The Data Model of Network Infrastructure Device Data Plane Security Baseline
draft-xia-sacm-nid-dp-security-baseline-01
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Expired".
|
|
|---|---|---|---|
| Authors | Liang Xia , Guangying Zheng | ||
| Last updated | 2018-01-24 | ||
| RFC stream | (None) | ||
| Formats | |||
| Additional resources | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-xia-sacm-nid-dp-security-baseline-01
Network Working Group L. Xia
Internet-Draft G. Zheng
Intended status: Standards Track Huawei
Expires: July 29, 2018 January 25, 2018
The Data Model of Network Infrastructure Device Data Plane Security
Baseline
draft-xia-sacm-nid-dp-security-baseline-01
Abstract
This document proposes one part of the security baseline YANG for
network infrastructure device (i.e., router, switch, firewall, etc):
data plane security baseline. The companion documents [I-D.ietf-lin-
sacm-nid-mp-security-baseline], [I- D.ietf-dong-sacm-nid-infra-
security-baseline] cover other parts of the security baseline YANG
for network infrastructure device respectively: management plane
security baseline, infrastructure layer security baseline.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 29, 2018.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Xia & Zheng Expires July 29, 2018 [Page 1]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Objective . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2. Security Baseline . . . . . . . . . . . . . . . . . . . . 3
1.3. Security Baseline Data Model Design . . . . . . . . . . . 4
1.4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Key Words . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. Definition of Terms . . . . . . . . . . . . . . . . . . . 6
3. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Data Model Structure . . . . . . . . . . . . . . . . . . . . 6
4.1. Layer 2 protection . . . . . . . . . . . . . . . . . . . 6
4.2. ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.3. URPF . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.4. DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . 13
4.5. CPU Protection . . . . . . . . . . . . . . . . . . . . . 18
4.6. TCP/IP Attack Defence . . . . . . . . . . . . . . . . . . 21
5. Network Infrastructure Device Security Baseline Yang Module . 22
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43
7. Security Considerations . . . . . . . . . . . . . . . . . . . 44
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 44
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 44
9.1. Normative References . . . . . . . . . . . . . . . . . . 44
9.2. Informative References . . . . . . . . . . . . . . . . . 44
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44
1. Introduction
1.1. Objective
Network security is an essential part of the overall network
deployment and operation. Due to the following reasons, network
infrastructure devices (e.g. switch, router, firewall) are always the
objective and exploited by the network attackers, which bring damages
to the victim network:
o The existence of a lot of unsafe access channels: for the history
reason, some old and unsafe protocols still run in the network
devices, like: SNMP v1/v2, Telnet, etc, and are not mandatory to
be replaced by the according safer protocols (SNMP v3, SSH).
Attackers easily exploit them for attack (e.g., invalid login,
message eavesdropping);
Xia & Zheng Expires July 29, 2018 [Page 2]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
o The openness nature of TCP/IP network: despite the benefits of
network architecutre design and connectivity brought by the
network openness, a lot of threats exist at the same time.
Spoofing address, security weakness for various protocols, traffic
flooding, and other kinds of threat are originated from the
network openness;
o The security challenge by the network complexity: network are
becoming more complex, with massive nodes, various protocols and
flexible topology. Without careful design and strict management,
as well as operation automation, the policy consistency of network
security manangment cannot be ensured. It's common that part of
the network infrastructure is subject to attack;
o The complex functionality of device: the complexity of device
itself increases the difficulty of carring out the security
hardening measurements, as well as the skill requirements to the
network administrator. As a result, the network administrator may
not be capable of or willing to realize all the security
measurements, in addition to implementing the other basic
functionalities;
o The capacity and capability mismatching between the data plane and
the control plane: there are a large mismatching of the traffic
processing capacity and capability between different planes.
Without effective control, the large volume of traffic from the
data plane will flooding attack the other planes easily.
Therefore, the importance of ensuring the security of the network
infrastructure devices is out of question. To secure the network
infrastructure devices, one important task is to identify as far as
possible the threats and vulnerabilities in the device itself, such
as: unnecessary services, insecure configurations, abnormal status,
etc, then enforce the corresponding security hardening measurements,
such as: update the patch, modify the security configuration, enhance
the security mechanism, etc. We call this task the developing and
deploying the security baseline for the network infrastructure, which
provides a solid foundation for the overall network security. This
document aims to describe the security baseline for the network
infrastructure, which is called security baseline in short in this
document.
1.2. Security Baseline
Basically, security baseline can be designed and deployed into
different layers of the devices:
Xia & Zheng Expires July 29, 2018 [Page 3]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
o application layer: refers to the application platform security
solution and the typical application security mechanisms it
provided like: identity authentication, access control, permission
management, encryption and decryption, auditing and tracking,
privacy protection, to ensure secure application data
transmission/exchange, secure storage, secure processing, ensuring
the secure operation of the application system. Specific examples
may be: web application security, software integrity protection,
encryption of sensitive data, privacy protection, and lawful
interception interfaces and secure third-party component;
o network layer: refers to a series of security measures, to protect
the network resources and network services running on the device
network platform. Network layer security over network product is
complicated. Therefore, it is divided into data plane, control
plane, management plane to consider:
* data plane: focus on the security hardening configuration and
status to protect the data plane traffic against eavesdropping,
tampering, forging and flooding attacking the network;
* control plane: focus on the control signaling security of the
network infrastructure device, to protect their normal exchange
against various attacks (i.e., eavesdropping, tampering,
forging and flooding attack) and restrict the malicious control
signaling, for ensuring the correct network topology and
forwarding behavior;
* management plane: focus on the management information and
platform security. More specific, it includes all the security
configuration and status involved in the network OAM process;
o infrastructure layer: refers to all the security design about the
device itself and its running OS. As the foundation of the upper
layer services, the secure infrastructure layer must be assured.
