMABgp4Plus? hostdefendMAAction 956 | +--rw secMAIPv6Ftp? hostdefendMAAction 957 | +--rw secMAOspfv3? hostdefendMAAction 958 | +--rw secMAIPv6PimSm? hostdefendMAAction 959 | +--rw secMAIPv6Ssh? hostdefendMAAction 960 | +--rw secMAIPv6Telnet? hostdefendMAAction 961 +--rw secmaintfcfgs 962 | +--rw secmaintfcfg* [ifName] 963 | +--rw ifName pub-type:ifName 964 | +--rw secMAIntfPlcyID uint32 965 +--rw secFragCarStats 966 | +--ro secFragCarStat* [secSlotId] 967 | +--ro secSlotId string 968 | +--ro secTotalPktNum? uint64 969 | +--ro secDropPktNum? uint64 970 | +--ro secPassPktNum? uint64 971 +--rw secMaDefendStats 972 | +--ro secMaDefendStat* [slotId protocolType] 973 | +--ro slotId string 974 | +--ro protocolType hostdefendMaDefendPROTOCOL 975 | +--ro totalPktNum? uint64 976 | +--ro passPktNum? uint64 977 | +--ro dropPktNum? uint64 978 +--rw secHostCaptPkts 979 | +--rw secHostCaptPkt* [captureIndex] 980 | +--rw captureIndex uint8 981 | +--rw hostCaptPro uint32 982 | +--rw hostCaptType hostdefendCaptPhyType 983 | +--rw ifName? pub-type:ifName 984 | +--rw captLinkType? hostdefendCaptLinkType 985 | +--rw peVlan? uint32 986 | +--rw peEnd? uint32 987 | +--rw ceVlan? uint32 988 | +--rw ceEnd? uint32 989 | +--rw captPktNum? uint32 990 | +--rw captTimeOut? uint32 991 | +--rw captPktLenType? hostdefendPktLenType 992 | +--rw captPktLen? uint32 993 | +--rw captAclType? hostdefendAclType 994 | +--rw captAcl? hostdefendCaptAcl 995 | +--rw captIpv6Acl? hostdefendCaptIpv6Acl 996 | +--rw terminal? hostdefendDestType 997 | +--rw fileName? string 998 | +--rw fileSize? 
uint32 999 +--rw secMaDefendIfStats 1000 | +--ro secMaDefendIfStat* [protocolType] 1001 | +--ro ifName? pub-type:ifName 1002 | +--ro protocolType hostdefendMaDefendPROTOCOL 1003 | +--ro totalPktNum? uint64 1004 | +--ro passPktNum? uint64 1005 | +--ro dropPktNum? uint64 1006 +--rw secIsolates 1007 | +--rw secIsolate* [secStatus] 1008 | +--rw secStatus hostdefendIsolateStatus 1009 +--rw serviceSecurityV4s 1010 | +--rw serviceSecurityV4* [policyName] 1011 | +--rw policyName mpacPolicyName 1012 | +--rw step? uint32 1013 | +--rw description? string 1014 | +--rw ruleIPv4s 1015 | +--rw ruleIPv4* [ruleName] 1016 | +--rw ruleName string 1017 | +--rw ruleID? uint32 1018 | +--rw action mpacRuleAction 1019 | +--rw protocolType mpacProtocolType 1020 | +--rw protocolName? mpacProtoName 1021 | +--rw ipProtocolNum? uint8 1022 | +--rw sourceIP? pub-type:ipv4Address 1023 | +--rw sourceWild? pub-type:ipv4Address 1024 | +--rw destinationIP? pub-type:ipv4Address 1025 | +--rw destinationWild? pub-type:ipv4Address 1026 | +--rw sourcePort? uint16 1027 | +--rw destinationPort? uint16 1028 | +--rw match4Stats 1029 | +--ro match4Stat* 1030 | +--ro matchCount? uint64 1031 +--rw serviceSecurityV6s 1032 | +--rw serviceSecurityV6* [policyName] 1033 | +--rw policyName mpacPolicyName 1034 | +--rw step? uint32 1035 | +--rw description? string 1036 | +--rw ruleIPv6s 1037 | +--rw ruleIPv6* [ruleName] 1038 | +--rw ruleName string 1039 | +--rw ruleID? uint32 1040 | +--rw action mpacRuleAction 1041 | +--rw protocolType mpacProtocolType 1042 | +--rw protocolName? mpacProto6Name 1043 | +--rw ipProtocolNum? uint8 1044 | +--rw sourceIP? pub-type:ipv6Address 1045 | +--rw sourcePrefix? uint32 1046 | +--rw destinationIP? pub-type:ipv6Address 1047 | +--rw destinationPrefix? uint32 1048 | +--rw sourcePort? uint16 1049 | +--rw destinationPort? uint16 1050 | +--rw match6Stats 1051 | +--ro match6Stat* 1052 | +--ro matchCount? 
uint64 1053 +--rw serviceSecurityCfgGlobals 1054 | +--rw serviceSecurityCfgGlobal* [family] 1055 | +--rw family enumeration 1056 | +--rw policyNameV4? -> /hostdefend/serviceSecurityV4s/serviceSecurityV4/policyName 1057 | +--rw policyNameV6? -> /hostdefend/serviceSecurityV6s/serviceSecurityV6/policyName 1058 +--rw serviceSecurityCfgIfs 1059 | +--rw serviceSecurityCfgIf* [ifName family] 1060 | +--rw ifName pub-type:ifName 1061 | +--rw family mpacProtocolFamily 1062 | +--rw policyNameV4? -> /hostdefend/serviceSecurityV4s/serviceSecurityV4/policyName 1063 | +--rw policyNameV6? -> /hostdefend/serviceSecurityV6s/serviceSecurityV6/policyName 1064 +--rw secHostIfStats 1065 | +--ro secHostIfStat* [ifName] 1066 | +--ro ifName string 1067 | +--ro recvPacket? uint64 1068 | +--ro secIfProtocolStats 1069 | +--ro secIfProtocolStat* 1070 | +--ro layer? hostIfStatsProtocolLayType 1071 | +--ro protocol? hostIfStatsProtocolType 1072 | +--ro expectedPkts? uint32 1073 | +--ro unexpectedPkts? uint32 1074 +--rw secIfProtocolCfgs 1075 | +--rw secIfProtocolCfg* [ifName] 1076 | +--rw ifName string 1078 +--rw secCaptPktInstances 1079 +--ro secCaptPktInstance* 1080 +--ro secInstanceId? uint8 1081 +--ro inBoundInst? uint32 1082 +--ro outBoundInst? uint32 1083 +--ro totalInst? uint32 1084 +--ro hostInst? uint32 1085 +--ro protocolNum? uint32 1086 +--ro ifName? string 1087 +--ro captureStatus? hostdefendStatusType 1088 +--ro captTimeOut? uint32 1089 +--ro setPktNum? uint32 1090 +--ro setPktSize? uint32 1091 +--ro deletePktNum? uint32 1092 +--ro deletePktSize? uint32 1093 +--ro getPktNum? uint32 1094 +--ro getPktSize? uint32 1095 +--ro firPktTime? string 1096 +--ro lastPktTime? string 1097 +--ro acl? string 1098 +--ro remainTime? uint32 1099 +--ro pktDevName? string 1100 +--ro fileName? string 1101 +--ro linkType? hostdefendCaptLinkType 1102 +--ro hostCaptType? hostdefendCaptType 1104 4.6. 
