Network Working Group                                             L. Xia
Internet-Draft                                                  G. Zheng
Intended status: Standards Track                                  Huawei
Expires: December 6, 2018                                  June 04, 2018

   The Data Model of Network Infrastructure Device Data Plane Security
                                 Baseline
              draft-xia-sacm-nid-dp-security-baseline-02

Abstract

   This document proposes one part of the security baseline YANG for
   network infrastructure devices (i.e., routers, switches, firewalls,
   etc.): the data plane security baseline.  The companion documents
   [I-D.ietf-lin-sacm-nid-mp-security-baseline] and
   [I-D.ietf-dong-sacm-nid-infra-security-baseline] cover the other
   parts of the security baseline YANG for network infrastructure
   devices respectively: the management plane security baseline and the
   infrastructure layer security baseline.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 6, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Objective
     1.2.  Security Baseline
     1.3.  Security Baseline Data Model Design
     1.4.  Summary
   2.  Terminology
     2.1.  Key Words
     2.2.  Definition of Terms
   3.  Tree Diagrams
   4.  Data Model Structure
     4.1.  Layer 2 Protection
     4.2.  ARP
     4.3.  URPF
     4.4.  DHCP Snooping
     4.5.  CPU Protection
     4.6.  TCP/IP Attack Defence
   5.  Network Infrastructure Device Security Baseline Yang Module
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

1.1.  Objective

   Network security is an essential part of overall network deployment
   and operation.  For the following reasons, network infrastructure
   devices (e.g., switches, routers, firewalls) are a constant target of
   network attackers and are exploited to damage the victim network:

   o  The existence of many unsafe access channels: for historical
      reasons, some old and unsafe protocols still run on network
      devices, such as SNMP v1/v2 and Telnet, and replacing them with
      the corresponding safer protocols (SNMP v3, SSH) is not mandatory.
      Attackers easily exploit them (e.g., invalid login, message
      eavesdropping);

   o  The open nature of TCP/IP networks: despite the benefits in
      network architecture design and connectivity that this openness
      brings, many threats exist alongside them.  Address spoofing,
      security weaknesses in various protocols, traffic flooding and
      other kinds of threat all originate from the openness of the
      network;

   o  The security challenge posed by network complexity: networks are
      becoming more complex, with massive numbers of nodes, various
      protocols and flexible topologies.  Without careful design, strict
      management and operational automation, the consistency of network
      security management policy cannot be ensured.  It is common for
      part of the network infrastructure to be subject to attack;

   o  The complex functionality of the device: the complexity of the
      device itself increases the difficulty of carrying out security
      hardening measures, as well as the skill required of the network
      administrator.  As a result, the network administrator may not be
      capable of, or willing to, realize all the security measures in
      addition to implementing the other basic functionalities;

   o  The capacity and capability mismatch between the data plane and
      the control plane: there is a large mismatch in traffic processing
      capacity and capability between the different planes.  Without
      effective control, the large volume of traffic from the data plane
      can easily flood the other planes.

   Therefore, the importance of ensuring the security of network
   infrastructure devices is beyond question.  To secure the network
   infrastructure devices, one important task is to identify, as far as
   possible, the threats and vulnerabilities in the device itself, such
   as unnecessary services, insecure configurations and abnormal status,
   and then to enforce the corresponding security hardening measures,
   such as applying patches, modifying the security configuration and
   enhancing the security mechanisms.
   We call this task developing and deploying the security baseline for
   the network infrastructure, which provides a solid foundation for
   overall network security.  This document aims to describe the
   security baseline for the network infrastructure, called the
   security baseline in short in this document.

1.2.  Security Baseline

   Basically, a security baseline can be designed and deployed at
   different layers of the device:

   o  Application layer: refers to the application platform security
      solution and the typical application security mechanisms it
      provides, such as identity authentication, access control,
      permission management, encryption and decryption, auditing and
      tracking, and privacy protection, to ensure secure application
      data transmission/exchange, secure storage and secure processing,
      and thus the secure operation of the application system.
      Specific examples may be web application security, software
      integrity protection, encryption of sensitive data, privacy
      protection, lawful interception interfaces and secure third-party
      components;

   o  Network layer: refers to a series of security measures to protect
      the network resources and network services running on the
      device's network platform.  Network layer security of a network
      product is complicated.  Therefore, it is divided into the data
      plane, control plane and management plane for consideration:

      *  Data plane: focuses on the security hardening configuration
         and status that protect data plane traffic against
         eavesdropping, tampering, forging and flooding attacks on the
         network;

      *  Control plane: focuses on the control signaling security of
         the network infrastructure device, to protect its normal
         exchange against various attacks (i.e., eavesdropping,
         tampering, forging and flooding attacks) and to restrict
         malicious control signaling, ensuring correct network topology
         and forwarding behavior;

      *  Management plane: focuses on management information and
         platform security.  More specifically, it includes all the
         security configuration and status involved in the network OAM
         process;

   o  Infrastructure layer: refers to all the security design of the
      device itself and its running OS.  As the foundation of the
      upper-layer services, the security of the infrastructure layer
      must be assured.  The specific mechanisms include OS security,
      key management, cryptography security, certificate management and
      software integrity.

1.3.  Security Baseline Data Model Design

   The security baseline varies according to many factors, such as the
   device type (i.e., router, switch, firewall), the security features
   supported by the device, and the specific security requirements of
   the network operator.  It is impossible to design a complete set, so
   this document and its companions propose the most important and
   universal points.  More baseline content can be added in future
   following the specified data model scheme.

   [I-D.ietf-birkholz-sacm-yang-content] defines a method of
   constructing the YANG data model scheme for the security posture
   assessment of network infrastructure devices by brokering YANG push
   telemetry via SACM statements.
   The basic steps are:

   o  use the YANG push mechanism [I-D.ietf-netconf-yang-push] to
      collect the created streams of notifications (telemetry)
      [I-D.ietf-netconf-subscribed-notifications] providing SACM
      content on the SACM data plane; the filter expressions used in
      the context of YANG subscriptions constitute SACM content that is
      imperative guidance consumed by SACM components on the SACM
      management plane;

   o  then encapsulate the above YANG push output in a SACM Content
      Element envelope, which is in turn encapsulated in a SACM
      statement envelope;

   o  lastly, publish the SACM statement into a SACM domain via an
      xmpp-grid publisher.

   In this document, we follow the same approach as
   [I-D.ietf-birkholz-sacm-yang-content] to define the YANG output for
   the network infrastructure device security baseline posture, based
   on the SACM information model definition
   [I-D.ietf-sacm-information-model].

1.4.  Summary

   The following contents propose part of the security baseline YANG
   output for network infrastructure devices: the data plane security
   baseline.  The companion documents
   [I-D.ietf-dong-sacm-nid-cp-security-baseline],
   [I-D.ietf-lin-sacm-nid-mp-security-baseline] and
   [I-D.ietf-xia-sacm-nid-app-infr-layers-security-baseline] cover the
   other parts of the security baseline YANG output for network
   infrastructure devices respectively: the control plane security
   baseline, the management plane security baseline, and the
   application layer and infrastructure layer security baseline.

2.  Terminology

2.1.  Key Words

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.2.  Definition of Terms

   This document uses the terms defined in
   [I-D.draft-ietf-sacm-terminology].

3.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is as
   follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" and "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  Data Model Structure

   A network infrastructure device decides the forwarding path based on
   the IP/MAC address and sends the packet on the data plane.  The NP
   or ASIC are the main components for the data plane functions.

   This section describes the key data plane security baseline of the
   network infrastructure devices, and defines their specific data
   models.

4.1.  Layer 2 Protection

   The MAC table is the key resource for layer 2 forwarding, and it is
   easily attacked by making the device learn massive numbers of
   invalid MAC addresses.  The MAC limit function protects the MAC
   table by limiting the maximum number of MAC addresses learned on
   designated interfaces.  When the upper limit is reached, the MAC
   address is not learned and the packet is discarded, and an alarm may
   be generated.

   If broadcast traffic is not suppressed in a layer 2 network (i.e.,
   Ethernet), a great amount of network bandwidth is consumed by
   broadcast traffic.
   Network performance is degraded and communication may even be
   interrupted.  In such a case, configuring broadcast traffic
   suppression on the device ensures that some bandwidth can be
   reserved for unicast traffic forwarding when broadcast traffic
   bursts across the network.  The device can flexibly be configured to
   suppress broadcast, multicast and unknown unicast traffic on an
   interface, on a specified interface in a VLAN, on a sub-interface,
   and over a virtual switch instance (VSI) pseudo wire (PW).

   module: ietf-mac-limit
     +--rw mac
        +--rw mac-limit-rules
        |  +--rw mac-limit-rule* [rule-name]
        |     +--rw rule-name    string
        |     +--rw maximum      uint32
        |     +--rw rate?        uint16
        |     +--rw action?      mac-limit-forward
        |     +--rw alarm?       mac-enable-status
        +--rw vlan-mac-limits
        |  +--rw vlan-mac-limit* [vlan-id]
        |     +--rw vlan-id      mac-vlan-id
        |     +--rw maximum      uint32
        |     +--rw rate?        uint16
        |     +--rw action?      mac-limit-forward
        |     +--rw alarm?       mac-enable-status
        +--rw vsi-mac-limits
        |  +--rw vsi-mac-limit* [vsi-name]
        |     +--rw vsi-name         string
        |     +--rw maximum          uint32
        |     +--rw rate?            uint16
        |     +--rw action?          mac-limit-forward
        |     +--rw alarm?           mac-enable-status
        |     +--rw up-threshold     uint8
        |     +--rw down-threshold   uint8
        +--rw bd-mac-limits
        |  +--rw bd-mac-limit* [bd-id]
        |     +--rw bd-id        uint32
        |     +--rw maximum      uint32
        |     +--rw rate?        uint16
        |     +--rw action?      mac-limit-forward
        |     +--rw alarm?       mac-enable-status
        +--rw pw-mac-limits
        |  +--rw pw-mac-limit* [vsi-name pw-name]
        |     +--rw vsi-name     string
        |     +--rw pw-name      string
        |     +--rw maximum      uint32
        |     +--rw rate?        uint16
        |     +--rw action?      mac-limit-forward
        |     +--rw alarm?       mac-enable-status
        +--rw if-mac-limits
        |  +--rw if-mac-limit* [if-name limit-type]
        |     +--rw if-name      string
        |     +--rw limit-type   limit-type
        |     +--rw rule-name?   -> /mac/mac-limit-rules/mac-limit-rule/rule-name
        |     +--rw maximum      uint32
        |     +--rw rate?        uint16
        |     +--rw action?      mac-limit-forward
        |     +--rw alarm?       mac-enable-status
        +--rw if-vlan-mac-limits
        |  +--ro if-vlan-mac-limit* [if-name vlan-begin limit-type]
        |     +--ro if-name      string
        |     +--ro vlan-begin   mac-vlan-id
        |     +--ro vlan-end?    mac-vlan-id
        |     +--ro limit-type   limit-type
        |     +--ro rule-name?   -> /mac/mac-limit-rules/mac-limit-rule/rule-name
        |     +--ro maximum      uint32
        |     +--ro rate         uint16
        |     +--ro action?      mac-limit-forward
        |     +--ro alarm?       mac-enable-status
        +--rw subif-mac-limits
        |  +--rw subif-mac-limit* [if-name limit-type]
        |     +--rw if-name      string
        |     +--rw limit-type   limit-type
        |     +--ro vsi-name     string
        |     +--rw rule-name    string
        |     +--rw maximum      uint32
        |     +--rw rate?        uint16
        |     +--rw action?      mac-limit-forward
        |     +--rw alarm?       mac-enable-status
        +--rw vsi-storm-supps
        |  +--rw vsi-storm-supp* [vsi-name suppress-type]
        |     +--rw vsi-name        string
        |     +--rw suppress-type   suppress-type
        |     +--rw cir?            uint64
        |     +--rw cbs?            uint64
        +--rw vlan-storm-supps
        |  +--rw vlan-storm-supp* [vlan-id suppress-type]
        |     +--rw vlan-id         mac-vlan-id
        |     +--rw suppress-type   suppress-type
        |     +--rw cir?            uint64
        |     +--rw cbs?            uint64
        +--rw sub-if-suppresss
        |  +--rw sub-if-suppress* [if-name suppress-type direction]
        |     +--rw if-name         string
        |     +--rw suppress-type   suppress-type
        |     +--rw direction       direction-type
        |     +--rw cir?            uint64
        |     +--rw cbs?            uint64
        +--rw pw-suppresss
        |  +--rw pw-suppress* [vsi-name pw-name suppress-type]
        |     +--rw vsi-name        string
        |     +--rw pw-name         string
        |     +--rw suppress-type   suppress-type
        |     +--rw cir?            uint64
        |     +--rw cbs?            uint64
        +--rw vsi-in-suppressions
        |  +--rw vsi-in-suppression* [vsi-name]
        |     +--rw vsi-name        string
        |     +--rw inbound-supp?   mac-enable-status
        +--rw vsi-out-suppressions
        |  +--rw vsi-out-suppression* [vsi-name]
        |     +--rw vsi-name          string
        |     +--rw out-bound-supp?   mac-enable-status
        +--rw vsi-suppresss
        |  +--rw vsi-suppress* [sub-if-name]
        |     +--rw vsi-name             string
        |     +--rw sub-if-name          string
        |     +--rw is-enable?           boolean
        |     +--rw suppress-type?       suppress-style
        |     +--rw broadcast?           uint32
        |     +--rw broadcast-percent?   uint32
        |     +--rw unicast?             uint32
        |     +--rw unicast-percent?     uint32
        |     +--rw multicast?           uint32
        |     +--rw multicast-percent?   uint32
        +--rw vsi-total-numbers
        |  +--ro vsi-total-number* [vsi-name slot-id mac-type]
        |     +--ro vsi-name   string
        |     +--ro slot-id    string
        |     +--ro mac-type   mac-type
        |     +--ro number     uint32
        +--rw if-storm-supps
        |  +--rw if-storm-supp* [if-name suppress-type]
        |     +--rw if-name         string
        |     +--rw suppress-type   suppress-type
        |     +--rw percent?        uint64
        |     +--rw packets?        uint64
        |     +--rw cir?            uint64
        |     +--rw cbs?            uint64
        +--rw if-storm-blocks
        |  +--rw if-storm-block* [if-name block-type direction]
        |     +--rw if-name      string
        |     +--rw block-type   suppress-type
        |     +--rw direction    direction-type
        +--rw if-storm-contrls
           +--rw if-storm-contrl* [if-name]
              +--rw if-name        string
              +--rw action?        storm-ctrl-action-type
              +--rw trap-enable?   enable-type
              +--rw log-enable?    enable-type
              +--rw interval?      uint64
              +--rw if-packet-contrl-attributes
              |  +--rw if-packet-contrl-attribute* [packet-type]
              |     +--rw packet-type   storm-ctrl-type
              |     +--rw rate-type?    storm-ctrl-rate-type
              |     +--rw min-rate      uint32
              |     +--rw max-rate      uint64
              +--rw ifstorm-contrl-infos
                 +--ro ifstorm-contrl-info* [packet-type]
                    +--ro packet-type         storm-ctrl-type
                    +--ro punish-status?      storm-ctrl-action-type
                    +--ro last-punish-time?   string
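   The following is an added example, not code from the draft or from
   any implementation of it.  It models the two behaviours Section 4.1
   describes and the ietf-mac-limit tree names: a per-interface MAC
   learning limit with the maximum/action/alarm leaves, and storm
   suppression of broadcast, multicast and unknown-unicast frames as a
   token bucket parameterised by cir and cbs.  The class and field
   names are assumptions chosen to mirror the tree, the unit
   interpretation of cir (bits per second) and cbs (bytes) is an
   assumption, and the frame sequence in demo() is constructed.

```python
"""Added example (not the draft's code): MAC-learning limit and storm
suppression as Section 4.1 describes them.  Names are assumptions modelled
on the ietf-mac-limit tree; cir is taken as bits/s and cbs as bytes."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class MacLimiter:
    """MAC table of one interface under a mac-limit rule: at most `maximum`
    learned addresses, then `action` (discard/forward) and an optional alarm."""
    maximum: int
    action: str = "discard"                 # mac-limit-forward
    alarm: bool = True                      # mac-enable-status
    table: Dict[str, float] = field(default_factory=dict)   # mac -> learn time
    alarms: List[str] = field(default_factory=list)

    def process(self, src_mac: str, now: float) -> str:
        """'known', 'learned', or when full: 'discarded' / 'forwarded' (unlearned)."""
        if src_mac in self.table:
            return "known"
        if len(self.table) < self.maximum:
            self.table[src_mac] = now
            return "learned"
        if self.alarm:
            self.alarms.append(f"mac-limit reached: {self.maximum} entries")
        return "discarded" if self.action == "discard" else "forwarded"


@dataclass
class StormSuppressor:
    """Token bucket for one suppress-type on one interface: refilled at cir,
    at most cbs deep, so sustained traffic above cir is dropped."""
    cir: int                                # bits per second (assumed unit)
    cbs: int                                # bytes (assumed unit)
    tokens: float = field(init=False)
    last: float = 0.0
    dropped: int = 0

    def __post_init__(self) -> None:
        self.tokens = float(self.cbs)

    def admit(self, frame_len: int, now: float) -> bool:
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.cir / 8)
        self.last = now
        if frame_len <= self.tokens:
            self.tokens -= frame_len
            return True
        self.dropped += 1
        return False


def classify(dst_mac: str, table: Dict[str, float]) -> Optional[str]:
    """Suppression class of a frame; None means known unicast (never suppressed)."""
    if dst_mac.lower() == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(dst_mac.split(":")[0], 16) & 1:  # group bit set
        return "multicast"
    return None if dst_mac in table else "unknown-unicast"


def forward_frames(frames: List[Tuple[str, str, int, float]], limiter: MacLimiter,
                   suppressors: Dict[str, StormSuppressor]) -> Dict[str, int]:
    """Pass (src, dst, length, time) frames through the MAC limit, then through
    the suppressor configured for their class; returns per-verdict counts."""
    counts = {"forwarded": 0, "mac-limit-drop": 0, "storm-drop": 0}
    for src, dst, length, t in frames:
        if limiter.process(src, t) == "discarded":
            counts["mac-limit-drop"] += 1
            continue
        cls = classify(dst, limiter.table)
        supp = suppressors.get(cls) if cls else None
        if supp is not None and not supp.admit(length, t):
            counts["storm-drop"] += 1
            continue
        counts["forwarded"] += 1
    return counts


def demo() -> Dict[str, int]:
    """Constructed traffic: a 3-MAC limit, broadcast held to 8 kbit/s
    (1000 bytes/s) with a 1500-byte burst allowance."""
    limiter = MacLimiter(maximum=3)
    supp = {"broadcast": StormSuppressor(cir=8000, cbs=1500)}
    frames = [
        ("00:00:00:00:00:01", "ff:ff:ff:ff:ff:ff", 1000, 0.0),  # learned; bcast admitted
        ("00:00:00:00:00:02", "ff:ff:ff:ff:ff:ff", 1000, 0.1),  # learned; bucket empty
        ("00:00:00:00:00:03", "00:00:00:00:00:01", 500, 0.2),   # learned; known unicast
        ("00:00:00:00:00:04", "00:00:00:00:00:01", 500, 0.3),   # 4th MAC: discarded
        ("00:00:00:00:00:01", "ff:ff:ff:ff:ff:ff", 400, 1.5),   # bucket refilled
        ("00:00:00:00:00:02", "00:00:00:00:00:09", 100, 1.6),   # unknown unicast, no limit set
    ]
    counts = forward_frames(frames, limiter, supp)
    counts["alarms"] = len(limiter.alarms)
    counts["mac-entries"] = len(limiter.table)
    return counts
```

   The point the model makes visible is that the two mechanisms fail
   differently: the MAC limit stops the table from being filled by
   forged source addresses, while the token bucket bounds the share of
   link bandwidth that flooded broadcast can take without touching
   known-unicast traffic; an `action` of "forward" keeps forwarding
   frames from unlearned sources and only the alarm reports the
   condition.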
4.2.  ARP

   ARP security is a set of functions that protect the ARP protocol and
   networks against malicious attacks, so that network communication
   stays stable and important user information is protected.  It
   mainly includes:

   ARP anti-spoofing functions: protect devices against spoofed ARP
   attack packets, improving the security and reliability of network
   communication.

   ARP anti-flooding functions: relieve the CPU load and prevent ARP
   table overflow, ensuring normal network operation.

   module: ietf-arp-sec
     +--ro arp-sec
        +--ro arp-interfaces
        |  +--rw arp-interface* [if-name]
        |     +--rw if-name              -> /if:interfaces/if:interface/if:name
        |     +--rw arp-learn-disable?   boolean           // arp-learning-control
        |     +--rw arp-learn-strict?    arp-strict-learn  // arp-learning-control
        |     +--rw fake-expire-time?    uint32            // arp-fake-expire-time
        |     +--rw dst-mac-check?       boolean           // validate
        |     +--rw src-mac-check?       boolean           // validate
        +--rw sec-arp-grats
        |  +--rw sec-arp-grat* [if-name]
        |     +--rw if-name   -> /if:interfaces/if:interface/if:name
        +--rw sec-arp-chk-ip-ens
        |  +--rw sec-arp-chk-ip-en* [if-name]
        |     +--rw if-name   -> /if:interfaces/if:interface/if:name
        +--rw sec-arp-mac-ills
        |  +--rw sec-arp-mac-ill* [if-name]
        |     +--rw if-name   -> /if:interfaces/if:interface/if:name
        +--rw sec-arp-req-no-blks
        |  +--rw sec-arp-req-no-blk* [if-name]
        |     +--rw if-name   -> /if:interfaces/if:interface/if:name
        +--ro sec-dis-arp-chks
        |  +--ro sec-dis-arp-chk* [sec-slot-id sec-chk-type]
        |     +--ro sec-slot-id        -> /devm:devm/lpu-boards/lpu-board/position
        |     +--ro sec-chk-type       cpudefend-arp-attack-type
        |     +--ro sec-total-pkts?    uint64
        |     +--ro sec-passed-pkts?   uint64
        |     +--ro sec-droped-pkts?   uint64
        +--ro arp-if-limits                                // arp-table-limit
        |  +--rw arp-if-limit* [if-name vlan-id]
        |     +--rw if-name        -> /if:interfaces/if:interface/if:name
        |     +--rw vlan-id        uint16
        |     +--rw limit-num      uint32
        |     +--ro learned-num?   uint32
        +--ro arp-speed-limits                             // arp-speed-limit
        |  +--rw arp-speed-limit* [slot-id suppress-type ip-type]
        |     +--rw slot-id          string
        |     +--rw suppress-type    enumeration
        |     +--rw ip-type          enumeration
        |     +--rw suppress-value   uint32
        +--ro arp-global-speed-limits                      // arp-speed-limit
           +--rw arp-gspeed-limit* [g-suppress-type g-ip-type]
              +--rw g-suppress-type    arp-supp-type
              +--rw g-ip-type          arp-supp-ip-type
              +--rw g-port-type?       enumeration
              +--rw g-suppress-value   uint32

4.3.  URPF

   Unicast Reverse Path Forwarding (URPF) is a technology used to defend
   against network attacks based on source address spoofing.  Generally,
   upon receiving a packet, a router first obtains the destination IP
   address of the packet and then searches the forwarding table for a
   route to the destination address.  If the router finds such a route,
   it forwards the packet; otherwise, it discards the packet.  A URPF-
   enabled router additionally obtains the source IP address of a
   received packet and searches for a route to the source address.  If
   the router fails to find such a route, it considers the source
   address forged and discards the packet.  In this manner, URPF can
   effectively protect against malicious attacks that are launched by
   changing the source addresses of packets.

   URPF can be performed in strict or loose mode.  Strict mode checks
   both that a route to the source address exists in the routing table
   and that the route's interface is consistent with the interface the
   packet arrived on, while loose mode only checks whether the source
   address is in the routing table.  In some cases, the router may have
   only a default route to the router of the ISP.  Therefore, matching
   the default route entry needs to be supported.
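   As an added illustration of the strict, loose and allow-default
   semantics just described (example code, not the draft's own and not
   tied to any vendor implementation), the following performs a
   longest-prefix lookup on the source address and applies the three
   decisions in the order a URPF-enabled router would.  The routing
   table, interface names and test addresses are constructed sample
   data; the `mode` and `allow_default` parameters are assumptions
   mirroring the `mode?` and `allow-default?` leaves of the tree.

```python
"""Added example (not the draft's code): a Unicast RPF check with the strict
and loose modes and the allow-default option Section 4.3 describes.  The
routing table, interface names and addresses are constructed sample data."""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, interface through which the prefix is reached)
Route = Tuple[ipaddress.IPv4Network, str]


def lookup(fib: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, as the router's forwarding lookup does."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for net, ifname in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_check(fib: List[Route], src: str, ingress: str, mode: str = "strict",
               allow_default: bool = False) -> Tuple[bool, str]:
    """Decide whether a packet with source address `src` that arrived on
    `ingress` passes URPF; returns (accept, reason)."""
    route = lookup(fib, src)
    if route is None:                          # both modes: unroutable source
        return False, "no route to source"
    net, egress = route
    if net.prefixlen == 0 and not allow_default:
        return False, "source matched only the default route"
    if mode == "strict" and egress != ingress:  # strict: interface consistency
        return False, f"route to source is via {egress}, packet came in on {ingress}"
    return True, "ok"


def demo() -> List[bool]:
    """Constructed FIB: two directly reachable prefixes and a default route
    towards the ISP on eth2.  Returns the accept/reject verdict per case."""
    fib: List[Route] = [
        (ipaddress.ip_network("10.0.0.0/24"), "eth0"),
        (ipaddress.ip_network("192.0.2.0/24"), "eth1"),
        (ipaddress.ip_network("0.0.0.0/0"), "eth2"),
    ]
    cases = [
        # (src, ingress, mode, allow_default)
        ("10.0.0.5", "eth0", "strict", False),     # own prefix on the right interface
        ("10.0.0.5", "eth1", "strict", False),     # 10.0.0.5 must not arrive on eth1
        ("10.0.0.5", "eth1", "loose", False),      # loose: a route exists, accepted
        ("203.0.113.7", "eth2", "strict", False),  # only the default route matches
        ("203.0.113.7", "eth2", "strict", True),   # accepted once allow-default is set
        ("203.0.113.7", "eth0", "strict", True),   # Internet source on a customer port
        ("203.0.113.7", "eth0", "loose", True),    # loose + default: anything routable passes
    ]
    return [urpf_check(fib, *c)[0] for c in cases]
```

   The last two cases show why the mode matters: with allow-default,
   loose mode no longer rejects anything that has any route at all, so
   it only stops sources that are entirely unroutable, whereas strict
   mode still rejects packets whose source would be reached through a
   different interface.  Strict mode is therefore the stronger check,
   but it drops legitimate traffic on links with asymmetric routing.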
   URPF can be applied per interface, per defined traffic flow, and to
   traffic sent to the local CPU.

   module: ietf-urpf-sec
     +--ro urpf-sec
        +--rw interface-urpf* [ifname]
        |  +--rw ifname           if:interface-ref
        |  +--rw mode?            enumeration
        |  +--rw allow-default?   boolean
        augment "/policy:policies/policy:policy-entry"
                + "/policy:classifier-entry"
                + "/policy:classifier-action-entry-cfg":
        |  +--rw (action-cfg-params)?
        |     +--:(urpf)
        |        +--rw urpf-cfg
        |           +--rw check-type?      urpf-check-type
        |           +--rw allow-default?   boolean
        +--rw local-URPF
           +--rw cpu-defend-policy* [name]
              +--rw name            string
              +--rw description?    string
              +--rw urpf-mode       enumeration
              +--rw allow-default   boolean
              +--rw slot-id         uint16

   identity urpf {
     base policy:action-type;
     description
       "urpf action type";
   }

   grouping urpf {
     container urpf-cfg {
       leaf check-type {
         type urpf-check-type;
         description
           "urpf checking";
       }
       leaf allow-default {
         type qos-switch-flag;
         description
           "allow-default flag";
       }
       description
         "urpf container";
     }
     description
       "urpf grouping";
   }

   augment "/policy:policies" +
           "/policy:policy-entry" +
           "/policy:classifier-entry" +
           "/policy:classifier-action-entry-cfg" +
           "/diffserv:action-cfg-params" {
     case urpf {
       uses sec-ac:urpf;
       description
         "urpf action";
     }
   }

4.4.  DHCP Snooping

   DHCP, which is widely used on networks, dynamically assigns IP
   addresses to clients and manages configuration information in a
   centralized manner.  During DHCP packet forwarding, attacks may
   occur, such as bogus DHCP server attacks, DHCP exhaustion attacks,
   denial of service (DoS) attacks, and DHCP flooding attacks.

   DHCP snooping is a DHCP security feature that functions in a similar
   way to a firewall between DHCP clients and servers.
A DHCP-snooping- 602 capable device intercepts DHCP packets and uses information carried 603 in the packets to create a DHCP snooping binding table. This table 604 records hosts' MAC addresses, IP addresses, IP address lease time, 605 VLAN, and interface information. The device uses this table to check 606 the validity of received DHCP packets. If a DHCP packet does not 607 match any entry in this table, the device discards the packet. 609 Besides the binding table, DHCP snooping has other security features 610 such as trusted interface, max dhcp user limit and whitelist to 611 defend against the bogus DHCP server, DHCP flooding and other fine- 612 grained DHCP attacks. 614 module: ietf-dhcp-sec 615 +--rw dhcp 616 +--rw snooping 617 +--rw dhcp-snp-global 618 | +--rw dhcp-snp-enable? boolean 619 | +--rw server-detect-enable? boolean 620 | +--rw dhcp-snp-user-bind-auto-save-enable? boolean 621 | +--rw dhcp-snp-user-bind-file-name? string 622 | +--rw global-check-rate-enable? boolean 623 | +--rw dhcp-snp-global-rate? uint16 624 | +--rw check-rate-alarm-enable? boolean 625 | +--rw rate-threshold? uint16 626 | +--rw alarm-threshold? uint16 627 | +--ro rate-limit-packet-count? uint32 628 | +--rw dhcp-snp-user-offline-remove-mac? boolean 629 | +--rw dhcp-snp-arp-detect-enable? boolean 630 | +--rw dhcp-snp-global-max-user? uint16 631 | +--rw dhcp-snp-user-transfer-enable? 
                                              boolean
     +--rw dhcp-snp-vlans
     |  +--rw dhcp-snp-vlan* [vlan-id]
     |     +--rw vlan-id                        uint16
     |     +--rw dhcp-snp-enable                boolean
     |     +--rw check-rate-enable              boolean
     |     +--rw dhcp-snp-vlan-rate             uint32
     |     +--rw dhcp-snp-vlan-trust-enable     boolean
     |     +--rw check-arp-enable               boolean
     |     +--rw alarm-arp-enable               boolean
     |     +--rw alarm-arp-threshold            uint16
     |     +--rw check-ip-enable                boolean
     |     +--rw alarm-ip-enable                boolean
     |     +--rw alarm-ip-threshold             uint16
     |     +--rw alarm-reply-enable             boolean
     |     +--rw alarm-reply-threshold          uint16
     |     +--rw check-mac-enable               boolean
     |     +--rw alarm-mac-enable               boolean
     |     +--rw alarm-mac-threshold            uint16
     |     +--rw check-user-bind-enable         boolean
     |     +--rw alarm-user-bind-enable         boolean
     |     +--rw alarm-user-bind-threshold      uint16
     |     +--rw dhcp-snp-vlan-max-user-num     uint16
     |     +--rw alarm-user-limit-enable        boolean
     |     +--rw alarm-user-limit-threshold     uint16
     |     +--rw dhcp-snp-vlan-statistics
     |        +--ro drop-arp-pkt-cnt?                 uint32
     |        +--ro drop-ip-pkt-cnt?                  uint32
     |        +--ro drop-dhcp-req-cnt-by-bind-tbl?    uint32
     |        +--ro drop-dhcp-req-cnt-by-mac-check?   uint32
     |        +--ro drop-dhcp-reply-cnt?              uint32
     +--rw vlan-trust-interfaces
     |  +--rw vlan-trust-interface* [vlan-id if-name]
     |     +--rw vlan-id   uint16
     |     +--rw if-name   pub-type:if-name
     +--rw dhcp-snp-interfaces
     |  +--rw dhcp-snp-interface* [if-name]
     |     +--rw if-name                             pub-type:if-name
     |     +--rw dhcp-snp-enable                     boolean
     |     +--rw dhcp-snp-if-disable                 boolean
     |     +--rw dhcp-snp-if-trust-enable            boolean
     |     +--rw dhcp-snp-if-rate                    uint16
     |     +--rw check-rate-enable                   boolean
     |     +--rw alarm-rate-enable                   boolean
     |     +--rw alarm-rate-threshold                uint16
     |     +--rw check-arp-enable                    boolean
     |     +--rw alarm-arp-enable                    boolean
     |     +--rw alarm-arp-threshold                 uint16
     |     +--rw check-ip-enable                     boolean
     |     +--rw alarm-ip-enable                     boolean
     |     +--rw alarm-ip-threshold                  uint16
     |     +--rw alarm-reply-enable                  boolean
     |     +--rw alarm-reply-threshold               uint16
     |     +--rw check-mac-enable                    boolean
     |     +--rw alarm-mac-enable                    boolean
     |     +--rw alarm-mac-threshold                 uint16
     |     +--rw check-user-bind-enable              boolean
     |     +--rw alarm-user-bind-enable              boolean
     |     +--rw alarm-user-bind-threshold           uint16
     |     +--rw dhcp-snp-intf-max-user-num          uint32
     |     +--rw alarm-user-limit-enable             boolean
     |     +--rw alarm-user-limit-threshold          uint16
     |     +--rw dhcp-snp-interf-sticky-mac-enable   boolean
     |     +--rw dhcp-snp-if-statistics
     |        +--ro drop-arp-pkt-cnt?                uint32
     |        +--ro drop-ip-pkt-cnt?                 uint32
     |        +--ro pkt-cnt-drop-by-user-bind?       uint32
     |        +--ro pkt-cnt-drop-by-mac?             uint32
     |        +--ro pkt-cnt-drop-by-untrust-reply?   uint32
     |        +--ro pkt-cnt-drop-by-rate?            uint32
     +--rw dhcp-snp-dyn-bind-tbls
     |  +--ro dhcp-snp-dyn-bind-tbl* [ip-address outer-vlan inner-vlan vsi-name vpn-name bridge-domain]
     |     +--ro ip-address      pub-type:ipv4address
     |     +--ro outer-vlan      uint16
     |     +--ro inner-vlan      uint16
     |     +--ro vsi-name        string
     |     +--ro vpn-name        string
     |     +--ro bridge-domain   uint32
     |     +--ro mac-address?    pub-type:mac-address
     |     +--ro if-name?        pub-type:if-name
     |     +--ro lease?          yang:date-and-time
     +--rw dhcp-snp-vlan-ifs
     |  +--rw dhcp-snp-vlan-if* [vlan-id if-name]
     |     +--rw vlan-id                         uint16
     |     +--rw if-name                         pub-type:if-name
     |     +--rw dhcp-snp-enable                 boolean
     |     +--rw trust-flag                      boolean
     |     +--rw check-arp-enable                boolean
     |     +--rw alarm-arp-enable                boolean
     |     +--rw alarm-arp-threshold             uint32
     |     +--rw check-ip-enable                 boolean
     |     +--rw alarm-ip-enable                 boolean
     |     +--rw alarm-ip-threshold              uint32
     |     +--rw alarm-reply-enable              boolean
     |     +--rw alarm-reply-threshold           uint32
     |     +--rw check-chaddr-enable             boolean
     |     +--rw alarm-chaddr-enable             boolean
     |     +--rw alarm-chaddr-threshold          uint32
     |     +--rw check-req-enable                boolean
     |     +--rw alarm-req-enable                boolean
     |     +--rw alarm-req-threshold             uint32
     |     +--rw dhcp-snp-vlan-if-max-user-num   uint32
     |     +--rw alarm-user-limit-enable         boolean
     |     +--rw alarm-user-limit-threshold      uint32
     |     +--rw dhcp-snp-vlan-if-statistics
     |        +--ro drop-arp-pkt-cnt?                 uint32
     |        +--ro drop-ip-pkt-cnt?                  uint32
     |        +--ro drop-dhcp-req-cnt-by-bind-tbl?    uint32
     |        +--ro drop-dhcp-req-cnt-by-mac-check?   uint32
     |        +--ro drop-dhcp-reply-cnt?              uint32
     +--rw if-static-bind-tbls
     |  +--rw if-static-bind-tbl* [if-name ip-address vlan-id ce-vlan-id]
     |     +--rw if-name        pub-type:if-name
     |     +--rw ip-address     pub-type:ip-address
     |     +--rw vlan-id        uint16
     |     +--rw ce-vlan-id     uint16
     |     +--rw mac-address?   pub-type:mac-address
     +--rw vlan-static-bind-tbls
     |  +--rw vlan-static-bind-tbl* [vlan-id ip-address ce-vlan-id]
     |     +--rw vlan-id        uint16
     |     +--rw ip-address     pub-type:ip-address
     |     +--rw ce-vlan-id     uint16
     |     +--rw mac-address?   pub-type:mac-address
     |     +--rw if-name?       pub-type:if-name
     +--rw dhcp-snp-bds
     |  +--rw dhcp-snp-bd* [bd-id]
     |     +--rw bd-id                         uint32
     |     +--rw dhcp-snp-enable?              boolean
     |     +--rw dhcp-snp-trust?               boolean
     |     +--rw check-arp-enable?             boolean
     |     +--rw alarm-arp-enable?             boolean
     |     +--rw alarm-arp-threshold?          uint32
     |     +--rw check-ip-enable?              boolean
     |     +--rw alarm-ip-enable?              boolean
     |     +--rw alarm-ip-threshold?           uint32
     |     +--rw alarm-reply-enable?           boolean
     |     +--rw alarm-reply-threshold?        uint32
     |     +--rw check-mac-enable?             boolean
     |     +--rw alarm-mac-enable?             boolean
     |     +--rw alarm-mac-threshold?          uint32
     |     +--rw check-request-enable?         boolean
     |     +--rw alarm-request-enable?         boolean
     |     +--rw alarm-request-threshold?      uint32
     |     +--rw max-user-num?                 uint32
     |     +--rw alarm-user-limit-enable?      boolean
     |     +--rw alarm-user-limit-threshold?   uint32
     |     +--rw statistics
     |        +--ro drop-arp-pkt-cnt?                 uint32
     |        +--ro drop-ip-pkt-cnt?                  uint32
     |        +--ro drop-dhcp-req-cnt-by-bind-tbl?    uint32
     |        +--ro drop-dhcp-req-cnt-by-mac-check?   uint32
     |        +--ro drop-dhcp-reply-cnt?              uint32
     +--rw bd-static-bind-tbls
     |  +--rw global-bd-static-bind-tbl* [bd-id ip-address pe-vlan ce-vlan]
     |     +--rw bd-id          uint32
     |     +--rw ip-address     pub-type:ipv4address
     |     +--rw mac-address?   pub-type:mac-address
     |     +--rw pe-vlan        uint16
     |     +--rw ce-vlan        uint16
     +--rw dhcp-snp-white-lists
        +--rw dhcp-snp-white-list* [wht-lst-name]
           +--rw wht-lst-name   string
           +--rw apply-flag     boolean
           +--rw dhcp-snp-white-rules
              +--rw dhcp-snp-white-rule* [rule-id]
                 +--rw rule-id     uint16
                 +--rw src-ip?     inet:ipv4-address-no-zone
                 +--rw src-mask?   inet:ipv4-address-no-zone
                 +--rw dst-ip?     inet:ipv4-address-no-zone
                 +--rw dst-mask?   inet:ipv4-address-no-zone
                 +--rw src-port?   dhcp-snp-port
                 +--rw dst-port?   dhcp-snp-port

4.5.  CPU Protection

   A network device may have a large number of packets destined to its
   CPU, or malicious packets may be sent deliberately to attack the
   device CPU.  If the CPU receives excessive packets, it becomes
   overloaded and can only support normal services with very poor
   performance; in extreme cases, the system fails.
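   The CPU protection mechanism this section describes (classify
   packets punted to the CPU into a whitelist, a blacklist and user-
   defined flows, rate-limit each channel with CAR, and alarm on the
   drop rate) can be exercised with a small simulator.  The Python
   below is an added example; it is not code from this draft or from
   any implementation of it.  Its assumptions: ACLs are modelled as
   constructed sets of source addresses, CAR cir/cbs are taken in
   packets per second and packets, the alarm-drop-rate threshold is
   read as "dropped packets per interval", and the port-to-protocol
   mapping is constructed for the example.  Names in comments refer to
   leaves of the ietf-cpu-defend tree shown later in this section.

```python
"""Simulation of a cpu-defend policy: classification, per-rule CAR, alarm.

Added example, not the draft's code. Packets, ACLs and rates are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Car:
    """Committed access rate as a token bucket (CARAttr/cir, CARAttr/cbs)."""
    cir: float                                   # packets per second (assumed unit)
    cbs: float                                   # burst size in packets (assumed unit)
    tokens: float = field(init=False)            # current bucket level
    last: float = field(init=False, default=0.0)  # time of the last refill

    def __post_init__(self):
        self.tokens = self.cbs                   # bucket starts full

    def admit(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.cir)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Packet:
    """Constructed minimal view of a punted packet (a real device parses the frame)."""
    t: float                 # arrival time in seconds
    src: str
    proto: str               # "tcp", "udp" or "icmp"
    dport: int = 0
    syn_only: bool = False   # TCP with only the SYN flag set
    fragment: bool = False


@dataclass
class Policy:
    """Stand-in for one cpu-defend-policy entry."""
    white_list: set          # addresses matched by white-list-acl-number (constructed ACL)
    black_list: set          # addresses matched by black-list-acl-number
    user_flows: dict         # flow-id -> addresses matched by user-defined-flow/acl-number
    rules: dict              # rule key -> Car, one per cpu-defend-rule; "default" catches the rest
    total: Car               # the total-packet rule: the single channel into the CPU
    alarm_threshold: int     # alarm-drop-rate/threshold, read as drops per interval (assumption)
    alarm_interval: float    # alarm-drop-rate/interval in seconds


# Constructed mapping onto the protocol-type values named in the tree.
PROTOCOL_PORTS = {21: "ftp-server", 22: "ssh-server", 161: "snmp"}


def classify(pkt: Packet, policy: Policy) -> str:
    """Pick the cpu-defend-rule for a packet that is not blacklisted.

    Order follows the countermeasures: whitelist and user-defined flows first,
    then named protocols, then the generic TCP/IP packet classes (tcp-ip-type).
    """
    if pkt.src in policy.white_list:
        return "whitelist"
    for flow_id, members in policy.user_flows.items():
        if pkt.src in members:
            return f"user-defined-flow:{flow_id}"
    if pkt.proto in ("tcp", "udp") and pkt.dport in PROTOCOL_PORTS:
        return f"protocol-name:{PROTOCOL_PORTS[pkt.dport]}"
    if pkt.fragment:
        return "tcp-ip-type:fragment"
    if pkt.proto == "tcp" and pkt.syn_only:
        return "tcp-ip-type:tcpsyn"
    return "tcp-ip-type:na"                      # unmatched traffic uses the default channel


def police(packets, policy: Policy):
    """Return per-rule counters (like seccarstat's passed/dropped) and alarm events."""
    stats = defaultdict(lambda: {"total": 0, "pass": 0, "drop": 0})
    drops_in_window = defaultdict(int)
    alarms = []
    for pkt in sorted(packets, key=lambda p: p.t):
        if pkt.src in policy.black_list:
            rule, admitted = "blacklist", False    # blacklist: dropped before any CAR
        else:
            rule = classify(pkt, policy)
            car = policy.rules.get(rule) or policy.rules["default"]
            # A packet must pass its own channel and the total-packet channel.
            admitted = car.admit(pkt.t) and policy.total.admit(pkt.t)
        stats[rule]["total"] += 1
        stats[rule]["pass" if admitted else "drop"] += 1
        if not admitted:
            window = (rule, int(pkt.t // policy.alarm_interval))
            drops_in_window[window] += 1
            if drops_in_window[window] == policy.alarm_threshold:
                alarms.append(window)            # one alarm per rule and interval
    return dict(stats), alarms


def demo():
    """Constructed traffic: a whitelisted SSH client, a SYN burst, a blacklisted host."""
    policy = Policy(
        white_list={"10.0.0.5"}, black_list={"192.0.2.66"}, user_flows={1: {"10.0.1.7"}},
        rules={"whitelist": Car(cir=100, cbs=50), "user-defined-flow:1": Car(cir=20, cbs=10),
               "protocol-name:ssh-server": Car(cir=10, cbs=5),
               "tcp-ip-type:tcpsyn": Car(cir=5, cbs=5), "default": Car(cir=2, cbs=2)},
        total=Car(cir=1000, cbs=1000), alarm_threshold=20, alarm_interval=1.0)
    packets = [Packet(t=i * 0.01, src="10.0.0.5", proto="tcp", dport=22) for i in range(10)]
    packets += [Packet(t=i * 0.001, src="198.51.100.9", proto="tcp", dport=8080, syn_only=True)
                for i in range(30)]              # only the cbs=5 burst gets through
    packets += [Packet(t=0.5 + i * 0.01, src="192.0.2.66", proto="udp", dport=53) for i in range(3)]
    return police(packets, policy)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

   In the constructed run the SYN burst exhausts its channel after the
   committed burst (5 of 30 admitted) and trips the alarm for that rule
   in the first interval, while whitelisted management traffic is
   unaffected because it is policed on its own channel.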
   More specifically, services are negatively affected when the CPU is
   attacked for the following reasons:

   o  Valid protocol packets are not distinguished from invalid protocol
      packets.  The CPU is busy processing a large number of invalid
      protocol packets.  Consequently, the CPU usage rises sharply and
      valid packets cannot be processed properly.

   o  Packets of some protocols are sent to the CPU through the same
      channel.  When excessive packets of one protocol type block the
      channel, the transmission of the other protocols' packets is
      affected.

   o  The bandwidth of a channel is not set appropriately.  When an
      attack occurs, processing of protocol packets on other channels is
      affected.

   Accordingly, the following countermeasures can be taken by the
   network device for CPU protection:

   o  Collect and classify the protocols related to the various services
      running on the equipment.

   o  Use ACLs to filter the packets.  Valid protocol packets are put
      into the whitelist and a user-defined flow; other packets are put
      into the blacklist.

   o  Plan the priorities, channel bandwidth, packet length, and alarm
      function of the preceding three lists.

   o  Disable services that are not deployed on the equipment, and
      control the total forwarding bandwidth.

   In this manner, the number of packets sent to the CPU is under
   control, and bandwidth is ensured preferentially for services with
   higher priorities.  In addition, CPU overload is prevented and an
   alarm is generated when an attack occurs.

   module: ietf-cpu-defend
     +--rw cpu-defend
        +--rw cpu-defend-policys
        |  +--rw cpu-defend-policy* [policy-id]
        |     +--rw policy-id                uint32
        |     +--rw description?             string
        |     +--rw white-list-acl-number?   uint32
        |     +--rw black-list-acl-number?   uint32
        |     +--rw user-defined-flows
        |     |  +--rw user-defined-flow* [flow-id]
        |     |     +--rw flow-id      uint32
        |     |     +--rw acl-number   uint32
        |     +--rw cpu-defend-rules
        |        +--rw cpu-defend-rule* [rule-type pkt-index user-defined-flow-id protocol-name tcp-ip-name]
        |           +--rw rule-type               cpu-defend-rule-type   // [total-packet | whitelist | blacklist | use-defined-flow | protocol-name | tcp-ip-type]
        |           +--rw pkt-index?              uint16
        |           +--rw user-defined-flow-id?   uint32
        |           +--rw protocol-name?          protocol-type   // [ftp-server | ssh-server | snmp | ... | na]
        |           +--rw tcp-ip-name?            tcp-iptype   // [tcpsyn | fragment | na]
        |           +--rw CARAttr
        |           |  +--rw cir?           uint32
        |           |  +--rw cbs?           uint32
        |           |  +--rw pir?           uint32
        |           |  +--rw pbs?           uint32
        |           |  +--rw min-pkt-len?   uint32
        |           |  +--rw pkt-rate?      uint32
        |           |  +--rw weight?        uint16
        |           +--rw priority?               priority-enum   // {high | middle | low | be | af1 | af2 | af3 | af4 | ef | cs6}
        |           +--rw alarm-drop-rate
        |              +--rw enable             boolean
        |              +--rw threshold?         uint32
        |              +--rw interval?          uint16
        |              +--rw speed-threshold?   uint32
        +--rw cpu-defend-policy-cfgs
        |  +--rw cpu-defend-policy-cfg* [slot-id-str]
        |     +--rw slot-id-str   -> /devm:devm/lpu-boards/lpu-board/position
        |     +--rw policy-id     -> /cpudefend/cpu-defend-policys/cpu-defend-policy/policy-id
        +--ro display-cars-confs
        |  +--ro display-cars-conf* [slot-id pkt-index]
        |     +--ro slot-id     string
        |     +--ro pkt-index   uint16
        |     +--ro cir?        uint32
        |     +--ro cbs?        uint32
        |     +--ro min-pkt?    uint32
        |     +--ro priority?   priority-enum
        |     +--ro desc?       protocol-type
        +--ro protocol-stats
        |  +--ro protocol-stat* [slot-id]
        |     +--ro slot-id           string
        |     +--ro protocol-enable   protocol-type   // {ftp-server | ssh-server | snmp | ...}
        |     +--ro default-act       protocol-enable-def-action   // {drop | min_to_cpu}
        |     +--ro default-cir       uint32
        |     +--ro default-cbs       uint32
        +--ro secnoncarstats
        |  +--ro secnoncarstat* [sec-slot-id sec-policy-type sec-policy-type-id]
        |     +--ro sec-slot-id           string
        |     +--ro sec-policy-type       cpudefend-no-car-policy-type
        |     +--ro sec-policy-type-id    cpudefend-sec-stat-type-id
        |     +--ro sec-sub-total-pkts?   uint64
        |     +--ro sec-sub-pass-pkts?    uint64
        |     +--ro sec-sub-drop-pkts?    uint64
        +--ro seccarstats
        |  +--ro seccarstat* [sec-slot-id sec-policy-type sec-policy-type-id]
        |     +--ro sec-slot-id           string
        |     +--ro sec-policy-type       cpudefend-policy-type
        |     +--ro sec-policy-type-id    uint32
        |     +--ro sec-app-enable?       boolean
        |     +--ro sec-app-def-act?      cpudefend-app-def-action
        |     +--ro sec-proto-enable?     boolean
        |     +--ro sec-passed-pkts?      uint64
        |     +--ro sec-droped-pkts?      uint64
        |     +--ro sec-cfg-cir?          uint32
        |     +--ro sec-cfg-cbs?          uint32
        |     +--ro sec-actual-cir?       uint32
        |     +--ro sec-actual-cbs?       uint32
        |     +--ro sec-priority?         cpudefend-priority
        |     +--ro sec-min-pkt-len?      uint32
        |     +--ro sec-acl-deny-pkts?    uint64
        |     +--ro sec-hist-pps?         uint64
        |     +--ro sec-hist-pps-time?    yang:date-and-time
        |     +--ro sec-last-pps?         uint64
        |     +--ro sec-last-drp-btime?   yang:date-and-time
        |     +--ro sec-last-drp-etime?   yang:date-and-time
        |     +--ro sec-ttl-drop-pkts?    uint64
        +--ro total-pkt-stats
        |  +--ro total-pkt-stat* [slot-id]
        |     +--ro slot-id      string
        |     +--ro total-pkt?   uint64
        |     +--ro pass-pkt?    uint64
        |     +--ro drop-pkt?    uint64
        +--rw hostcar-nodes
        |  +--rw hostcar-node* [slot-id host-car-type]
        |     +--rw slot-id           -> /devm:devm/lpu-boards/lpu-board/position
        |     +--rw host-car-type     host-car-type-enum   // {hostcar | http-hostcar | vlan-host-car}
        |     +--rw if-enable?        soc-if-enable
        |     +--rw cir?              uint32
        |     +--rw pir?              uint32
        |     +--rw cbs?              uint32
        |     +--rw pbs?              uint32
        |     +--rw drop-threshold?   uint32
        |     +--rw interval?         uint32
        +--ro host-car-stats
        |  +--ro host-car-stat* [slot-id host-car-type stat-type host-car-id http-host-car-id vlan-host-car-id]
        |     +--ro slot-id            -> /devm:devm/lpu-boards/lpu-board/position
        |     +--ro host-car-type      host-car-type-enum
        |     +--ro stat-type          stat-type-enum   // {car-id | all | auto-adjust | dropped | non-dropped | active}
        |     +--ro host-car-id        uint32
        |     +--ro http-host-car-id   uint32
        |     +--ro vlan-host-car-id   uint32
        |     +--ro passed-bytes?      uint64
        |     +--ro dropped-bytes?     uint64
        +--ro host-car-cfgs
           +--ro host-car-cfg* [slot-id]
              +--ro slot-id          string
              +--ro host-car-type?   host-car-type-enum
              +--ro default-cir?     uint32
              +--ro default-pir?     uint32
              +--ro default-cbs?     uint32
              +--ro default-pbs?     uint32
              +--ro actual-cir?      uint32
              +--ro actual-pir?      uint32
              +--ro actual-cbs?      uint32
              +--ro actual-pbs?      uint32
              +--ro droprate-en?     if-enable
              +--ro log-interval?    uint32
              +--ro log-threshold?   uint32

4.6.  TCP/IP Attack Defence

   Defense against TCP/IP attacks is applied to routers on the edge of
   the network, or to other routers that are easily attacked with
   illegal TCP/IP packets.  It protects the CPU of the router against
   malformed packets, fragmented packets, TCP SYN packets, and UDP
   packets, ensuring that normal services can still be processed.

   module: ietf-tcp-ip-attack-defence
     +--rw sec-anti-attack-enable
     |  +--rw anti-enable?         anti-attack-enable-cfg-type
     |  +--rw abnormal-enable?     anti-attack-enable-cfg-type
     |  +--rw udp-flood-enable?    anti-attack-enable-cfg-type
     |  +--rw tcp-syn-enable?      anti-attack-enable-cfg-type
     |  +--rw icmp-flood-enable?   anti-attack-enable-cfg-type
     |  +--rw fragment-enable?     anti-attack-enable-cfg-type
     +--rw sec-anti-attack-car-cfg
     |  +--rw cir-flag?   uint32
     |  +--rw cir-icmp?   uint32
     |  +--rw cir-tcp?    uint32
     +--rw sec-anti-attack-stats
        +--ro sec-anti-attack-stat* [attack-type]
           +--ro attack-type    anti-attack-type
           +--ro total-count?   uint64
           +--ro drop-count?    uint64
           +--ro pass-count?    uint64

5.  Network Infrastructure Device Security Baseline Yang Module

   file "ietf-mac-limit@2018-06-04.yang"

   module ietf-mac-limit {
     namespace "urn:ietf:params:xml:ns:yang:ietf-mac-limit";
     prefix mac-limit;

     organization
       "IETF SACM Working Group";
     contact
       "Liang Xia: Frank.xialiang@huawei.com;
        Guangying Zheng: Zhengguangying@huawei.com";
     description
       "MAC address limit.";

     revision 2018-06-04 {
       description
         "Init revision";
       reference "xxx.";
     }

     /*
      * Typedefs
      */
     typedef mac-limit-forward {
       type enumeration {
         enum "forward" {
           description "Forward.";
         }
         enum "discard" {
           description "Discard.";
         }
       }
       description "MAC Limit Forward";
     }
     typedef mac-enable-status {
       type enumeration {
         enum "enable" {
           description "Enable.";
         }
         enum "disable" {
           description "Disable.";
         }
       }
       description "MAC Enable Status";
     }
     typedef mac-vlan-id {
       type uint16 {
         range "1..4094";
       }
       description "MAC Vlan Id";
     }
     typedef mac-type {
       type enumeration {
         enum "static" {
           description "Static MAC address entry.";
         }
         enum "dynamic" {
           description "Dynamic MAC address entry.";
         }
         enum "black-hole" {
           description "Blackhole MAC address entry.";
         }
         enum "sticky" {
           description "Sticky MAC address entry.";
         }
         enum "security" {
           description "Security MAC address entry.";
         }
         enum "evn" {
           description "EVN MAC address entry.";
         }
         enum "mux" {
           description "MUX MAC address entry.";
         }
         enum "snooping" {
           description "SNOOPING MAC address entry.";
         }
         enum "tunnel" {
           description "TUNNEL MAC address entry.";
         }
         enum "authen" {
           description "AUTHEN MAC address entry.";
         }
       }
       description "MAC Type";
     }
     typedef suppress-type {
       type enumeration {
         enum "broadcast" {
           description "Broadcast.";
         }
         enum "multicast" {
           description "Multicast.";
         }
         enum "unknown-unicast" {
           description "Unknown unicast.";
         }
         enum "unicast" {
           description "Unicast.";
         }
       }
       description "Suppress Type";
     }
     typedef limit-type {
       type enumeration {
         enum "mac-limit" {
           description "Interface MAC rule limit.";
         }
         enum "mac-apply" {
           description "Interface MAC rule application.";
         }
       }
       description "Limit Type";
     }

     typedef mac-pw-encap-type {
       type enumeration {
         enum "ethernet" {
           description "Ethernet.";
         }
         enum "vlan" {
           description "VLAN.";
         }
       }
       description "MAC PW Encapsulation Type";
     }

     typedef suppress-style {
       type enumeration {
         enum "percent" {
           description "Percent.";
         }
         enum "absolute-value" {
           description "Absolute value.";
         }
       }
       description "Suppress Style";
     }

     typedef direction-type {
       type enumeration {
         enum "inbound" {
           description "Inbound.";
         }
         enum "outbound" {
           description "Outbound.";
         }
       }
       description "Direction Type";
     }

     typedef storm-ctrl-action-type {
       type enumeration {
         enum "normal" {
           description "Normal.";
         }
         enum "error-down" {
           description "Error down.";
         }
         enum "block" {
           description "Block.";
         }
         enum "suppress" {
           description "Suppress.";
         }
       }
       description "Storm Ctrl Action Type";
     }

     typedef enable-type {
       type enumeration {
         enum "disable" {
           description "Disable.";
         }
         enum "enable" {
           description "Enable.";
         }
       }
       description "Enable Type";
     }

     typedef storm-ctrl-type {
       type enumeration {
         enum "broadcast" {
           description "Broadcast.";
         }
         enum "multicast" {
           description "Multicast.";
         }
         enum "unicast" {
           description "Unicast.";
         }
         enum "unknown-unicast" {
           description "Unknown unicast.";
         }
       }
       description "Storm Ctrl Type";
     }

     typedef storm-ctrl-rate-type {
       type enumeration {
         enum "pps" {
           description "Packets per second.";
         }
         enum "percent" {
           description "Percent.";
         }
         enum "kbps" {
           description "Kilobits per second.";
         }
       }
       description "Storm Ctrl Rate Type";
     }

     container mac {
       description "MAC address forwarding.";
       container mac-limit-rules {
         description "Global MAC address learning limit rule.";
         list mac-limit-rule {
           key "rule-name";
           description "Global MAC address learning limit.";
           leaf rule-name {
             type string {
               length "1..31";
             }
             description "Global MAC address learning limit rule name.";
           }
           leaf maximum {
             type uint32 {
               range "0..131072";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description "Interval at which MAC addresses are learned.";
           }
           leaf action {
             type mac-limit-forward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number.";
           }
           leaf alarm {
             type mac-enable-status;
             default "enable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number.";
           }
         }
       }
       container vlan-mac-limits {
         description "VLAN MAC address limit list.";
         list vlan-mac-limit {
           key "vlan-id";
           description "VLAN MAC address limit.";
           leaf vlan-id {
             type mac-vlan-id;
             description "VLAN ID.";
           }
           leaf maximum {
             type uint32 {
               range "0..130048";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned in
                a VLAN.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval at which MAC addresses are learned in a VLAN.";
           }
           leaf action {
             type mac-limit-forward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number in a VLAN.";
           }
           leaf alarm {
             type mac-enable-status;
             default "enable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number in a
                VLAN.";
           }
         }
       }
       container vsi-mac-limits {
         description "VSI MAC address limit list.";
         list vsi-mac-limit {
           key "vsi-name";
           description "VSI MAC address limit.";
           leaf vsi-name {
             type string {
               length "1..31";
             }
             description "VSI name.";
           }
           leaf maximum {
             type uint32 {
               range "0..524288";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned in
                a VSI.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval at which MAC addresses are learned in a VSI.";
           }
           leaf action {
             type mac-limit-forward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number in a VSI.";
           }
           leaf alarm {
             type mac-enable-status;
             default "disable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number in a
                VSI.";
           }
           leaf up-threshold {
             type uint8 {
               range "80..100";
             }
             mandatory true;
             description "Upper limit for the number of MAC addresses.";
           }
           leaf down-threshold {
             type uint8 {
               range "60..100";
             }
             mandatory true;
             description "Lower limit for the number of MAC addresses.";
           }
         }
       }
       container bd-mac-limits {
         description "BD MAC address limit list.";
         list bd-mac-limit {
           key "bd-id";
           description "BD MAC address limit.";
           leaf bd-id {
             type uint32 {
               range "1..16777215";
             }
             description "Specifies the ID of a bridge domain.";
           }
           leaf maximum {
             type uint32 {
               range "0..130048";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned in
                a BD.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval at which MAC addresses are learned in a BD.";
           }
           leaf action {
             type mac-limit-forward;
             default "discard";
             description "Forward or discard the packet.";
           }
           leaf alarm {
             type mac-enable-status;
             default "enable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number.";
           }
         }
       }
       container pw-mac-limits {
         description "PW MAC address limit list.";
         list pw-mac-limit {
           key "vsi-name pw-name";
           description "PW MAC address limit.";
           leaf vsi-name {
             type string {
               length "1..31";
             }
             description "VSI name.";
           }
           leaf pw-name {
             type string {
               length "1..15";
             }
             description "PW name.";
           }
           leaf maximum {
             type uint32 {
               range "0..130048";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned in
                a PW.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval at which MAC addresses are learned in a PW.";
           }
           leaf action {
             type mac-limit-forward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number in a PW.";
           }
           leaf alarm {
             type mac-enable-status;
             default "enable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number in a
                PW.";
           }
         }
       }
       container if-mac-limits {
         description "Interface MAC address limit list.";
         list if-mac-limit {
           key "if-name limit-type";
           description "Interface MAC address limit.";
           leaf if-name {
             type string;
             description "Interface name.";
           }
           leaf limit-type {
             type limit-type;
             description "Interface MAC limit type.";
           }
           leaf rule-name {
             type leafref {
               path "/mac/mac-limit-rules/mac-limit-rule/rule-name";
             }
             description "Rule name.";
           }
           leaf maximum {
             type uint32 {
               range "0..131072";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned on
                an interface.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval (ms) at which MAC addresses are learned on an
                interface.";
           }
           leaf action {
             type mac-limit-forward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number on an interface.";
           }
           leaf alarm {
             type mac-enable-status;
             default "enable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number on an
                interface.";
           }
         }
       }
       container if-vlan-mac-limits {
         description "Interface + VLAN MAC address limit list.";
         list if-vlan-mac-limit {
           key "if-name vlan-begin limit-type";
           config false;
           description "Interface + VLAN MAC address limit.";
           leaf if-name {
             type string;
             description "Name of an interface.";
           }
           leaf vlan-begin {
             type mac-vlan-id;
             description "Start VLAN ID.";
           }
           leaf vlan-end {
             type mac-vlan-id;
             description "End VLAN ID.";
           }
           leaf limit-type {
             type limit-type;
             description "Interface MAC limit type.";
           }
           leaf rule-name {
             type leafref {
               path "/mac/mac-limit-rules/mac-limit-rule/rule-name";
             }
             description "Rule name.";
           }
           leaf maximum {
             type uint32 {
               range "0..131072";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned on
                an interface.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             mandatory true;
             description
               "Interval (ms) at which MAC addresses are learned on an
                interface.";
           }
           leaf action {
             type mac-limit-forward;
             default "discard";
             description "Discard or forward the packet.";
           }
           leaf alarm {
             type mac-enable-status;
             default "enable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number.";
           }
         }
       }
       container subif-mac-limits {
         description "Sub-interface MAC address limit list.";
         list subif-mac-limit {
           key "if-name limit-type";
           description "Sub-interface MAC address limit.";
           leaf if-name {
             type string;
             description "Name of a sub-interface.";
           }
           leaf limit-type {
             type limit-type;
             description "Sub-interface MAC limit type.";
           }
           leaf vsi-name {
             type string {
               length "1..36";
             }
             config false;
             mandatory true;
             description "VSI name, EVPN name or bridge domain ID.";
           }
           leaf rule-name {
             type string {
               length "1..31";
             }
             mandatory true;
             description "Rule name.";
           }
           leaf maximum {
             type uint32 {
               range "0..131072";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned on
                a sub-interface.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval (ms) at which MAC addresses are learned on a
                sub-interface.";
           }
           leaf action {
             type mac-limit-forward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number on a
                sub-interface.";
           }
           leaf alarm {
             type mac-enable-status;
             default "enable";
             description
               "Whether an alarm is generated after the number of
                learned MAC addresses reaches the maximum number on a
                sub-interface.";
           }
         }
       }
       container vsi-storm-supps {
         description "VSI Suppression List.";
         list vsi-storm-supp {
           key "vsi-name suppress-type";
           description "VSI Suppression.";
           leaf vsi-name {
             type string {
               length "1..31";
             }
             description "VSI name.";
           }
           leaf suppress-type {
             type suppress-type;
             description "Traffic suppression type.";
           }
           leaf cir {
             type uint64 {
               range "0..4294967295";
             }
             default "0";
             description "CIR value.";
           }
           leaf cbs {
             type uint64 {
               range "0..4294967295";
             }
             description "CBS value.";
           }
         }
       }
       container vlan-storm-supps {
         description "VLAN Suppression List.";
         list vlan-storm-supp {
           key "vlan-id suppress-type";
           description "VLAN Suppression.";
           leaf vlan-id {
             type mac-vlan-id;
             description "VLAN ID.";
           }
           leaf suppress-type {
             type suppress-type;
             description "Traffic suppression type.";
           }
           leaf cir {
             type uint64 {
               range "64..4294967295";
             }
             default "64";
             description "CIR value.";
           }
           leaf cbs {
             type uint64 {
               range "10000..4294967295";
             }
             description "CBS value.";
           }
         }
       }
       container sub-if-suppresss {
         description "Sub-interface traffic suppression list.";
         list sub-if-suppress {
           key "if-name suppress-type direction";
           description "Sub-Interface traffic suppression.";
           leaf if-name {
             type string;
             description "Sub-interface name.";
           }
           leaf suppress-type {
             type suppress-type;
             description "Suppression type.";
           }
           leaf direction {
             type direction-type;
             description "Suppression direction.";
           }
           leaf cir {
             type uint64 {
               range "0..4294967295";
             }
             default "0";
             description "CIR value.";
           }
           leaf cbs {
             type uint64 {
               range "0..4294967295";
             }
             description "CBS value.";
           }
         }
       }
       container pw-suppresss {
         description "PW traffic suppress list.";
         list pw-suppress {
           key "vsi-name pw-name suppress-type";
           description "PW traffic suppression.";
           leaf vsi-name {
             type string {
               length "1..31";
             }
             description "VSI name.";
           }
           leaf pw-name {
             type string {
               length "1..15";
             }
             description "PW name.";
           }
           leaf suppress-type {
             type suppress-type;
             description "Traffic suppression type.";
           }
           leaf cir {
             type uint64 {
               range "100..4294967295";
             }
             default "100";
             description "CIR value.";
           }
           leaf cbs {
             type uint64 {
               range "100..4294967295";
             }
             description "CBS value.";
           }
         }
       }

       container vsi-in-suppressions {
         description "VSI inbound traffic suppression list.";
         list vsi-in-suppression {
           key "vsi-name";
           description "VSI inbound traffic suppression.";
           leaf vsi-name {
             type string {
               length "1..31";
             }
             description "VSI name.";
           }
           leaf inbound-supp {
             type mac-enable-status;
             default "enable";
             description "Inbound suppression.";
           }
         }
       }
       container vsi-out-suppressions {
         description "VSI outbound traffic suppression list.";
         list vsi-out-suppression {
           key "vsi-name";
           description "VSI outbound traffic suppression.";
           leaf vsi-name {
             type string {
               length "1..31";
             }
             description "VSI name.";
           }
           leaf out-bound-supp {
             type mac-enable-status;
             default "enable";
             description "Outbound suppression.";
           }
         }
       }
       container vsi-suppresss {
         description "VSI traffic suppression list.";
         list vsi-suppress {
           key "sub-if-name";
           description "VSI traffic suppression.";
           leaf vsi-name {
             type string {
               length "1..31";
             }
             mandatory true;
             description "VSI name.";
           }
           leaf sub-if-name {
             type string;
             description "Sub-interface name.";
           }
           leaf is-enable {
             type boolean;
             default "true";
             description "Enable status.";
           }
           leaf suppress-type {
             type suppress-style;
             default "percent";
             description "Traffic suppression type.";
           }
           leaf broadcast {
             type uint32 {
               range "0..200000000";
             }
             default "64";
             description "Broadcast suppression (kbit/s).";
           }
           leaf broadcast-percent {
             type uint32 {
               range "0..100";
             }
             default "1";
             description "Broadcast suppression.";
           }
           leaf unicast {
             type uint32 {
               range "0..200000000";
             }
             default "64";
             description "Unknown unicast suppression (kbit/s).";
           }
           leaf unicast-percent {
             type uint32 {
               range "0..100";
             }
             default "1";
             description "Unknown unicast suppression.";
           }
           leaf multicast {
             type uint32 {
               range "0..200000000";
             }
             default "64";
             description "Multicast suppression (kbit/s).";
           }
           leaf multicast-percent {
             type uint32 {
               range "0..100";
             }
             default "1";
             description "Multicast suppression.";
           }
         }
       }
       container vsi-total-numbers {
         description "List of MAC address total numbers in a VSI.";
         list vsi-total-number {
           key "vsi-name slot-id mac-type";
           config false;
           description "Total number of MAC addresses in a VSI.";
           leaf vsi-name {
             type string {
               length "1..31";
             }
             description "VSI name.";
           }
           leaf slot-id {
             type string {
               length "1..24";
             }
             description "Slot ID.";
           }
           leaf mac-type {
             type mac-type;
             description "MAC address type.";
           }
           leaf number {
             type uint32;
             mandatory true;
             description "Number of MAC addresses.";
           }
         }
       }
       container if-storm-supps {
         description "Interface traffic suppression list.";
         list if-storm-supp {
           key "if-name suppress-type";
           description "Interface traffic suppression.";
           leaf if-name {
             type string;
             description "Name of an interface.";
           }
           leaf suppress-type {
             type suppress-type;
             description "Suppression type.";
           }
           leaf percent {
             type uint64 {
               range "0..99";
             }
             description "Percent.";
           }
           leaf packets {
             type uint64 {
               range "0..148810000";
             }
             description "Packets per second.";
           }
           leaf cir {
             type uint64 {
               range "0..100000000";
             }
             description "CIR (kbit/s).";
           }
           leaf cbs {
             type uint64 {
               range "10000..4294967295";
             }
             description "CBS (bytes).";
           }
         }
       }
       container if-storm-blocks {
         description "Interface traffic block list.";
         list if-storm-block {
           key "if-name block-type direction";
           description "Interface traffic block.";
           leaf if-name {
             type string;
             description "Name of an interface.";
           }
           leaf block-type {
             type suppress-type;
             description "Block type.";
           }
           leaf direction {
             type direction-type;
             description "Direction.";
           }
         }
       }
       container if-storm-contrls {
         description "Interface storm control list.";
         list if-storm-contrl {
           key "if-name";
           description "Interface storm control.";
           leaf if-name {
             type string;
             description "Name of an interface.";
           }
           leaf action {
             type storm-ctrl-action-type;
             default "normal";
             description "Action type.";
           }
           leaf trap-enable {
             type enable-type;
             default "disable";
             description "Trap state.";
           }
           leaf log-enable {
             type enable-type;
             default "disable";
             description "Log state.";
           }
           leaf interval {
             type uint64 {
               range "1..180";
             }
             default "5";
             description "Detect interval.";
           }
           container if-packet-contrl-attributes {
             description "Storm control rate list.";
             list if-packet-contrl-attribute {
               key "packet-type";
               description "Storm control rate.";
               leaf packet-type {
                 type storm-ctrl-type;
                 description "Packet type.";
               }
               leaf rate-type {
                 type storm-ctrl-rate-type;
                 default "pps";
                 description "Storm control rate type.";
               }
               leaf min-rate {
                 type uint32 {
                   range "1..148810000";
                 }
                 mandatory true;
                 description "Storm control min rate.";
               }
               leaf max-rate {
                 type uint64 {
                   range "1..148810000";
                 }
                 mandatory true;
                 description "Storm control max rate.";
               }
             }
           }
           container ifstorm-contrl-infos {
             description "Storm control info list.";
             list ifstorm-contrl-info {
               key "packet-type";
               config false;
               description "Storm control info.";
               leaf packet-type {
                 type storm-ctrl-type;
                 description "Packet type.";
               }
               leaf punish-status {
                 type storm-ctrl-action-type;
                 description "Storm control status.";
               }
               leaf last-punish-time {
                 type string {
                   length "1..50";
                 }
                 description "Last punish time.";
               }
             }
           }
         }
       }
     }
   }

6.  IANA Considerations

   This document makes no request of IANA.

   Note to RFC Editor: this section may be removed on publication as an
   RFC.

7.
Security Considerations 2211 To be added. 2213 8. Acknowledgements 2215 9. References 2217 9.1. Normative References 2219 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2220 Requirement Levels", BCP 14, RFC 2119, 2221 DOI 10.17487/RFC2119, March 1997, 2222 . 2224 9.2. Informative References 2226 [I-D.ietf-netconf-subscribed-notifications] 2227 Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and 2228 A. Tripathy, "Customized Subscriptions to a Publisher's 2229 Event Streams", draft-ietf-netconf-subscribed- 2230 notifications-12 (work in progress), April 2018. 2232 [I-D.ietf-netconf-yang-push] 2233 Clemm, A., Voit, E., Prieto, A., Tripathy, A., Nilsen- 2234 Nygaard, E., Bierman, A., and B. Lengyel, "YANG Datastore 2235 Subscription", draft-ietf-netconf-yang-push-16 (work in 2236 progress), May 2018. 2238 [I-D.ietf-sacm-information-model] 2239 Waltermire, D., Watson, K., Kahn, C., Lorenzin, L., Cokus, 2240 M., Haynes, D., and H. Birkholz, "SACM Information Model", 2241 draft-ietf-sacm-information-model-10 (work in progress), 2242 April 2017. 2244 Authors' Addresses 2246 Liang Xia 2247 Huawei 2249 Email: frank.xialiang@huawei.com 2251 Guangying Zheng 2252 Huawei 2254 Email: zhengguangying@huawei.com
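Added example, not part of the draft: a small Python check that applies the ranges, defaults, mandatory leaves and list keys stated in the if-storm-contrl part of the module above to a constructed instance, so a collector can reject storm-control configuration that violates the model before it is compared against a baseline. The interface names and the packet-type values "broadcast" and "multicast" are assumptions, since the typedefs are outside this excerpt.

```python
# Added example (not the draft's own code). Constraints below are copied
# from the if-storm-contrl list; packet-type values are assumed, because
# the storm-ctrl-type typedef is not part of this excerpt.

RANGES = {"interval": (1, 180), "min-rate": (1, 148810000),
          "max-rate": (1, 148810000)}               # YANG 'range' statements
LEAF_DEFAULTS = {"action": "normal", "trap-enable": "disable",
                 "log-enable": "disable", "interval": 5}   # YANG 'default'
ATTR_DEFAULTS = {"rate-type": "pps"}

def in_range(leaf, value):
    lo, hi = RANGES[leaf]
    return isinstance(value, int) and lo <= value <= hi

def validate_storm_control(entry):
    """Return (entry with defaults filled in, list of problem strings)."""
    problems = []
    cfg = dict(LEAF_DEFAULTS, **entry)            # fill module defaults
    if not cfg.get("if-name"):                    # if-name is the list key
        problems.append("if-name is the list key and must be present")
    if not in_range("interval", cfg["interval"]):
        problems.append("interval %r outside 1..180" % (cfg["interval"],))
    seen, attrs = set(), []
    for raw in entry.get("if-packet-contrl-attributes", []):
        attr = dict(ATTR_DEFAULTS, **raw)
        ptype = attr.get("packet-type")
        if ptype in seen:                         # packet-type is the list key
            problems.append("duplicate packet-type %r" % (ptype,))
        seen.add(ptype)
        for leaf in ("min-rate", "max-rate"):     # both are 'mandatory true'
            if leaf not in attr:
                problems.append("%s: %s is mandatory" % (ptype, leaf))
            elif not in_range(leaf, attr[leaf]):
                problems.append("%s: %s %r outside 1..148810000"
                                % (ptype, leaf, attr[leaf]))
        # Sanity check the module does not express: min must not exceed max.
        if (in_range("min-rate", attr.get("min-rate", 0))
                and in_range("max-rate", attr.get("max-rate", 0))
                and attr["min-rate"] > attr["max-rate"]):
            problems.append("%s: min-rate exceeds max-rate" % (ptype,))
        attrs.append(attr)
    cfg["if-packet-contrl-attributes"] = attrs
    return cfg, problems

# Constructed sample instances; interface names are made up.
GOOD_ENTRY = {"if-name": "GE1/0/1", "if-packet-contrl-attributes": [
    {"packet-type": "broadcast", "min-rate": 1000, "max-rate": 5000}]}
BAD_ENTRY = {"if-name": "GE1/0/2", "interval": 0,
             "if-packet-contrl-attributes": [
                 {"packet-type": "multicast", "min-rate": 9000, "max-rate": 5000},
                 {"packet-type": "multicast", "min-rate": 1}]}
```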