The specific mechanisms include: OS security, key management,
cryptography security, certificate management, software integrity.
1.3. Security Baseline Data Model Design
The security baseline varies according to many factors, like:
different device types (i.e., router, switch, firewall), the
supporting security features of device, the specific security
requirements of network operator. It's impossible to design a
complete set for it, so this document and the companion ones are
going to propose the most important and universal points of them.
More baseline contents can be added in future following the data
model scheme specified.
Xia & Zheng Expires July 29, 2018 [Page 4]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
[I-D.ietf-birkholz-sacm-yang-content] defines a method of
constructing the YANG data model scheme for the security posture
assessment of the network infrastructure device by brokering of YANG
push telemetry via SACM statements. The basic steps are:
o use YANG push mechanism[I-D.ietf-netconf-yang-push]to collect the
created streams of notifications (telemetry)
[I-D.ietf-netconf-subscribed-notifications]providing SACM content
on SACM data plane, and the filter expressions used in the context
of YANG subscriptions constitute SACM content that is imperative
guidance consumed by SACM components on SACM management plane;
o then encapsulate the above YANG push output into a SACM Content
Element envelope, which is again encapsulated in a SACM statement
envelope;
o lastly, publish the SACM statement into a SACM domain via xmpp-
grid publisher.
In this document, we follow the same way as [I-D.ietf-birkholz-sacm-
yang-content] to define the YANG output for network infrastructure
device security baseline posture based on the SACM information model
definition [I-D.ietf-sacm-information-model].
1.4. Summary
The following contents propose part of the security baseline YANG
output for network infrastructure device: data plane security
baseline. The companion documents [I-D.ietf- dong-sacm-nid-cp-
security-baseline], [I-D.ietf-lin-sacm-nid-mp-security-baseline], [I-
D.ietf-xia-sacm-nid-app-infr-layers-security-baseline] cover other
parts of the security baseline YANG output for network infrastructure
device respectively: control plane security baseline, management
plane security baseline, application layer and infrastructure layer
security baseline.
2. Terminology
2.1. Key Words
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Xia & Zheng Expires July 29, 2018 [Page 5]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
2.2. Definition of Terms
This document uses the terms defined in [I-D.draft-ietf-sacm-
terminology].
3. Tree Diagrams
A simplified graphical representation of the data model is used in
this document. The meaning of the symbols in these diagrams is as
follows:
o Brackets "[" and "]" enclose list keys.
o Abbreviations before data node names: "rw" means configuration
(read-write) and "ro" state data (read-only).
o Symbols after data node names: "?" means an optional node and "*"
denotes a "list" and "leaf-list".
o Parentheses enclose choice and case nodes, and case nodes are also
marked with a colon (":").
o Ellipsis ("...") stands for contents of subtrees that are not
shown.
4. Data Model Structure
As the network infrastructure device, it makes decision of the
forwarding path based on the IP/MAC address and sends the packet in
data plane.The NP or ASIC are the main components for the data plane
functions.
This section describes the key data plane security baseline of the
network infrastructure devices, and defines their specific data
models.
4.1. Layer 2 protection
Mac table is the key resource in terms of layer 2 forwarding, also
easily attacked by learning massive invalid mac address. The mac
limit function is to protect the mac table by limiting the maximum
number of learned mac address in appointed interfaces. The mac
address is not learned and the packet is discarded when the up-limit
is reached, and the alarm is created possibly.
If the broadcast traffic is not suppressed in layer 2 network (i.e.,
Ethernet), a great amount of network bandwidth is consumed by a great
deal of broadcast traffic. The network performance is degraded, even
Xia & Zheng Expires July 29, 2018 [Page 6]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
interrupting the communication.In such a case, configuring the
broadcast traffic suppression on the device to ensure some bandwidth
can be reserved for unicast traffic forwarding when broadcast traffic
bursts across the network.It's flexible to configure the device to
suppress broadcast, multicast, and unknown unicast traffic on an
interface, a specified interface in a VLAN, a sub-interface, and over
a virtual switch instance (VSI) pseudo wire (PW).