Data Plane Protection 1106 In the data plane of router, before various protocol packets are sent 1107 to the control plane for further processing. Necessary control 1108 policies or functions(i.e., CAR, Alarm control, packet capture, etc) 1109 and a number of packet statistics are needed in data plane to protect 1110 the devices, as well as get more visibility of router status. 1112 module: ietf-cpudefend-sec 1113 +--rw cpudefend 1114 +--rw secpolicys 1115 | +--rw secpolicy* [secPolicyID] 1116 | +--rw secPolicyID uint32 1117 | +--rw secDescription? string 1118 | +--rw secpolicyattcfg 1119 | | +--rw secIsAttackSrc? boolean 1120 | | +--rw secAttSrcRate? cpudefendAttSampleRate 1121 | | +--rw secAttSrcAppLnk? boolean 1122 | | +--rw secAttSrcCpCar? boolean 1123 | | +--rw secAttSrcMa? boolean 1124 | | +--rw secAttSrcTcpip? boolean 1125 | +--rw secTMSQConfig 1126 | | +--rw secStatus? boolean 1127 | +--rw secpolicyproseq 1128 | | +--rw secProSeqWL? cpudefendProcessSeq 1129 | | +--rw secProSeqBL? cpudefendProcessSeq 1130 | | +--rw secProSeqUF? cpudefendProcessSeq 1131 | +--rw secpolicyapplnk 1132 | | +--rw secDftAction? cpudefendAppDefAction 1133 | +--rw secpolicyallpkt 1134 | | +--rw secRateValue? uint32 1135 | | +--rw secRateFlag? cpudefendTotalCar 1136 | +--rw secpolicycars 1137 | | +--rw secpolicycar* [secPolicyType secPolicyTypeID subProtoType subTcpIpType] 1138 | | +--rw secPolicyType cpudefendPolicyCarType 1139 | | +--rw secPolicyTypeID uint32 1140 | | +--rw subProtoType cpudefendCPCARProtocol 1141 | | +--rw subTcpIpType cpudefendTcpipCarType 1142 | | +--rw secPolicyCir? uint32 1143 | | +--rw secPolicyCbs? uint32 1144 | | +--rw secPolicyCbs4Sh? uint32 1145 | | +--rw secMinPktLen? 
uint32 1146 | +--rw secpolicyswitchs 1147 | | +--rw secpolicyswitch* [secPolicyType secPolicyTypeID subTcpIpType] 1148 | | +--rw secPolicyType cpudefendPolicySwitchType 1149 | | +--rw secPolicyTypeID cpudefendAclProtocolTypeID 1150 | | +--rw subTcpIpType cpudefendTcpipType 1151 | | +--rw secPolicyEnable? boolean 1152 | +--rw secpolicyalarms 1153 | | +--rw secpolicyalarm* [secPolicyType secPolicyTypeID] 1154 | | +--rw secPolicyType secPolicyAlarmType 1155 | | +--rw secPolicyTypeID uint32 1156 | | +--rw secAlarmFlag? boolean 1157 | | +--rw secAlarmThld? uint32 1158 | | +--rw secAlarmInt? uint32 1159 | | +--rw secAlarmSpd? uint32 1160 | | +--rw secAlarmResume? uint32 1161 | +--rw secpolicyprios 1162 | | +--rw secpolicyprio* [secPolicyType secPolicyTypeID subProtoType] 1163 | | +--rw secPolicyType cpudefendPolicyPrioType 1164 | | +--rw secPolicyTypeID uint32 1165 | | +--rw subProtoType cpudefendCPCARProtocol 1166 | | +--rw secPriority cpudefendPriority 1167 | +--rw secpolicyacls 1168 | | +--rw secpolicyacl* [secPolicyType secPolicyTypeID] 1169 | | +--rw secPolicyType cpudefendPolicyAclType 1170 | | +--rw secPolicyTypeID uint32 1171 | | +--rw secAclNum uint32 1172 | | +--rw secPrior? boolean 1173 | +--rw secDevUrpfs 1174 | | +--rw secDevUrpf* [secUrpfLooseType] 1175 | | +--rw secUrpfLooseType cpudefendUrpfMode 1176 | | +--rw secEnableDefaultRoute? boolean 1177 | +--rw sECCrssBrdCarNodes 1178 | +--rw sECCrssBrdCarNode* [secPolicyCir] 1179 | +--rw secPolicyCir uint32 1180 | +--rw secPolicyCbs? uint32 1181 +--rw secpolicycfgs 1182 | +--rw secpolicycfg* [secSlotIdStr] 1183 | +--rw secSlotIdStr -> /devm:devm/lpuBoards/lpuBoard/position 1184 | +--rw secPolicyID -> /cpudefend/secpolicys/secpolicy/secPolicyID 1185 +--ro seccarsysids 1186 | +--ro seccarsysid* [secSlotId secCarSysId] 1187 | +--ro secSlotId string 1188 | +--ro secPolicyID? uint32 1189 | +--ro secCarSysId uint16 1190 | +--ro secCarCir? uint32 1191 | +--ro secCarCbs? uint32 1192 | +--ro secDefaultCir? 
uint32 1193 | +--ro secDefaultCbs? uint32 1194 | +--ro secDescription? string 1195 +--ro secappstats 1196 | +--ro secappstat* [secSlotId] 1197 | +--ro secSlotId string 1198 | +--ro secAppEnable? cpudefendAppStatus 1199 | +--ro secAppDefAct? cpudefendAppDefAction 1200 | +--ro secFtpServer? cpudefendAppStatus 1201 | +--ro secSshServer? cpudefendAppStatus 1202 | +--ro secSnmp? cpudefendAppStatus 1203 | +--ro secTelnetServer? cpudefendAppStatus 1204 | +--ro secTftp? cpudefendAppStatus 1205 | +--ro secBgp? cpudefendAppStatus 1206 | +--ro secLdp? cpudefendAppStatus 1207 | +--ro secRsvp? cpudefendAppStatus 1208 | +--ro secOspf? cpudefendAppStatus 1209 | +--ro secRip? cpudefendAppStatus 1210 | +--ro secMsdp? cpudefendAppStatus 1211 | +--ro secPim? cpudefendAppStatus 1212 | +--ro secIgmp? cpudefendAppStatus 1213 | +--ro secIsis? cpudefendAppStatus 1214 | +--ro secFtpClient? cpudefendAppStatus 