Network Working Group                                             L. Xia
Internet-Draft                                                  G. Zheng
Intended status: Standards Track                                  W. Pan
Expires: April 25, 2019                                           Huawei
                                                        October 22, 2018


     The Data Model of Network Infrastructure Device Data Plane Security
                                 Baseline
              draft-xia-sacm-nid-dp-security-baseline-03

Abstract

   This document proposes one part of the security baseline YANG for
   network infrastructure devices (i.e., routers, switches, firewalls,
   etc.): the data plane security baseline.  The companion documents
   [I-D.ietf-lin-sacm-nid-mp-security-baseline] and
   [I-D.ietf-dong-sacm-nid-infra-security-baseline] cover the other
   parts of the security baseline YANG for network infrastructure
   devices: the management plane security baseline and the
   infrastructure layer security baseline, respectively.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 25, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Objective
     1.2.  Security Baseline
     1.3.  Security Baseline Data Model Design
     1.4.  Summary
   2.  Terminology
     2.1.  Key Words
     2.2.  Definition of Terms
   3.  Tree Diagrams
   4.  Data Model Structure
     4.1.  Layer 2 protection
     4.2.  ARP
     4.3.  URPF
     4.4.  DHCP Snooping
     4.5.  CPU Protection
     4.6.  TCP/IP Attack Defense
   5.  Network Infrastructure Device Security Baseline Yang Module
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

1.1.  Objective

   Network security is an essential part of overall network deployment
   and operation.  For the following reasons, network infrastructure
   devices (e.g., switches, routers, firewalls) are a constant target of
   network attackers, and their compromise damages the victim network:

   o  Many insecure access channels: for historical reasons, old and
      insecure protocols such as SNMP v1/v2 and Telnet still run on
      network devices, and replacing them with their secure successors
      (SNMP v3, SSH) is not mandatory.  Attackers exploit them easily
      (e.g., unauthorized login, message eavesdropping);

   o  The open nature of TCP/IP networks: besides the architectural and
      connectivity benefits this openness brings, it also enables many
      threats.  Address spoofing, protocol weaknesses, traffic flooding
      and other kinds of threat all originate from it;

   o  The security challenge of network complexity: networks are
      becoming more complex, with many nodes, various protocols and
      flexible topologies.  Without careful design, strict management
      and operational automation, the consistency of security policy
      across the network cannot be ensured, and it is common for part
      of the network infrastructure to be exposed to attack;

   o  The complexity of the device itself: it increases both the
      difficulty of carrying out security hardening measures and the
      skill required of the network administrator.  As a result, the
      administrator may be unable or unwilling to apply all security
      measures on top of implementing the basic functionality;

   o  The capacity and capability mismatch between the data plane and
      the control plane: the traffic processing capacity and capability
      of the planes differ greatly.  Without effective control, the
      large traffic volume of the data plane can easily flood the other
      planes.

   Therefore, the importance of securing network infrastructure devices
   is beyond question.  One important task in securing them is to
   identify, as far as possible, the threats and vulnerabilities in the
   device itself, such as unnecessary services, insecure configuration
   and abnormal status, and then to enforce the corresponding security
   hardening measures, such as applying patches, correcting the security
   configuration and strengthening security mechanisms.  We call this
   task developing and deploying the security baseline for the network
   infrastructure; it provides a solid foundation for overall network
   security.  This document describes the security baseline for the
   network infrastructure, called "security baseline" for short in this
   document.

1.2.  Security Baseline

   Basically, the security baseline can be designed and deployed at
   different layers of the device:

   o  application layer: refers to the security of the application
      platform and the typical application security mechanisms it
      provides, such as identity authentication, access control,
      permission management, encryption and decryption, auditing and
      tracking, and privacy protection, which ensure secure
      transmission, storage and processing of application data and the
      secure operation of the application system.  Specific examples
      are web application security, software integrity protection,
      encryption of sensitive data, privacy protection, lawful
      interception interfaces and secure third-party components;

   o  network layer: refers to the series of security measures that
      protect the network resources and network services running on the
      device's network platform.  Network layer security of a network
      product is complex, so it is considered separately for the data
      plane, the control plane and the management plane:

      *  data plane: focuses on the security hardening configuration and
         status that protect data plane traffic against eavesdropping,
         tampering, forging and flooding attacks on the network;

      *  control plane: focuses on the security of the control signaling
         of the network infrastructure device, protecting its normal
         exchange against the same kinds of attack (eavesdropping,
         tampering, forging and flooding) and restricting malicious
         control signaling, so that the network topology and forwarding
         behavior remain correct;

      *  management plane: focuses on the security of management
         information and of the management platform.  More
         specifically, it includes all security configuration and
         status involved in the network OAM process;

   o  infrastructure layer: refers to all security design concerning the
      device itself and the OS it runs.  As the foundation of the upper
      layer services, the infrastructure layer must be secure.  The
      specific mechanisms include OS security, key management,
      cryptographic security, certificate management and software
      integrity.

1.3.  Security Baseline Data Model Design

   The security baseline varies with many factors: the device type
   (router, switch, firewall), the security features the device
   supports, and the specific security requirements of the network
   operator.  It is impossible to design a complete set, so this
   document and its companions propose the most important and universal
   points.  More baseline content can be added in future following the
   data model scheme specified here.

   [I-D.ietf-birkholz-sacm-yang-content] defines a method of
   constructing the YANG data model scheme for security posture
   assessment of network infrastructure devices by brokering YANG push
   telemetry via SACM statements.  The basic steps are:

   o  use the YANG push mechanism [I-D.ietf-netconf-yang-push] to
      collect the created streams of notifications (telemetry)
      [I-D.ietf-netconf-subscribed-notifications] that provide SACM
      content on the SACM data plane; the filter expressions used in
      the YANG subscriptions constitute SACM content that is imperative
      guidance consumed by SACM components on the SACM management
      plane;

   o  then encapsulate the YANG push output in a SACM Content Element
      envelope, which is in turn encapsulated in a SACM statement
      envelope;

   o  lastly, publish the SACM statement into a SACM domain via an
      xmpp-grid publisher.

   This document follows the same approach as
   [I-D.ietf-birkholz-sacm-yang-content] to define the YANG output for
   the security baseline posture of network infrastructure devices,
   based on the SACM information model definition
   [I-D.ietf-sacm-information-model].

1.4.  Summary

   The following sections propose one part of the security baseline
   YANG output for network infrastructure devices: the data plane
   security baseline.  The companion documents
   [I-D.ietf-dong-sacm-nid-cp-security-baseline],
   [I-D.ietf-lin-sacm-nid-mp-security-baseline] and
   [I-D.ietf-xia-sacm-nid-app-infr-layers-security-baseline] cover the
   other parts of the security baseline YANG output for network
   infrastructure devices: the control plane security baseline, the
   management plane security baseline, and the application layer and
   infrastructure layer security baseline, respectively.

2.  Terminology

2.1.  Key Words

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.2.  Definition of Terms

   This document uses the terms defined in
   [I-D.draft-ietf-sacm-terminology].

3.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is as
   follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  Data Model Structure

   A network infrastructure device decides the forwarding path based on
   IP/MAC addresses and sends packets in the data plane.  The NP or
   ASIC are the main components implementing the data plane functions.

   This section describes the key data plane security baseline of
   network infrastructure devices and defines the corresponding data
   models.

4.1.  Layer 2 protection

   The MAC table is the key resource for layer 2 forwarding, and it is
   easily attacked by making the device learn a massive number of
   invalid MAC addresses.  The MAC limit function protects the MAC
   table by limiting the maximum number of MAC addresses learned on
   specified interfaces.  When the upper limit is reached, further MAC
   addresses are not learned, the packet is discarded, and optionally
   an alarm is raised.

   If broadcast traffic is not suppressed in a layer 2 network (i.e.,
   Ethernet), a great deal of network bandwidth is consumed by
   broadcast traffic; network performance degrades, and communication
   may even be interrupted.  In such a case, configuring broadcast
   traffic suppression on the device ensures that some bandwidth is
   reserved for unicast forwarding when broadcast traffic bursts across
   the network.
   The device can be configured to suppress broadcast, multicast and
   unknown unicast traffic on an interface, on a specified interface in
   a VLAN, on a sub-interface, and over a virtual switch instance (VSI)
   pseudo wire (PW).

   module: ietf-layer2-protection
      +--rw mac-limit
      |  +--rw vlan-mac-limits
      |  |  +--rw vlan-mac-limit* [vlan-id]
      |  |     +--rw vlan-id    mac-vlan-id
      |  |     +--rw maximum    uint32
      |  |     +--rw rate?      uint32
      |  |     +--rw action?    mac-limit-forward
      |  |     +--rw alarm?     mac-enable-status
      |  +--rw bd-mac-limits
      |  |  +--rw bd-mac-limit* [bd-id]
      |  |     +--rw bd-id      uint32
      |  |     +--rw maximum    uint32
      |  |     +--rw rate?      uint32
      |  |     +--rw action?    mac-limit-forward
      |  |     +--rw alarm?     mac-enable-status
      |  +--rw vsi-mac-limits
      |  |  +--rw vsi-mac-limit* [vsi-name]
      |  |     +--rw vsi-name   string
      |  |     +--rw maximum    uint32
      |  |     +--rw rate?      uint32
      |  |     +--rw action?    mac-limit-forward
      |  |     +--rw alarm?     mac-enable-status
      |  +--rw pw-mac-limits
      |  |  +--rw pw-mac-limit* [vsi-name pw-name]
      |  |     +--rw vsi-name   string
      |  |     +--rw pw-name    string
      |  |     +--rw maximum    uint32
      |  |     +--rw rate?      uint32
      |  |     +--rw action?    mac-limit-forward
      |  |     +--rw alarm?     mac-enable-status
      |  +--rw if-mac-limits
      |  |  +--rw if-mac-limit* [if-name]
      |  |     +--rw if-name    string
      |  |     +--rw maximum    uint32
      |  |     +--rw rate?      uint32
      |  |     +--rw action?    mac-limit-forward
      |  |     +--rw alarm?     mac-enable-status
      |  +--rw subif-mac-limits
      |     +--rw subif-mac-limit* [if-name]
      |        +--rw if-name    string
      |        +--rw maximum    uint32
      |        +--rw rate?      uint32
      |        +--rw action?    mac-limit-forward
      |        +--rw alarm?     mac-enable-status
      +--rw traffic-suppress
         +--rw vlan-suppresses
         |  +--rw vlan-suppress* [vlan-id suppress-type direction]
         |     +--rw vlan-id          mac-vlan-id
         |     +--rw suppress-type    suppress-type
         |     +--rw direction        direction-type
         |     +--rw cir?             uint64
         |     +--rw cbs?             uint64
         +--rw bd-suppresses
         |  +--rw bd-suppress* [bd-id suppress-type direction]
         |     +--rw bd-id            uint32
         |     +--rw suppress-type    suppress-type
         |     +--rw direction        direction-type
         |     +--rw cir?             uint64
         |     +--rw cbs?             uint64
         +--rw vsi-suppresses
         |  +--rw vsi-suppress* [vsi-name suppress-type direction]
         |     +--rw vsi-name         string
         |     +--rw suppress-type    suppress-type
         |     +--rw direction        direction-type
         |     +--rw cir?             uint64
         |     +--rw cbs?             uint64
         +--rw pw-suppresses
         |  +--rw pw-suppress* [vsi-name pw-name suppress-type direction]
         |     +--rw vsi-name         string
         |     +--rw pw-name          string
         |     +--rw suppress-type    suppress-type
         |     +--rw direction        direction-type
         |     +--rw cir?             uint64
         |     +--rw cbs?             uint64
         +--rw if-suppresses
         |  +--rw if-suppress* [if-name suppress-type direction]
         |     +--rw if-name          string
         |     +--rw suppress-type    suppress-type
         |     +--rw direction        direction-type
         |     +--rw percent?         uint64
         |     +--rw packets?         uint64
         |     +--rw cir?             uint64
         |     +--rw cbs?             uint64
         +--rw sub-if-suppresses
         |  +--rw sub-if-suppress* [if-name suppress-type direction]
         |     +--rw if-name          string
         |     +--rw suppress-type    suppress-type
         |     +--rw direction        direction-type
         |     +--rw cir?             uint64
         |     +--rw cbs?             uint64
         +--rw if-storm-controls
            +--rw if-storm-control* [if-name]
               +--rw if-name                  string
               +--rw action?                  storm-ctrl-action-type
               +--rw trap-enable?             enable-type
               +--rw log-enable?              enable-type
               +--rw interval?                uint64
               +--rw if-packet-control-rules
               |  +--rw if-packet-control-rule* [packet-type]
               |     +--rw packet-type    storm-ctrl-type
               |     +--rw rate-type?     storm-ctrl-rate-type
               |     +--rw min-rate       uint64
               +--rw max-rate       uint64
               +--ro if-storm-control-infos
                  +--ro ifstorm-control-info* [packet-type]
                     +--ro packet-type         storm-ctrl-type
                     +--ro punish-status?      storm-ctrl-action-type
                     +--ro last-punish-time?   string

4.2.  ARP

   ARP security is a set of functions that protect the ARP protocol and
   the network against malicious attacks, so that network communication
   remains stable and important user information is protected.  It
   mainly includes:

   o  ARP anti-spoofing functions: protect devices against spoofed ARP
      packets, improving the security and reliability of network
      communication;

   o  ARP anti-flooding functions: relieve the CPU load and prevent ARP
      table overflow, ensuring normal network operation.

   module: ietf-arp-sec
      +--rw arp-sec
         +--rw arp-packet-validate
         |  +--rw global-validate-type    arp-validate-type
         |  +--rw if-validate-rule* [if-name]
         |     +--rw if-name          string
         |     +--rw validate-type    arp-validate-type
         +--rw arp-gratuitous-control
         |  +--rw global-send-gratuitous-enable       boolean
         |  +--rw global-receive-gratuitous-enable    boolean
         |  +--rw if-gratuitous-rule* [if-name]
         |     +--rw if-name                      string
         |     +--rw send-gratuitous-enable       boolean
         |     +--rw receive-gratuitous-enable    boolean
         +--rw arp-learning-control
         |  +--rw global-strict-learning-enable    boolean
         |  +--rw if-learning-rule* [if-name]
         |     +--rw if-name                   string
         |     +--rw learning-disable          boolean
         |     +--rw strict-learning-enable    boolean
         +--rw arp-entry-limit
         |  +--rw if-limit-rule* [if-name]
         |  |  +--rw if-name          string
         |  |  +--rw entry-maximum    uint32
         |  +--rw if-vlan-limit-rule* [if-name vlan-begin]
         |     +--rw if-name          string
         |     +--rw vlan-begin       mac-vlan-id
         |     +--rw vlan-end         mac-vlan-id
         |     +--rw entry-maximum    uint32
         +--rw arp-rate-limit
         |  +--rw global-rate-limit    uint32
         |  +--rw limit-by-source-mac
         |  |  +--rw rate-limit-per-source-mac    uint32
         |  |  +--rw source-mac-rule* [source-mac]
         |  |     +--rw source-mac    mac-address
         |  |     +--rw rate-limit    uint32
         |  +--rw limit-by-source-ip
         |  |  +--rw rate-limit-per-source-ip    uint32
         |  |  +--rw source-ip-rule* [source-ip]
         |  |     +--rw source-ip     inet:ip-address
         |  |     +--rw rate-limit    uint32
         |  +--rw limit-by-destination-ip
         |  |  +--rw rate-limit-per-destination-ip    uint32
         |  +--rw limit-by-interface
         |  |  +--rw rate-limit-per-interface    uint32
         |  |  +--rw interface-rule* [if-name]
         |  |     +--rw if-name       string
         |  |     +--rw rate-limit    uint32
         |  +--rw limit-by-vlan
         |     +--rw vlan-rule* [vlan-id]
         |        +--rw vlan-id       mac-vlan-id
         |        +--rw rate-limit    uint32
         +--rw arp-miss-rate-limit
         |  +--rw global-rate-limit    uint32
         |  +--rw limit-by-source-ip
         |  |  +--rw rate-limit-per-source-ip    uint32
         |  |  +--rw source-ip-rule* [source-ip]
         |  |     +--rw source-ip     inet:ip-address
         |  |     +--rw rate-limit    uint32
         |  +--rw limit-by-interface
         |  |  +--rw rate-limit-per-interface    uint32
         |  |  +--rw interface-rule* [if-name]
         |  |     +--rw if-name       string
         |  |     +--rw rate-limit    uint32
         |  +--rw limit-by-vlan
         |     +--rw vlan-rule* [vlan-id]
         |        +--rw vlan-id       mac-vlan-id
         |        +--rw rate-limit    uint32
         +--ro sec-dis-arp-chks
            +--ro sec-dis-arp-chk* [slot-id check-type]
               +--ro slot-id            string
               +--ro check-type         arp-attack-type
               +--ro total-packets?     uint64
               +--ro passed-packets?    uint64
               +--ro dropped-packets?   uint64

4.3.  URPF

   Unicast Reverse Path Forwarding (URPF) is a technique used to defend
   against network attacks based on source address spoofing.  Normally,
   upon receiving a packet, a router obtains the destination IP address
   of the packet and searches the forwarding table for a route to that
   address; if it finds one, it forwards the packet, otherwise it
   discards it.  A URPF-enabled router additionally obtains the source
   IP address of the received packet and searches for a route to that
   source address.  If it fails to find one, it considers the source
   address forged and discards the packet.
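   As an added example (not code from the draft), the following Python
   functions implement the URPF decision of this section in both strict
   and loose mode, together with the allow-default option needed when
   the router holds only a default route towards the ISP.  The FIB,
   the interface names and the packet trace are constructed for
   illustration.

```python
"""Unicast RPF decision in strict and loose mode over a constructed FIB.

Added example, not code from the draft.  The routing table, interface
names and packets are constructed for illustration; the decision logic
follows the strict / loose / allow-default semantics of Section 4.3.
"""
import ipaddress

# Constructed FIB as (prefix, outgoing interface).  Sample input only.
FIB = [
    ("10.1.0.0/16", "ge0"),
    ("10.1.5.0/24", "ge1"),       # more specific route lives behind ge1
    ("192.0.2.0/24", "ge2"),
    ("0.0.0.0/0", "upstream"),    # the single default route towards the ISP
]


def lookup(fib, address):
    """Longest-prefix match; returns (network, egress) or None if no route."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, egress in fib:
        net = ipaddress.ip_network(prefix)
        # `in` is False across address families, so an IPv6 source never
        # matches an IPv4 prefix (and vice versa).
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best


def urpf_passes(fib, src, ingress, mode="strict", allow_default=False):
    """True if a packet from `src` arriving on `ingress` passes the check."""
    match = lookup(fib, src)
    if match is None:
        return False                     # no route back to the source: spoofed
    net, egress = match
    if net.prefixlen == 0 and not allow_default:
        return False                     # only the default route matches
    if mode == "loose":
        return True                      # any route to the source is enough
    if mode == "strict":
        return egress == ingress         # route must point back out the ingress
    raise ValueError("unknown URPF mode: %r" % mode)


def filter_packets(fib, packets, mode, allow_default=False):
    """Apply URPF to (src, ingress) pairs; returns the verdict per packet."""
    return [(src, ingress, urpf_passes(fib, src, ingress, mode, allow_default))
            for src, ingress in packets]


# Constructed packet trace: (source address, ingress interface).
PACKETS = [
    ("10.1.5.7", "ge1"),          # legitimate, arrives where its route points
    ("10.1.5.7", "ge0"),          # same source spoofed from the wrong port
    ("10.1.9.9", "ge0"),          # covered by the /16 on ge0
    ("203.0.113.5", "upstream"),  # Internet source, only the default matches
    ("203.0.113.5", "ge0"),       # Internet source injected from a LAN port
    ("2001:db8::1", "ge0"),       # IPv6 source, no IPv6 route at all
]

if __name__ == "__main__":
    for mode, allow in (("strict", False), ("strict", True), ("loose", True)):
        print(mode, "allow-default" if allow else "no-default")
        for src, ingress, ok in filter_packets(FIB, PACKETS, mode, allow):
            print("  %-14s %-9s %s" % (src, ingress, "pass" if ok else "drop"))
```

   Running the trace shows the difference between the modes on the same
   packets: strict mode drops 10.1.5.7 arriving on ge0 because the
   reverse route points out ge1, loose mode accepts it, and once the
   default route is allowed to match in loose mode every IPv4 source
   passes from every port, so only the IPv6 source without any route is
   still dropped.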
   In this manner, URPF protects effectively against attacks launched
   by forging the source addresses of packets.

   URPF can operate in strict or loose mode.  Strict mode checks both
   that a route to the source address exists in the routing table and
   that the route's outgoing interface matches the interface on which
   the packet arrived; loose mode only checks that a route to the
   source address exists.  In some cases the router has only a default
   route, towards the ISP's router, so matching the default route entry
   also needs to be supported.  Note that allowing the default route to
   match in loose mode lets every source address pass, so that option
   should be enabled only where the topology requires it.

   URPF can be applied to an interface, to a defined flow, and to
   traffic sent to the local CPU.

   module: ietf-urpf-sec
      +--rw urpf-sec
         +--rw interface-urpf
         |  +--rw interface-rule* [if-name]
         |     +--rw if-name          string
         |     +--rw urpf-mode        urpf-mode-type
         |     +--rw allow-default    boolean
         +--rw flow-urpf
         |  augment /policy:policies/policy:policy-entry +
         |          /policy:classifier-entry +
         |          /policy:classifier-action-entry-cfg +
         |          /policy:action-cfg-params:
         |     +--:(urpf)
         |        +--rw urpf-cfg
         |           +--rw urpf-mode        urpf-mode-type
         |           +--rw allow-default    boolean
         +--rw local-urpf
            +--rw slot-rule* [slot-id]
               +--rw slot-id          string
               +--rw urpf-mode        urpf-mode-type
               +--rw allow-default    boolean

4.4.  DHCP Snooping

   DHCP, which is widely used on networks, dynamically assigns IP
   addresses to clients and manages configuration information in a
   centralized manner.  During DHCP packet forwarding, attacks such as
   bogus DHCP server attacks, DHCP exhaustion attacks, denial of service
   (DoS) attacks and DHCP flooding attacks may occur.

   DHCP snooping is a DHCP security feature that functions like a
   firewall between DHCP clients and servers.  A DHCP-snooping-capable
   device intercepts DHCP packets and uses the information carried in
   them to create a DHCP snooping binding table.
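   As an added example (not code from the draft and not a vendor
   implementation), the Python model below implements the core of the
   DHCP snooping behaviour described in this section: server replies
   arriving on untrusted ports are dropped (bogus server defence),
   bindings are created from server ACKs for clients whose requests
   were seen on untrusted ports, client messages must carry a chaddr
   equal to their Ethernet source (MAC check), a per-port maximum user
   count is enforced, and RELEASE/DECLINE must arrive on the port
   recorded in the binding.  The binding table is then reused as an IP
   source guard.  The counter names follow the pkt-cnt-drop-by-* leaves
   of the ietf-dhcp-snooping statistics subtree; the message fields,
   interface names and packet trace are constructed.

```python
"""DHCP snooping model: trusted ports, binding table, MAC check, user limit.

Added example, not code from the draft.  Message fields, interface
names and the trace are constructed; the counter names follow the
pkt-cnt-drop-by-* leaves of the ietf-dhcp-snooping statistics subtree.
"""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class DhcpMsg:
    msg_type: str       # DISCOVER/REQUEST/RELEASE/DECLINE or OFFER/ACK/NAK
    if_name: str        # ingress interface
    vlan: int
    src_mac: str        # Ethernet source address
    chaddr: str         # client hardware address in the DHCP payload
    yiaddr: str = ""    # address assigned by the server (OFFER/ACK)
    lease: int = 0      # lease time in seconds (ACK)


@dataclass
class Snooper:
    trusted: set                                   # server-facing ports
    max_users: dict = field(default_factory=dict)  # if_name -> limit
    pending: dict = field(default_factory=dict)    # (chaddr, vlan) -> client port
    bindings: dict = field(default_factory=dict)   # (chaddr, vlan) -> (ip, port, lease)
    stats: dict = field(default_factory=lambda: {
        "pkt-cnt-drop-by-untrust-reply": 0,
        "pkt-cnt-drop-by-mac-check": 0,
        "pkt-cnt-drop-by-user-bind": 0})

    def _drop(self, counter):
        self.stats[counter] += 1
        return "drop"

    def _users_on(self, if_name):
        return sum(1 for _ip, port, _lease in self.bindings.values() if port == if_name)

    def process(self, m):
        """Return 'forward' or 'drop' for one DHCP message."""
        key = (m.chaddr, m.vlan)
        if m.msg_type in SERVER_MSGS:
            if m.if_name not in self.trusted:          # bogus DHCP server
                return self._drop("pkt-cnt-drop-by-untrust-reply")
            if m.msg_type == "ACK" and key in self.pending:
                self.bindings[key] = (m.yiaddr, self.pending.pop(key), m.lease)
            return "forward"
        if m.if_name in self.trusted:
            return "forward"                            # no checks on trusted ports
        if m.src_mac != m.chaddr:                       # MAC check
            return self._drop("pkt-cnt-drop-by-mac-check")
        bound = self.bindings.get(key)
        if m.msg_type in ("RELEASE", "DECLINE"):
            if bound is None or bound[1] != m.if_name:  # must match the binding
                return self._drop("pkt-cnt-drop-by-user-bind")
            del self.bindings[key]
            return "forward"
        if bound is None:                               # new client on this port
            limit = self.max_users.get(m.if_name)
            if limit is not None and self._users_on(m.if_name) >= limit:
                return self._drop("pkt-cnt-drop-by-user-bind")
            self.pending[key] = m.if_name
        return "forward"

    def ip_source_valid(self, src_ip, src_mac, vlan, if_name):
        """IP source guard: the (ip, mac, vlan, port) tuple must be bound."""
        bound = self.bindings.get((src_mac, vlan))
        return bound is not None and bound[0] == src_ip and bound[1] == if_name


# Constructed trace on an access switch: GE0/0/24 faces the real server.
A, B = "00:11:22:33:44:aa", "00:11:22:33:44:bb"
TRACE = [
    DhcpMsg("DISCOVER", "GE0/0/1", 10, A, A),
    DhcpMsg("OFFER", "GE0/0/2", 10, "00:de:ad:be:ef:00", A, "10.0.10.200"),  # rogue server
    DhcpMsg("OFFER", "GE0/0/24", 10, "00:11:22:33:44:01", A, "10.0.10.5"),
    DhcpMsg("REQUEST", "GE0/0/1", 10, A, A),
    DhcpMsg("ACK", "GE0/0/24", 10, "00:11:22:33:44:01", A, "10.0.10.5", 3600),
    DhcpMsg("DISCOVER", "GE0/0/1", 10, B, "00:11:22:33:44:cc"),   # chaddr forged
    DhcpMsg("RELEASE", "GE0/0/3", 10, A, A),                      # release from wrong port
    DhcpMsg("DISCOVER", "GE0/0/1", 10, B, B),                     # second user on a 1-user port
]


def run_trace(trace=TRACE):
    """Feed the trace through a snooper; returns (verdicts, snooper)."""
    snooper = Snooper(trusted={"GE0/0/24"}, max_users={"GE0/0/1": 1})
    verdicts = [snooper.process(m) for m in trace]
    return verdicts, snooper
```

   The trace leaves exactly one binding (client A on GE0/0/1 with
   10.0.10.5) and one increment of each drop counter except the
   user-bind counter, which counts both the release from the wrong port
   and the second client on the one-user port.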
This table 553 records hosts' MAC addresses, IP addresses, IP address lease time, 554 VLAN, and interface information. The device uses this table to check 555 the validity of received DHCP packets. If a DHCP packet does not 556 match any entry in this table, the device discards the packet. 558 Besides the binding table, DHCP snooping has other security features 559 such as trusted interface, max DHCP user limit and whitelist to 560 defend against the bogus DHCP server, DHCP flooding and other fine- 561 grained DHCP attacks. 563 module: ietf-dhcp-snooping 564 +--rw dhcp-snooping 565 +--rw dhcp-snooping-enable 566 | +--rw global-enable boolean 567 | +--rw enable-vlan* [vlan-id] 568 | | +--rw vlan-id uint16 569 | | +--rw dhcp-snp-enable boolean 570 | +--rw enable-vlan-interface* [vlan-id if-name] 571 | | +--rw vlan-id uint16 572 | | +--rw if-name string 573 | | +--rw dhcp-snp-enable boolean 574 | +--rw enable-interface* [if-name] 575 | | +--rw if-name string 576 | | +--rw dhcp-snp-enable boolean 577 | +--rw enable-bd* [bd-id] 578 | +--rw bd-id uint32 579 | +--rw dhcp-snp-enable boolean 580 +--rw dhcp-snooping-trust 581 | +--rw trust-vlan* [vlan-id] 582 | | +--rw vlan-id uint16 583 | | +--rw dhcp-snp-trust boolean 584 | | +--rw untrust-reply-alarm-enable boolean 585 | | +--rw untrust-reply-alarm-threshold uint32 586 | +--rw trust-vlan-interface* [vlan-id if-name] 587 | | +--rw vlan-id uint16 588 | | +--rw if-name string 589 | | +--rw dhcp-snp-trust boolean 590 | | +--rw untrust-reply-alarm-enable boolean 591 | | +--rw untrust-reply-alarm-threshold uint32 592 | +--rw trust-interface* [if-name] 593 | | +--rw if-name string 594 | | +--rw dhcp-snp-trust boolean 595 | | +--rw untrust-reply-alarm-enable boolean 596 | | +--rw untrust-reply-alarm-threshold uint32 597 | +--rw trust-bd* [bd-id] 598 | +--rw bd-id uint32 599 | +--rw dhcp-snp-trust boolean 600 | +--rw untrust-reply-alarm-enable boolean 601 | +--rw untrust-reply-alarm-threshold uint32 602 +--rw 
dhcp-snooping-packet-check
      |  +--rw check-vlan* [vlan-id]
      |  |  +--rw vlan-id                 uint16
      |  |  +--rw check-vlan-rule* [check-type]
      |  |     +--rw check-type        check-type
      |  |     +--rw check-enable      boolean
      |  |     +--rw alarm-enable      boolean
      |  |     +--rw alarm-threshold   uint32
      |  +--rw check-vlan-interface* [vlan-id if-name]
      |  |  +--rw vlan-id                 uint16
      |  |  +--rw if-name                 string
      |  |  +--rw check-vlan-if-rule* [check-type]
      |  |     +--rw check-type        check-type
      |  |     +--rw check-enable      boolean
      |  |     +--rw alarm-enable      boolean
      |  |     +--rw alarm-threshold   uint32
      |  +--rw check-interface* [if-name]
      |  |  +--rw if-name                 string
      |  |  +--rw check-if-rule* [check-type]
      |  |     +--rw check-type        check-type
      |  |     +--rw check-enable      boolean
      |  |     +--rw alarm-enable      boolean
      |  |     +--rw alarm-threshold   uint32
      |  +--rw check-bd* [bd-id]
      |     +--rw bd-id                   uint32
      |     +--rw check-bd-rule* [check-type]
      |        +--rw check-type        check-type
      |        +--rw check-enable      boolean
      |        +--rw alarm-enable      boolean
      |        +--rw alarm-threshold   uint32
      +--rw dhcp-snooping-max-user-limit
      |  +--rw user-limit-vlan* [vlan-id]
      |  |  +--rw vlan-id           uint16
      |  |  +--rw max-user-limit    uint32
      |  |  +--rw alarm-enable      boolean
      |  |  +--rw alarm-threshold   uint32
      |  +--rw user-limit-vlan-interface* [vlan-id if-name]
      |  |  +--rw vlan-id           uint16
      |  |  +--rw if-name           string
      |  |  +--rw max-user-limit    uint32
      |  |  +--rw alarm-enable      boolean
      |  |  +--rw alarm-threshold   uint32
      |  +--rw user-limit-interface* [if-name]
      |  |  +--rw if-name           string
      |  |  +--rw max-user-limit    uint32
      |  |  +--rw alarm-enable      boolean
      |  |  +--rw alarm-threshold   uint32
      |  +--rw user-limit-bd* [bd-id]
      |     +--rw bd-id             uint32
      |     +--rw max-user-limit    uint32
      |     +--rw alarm-enable      boolean
      |     +--rw alarm-threshold   uint32
      +--rw dhcp-snooping-rate-limit
      |  +--rw global-check-enable      boolean
      |  +--rw global-rate-limit        uint32
      |  +--rw global-alarm-enable      boolean
      |  +--rw global-alarm-threshold   uint32
      |  +--rw rate-limit-vlan* [vlan-id]
      |  |  +--rw vlan-id           uint16
      |  |  +--rw check-enable      boolean
      |  |  +--rw rate-limit        uint32
      |  |  +--rw alarm-enable      boolean
      |  |  +--rw alarm-threshold   uint32
      |  +--rw rate-limit-vlan-interface* [vlan-id if-name]
      |  |  +--rw vlan-id           uint16
      |  |  +--rw if-name           string
      |  |  +--rw check-enable      boolean
      |  |  +--rw rate-limit        uint32
      |  |  +--rw alarm-enable      boolean
      |  |  +--rw alarm-threshold   uint32
      |  +--rw rate-limit-interface* [if-name]
      |  |  +--rw if-name           string
      |  |  +--rw check-enable      boolean
      |  |  +--rw rate-limit        uint32
      |  |  +--rw alarm-enable      boolean
      |  |  +--rw alarm-threshold   uint32
      |  +--rw rate-limit-bd* [bd-id]
      |     +--rw bd-id             uint32
      |     +--rw check-enable      boolean
      |     +--rw rate-limit        uint32
      |     +--rw alarm-enable      boolean
      |     +--rw alarm-threshold   uint32
      +--rw dhcp-snooping-static-binding-table
      |  +--rw vlan-static-bind-tbl* [vlan-id ip-address ce-vlan]
      |  |  +--rw vlan-id        uint16
      |  |  +--rw ip-address     inet:ip-address
      |  |  +--rw mac-address?   mac-address
      |  |  +--rw if-name?       string
      |  |  +--rw ce-vlan        uint16
      |  +--rw if-static-bind-tbl* [if-name ip-address pe-vlan ce-vlan]
      |  |  +--rw if-name        string
      |  |  +--rw ip-address     inet:ip-address
      |  |  +--rw mac-address?   mac-address
      |  |  +--rw pe-vlan        uint16
      |  |  +--rw ce-vlan        uint16
      |  +--rw bd-static-bind-tbl* [bd-id ip-address pe-vlan ce-vlan]
      |     +--rw bd-id          uint32
      |     +--rw ip-address     inet:ip-address
      |     +--rw mac-address?   mac-address
      |     +--rw pe-vlan        uint16
      |     +--rw ce-vlan        uint16
      +--rw dhcp-snp-white-lists
      |  +--rw dhcp-snp-white-list* [wht-lst-name]
      |     +--rw wht-lst-name   string
      |     +--rw apply-flag     boolean
      |     +--rw dhcp-snp-white-rules
      |        +--rw dhcp-snp-white-rule* [rule-id]
      |           +--rw rule-id     uint16
      |           +--rw src-ip?     inet:ip-address
      |           +--rw src-mask?   inet:ip-address
      |           +--rw dst-ip?     inet:ip-address
      |           +--rw dst-mask?   inet:ip-address
      |           +--rw src-port?   dhcp-snp-port
      |           +--rw dst-port?   dhcp-snp-port
      +--ro dhcp-snp-dyn-bind-tbls
      |  +--ro dhcp-snp-dyn-bind-tbl* [ip-address outer-vlan inner-vlan vsi-name vpn-name bridge-domain]
      |     +--ro ip-address      inet:ip-address
      |     +--ro outer-vlan      uint16
      |     +--ro inner-vlan      uint16
      |     +--ro vsi-name        string
      |     +--ro vpn-name        string
      |     +--ro bridge-domain   uint32
      |     +--ro mac-address?    mac-address
      |     +--ro if-name?        string
      |     +--ro lease?          yang:date-and-time
      +--ro dhcp-snp-statistics
         +--ro pkt-cnt-drop-by-global-rate   uint32
         +--ro dhcp-snp-vlan-statistics
         |  +--ro dhcp-snp-vlan-statistic* [vlan-id]
         |     +--ro vlan-id                          uint16
         |     +--ro drop-arp-pkt-cnt?                uint32
         |     +--ro drop-ip-pkt-cnt?                 uint32
         |     +--ro pkt-cnt-drop-by-user-bind?       uint32
         |     +--ro pkt-cnt-drop-by-mac-check?       uint32
         |     +--ro pkt-cnt-drop-by-untrust-reply?   uint32
         |     +--ro pkt-cnt-drop-by-rate?            uint32
         +--ro dhcp-snp-vlan-if-statistics
         |  +--ro dhcp-snp-vlan-if-statistic* [vlan-id if-name]
         |     +--ro vlan-id                          uint16
         |     +--ro if-name                          string
         |     +--ro drop-arp-pkt-cnt?                uint32
         |     +--ro drop-ip-pkt-cnt?                 uint32
         |     +--ro pkt-cnt-drop-by-user-bind?       uint32
         |     +--ro pkt-cnt-drop-by-mac-check?       uint32
         |     +--ro pkt-cnt-drop-by-untrust-reply?   uint32
         |     +--ro pkt-cnt-drop-by-rate?            uint32
         +--ro dhcp-snp-if-statistics
         |  +--ro dhcp-snp-if-statistic* [if-name]
         |     +--ro if-name                          string
         |     +--ro drop-arp-pkt-cnt?                uint32
         |     +--ro drop-ip-pkt-cnt?                 uint32
         |     +--ro pkt-cnt-drop-by-user-bind?       uint32
         |     +--ro pkt-cnt-drop-by-mac-check?       uint32
         |     +--ro pkt-cnt-drop-by-untrust-reply?   uint32
         |     +--ro pkt-cnt-drop-by-rate?            uint32
         +--ro dhcp-snp-bd-statistics
            +--ro dhcp-snp-bd-statistic* [bd-id]
               +--ro bd-id                            uint32
               +--ro drop-arp-pkt-cnt?                uint32
               +--ro drop-ip-pkt-cnt?                 uint32
               +--ro pkt-cnt-drop-by-user-bind?       uint32
               +--ro pkt-cnt-drop-by-mac-check?       uint32
               +--ro pkt-cnt-drop-by-untrust-reply?   uint32
               +--ro pkt-cnt-drop-by-rate?            uint32

4.5.  CPU Protection

A network device may have a large number of packets sent to its CPU, or malicious packets may be aimed at the device CPU. If the CPU receives excessive packets, it becomes overloaded and can support normal services only with very poor performance; in extreme cases, the system fails.

More specifically, services are negatively affected when the CPU is attacked for the following reasons:

o  Valid protocol packets are not distinguished from invalid protocol packets. The CPU is busy processing a large number of invalid protocol packets. Consequently, CPU usage rises sharply and valid packets cannot be processed properly.

o  Packets of several protocols are sent to the CPU through the same channel. When excessive packets of one protocol block the channel, the transmission of the other protocols' packets is affected.

o  The bandwidth of a channel is not set appropriately. When an attack occurs, the processing of protocol packets on other channels is affected.

Accordingly, the network device can take the following countermeasures for CPU protection:

o  Collect and classify the protocols related to the various services running on the equipment.

o  Use ACLs to filter the packets. Valid protocol packets are put into the whitelist and a user-defined flow; other packets are put into the blacklist.

o  Plan the priorities, channel bandwidth, packet length, and alarm function of the preceding three lists.

o  Disable services that are not deployed on the equipment, and control the total forwarding bandwidth.

In this manner, the number of packets sent to the CPU is under control, and bandwidth is ensured preferentially for services with higher priorities.
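The countermeasures above, as an added Python model that is not code from the draft: packets are classified into the white-list ACL, a user-defined flow or the black list as the cpu-defend tree lays them out, each rule-type is rate-limited by a CAR token bucket (cir/cbs), and a drop-alarm fires when packets-threshold drops occur within one interval. All ACLs, rates and packets are constructed sample data; priorities and per-channel bandwidth are not modeled.

```python
# Added illustration of the CPU-protection pipeline (constructed example).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Packet:
    ts: float        # arrival time in seconds; packets are fed in time order
    protocol: str    # e.g. "ospf", "bgp", "icmp", "telnet"
    src: str         # source IPv4 address


@dataclass
class AclEntry:
    protocol: Optional[str] = None   # None matches any protocol
    src: Optional[str] = None        # CIDR prefix; None matches any source

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        return self.src is None or ip_address(pkt.src) in ip_network(self.src)


class CarRule:
    # One cpu-defend-car-rule: a bucket of cbs packets refilled at cir packets/s;
    # the drop-alarm fires when alarm_threshold drops fall inside one interval.
    def __init__(self, cir: float, cbs: float,
                 alarm_threshold: int = 0, alarm_interval: float = 1.0) -> None:
        self.cir, self.cbs = cir, cbs
        self.alarm_threshold, self.alarm_interval = alarm_threshold, alarm_interval
        self.tokens, self.last_ts = cbs, 0.0
        self.win_start, self.win_drops = 0.0, 0
        self.alarms: List[float] = []
        self.stats = {"passed": 0, "dropped": 0}

    def process(self, pkt: Packet) -> bool:
        # Refill for the time elapsed since the previous packet, capped at cbs.
        self.tokens = min(self.cbs, self.tokens + (pkt.ts - self.last_ts) * self.cir)
        self.last_ts = pkt.ts
        if self.tokens >= 1:
            self.tokens -= 1
            self.stats["passed"] += 1
            return True
        self.stats["dropped"] += 1
        if self.alarm_threshold:
            if pkt.ts - self.win_start >= self.alarm_interval:
                self.win_start, self.win_drops = pkt.ts, 0
            self.win_drops += 1
            if self.win_drops == self.alarm_threshold:
                self.alarms.append(pkt.ts)   # one alarm per interval
        return False


class CpuDefendPolicy:
    # Classification order from the text: white-list ACL, then the
    # user-defined flows; everything else lands in the black list.
    def __init__(self, white_acl: List[AclEntry],
                 user_flows: Dict[int, List[AclEntry]], cars: Dict[str, CarRule]):
        self.white_acl, self.user_flows, self.cars = white_acl, user_flows, cars

    def classify(self, pkt: Packet) -> str:
        if any(e.matches(pkt) for e in self.white_acl):
            return "whitelist"
        for flow_id, acl in self.user_flows.items():
            if any(e.matches(pkt) for e in acl):
                return f"flow-{flow_id}"
        return "blacklist"

    def run(self, packets: List[Packet]) -> Dict[str, Dict[str, int]]:
        for pkt in packets:
            self.cars[self.classify(pkt)].process(pkt)
        return {name: dict(car.stats) for name, car in self.cars.items()}


def build_sample_policy() -> CpuDefendPolicy:
    # Constructed policy: backbone routing protocols are trusted, ICMP gets a
    # small user-defined flow, anything else (e.g. Telnet) is black-listed.
    return CpuDefendPolicy(
        white_acl=[AclEntry("ospf", "10.0.0.0/8"), AclEntry("bgp", "10.0.0.0/8")],
        user_flows={1: [AclEntry("icmp")]},
        cars={"whitelist": CarRule(cir=1000, cbs=100),
              "flow-1": CarRule(cir=10, cbs=5, alarm_threshold=50),
              "blacklist": CarRule(cir=0, cbs=0, alarm_threshold=5)})


def sample_packets() -> List[Packet]:
    # Constructed traffic: 20 OSPF packets, a 100-packet ICMP burst inside
    # 0.1 s, and 10 Telnet packets for a service not deployed on the device.
    pkts = [Packet(i * 0.01, "ospf", "10.1.1.1") for i in range(20)]
    pkts += [Packet(1.0 + i * 0.001, "icmp", "192.0.2.7") for i in range(100)]
    pkts += [Packet(2.0 + i * 0.01, "telnet", "203.0.113.9") for i in range(10)]
    return pkts


def run_sample():
    # Per-rule pass/drop counters (cf. sec-car-stats) and alarm counts.
    policy = build_sample_policy()
    stats = policy.run(sample_packets())
    return stats, {name: len(car.alarms) for name, car in policy.cars.items()}
```

The ICMP burst exhausts its 5-packet bucket almost at once and trips the drop-alarm, while the routing protocols pass untouched and the undeployed service is dropped entirely.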
In addition, CPU overload is prevented and 811 an alarm is generated when an attack occurs. 813 module: ietf-cpu-defend 814 +--rw cpu-defend 815 +--rw cpu-defend-policies 816 | +--rw cpu-defend-policy* [policy-id] 817 | +--rw policy-id uint32 818 | +--rw description? string 819 | +--rw white-list-acl-number? uint32 820 | +--rw black-list-acl-number? uint32 821 | +--rw user-defined-flows 822 | | +--rw user-defined-flow* [flow-id] 823 | | +--rw flow-id uint32 824 | | +--rw acl-number uint32 825 | +--rw cpu-defend-car-rules 826 | +--rw cpu-defend-car-rule* [rule-type pkt-index flow-id protocol-type tcp-ip-type] 827 | +--rw rule-type rule-type 828 | +--rw pkt-index? uint16 829 | +--rw flow-id? uint32 830 | +--rw protocol? protocol-type 831 | +--rw tcp-ip-type? tcp-ip-type 832 | +--rw car-attr 833 | | +--rw cir? uint32 834 | | +--rw cbs? uint32 835 | | +--rw pir? uint32 836 | | +--rw pbs? uint32 837 | | +--rw min-pkt-len? uint32 838 | | +--rw pkt-rate? uint32 839 | | +--rw weight? uint16 840 | +--rw priority? priority-type 841 | +--rw drop-alarm 842 | +--rw enable boolean 843 | +--rw packets-threshold? uint32 844 | +--rw interval? uint16 845 | +--rw speed-threshold? uint32 846 +--rw cpu-defend-policy-bindings 847 | +--rw cpu-defend-policy-binding* [slot-id] 848 | +--rw slot-id string 849 | +--rw policy-id uint32 850 +--ro cpu-defend-cars-cfgs 851 | +--ro cpu-defend-cars-cfg* [slot-id pkt-index] 852 | +--ro slot-id string 853 | +--ro pkt-index uint16 854 | +--ro cir? uint32 855 | +--ro cbs? uint32 856 | +--ro min-pkt? uint32 857 | +--ro priority? 
priority-type 858 | +--ro protocol protocol-type 859 +--ro protocol-stats 860 | +--ro protocol-stat* [slot-id protocol] 861 | +--ro slot-id string 862 | +--ro protocol protocol-type 863 | +--ro default-act action-type 864 | +--ro default-cir uint32 865 | +--ro default-cbs uint32 866 +--ro sec-non-car-stats 867 | +--ro sec-non-car-stat* [slot-id policy-type protocol] 868 | +--ro slot-id string 869 | +--ro policy-type policy-type 870 | +--ro protocol protocol-type 871 | +--ro total-packets? uint64 872 | +--ro passed-packets? uint64 873 | +--ro dropped-packets? uint64 874 +--ro sec-car-stats 875 | +--ro sec-car-stat* [slot-id policy-type policy-index] 876 | +--ro slot-id string 877 | +--ro policy-type policy-type 878 | +--ro policy-index uint32 879 | +--ro app-enable? boolean 880 | +--ro app-default-act? action-type 881 | +--ro proto-enable? boolean 882 | +--ro passed-packets? uint64 883 | +--ro dropped-packets? uint64 884 | +--ro cfg-cir? uint32 885 | +--ro cfg-cbs? uint32 886 | +--ro actual-cir? uint32 887 | +--ro actual-cbs? uint32 888 | +--ro priority? priority-type 889 | +--ro min-pkt-len? uint32 890 | +--ro acl-deny-packets? uint64 891 | +--ro hist-pps? uint64 892 | +--ro hist-pps-time? yang:date-and-time 893 | +--ro average-drop-rate? uint64 894 | +--ro drop-begin-time? yang:date-and-time 895 | +--ro drop-end-time? yang:date-and-time 896 | +--ro total-dropped-packets? uint64 897 +--ro total-packet-stats 898 | +--ro total-packet-stat* [slot-id] 899 | +--ro slot-id string 900 | +--ro total-packets? uint64 901 | +--ro passed-packets? uint64 902 | +--ro dropped-packets? uint64 903 +--rw hostcar-policies 904 | +--rw hostcar-policy* [slot-id host-car-type] 905 | +--rw slot-id string 906 | +--rw host-car-type host-car-type 907 | +--rw cir? uint32 908 | +--rw pir? uint32 909 | +--rw cbs? uint32 910 | +--rw pbs? uint32 911 | +--rw automatic-adjustment 912 | +--rw enable? boolean 913 | +--rw drop-threshold? uint32 914 | +--rw interval? 
uint32 915 +--ro host-car-stats 916 | +--ro host-car-stat* [slot-id host-car-type stat-type host-car-id http-host-car-id vlan-host-car-id] 917 | +--ro slot-id string 918 | +--ro host-car-type host-car-type 919 | +--ro stat-type stat-type 920 | +--ro host-car-id uint32 921 | +--ro http-host-car-id uint32 922 | +--ro vlan-host-car-id uint32 923 | +--ro passed-bytes? uint64 924 | +--ro dropped-bytes? uint64 925 +--ro host-car-cfgs 926 +--ro host-car-cfg* [slot-id] 927 +--ro slot-id string 928 +--ro host-car-type? host-car-type-enum 929 +--ro default-cir? uint32 930 +--ro default-pir? uint32 931 +--ro default-cbs? uint32 932 +--ro default-pbs? uint32 933 +--ro actual-cir? uint32 934 +--ro actual-pir? uint32 935 +--ro actual-cbs? uint32 936 +--ro actual-pbs? uint32 937 +--ro droprate-en? boolean 938 +--ro log-interval? uint32 939 +--ro log-threshold? uint32 941 4.6. TCP/IP Attack Defense 943 Defense against TCP/IP attacks is applied to the router on the edge 944 of the network or other routers that are easily to be attacked by 945 illegal TCP/IP packets. Defense against TCP/IP attacks can protect 946 the CPU of the router against malformed packets, fragmented packets, 947 TCP SYN packets, and UDP packets, ensuring that normal services can 948 be processed. 950 module: ietf-tcp-ip-attack-defense 951 +--rw tcp-ip-attack-defense 952 +--rw anti-enable? boolean 953 +--rw abnormal-enable? boolean 954 +--rw udp-flood-enable? boolean 955 +--rw tcp-syn-enable? boolean 956 +--rw icmp-flood-enable? boolean 957 +--rw fragment-enable? boolean 958 +--rw sec-anti-attack-car-cfg 959 | +--rw cir-fragment? uint32 960 | +--rw cir-icmp? uint32 961 | +--rw cir-tcp? uint32 962 +--rw sec-anti-attack-stats 963 +--ro sec-anti-attack-stat* [attack-type] 964 +--ro attack-type anti-attack-type 965 +--ro total-count? uint64 966 +--ro drop-count? uint64 967 +--ro pass-count? uint64 969 5. 
Network Infrastructure Device Security Baseline Yang Module 971 file "ietf-mac-limit@2018-06-04.yang" 973 module ietf-mac-limit { 974 namespace "urn:ietf:params:xml:ns:yang:ietf-mac-limit"; 975 prefix mac-limit; 976 organization 977 "IETF SACM Working Group"; 978 contact 979 "Liang Xia: Frank.xialiang@huawei.com; 980 Guangying Zheng: Zhengguangying@huawei.com"; 981 description 982 "MAC address limit."; 984 revision 2018-06-04 { 985 description 986 "Init revision"; 987 reference "xxx."; 988 } 990 /* 991 * Typedefs 992 */ 993 typedef mac-limit-forward { 994 type enumeration { 995 enum "forward" { 996 description 997 "Forward."; 998 } 999 enum "discard" { 1000 description 1001 "Discard."; 1002 } 1003 } 1004 description 1005 "MAC Limit Forward"; 1006 } 1007 typedef mac-enable-status { 1008 type enumeration { 1009 enum "enable" { 1010 description 1011 "Enable."; 1012 } 1013 enum "disable" { 1014 description 1015 "Disable."; 1016 } 1017 } 1018 description 1019 "MAC Enable Status"; 1020 } 1021 typedef mac-vlan-id { 1022 type uint16 { 1023 range "1..4094"; 1024 } 1025 description 1026 "MAC Vlan Id"; 1027 } 1028 typedef mac-type { 1029 type enumeration { 1030 enum "static" { 1031 description 1032 "Static MAC address entry."; 1033 } 1034 enum "dynamic" { 1035 description 1036 "Dynamic MAC address entry."; 1037 } 1038 enum "black-hole" { 1039 description 1040 "Blackhole MAC address entry"; 1041 } 1042 enum "sticky" { 1043 description 1044 "sticky MAC address entry"; 1045 } 1046 enum "security" { 1047 description 1048 "security MAC address entry"; 1049 } 1050 enum "evn" { 1051 description 1052 "EVN MAC address entry."; 1053 } 1054 enum "mux" { 1055 description 1056 "MUX MAC address entry."; 1057 } 1058 enum "snooping" { 1059 description 1060 "SNOOPING MAC address entry."; 1061 } 1062 enum "tunnel" { 1063 description 1064 "TUNNEL MAC address entry."; 1065 } 1066 enum "authen" { 1067 description 1068 "AUTHEN MAC address entry."; 1069 } 1070 } 1071 description 1072 "MAC Type"; 
1073 } 1074 typedef suppress-type { 1075 type enumeration { 1076 enum "broadcast" { 1077 description 1078 "Broadcast."; 1079 } 1080 enum "multicast" { 1081 description 1082 "Multicast."; 1083 } 1084 enum "unknown-unicast" { 1085 description 1086 "Unknown unicast."; 1087 } 1088 enum "unicast" { 1089 description 1090 "Unicast."; 1091 } 1093 } 1094 description 1095 "Suppress Type"; 1096 } 1097 typedef limit-type { 1098 type enumeration { 1099 enum "-mac-limit" { 1100 description 1101 "Interface MAC rule limit."; 1102 } 1103 enum "mac-apply" { 1104 description 1105 "Interface MAC rule application."; 1106 } 1107 } 1108 description 1109 "Limit Type"; 1110 } 1112 typedef mac-pw-encap-type { 1113 type enumeration { 1114 enum "ethernet" { 1115 description 1116 "Ethernet."; 1117 } 1118 enum "vlan" { 1119 description 1120 "VLAN."; 1121 } 1122 } 1123 description 1124 "MAC PW Encapsulation Type"; 1125 } 1127 typedef suppress-style { 1128 type enumeration { 1129 enum "percent" { 1130 description 1131 "Percent."; 1132 } 1133 enum "absolute-value" { 1134 description 1135 "Absolute value."; 1136 } 1137 } 1138 description 1139 "Suppress Style"; 1140 } 1141 typedef direction-type { 1142 type enumeration { 1143 enum "inbound" { 1144 description 1145 "Inbound."; 1146 } 1147 enum "outbound" { 1148 description 1149 "Outbound."; 1150 } 1151 } 1152 description 1153 "Direction Type"; 1154 } 1156 typedef storm-ctrl-action-type { 1157 type enumeration { 1158 enum "normal" { 1159 description 1160 "Normal."; 1161 } 1162 enum "error-down" { 1163 description 1164 "Error down."; 1165 } 1166 enum "block" { 1167 description 1168 "Block."; 1169 } 1170 enum "suppress" { 1171 description 1172 "Suppress"; 1173 } 1174 } 1175 description 1176 "Storm Ctrl Action Type"; 1177 } 1179 typedef enable-type { 1180 type enumeration { 1181 enum "disable" { 1182 description 1183 "Disable."; 1184 } 1185 enum "enable" { 1186 description 1187 "Enable."; 1188 } 1190 } 1191 description 1192 "Enable Type"; 1193 } 1195 
typedef storm-ctrl-type { 1196 type enumeration { 1197 enum "broadcast" { 1198 description 1199 "Broadcast."; 1200 } 1201 enum "multicast" { 1202 description 1203 "Multicast."; 1204 } 1205 enum "unicast" { 1206 description 1207 "Unicast."; 1208 } 1209 enum "unknown-unicast" { 1210 description 1211 "Unknown unicast."; 1212 } 1213 } 1214 description 1215 "Storm Ctrl Type"; 1216 } 1218 typedef storm-ctrl-rate-type { 1219 type enumeration { 1220 enum "pps" { 1221 description 1222 "Packets per second."; 1223 } 1224 enum "percent" { 1225 description 1226 "Percent."; 1227 } 1228 enum "kbps" { 1229 description 1230 "Kilo bits per second."; 1231 } 1232 } 1233 description 1234 "Storm Ctrl Rate Type"; 1235 } 1236 container mac { 1237 description 1238 "MAC address forwarding. "; 1239 container mac-limit-rules { 1240 description 1241 "Global MAC address learning limit rule."; 1242 list mac-limit-rule { 1243 key "rule-name"; 1244 description 1245 "Global MAC address learning limit."; 1246 leaf rule-name { 1247 type string { 1248 length "1..31"; 1249 } 1250 description 1251 "Global MAC address learning limit rule name."; 1252 } 1253 leaf maximum { 1254 type uint32 { 1255 range "0..131072"; 1256 } 1257 mandatory true; 1258 description 1259 "Maximum number of MAC addresses that can be learned."; 1260 } 1261 leaf rate { 1262 type uint16 { 1263 range "0..1000"; 1264 } 1265 default "0"; 1266 description 1267 "Interval at which MAC addresses are learned."; 1268 } 1269 leaf action { 1270 type mac-limit-forward; 1271 default "discard"; 1272 description 1273 "Discard or forward after the number of learned MAC addresses reaches the maximum number."; 1274 } 1275 leaf alarm { 1276 type mac-enable-status; 1277 default "enable"; 1278 description 1279 "Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number."; 1280 } 1281 } 1282 } 1283 container vlan-mac-limits { 1284 description 1285 "VLAN MAC address limit list."; 1286 list vlan-mac-limit { 1287 key 
"vlan-id"; 1288 description 1289 "VLAN MAC address limit."; 1290 leaf vlan-id { 1291 type mac-vlan-id; 1292 description 1293 "VLAN ID."; 1294 } 1295 leaf maximum { 1296 type uint32 { 1297 range "0..130048"; 1298 } 1299 mandatory true; 1300 description 1301 "Maximum number of MAC addresses that can be learned in a VLAN."; 1302 } 1303 leaf rate { 1304 type uint16 { 1305 range "0..1000"; 1306 } 1307 default "0"; 1308 description 1309 "Interval at which MAC addresses are learned in a VLAN."; 1310 } 1311 leaf action { 1312 type mac-limit-forward; 1313 default "discard"; 1314 description 1315 "Discard or forward after the number of learned MAC addresses reaches the maximum number in a VLAN."; 1316 } 1317 leaf alarm { 1318 type mac-enable-status; 1319 default "enable"; 1320 description 1321 "Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number in a VLAN."; 1322 } 1323 } 1324 } 1325 container vsi-mac-limits { 1326 description 1327 "VSI MAC address limit list."; 1328 list vsi-mac-limit { 1329 key "vsi-name"; 1330 description 1331 "VSI MAC address limit."; 1333 leaf vsi-name { 1334 type string { 1335 length "1..31"; 1336 } 1337 description 1338 "VSI name."; 1339 } 1340 leaf maximum { 1341 type uint32 { 1342 range "0..524288"; 1343 } 1344 mandatory true; 1345 description 1346 "Maximum number of MAC addresses that can be learned in a VSI."; 1347 } 1348 leaf rate { 1349 type uint16 { 1350 range "0..1000"; 1351 } 1352 default "0"; 1353 description 1354 "Interval at which MAC addresses are learned in a VSI."; 1355 } 1356 leaf action { 1357 type mac-limit-forward; 1358 default "discard"; 1359 description 1360 "Discard or forward after the number of learned MAC addresses reaches the maximum number in a VSI."; 1361 } 1362 leaf alarm { 1363 type mac-enable-status; 1364 default "disable"; 1365 description 1366 "Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number in a VSI."; 1367 } 1368 leaf 
up-threshold { 1369 type uint8 { 1370 range "80..100"; 1371 } 1372 mandatory true; 1373 description 1374 "Upper limit for the number of MAC addresses."; 1375 } 1376 leaf down-threshold { 1377 type uint8 { 1378 range "60..100"; 1379 } 1380 mandatory true; 1381 description 1382 "Upper limit for the number of MAC addresses."; 1383 } 1384 } 1385 } 1386 container bd-mac-limits { 1387 description 1388 "BD MAC address limit list."; 1389 list bd-mac-limit { 1390 key "bd-id"; 1391 description 1392 "BD MAC address limit."; 1393 leaf bd-id { 1394 type uint32 { 1395 range "1..16777215"; 1396 } 1397 description 1398 "Specifies the ID of a bridge domain."; 1399 } 1400 leaf maximum { 1401 type uint32 { 1402 range "0..130048"; 1403 } 1404 mandatory true; 1405 description 1406 "Maximum number of MAC addresses that can be learned in a BD."; 1407 } 1408 leaf rate { 1409 type uint16 { 1410 range "0..1000"; 1411 } 1412 default "0"; 1413 description 1414 "Interval at which MAC addresses are learned in a BD."; 1415 } 1416 leaf action { 1417 type mac-limit-forward; 1418 default "discard"; 1420 description 1421 "Forward or discard the packet."; 1422 } 1423 leaf alarm { 1424 type mac-enable-status; 1425 default "enable"; 1426 description 1427 "Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number."; 1428 } 1430 } 1431 } 1432 container pw-mac-limits { 1433 description 1434 "PW MAC address limit list."; 1435 list pw-mac-limit { 1436 key "vsi-name pw-name"; 1437 description 1438 "PW MAC address limit."; 1439 leaf vsi-name { 1440 type string { 1441 length "1..31"; 1442 } 1443 description 1444 "VSI name."; 1445 } 1446 leaf pw-name { 1447 type string { 1448 length "1..15"; 1449 } 1450 description 1451 "PW name."; 1452 } 1453 leaf maximum { 1454 type uint32 { 1455 range "0..130048"; 1456 } 1457 mandatory true; 1458 description 1459 "Maximum number of MAC addresses that can be learned in a PW."; 1460 } 1461 leaf rate { 1462 type uint16 { 1463 range 
"0..1000"; 1464 } 1465 default "0"; 1466 description 1467 "Interval at which MAC addresses are learned in a PW."; 1468 } 1469 leaf action { 1470 type mac-limit-forward; 1471 default "discard"; 1472 description 1473 "Discard or forward after the number of learned MAC addresses reaches the maximum number in a PW."; 1474 } 1475 leaf alarm { 1476 type mac-enable-status; 1477 default "enable"; 1478 description 1479 "Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number in a PW."; 1480 } 1481 } 1482 } 1483 container if-mac-limits { 1484 description 1485 "Interface MAC address limit list."; 1486 list if-mac-limit { 1487 key "if-name limit-type"; 1488 description 1489 "Interface MAC address limit."; 1490 leaf if-name { 1491 type string; 1492 description 1493 "Interface name."; 1494 } 1495 leaf limit-type { 1496 type limit-type; 1497 description 1498 "Interface MAC limit type."; 1499 } 1500 leaf rule-name { 1501 type leafref { 1502 path "/mac/mac-limit-rules/mac-limit-rule/rule-name"; 1503 } 1504 description 1505 "Rule name."; 1506 } 1507 leaf maximum { 1508 type uint32 { 1509 range "0..131072"; 1510 } 1511 mandatory true; 1512 description 1513 "Maximum number of MAC addresses that can be learned on an interface."; 1514 } 1515 leaf rate { 1516 type uint16 { 1517 range "0..1000"; 1518 } 1519 default "0"; 1520 description 1521 "Interval (ms) at which MAC addresses are learned on an interface."; 1522 } 1523 leaf action { 1524 type mac-limit-forward; 1525 default "discard"; 1526 description 1527 "Discard or forward after the number of learned MAC addresses reaches the maximum number on an interface"; 1528 } 1529 leaf alarm { 1530 type mac-enable-status; 1531 default "enable"; 1532 description 1533 "Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number on an interface."; 1534 } 1535 } 1536 } 1537 container if-vlan-mac-limits { 1538 description 1539 "Interface + VLAN MAC address limit 
list."; 1540 list if-vlan-mac-limit { 1541 key "if-name vlan-begin limit-type"; 1542 config false; 1543 description 1544 "Interface + VLAN MAC address limit."; 1545 leaf if-name { 1546 type string; 1547 description 1548 "-name of an interface. "; 1549 } 1550 leaf vlan-begin { 1551 type mac-vlan-id; 1552 description 1553 "Start VLAN ID."; 1554 } 1555 leaf vlan-end { 1556 type mac-vlan-id; 1557 description 1558 "End VLAN ID."; 1559 } 1560 leaf limit-type { 1561 type limit-type; 1562 description 1563 "Interface MAC limit type."; 1564 } 1565 leaf rule-name { 1566 type leafref { 1567 path "/mac/mac-limit-rules/mac-limit-rule/rule-name"; 1568 } 1569 description 1570 "Rule name."; 1571 } 1572 leaf maximum { 1573 type uint32 { 1574 range "0..131072"; 1575 } 1576 mandatory true; 1577 description 1578 "Maximum number of MAC addresses that can be learned on an interface."; 1579 } 1580 leaf rate { 1581 type uint16 { 1582 range "0..1000"; 1583 } 1584 mandatory true; 1585 description 1586 "Interval (ms) at which MAC addresses are learned on an interface."; 1587 } 1588 leaf action { 1589 type mac-limit-forward; 1590 default "discard"; 1591 description 1592 "Discard or forward the packet."; 1593 } 1594 leaf alarm { 1595 type mac-enable-status; 1596 default "enable"; 1597 description 1598 "Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number."; 1599 } 1600 } 1601 } 1602 container subif-mac-limits { 1603 description 1604 "Sub-interface MAC address limit list."; 1605 list subif-mac-limit { 1606 key "if-name limit-type"; 1607 description 1608 "Sub-interface MAC address limit."; 1609 leaf if-name { 1610 type string; 1611 description 1612 "-name of a sub-interface. 
"; 1613 } 1614 leaf limit-type { 1615 type limit-type; 1616 description 1617 "Sub-interface MAC limit type."; 1618 } 1619 leaf vsi-name { 1620 type string { 1621 length "1..36"; 1623 } 1624 config false; 1625 mandatory true; 1626 description 1627 "VSI name , EVPN name or bridge domain ID."; 1628 } 1629 leaf rule-name { 1630 type string { 1631 length "1..31"; 1632 } 1633 mandatory true; 1634 description 1635 "Rule name."; 1636 } 1637 leaf maximum { 1638 type uint32 { 1639 range "0..131072"; 1640 } 1641 mandatory true; 1642 description 1643 "Maximum number of MAC addresses that can be learned on a sub-interface."; 1644 } 1645 leaf rate { 1646 type uint16 { 1647 range "0..1000"; 1648 } 1649 default "0"; 1650 description 1651 "Interval (ms) at which MAC addresses are learned on a sub-interface."; 1652 } 1653 leaf action { 1654 type mac-limit-forward; 1655 default "discard"; 1656 description 1657 "Discard or forward after the number of learned MAC addresses reaches the maximum number on a sub-interface."; 1658 } 1659 leaf alarm { 1660 type mac-enable-status; 1661 default "enable"; 1662 description 1663 "Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number on a sub-interface."; 1664 } 1665 } 1666 } 1667 container vsi-storm-supps { 1668 description 1669 "VSI Suppression List."; 1670 list vsi-storm-supp { 1671 key "vsi-name suppress-type"; 1672 description 1673 "VSI Suppression."; 1674 leaf vsi-name { 1675 type string { 1676 length "1..31"; 1677 } 1678 description 1679 "VSI name."; 1680 } 1681 leaf suppress-type { 1682 type suppress-type; 1683 description 1684 "Traffic suppression type."; 1685 } 1686 leaf cir { 1687 type uint64 { 1688 range "0..4294967295"; 1689 } 1690 default "0"; 1691 description 1692 "CIR value."; 1693 } 1694 leaf cbs { 1695 type uint64 { 1696 range "0..4294967295"; 1697 } 1698 description 1699 "CBS value."; 1700 } 1701 } 1702 } 1703 container vlan-storm-supps { 1704 description 1705 "VLAN Suppression 
List."; 1706 list vlan-storm-supp { 1707 key "vlan-id suppress-type"; 1708 description 1709 "VLAN Suppression."; 1710 leaf vlan-id { 1711 type mac-vlan-id; 1712 description 1713 "VLAN ID."; 1714 } 1715 leaf suppress-type { 1716 type suppress-type; 1717 description 1718 "Traffic suppression type."; 1720 } 1721 leaf cir { 1722 type uint64 { 1723 range "64..4294967295"; 1724 } 1725 default "64"; 1726 description 1727 "CIR value."; 1728 } 1729 leaf cbs { 1730 type uint64 { 1731 range "10000..4294967295"; 1732 } 1733 description 1734 "CBS value."; 1735 } 1736 } 1737 } 1738 container sub-if-suppresss { 1739 description 1740 "Sub-interface traffic suppression list."; 1741 list sub-if-suppress { 1742 key "if-name suppress-type direction"; 1743 description 1744 "Sub-Interface traffic suppression."; 1745 leaf if-name { 1746 type string; 1747 description 1748 "Sub-interface name."; 1749 } 1750 leaf suppress-type { 1751 type suppress-type; 1752 description 1753 "Suppression type."; 1754 } 1755 leaf direction { 1756 type direction-type; 1757 description 1758 "Suppression direction."; 1759 } 1760 leaf cir { 1761 type uint64 { 1762 range "0..4294967295"; 1763 } 1764 default "0"; 1765 description 1766 "CIR value."; 1767 } 1768 leaf cbs { 1769 type uint64 { 1770 range "0..4294967295"; 1771 } 1772 description 1773 "CBS value."; 1774 } 1775 } 1776 } 1777 container pw-suppresss { 1778 description 1779 "PW traffic suppress list."; 1780 list pw-suppress { 1781 key "vsi-name pw-name suppress-type"; 1782 description 1783 "PW traffic suppression."; 1784 leaf vsi-name { 1785 type string { 1786 length "1..31"; 1787 } 1788 description 1789 "VSI name."; 1790 } 1791 leaf pw-name { 1792 type string { 1793 length "1..15"; 1794 } 1795 description 1796 "PW name."; 1797 } 1798 leaf suppress-type { 1799 type suppress-type; 1800 description 1801 "Traffic suppression type."; 1802 } 1803 leaf cir { 1804 type uint64 { 1805 range "100..4294967295"; 1806 } 1807 default "100"; 1808 description 1809 "CIR 
value."; 1810 } 1811 leaf cbs { 1812 type uint64 { 1813 range "100..4294967295"; 1814 } 1815 description 1816 "CBS value."; 1817 } 1818 } 1819 } 1821 container vsi-in-suppressions { 1822 description 1823 "VSI inbound traffic suppression list."; 1824 list vsi-in-suppression { 1825 key "vsi-name"; 1826 description 1827 "VSI inbound traffic suppression."; 1828 leaf vsi-name { 1829 type string { 1830 length "1..31"; 1831 } 1832 description 1833 "VSI name."; 1834 } 1835 leaf inbound-supp { 1836 type mac-enable-status; 1837 default "enable"; 1838 description 1839 "Inbound suppression."; 1840 } 1841 } 1842 } 1843 container vsi-out-suppressions { 1844 description 1845 "VSI outbound traffic suppression list."; 1846 list vsi-out-suppression { 1847 key "vsi-name"; 1848 description 1849 "VSI outbound traffic suppression."; 1850 leaf vsi-name { 1851 type string { 1852 length "1..31"; 1853 } 1854 description 1855 "VSI name."; 1856 } 1857 leaf out-bound-supp { 1858 type mac-enable-status; 1859 default "enable"; 1860 description 1861 "Outbound suppression."; 1862 } 1863 } 1865 } 1866 container vsi-suppresss { 1867 description 1868 "VSI traffic suppression list."; 1869 list vsi-suppress { 1870 key "sub-if-name"; 1871 description 1872 "VSI traffic suppression."; 1873 leaf vsi-name { 1874 type string { 1875 length "1..31"; 1876 } 1877 mandatory true; 1878 description 1879 "VSI name."; 1880 } 1882 leaf sub-if-name { 1883 type string; 1884 description 1885 "Sub-interface name."; 1886 } 1887 leaf is-enable { 1888 type boolean; 1889 default "true"; 1890 description 1891 "Enable status."; 1892 } 1893 leaf suppress-type { 1894 type suppress-style; 1895 default "percent"; 1896 description 1897 "Traffic suppression type."; 1898 } 1899 leaf broadcast { 1900 type uint32 { 1901 range "0..200000000"; 1902 } 1903 default "64"; 1904 description 1905 "Broadcast suppression (kbit/s)"; 1906 } 1907 leaf broadcast-percent { 1908 type uint32 { 1909 range "0..100"; 1910 } 1911 default "1"; 1912 
                 description
                   "Broadcast suppression.";
               }
               leaf unicast {
                 type uint32 {
                   range "0..200000000";
                 }
                 default "64";
                 description
                   "Unknown unicast suppression (kbit/s).";
               }
               leaf unicast-percent {
                 type uint32 {
                   range "0..100";
                 }
                 default "1";
                 description
                   "Unknown unicast suppression.";
               }
               leaf multicast {
                 type uint32 {
                   range "0..200000000";
                 }
                 default "64";
                 description
                   "Multicast suppression (kbit/s).";
               }
               leaf multicast-percent {
                 type uint32 {
                   range "0..100";
                 }
                 default "1";
                 description
                   "Multicast suppression.";
               }
             }
           }
           container vsi-total-numbers {
             description
               "List of MAC address total numbers in a VSI.";
             list vsi-total-number {
               key "vsi-name slot-id mac-type";
               config false;
               description
                 "Total number of MAC addresses in a VSI.";
               leaf vsi-name {
                 type string {
                   length "1..31";
                 }
                 description
                   "VSI name.";
               }
               leaf slot-id {
                 type string {
                   length "1..24";
                 }
                 description
                   "Slot ID.";
               }
               leaf mac-type {
                 type mac-type;
                 description
                   "MAC address type.";
               }
               leaf number {
                 type uint32;
                 mandatory true;
                 description
                   "Number of MAC addresses.";
               }
             }
           }
           container if-storm-supps {
             description
               "Interface traffic suppression list.";
             list if-storm-supp {
               key "if-name suppress-type";
               description
                 "Interface traffic suppression.";
               leaf if-name {
                 type string;
                 description
                   "Name of an interface.";
               }
               leaf suppress-type {
                 type suppress-type;
                 description
                   "Suppression type.";
               }
               leaf percent {
                 type uint64 {
                   range "0..99";
                 }
                 description
                   "Percent.";
               }
               leaf packets {
                 type uint64 {
                   range "0..148810000";
                 }
                 description
                   "Packets per second.";
               }
               leaf cir {
                 type uint64 {
                   range "0..100000000";
                 }
                 description
                   "CIR (Kbit/s).";
               }
               leaf cbs {
                 type uint64 {
                   range "10000..4294967295";
                 }
                 description
                   "CBS (Bytes).";
               }
             }
           }
           container if-storm-blocks {
             description
               "Interface traffic block list.";
             list if-storm-block {
               key "if-name block-type direction";
               description
                 "Interface traffic suppression.";
               leaf if-name {
                 type string;
                 description
                   "Name of an interface.";
               }
               leaf block-type {
                 type suppress-type;
                 description
                   "Block type.";
               }
               leaf direction {
                 type direction-type;
                 description
                   "Direction.";
               }
             }
           }
           container if-storm-contrls {
             description
               "Interface storm control list.";
             list if-storm-contrl {
               key "if-name";
               description
                 "Interface storm control.";
               leaf if-name {
                 type string;
                 description
                   "Name of an interface.";
               }
               leaf action {
                 type storm-ctrl-action-type;
                 default "normal";
                 description
                   "Action type.";
               }
               leaf trap-enable {
                 type enable-type;
                 default "disable";
                 description
                   "Trap state.";
               }
               leaf log-enable {
                 type enable-type;
                 default "disable";
                 description
                   "Log state.";
               }
               leaf interval {
                 type uint64 {
                   range "1..180";
                 }
                 default "5";
                 description
                   "Detect interval.";
               }
               container if-packet-contrl-attributes {
                 description
                   "Storm control rate list.";
                 list if-packet-contrl-attribute {
                   key "packet-type";
                   description
                     "Storm control rate.";
                   leaf packet-type {
                     type storm-ctrl-type;
                     description
                       "Packet type.";
                   }
                   leaf rate-type {
                     type storm-ctrl-rate-type;
                     default "pps";
                     description
                       "Storm control rate type.";
                   }
                   leaf min-rate {
                     type uint32 {
                       range "1..148810000";
                     }
                     mandatory true;
                     description
                       "Storm control min rate.";
                   }
                   leaf max-rate {
                     type uint64 {
                       range "1..148810000";
                     }
                     mandatory true;
                     description
                       "Storm control max rate.";
                   }
                 }
               }
               container ifstorm-contrl-infos {
                 description
                   "Storm control info list.";
                 list ifstorm-contrl-info {
                   key "packet-type";
                   config false;
                   description
                     "Storm control info.";
                   leaf packet-type {
                     type storm-ctrl-type;
                     description
                       "Packet type.";
                   }
                   leaf punish-status {
                     type storm-ctrl-action-type;
                     description
                       "Storm control status.";
                   }
                   leaf last-punish-time {
                     type string {
                       length "1..50";
                     }
                     description
                       "Last punish time.";
                   }
                 }
               }
             }
           }
         }
       }

6.  IANA Considerations

   This document makes no request of IANA.

   Note to RFC Editor: this section may be removed on publication as an
   RFC.

7.  Security Considerations

   To be added.

8.  Acknowledgements

Authors' Addresses

   Liang Xia
   Huawei

   Email: frank.xialiang@huawei.com

   Guangying Zheng
   Huawei

   Email: zhengguangying@huawei.com

   Wei Pan
   Huawei

   Email: william.panwei@huawei.com
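The if-storm-contrl list above is the part of this baseline an operator will most often want to audit: two of its leaves (trap-enable, log-enable) default to "disable", interval and the per-packet-type rates carry explicit ranges, and min-rate/max-rate are mandatory. The following checker is an added example, not code from the draft or from any vendor implementation. It applies the YANG defaults to instance data the way a server would report them, checks every value against the ranges transcribed from the module, and flags the configurations a defender cares about: storm control that suppresses traffic but neither traps nor logs the event, entries with no packet-type rate at all, and min-rate larger than max-rate (a consistency check the module itself does not express). The JSON-style instance data, the interface names, the "enable" value of enable-type and the packet-type values are constructed assumptions; the draft does not define those enumerations in the text shown here.

```python
"""Added example (not part of the draft): audit if-storm-contrl instance
data against the leaf constraints and defaults visible in the YANG above."""
from typing import Any, Dict, List

# Constraints transcribed from the module: ranges as (min, max), YANG defaults.
INTERVAL_RANGE = (1, 180)           # leaf interval, range "1..180"
RATE_RANGE = (1, 148810000)         # leaf min-rate / max-rate, range "1..148810000"
ENTRY_DEFAULTS = {"action": "normal", "trap-enable": "disable",
                  "log-enable": "disable", "interval": 5}
RATE_DEFAULTS = {"rate-type": "pps"}


def check_range(leaf: str, value: Any, rng: tuple, where: str,
                findings: List[str]) -> None:
    """Flag a value that is not an integer inside the leaf's declared range."""
    lo, hi = rng
    if not isinstance(value, int) or not lo <= value <= hi:
        findings.append(f"{where}: {leaf}={value!r} outside range {lo}..{hi}")


def check_entry(entry: Dict[str, Any]) -> List[str]:
    """Return baseline findings for one if-storm-contrl list entry.
    Absent leaves take their YANG default, as a server reports them."""
    e = {**ENTRY_DEFAULTS, **entry}
    where = e.get("if-name", "<unnamed>")
    findings: List[str] = []

    check_range("interval", e["interval"], INTERVAL_RANGE, where, findings)

    # Both notification channels default to "disable": a storm that is
    # suppressed but neither trapped nor logged leaves no trace for the SOC.
    if e["trap-enable"] == "disable" and e["log-enable"] == "disable":
        findings.append(f"{where}: storm events are neither trapped nor logged")

    rates = (e.get("if-packet-contrl-attributes", {})
              .get("if-packet-contrl-attribute", []))
    if not rates:
        findings.append(f"{where}: no packet-type rate configured")

    for rate in rates:
        r = {**RATE_DEFAULTS, **rate}
        tag = f"{where}/{r.get('packet-type', '<missing>')}"
        for leaf in ("min-rate", "max-rate"):   # both are mandatory in the model
            if leaf not in r:
                findings.append(f"{tag}: mandatory leaf {leaf} missing")
            else:
                check_range(leaf, r[leaf], RATE_RANGE, tag, findings)
        # The model does not relate the two leaves; this is an extra sanity check.
        if (isinstance(r.get("min-rate"), int) and isinstance(r.get("max-rate"), int)
                and r["min-rate"] > r["max-rate"]):
            findings.append(f"{tag}: min-rate exceeds max-rate")
    return findings


def audit(instance: Dict[str, Any]) -> Dict[str, List[str]]:
    """Audit every entry under /if-storm-contrls/if-storm-contrl."""
    entries = instance.get("if-storm-contrls", {}).get("if-storm-contrl", [])
    return {e.get("if-name", "<unnamed>"): check_entry(e) for e in entries}


# Constructed instance data (JSON-style). Interface names, the "enable" value
# and the packet-type values are assumptions; the draft text shown here does
# not define those enumerations.
SAMPLE = {"if-storm-contrls": {"if-storm-contrl": [
    {"if-name": "GE0/0/1", "trap-enable": "enable", "log-enable": "enable",
     "interval": 10,
     "if-packet-contrl-attributes": {"if-packet-contrl-attribute": [
         {"packet-type": "broadcast", "min-rate": 1000, "max-rate": 5000}]}},
    {"if-name": "GE0/0/2",                       # everything left at defaults
     "if-packet-contrl-attributes": {"if-packet-contrl-attribute": [
         {"packet-type": "multicast", "min-rate": 200000000}]}},
    {"if-name": "GE0/0/3", "trap-enable": "enable", "interval": 0},
]}}

if __name__ == "__main__":
    for ifname, findings in audit(SAMPLE).items():
        print(ifname, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed sample, GE0/0/1 passes, GE0/0/2 is reported for the silent defaults, an out-of-range min-rate and a missing mandatory max-rate, and GE0/0/3 for an interval of 0 and the absence of any rate entry. Feeding it real data means exporting the if-storm-contrls subtree from the device with defaults reported and converting it to the same JSON shape.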