module: ietf-mac-limit
+--rw mac
+--rw macLimitRules
| +--rw macLimitRule* [ruleName]
| +--rw ruleName string
| +--rw maximum uint32
| +--rw rate? uint16
| +--rw action? macLimitForward
| +--rw alarm? macEnableStatus
+--rw vlanMacLimits
| +--rw vlanMacLimit* [vlanId]
| +--rw vlanId macVlanId
| +--rw maximum uint32
| +--rw rate? uint16
| +--rw action? macLimitForward
| +--rw alarm? macEnableStatus
+--rw vsiMacLimits
| +--rw vsiMacLimit* [vsiName]
| +--rw vsiName string
| +--rw maximum uint32
| +--rw rate? uint16
| +--rw action? macLimitForward
| +--rw alarm? macEnableStatus
+--rw bdMacLimits
| +--rw bdMacLimit* [bdId]
| +--rw bdId uint32
| +--rw maximum uint32
| +--rw rate? uint16
| +--rw action? macLimitForward
| +--rw alarm? macEnableStatus
+--rw pwMacLimits
| +--rw pwMacLimit* [vsiName pwName]
| +--rw vsiName string
| +--rw pwName string
| +--rw maximum uint32
| +--rw rate? uint16
| +--rw action? macLimitForward
| +--rw alarm? macEnableStatus
+--rw ifMacLimits
| +--rw ifMacLimit* [ifName limitType]
Xia & Zheng Expires July 29, 2018 [Page 7]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
| +--rw ifName pub-type:ifName
| +--rw limitType limitType
| +--rw ruleName? -> /mac/macLimitRules/macLimitRule/ruleName
| +--rw maximum uint32
| +--rw rate? uint16
| +--rw action? macLimitForward
| +--rw alarm? macEnableStatus
+--rw ifVlanMacLimits
| +--ro ifVlanMacLimit* [ifName vlanBegin limitType]
| +--ro ifName pub-type:ifName
| +--ro vlanBegin macVlanId
| +--ro vlanEnd? macVlanId
| +--ro limitType limitType
| +--ro ruleName? -> /mac/macLimitRules/macLimitRule/ruleName
| +--ro maximum uint32
| +--ro rate uint16
| +--ro action? macLimitForward
| +--ro alarm? macEnableStatus
+--rw subifMacLimits
| +--rw subifMacLimit* [ifName limitType]
| +--rw ifName pub-type:ifName
| +--rw limitType limitType
| +--ro vsiName string
| +--rw ruleName string
| +--rw maximum uint32
| +--rw rate? uint16
| +--rw action? macLimitForward
| +--rw alarm? macEnableStatus
+--rw vsiStormSupps
| +--rw vsiStormSupp* [vsiName suppressType]
| +--rw vsiName string
| +--rw suppressType suppressType
| +--rw percent? uint64
| +--rw packets? uint64
| +--rw cir? uint64
| +--rw cbs? uint64
+--rw vlanStormSupps
| +--rw vlanStormSupp* [vlanId suppressType]
| +--rw vlanId macVlanId
| +--rw suppressType suppressType
| +--rw percent? uint64
| +--rw packets? uint64
| +--rw cir? uint64
| +--rw cbs? uint64
+--rw pwSuppresss
| +--rw pwSuppress* [vsiName pwName suppressType]
| +--rw vsiName string
| +--rw pwName string
Xia & Zheng Expires July 29, 2018 [Page 8]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
| +--rw suppressType suppressType
| +--rw percent? uint64
| +--rw packets? uint64
| +--rw cir? uint64
| +--rw cbs? uint64
+--rw vsiTotalNumbers
| +--ro vsiTotalNumber* [vsiName slotId macType]
| +--ro vsiName string
| +--ro slotId string
| +--ro macType macType
| +--ro number uint32
+--rw ifStormSupps
| +--rw ifStormSupp* [ifName suppressType]
| +--rw ifName pub-type:ifName
| +--rw suppressType suppressType
| +--rw direction directionType
| +--rw percent? uint64
| +--rw packets? uint64
| +--rw cir? uint64
| +--rw cbs? uint64
+--rw ifStormBlocks
| +--rw ifStormBlock* [ifName blockType direction]
| +--rw ifName pub-type:ifName
| +--rw blockType suppressType
| +--rw direction directionType
+--rw ifStormContrls
+--rw ifStormContrl* [ifName]
+--rw ifName pub-type:ifName
+--rw action? stormCtrlActionType
+--rw trapEnable? enableType
+--rw logEnable? enableType
+--rw interval? uint64
+--rw ifPacketContrlAttributes
| +--rw ifPacketContrlAttribute* [packetType]
| +--rw packetType stormCtrlType
| +--rw rateType? stormCtrlRateType
| +--rw minRate uint32
| +--rw maxRate uint64
+--rw ifstormContrlInfos
+--ro ifstormContrlInfo* [packetType]
+--ro packetType stormCtrlType
+--ro punishStatus? stormCtrlActionType
+--ro lastPunishTime? string
Xia & Zheng Expires July 29, 2018 [Page 9]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
4.2. ARP
ARP security is set of functions to protect the ARP protocol and
networks against malicious attacks so that the network communication
keeps stable and important user information is protected, which
mainly includes:
ARP anti-spoofing functions: protect devices against spoofing ARP
attack packets, improving the security and reliability of network
communication.
ARP anti-flooding functions: relieve CPU load and prevent the ARP
table overflow, ensuring normal network operation.
Xia & Zheng Expires July 29, 2018 [Page 10]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
module: ietf-arp-sec
+--ro arp-sec
+--ro arpInterf aces
| +--rw arpInterface* [ifName]
| +--rw ifName -> /if:interfaces/if:interface/if:name
| +--rw arpLearnDisable? boolean //arp-learning-control
| +--rw arpLearnStrict? arpStrictLearn //arp-learning-control
| +--rw fakeExpireTime? uint32 //arp-fake-expire-time?