1215 | +--ro secTelnetClient? cpudefendAppStatus 1216 | +--ro secSshClient? cpudefendAppStatus 1217 | +--ro secNtp? cpudefendAppStatus 1218 | +--ro secRadius? cpudefendAppStatus 1219 | +--ro secHwtacacs? cpudefendAppStatus 1220 | +--ro secLspping? cpudefendAppStatus 1221 | +--ro secIcmp? cpudefendAppStatus 1222 | +--ro secVrrp? cpudefendAppStatus 1223 | +--ro secDhcp? cpudefendAppStatus 1224 | +--ro secDnsClient? cpudefendAppStatus 1225 | +--ro secSysLog? cpudefendAppStatus 1226 | +--ro secBfd? cpudefendAppStatus 1227 | +--ro sec8021ag? cpudefendAppStatus 1228 | +--ro secLacp? cpudefendAppStatus 1229 | +--ro secBgpV6? cpudefendAppStatus 1230 | +--ro secOspfV3? cpudefendAppStatus 1231 | +--ro secFtpV6Server? cpudefendAppStatus 1232 | +--ro secFtpV6Client? cpudefendAppStatus 1233 | +--ro secIcmpV6? cpudefendAppStatus 1234 | +--ro secPimV6? cpudefendAppStatus 1235 | +--ro secSshV6Server? cpudefendAppStatus 1236 | +--ro secTelnetV6Client? cpudefendAppStatus 1237 | +--ro secTelnetV6Server? cpudefendAppStatus 1238 | +--ro secDnsV6? cpudefendAppStatus 1239 | +--ro secWebAuthServ? 
cpudefendAppStatus 1240 | +--ro secDiameter? cpudefendAppStatus 1241 | +--ro secOpenflow? cpudefendAppStatus 1242 | +--ro secUnicastVrrp? cpudefendAppStatus 1243 | +--ro secIgpmu? cpudefendAppStatus 1244 | +--ro secIpfpm? cpudefendAppStatus 1245 +--ro secnoncarstats 1246 | +--ro secnoncarstat* [secSlotId secPolicyType secPolicyTypeID] 1247 | +--ro secSlotId string 1248 | +--ro secPolicyType cpudefendNoCarPolicyType 1249 | +--ro secPolicyTypeID cpudefendSecStatTypeID 1250 | +--ro secSubTotalPkts? uint64 1251 | +--ro secSubPassPkts? uint64 1252 | +--ro secSubDropPkts? uint64 1253 +--ro seccarstats 1254 | +--ro seccarstat* [secSlotId secPolicyType secPolicyTypeID] 1255 | +--ro secSlotId string 1256 | +--ro secPolicyType cpudefendPolicyType 1257 | +--ro secPolicyTypeID uint32 1258 | +--ro secAppEnable? boolean 1259 | +--ro secAppDefAct? cpudefendAppDefAction 1260 | +--ro secProtoEnable? boolean 1261 | +--ro secPassedPkts? uint64 1262 | +--ro secDropedPkts? uint64 1263 | +--ro secCfgCir? uint32 1264 | +--ro secCfgCbs? uint32 1265 | +--ro secActualCir? uint32 1266 | +--ro secActualCbs? uint32 1267 | +--ro secPriority? cpudefendPriority 1268 | +--ro secMinPktLen? uint32 1269 | +--ro secAclDenyPkts? uint64 1270 | +--ro secHistPps? uint64 1271 | +--ro secHistPpsTime? yang:date-and-time 1272 | +--ro secLastPps? uint64 1273 | +--ro secLastDrpBTime? yang:date-and-time 1274 | +--ro secLastDrpETime? yang:date-and-time 1275 | +--ro secTtlDropPkts? uint64 1276 +--ro secattsrcorgs 1277 | +--ro secattsrcorg* [secPktNumber secSlotId] 1278 | +--ro secBufferSize? uint32 1279 | +--ro secRecordNumber? uint32 1280 | +--ro secCoverFlag? uint32 1281 | +--ro secPktNumber uint32 1282 | +--ro secSlotId string 1283 | +--ro ifName? pub-type:ifName 1284 | +--ro secPVlanId? uint16 1285 | +--ro secCVlanId? uint16 1286 | +--ro secAttType? cpudefendATTSRCTYPE 1287 | +--ro secDateTime? yang:date-and-time 1288 | +--ro secAttSrcData? 
string 1289 +--ro secAttSrcVerboses 1290 | +--ro secAttSrcVerbose* [secPktNumber secSlotId] 1291 | +--ro secBufferSize? uint32 1292 | +--ro secRecordNumber? uint32 1293 | +--ro secCoverFlag? uint32 1294 | +--ro secPktNumber uint32 1295 | +--ro secSlotId string 1296 | +--ro ifName pub-type:ifName 1297 | +--ro secPeVlanID? uint16 1298 | +--ro secCeVlanID? uint16 1299 | +--ro secAttType? cpudefendATTSRCTYPE 1300 | +--ro secStartTime? yang:date-and-time 1301 | +--ro secL2Type? cpudefendAttSrcL2Type 1302 | +--ro secLinkType? uint16 1303 | +--ro secSrcMac? pub-type:macAddress 1304 | +--ro secDestMac? pub-type:macAddress 1305 | +--ro secL25Type? cpudefendAttSrcL25Type 1306 | +--ro secArpType? cpudefendAttSrcArpType 1307 | +--ro secMplsLabelNum? uint16 1308 | +--ro secMplsLabel1? uint16 1309 | +--ro secMplsLabel2? uint16 1310 | +--ro secMplsLabel3? uint16 1311 | +--ro secMplsLabel4? uint16 1312 | +--ro secMplsLabel5? uint16 1313 | +--ro secL3Type? cpudefendAttSrcL3Type 1314 | +--ro secIPVersion? uint8 1315 | +--ro secIPHeaderLen? uint8 1316 | +--ro secIPTos? uint8 1317 | +--ro secIPLen? uint16 1318 | +--ro secIPId? uint16 1319 | +--ro secIPOff? uint16 1320 | +--ro secIPTtl? uint8 1321 | +--ro secIPProtocol? uint8 1322 | +--ro secIPCheckSum? uint16 1323 | +--ro secSrcAddr? inet:ipv4-address-no-zone 1324 | +--ro secDstAddr? inet:ipv4-address-no-zone 1325 | +--ro secL4Type? cpudefendAttSrcL4Type 1326 | +--ro secSrcPort? uint16 1327 | +--ro secDstPort? uint16 1328 | +--ro secTcpSeqNum? uint32 1329 | +--ro secTcpAckNum? uint32 1330 | +--ro secTcpFlag? uint8 1331 | +--ro secTcpWinSize? uint16 1332 | +--ro secCheckSum? uint16 1333 | +--ro secUdpLen? uint16 1334 | +--ro secIcmpIgmpType? uint8 1335 | +--ro secIcmpIgmpCode? uint8 1336 | +--ro secIgmpGroup? inet:ipv4-address-no-zone 1337 | +--ro secAttSrcData? string 1338 | +--ro secATMVPI? uint16 1339 | +--ro secATMVCI? uint16 1340 | +--ro secSysid? 
