Network Working Group                                             L. Xia
Internet-Draft                                                  G. Zheng
Intended status: Standards Track                                  Huawei
Expires: March 11, 2018                               September 07, 2017


   The Data Model of Network Infrastructure Device Data Plane Security
                                Baseline
               draft-xia-sacm-nid-dp-security-baseline-00

Abstract

   This document proposes part of the security baseline YANG output for
   network infrastructure devices: the data plane security baseline.
   The companion documents [I-D.ietf-dong-sacm-nid-cp-security-baseline],
   [I-D.ietf-lin-sacm-nid-mp-security-baseline] and
   [I-D.ietf-xia-sacm-nid-app-infr-layers-security-baseline] cover the
   other parts of the security baseline YANG output for network
   infrastructure devices: the control plane security baseline, the
   management plane security baseline, and the application layer and
   infrastructure layer security baseline, respectively.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 11, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Xia & Zheng             Expires March 11, 2018                  [Page 1]

Internet-Draft  Network Infrastructure Device Data Plane Sec  September 2017

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Objective . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.2.  Security Baseline . . . . . . . . . . . . . . . . . . . .   4
     1.3.  Security Baseline Data Model Design . . . . . . . . . . .   4
     1.4.  Summary . . . . . . . . . . . . . . . . . . . . . . . . .   5
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   5
     2.1.  Key Words . . . . . . . . . . . . . . . . . . . . . . . .   6
     2.2.  Definition of Terms . . . . . . . . . . . . . . . . . . .   6
   3.  Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . . .   6
   4.  Data Model Structure  . . . . . . . . . . . . . . . . . . . .   6
     4.1.  Layer 2 protection  . . . . . . . . . . . . . . . . . . .   6
     4.2.  ARP . . . . . . . . . . . . . . . . . . . . . . . . . . .  10
     4.3.  URPF  . . . . . . . . . . . . . . . . . . . . . . . . . .  12
     4.4.  DHCP Snooping . . . . . . . . . . . . . . . . . . . . . .  15
     4.5.  Control Plane Protection  . . . . . . . . . . . . . . . .  20
     4.6.  Data Plane Protection . . . . . . . . . . . . . . . . . .  24
     4.7.  TCP/IP Attack Defence . . . . . . . . . . . . . . . . . .  35
   5.  Network Infrastructure Device Security Baseline Yang Module .  35
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  57
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  57
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  57
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  57
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  57
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  57
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  58

1.  Introduction

1.1.  Objective

   Network security is an integral part of overall network deployment
   and operation.  For several basic reasons, network infrastructure
   devices (e.g., switches, routers, firewalls) are frequent targets of
   network attackers, or are exploited by them to damage the victim
   network:

   o  The existence of many unsafe access channels: for historical
      reasons, old and insecure protocols such as SNMP v1/v2 and Telnet
      still run on routers, and replacing them with their safer
      counterparts (SNMP v3, SSH) is not mandatory.  Attackers easily
      exploit them to attack routers (e.g., unauthorized login, message
      eavesdropping);

   o  The openness of the TCP/IP network: despite the benefits that
      network openness brings to architecture design and connectivity,
      it also creates many threats.  Address spoofing, security
      weaknesses in various protocols, traffic flooding and other kinds
      of threat originate from network openness;

   o  The security challenge of network complexity: networks are
      becoming more complex, with massive numbers of nodes, various
      protocols and flexible topologies.  Without careful design, strict
      management and automated operation, the consistency of network
      security policy cannot be ensured, and it is common for part of
      the network infrastructure to be exposed to attack;

   o  The complex functionality of the device: the complexity of the
      device itself increases the difficulty of carrying out security
      hardening measures, as well as the skill required of the network
      administrator.
      As a result, the network administrator may not be capable of, or
      willing to, implement all the security measures, compared with
      implementing the basic functionality;

   o  The mismatch between the data plane and the control plane: there
      is a large mismatch in traffic processing capability between the
      different planes.  Without effective control, high-volume traffic
      from the data plane can easily flood the other planes.

   The importance of ensuring the security of network infrastructure
   devices is therefore beyond question.  To secure network
   infrastructure devices, one important task is to identify, as far as
   possible, the threats and vulnerabilities in the device itself, such
   as unnecessary services, insecure configurations and abnormal status,
   and then enforce security hardening measures such as applying
   patches, modifying the security configuration and enhancing the
   security mechanisms.  We call this task developing and deploying the
   security baseline for the network infrastructure, which provides a
   solid foundation for overall network security.  This document aims to
   describe the security baseline for the network infrastructure, called
   the security baseline for short in this document.

1.2.  Security Baseline

   Basically, a security baseline can be designed and deployed at
   different layers of a device:

   o  Application layer: refers to the application platform security
      solution and the typical application security mechanisms it
      provides, such as identity authentication, access control,
      permission management, encryption and decryption, auditing and
      tracking, and privacy protection, to ensure secure application
      data transmission/exchange, secure storage and secure processing,
      and so the secure operation of the application system.  Specific
      examples are web application security, software integrity
      protection, encryption of sensitive data, privacy protection,
      lawful interception interfaces and secure third-party components;

   o  Network layer: refers to a series of security measures that
      protect the network resources and network services running on the
      device's network platform.  Network layer security of a network
      product is complicated, so it is divided into the data plane,
      control plane and management plane for consideration:

      *  Data plane: focuses on the security hardening configuration and
         status that protect data plane traffic against eavesdropping,
         tampering, forgery and flooding attacks on the network;

      *  Control plane: focuses on the control signaling security of the
         network infrastructure device, to protect the normal exchange
         of signaling against various attacks (i.e., eavesdropping,
         tampering, forgery and flooding) and to restrict malicious
         control signaling, ensuring correct network topology and
         forwarding behavior;

      *  Management plane: focuses on management information and
         platform security.  More specifically, it includes all the
         security configuration and status involved in the network OAM
         process;

   o  Infrastructure layer: refers to all the security design of the
      device itself and its running OS.  As the foundation of the upper
      layer services, a secure infrastructure layer must be assured.
      The specific mechanisms include OS security, update management,
      software integrity and web security.

1.3.  Security Baseline Data Model Design

   The security baseline varies according to many factors, such as the
   device type (i.e., router, switch, firewall), the security features
   the device supports, and the specific security requirements of the
   network operator.  It is impossible to design a complete set, so this
   document and its companions propose the most important and universal
   points; more can be added in future following the data model scheme
   specified in this document.

   [I-D.ietf-birkholz-sacm-yang-content] defines a method of
   constructing the YANG data model scheme for the security posture
   assessment of network infrastructure devices by brokering YANG push
   telemetry via SACM statements.  The basic steps are:

   o  Use the YANG push mechanism [I-D.ietf-netconf-yang-push] to
      collect the created streams of notifications (telemetry)
      [I-D.ietf-netconf-subscribed-notifications], which provide SACM
      content on the SACM data plane; the filter expressions used in
      the context of YANG subscriptions constitute SACM content that is
      imperative guidance consumed by SACM components on the SACM
      management plane;

   o  Then encapsulate the YANG push output in a SACM Content Element
      envelope, which is in turn encapsulated in a SACM statement
      envelope;

   o  Lastly, publish the SACM statement into a SACM domain via an
      xmpp-grid publisher.

   In this document, we follow the same approach as
   [I-D.ietf-birkholz-sacm-yang-content] to define the YANG output for
   the network infrastructure device security baseline posture, based on
   the SACM information model [I-D.ietf-sacm-information-model].

1.4.  Summary

   This document proposes part of the security baseline YANG output for
   network infrastructure devices: the data plane security baseline.
   The companion documents [I-D.ietf-dong-sacm-nid-cp-security-baseline],
   [I-D.ietf-lin-sacm-nid-mp-security-baseline] and
   [I-D.ietf-xia-sacm-nid-app-infr-layers-security-baseline] cover the
   other parts of the security baseline YANG output for network
   infrastructure devices: the control plane security baseline, the
   management plane security baseline, and the application layer and
   infrastructure layer security baseline, respectively.

2.  Terminology

2.1.  Key Words

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.2.  Definition of Terms

   This document uses the terms defined in [I-D.ietf-sacm-terminology].

3.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is as
   follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  Data Model Structure

   A network infrastructure device decides the forwarding path based on
   the IP/MAC address and sends the packet on the data plane; the NP or
   ASIC are the main components implementing the data plane functions.
   Some overall introduction is to be added!

4.1.  Layer 2 protection

   The MAC table is the key resource for layer 2 forwarding, and it is
   easily attacked by making the device learn massive numbers of invalid
   MAC addresses.  The MAC limit function protects the MAC table by
   limiting the maximum number of MAC addresses learned on the
   designated interfaces.  When the upper limit is reached, new MAC
   addresses are not learned, the packet is discarded and, optionally,
   an alarm is generated.

   If broadcast traffic is not suppressed in a layer 2 network (i.e.,
   Ethernet), a great deal of network bandwidth is consumed by broadcast
   traffic.
   Network performance is degraded, and communication can even be
   interrupted.  In such a case, configure broadcast traffic suppression
   on the device to ensure that some bandwidth remains reserved for
   unicast forwarding when broadcast traffic bursts across the network.
   The device can be configured flexibly to suppress broadcast,
   multicast and unknown unicast traffic on an interface, on a specified
   interface in a VLAN, on a sub-interface, and on a virtual switch
   instance (VSI) pseudo wire (PW).

   module: ietf-mac-limit
      +--rw mac
         +--rw macLimitRules
         |  +--rw macLimitRule* [ruleName]
         |     +--rw ruleName    string
         |     +--rw maximum     uint32
         |     +--rw rate?       uint16
         |     +--rw action?     macLimitForward
         |     +--rw alarm?      macEnableStatus
         +--rw vlanMacLimits
         |  +--rw vlanMacLimit* [vlanId]
         |     +--rw vlanId      macVlanId
         |     +--rw maximum     uint32
         |     +--rw rate?       uint16
         |     +--rw action?     macLimitForward
         |     +--rw alarm?      macEnableStatus
         +--rw vsiMacLimits
         |  +--rw vsiMacLimit* [vsiName]
         |     +--rw vsiName     string
         |     +--rw maximum     uint32
         |     +--rw rate?       uint16
         |     +--rw action?     macLimitForward
         |     +--rw alarm?      macEnableStatus
         +--rw bdMacLimits
         |  +--rw bdMacLimit* [bdId]
         |     +--rw bdId        uint32
         |     +--rw maximum     uint32
         |     +--rw rate?       uint16
         |     +--rw action?     macLimitForward
         |     +--rw alarm?      macEnableStatus
         +--rw pwMacLimits
         |  +--rw pwMacLimit* [vsiName pwName]
         |     +--rw vsiName     string
         |     +--rw pwName      string
         |     +--rw maximum     uint32
         |     +--rw rate?       uint16
         |     +--rw action?     macLimitForward
         |     +--rw alarm?      macEnableStatus
         +--rw ifMacLimits
         |  +--rw ifMacLimit* [ifName limitType]
         |     +--rw ifName      pub-type:ifName
         |     +--rw limitType   limitType
         |     +--rw ruleName?   -> /mac/macLimitRules/macLimitRule/ruleName
         |     +--rw maximum     uint32
         |     +--rw rate?       uint16
         |     +--rw action?     macLimitForward
         |     +--rw alarm?      macEnableStatus
         +--rw ifVlanMacLimits
         |  +--ro ifVlanMacLimit* [ifName vlanBegin limitType]
         |     +--ro ifName      pub-type:ifName
         |     +--ro vlanBegin   macVlanId
         |     +--ro vlanEnd?    macVlanId
         |     +--ro limitType   limitType
         |     +--ro ruleName?   -> /mac/macLimitRules/macLimitRule/ruleName
         |     +--ro maximum     uint32
         |     +--ro rate        uint16
         |     +--ro action?     macLimitForward
         |     +--ro alarm?      macEnableStatus
         +--rw subifMacLimits
         |  +--rw subifMacLimit* [ifName limitType]
         |     +--rw ifName      pub-type:ifName
         |     +--rw limitType   limitType
         |     +--ro vsiName     string
         |     +--rw ruleName    string
         |     +--rw maximum     uint32
         |     +--rw rate?       uint16
         |     +--rw action?     macLimitForward
         |     +--rw alarm?      macEnableStatus
         +--rw vsiStormSupps
         |  +--rw vsiStormSupp* [vsiName suppressType]
         |     +--rw vsiName       string
         |     +--rw suppressType  suppressType
         |     +--rw percent?      uint64
         |     +--rw packets?      uint64
         |     +--rw cir?          uint64
         |     +--rw cbs?          uint64
         +--rw vlanStormSupps
         |  +--rw vlanStormSupp* [vlanId suppressType]
         |     +--rw vlanId        macVlanId
         |     +--rw suppressType  suppressType
         |     +--rw percent?      uint64
         |     +--rw packets?      uint64
         |     +--rw cir?          uint64
         |     +--rw cbs?          uint64
         +--rw pwSuppresss
         |  +--rw pwSuppress* [vsiName pwName suppressType]
         |     +--rw vsiName       string
         |     +--rw pwName        string
         |     +--rw suppressType  suppressType
         |     +--rw percent?      uint64
         |     +--rw packets?      uint64
         |     +--rw cir?          uint64
         |     +--rw cbs?          uint64
         +--rw vsiTotalNumbers
         |  +--ro vsiTotalNumber* [vsiName slotId macType]
         |     +--ro vsiName     string
         |     +--ro slotId      string
         |     +--ro macType     macType
         |     +--ro number      uint32
         +--rw ifStormSupps
         |  +--rw ifStormSupp* [ifName suppressType]
         |     +--rw ifName        pub-type:ifName
         |     +--rw suppressType  suppressType
         |     +--rw direction     directionType
         |     +--rw percent?      uint64
         |     +--rw packets?      uint64
         |     +--rw cir?          uint64
         |     +--rw cbs?          uint64
         +--rw ifStormBlocks
         |  +--rw ifStormBlock* [ifName blockType direction]
         |     +--rw ifName      pub-type:ifName
         |     +--rw blockType   suppressType
         |     +--rw direction   directionType
         +--rw ifStormContrls
            +--rw ifStormContrl* [ifName]
               +--rw ifName       pub-type:ifName
               +--rw action?      stormCtrlActionType
               +--rw trapEnable?  enableType
               +--rw logEnable?   enableType
               +--rw interval?    uint64
               +--rw ifPacketContrlAttributes
               |  +--rw ifPacketContrlAttribute* [packetType]
               |     +--rw packetType  stormCtrlType
               |     +--rw rateType?   stormCtrlRateType
               |     +--rw minRate     uint32
               |     +--rw maxRate     uint64
               +--rw ifstormContrlInfos
                  +--ro ifstormContrlInfo* [packetType]
                     +--ro packetType       stormCtrlType
                     +--ro punishStatus?    stormCtrlActionType
                     +--ro lastPunishTime?  string

4.2.  ARP

   ARP security is a set of functions that protect the ARP protocol and
   the network against malicious attacks, so that network communication
   stays stable and important user information is protected.  It mainly
   includes:

   ARP anti-spoofing functions: protect devices against spoofed ARP
   attack packets, improving the security and reliability of network
   communication.

   ARP anti-flooding functions: relieve CPU load and prevent ARP table
   overflow, ensuring normal network operation.

   module: ietf-arp-sec
      +--ro arp-sec
         +--ro arpInterfaces
         |  +--rw arpInterface* [ifName]
         |     +--rw ifName            -> /ifm:ifm/interfaces/interface/ifName
         |     +--rw arpLearnDisable?  boolean          //arp-learning-control
         |     +--rw arpLearnStrict?   arpStrictLearn   //arp-learning-control
         |     +--rw fakeExpireTime?   uint32           //arp-fake-expire-time?
         |     +--rw dstMacCheck?      boolean          //validate
         |     +--rw srcMacCheck?      boolean          //validate
         +--rw secArpGrats
         |  +--rw secArpGrat* [ifName]
         |     +--rw ifName  -> /ifm:ifm/interfaces/interface/ifName
         +--rw secArpChkIpEns
         |  +--rw secArpChkIpEn* [ifName]
         |     +--rw ifName  -> /ifm:ifm/interfaces/interface/ifName
         +--rw secArpMacIlls
         |  +--rw secArpMacIll* [ifName]
         |     +--rw ifName  -> /ifm:ifm/interfaces/interface/ifName
         +--rw secArpReqNoBlks
         |  +--rw secArpReqNoBlk* [ifName]
         |     +--rw ifName  -> /ifm:ifm/interfaces/interface/ifName
         +--ro secDisArpChks
         |  +--ro secDisArpChk* [secSlotId secChkType]
         |     +--ro secSlotId       -> /devm:devm/lpuBoards/lpuBoard/position
         |     +--ro secChkType      cpudefendArpAttackType
         |     +--ro secTotalPkts?   uint64
         |     +--ro secPassedPkts?  uint64
         |     +--ro secDropedPkts?  uint64
         +--ro arpIfLimits                              //arp-table-limit
         |  +--rw arpIfLimit* [ifName vlanId]
         |     +--rw ifName       -> /ifm:ifm/interfaces/interface/ifName
         |     +--rw vlanId       uint16
         |     +--rw limitNum     uint32
         |     +--ro learnedNum?  uint32
         +--ro arpSpeedLimits                           //arp-speed-limit
         |  +--rw arpSpeedLimit* [slotId suppressType ipType]
         |     +--rw slotId         string
         |     +--rw suppressType   enumeration
         |     +--rw ipType         enumeration
         |     +--rw suppressValue  uint32
         +--ro arpGlobalSpeedLimits                     //arp-speed-limit
            +--rw arpGSpeedLimit* [gSuppressType gIpType]
               +--rw gSuppressType   arpSuppType
               +--rw gIpType         arpSuppIpType
               +--rw gPortType?      enumeration
               +--rw gSuppressValue  uint32

4.3.  URPF

   Unicast Reverse Path Forwarding (URPF) is a technology used to defend
   against network attacks based on source address spoofing.  Generally,
   upon receiving a packet, a router first obtains the destination IP
   address of the packet and then searches the forwarding table for a
   route to the destination address.  If the router finds such a route,
   it forwards the packet; otherwise, it discards the packet.  A URPF-
   enabled router, however, also obtains the source IP address of a
   received packet and searches for a route to the source address.
   If the router fails to find such a route, it considers the source
   address forged and discards the packet.  In this manner, URPF can
   effectively protect against malicious attacks launched by changing
   the source addresses of packets.

   URPF can be performed in strict or loose mode.  Strict mode checks
   both that a route to the source address exists in the routing table
   and that this route points back to the interface on which the packet
   arrived, while loose mode only checks that the source address is in
   the routing table.  In some cases the router may have only a default
   route to the ISP's router, so matching the default route entry must
   also be supported.  URPF can be applied to an interface, to a defined
   flow (the qosActUrpf behavior below) and to traffic sent to the local
   CPU.

   module: ietf-urpf-sec
      +--rw urpf-security
         +--rw interface-urpf* [ifname]
         |  +--rw ifname          if:interface-ref
         |  +--rw mode?           enumeration
         |  +--rw allow-default?  boolean
         +--rw qosClassifiers
         |  +--rw qosClassifier* [classifierName operator]
         |     +--rw classifierName  qosPolicyName
         |     +--rw description?    string
         |     +--rw operator        qosClassOperator
         |     +--rw qosRuleAnys
         |     |  +--rw qosRuleAny* [protoFamily]
         |     |     +--rw protoFamily  qosIPFamily
         |     +--rw qosRuleMacs
         |     |  +--rw qosRuleMac* [macType macAddr]
         |     |     +--rw macType  qosMacType
         |     |     +--rw macAddr  pub-type:macAddress
         |     +--rw qosRuleProto6s
         |     |  +--rw qosRuleProto6* [protoFamily protocol]
         |     |     +--rw protoFamily  qosIPv6Family
         |     |     +--rw protocol     uint8
         |     +--rw qosRuleIPv6Addrs
         |     |  +--rw qosRuleIPv6Addr* [addressType ipAddress6 prefixLen]
         |     |     +--rw addressType  qosAddressType
         |     |     +--rw ipAddress6   pub-type:ipv6Address
         |     |     +--rw prefixLen    uint8
         |     +--rw qosRuleTcpFlags
         |     |  +--rw qosRuleTcpFlag* [tcpFlag]
         |     |     +--rw tcpFlag  uint8
         |     +--rw qosRuleAcls
         |     |  +--rw qosRuleAcl* [aclFamily aclName]
         |     |     +--rw aclFamily  qosIPFamily
         |     |     +--rw aclName    string
         |     +--rw qosRulePrioritys
         |        +--rw qosRulePriority* [priorityType priorityValue]
         |           +--rw priorityType   qosPriorityType
         |           +--rw priorityValue  uint8
         +--rw qosBehaviors
         |  +--rw qosBehavior* [behaviorName]
         |     +--rw behaviorName  qosPolicyName
         |     +--rw description?  string
         |     +--rw qosActFilters
         |     |  +--rw qosActFilter*
         |     |     +--rw actionType  qosActionFilter
         |     |     +--rw filter      qosFilterFlag
         |     +--rw qosActPortMirrors
         |     |  +--rw qosActPortMirror* [actionType]
         |     |     +--rw actionType  qosActionPortMirror
         |     |     +--rw enable      qosPortMirror
         |     +--rw qosActCars
         |     |  +--rw qosActCar* [actionType]
         |     |     +--rw actionType           qosActionCar
         |     |     +--rw cir                  uint32
         |     |     +--rw pir?                 uint32
         |     |     +--rw cbs?                 uint32
         |     |     +--rw pbs?                 uint32
         |     |     +--rw greenAction?         qosCarRedActionType
         |     |     +--rw greenServiceClass?   qosServiceClass
         |     |     +--rw greenColor?          qosColor
         |     |     +--rw yellowAction?        qosCarRedActionType
         |     |     +--rw yellowServiceClass?  qosServiceClass
         |     |     +--rw yellowColor?         qosColor
         |     |     +--rw redAction?           qosCarRedActionType
         |     |     +--rw redServiceClass?     qosServiceClass
         |     |     +--rw redColor?            qosColor
         |     +--rw qosActRemarks
         |     |  +--rw qosActRemark* [actionType]
         |     |     +--rw actionType   qosActionRemark
         |     |     +--rw remarkValue  uint8
         |     +--rw qosActSrvClss
         |     |  +--rw qosActSrvCls* [actionType]
         |     |     +--rw actionType    qosActionServiceClass
         |     |     +--rw serviceClass  qosServiceClass
         |     |     +--rw color         qosColor
         |     +--rw qosActUrpfs
         |     |  +--rw qosActUrpf* [actionType]
         |     |     +--rw actionType     qosActionUrpf
         |     |     +--rw checkType      qosUrpfCheckType
         |     |     +--rw allowDefault?  qosSwitchFlag
         |     +--rw qosActLoads
         |     |  +--rw qosActLoad* [actionType]
         |     |     +--rw actionType   qosActionLoadBalance
         |     |     +--rw balanceType  qosLoadBalanceType
         |     +--rw qosActNsSamplers
         |     |  +--rw qosActNsSampler* [flowType]
         |     |     +--rw flowType     qosNsFlowType
         |     |     +--rw sampleType   qosSampleType
         |     |     +--rw sampleValue  uint16
         |     +--rw qosActRdrNhps
         |     |  +--rw qosActRdrNhp* [rdrType]
         |     |     +--rw rdrType  qosRdrType
         |     |     +--rw nextHop  pub-type:ipv4Address
         |     |     +--rw ifName   pub-type:ifName
         |     +--rw qosActRdrMhps
         |     |  +--rw qosActRdrMhp* [rdrType]
         |     |     +--rw rdrType       qosRdrType
         |     |     +--rw loadBalance?  boolean
         |     |     +--rw qosRdrNhps
         |     |        +--rw qosRdrNhp* [nextHop]
         |     |           +--rw nextHop  pub-type:ipv4Address
         |     |           +--rw ifName   pub-type:ifName
         |     +--rw qosActRdrNhp6s
         |     |  +--rw qosActRdrNhp6* [rdrType]
         |     |     +--rw rdrType  qosRdrType
         |     |     +--rw nextHop  pub-type:ipv6Address
         |     |     +--rw ifName   pub-type:ifName
         |     +--rw qosActRdrMhp6s
         |     |  +--rw qosActRdrMhp6* [rdrType]
         |     |     +--rw rdrType       qosRdrType
         |     |     +--rw loadBalance?  boolean
         |     |     +--rw qosRdrNhp6s
         |     |        +--rw qosRdrNhp6* [nextHop]
         |     |           +--rw nextHop  pub-type:ipv6Address
         |     |           +--rw ifName   pub-type:ifName
         |     +--rw qosActRdrVpns
         |     |  +--rw qosActRdrVpn* [actionType]
         |     |     +--rw actionType    qosActionRedirectVpnGroup
         |     |     +--rw vpnGroupName  qosPolicyName
         |     +--rw qosActRdrLsps
         |        +--rw qosActRdrLsp* [actionType]
         |           +--rw actionType  qosActionRedirectLsp
         |           +--rw configType  qosLspRdrType
         |           +--rw destAddr    pub-type:ipv4Address
         |           +--rw nextHop     pub-type:ipv4Address
         |           +--rw ifName      pub-type:ifName
         |           +--rw secondary   qosEnableFlag
         +--rw qosPolicys
         |  +--rw qosPolicy* [policyName]
         |     +--rw policyName    qosPolicyName
         |     +--ro policyID?     uint32
         |     +--rw description?  string
         |     +--rw step?         uint16
         |     +--rw shareMode?    qosSwitchFlag
         |     +--rw statFlag?     qosSwitchFlag
         |     +--rw v6QosLocalIDEns
         |     |  +--rw v6QosLocalIDEn* [v6QosLocalIDEn]
         |     |     +--rw v6QosLocalIDEn  boolean
         |     +--rw qosPolicyNodes
         |     |  +--rw qosPolicyNode* [classifierName]
         |     |     +--rw classifierName  string
         |     |     +--rw behaviorName    string
         |     |     +--rw priority?       uint16
         |     +--rw qosPolicyNodeNewModes
         |        +--rw qosPolicyNodeNewMode* [classifierName streamDirection groupType groupName]
         |           +--rw classifierName   string
         |           +--rw streamDirection  streamDirectionType
         |           +--rw groupType        groupType
         |           +--rw groupName        string
         |           +--rw behaviorName     string
         |           +--rw precedence?      uint16
         +--rw local-URPF
            +--rw cpu-defend-policy* [name]
               +--rw name           string
               +--rw description?   string
               +--rw urpf-mode      enumeration
               +--rw allow-default  boolean
               +--rw slot-id        uint16

4.4.  DHCP Snooping

   DHCP, which is widely used on networks, dynamically assigns IP
   addresses to clients and manages configuration information in a
   centralized manner.  During DHCP packet forwarding, attacks such as
   bogus DHCP server attacks, DHCP exhaustion attacks, denial of service
   (DoS) attacks and DHCP flooding attacks may occur.
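   The URPF decision described in Section 4.3 (strict versus loose
   mode, and the allow-default switch exposed by the interface-urpf and
   cpu-defend-policy nodes) is shown below as an added worked example
   in Python.  It is illustration code written for this page, not code
   from the draft or from any vendor implementation; the FIB entries,
   interface names and source addresses are constructed for the
   example, and the lookup is a plain longest-prefix match.

```python
"""URPF source-address check: strict vs. loose mode, with allow-default.

Added example for Section 4.3 of the draft; not code from the draft.
FIB contents, interface names and sample sources are constructed here.
Requires Python 3.7+ (dataclasses, ipaddress from the standard library).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Route:
    prefix: IPNetwork
    out_if: str          # interface the route points to: the reverse path


class Fib:
    """Minimal forwarding table with longest-prefix-match lookup."""

    def __init__(self, routes: List[Route]) -> None:
        # Longest prefixes first, so the first hit is the longest match;
        # a 0.0.0.0/0 entry, if present, is therefore tried last.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[Route]:
        ip = ipaddress.ip_address(addr)
        for route in self.routes:
            if ip.version == route.prefix.version and ip in route.prefix:
                return route
        return None


def urpf_check(fib: Fib, src: str, in_if: str,
               mode: str = "strict", allow_default: bool = False) -> bool:
    """Return True when the packet passes URPF and may be forwarded.

    loose:  a route to the source address must exist.
    strict: that route must also point out of the ingress interface.
    allow_default: whether a match on the default route alone counts,
                   needed when the only route to the Internet is the
                   default route towards the ISP.
    """
    route = fib.lookup(src)
    if route is None:
        return False                    # unrouteable source: forged or bogon
    if route.prefix.prefixlen == 0 and not allow_default:
        return False                    # only the default route matched
    if mode == "loose":
        return True
    if mode == "strict":
        return route.out_if == in_if    # reverse path must be the ingress port
    raise ValueError(f"unknown URPF mode: {mode}")


def make_route(prefix: str, out_if: str) -> Route:
    return Route(ipaddress.ip_network(prefix), out_if)


# Constructed sample FIB: two customer prefixes and a default route to the ISP.
SAMPLE_FIB = Fib([
    make_route("10.1.0.0/16", "ge0/0/1"),
    make_route("192.168.5.0/24", "ge0/0/2"),
    make_route("0.0.0.0/0", "ge0/0/3"),      # uplink towards the ISP
])
# Same table without the default route, to show the "no route" case.
NO_DEFAULT_FIB = Fib(SAMPLE_FIB.routes[:-1])


def demo() -> List[str]:
    """Run constructed packets through the check; one verdict string per case."""
    cases = [
        # (source, ingress interface, mode, allow_default)
        ("10.1.2.3",    "ge0/0/1", "strict", False),  # genuine customer traffic
        ("10.1.2.3",    "ge0/0/2", "strict", False),  # customer prefix spoofed from another port
        ("10.1.2.3",    "ge0/0/2", "loose",  False),  # loose mode misses the mismatch
        ("203.0.113.9", "ge0/0/3", "strict", False),  # Internet source, default route only
        ("203.0.113.9", "ge0/0/3", "strict", True),   # same, allow-default on the uplink
        ("203.0.113.9", "ge0/0/1", "strict", True),   # Internet source spoofed from a customer port
    ]
    return [f"{src} in {in_if} {mode}{' +default' if ad else ''}: "
            f"{'forward' if urpf_check(SAMPLE_FIB, src, in_if, mode, ad) else 'drop'}"
            for src, in_if, mode, ad in cases]


if __name__ == "__main__":
    print("\n".join(demo()))
```

   The uplink case shows why allow-default is needed only on the ISP-
   facing interface: with it on, strict mode still drops Internet
   sources arriving on a customer port, because the default route
   points back out of the uplink, not the customer port.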
Xia & Zheng Expires March 11, 2018 [Page 15] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 DHCP snooping is a DHCP security feature that functions in a similar way to a firewall between DHCP clients and servers. A DHCP-snooping- capable device intercepts DHCP packets and uses information carried in the packets to create a DHCP snooping binding table. This table records hosts' MAC addresses, IP addresses, IP address lease time, VLAN, and interface information. The device uses this table to check the validity of received DHCP packets. If a DHCP packet does not match any entry in this table, the device discards the packet. Besides the binding table, DHCP snooping has other security features such as trusted interface, max dhcp user limit and whitelist to defend against the bogus DHCP server, DHCP flooding and other fine- grained DHCP attacks. module: ietf-dhcp-sec +--rw dhcp +--rw snooping +--rw dhcpSnpGlobal | +--rw dhcpSnpEnable? boolean | +--rw serverDetectEnable? boolean | +--rw dhcpSnpUserBindAutoSaveEnable? boolean | +--rw dhcpSnpUserBindFileName? string | +--rw globalCheckRateEnable? boolean | +--rw dhcpSnpGlobalRate? uint16 | +--rw checkRateAlarmEnable? boolean | +--rw rateThreshold? uint16 | +--rw alarmThreshold? uint16 | +--ro rateLimitPacketCount? uint32 | +--rw dhcpSnpUserOfflineRemoveMac? boolean | +--rw dhcpSnpArpDetectEnable? boolean | +--rw dhcpSnpGlobalMaxUser? uint16 | +--rw dhcpSnpUserTransferEnable? 
boolean +--rw dhcpSnpVlans | +--rw dhcpSnpVlan* [vlanId] | +--rw vlanId uint16 | +--rw dhcpSnpEnable boolean | +--rw checkRateEnable boolean | +--rw dhcpSnpVlanRate uint32 | +--rw dhcpSnpVlanTrustEnable boolean | +--rw checkArpEnable boolean | +--rw alarmArpEnable boolean | +--rw alarmArpThreshold uint16 | +--rw checkIpEnable boolean | +--rw alarmIpEnable boolean | +--rw alarmIpThreshold uint16 | +--rw alarmReplyEnable boolean | +--rw alarmReplyThreshold uint16 | +--rw checkMacEnable boolean Xia & Zheng Expires March 11, 2018 [Page 16] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 | +--rw alarmMacEnable boolean | +--rw alarmMacThreshold uint16 | +--rw checkUserBindEnable boolean | +--rw alarmUserBindEnable boolean | +--rw alarmUserBindThreshold uint16 | +--rw dhcpSnpVlanMaxUserNum uint16 | +--rw alarmUserLimitEnable boolean | +--rw alarmUserLimitThreshold uint16 | +--rw dhcpSnpVlanStatistics | +--ro dropArpPktCnt? uint32 | +--ro dropIpPktCnt? uint32 | +--ro dropDhcpReqCntByBindTbl? uint32 | +--ro dropDhcpReqCntByMacCheck? uint32 | +--ro dropDhcpReplyCnt? 
uint32 +--rw vlanTrustInterfaces | +--rw vlanTrustInterface* [vlanId ifName] | +--rw vlanId uint16 | +--rw ifName pub-type:ifName +--rw dhcpSnpInterfaces | +--rw dhcpSnpInterface* [ifName] | +--rw ifName pub-type:ifName | +--rw dhcpSnpEnable boolean | +--rw dhcpSnpIfDisable boolean | +--rw dhcpSnpIfTrustEnable boolean | +--rw dhcpSnpIfRate uint16 | +--rw checkRateEnable boolean | +--rw alarmRateEnable boolean | +--rw alarmRateThreshold uint16 | +--rw checkArpEnable boolean | +--rw alarmArpEnable boolean | +--rw alarmArpThreshold uint16 | +--rw checkIpEnable boolean | +--rw alarmIpEnable boolean | +--rw alarmIpThreshold uint16 | +--rw alarmReplyEnable boolean | +--rw alarmReplyThreshold uint16 | +--rw checkMacEnable boolean | +--rw alarmMacEnable boolean | +--rw alarmMacThreshold uint16 | +--rw checkUserBindEnable boolean | +--rw alarmUserBindEnable boolean | +--rw alarmUserBindThreshold uint16 | +--rw dhcpSnpIntfMaxUserNum uint32 | +--rw alarmUserLimitEnable boolean | +--rw alarmUserLimitThreshold uint16 | +--rw dhcpSnpInterfStickyMacEnable boolean | +--rw dhcpSnpIfStatistics | +--ro dropArpPktCnt? uint32 Xia & Zheng Expires March 11, 2018 [Page 17] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 | +--ro dropIpPktCnt? uint32 | +--ro pktCntDropByUserBind? uint32 | +--ro pktCntDropByMac? uint32 | +--ro pktCntDropByUntrustReply? uint32 | +--ro pktCntDropByRate? uint32 +--rw dhcpSnpDynBindTbls | +--ro dhcpSnpDynBindTbl* [ipAddress outerVlan innerVlan vsiName vpnName bridgeDomain] | +--ro ipAddress pub-type:ipv4Address | +--ro outerVlan uint16 | +--ro innerVlan uint16 | +--ro vsiName string | +--ro vpnName string | +--ro bridgeDomain uint32 | +--ro macAddress? pub-type:macAddress | +--ro ifName? pub-type:ifName | +--ro lease? 
yang:date-and-time +--rw dhcpSnpVlanIfs | +--rw dhcpSnpVlanIf* [vlanId ifName] | +--rw vlanId uint16 | +--rw ifName pub-type:ifName | +--rw dhcpSnpEnable boolean | +--rw trustFlag boolean | +--rw checkArpEnable boolean | +--rw alarmArpEnable boolean | +--rw alarmArpThreshold uint32 | +--rw checkIpEnable boolean | +--rw alarmIpEnable boolean | +--rw alarmIpThreshold uint32 | +--rw alarmReplyEnable boolean | +--rw alarmReplyThreshold uint32 | +--rw checkChaddrEnable boolean | +--rw alarmChaddrEnable boolean | +--rw alarmChaddrThreshold uint32 | +--rw checkReqEnable boolean | +--rw alarmReqEnable boolean | +--rw alarmReqThreshold uint32 | +--rw dhcpSnpVlanIfMaxUserNum uint32 | +--rw alarmUserLimitEnable boolean | +--rw alarmUserLimitThreshold uint32 | +--rw dhcpSnpVlanIfStatistics | +--ro dropArpPktCnt? uint32 | +--ro dropIpPktCnt? uint32 | +--ro dropDhcpReqCntByBindTbl? uint32 | +--ro dropDhcpReqCntByMacCheck? uint32 | +--ro dropDhcpReplyCnt? uint32 +--rw ifStaticBindTbls | +--rw ifStaticBindTbl* [ifName ipAddress vlanId ceVlanId] | +--rw ifName pub-type:ifName Xia & Zheng Expires March 11, 2018 [Page 18] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 | +--rw ipAddress pub-type:ipAddress | +--rw vlanId uint16 | +--rw ceVlanId uint16 | +--rw macAddress? pub-type:macAddress +--rw vlanStaticBindTbls | +--rw vlanStaticBindTbl* [vlanId ipAddress ceVlanId] | +--rw vlanId uint16 | +--rw ipAddress pub-type:ipAddress | +--rw ceVlanId uint16 | +--rw macAddress? pub-type:macAddress | +--rw ifName? pub-type:ifName +--rw dhcpSnpBds | +--rw dhcpSnpBd* [bdId] | +--rw bdId uint32 | +--rw dhcpSnpEnable? boolean | +--rw dhcpSnpTrust? boolean | +--rw checkArpEnable? boolean | +--rw alarmArpEnable? boolean | +--rw alarmArpThreshold? uint32 | +--rw checkIpEnable? boolean | +--rw alarmIpEnable? boolean | +--rw alarmIpThreshold? uint32 | +--rw alarmReplyEnable? boolean | +--rw alarmReplyThreshold? uint32 | +--rw checkMacEnable? boolean | +--rw alarmMacEnable? 
                          boolean
        |     +--rw alarmMacThreshold?   uint32
        |     +--rw checkRequestEnable?   boolean
        |     +--rw alarmRequestEnable?   boolean
        |     +--rw alarmRequestThreshold?   uint32
        |     +--rw maxUserNum?   uint32
        |     +--rw alarmUserLimitEnable?   boolean
        |     +--rw alarmUserLimitThreshold?   uint32
        |     +--rw statistics
        |        +--ro dropArpPktCnt?   uint32
        |        +--ro dropIpPktCnt?   uint32
        |        +--ro dropDhcpReqCntByBindTbl?   uint32
        |        +--ro dropDhcpReqCntByMacCheck?   uint32
        |        +--ro dropDhcpReplyCnt?   uint32
        +--rw BdStaticBindTbls
        |  +--rw globalBdStaticBindTbl* [bdId ipAddress peVlan ceVlan]
        |     +--rw bdId   uint32
        |     +--rw ipAddress   pub-type:ipv4Address
        |     +--rw macAddress?   pub-type:macAddress
        |     +--rw peVlan   uint16
        |     +--rw ceVlan   uint16
        +--rw dhcpSnpWhiteLists
           +--rw dhcpSnpWhiteList* [whtLstName]
              +--rw whtLstName   string
              +--rw applyFlag   boolean
              +--rw dhcpSnpWhiteRules
                 +--rw dhcpSnpWhiteRule* [ruleId]
                    +--rw ruleId   uint16
                    +--rw srcIP?   inet:ipv4-address-no-zone
                    +--rw srcMask?   inet:ipv4-address-no-zone
                    +--rw dstIP?   inet:ipv4-address-no-zone
                    +--rw dstMask?   inet:ipv4-address-no-zone
                    +--rw srcPort?   dhcpSnpPort
                    +--rw dstPort?   dhcpSnpPort

4.5.  Control Plane Protection

   When a large number of protocols run on the router, many packets need
   to be sent to the control plane for processing.  In such a case, the
   router's control plane is prone to attack.  To protect it, protocol
   packet control is needed.  This function allows only the specified
   protocol packets to be sent to the control plane, which reduces
   malicious packet attacks on the control plane and ensures that the
   device keeps working properly.

   module: ietf-hostdefend-sec
     +--rw hostdefend
        +--rw secma global
        |  +--rw secMAEnable?   boolean
        |  +--rw secMABgp?   hostdefendMAAction
        |  +--rw secMAFtp?   hostdefendMAAction
        |  +--rw secMALdp?   hostdefendMAAction
        |  +--rw secMAOspf?   hostdefendMAAction
        |  +--rw secMARip?   hostdefendMAAction
        |  +--rw secMARsvp?   hostdefendMAAction
        |  +--rw secMASnmp?
                          hostdefendMAAction
        |  +--rw secMASsh?   hostdefendMAAction
        |  +--rw secMATlnt?   hostdefendMAAction
        |  +--rw secMATftp?   hostdefendMAAction
        |  +--rw secMAIsis?   hostdefendMAAction
        |  +--rw secMAPimSm?   hostdefendMAAction
        |  +--rw secMABgp4Plus?   hostdefendMAAction
        |  +--rw secMAIPv6Ftp?   hostdefendMAAction
        |  +--rw secMAOspfv3?   hostdefendMAAction
        |  +--rw secMAIPv6PimSm?   hostdefendMAAction
        |  +--rw secMAIPv6Ssh?   hostdefendMAAction
        |  +--rw secMAIPv6Telnet?   hostdefendMAAction
        +--rw secmaslots
        |  +--rw secmaslot* [secMASlotPlcyID]
        |     +--rw secMASlotPlcyID   uint32
        |     +--rw secMABgp?   hostdefendMAAction
        |     +--rw secMAFtp?   hostdefendMAAction
        |     +--rw secMALdp?   hostdefendMAAction
        |     +--rw secMAOspf?   hostdefendMAAction
        |     +--rw secMARip?   hostdefendMAAction
        |     +--rw secMARsvp?   hostdefendMAAction
        |     +--rw secMASnmp?   hostdefendMAAction
        |     +--rw secMASsh?   hostdefendMAAction
        |     +--rw secMATelnet?   hostdefendMAAction
        |     +--rw secMATftp?   hostdefendMAAction
        |     +--rw secMAIsis?   hostdefendMAAction
        |     +--rw secMAPimSm?   hostdefendMAAction
        |     +--rw secMABgp4Plus?   hostdefendMAAction
        |     +--rw secMAIPv6Ftp?   hostdefendMAAction
        |     +--rw secMAOspfv3?   hostdefendMAAction
        |     +--rw secMAIPv6PimSm?   hostdefendMAAction
        |     +--rw secMAIPv6Ssh?   hostdefendMAAction
        |     +--rw secMAIPv6Telnet?   hostdefendMAAction
        +--rw secmaslotcfgs
        |  +--rw secmaslotcfg* [secMASlotIdStr]
        |     +--rw secMASlotIdStr   hostdefendMaSlotId
        |     +--rw secMASlotPlcyID   uint32
        +--rw secmaintfs
        |  +--rw secmaintf* [secMAIntfPlcyID]
        |     +--rw secMAIntfPlcyID   uint32
        |     +--rw secMABgp?   hostdefendMAAction
        |     +--rw secMAFtp?   hostdefendMAAction
        |     +--rw secMALdp?   hostdefendMAAction
        |     +--rw secMAOspf?   hostdefendMAAction
        |     +--rw secMARip?   hostdefendMAAction
        |     +--rw secMARsvp?   hostdefendMAAction
        |     +--rw secMASnmp?   hostdefendMAAction
        |     +--rw secMASsh?   hostdefendMAAction
        |     +--rw secMATelnet?   hostdefendMAAction
        |     +--rw secMATftp?   hostdefendMAAction
        |     +--rw secMAIsis?
                          hostdefendMAAction
        |     +--rw secMAPimSm?   hostdefendMAAction
        |     +--rw secMABgp4Plus?   hostdefendMAAction
        |     +--rw secMAIPv6Ftp?   hostdefendMAAction
        |     +--rw secMAOspfv3?   hostdefendMAAction
        |     +--rw secMAIPv6PimSm?   hostdefendMAAction
        |     +--rw secMAIPv6Ssh?   hostdefendMAAction
        |     +--rw secMAIPv6Telnet?   hostdefendMAAction
        +--rw secmaintfcfgs
        |  +--rw secmaintfcfg* [ifName]
        |     +--rw ifName   pub-type:ifName
        |     +--rw secMAIntfPlcyID   uint32
        +--rw secFragCarStats
        |  +--ro secFragCarStat* [secSlotId]
        |     +--ro secSlotId   string
        |     +--ro secTotalPktNum?   uint64
        |     +--ro secDropPktNum?   uint64
        |     +--ro secPassPktNum?   uint64
        +--rw secMaDefendStats
        |  +--ro secMaDefendStat* [slotId protocolType]
        |     +--ro slotId   string
        |     +--ro protocolType   hostdefendMaDefendPROTOCOL
        |     +--ro totalPktNum?   uint64
        |     +--ro passPktNum?   uint64
        |     +--ro dropPktNum?   uint64
        +--rw secHostCaptPkts
        |  +--rw secHostCaptPkt* [captureIndex]
        |     +--rw captureIndex   uint8
        |     +--rw hostCaptPro   uint32
        |     +--rw hostCaptType   hostdefendCaptPhyType
        |     +--rw ifName?   pub-type:ifName
        |     +--rw captLinkType?   hostdefendCaptLinkType
        |     +--rw peVlan?   uint32
        |     +--rw peEnd?   uint32
        |     +--rw ceVlan?   uint32
        |     +--rw ceEnd?   uint32
        |     +--rw captPktNum?   uint32
        |     +--rw captTimeOut?   uint32
        |     +--rw captPktLenType?   hostdefendPktLenType
        |     +--rw captPktLen?   uint32
        |     +--rw captAclType?   hostdefendAclType
        |     +--rw captAcl?   hostdefendCaptAcl
        |     +--rw captIpv6Acl?   hostdefendCaptIpv6Acl
        |     +--rw terminal?   hostdefendDestType
        |     +--rw fileName?   string
        |     +--rw fileSize?   uint32
        +--rw secMaDefendIfStats
        |  +--ro secMaDefendIfStat* [protocolType]
        |     +--ro ifName?   pub-type:ifName
        |     +--ro protocolType   hostdefendMaDefendPROTOCOL
        |     +--ro totalPktNum?   uint64
        |     +--ro passPktNum?   uint64
        |     +--ro dropPktNum?
                          uint64
        +--rw secIsolates
        |  +--rw secIsolate* [secStatus]
        |     +--rw secStatus   hostdefendIsolateStatus
        +--rw serviceSecurityV4s
        |  +--rw serviceSecurityV4* [policyName]
        |     +--rw policyName   mpacPolicyName
        |     +--rw step?   uint32
        |     +--rw description?   string
        |     +--rw ruleIPv4s
        |        +--rw ruleIPv4* [ruleName]
        |           +--rw ruleName   string
        |           +--rw ruleID?   uint32
        |           +--rw action   mpacRuleAction
        |           +--rw protocolType   mpacProtocolType
        |           +--rw protocolName?   mpacProtoName
        |           +--rw ipProtocolNum?   uint8
        |           +--rw sourceIP?   pub-type:ipv4Address
        |           +--rw sourceWild?   pub-type:ipv4Address
        |           +--rw destinationIP?   pub-type:ipv4Address
        |           +--rw destinationWild?   pub-type:ipv4Address
        |           +--rw sourcePort?   uint16
        |           +--rw destinationPort?   uint16
        |           +--rw match4Stats
        |              +--ro match4Stat*
        |                 +--ro matchCount?   uint64
        +--rw serviceSecurityV6s
        |  +--rw serviceSecurityV6* [policyName]
        |     +--rw policyName   mpacPolicyName
        |     +--rw step?   uint32
        |     +--rw description?   string
        |     +--rw ruleIPv6s
        |        +--rw ruleIPv6* [ruleName]
        |           +--rw ruleName   string
        |           +--rw ruleID?   uint32
        |           +--rw action   mpacRuleAction
        |           +--rw protocolType   mpacProtocolType
        |           +--rw protocolName?   mpacProto6Name
        |           +--rw ipProtocolNum?   uint8
        |           +--rw sourceIP?   pub-type:ipv6Address
        |           +--rw sourcePrefix?   uint32
        |           +--rw destinationIP?   pub-type:ipv6Address
        |           +--rw destinationPrefix?   uint32
        |           +--rw sourcePort?   uint16
        |           +--rw destinationPort?   uint16
        |           +--rw match6Stats
        |              +--ro match6Stat*
        |                 +--ro matchCount?   uint64
        +--rw serviceSecurityCfgGlobals
        |  +--rw serviceSecurityCfgGlobal* [family]
        |     +--rw family   enumeration
        |     +--rw policyNameV4?   -> /hostdefend/serviceSecurityV4s/serviceSecurityV4/policyName
        |     +--rw policyNameV6?   -> /hostdefend/serviceSecurityV6s/serviceSecurityV6/policyName
        +--rw serviceSecurityCfgIfs
        |  +--rw serviceSecurityCfgIf* [ifName family]
        |     +--rw ifName   pub-type:ifName
        |     +--rw family   mpacProtocolFamily
        |     +--rw policyNameV4?
                          -> /hostdefend/serviceSecurityV4s/serviceSecurityV4/policyName
        |     +--rw policyNameV6?   -> /hostdefend/serviceSecurityV6s/serviceSecurityV6/policyName
        +--rw secHostIfStats
        |  +--ro secHostIfStat* [ifName]
        |     +--ro ifName   string
        |     +--ro recvPacket?   uint64
        |     +--ro secIfProtocolStats
        |        +--ro secIfProtocolStat*
        |           +--ro layer?   hostIfStatsProtocolLayType
        |           +--ro protocol?   hostIfStatsProtocolType
        |           +--ro expectedPkts?   uint32
        |           +--ro unexpectedPkts?   uint32
        +--rw secIfProtocolCfgs
        |  +--rw secIfProtocolCfg* [ifName]
        |     +--rw ifName   string
        +--rw secCaptPktInstances
           +--ro secCaptPktInstance*
              +--ro secInstanceId?   uint8
              +--ro inBoundInst?   uint32
              +--ro outBoundInst?   uint32
              +--ro totalInst?   uint32
              +--ro hostInst?   uint32
              +--ro protocolNum?   uint32
              +--ro ifName?   string
              +--ro captureStatus?   hostdefendStatusType
              +--ro captTimeOut?   uint32
              +--ro setPktNum?   uint32
              +--ro setPktSize?   uint32
              +--ro deletePktNum?   uint32
              +--ro deletePktSize?   uint32
              +--ro getPktNum?   uint32
              +--ro getPktSize?   uint32
              +--ro firPktTime?   string
              +--ro lastPktTime?   string
              +--ro acl?   string
              +--ro remainTime?   uint32
              +--ro pktDevName?   string
              +--ro fileName?   string
              +--ro linkType?   hostdefendCaptLinkType
              +--ro hostCaptType?   hostdefendCaptType

4.6.  Data Plane Protection

   In the data plane of the router, before the various protocol packets
   are sent to the control plane for further processing, the necessary
   control policies or functions (i.e., CAR, alarm control, packet
   capture, etc.) and a number of packet statistics are needed in the
   data plane, both to protect the device and to gain more visibility
   into the router's status.

   module: ietf-cpudefend-sec
     +--rw cpudefend
        +--rw secpolicys
        |  +--rw secpolicy* [secPolicyID]
        |     +--rw secPolicyID   uint32
        |     +--rw secDescription?   string
        |     +--rw secpolicyattcfg
        |     |  +--rw secIsAttackSrc?
                          boolean
        |     |  +--rw secAttSrcRate?   cpudefendAttSampleRate
        |     |  +--rw secAttSrcAppLnk?   boolean
        |     |  +--rw secAttSrcCpCar?   boolean
        |     |  +--rw secAttSrcMa?   boolean
        |     |  +--rw secAttSrcTcpip?   boolean
        |     +--rw secTMSQConfig
        |     |  +--rw secStatus?   boolean
        |     +--rw secpolicyproseq
        |     |  +--rw secProSeqWL?   cpudefendProcessSeq
        |     |  +--rw secProSeqBL?   cpudefendProcessSeq
        |     |  +--rw secProSeqUF?   cpudefendProcessSeq
        |     +--rw secpolicyapplnk
        |     |  +--rw secDftAction?   cpudefendAppDefAction
        |     +--rw secpolicyallpkt
        |     |  +--rw secRateValue?   uint32
        |     |  +--rw secRateFlag?   cpudefendTotalCar
        |     +--rw secpolicycars
        |     |  +--rw secpolicycar* [secPolicyType secPolicyTypeID subProtoType subTcpIpType]
        |     |     +--rw secPolicyType   cpudefendPolicyCarType
        |     |     +--rw secPolicyTypeID   uint32
        |     |     +--rw subProtoType   cpudefendCPCARProtocol
        |     |     +--rw subTcpIpType   cpudefendTcpipCarType
        |     |     +--rw secPolicyCir?   uint32
        |     |     +--rw secPolicyCbs?   uint32
        |     |     +--rw secPolicyCbs4Sh?   uint32
        |     |     +--rw secMinPktLen?   uint32
        |     +--rw secpolicyswitchs
        |     |  +--rw secpolicyswitch* [secPolicyType secPolicyTypeID subTcpIpType]
        |     |     +--rw secPolicyType   cpudefendPolicySwitchType
        |     |     +--rw secPolicyTypeID   cpudefendAclProtocolTypeID
        |     |     +--rw subTcpIpType   cpudefendTcpipType
        |     |     +--rw secPolicyEnable?   boolean
        |     +--rw secpolicyalarms
        |     |  +--rw secpolicyalarm* [secPolicyType secPolicyTypeID]
        |     |     +--rw secPolicyType   secPolicyAlarmType
        |     |     +--rw secPolicyTypeID   uint32
        |     |     +--rw secAlarmFlag?   boolean
        |     |     +--rw secAlarmThld?   uint32
        |     |     +--rw secAlarmInt?   uint32
        |     |     +--rw secAlarmSpd?   uint32
        |     |     +--rw secAlarmResume?
                          uint32
        |     +--rw secpolicyprios
        |     |  +--rw secpolicyprio* [secPolicyType secPolicyTypeID subProtoType]
        |     |     +--rw secPolicyType   cpudefendPolicyPrioType
        |     |     +--rw secPolicyTypeID   uint32
        |     |     +--rw subProtoType   cpudefendCPCARProtocol
        |     |     +--rw secPriority   cpudefendPriority
        |     +--rw secpolicyacls
        |     |  +--rw secpolicyacl* [secPolicyType secPolicyTypeID]
        |     |     +--rw secPolicyType   cpudefendPolicyAclType
        |     |     +--rw secPolicyTypeID   uint32
        |     |     +--rw secAclNum   uint32
        |     |     +--rw secPrior?   boolean
        |     +--rw secDevUrpfs
        |     |  +--rw secDevUrpf* [secUrpfLooseType]
        |     |     +--rw secUrpfLooseType   cpudefendUrpfMode
        |     |     +--rw secEnableDefaultRoute?   boolean
        |     +--rw sECCrssBrdCarNodes
        |        +--rw sECCrssBrdCarNode* [secPolicyCir]
        |           +--rw secPolicyCir   uint32
        |           +--rw secPolicyCbs?   uint32
        +--rw secpolicycfgs
        |  +--rw secpolicycfg* [secSlotIdStr]
        |     +--rw secSlotIdStr   -> /devm:devm/lpuBoards/lpuBoard/position
        |     +--rw secPolicyID   -> /cpudefend/secpolicys/secpolicy/secPolicyID
        +--ro seccarsysids
        |  +--ro seccarsysid* [secSlotId secCarSysId]
        |     +--ro secSlotId   string
        |     +--ro secPolicyID?   uint32
        |     +--ro secCarSysId   uint16
        |     +--ro secCarCir?   uint32
        |     +--ro secCarCbs?   uint32
        |     +--ro secDefaultCir?   uint32
        |     +--ro secDefaultCbs?   uint32
        |     +--ro secDescription?   string
        +--ro secappstats
        |  +--ro secappstat* [secSlotId]
        |     +--ro secSlotId   string
        |     +--ro secAppEnable?   cpudefendAppStatus
        |     +--ro secAppDefAct?   cpudefendAppDefAction
        |     +--ro secFtpServer?   cpudefendAppStatus
        |     +--ro secSshServer?   cpudefendAppStatus
        |     +--ro secSnmp?   cpudefendAppStatus
        |     +--ro secTelnetServer?   cpudefendAppStatus
        |     +--ro secTftp?   cpudefendAppStatus
        |     +--ro secBgp?   cpudefendAppStatus
        |     +--ro secLdp?   cpudefendAppStatus
        |     +--ro secRsvp?   cpudefendAppStatus
        |     +--ro secOspf?   cpudefendAppStatus
        |     +--ro secRip?   cpudefendAppStatus
        |     +--ro secMsdp?   cpudefendAppStatus
        |     +--ro secPim?   cpudefendAppStatus
        |     +--ro secIgmp?
                          cpudefendAppStatus
        |     +--ro secIsis?   cpudefendAppStatus
        |     +--ro secFtpClient?   cpudefendAppStatus
        |     +--ro secTelnetClient?   cpudefendAppStatus
        |     +--ro secSshClient?   cpudefendAppStatus
        |     +--ro secNtp?   cpudefendAppStatus
        |     +--ro secRadius?   cpudefendAppStatus
        |     +--ro secHwtacacs?   cpudefendAppStatus
        |     +--ro secLspping?   cpudefendAppStatus
        |     +--ro secIcmp?   cpudefendAppStatus
        |     +--ro secVrrp?   cpudefendAppStatus
        |     +--ro secDhcp?   cpudefendAppStatus
        |     +--ro secDnsClient?   cpudefendAppStatus
        |     +--ro secSysLog?   cpudefendAppStatus
        |     +--ro secBfd?   cpudefendAppStatus
        |     +--ro sec8021ag?   cpudefendAppStatus
        |     +--ro secLacp?   cpudefendAppStatus
        |     +--ro secBgpV6?   cpudefendAppStatus
        |     +--ro secOspfV3?   cpudefendAppStatus
        |     +--ro secFtpV6Server?   cpudefendAppStatus
        |     +--ro secFtpV6Client?   cpudefendAppStatus
        |     +--ro secIcmpV6?   cpudefendAppStatus
        |     +--ro secPimV6?   cpudefendAppStatus
        |     +--ro secSshV6Server?   cpudefendAppStatus
        |     +--ro secTelnetV6Client?   cpudefendAppStatus
        |     +--ro secTelnetV6Server?   cpudefendAppStatus
        |     +--ro secDnsV6?   cpudefendAppStatus
        |     +--ro secWebAuthServ?   cpudefendAppStatus
        |     +--ro secDiameter?   cpudefendAppStatus
        |     +--ro secOpenflow?   cpudefendAppStatus
        |     +--ro secUnicastVrrp?   cpudefendAppStatus
        |     +--ro secIgpmu?   cpudefendAppStatus
        |     +--ro secIpfpm?   cpudefendAppStatus
        +--ro secnoncarstats
        |  +--ro secnoncarstat* [secSlotId secPolicyType secPolicyTypeID]
        |     +--ro secSlotId   string
        |     +--ro secPolicyType   cpudefendNoCarPolicyType
        |     +--ro secPolicyTypeID   cpudefendSecStatTypeID
        |     +--ro secSubTotalPkts?   uint64
        |     +--ro secSubPassPkts?   uint64
        |     +--ro secSubDropPkts?   uint64
        +--ro seccarstats
        |  +--ro seccarstat* [secSlotId secPolicyType secPolicyTypeID]
        |     +--ro secSlotId   string
        |     +--ro secPolicyType   cpudefendPolicyType
        |     +--ro secPolicyTypeID   uint32
        |     +--ro secAppEnable?   boolean
        |     +--ro secAppDefAct?   cpudefendAppDefAction
        |     +--ro secProtoEnable?
                          boolean
        |     +--ro secPassedPkts?   uint64
        |     +--ro secDropedPkts?   uint64
        |     +--ro secCfgCir?   uint32
        |     +--ro secCfgCbs?   uint32
        |     +--ro secActualCir?   uint32
        |     +--ro secActualCbs?   uint32
        |     +--ro secPriority?   cpudefendPriority
        |     +--ro secMinPktLen?   uint32
        |     +--ro secAclDenyPkts?   uint64
        |     +--ro secHistPps?   uint64
        |     +--ro secHistPpsTime?   yang:date-and-time
        |     +--ro secLastPps?   uint64
        |     +--ro secLastDrpBTime?   yang:date-and-time
        |     +--ro secLastDrpETime?   yang:date-and-time
        |     +--ro secTtlDropPkts?   uint64
        +--ro secattsrcorgs
        |  +--ro secattsrcorg* [secPktNumber secSlotId]
        |     +--ro secBufferSize?   uint32
        |     +--ro secRecordNumber?   uint32
        |     +--ro secCoverFlag?   uint32
        |     +--ro secPktNumber   uint32
        |     +--ro secSlotId   string
        |     +--ro ifName?   pub-type:ifName
        |     +--ro secPVlanId?   uint16
        |     +--ro secCVlanId?   uint16
        |     +--ro secAttType?   cpudefendATTSRCTYPE
        |     +--ro secDateTime?   yang:date-and-time
        |     +--ro secAttSrcData?   string
        +--ro secAttSrcVerboses
        |  +--ro secAttSrcVerbose* [secPktNumber secSlotId]
        |     +--ro secBufferSize?   uint32
        |     +--ro secRecordNumber?   uint32
        |     +--ro secCoverFlag?   uint32
        |     +--ro secPktNumber   uint32
        |     +--ro secSlotId   string
        |     +--ro ifName   pub-type:ifName
        |     +--ro secPeVlanID?   uint16
        |     +--ro secCeVlanID?   uint16
        |     +--ro secAttType?   cpudefendATTSRCTYPE
        |     +--ro secStartTime?   yang:date-and-time
        |     +--ro secL2Type?   cpudefendAttSrcL2Type
        |     +--ro secLinkType?   uint16
        |     +--ro secSrcMac?   pub-type:macAddress
        |     +--ro secDestMac?   pub-type:macAddress
        |     +--ro secL25Type?   cpudefendAttSrcL25Type
        |     +--ro secArpType?   cpudefendAttSrcArpType
        |     +--ro secMplsLabelNum?   uint16
        |     +--ro secMplsLabel1?   uint16
        |     +--ro secMplsLabel2?   uint16
        |     +--ro secMplsLabel3?   uint16
        |     +--ro secMplsLabel4?   uint16
        |     +--ro secMplsLabel5?   uint16
        |     +--ro secL3Type?   cpudefendAttSrcL3Type
        |     +--ro secIPVersion?   uint8
        |     +--ro secIPHeaderLen?   uint8
        |     +--ro secIPTos?   uint8
        |     +--ro secIPLen?   uint16
        |     +--ro secIPId?
                          uint16
        |     +--ro secIPOff?   uint16
        |     +--ro secIPTtl?   uint8
        |     +--ro secIPProtocol?   uint8
        |     +--ro secIPCheckSum?   uint16
        |     +--ro secSrcAddr?   inet:ipv4-address-no-zone
        |     +--ro secDstAddr?   inet:ipv4-address-no-zone
        |     +--ro secL4Type?   cpudefendAttSrcL4Type
        |     +--ro secSrcPort?   uint16
        |     +--ro secDstPort?   uint16
        |     +--ro secTcpSeqNum?   uint32
        |     +--ro secTcpAckNum?   uint32
        |     +--ro secTcpFlag?   uint8
        |     +--ro secTcpWinSize?   uint16
        |     +--ro secCheckSum?   uint16
        |     +--ro secUdpLen?   uint16
        |     +--ro secIcmpIgmpType?   uint8
        |     +--ro secIcmpIgmpCode?   uint8
        |     +--ro secIgmpGroup?   inet:ipv4-address-no-zone
        |     +--ro secAttSrcData?   string
        |     +--ro secATMVPI?   uint16
        |     +--ro secATMVCI?   uint16
        |     +--ro secSysid?   uint32
        +--ro secTotalPktStats
        |  +--ro secTotalPktStat* [secSlotId]
        |     +--ro secSlotId   string
        |     +--ro secTotalPkt?   uint64
        |     +--ro secPassPkt?   uint64
        |     +--ro secDropPkt?   uint64
        +--rw secArpCarValues
        |  +--rw secArpCarValue* [secIfName]
        |     +--rw secIfName   -> /ifm:ifm/interfaces/interface/ifName
        |     +--rw secEnable?   boolean
        |     +--rw secRateLimit?   uint32
        +--ro secSlotArpAtcks
        |  +--ro secSlotArpAtck* [secIfIndex secHistory]
        |     +--ro secIfIndex   -> /ifm:ifm/interfaces/interface/ifName
        |     +--ro secVlanId?   uint32
        |     +--ro secIfSubIndex?   pub-type:ifName
        |     +--ro secPeVlanId?   uint32
        |     +--ro secCeVlanId?   uint32
        |     +--ro secCtrlVlan?   uint32
        |     +--ro secEnableArpCar?   boolean
        |     +--ro secPassBytes?   uint64
        |     +--ro secPassPkts?   uint64
        |     +--ro secDropBytes?   uint64
        |     +--ro secDropPkts?   uint64
        |     +--ro secStartTime?   yang:date-and-time
        |     +--ro secHistory   sec_history_type
        |     +--ro secEndTime?   yang:date-and-time
        |     +--ro secPassedBytes?   uint64
        |     +--ro secPassedPkts?   uint64
        |     +--ro secDroppedBytes?   uint64
        |     +--ro secDroppedPkts?
                          uint64
        +--rw secArpSafeguards
        |  +--rw secArpSafeguard* [secIfIndex]
        |     +--rw secIfIndex   -> /ifm:ifm/interfaces/interface/ifName
        +--ro secArpSafeGStats
        |  +--ro secArpSafeGStat* [secSlotId]
        |     +--ro secSlotId   string
        |     +--ro secRequestCnt?   uint64
        |     +--ro secReplyCnt?   uint64
        |     +--ro secTocpCnt?   uint64
        |     +--ro secDropCnt?   uint64
        +--rw secEnL2LoDetects
        |  +--rw secEnL2LoDetect* [secSlotId]
        |     +--rw secSlotId   -> /devm:devm/lpuBoards/lpuBoard/position
        |     +--rw secDetectFlag?   boolean
        +--rw secL2LoDteTraps
        |  +--rw secL2LoDteTrap* [secSlotId]
        |     +--rw secSlotId   -> /devm:devm/lpuBoards/lpuBoard/position
        |     +--rw secTrapFlag?   boolean
        +--rw secL2LoDteShuts
        |  +--rw secL2LoDteShut* [secSlotId]
        |     +--rw secSlotId   -> /devm:devm/lpuBoards/lpuBoard/position
        |     +--rw secShutFlag?   boolean
        |     +--rw secUpTimes?   uint16
        |     +--rw secUpInterval?   uint16
        +--ro secL2LoDisStaIns
        |  +--ro secL2LoDisStaIn* [secSlotId]
        |     +--ro secSlotId   string
        |     +--ro secActionFlag?   cpudefendL2LoopAction
        |     +--ro secIfName?   pub-type:ifName
        |     +--ro secVlanID?   uint16
        |     +--ro secLoopLevel?   cpudefendL2LoopLevel
        |     +--ro secPortState?   cpudefendL2LoopIntfStatus
        +--ro secL2LoDisPckIns
        |  +--ro secL2LoDisPckIn* [secSlotId]
        |     +--ro secSlotId   string
        |     +--ro secIfName?   pub-type:ifName
        |     +--ro secNumber?   uint16
        |     +--ro secPeVlanId?   uint16
        |     +--ro secCeVlanId?   uint16
        |     +--ro secProtocol?   cpudefendSecStatTypeID
        |     +--ro secPktType?   cpudefendL2LoopPacketType
        |     +--ro secSrcMac?   pub-type:macAddress
        +--rw secTMSQWeights
        |  +--rw secTMSQWeight* [secPolicyID secSQType]
        |     +--rw secPolicyID   uint32
        |     +--rw secSQType   cpudefendTMSQWeightType
        |     +--rw secSQWeight?   uint32
        |     +--rw secSQCir?   uint32
        |     +--rw secSQPir?   uint32
        +--ro secDisSQStats
        |  +--ro secDisSQStat* [secSlotId secSQType]
        |     +--ro secSlotId   string
        |     +--ro secSQType   cpudefendTMSQWeightType
        |     +--ro secPassedPkts?   uint64
        |     +--ro secDropedPkts?
                          uint64
        |     +--ro secDisFQStats
        |        +--ro secDisFQStat*
        |           +--ro secBEPassPkts?   uint64
        |           +--ro secBEDropPkts?   uint64
        |           +--ro secAF1PassPkts?   uint64
        |           +--ro secAF1DropP kts?   uint64
        |           +--ro secAF2PassPkts?   uint64
        |           +--ro secAF2DropPkts?   uint64
        |           +--ro secAF3PassPkts?   uint64
        |           +--ro secAF3DropPkts?   uint64
        |           +--ro secAF4PassPkts?   uint64
        |           +--ro secAF4DropPkts?   uint64
        |           +--ro secEFPassPkts?   uint64
        |           +--ro secEFDropPkts?   uint64
        |           +--ro secCS6PassPkts?   uint64
        |           +--ro secCS6DropPkts?   uint64
        |           +--ro secCS7PassPkts?   uint64
        |           +--ro secCS7DropPkts?   uint64
        +--ro secDisSQWeights
        |  +--ro secDisSQWeight* [secSlotId secSQType]
        |     +--ro secSlotId   string
        |     +--ro secSQType   cpudefendTMSQWeightType
        |     +--ro secConfigSQCir?   uint32
        |     +--ro secDftSQCir?   uint32
        |     +--ro secConfigSQPir?   uint32
        |     +--ro secDftSQPir?   uint32
        |     +--ro secConfigWeight?   uint32
        |     +--ro secDftWeight?   uint32
        +--rw sechostcarNodes
        |  +--rw sechostcarNode* [slotID hostCarType]
        |     +--rw slotID   -> /devm:devm/lpuBoards/lpuBoard/position
        |     +--rw hostCarType   cpudefendhostCarType
        |     +--rw cir?   uint32
        |     +--rw pir?   uint32
        |     +--rw cbs?   uint32
        |     +--rw pbs?   uint32
        +--rw secHstcAdjustNodes
        |  +--rw socHstcAdjustNode* [slotID hostCarType]
        |     +--rw slotID   string
        |     +--rw hostCarType   cpudefendhostCarType
        |     +--rw ifEnable?   socIfEnable
        +--rw secHstcAdjNodes
        |  +--rw socHstcAdjNode* [slotID hostCarType]
        |     +--rw slotID   string
        |     +--rw hostCarType   cpudefendhostCarType
        |     +--rw dropThreshold?   uint32
        |     +--rw interval?   uint32
        +--ro secDisDefaultCars
        |  +--ro secDisDefaultCar* [secSlotId secSysId]
        |     +--ro secSlotId   string
        |     +--ro secSysId   uint16
        |     +--ro secCir?   uint32
        |     +--ro secCbs?   uint32
        |     +--ro secMinPkt?   uint32
        |     +--ro secPriority?   cpudefendSecPriority
        |     +--ro secTypeId?
                          cpudefendSecTypeId
        +--ro secCurrentCarNodes
        |  +--ro secCurrentCarNode* [secSlotId secPolicyTypeID]
        |     +--ro secSlotId   string
        |     +--ro secPolicyTypeID   uint32
        |     +--ro secPolicyCir?   uint32
        |     +--ro secPolicyCbs?   uint32
        |     +--ro secMinPkt?   uint32
        |     +--ro secPriority?   cpudefendSecPriority
        |     +--ro desc?   cpudefendSecTypeId
        +--ro secAttSrcFiles
        |  +--ro secAttSrcFile* [fileName]
        |     +--ro fileName   string
        |     +--ro secRecordNum?   uint32
        |     +--ro secPktNumber?   uint32
        |     +--ro secPeVlanID?   uint16
        |     +--ro secCeVlanID?   uint16
        |     +--ro secStartTime?   yang:date-and-time
        |     +--ro secL2Type?   cpudefendAttSrcL2Type
        |     +--ro secLinkType?   uint16
        |     +--ro secSrcMac?   pub-type:macAddress
        |     +--ro secDestMac?   pub-type:macAddress
        |     +--ro secL25Type?   cpudefendAttSrcL25Type
        |     +--ro secArpType?   cpudefendAttSrcArpType
        |     +--ro secMplsLabelNum?   uint16
        |     +--ro secMplsLabel1?   uint16
        |     +--ro secMplsLabel2?   uint16
        |     +--ro secMplsLabel3?   uint16
        |     +--ro secMplsLabel4?   uint16
        |     +--ro secMplsLabel5?   uint16
        |     +--ro secL3Type?   cpudefendAttSrcL3Type
        |     +--ro secIPVersion?   uint8
        |     +--ro secIPHeaderLen?   uint8
        |     +--ro secIPTos?   uint8
        |     +--ro secIPLen?   uint16
        |     +--ro secIPId?   uint16
        |     +--ro secIPOff?   uint16
        |     +--ro secIPTtl?   uint8
        |     +--ro secIPProtocol?   uint8
        |     +--ro secIPCheckSum?   uint16
        |     +--ro secSrcAddr?   inet:ipv4-address-no-zone
        |     +--ro secDstAddr?   inet:ipv4-address-no-zone
        |     +--ro secL4Type?   cpudefendAttSrcL4Type
        |     +--ro secSrcPort?   uint16
        |     +--ro secDstPort?   uint16
        |     +--ro secTcpSeqNum?   uint32
        |     +--ro secTcpAckNum?   uint32
        |     +--ro secTcpFlag?   uint8
        |     +--ro secTcpWinSize?   uint8
        |     +--ro secCheckSum?   uint16
        |     +--ro secUdpLen?   uint16
        |     +--ro secIcmpIgmpType?   uint8
        |     +--ro secIcmpIgmpCode?   uint8
        |     +--ro secIgmpGroup?   inet:ipv4-address-no-zone
        |     +--ro secAttSrcData?   string
        |     +--ro secVpi?   uint16
        |     +--ro secVci?
                          uint16
        +--ro secHostCarStats
        |  +--ro secHostCarStat* [slotID hostCarType statType hostCarID httpHostCarID vlanHostCarID]
        |     +--ro slotID   -> /devm:devm/lpuBoards/lpuBoard/position
        |     +--ro hostCarType   cpudefendhostCarType
        |     +--ro statType   cpudefendstatType
        |     +--ro hostCarID   uint32
        |     +--ro httpHostCarID   uint32
        |     +--ro vlanHostCarID   uint32
        |     +--ro passedBytes?   uint64
        |     +--ro droppedBytes?   uint64
        +--ro secHostCarCfgs
        |  +--ro secHostCarCfg* [socSlotID]
        |     +--ro secSlotID   string
        |     +--ro hostCarType?   cpudefendhostCarType
        |     +--ro defaultCir?   uint32
        |     +--ro defaultPir?   uint32
        |     +--ro defaultCbs?   uint32
        |     +--ro defaultPbs?   uint32
        |     +--ro actualCir?   uint32
        |     +--ro actualPir?   uint32
        |     +--ro actualCbs?   uint32
        |     +--ro actualPbs?   uint32
        |     +--ro droprateEn?   socIfEnable
        |     +--ro logInterval?   uint32
        |     +--ro logThreshold?   uint32
        +--ro secAccessUsers
        |  +--ro secAccessUser* [secSlotId hostcarCarID]
        |     +--ro secSlotId   -> /devm:devm/lpuBoards/lpuBoard/position
        |     +--ro hostcarCarID   uint32
        |     +--ro passedBytes?   uint64
        |     +--ro droppedBytes?   uint64
        |     +--ro secUserName?   string
        |     +--ro userStatus?   cpudefendUserStatus
        |     +--ro secUsrIPV4Addr?   inet:ipv4-address-no-zone
        |     +--ro secUsrIPV6Addr?   inet:ipv6-address-no-zone
        |     +--ro secUsrMac?   pub-type:macAddress
        |     +--ro outterVlanId?   uint16
        |     +--ro innerVlanId?   uint16
        +--rw secCaptPktActNodes
           +--rw secCaptPktActNode* [captureIndex]
              +--rw captureIndex   uint8
              +--rw secIfName   -> /ifm:ifm/interfaces/interface/ifName
              +--rw direction?   cpudefendCaptDirection
              +--rw pktNumber?   uint32
              +--rw timeOut?   uint32
              +--rw pktLen?   uint32
              +--rw captAclType?   cpudefendCaptAclType
              +--rw secCaptAcl?   cpudefendCaptAcl
              +--rw secCaptIpv6Acl?   cpudefendCaptIpv6Acl
              +--rw vlanType?   cpudefendvlanType
              +--rw peBegin?   uint16
              +--rw peEnd?   uint16
              +--rw ceBegin?
                          uint16
              +--rw ceEnd?   uint16
              +--rw bufferonly?   cpudefendDestType
              +--rw fileName?   string
              +--rw fileSize?   uint8
              +--rw overwrite?   boolean

4.7.  TCP/IP Attack Defence

   Defense against TCP/IP attacks is applied to routers on the edge of
   the network, or to other routers that are easily attacked with
   illegal TCP/IP packets.  Defense against TCP/IP attacks protects the
   CPU of the router against malformed packets, fragmented packets, TCP
   SYN packets, and UDP packets, ensuring that normal services can still
   be processed.

   module: ietf-tcp-ip-attack-defence
     +--rw secAntiAttackEnable
     |  +--rw antiEnable?   antiAttackEnableCfgType
     |  +--rw abnormalEnable?   antiAttackEnableCfgType
     |  +--rw udpFloodEnable?   antiAttackEnableCfgType
     |  +--rw tcpSynEnable?   antiAttackEnableCfgType
     |  +--rw icmpFloodEnable?   antiAttackEnableCfgType
     |  +--rw fragmentEnable?   antiAttackEnableCfgType
     +--rw secAntiAttackCarCfg
     |  +--rw cirFrag?   uint32
     |  +--rw cirIcmp?   uint32
     |  +--rw cirTcp?   uint32
     +--rw secAntiAttackStats
        +--ro secAntiAttackStat* [attackType]
           +--ro attackType   antiAttackType
           +--ro totalCount?   uint64
           +--ro dropCount?   uint64
           +--ro passCount?   uint64
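   The following Python program is an added example written for this
   page; it is not part of the draft and not the code of any vendor
   implementation.  It models the two data-plane functions described in
   Sections 4.6 and 4.7 above: a per-attack-type CAR with the counters
   of secAntiAttackStat (cirTcp, cirFrag, cirIcmp; totalCount,
   dropCount, passCount) placed in front of the per-protocol CP-CAR and
   alarm threshold of ietf-cpudefend-sec (secPolicyCir, secPolicyCbs,
   secPassedPkts, secDropedPkts, secAlarmThld).  The token-bucket
   semantics, the boolean enable flags, the CIR given to UDP flood (the
   draft defines none), the reading of secAlarmThld as a drop-count
   threshold, the classification rules and the traffic sample are all
   assumptions made for this example.

```python
"""Added example, not from the draft: a model of the CPU-defend CAR (Section
4.6) and the TCP/IP attack defence (Section 4.7).  Leaf names follow the tree
diagrams; the token-bucket CAR (cbs = cir for anti-attack CARs), boolean enable
flags, the CIR assumed for UDP flood, the classification rules and the traffic
sample are all assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional


class Car:
    """Committed access rate as a token bucket: cir in pkt/s, cbs in packets."""

    def __init__(self, cir: int, cbs: int) -> None:
        self.cir, self.cbs, self.tokens, self.last = cir, cbs, float(cbs), 0.0

    def admit(self, now: float) -> bool:
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(float(self.cbs), self.tokens + (now - self.last) * self.cir)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True


@dataclass
class Packet:
    t: float                          # arrival time in seconds (constructed)
    proto: str                        # "tcp", "udp" or "icmp"
    tcp_flags: frozenset = frozenset()
    fragment: bool = False
    ip_len: int = 60
    ip_hdr_len: int = 20


def classify(pkt: Packet) -> Optional[str]:
    """Map a packet to one of the draft's attackType values, or None if normal."""
    if pkt.ip_hdr_len < 20 or pkt.ip_len < pkt.ip_hdr_len:
        return "abnormal"                 # malformed IP header lengths
    if pkt.proto == "tcp" and {"SYN", "FIN"} <= pkt.tcp_flags:
        return "abnormal"                 # contradictory TCP flags
    if pkt.fragment:
        return "fragment"
    if pkt.proto == "tcp" and "SYN" in pkt.tcp_flags and "ACK" not in pkt.tcp_flags:
        return "tcpSyn"
    return {"udp": "udpFlood", "icmp": "icmpFlood"}.get(pkt.proto)


class CpuDefend:
    def __init__(self, enable: Dict[str, bool], anti_cir: Dict[str, int],
                 policy_car: Dict[str, Dict[str, int]], alarm_thld: int) -> None:
        self.enable, self.alarm_thld = enable, alarm_thld
        self.anti_car = {k: Car(v, v) for k, v in anti_cir.items()}
        self.policy_car = {p: Car(c["secPolicyCir"], c["secPolicyCbs"])
                           for p, c in policy_car.items()}
        self.anti_stats: Dict[str, Dict[str, int]] = {}   # secAntiAttackStat rows
        self.car_stats: Dict[str, Dict[str, int]] = {}    # seccarstat rows

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet is allowed to reach the CPU."""
        kind = classify(pkt)
        if kind is not None and self.enable.get(kind, False):
            st = self.anti_stats.setdefault(
                kind, {"totalCount": 0, "dropCount": 0, "passCount": 0})
            st["totalCount"] += 1
            car = self.anti_car.get(kind)
            # Malformed packets are always dropped; other types are rate limited.
            ok = kind != "abnormal" and car is not None and car.admit(pkt.t)
            st["passCount" if ok else "dropCount"] += 1
            if not ok:
                return False
        # Second stage: the per-protocol committed access rate toward the CPU.
        st = self.car_stats.setdefault(pkt.proto, {"secPassedPkts": 0, "secDropedPkts": 0})
        car = self.policy_car.get(pkt.proto)
        ok = car is None or car.admit(pkt.t)
        st["secPassedPkts" if ok else "secDropedPkts"] += 1
        return ok

    def alarms(self) -> List[str]:
        """Attack types whose dropCount has reached the assumed secAlarmThld."""
        return sorted(k for k, st in self.anti_stats.items()
                      if st["dropCount"] >= self.alarm_thld)


def demo() -> CpuDefend:
    d = CpuDefend(enable={k: True for k in ("abnormal", "fragment", "tcpSyn",
                                            "udpFlood", "icmpFlood")},
                  anti_cir={"tcpSyn": 5, "fragment": 2, "icmpFlood": 2, "udpFlood": 10},
                  policy_car={"tcp": {"secPolicyCir": 100, "secPolicyCbs": 100},
                              "icmp": {"secPolicyCir": 1, "secPolicyCbs": 1}},
                  alarm_thld=3)
    pkts = [Packet(0.0, "tcp", frozenset({"SYN"})) for _ in range(10)]  # SYN burst
    pkts.append(Packet(0.001, "tcp", frozenset({"ACK"})))               # normal segment
    pkts += [Packet(0.002, "icmp") for _ in range(4)]                   # ICMP burst
    pkts.append(Packet(0.003, "tcp", frozenset({"SYN", "FIN"})))        # malformed
    for p in pkts:
        d.process(p)
    return d
```

   Running demo() shows the effect of the two stages.  Of the ten SYN
   segments arriving in the same instant only the first five fit the
   tcpSyn burst size, the remaining five are dropped and, because that
   exceeds the assumed threshold of three, tcpSyn is reported by
   alarms().  The ICMP burst is first trimmed by cirIcmp and then again
   by the tighter per-protocol CAR, and the SYN+FIN segment is dropped as
   abnormal without consuming any tokens.  A device exposing this model
   would report exactly these numbers in secAntiAttackStat and
   seccarstat, which is what a baseline check reads back.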
5.  Network Infrastructure Device Security Baseline Yang Module

   module ietf-mac-limit {
     namespace "urn:ietf:params:xml:ns:yang:ietf-mac-limit";
     prefix maclimit;

     /*
     import huawei-pub-type {
       prefix pub-type;
     }
     */
     import ietf-yang-types {
       prefix yang;
     }
     /*
     import huawei-extension {
       prefix ext;
     }
     include huawei-mac-action;
     include huawei-mac-type;
     */

     organization
       "Huawei Technologies.";
     contact
       "Liang Xia: Frank.xialiang@huawei.com
        Guangying Zheng: Zhengguangying@huawei.com";
     description
       "MAC address limit.";
     revision 2017-09-01 {
       description "Init revision";
       reference "xxx.";
     }

     container mac {
       description "MAC address forwarding. ";
       container macLimitRules {
         description "Global MAC address learning limit rule.";
         list macLimitRule {
           key "ruleName";
           description "Global MAC address learning limit.";
           leaf ruleName {
             type string {
               length "1..31";
             }
             description "Global MAC address learning limit rule name.";
           }
           leaf maximum {
             type uint32 {
               range "0..131072";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description "Interval at which MAC addresses are learned.";
           }
           leaf action {
             type macLimitForward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number.";
           }
           leaf alarm {
             type macEnableStatus;
             default "enable";
             description
               "Whether an alarm is generated after the number of learned
                MAC addresses reaches the maximum number.";
           }
         }
       }
       container vlanMacLimits {
         description "VLAN MAC address limit list.";
         list vlanMacLimit {
           key "vlanId";
           description "VLAN MAC address limit.";
           leaf vlanId {
             type macVlanId;
             description "VLAN ID.";
           }
           leaf maximum {
             type uint32 {
               range "0..130048";
             }
             mandatory
             true;
             description
               "Maximum number of MAC addresses that can be learned in a
                VLAN.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval at which MAC addresses are learned in a VLAN.";
           }
           leaf action {
             type macLimitForward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number in a VLAN.";
           }
           leaf alarm {
             type macEnableStatus;
             default "enable";
             description
               "Whether an alarm is generated after the number of learned
                MAC addresses reaches the maximum number in a VLAN.";
           }
         }
       }
       container vsiMacLimits {
         description "VSI MAC address limit list.";
         list vsiMacLimit {
           key "vsiName";
           description "VSI MAC address limit.";
           leaf vsiName {
             type string {
               length "1..31";
             }
             description "VSI name.";
           }
           leaf maximum {
             type uint32 {
               range "0..524288";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned in a
                VSI.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval at which MAC addresses are learned in a VSI.";
           }
           leaf action {
             type macLimitForward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number in a VSI.";
           }
           leaf alarm {
             type macEnableStatus;
             default "disable";
             description
               "Whether an alarm is generated after the number of learned
                MAC addresses reaches the maximum number in a VSI.";
           }
           leaf upThreshold {
             type uint8 {
               range "80..100";
             }
             mandatory true;
             description "Upper limit for the number of MAC addresses.";
           }
           leaf downThreshold {
             type uint8 {
               range "60..100";
             }
             mandatory true;
             description "Lower limit for the number of MAC addresses.";
           }
         }
       }
       container bdMacLimits {
         description "BD MAC address limit list.";
         list bdMacLimit {
           key "bdId";
           description "BD MAC address limit.";
           leaf bdId {
             type uint32 {
               range "1..16777215";
             }
             description "Specifies the ID of a bridge domain.";
           }
           leaf maximum {
             type uint32 {
               range "0..130048";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned in a
                BD.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval at which MAC addresses are learned in a BD.";
           }
           leaf action {
             type macLimitForward;
             default "discard";
             description "Forward or discard the packet.";
           }
           leaf alarm {
             type macEnableStatus;
             default "enable";
             description
               "Whether an alarm is generated after the number of learned
                MAC addresses reaches the maximum number.";
           }
         }
       }
       container pwMacLimits {
         description "PW MAC address limit list.";
         list pwMacLimit {
           key "vsiName pwName";
           description "PW MAC address limit.";
           leaf vsiName {
             type string {
               length "1..31";
             }
             description "VSI name.";
           }
           leaf pwName {
             type string {
               length "1..15";
             }
             description "PW name.";
           }
           leaf maximum {
             type uint32 {
               range "0..130048";
             }
             mandatory true;
             description
               "Maximum number of MAC addresses that can be learned in a
                PW.";
           }
           leaf rate {
             type uint16 {
               range "0..1000";
             }
             default "0";
             description
               "Interval at which MAC addresses are learned in a PW.";
           }
           leaf action {
             type macLimitForward;
             default "discard";
             description
               "Discard or forward after the number of learned MAC
                addresses reaches the maximum number in a PW.";
           }
           leaf alarm {
             type macEnableStatus;
             default "enable";
             description
               "Whether an alarm is generated after the number of learned
                MAC addresses reaches the maximum number in a PW.";
           }
         }
       }
       container ifMacLimits {
         description "Interface MAC address limit list.";
         list ifMacLimit {
           key "ifName limitType";
           description "Interface MAC address
limit."; leaf ifName { type pub-type:ifName; description "Interface name."; } leaf limitType { type limitType; description "Interface MAC limit type."; } leaf ruleName { type leafref { path "/mac/macLimitRules/macLimitRule/ruleName"; } description "Rule name."; Xia & Zheng Expires March 11, 2018 [Page 41] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 } leaf maximum { type uint32 { range "0..131072"; } mandatory true; description "Maximum number of MAC addresses that can be learned on an interface."; } leaf rate { type uint16 { range "0..1000"; } default "0"; description "Interval (ms) at which MAC addresses are learned on an interface."; } leaf action { type macLimitForward; default "discard"; description "Discard or forward after the number of learned MAC addresses reaches the maximum number on an interface"; } leaf alarm { type macEnableStatus; default "enable"; description "Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number on an interface."; } } } container ifVlanMacLimits { description "Interface + VLAN MAC address limit list."; list ifVlanMacLimit { key "ifName vlanBegin limitType"; config false; description "Interface + VLAN MAC address limit."; leaf ifName { type pub-type:ifName; description "Name of an interface. 
"; } leaf vlanBegin { type macVlanId; description "Start VLAN ID."; Xia & Zheng Expires March 11, 2018 [Page 42] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 } leaf vlanEnd { type macVlanId; description "End VLAN ID."; } leaf limitType { type limitType; description "Interface MAC limit type."; } leaf ruleName { type leafref { path "/mac/macLimitRules/macLimitRule/ruleName"; } description "Rule name."; } leaf maximum { type uint32 { range "0..131072"; } mandatory true; description "Maximum number of MAC addresses that can be learned on an interface."; } leaf rate { type uint16 { range "0..1000"; } mandatory true; description "Interval (ms) at which MAC addresses are learned on an interface."; } leaf action { type macLimitForward; default "discard"; description "Discard or forward the packet."; } leaf alarm { type macEnableStatus; default "enable"; description "Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number."; } } } Xia & Zheng Expires March 11, 2018 [Page 43] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 container subifMacLimits { description "Sub-interface MAC address limit list."; list subifMacLimit { key "ifName limitType"; description "Sub-interface MAC address limit."; leaf ifName { type pub-type:ifName; description "Name of a sub-interface. 
"; } leaf limitType { type limitType; description "Sub-interface MAC limit type."; } leaf vsiName { type string { length "1..36"; } config false; mandatory true; description "VSI name , EVPN name or bridge domain ID."; } leaf ruleName { type string { length "1..31"; } mandatory true; description "Rule name."; } leaf maximum { type uint32 { range "0..131072"; } mandatory true; description "Maximum number of MAC addresses that can be learned on a sub-interface."; } leaf rate { type uint16 { range "0..1000"; } default "0"; description Xia & Zheng Expires March 11, 2018 [Page 44] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 "Interval (ms) at which MAC addresses are learned on a sub-interface."; } leaf action { type macLimitForward; default "discard"; description "Discard or forward after the number of learned MAC addresses reaches the maximum number on a sub-interface."; } leaf alarm { type macEnableStatus; default "enable"; description "Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number on a sub-interface."; } } } container vsiStormSupps { description "VSI Suppression List."; list vsiStormSupp { key "vsiName suppressType"; description "VSI Suppression."; leaf vsiName { type string { length "1..31"; } description "VSI name."; } leaf suppressType { type suppressType; description "Traffic suppression type."; } leaf cir { type uint64 { range "0..4294967295"; } default "0"; description "CIR value."; } leaf cbs { type uint64 { range "0..4294967295"; } description Xia & Zheng Expires March 11, 2018 [Page 45] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 "CBS value."; } } } container vlanStormSupps { description "VLAN Suppression List."; list vlanStormSupp { key "vlanId suppressType"; description "VLAN Suppression."; leaf vlanId { type macVlanId; description "VLAN ID."; } leaf suppressType { type suppressType; description "Traffic suppression type."; } leaf cir { type uint64 
{ range "64..4294967295"; } default "64"; description "CIR value."; } leaf cbs { type uint64 { range "10000..4294967295"; } description "CBS value."; } } } container subIfSuppresss { description "Sub-interface traffic suppression list."; list subIfSuppress { key "ifName suppressType direction"; description "Sub-Interface traffic suppression."; leaf ifName { type pub-type:ifName; description Xia & Zheng Expires March 11, 2018 [Page 46] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 "Sub-interface name."; } leaf suppressType { type suppressType; description "Suppression type."; } leaf direction { type directionType; description "Suppression direction."; } leaf cir { type uint64 { range "0..4294967295"; } default "0"; description "CIR value."; } leaf cbs { type uint64 { range "0..4294967295"; } description "CBS value."; } } } container pwSuppresss { description "PW traffic suppress list."; list pwSuppress { key "vsiName pwName suppressType"; description "PW traffic suppression."; leaf vsiName { type string { length "1..31"; } description "VSI name."; } leaf pwName { type string { length "1..15"; } description Xia & Zheng Expires March 11, 2018 [Page 47] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 "PW name."; } leaf suppressType { type suppressType; description "Traffic suppression type."; } leaf cir { type uint64 { range "100..4294967295"; } default "100"; description "CIR value."; } leaf cbs { type uint64 { range "100..4294967295"; } description "CBS value."; } } } container pwSuppressPtns { description "PW traffic suppress list."; list pwSuppressPtn { key "vsiName peerIp pwId pwEncap"; description "PW traffic suppression."; leaf vsiName { type string { length "1..31"; } description "VSI name."; } leaf peerIp { type string { length "0..255"; pattern "((([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\\.){3}([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]))"; } description "Peer IP address."; } leaf pwId { type uint32 { 
Xia & Zheng Expires March 11, 2018 [Page 48] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 range "1..4294967295"; } description "PW ID."; } leaf pwEncap { type macPwEncapType; description "PW encapsulation type."; } leaf isEnable { type boolean; default "true"; description "Enable status."; } leaf suppressType { type suppressStyle; default "absoluteValue"; description "Traffic suppression type."; } leaf broadcast { type uint32 { range "0..200000000"; } default "1000"; description "Broadcast suppression (kbit/s)"; } leaf unicast { type uint32 { range "0..200000000"; } default "1000"; description "Unknown unicast suppression (kbit/s)."; } leaf multicast { type uint32 { range "0..200000000"; } default "1000"; description "Multicast suppression (kbit/s)."; } } } Xia & Zheng Expires March 11, 2018 [Page 49] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 container vsiInSuppressions { description "VSI inbound traffic suppression list."; list vsiInSuppression { key "vsiName"; description "VSI inbound traffic suppression."; leaf vsiName { type string { length "1..31"; } description "VSI name."; } leaf inboundSupp { type macEnableStatus; default "enable"; description "Inbound suppression."; } } } container vsiOutSuppressions { description "VSI outbound traffic suppression list."; list vsiOutSuppression { key "vsiName"; description "VSI outbound traffic suppression."; leaf vsiName { type string { length "1..31"; } description "VSI name."; } leaf outboundSupp { type macEnableStatus; default "enable"; description "Outbound suppression."; } } } container vsiSuppresss { description "VSI traffic suppression list."; list vsiSuppress { Xia & Zheng Expires March 11, 2018 [Page 50] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 key "subIfName"; description "VSI traffic suppression."; leaf vsiName { type string { length "1..31"; } mandatory true; description "VSI name."; } leaf subIfName { type 
pub-type:ifName; description "Sub-interface name."; } leaf isEnable { type boolean; default "true"; description "Enable status."; } leaf suppressType { type suppressStyle; default "percent"; description "Traffic suppression type."; } leaf broadcast { type uint32 { range "0..200000000"; } default "64"; description "Broadcast suppression (kbit/s)"; } leaf broadcastPercent { type uint32 { range "0..100"; } default "1"; description "Broadcast suppression."; } leaf unicast { type uint32 { range "0..200000000"; } Xia & Zheng Expires March 11, 2018 [Page 51] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 default "64"; description "Unknown unicast suppression (kbit/s)."; } leaf unicastPercent { type uint32 { range "0..100"; } default "1"; description "Unknown unicast suppression."; } leaf multicast { type uint32 { range "0..200000000"; } default "64"; description "Multicast suppression (kbit/s)."; } leaf multicastPercent { type uint32 { range "0..100"; } default "1"; description "Multicast suppression."; } } } container vsiTotalNumbers { description "List of MAC address total numbers in a VSI."; list vsiTotalNumber { key "vsiName slotId macType"; config false; description "Total number of MAC addresses in a VSI."; leaf vsiName { type string { length "1..31"; } description "VSI name."; } leaf slotId { type string { length "1..24"; Xia & Zheng Expires March 11, 2018 [Page 52] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 } description "Slot ID."; } leaf macType { type macType; description "MAC address type."; } leaf number { type uint32; mandatory true; description "Number of MAC addresses."; } } } container ifStormSupps { description "Interface traffic suppression list."; list ifStormSupp { key "ifName suppressType"; description "Interface traffic suppression."; leaf ifName { type pub-type:ifName; description "Name of an interface. 
"; } leaf suppressType { type suppressType; description "Suppression type."; } leaf percent { type uint64 { range "0..99"; } description "Percent."; } leaf packets { type uint64 { range "0..148810000"; } description "Packets per second."; } Xia & Zheng Expires March 11, 2018 [Page 53] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 leaf cir { type uint64 { range "0..100000000"; } description "CIR(Kbit/s)."; } leaf cbs { type uint64 { range "10000..4294967295"; } description "CBS(Bytes)."; } } } container ifStormBlocks { description "Interface traffic block list."; list ifStormBlock { key "ifName blockType direction"; description "Interface traffic suppression."; leaf ifName { type pub-type:ifName; description "Name of an interface. "; } leaf blockType { type suppressType; description "Block type."; } leaf direction { type directionType; description "Direction."; } } } container ifStormContrls { description "Interface storm control list."; list ifStormContrl { key "ifName"; description "Interface storm control."; leaf ifName { Xia & Zheng Expires March 11, 2018 [Page 54] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 type pub-type:ifName; description "Name of an interface. 
"; } leaf action { type stormCtrlActionType; default "normal"; description "Action type."; } leaf trapEnable { type enableType; default "disable"; description "Trap state."; } leaf logEnable { type enableType; default "disable"; description "Log state."; } leaf interval { type uint64 { range "1..180"; } default "5"; description "Detect interval."; } container ifPacketContrlAttributes { description "Storm control rate list."; list ifPacketContrlAttribute { key "packetType"; description "Storm control rate."; leaf packetType { type stormCtrlType; description "Packet type."; } leaf rateType { type stormCtrlRateType; default "pps"; description "Storm control rate type."; } Xia & Zheng Expires March 11, 2018 [Page 55] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 leaf minRate { type uint32 { range "1..148810000"; } mandatory true; description "Storm control min rate."; } leaf maxRate { type uint64 { range "1..148810000"; } mandatory true; description "Storm control max rate."; } } } container ifstormContrlInfos { description "Storm control info list."; list ifstormContrlInfo { key "packetType"; config false; description "Storm control info"; leaf packetType { type stormCtrlType; description "Packet type."; } leaf punishStatus { type stormCtrlActionType; description "Storm control status."; } leaf lastPunishTime { type string { length "1..50"; } description "Last punish time."; } } } } } } Xia & Zheng Expires March 11, 2018 [Page 56] Internet-DraftNetwork Infrastructure Device Data Plane SecSeptember 2017 } 6. IANA Considerations This document makes no request of IANA. Note to RFC Editor: this section may be removed on publication as an RFC. 7. Security Considerations To be added. 8. Acknowledgements 9. References 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . 9.2. 
9.2.  Informative References

   [I-D.ietf-netconf-subscribed-notifications]
              Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and
              A. Tripathy, "Custom Subscription to Event Notifications",
              draft-ietf-netconf-subscribed-notifications-03 (work in
              progress), July 2017.

   [I-D.ietf-netconf-yang-push]
              Clemm, A., Voit, E., Prieto, A., Tripathy, A.,
              Nilsen-Nygaard, E., Bierman, A., and B. Lengyel,
              "Subscribing to YANG datastore push updates",
              draft-ietf-netconf-yang-push-08 (work in progress),
              August 2017.

   [I-D.ietf-sacm-information-model]
              Waltermire, D., Watson, K., Kahn, C., Lorenzin, L., Cokus,
              M., Haynes, D., and H. Birkholz, "SACM Information Model",
              draft-ietf-sacm-information-model-10 (work in progress),
              April 2017.

Authors' Addresses

   Liang Xia
   Huawei

   Email: frank.xialiang@huawei.com

   Guangying Zheng
   Huawei

   Email: zhengguangying@huawei.com
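The MAC-limit and storm-control containers of the module in Section 5 state per-leaf ranges and mandatory leaves, but no cross-leaf constraints (there is no "must" tying downThreshold to upThreshold, or minRate to maxRate) and nothing about what posture an assessor should expect. The following Python checker is an added example, not part of the draft or of any vendor implementation: it walks RFC 7951-style JSON instance data for the vsiMacLimits and ifStormContrls containers, applies the module's own defaults where a leaf is absent, and reports leaves outside the stated ranges, missing mandatory leaves, and four baseline rules that are assumptions of this example and marked ASSUMED in the code (excess MACs are discarded, MAC-table exhaustion raises an alarm, a storm is reported by trap or log, and the threshold and rate pairs are ordered). The node names are the module's; the omitted namespace prefix and the sample instance data are constructed for the example.

```python
"""Baseline checker over instance data of the vsiMacLimits and
ifStormContrls containers.  Added example; not part of the draft.
Assumptions: RFC 7951 JSON encoding with bare node names (module
prefix omitted), and the rules marked ASSUMED below."""

from typing import Any, Dict, List, Tuple

# Leaf constraints copied from the module: name -> ((low, high), mandatory).
VSI_MAC_LIMIT: Dict[str, Tuple[Tuple[int, int], bool]] = {
    "maximum": ((0, 524288), True),
    "rate": ((0, 1000), False),
    "upThreshold": ((80, 100), True),
    "downThreshold": ((60, 100), True),
}
STORM_RATE: Dict[str, Tuple[Tuple[int, int], bool]] = {
    "minRate": ((1, 148810000), True),
    "maxRate": ((1, 148810000), True),
}


def check_leaves(path: str, node: Dict[str, Any],
                 spec: Dict[str, Tuple[Tuple[int, int], bool]]) -> List[str]:
    """Enforce what the YANG itself states: mandatory leaves and ranges."""
    findings: List[str] = []
    for leaf, ((lo, hi), mandatory) in spec.items():
        if leaf not in node:
            if mandatory:
                findings.append(f"{path}: mandatory leaf '{leaf}' missing")
            continue
        if not lo <= node[leaf] <= hi:
            findings.append(f"{path}: '{leaf}'={node[leaf]} outside "
                            f"range {lo}..{hi}")
    return findings


def assess(mac: Dict[str, Any]) -> List[str]:
    """Return one finding string per baseline deviation in `mac`."""
    findings: List[str] = []

    for vsi in mac.get("vsiMacLimits", {}).get("vsiMacLimit", []):
        path = f"vsiMacLimit[{vsi.get('vsiName')}]"
        findings += check_leaves(path, vsi, VSI_MAC_LIMIT)
        # Module defaults for a VSI limit: action=discard, alarm=disable.
        action = vsi.get("action", "discard")
        alarm = vsi.get("alarm", "disable")
        # ASSUMED baseline rule: excess MACs are dropped, not forwarded.
        if action != "discard":
            findings.append(f"{path}: action='{action}' lets the MAC "
                            "table fill past the limit")
        # ASSUMED baseline rule: exhaustion must raise an alarm.
        if alarm != "enable":
            findings.append(f"{path}: alarm='{alarm}', MAC table "
                            "exhaustion would be silent")
        # ASSUMED consistency rule the module does not express as 'must'.
        if ("upThreshold" in vsi and "downThreshold" in vsi
                and vsi["downThreshold"] > vsi["upThreshold"]):
            findings.append(f"{path}: downThreshold={vsi['downThreshold']} "
                            f"exceeds upThreshold={vsi['upThreshold']}")

    for ifc in mac.get("ifStormContrls", {}).get("ifStormContrl", []):
        path = f"ifStormContrl[{ifc.get('ifName')}]"
        # Module defaults: trapEnable=disable, logEnable=disable.
        # ASSUMED baseline rule: a storm must be reported somewhere.
        if (ifc.get("trapEnable", "disable") == "disable"
                and ifc.get("logEnable", "disable") == "disable"):
            findings.append(f"{path}: neither trap nor log enabled, "
                            "storms would go unreported")
        attrs = ifc.get("ifPacketContrlAttributes", {})
        for rate in attrs.get("ifPacketContrlAttribute", []):
            rpath = f"{path}/{rate.get('packetType')}"
            findings += check_leaves(rpath, rate, STORM_RATE)
            # ASSUMED consistency rule: minRate must not exceed maxRate.
            if ("minRate" in rate and "maxRate" in rate
                    and rate["minRate"] > rate["maxRate"]):
                findings.append(f"{rpath}: minRate={rate['minRate']} "
                                f"exceeds maxRate={rate['maxRate']}")
    return findings


# Constructed sample instance data (not taken from the draft).
SAMPLE: Dict[str, Any] = {
    "vsiMacLimits": {"vsiMacLimit": [
        {"vsiName": "vsi-cust-a", "maximum": 4096, "alarm": "enable",
         "upThreshold": 90, "downThreshold": 70},
        {"vsiName": "vsi-cust-b", "maximum": 0, "action": "forward",
         "upThreshold": 80, "downThreshold": 95},
        {"vsiName": "vsi-cust-c", "maximum": 600000, "upThreshold": 85},
    ]},
    "ifStormContrls": {"ifStormContrl": [
        {"ifName": "GigabitEthernet0/1/0", "trapEnable": "enable",
         "ifPacketContrlAttributes": {"ifPacketContrlAttribute": [
             {"packetType": "broadcast", "minRate": 1000, "maxRate": 5000}]}},
        {"ifName": "GigabitEthernet0/1/1",
         "ifPacketContrlAttributes": {"ifPacketContrlAttribute": [
             {"packetType": "multicast", "minRate": 5000, "maxRate": 1000}]}},
    ]},
}

if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print(finding)
```

Run stand-alone, the sample yields eight findings: none for vsi-cust-a or GigabitEthernet0/1/0, three for vsi-cust-b (forwarding past the limit, no alarm, inverted thresholds), three for vsi-cust-c (maximum above the module's 524288 ceiling, missing mandatory downThreshold, no alarm) and two for GigabitEthernet0/1/1 (unreported storms, minRate above maxRate). The split between check_leaves and the ASSUMED rules is deliberate: the former can be regenerated from the YANG, the latter is policy that a baseline document has to state explicitly.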