| +--rw dstMacCheck? boolean //validate
| +--rw srcMacCheck? boolean //validate
+--rw secArpGrats
| +--rw secArpGrat* [ifName]
| +--rw ifName -> /if:interfaces/if:interface/if:name
+--rw secArpChkIpEns
| +--rw secArpChkIpEn* [ifName]
| +--rw ifName -> /if:interfaces/if:interface/if:name
+--rw secArpMacIlls
| +--rw secArpMacIll* [ifName]
| +--rw ifName -> /if:interfaces/if:interface/if:name
+--rw secArpReqNoBlks
| +--rw secArpReqNoBlk* [ifName]
| +--rw ifName -> /if:interfaces/if:interface/if:name
+--ro secDisArpChks
| +--ro secDisArpChk* [secSlotId secChkType]
| +--ro secSlotId -> /devm:devm/lpuBoards/lpuBoard/position
| +--ro secChkType cpudefendArpAttackType
| +--ro secTotalPkts? uint64
| +--ro secPassedPkts? uint64
| +--ro secDropedPkts? uint64
+--ro arpIfLimits //arp-table-limit
| +--rw arpIfLimit* [ifName vlanId]
| +--rw ifName -> /if:interfaces/if:interface/if:name
| +--rw vlanId uint16
| +--rw limitNum uint32
| +--ro learnedNum? uint32
+--ro arpSpeedLimits // arp-speed-limit
| +--rw arpSpeedLimit* [slotId suppressType ipType]
| +--rw slotId string
| +--rw suppressType enumeration
| +--rw ipType enumeration
| +--rw suppressValue uint32
+--ro arpGlobalSpeedLimits // arp-speed-limit
+--rw arpGSpeedLimit* [gSuppressType gIpType]
+--rw gSuppressType arpSuppType
+--rw gIpType arpSuppIpType
+--rw gPortType? enumeration
+--rw gSuppressValue uint32
Xia & Zheng Expires July 29, 2018 [Page 11]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
4.3. URPF
Unicast Reverse Path Forwarding (URPF) is a technology used to defend
against network attacks based on source address spoofing. Generally,
upon receiving a packet, a router first obtains the destination IP
address of the packet and then searches the forwarding table for a
route to the destination address. If the router finds such a route,
it forwards the packet; otherwise, it discards the packet. A URPF-
enabled router, however, obtains the source IP address of a received
packet and searches for a route to the source address. If the router
fails to find the route, it considers that the source address is a
forged one and discards the packet. In this manner, URPF can
effectively protect against malicious attacks that are launched by
changing the source addresses of packets.
URPF can be performed in strict or loose mode. The strict mode
checks both the existence of source address in the route table and
the interface consistency, while loose mode only checks if the source
address is in the route table. In some case, the router may have
only one default route to the router of the ISP. Therefore, matching
the default route entry needs to be supported.
URPF can be performed over interface, defined flow and traffic sent
to local CPU.
module: ietf-urpf-sec
+--ro urpf-sec
+--rw interface-urpf* [ifname]
| +--rw ifname if:interface-ref
| +--rw mode? enumeration
| +--rw allow-default? boolean
augment "/policy:policies/policy:policy-entry" +
| "/policy:classifier-entry" +
| "/policy:classifier-action-entry-cfg":
+--rw (action-cfg-params)?
| +--:(urpf)
| +--rw urpf-cfg
| +--rw check-type? urpf-check-type
| +--rw allow-default? Boolean
+--rw local-URPF
+--rw cpu-defend-policy* [name]
+--rw name string
+--description? string
+-- urpf-mode enumeration
+--allow-default boolean
+--slot-id unit16
Xia & Zheng Expires July 29, 2018 [Page 12]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
Identity urpf {
base policy:action-type;
description
" urpf action type";
}
grouping urpf {
container urpf-cfg {
leaf check-type {
type urpf-check-type;
description
"urpf checking";
}
leaf allow-default{
type qos-switch-flag;
description " allowDefault flag";
}
description
"urpf container";
}
description
"dscp marking grouping";
}
augment "/policy:policies" +
"/policy:policy-entry" +
"/policy:classifier-entry" +
"/policy:classifier-action-entry-cfg" +
"/diffserv:action-cfg-params" {
case urpf {
uses sec-ac:urpf;
description
"urpf action";
}
}
4.4. DHCP Snooping
DHCP, which is widely used on networks, dynamically assigns IP
addresses to clients and manages configuration information in a
centralized manner. During DHCP packet forwarding, some attacks may
occur, such as bogus DHCP server attacks, DHCP exhaustion attacks,
denial of service (DoS) attacks, and DHCP flooding attacks.
Xia & Zheng Expires July 29, 2018 [Page 13]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
DHCP snooping is a DHCP security feature that functions in a similar
way to a firewall between DHCP clients and servers. A DHCP-snooping-
capable device intercepts DHCP packets and uses information carried
in the packets to create a DHCP snooping binding table. This table
records hosts' MAC addresses, IP addresses, IP address lease time,
VLAN, and interface information. The device uses this table to check
the validity of received DHCP packets. If a DHCP packet does not
match any entry in this table, the device discards the packet.
Besides the binding table, DHCP snooping has other security features
such as trusted interface, max dhcp user limit and whitelist to
defend against the bogus DHCP server, DHCP flooding and other fine-
grained DHCP attacks.