uint32 1341 +--ro secTotalPktStats 1342 | +--ro secTotalPktStat* [secSlotId] 1343 | +--ro secSlotId string 1344 | +--ro secTotalPkt? uint64 1345 | +--ro secPassPkt? uint64 1346 | +--ro secDropPkt? uint64 1347 +--rw secArpCarValues 1348 | +--rw secArpCarValue* [secIfName] 1349 | +--rw secIfName -> /ifm:ifm/interfaces/interface/ifName 1350 | +--rw secEnable? boolean 1351 | +--rw secRateLimit? uint32 1352 +--ro secSlotArpAtcks 1353 | +--ro secSlotArpAtck* [secIfIndex secHistory] 1354 | +--ro secIfIndex -> /ifm:ifm/interfaces/interface/ifName 1355 | +--ro secVlanId? uint32 1356 | +--ro secIfSubIndex? pub-type:ifName 1357 | +--ro secPeVlanId? uint32 1358 | +--ro secCeVlanId? uint32 1359 | +--ro secCtrlVlan? uint32 1360 | +--ro secEnableArpCar? boolean 1361 | +--ro secPassBytes? uint64 1362 | +--ro secPassPkts? uint64 1363 | +--ro secDropBytes? uint64 1364 | +--ro secDropPkts? uint64 1365 | +--ro secStartTime? yang:date-and-time 1366 | +--ro secHistory sec_history_type 1367 | +--ro secEndTime? yang:date-and-time 1368 | +--ro secPassedBytes? uint64 1369 | +--ro secPassedPkts? uint64 1370 | +--ro secDroppedBytes? uint64 1371 | +--ro secDroppedPkts? uint64 1372 +--rw secArpSafeguards 1373 | +--rw secArpSafeguard* [secIfIndex] 1374 | +--rw secIfIndex -> /ifm:ifm/interfaces/interface/ifName 1375 +--ro secArpSafeGStats 1376 | +--ro secArpSafeGStat* [secSlotId] 1377 | +--ro secSlotId string 1378 | +--ro secRequestCnt? uint64 1379 | +--ro secReplyCnt? uint64 1380 | +--ro secTocpCnt? uint64 1381 | +--ro secDropCnt? uint64 1382 +--rw secEnL2LoDetects 1383 | +--rw secEnL2LoDetect* [secSlotId] 1384 | +--rw secSlotId -> /devm:devm/lpuBoards/lpuBoard/position 1385 | +--rw secDetectFlag? boolean 1386 +--rw secL2LoDteTraps 1387 | +--rw secL2LoDteTrap* [secSlotId] 1388 | +--rw secSlotId -> /devm:devm/lpuBoards/lpuBoard/position 1389 | +--rw secTrapFlag? 
boolean 1390 +--rw secL2LoDteShuts 1391 | +--rw secL2LoDteShut* [secSlotId] 1392 | +--rw secSlotId -> /devm:devm/lpuBoards/lpuBoard/position 1393 | +--rw secShutFlag? boolean 1394 | +--rw secUpTimes? uint16 1395 | +--rw secUpInterval? uint16 1396 +--ro secL2LoDisStaIns 1397 | +--ro secL2LoDisStaIn* [secSlotId] 1398 | +--ro secSlotId string 1399 | +--ro secActionFlag? cpudefendL2LoopAction 1400 | +--ro secIfName? pub-type:ifName 1401 | +--ro secVlanID? uint16 1402 | +--ro secLoopLevel? cpudefendL2LoopLevel 1403 | +--ro secPortState? cpudefendL2LoopIntfStatus 1404 +--ro secL2LoDisPckIns 1405 | +--ro secL2LoDisPckIn* [secSlotId] 1406 | +--ro secSlotId string 1407 | +--ro secIfName? pub-type:ifName 1408 | +--ro secNumber? uint16 1409 | +--ro secPeVlanId? uint16 1410 | +--ro secCeVlanId? uint16 1411 | +--ro secProtocol? cpudefendSecStatTypeID 1412 | +--ro secPktType? cpudefendL2LoopPacketType 1413 | +--ro secSrcMac? pub-type:macAddress 1414 +--rw secTMSQWeights 1415 | +--rw secTMSQWeight* [secPolicyID secSQType] 1416 | +--rw secPolicyID uint32 1417 | +--rw secSQType cpudefendTMSQWeightType 1418 | +--rw secSQWeight? uint32 1419 | +--rw secSQCir? uint32 1420 | +--rw secSQPir? uint32 1421 +--ro secDisSQStats 1422 | +--ro secDisSQStat* [secSlotId secSQType] 1423 | +--ro secSlotId string 1424 | +--ro secSQType cpudefendTMSQWeightType 1425 | +--ro secPassedPkts? uint64 1426 | +--ro secDropedPkts? uint64 1427 | +--ro secDisFQStats 1428 | +--ro secDisFQStat* 1429 | +--ro secBEPassPkts? uint64 1430 | +--ro secBEDropPkts? uint64 1431 | +--ro secAF1PassPkts? uint64 1432 | +--ro secAF1DropPkts? uint64 1433 | +--ro secAF2PassPkts? uint64 1434 | +--ro secAF2DropPkts? uint64 1435 | +--ro secAF3PassPkts? uint64 1436 | +--ro secAF3DropPkts? uint64 1437 | +--ro secAF4PassPkts? uint64 1438 | +--ro secAF4DropPkts? uint64 1439 | +--ro secEFPassPkts? uint64 1440 | +--ro secEFDropPkts? uint64 1441 | +--ro secCS6PassPkts? uint64 1442 | +--ro secCS6DropPkts? uint64 1443 | +--ro secCS7PassPkts? 
uint64 1444 | +--ro secCS7DropPkts? uint64 1445 +--ro secDisSQWeights 1446 | +--ro secDisSQWeight* [secSlotId secSQType] 1447 | +--ro secSlotId string 1448 | +--ro secSQType cpudefendTMSQWeightType 1449 | +--ro secConfigSQCir? uint32 1450 | +--ro secDftSQCir? uint32 1451 | +--ro secConfigSQPir? uint32 1452 | +--ro secDftSQPir? uint32 1453 | +--ro secConfigWeight? uint32 1454 | +--ro secDftWeight? uint32 1455 +--rw sechostcarNodes 1456 | +--rw sechostcarNode* [slotID hostCarType] 1457 | +--rw slotID -> /devm:devm/lpuBoards/lpuBoard/position 1458 | +--rw hostCarType cpudefendhostCarType 1459 | +--rw cir? uint32 1460 | +--rw pir? uint32 1461 | +--rw cbs? uint32 1462 | +--rw pbs? uint32 1463 +--rw secHstcAdjustNodes 1464 | +--rw socHstcAdjustNode* [slotID hostCarType] 1465 | +--rw slotID string 1466 | +--rw hostCarType cpudefendhostCarType 1467 | +--rw ifEnable? socIfEnable 1468 +--rw secHstcAdjNodes 1469 | +--rw socHstcAdjNode* [slotID hostCarType] 1470 | +--rw slotID string 1471 | +--rw hostCarType cpudefendhostCarType 1472 | +--rw dropThreshold? uint32 1473 | +--rw interval? uint32 1474 +--ro secDisDefaultCars 1475 | +--ro secDisDefaultCar* [secSlotId