module: ietf-dhcp-sec
+--rw dhcp
+--rw snooping
+--rw dhcpSnpGlobal
| +--rw dhcpSnpEnable? boolean
| +--rw serverDetectEnable? boolean
| +--rw dhcpSnpUserBindAutoSaveEnable? boolean
| +--rw dhcpSnpUserBindFileName? string
| +--rw globalCheckRateEnable? boolean
| +--rw dhcpSnpGlobalRate? uint16
| +--rw checkRateAlarmEnable? boolean
| +--rw rateThreshold? uint16
| +--rw alarmThreshold? uint16
| +--ro rateLimitPacketCount? uint32
| +--rw dhcpSnpUserOfflineRemoveMac? boolean
| +--rw dhcpSnpArpDetectEnable? boolean
| +--rw dhcpSnpGlobalMaxUser? uint16
| +--rw dhcpSnpUserTransferEnable? boolean
+--rw dhcpSnpVlans
| +--rw dhcpSnpVlan* [vlanId]
| +--rw vlanId uint16
| +--rw dhcpSnpEnable boolean
| +--rw checkRateEnable boolean
| +--rw dhcpSnpVlanRate uint32
| +--rw dhcpSnpVlanTrustEnable boolean
| +--rw checkArpEnable boolean
| +--rw alarmArpEnable boolean
| +--rw alarmArpThreshold uint16
| +--rw checkIpEnable boolean
| +--rw alarmIpEnable boolean
| +--rw alarmIpThreshold uint16
| +--rw alarmReplyEnable boolean
| +--rw alarmReplyThreshold uint16
| +--rw checkMacEnable boolean
Xia & Zheng Expires July 29, 2018 [Page 14]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
| +--rw alarmMacEnable boolean
| +--rw alarmMacThreshold uint16
| +--rw checkUserBindEnable boolean
| +--rw alarmUserBindEnable boolean
| +--rw alarmUserBindThreshold uint16
| +--rw dhcpSnpVlanMaxUserNum uint16
| +--rw alarmUserLimitEnable boolean
| +--rw alarmUserLimitThreshold uint16
| +--rw dhcpSnpVlanStatistics
| +--ro dropArpPktCnt? uint32
| +--ro dropIpPktCnt? uint32
| +--ro dropDhcpReqCntByBindTbl? uint32
| +--ro dropDhcpReqCntByMacCheck? uint32
| +--ro dropDhcpReplyCnt? uint32
+--rw vlanTrustInterfaces
| +--rw vlanTrustInterface* [vlanId ifName]
| +--rw vlanId uint16
| +--rw ifName pub-type:ifName
+--rw dhcpSnpInterfaces
| +--rw dhcpSnpInterface* [ifName]
| +--rw ifName pub-type:ifName
| +--rw dhcpSnpEnable boolean
| +--rw dhcpSnpIfDisable boolean
| +--rw dhcpSnpIfTrustEnable boolean
| +--rw dhcpSnpIfRate uint16
| +--rw checkRateEnable boolean
| +--rw alarmRateEnable boolean
| +--rw alarmRateThreshold uint16
| +--rw checkArpEnable boolean
| +--rw alarmArpEnable boolean
| +--rw alarmArpThreshold uint16
| +--rw checkIpEnable boolean
| +--rw alarmIpEnable boolean
| +--rw alarmIpThreshold uint16
| +--rw alarmReplyEnable boolean
| +--rw alarmReplyThreshold uint16
| +--rw checkMacEnable boolean
| +--rw alarmMacEnable boolean
| +--rw alarmMacThreshold uint16
| +--rw checkUserBindEnable boolean
| +--rw alarmUserBindEnable boolean
| +--rw alarmUserBindThreshold uint16
| +--rw dhcpSnpIntfMaxUserNum uint32
| +--rw alarmUserLimitEnable boolean
| +--rw alarmUserLimitThreshold uint16
| +--rw dhcpSnpInterfStickyMacEnable boolean
| +--rw dhcpSnpIfStatistics
| +--ro dropArpPktCnt? uint32
Xia & Zheng Expires July 29, 2018 [Page 15]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
| +--ro dropIpPktCnt? uint32
| +--ro pktCntDropByUserBind? uint32
| +--ro pktCntDropByMac? uint32
| +--ro pktCntDropByUntrustReply? uint32
| +--ro pktCntDropByRate? uint32
+--rw dhcpSnpDynBindTbls
| +--ro dhcpSnpDynBindTbl* [ipAddress outerVlan innerVlan vsiName vpnName bridgeDomain]
| +--ro ipAddress pub-type:ipv4Address
| +--ro outerVlan uint16
| +--ro innerVlan uint16
| +--ro vsiName string
| +--ro vpnName string
| +--ro bridgeDomain uint32
| +--ro macAddress? pub-type:macAddress
| +--ro ifName? pub-type:ifName
| +--ro lease? yang:date-and-time
+--rw dhcpSnpVlanIfs
| +--rw dhcpSnpVlanIf* [vlanId ifName]
| +--rw vlanId uint16
| +--rw ifName pub-type:ifName
| +--rw dhcpSnpEnable boolean
| +--rw trustFlag boolean
| +--rw checkArpEnable boolean
| +--rw alarmArpEnable boolean
| +--rw alarmArpThreshold uint32
| +--rw checkIpEnable boolean
| +--rw alarmIpEnable boolean
| +--rw alarmIpThreshold uint32
| +--rw alarmReplyEnable boolean
| +--rw alarmReplyThreshold uint32
| +--rw checkChaddrEnable boolean
| +--rw alarmChaddrEnable boolean
| +--rw alarmChaddrThreshold uint32
| +--rw checkReqEnable boolean
| +--rw alarmReqEnable boolean
| +--rw alarmReqThreshold uint32
| +--rw dhcpSnpVlanIfMaxUserNum uint32
| +--rw alarmUserLimitEnable boolean
| +--rw alarmUserLimitThreshold uint32
| +--rw dhcpSnpVlanIfStatistics
| +--ro dropArpPktCnt? uint32