secSysId] 1476 | +--ro secSlotId string 1477 | +--ro secSysId uint16 1478 | +--ro secCir? uint32 1479 | +--ro secCbs? uint32 1480 | +--ro secMinPkt? uint32 1481 | +--ro secPriority? cpudefendSecPriority 1482 | +--ro secTypeId? cpudefendSecTypeId 1483 +--ro secCurrentCarNodes 1484 | +--ro secCurrentCarNode* [secSlotId secPolicyTypeID] 1485 | +--ro secSlotId string 1486 | +--ro secPolicyTypeID uint32 1487 | +--ro secPolicyCir? uint32 1488 | +--ro secPolicyCbs? uint32 1489 | +--ro secMinPkt? uint32 1490 | +--ro secPriority? cpudefendSecPriority 1491 | +--ro desc? cpudefendSecTypeId 1492 +--ro secAttSrcFiles 1493 | +--ro secAttSrcFile* [fileName] 1494 | +--ro fileName string 1495 | +--ro secRecordNum? uint32 1496 | +--ro secPktNumber? uint32 1497 | +--ro secPeVlanID? uint16 1498 | +--ro secCeVlanID? 
uint16 1499 | +--ro secStartTime? yang:date-and-time 1500 | +--ro secL2Type? cpudefendAttSrcL2Type 1501 | +--ro secLinkType? uint16 1502 | +--ro secSrcMac? pub-type:macAddress 1503 | +--ro secDestMac? pub-type:macAddress 1504 | +--ro secL25Type? cpudefendAttSrcL25Type 1505 | +--ro secArpType? cpudefendAttSrcArpType 1506 | +--ro secMplsLabelNum? uint16 1507 | +--ro secMplsLabel1? uint16 1508 | +--ro secMplsLabel2? uint16 1509 | +--ro secMplsLabel3? uint16 1510 | +--ro secMplsLabel4? uint16 1511 | +--ro secMplsLabel5? uint16 1512 | +--ro secL3Type? cpudefendAttSrcL3Type 1513 | +--ro secIPVersion? uint8 1514 | +--ro secIPHeaderLen? uint8 1515 | +--ro secIPTos? uint8 1516 | +--ro secIPLen? uint16 1517 | +--ro secIPId? uint16 1518 | +--ro secIPOff? uint16 1519 | +--ro secIPTtl? uint8 1520 | +--ro secIPProtocol? uint8 1521 | +--ro secIPCheckSum? uint16 1522 | +--ro secSrcAddr? inet:ipv4-address-no-zone 1523 | +--ro secDstAddr? inet:ipv4-address-no-zone 1524 | +--ro secL4Type? cpudefendAttSrcL4Type 1525 | +--ro secSrcPort? uint16 1526 | +--ro secDstPort? uint16 1527 | +--ro secTcpSeqNum? uint32 1528 | +--ro secTcpAckNum? uint32 1529 | +--ro secTcpFlag? uint8 1530 | +--ro secTcpWinSize? uint8 1531 | +--ro secCheckSum? uint16 1532 | +--ro secUdpLen? uint16 1533 | +--ro secIcmpIgmpType? uint8 1534 | +--ro secIcmpIgmpCode? uint8 1535 | +--ro secIgmpGroup? inet:ipv4-address-no-zone 1536 | +--ro secAttSrcData? string 1537 | +--ro secVpi? uint16 1538 | +--ro secVci? uint16 1539 +--ro secHostCarStats 1540 | +--ro secHostCarStat* [slotID hostCarType statType hostCarID httpHostCarID vlanHostCarID] 1541 | +--ro slotID -> /devm:devm/lpuBoards/lpuBoard/position 1542 | +--ro hostCarType cpudefendhostCarType 1543 | +--ro statType cpudefendstatType 1544 | +--ro hostCarID uint32 1545 | +--ro httpHostCarID uint32 1546 | +--ro vlanHostCarID uint32 1547 | +--ro passedBytes? uint64 1548 | +--ro droppedBytes? 
uint64 1549 +--ro secHostCarCfgs 1550 | +--ro secHostCarCfg* [socSlotID] 1551 | +--ro secSlotID string 1552 | +--ro hostCarType? cpudefendhostCarType 1553 | +--ro defaultCir? uint32 1554 | +--ro defaultPir? uint32 1555 | +--ro defaultCbs? uint32 1556 | +--ro defaultPbs? uint32 1557 | +--ro actualCir? uint32 1558 | +--ro actualPir? uint32 1559 | +--ro actualCbs? uint32 1560 | +--ro actualPbs? uint32 1561 | +--ro droprateEn? socIfEnable 1562 | +--ro logInterval? uint32 1563 | +--ro logThreshold? uint32 1564 +--ro secAccessUsers 1565 | +--ro secAccessUser* [secSlotId hostcarCarID] 1566 | +--ro secSlotId -> /devm:devm/lpuBoards/lpuBoard/position 1567 | +--ro hostcarCarID uint32 1568 | +--ro passedBytes? uint64 1569 | +--ro droppedBytes? uint64 1570 | +--ro secUserName? string 1571 | +--ro userStatus? cpudefendUserStatus 1572 | +--ro secUsrIPV4Addr? inet:ipv4-address-no-zone 1573 | +--ro secUsrIPV6Addr? inet:ipv6-address-no-zone 1574 | +--ro secUsrMac? pub-type:macAddress 1575 | +--ro outterVlanId? uint16 1576 | +--ro innerVlanId? uint16 1577 +--rw secCaptPktActNodes 1578 | +--rw secCaptPktActNode* [captureIndex] 1579 | +--rw captureIndex uint8 1580 | +--rw secIfName -> /ifm:ifm/interfaces/interface/ifName 1581 | +--rw direction? cpudefendCaptDirection 1582 | +--rw pktNumber? uint32 1583 | +--rw timeOut? uint32 1584 | +--rw pktLen? uint32 1585 | +--rw captAclType? cpudefendCaptAclType 1586 | +--rw secCaptAcl? cpudefendCaptAcl 1587 | +--rw secCaptIpv6Acl? cpudefendCaptIpv6Acl 1588 | +--rw vlanType? cpudefendvlanType 1589 | +--rw peBegin? uint16 1590 | +--rw peEnd? uint16 1591 | +--rw ceBegin? uint16 1592 | +--rw ceEnd? uint16 1593 | +--rw bufferonly? cpudefendDestType 1594 | +--rw fileName? string 1595 | +--rw fileSize? uint8 1596 | +--rw overwrite? boolean 1598 4.7. TCP/IP Attack Defence 1600 Defense against TCP/IP attacks is applied to the router on the edge 1601 of the network or other routers that are easily to be attacked by 1602 illegal TCP/IP packets. 
   Defense against TCP/IP attacks protects the CPU of the router against
   malformed (abnormal) packets, fragmented packets, TCP SYN floods, UDP
   floods and ICMP floods, each of which has its own switch below, so
   that normal services can still be processed.

   module: ietf-tcp-ip-attack-defence
      +--rw secAntiAttackEnable
      |  +--rw antiEnable?          antiAttackEnableCfgType
      |  +--rw abnormalEnable?      antiAttackEnableCfgType
      |  +--rw udpFloodEnable?      antiAttackEnableCfgType
      |  +--rw tcpSynEnable?        antiAttackEnableCfgType
      |  +--rw icmpFloodEnable?     antiAttackEnableCfgType
      |  +--rw fragmentEnable?      antiAttackEnableCfgType
      +--rw secAntiAttackCarCfg
      |  +--rw cirFrag?             uint32
      |  +--rw cirIcmp?             uint32
      |  +--rw cirTcp?              uint32
      +--rw secAntiAttackStats
         +--ro secAntiAttackStat* [attackType]
            +--ro attackType        antiAttackType
            +--ro totalCount?       uint64
            +--ro dropCount?        uint64
            +--ro passCount?        uint64

5.  Network Infrastructure Device Security Baseline YANG Module

   module ietf-mac-limit {
     namespace "urn:ietf:params:xml:ns:yang:ietf-mac-limit";
     prefix maclimit;
     /*
     import huawei-pub-type {
       prefix pub-type;
     }
     */
     import ietf-yang-types {
       prefix yang;
     }
     /*
     import huawei-extension {
       prefix ext;
     }

     include huawei-mac-action;
     include huawei-mac-type;
     */
     organization
       "Huawei Technologies.";
     contact
       "Liang Xia: Frank.xialiang@huawei.com
        Guangying Zheng: Zhengguangying@huawei.com";
     description
       "MAC address limit.";

     revision 2017-09-01 {
       description
         "Init revision";
       reference "xxx.";
     }