| +--ro dropIpPktCnt? uint32
| +--ro dropDhcpReqCntByBindTbl? uint32
| +--ro dropDhcpReqCntByMacCheck? uint32
| +--ro dropDhcpReplyCnt? uint32
+--rw ifStaticBindTbls
| +--rw ifStaticBindTbl* [ifName ipAddress vlanId ceVlanId]
| +--rw ifName pub-type:ifName
Xia & Zheng Expires July 29, 2018 [Page 16]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
| +--rw ipAddress pub-type:ipAddress
| +--rw vlanId uint16
| +--rw ceVlanId uint16
| +--rw macAddress? pub-type:macAddress
+--rw vlanStaticBindTbls
| +--rw vlanStaticBindTbl* [vlanId ipAddress ceVlanId]
| +--rw vlanId uint16
| +--rw ipAddress pub-type:ipAddress
| +--rw ceVlanId uint16
| +--rw macAddress? pub-type:macAddress
| +--rw ifName? pub-type:ifName
+--rw dhcpSnpBds
| +--rw dhcpSnpBd* [bdId]
| +--rw bdId uint32
| +--rw dhcpSnpEnable? boolean
| +--rw dhcpSnpTrust? boolean
| +--rw checkArpEnable? boolean
| +--rw alarmArpEnable? boolean
| +--rw alarmArpThreshold? uint32
| +--rw checkIpEnable? boolean
| +--rw alarmIpEnable? boolean
| +--rw alarmIpThreshold? uint32
| +--rw alarmReplyEnable? boolean
| +--rw alarmReplyThreshold? uint32
| +--rw checkMacEnable? boolean
| +--rw alarmMacEnable? boolean
| +--rw alarmMacThreshold? uint32
| +--rw checkRequestEnable? boolean
| +--rw alarmRequestEnable? boolean
| +--rw alarmRequestThreshold? uint32
| +--rw maxUserNum? uint32
| +--rw alarmUserLimitEnable? boolean
| +--rw alarmUserLimitThreshold? uint32
| +--rw statistics
| +--ro dropArpPktCnt? uint32
| +--ro dropIpPktCnt? uint32
| +--ro dropDhcpReqCntByBindTbl? uint32
| +--ro dropDhcpReqCntByMacCheck? uint32
| +--ro dropDhcpReplyCnt? uint32
+--rw BdStaticBindTbls
| +--rw globalBdStaticBindTbl* [bdId ipAddress peVlan ceVlan]
| +--rw bdId uint32
| +--rw ipAddress pub-type:ipv4Address
| +--rw macAddress? pub-type:macAddress
| +--rw peVlan uint16
| +--rw ceVlan uint16
+--rw dhcpSnpWhiteLists
+--rw dhcpSnpWhiteList* [whtLstName]
Xia & Zheng Expires July 29, 2018 [Page 17]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
+--rw whtLstName string
+--rw applyFlag boolean
+--rw dhcpSnpWhiteRules
+--rw dhcpSnpWhiteRule* [ruleId]
+--rw ruleId uint16
+--rw srcIP? inet:ipv4-address-no-zone
+--rw srcMask? inet:ipv4-address-no-zone
+--rw dstIP? inet:ipv4-address-no-zone
+--rw dstMask? inet:ipv4-address-no-zone
+--rw srcPort? dhcpSnpPort
+--rw dstPort? dhcpSnpPort
4.5. CPU Protection
For the network device, there are maybe a large number of packets to
be sent to its CPU, or malicious packets attempt to attack the device
CPU. If the CPU receives excessive packets, it will be overloaded
and support the normal services with very poor performance; In
extreme cases, the system fails.
More specifically, services are negatively affected when the CPU is
attacked because of the following reasons:
o Valid protocol packets are not distinguished from invalid protocol
packets. The CPU is busy in processing a large number of invalid
protocol packets. Consequently, the CPU usage rises sharply and
valid packets cannot be processed properly
o Packets of some protocols are sent to the CPU through the same
channel. When excessive packets of a certain type of protocol
packet block the channel, the transmission of other protocol
packets is affected
o The bandwidth of a channel is not set appropriately. When an
attack occurs, processing of protocol packets on other channels is
affected
Accordingly, the following countermeasures can be taken by the
network device for CPU protection:
o Collect and classify protocols related to various services running
on equipment
o Use ACLs to filter the packets. Valid protocol packets are put
into the whitelist and a user-defined flow, other packets are put
into the blacklist
Xia & Zheng Expires July 29, 2018 [Page 18]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
o Plan the priorities, channel bandwidth, length of packets, and
alarm function of the preceding three lists
o Disable services that are not deployed on the equipment, and
control the total forwarding bandwidth
In this manner, the number of packets sent to the CPU is under
control, and the bandwidth is ensured preferentially for services
with higher priorities. In addition, CPU overload is prevented and
an alarm is generated when an attack occurs.