     container mac {
       description
         "MAC address forwarding.";
       container macLimitRules {
         description
           "Global MAC address learning limit rule.";
         list macLimitRule {
           key "ruleName";
           description
             "Global MAC address learning limit.";
           leaf ruleName {
             type string {
               length "1..31";
             }
             description
               "Global MAC address learning limit rule name.";
           }
           leaf maximum {
             type uint32 {
               range "0..131072";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval at which MAC addresses are learned.";
           }
           leaf action {
             type macLimitForward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number.";
           }
           leaf alarm {
             type macEnableStatus;
             default "enable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number.";
           }
         }
       }
       container vlanMacLimits {
         description
           "VLAN MAC address limit list.";
         list vlanMacLimit {
           key "vlanId";
           description
             "VLAN MAC address limit.";
           leaf vlanId {
             type macVlanId;
             description
               "VLAN ID.";
           }
           leaf maximum {
             type uint32 {
               range "0..130048";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned in
                a VLAN.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval at which MAC addresses are learned in a VLAN.";
           }
           leaf action {
             type macLimitForward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number in a VLAN.";
           }
           leaf alarm {
             type macEnableStatus;
             default "enable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number in a
                VLAN.";
           }
         }
       }
       container vsiMacLimits {
         description
           "VSI MAC address limit list.";
         list vsiMacLimit {
           key "vsiName";
           description
             "VSI MAC address limit.";
           leaf vsiName {
             type string {
               length "1..31";
             }
             description
               "VSI name.";
           }
           leaf maximum {
             type uint32 {
               range "0..524288";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned in
                a VSI.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval at which MAC addresses are learned in a VSI.";
           }
           leaf action {
             type macLimitForward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number in a VSI.";
           }
           leaf alarm {
             type macEnableStatus;
             default "disable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number in a
                VSI.";
           }
           leaf upThreshold {
             type uint8 {
               range "80..100";
             }
             mandatory true;
             description
               "Upper limit for the number of MAC addresses.";
           }
           leaf downThreshold {
             type uint8 {
               range "60..100";
             }
             mandatory true;
             description
               "Lower limit for the number of MAC addresses.";
           }
         }
       }
       container bdMacLimits {
         description
           "BD MAC address limit list.";
         list bdMacLimit {
           key "bdId";
           description
             "BD MAC address limit.";
           leaf bdId {
             type uint32 {
               range "1..16777215";
             }
             description
               "Specifies the ID of a bridge domain.";
           }
           leaf maximum {
             type uint32 {
               range "0..130048";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned in
                a BD.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval at which MAC addresses are learned in a BD.";
           }
           leaf action {
             type macLimitForward;
             default "discard";
             description
               "Forward or discard the packet.";
           }
           leaf alarm {
             type macEnableStatus;
             default "enable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number.";
           }
         }
       }
       container pwMacLimits {
         description
           "PW MAC address limit list.";
         list pwMacLimit {
           key "vsiName pwName";
           description
             "PW MAC address limit.";
           leaf vsiName {
             type string {
               length "1..31";
             }
             description
               "VSI name.";
           }
           leaf pwName {
             type string {
               length "1..15";
             }
             description
               "PW name.";
           }
           leaf maximum {
             type uint32 {
               range "0..130048";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned in
                a PW.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval at which MAC addresses are learned in a PW.";
           }
           leaf action {
             type macLimitForward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number in a PW.";
           }
           leaf alarm {
             type macEnableStatus;
             default "enable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number in a
                PW.";
           }
         }
       }
       container ifMacLimits {
         description
           "Interface MAC address limit list.";
         list ifMacLimit {
           key "ifName limitType";
           description
             "Interface MAC address limit.";
           leaf ifName {
             type pub-type:ifName;
             description
               "Interface name.";
           }
           leaf limitType {
             type limitType;
             description
               "Interface MAC limit type.";
           }
           leaf ruleName {
             type leafref {
               path "/mac/macLimitRules/macLimitRule/ruleName";
             }
             description
               "Rule name.";
           }
           leaf maximum {
             type uint32 {
               range "0..131072";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned on
                an interface.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval (ms) at which MAC addresses are learned on an
                interface.";
           }
           leaf action {
             type macLimitForward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number on an interface.";
           }
           leaf alarm {
             type macEnableStatus;
             default "enable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number on an
                interface.";
           }
         }
       }
       container ifVlanMacLimits {
         description
           "Interface + VLAN MAC address limit list.";
         list ifVlanMacLimit {
           key "ifName vlanBegin limitType";
           config false;
           description
             "Interface + VLAN MAC address limit.";
           leaf ifName {
             type pub-type:ifName;
             description
               "Name of an interface.";
           }
           leaf vlanBegin {
             type macVlanId;
             description
               "Start VLAN ID.";
           }
           leaf vlanEnd {
             type macVlanId;
             description
               "End VLAN ID.";
           }
           leaf limitType {
             type limitType;
             description
               "Interface MAC limit type.";
           }
           leaf ruleName {
             type leafref {
               path "/mac/macLimitRules/macLimitRule/ruleName";
             }
             description
               "Rule name.";
           }
           leaf maximum {
             type uint32 {
               range "0..131072";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned on
                an interface.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             mandatory true;
             description
               "Interval (ms) at which MAC addresses are learned on an
                interface.";
           }
           leaf action {
             type macLimitForward;
             default "discard";
             description
               "Discard or forward the packet.";
           }
           leaf alarm {
             type macEnableStatus;
             default "enable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number.";
           }
         }
       }
       container subifMacLimits {
         description
           "Sub-interface MAC address limit list.";
         list subifMacLimit {
           key "ifName limitType";
           description
             "Sub-interface MAC address limit.";
           leaf ifName {
             type pub-type:ifName;
             description
               "Name of a sub-interface.";
           }
           leaf limitType {
             type limitType;
             description
               "Sub-interface MAC limit type.";
           }
           leaf vsiName {
             type string {
               length "1..36";
             }
             config false;
             mandatory true;
             description
               "VSI name, EVPN name or bridge domain ID.";
           }
           leaf ruleName {
             type string {
               length "1..31";
             }
             mandatory true;
             description
               "Rule name.";
           }
           leaf maximum {
             type uint32 {
               range "0..131072";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned on
                a sub-interface.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval (ms) at which MAC addresses are learned on a
                sub-interface.";
           }
           leaf action {
             type macLimitForward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number on a
                sub-interface.";
           }
           leaf alarm {
             type macEnableStatus;
             default "enable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number on a
                sub-interface.";
           }
         }
       }
       container vsiStormSupps {
         description
           "VSI Suppression List.";
         list vsiStormSupp {
           key "vsiName suppressType";
           description
             "VSI Suppression.";
           leaf vsiName {
             type string {
               length "1..31";
             }
             description
               "VSI name.";
           }
           leaf suppressType {
             type suppressType;
             description
               "Traffic suppression type.";
           }
           leaf cir {
             type uint64 {
               range "0..4294967295";
             }
             default "0";
             description
               "CIR value.";
           }
           leaf cbs {
             type uint64 {
               range "0..4294967295";
             }
             description
               "CBS value.";
           }
         }
       }
       container vlanStormSupps {
         description
           "VLAN Suppression List.";
         list vlanStormSupp {
           key "vlanId suppressType";
           description
             "VLAN Suppression.";
           leaf vlanId {
             type macVlanId;
             description
               "VLAN ID.";
           }
           leaf suppressType {
             type suppressType;
             description
               "Traffic suppression type.";
           }
           leaf cir {
             type uint64 {
               range "64..4294967295";
             }
             default "64";
             description
               "CIR value.";
           }
           leaf cbs {
             type uint64 {
               range "10000..4294967295";
             }
             description
               "CBS value.";
           }
         }
       }
       container subIfSuppresss {
         description
           "Sub-interface traffic suppression list.";
         list subIfSuppress {
           key "ifName suppressType direction";
           description
             "Sub-interface traffic suppression.";
           leaf ifName {
             type pub-type:ifName;
             description
               "Sub-interface name.";
           }
           leaf suppressType {
             type suppressType;
             description
               "Suppression type.";
           }
           leaf direction {
             type directionType;
             description
               "Suppression direction.";
           }
           leaf cir {
             type uint64 {
               range "0..4294967295";
             }
             default "0";
             description
               "CIR value.";
           }
           leaf cbs {
             type uint64 {
               range "0..4294967295";
             }
             description
               "CBS value.";
           }
         }
       }
       container pwSuppresss {
         description
           "PW traffic suppression list.";
         list pwSuppress {
           key "vsiName pwName suppressType";
           description
             "PW traffic suppression.";
           leaf vsiName {
             type string {
               length "1..31";
             }
             description
               "VSI name.";
           }
           leaf pwName {
             type string {
               length "1..15";
             }
             description
               "PW name.";
           }
           leaf suppressType {
             type suppressType;
             description
               "Traffic suppression type.";
           }
           leaf cir {
             type uint64 {
               range "100..4294967295";
             }
             default "100";
             description
               "CIR value.";
           }
           leaf cbs {
             type uint64 {
               range "100..4294967295";
             }
             description
               "CBS value.";
           }
         }
       }
       container pwSuppressPtns {
         description
           "PW traffic suppression list.";
         list pwSuppressPtn {
           key "vsiName peerIp pwId pwEncap";
           description
             "PW traffic suppression.";
           leaf vsiName {
             type string {
               length "1..31";
             }
             description
               "VSI name.";
           }
           leaf peerIp {
             type string {
               length "0..255";
               pattern "((([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\\.){3}([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]))";
             }
             description
               "Peer IP address.";
           }
           leaf pwId {
             type uint32 {
               range "1..4294967295";
             }
             description
               "PW ID.";
           }
           leaf pwEncap {
             type macPwEncapType;
             description
               "PW encapsulation type.";
           }
           leaf isEnable {
             type boolean;
             default "true";
             description
               "Enable status.";
           }
           leaf suppressType {
             type suppressStyle;
             default "absoluteValue";
             description
               "Traffic suppression type.";
           }
           leaf broadcast {
             type uint32 {
               range "0..200000000";
             }
             default "1000";
             description
               "Broadcast suppression (kbit/s).";
           }
           leaf unicast {
             type uint32 {
               range "0..200000000";
             }
             default "1000";
             description
               "Unknown unicast suppression (kbit/s).";
           }
           leaf multicast {
             type uint32 {
               range "0..200000000";
             }
             default "1000";
             description
               "Multicast suppression (kbit/s).";
           }
         }
       }
       container vsiInSuppressions {
         description
           "VSI inbound traffic suppression list.";
         list vsiInSuppression {
           key "vsiName";
           description
             "VSI inbound traffic suppression.";
           leaf vsiName {
             type string {
               length "1..31";
             }
             description
               "VSI name.";
           }
           leaf inboundSupp {
             type macEnableStatus;
             default "enable";
             description
               "Inbound suppression.";
           }
         }
       }
       container vsiOutSuppressions {
         description
           "VSI outbound traffic suppression list.";
         list vsiOutSuppression {
           key "vsiName";
           description
             "VSI outbound traffic suppression.";
           leaf vsiName {
             type string {
               length "1..31";
             }
             description
               "VSI name.";
           }
           leaf outboundSupp {
             type macEnableStatus;
             default "enable";
             description
               "Outbound suppression.";
           }
         }
       }
       container vsiSuppresss {
         description
           "VSI traffic suppression list.";
         list vsiSuppress {
           key "subIfName";
           description
             "VSI traffic suppression.";
           leaf vsiName {
             type string {
               length "1..31";
             }
             mandatory true;
             description
               "VSI name.";
           }
           leaf subIfName {
             type pub-type:ifName;
             description
               "Sub-interface name.";
           }
           leaf isEnable {
             type boolean;
             default "true";
             description
               "Enable status.";
           }
           leaf suppressType {
             type suppressStyle;
             default "percent";
             description
               "Traffic suppression type.";
           }
           leaf broadcast {
             type uint32 {
               range "0..200000000";
             }
             default "64";
             description
               "Broadcast suppression (kbit/s).";
           }
           leaf broadcastPercent {
             type uint32 {
               range "0..100";
             }
             default "1";
             description
               "Broadcast suppression (percent).";
           }
           leaf unicast {
             type uint32 {
               range "0..200000000";
             }
             default "64";
             description
               "Unknown unicast suppression (kbit/s).";
           }
           leaf unicastPercent {
             type uint32 {
               range "0..100";
             }
             default "1";
             description
               "Unknown unicast suppression (percent).";
           }
           leaf multicast {
             type uint32 {
               range "0..200000000";
             }
             default "64";
             description
               "Multicast suppression (kbit/s).";
           }
           leaf multicastPercent {
             type uint32 {
               range "0..100";
             }
             default "1";
             description
               "Multicast suppression (percent).";
           }
         }
       }
       container vsiTotalNumbers {
         description
           "List of MAC address total numbers in a VSI.";
         list vsiTotalNumber {
           key "vsiName slotId macType";
           config false;
           description
             "Total number of MAC addresses in a VSI.";
           leaf vsiName {
             type string {
               length "1..31";
             }
             description
               "VSI name.";
           }
           leaf slotId {
             type string {
               length "1..24";
             }
             description
               "Slot ID.";
           }
           leaf macType {
             type macType;
             description
               "MAC address type.";
           }
           leaf number {
             type uint32;
             mandatory true;
             description
               "Number of MAC addresses.";
           }
         }
       }
       container ifStormSupps {
         description
           "Interface traffic suppression list.";
         list ifStormSupp {
           key "ifName suppressType";
           description
             "Interface traffic suppression.";
           leaf ifName {
             type pub-type:ifName;
             description
               "Name of an interface.";
           }
           leaf suppressType {
             type suppressType;
             description
               "Suppression type.";
           }
           leaf percent {
             type uint64 {
               range "0..99";
             }
             description
               "Percent.";
           }
           leaf packets {
             type uint64 {
               range "0..148810000";
             }
             description
               "Packets per second.";
           }
           leaf cir {
             type uint64 {
               range "0..100000000";
             }
             description
               "CIR (kbit/s).";
           }
           leaf cbs {
             type uint64 {
               range "10000..4294967295";
             }
             description
               "CBS (bytes).";
           }
         }
       }
       container ifStormBlocks {
         description
           "Interface traffic block list.";
         list ifStormBlock {
           key "ifName blockType direction";
           description
             "Interface traffic block.";
           leaf ifName {
             type pub-type:ifName;
             description
               "Name of an interface.";
           }
           leaf blockType {
             type suppressType;
             description
               "Block type.";
           }
           leaf direction {
             type directionType;
             description
               "Direction.";
           }
         }
       }
       container ifStormContrls {
         description
           "Interface storm control list.";
         list ifStormContrl {
           key "ifName";
           description
             "Interface storm control.";
           leaf ifName {
             type pub-type:ifName;
             description
               "Name of an interface.";
           }
           leaf action {
             type stormCtrlActionType;
             default "normal";
             description
               "Action type.";
           }
           leaf trapEnable {
             type enableType;
             default "disable";
             description
               "Trap state.";
           }
           leaf logEnable {
             type enableType;
             default "disable";
             description
               "Log state.";
           }
           leaf interval {
             type uint64 {
               range "1..180";
             }
             default "5";
             description
               "Detection interval.";
           }
           container ifPacketContrlAttributes {
             description
               "Storm control rate list.";
             list ifPacketContrlAttribute {
               key "packetType";
               description
                 "Storm control rate.";
               leaf packetType {
                 type stormCtrlType;
                 description
                   "Packet type.";
               }
               leaf rateType {
                 type stormCtrlRateType;
                 default "pps";
                 description
                   "Storm control rate type.";
               }
               leaf minRate {
                 type uint32 {
                   range "1..148810000";
                 }
                 mandatory true;
                 description
                   "Storm control min rate.";
               }
               leaf maxRate {
                 type uint64 {
                   range "1..148810000";
                 }
                 mandatory true;
                 description
                   "Storm control max rate.";
               }
             }
           }
           container ifstormContrlInfos {
             description
               "Storm control info list.";
             list ifstormContrlInfo {
               key "packetType";
               config false;
               description
                 "Storm control info.";
               leaf packetType {
                 type stormCtrlType;
                 description
                   "Packet type.";
               }
               leaf punishStatus {
                 type stormCtrlActionType;
                 description
                   "Storm control status.";
               }
               leaf lastPunishTime {
                 type string {
                   length "1..50";
                 }
                 description
                   "Last punish time.";
               }
             }
           }
         }
       }
     }
   }

6.  IANA Considerations

   This document makes no request of IANA.

   Note to RFC Editor: this section may be removed on publication as an
   RFC.

7.  Security Considerations

   To be added.

8.  Acknowledgements

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

9.2.  Informative References

   [I-D.ietf-netconf-subscribed-notifications]
              Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and
              A. Tripathy, "Custom Subscription to Event Notifications",
              draft-ietf-netconf-subscribed-notifications-03 (work in
              progress), July 2017.

   [I-D.ietf-netconf-yang-push]
              Clemm, A., Voit, E., Prieto, A., Tripathy, A., Nilsen-
              Nygaard, E., Bierman, A., and B. Lengyel, "Subscribing to
              YANG datastore push updates", draft-ietf-netconf-yang-
              push-08 (work in progress), August 2017.

   [I-D.ietf-sacm-information-model]
              Waltermire, D., Watson, K., Kahn, C., Lorenzin, L., Cokus,
              M., Haynes, D., and H. Birkholz, "SACM Information Model",
              draft-ietf-sacm-information-model-10 (work in progress),
              April 2017.

Authors' Addresses

   Liang Xia
   Huawei

   Email: frank.xialiang@huawei.com

   Guangying Zheng
   Huawei

   Email: zhengguangying@huawei.com