module: ietf-cpuDefend
+--rw cpuDefend
+--rw cpuDefendPolicys
| +--rw cpuDefendPolicy* [policyID]
| +--rw policyID uint32
| +--rw description? string
| +--rw whiteListACLNumber? uint32
| +--rw blackListACLNumber? uint32
| +--rw userDefinedFlows
| | +--rw userDefinedFlow* [flowID]
| | +--rw flowID uint32
| | +--rw aclNumber uint32
| +--rw cpuDefendRules
| +--rw cpuDefendRule* [ruleType pktIndex userDefinedFlowID protocolName tcpIpName]
| +--rw ruleType cpuDefendRuleType // [total-packet | whitelist | blacklist | use-defined-flow | protocolName | TcpIpType]
| +--rw pktIndex? uint16
| +--rw userDefinedFlowID? uint32
| +--rw protocolName? protocolType // [ftpServer | sshServer | snmp | ... | NA]
| +--rw tcpIpName? tcpIPType // [TCPSYN | FRAGMENT | NA]
| +--rw CARAttr
| | +--rw cir? uint32
| | +--rw cbs? uint32
| | +--rw pir? uint32
| | +--rw pbs? uint32
| | +--rw minPktLen? uint32
| | +--rw pktRate? uint32
| | +--rw weight? uint16
| +--rw priority? priorityEnum //{ high | middle | low | be | af1 | af2 | af3 | af4 | ef | cs6 }
| +--rw alarmDropRate
| +--rw enable boolean
| +--rw threshold? uint32
| +--rw interval? uint16
| +--rw speedThreshold? uint32
+--rw cpuDefendPolicyCfgs
| +--rw cpuDefendPolicyCfg* [slotIdStr]
| +--rw slotIdStr -> /devm:devm/lpuBoards/lpuBoard/position
| +--rw policyID -> /cpudefend/cpuDefendPolicys/cpuDefendPolicy/policyID
Xia & Zheng Expires July 29, 2018 [Page 19]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
+--ro displayCARsConfs
| +--ro displayCARsConf* [slotId pktIndex]
| +--ro slotId string
| +--ro pktIndex uint16
| +--ro cir? uint32
| +--ro cbs? uint32
| +--ro minPkt? uint32
| +--ro priority? priorityEnum
| +--ro desc? protocolType
+--ro protocolStats
| +--ro protocolStat* [slotId]
| +--ro slotId string
| +--ro protocolEnable protocolType //{ftpServer | sshServer | snmp | ...}
| +--ro defaultAct protocolEnableDefAction // {Drop | Min_to_cpu}
| +--ro defaultCir uint32
| +--ro defaultCbs uint32
+--ro secnoncarstats
| +--ro secnoncarstat* [secSlotId secPolicyType secPolicyTypeID]
| +--ro secSlotId string
| +--ro secPolicyType cpudefendNoCarPolicyType
| +--ro secPolicyTypeID cpudefendSecStatTypeID
| +--ro secSubTotalPkts? uint64
| +--ro secSubPassPkts? uint64
| +--ro secSubDropPkts? uint64
+--ro seccarstats
| +--ro seccarstat* [secSlotId secPolicyType secPolicyTypeID]
| +--ro secSlotId string
| +--ro secPolicyType cpudefendPolicyType
| +--ro secPolicyTypeID uint32
| +--ro secAppEnable? boolean
| +--ro secAppDefAct? cpudefendAppDefAction
| +--ro secProtoEnable? boolean
| +--ro secPassedPkts? uint64
| +--ro secDropedPkts? uint64
| +--ro secCfgCir? uint32
| +--ro secCfgCbs? uint32
| +--ro secActualCir? uint32
| +--ro secActualCbs? uint32
| +--ro secPriority? cpudefendPriority
| +--ro secMinPktLen? uint32
| +--ro secAclDenyPkts? uint64
| +--ro secHistPps? uint64
| +--ro secHistPpsTime? yang:date-and-time
| +--ro secLastPps? uint64
| +--ro secLastDrpBTime? yang:date-and-time
| +--ro secLastDrpETime? yang:date-and-time
| +--ro secTtlDropPkts? uint64
+--ro totalPktStats
Xia & Zheng Expires July 29, 2018 [Page 20]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
| +--ro totalPktStat* [slotId]
| +--ro slotId string
| +--ro totalPkt? uint64
| +--ro passPkt? uint64
| +--ro dropPkt? uint64
+--rw hostcarNodes
| +--rw hostcarNode* [slotID hostCarType]
| +--rw slotID -> /devm:devm/lpuBoards/lpuBoard/position
| +--rw hostCarType hostCarTypeEnum // {hostcar | http-hostcar | vlan-host-car}
| +--rw ifEnable? socIfEnable
| +--rw cir? uint32
| +--rw pir? uint32
| +--rw cbs? uint32
| +--rw pbs? uint32
| +--rw dropThreshold? uint32
| +--rw interval? uint32
+--ro hostCarStats
| +--ro hostCarStat* [slotID hostCarType statType hostCarID httpHostCarID vlanHostCarID]
| +--ro slotID -> /devm:devm/lpuBoards/lpuBoard/position
| +--ro hostCarType hostCarTypeEnum
| +--ro statType statTypeEnum // {carID | all | auto-adjust | dropped | non-dropped | active}
| +--ro hostCarID uint32
| +--ro httpHostCarID uint32
| +--ro vlanHostCarID uint32
| +--ro passedBytes? uint64
| +--ro droppedBytes? uint64
+--ro hostCarCfgs
+--ro hostCarCfg* [slotID]
+--ro slotID string
+--ro hostCarType? hostCarTypeEnum
+--ro defaultCir? uint32
+--ro defaultPir? uint32
+--ro defaultCbs? uint32
+--ro defaultPbs? uint32
+--ro actualCir? uint32
+--ro actualPir? uint32
+--ro actualCbs? uint32
+--ro actualPbs? uint32
+--ro droprateEn? ifEnable
+--ro logInterval? uint32
+--ro logThreshold? uint32
4.6. TCP/IP Attack Defence
Defense against TCP/IP attacks is applied to the router on the edge
of the network or other routers that are easily to be attacked by
illegal TCP/IP packets. Defense against TCP/IP attacks can protect
Xia & Zheng Expires July 29, 2018 [Page 21]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
the CPU of the router against malformed packets, fragmented packets,
TCP SYN packets, and UDP packets, ensuring that normal services can
be processed.
module: ietf-tcp-ip-attack-defence
+--rw secAntiAttackEnable
| +--rw antiEnable? antiAttackEnableCfgType
| +--rw abnormalEnable? antiAttackEnableCfgType
| +--rw udpFloodEnable? antiAttackEnableCfgType
| +--rw tcpSynEnable? antiAttackEnableCfgType
| +--rw icmpFloodEnable? antiAttackEnableCfgType
| +--rw fragmentEnable? antiAttackEnableCfgType
+--rw secAntiAttackCarCfg
| +--rw cirFlag? uint32
| +--rw cirIcmp? uint32
| +--rw cirTcp? uint32
+--rw secAntiAttackStats
| +--ro secAntiAttackStat* [attackType]
| +--ro attackType antiAttackType
| +--ro totalCount? uint64
| +--ro dropCount? uint64
| +--ro passCount? uint64
5. Network Infrastructure Device Security Baseline Yang Module
module ietf-mac-limit {
namespace "urn:ietf:params:xml:ns:yang:ietf-mac-limit";
prefix maclimit;
/*
import huawei-pub-type {
prefix pub-type;
}
*/
import ietf-yang-types {
prefix yang;
}
/*
import huawei-extension {
prefix ext;
}
include huawei-mac-action;
include huawei-mac-type;
*/
organization
"Huawei Technologies.";
contact
"Liang Xia: Frank.xialiang@huawei.com";
Xia & Zheng Expires July 29, 2018 [Page 22]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
"Guangying Zheng: Zhengguangying@huawei.com";
description
"MAC address limit.";
revision 2017-09-01 {
description
"Init revision";
reference "xxx.";
}
container mac {
description
"MAC address forwarding. ";
container macLimitRules {
description
"Global MAC address learning limit rule.";
list macLimitRule {
key "ruleName";
description
"Global MAC address learning limit.";
leaf ruleName {
type string {
length "1..31";
}
description
"Global MAC address learning limit rule name.";
}
leaf maximum {
type uint32 {
range "0..131072";
}
mandatory true;
description
"Maximum number of MAC addresses that can be learned.";
}
leaf rate {
type uint16 {
range "0..1000";
}
default "0";
description
"Interval at which MAC addresses are learned.";
}
leaf action {
type macLimitForward;
default "discard";
description
"Discard or forward after the number of learned MAC addresses reaches the maximum number.";
Xia & Zheng Expires July 29, 2018 [Page 23]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
}
leaf alarm {
type macEnableStatus;
default "enable";
description
"Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number.";
}
}
}
container vlanMacLimits {
description
"VLAN MAC address limit list.";
list vlanMacLimit {
key "vlanId";
description
"VLAN MAC address limit.";
leaf vlanId {
type macVlanId;
description
"VLAN ID.";
}
leaf maximum {
type uint32 {
range "0..130048";
}
mandatory true;
description
"Maximum number of MAC addresses that can be learned in a VLAN.";
}
leaf rate {
type uint16 {
range "0..1000";
}
default "0";
description
"Interval at which MAC addresses are learned in a VLAN.";
}
leaf action {
type macLimitForward;
default "discard";
description
"Discard or forward after the number of learned MAC addresses reaches the maximum number in a VLAN.";
}
leaf alarm {
type macEnableStatus;
default "enable";
description
"Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number in a VLAN.";
Xia & Zheng Expires July 29, 2018 [Page 24]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
}
}
}
container vsiMacLimits {
description
"VSI MAC address limit list.";
list vsiMacLimit {
key "vsiName";
description
"VSI MAC address limit.";
leaf vsiName {
type string {
length "1..31";
}
description
"VSI name.";
}
leaf maximum {
type uint32 {
range "0..524288";
}
mandatory true;
description
"Maximum number of MAC addresses that can be learned in a VSI.";
}
leaf rate {
type uint16 {
range "0..1000";
}
default "0";
description
"Interval at which MAC addresses are learned in a VSI.";
}
leaf action {
type macLimitForward;
default "discard";
description
"Discard or forward after the number of learned MAC addresses reaches the maximum number in a VSI.";
}
leaf alarm {
type macEnableStatus;
default "disable";
description
"Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number in a VSI.";
}
leaf upThreshold {
type uint8 {
range "80..100";
Xia & Zheng Expires July 29, 2018 [Page 25]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
}
mandatory true;
description
"Upper limit for the number of MAC addresses.";
}
leaf downThreshold {
type uint8 {
range "60..100";
}
mandatory true;
description
"Upper limit for the number of MAC addresses.";
}
}
}
container bdMacLimits {
description
"BD MAC address limit list.";
list bdMacLimit {
key "bdId";
description
"BD MAC address limit.";
leaf bdId {
type uint32 {
range "1..16777215";
}
description
"Specifies the ID of a bridge domain.";
}
leaf maximum {
type uint32 {
range "0..130048";
}
mandatory true;
description
"Maximum number of MAC addresses that can be learned in a BD.";
}
leaf rate {
type uint16 {
range "0..1000";
}
default "0";
description
"Interval at which MAC addresses are learned in a BD.";
}
leaf action {
type macLimitForward;
default "discard";
Xia & Zheng Expires July 29, 2018 [Page 26]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
description
"Forward or discard the packet.";
}
leaf alarm {
type macEnableStatus;
default "enable";
description
"Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number.";
}
}
}
container pwMacLimits {
description
"PW MAC address limit list.";
list pwMacLimit {
key "vsiName pwName";
description
"PW MAC address limit.";
leaf vsiName {
type string {
length "1..31";
}
description
"VSI name.";
}
leaf pwName {
type string {
length "1..15";
}
description
"PW name.";
}
leaf maximum {
type uint32 {
range "0..130048";
}
mandatory true;
description
"Maximum number of MAC addresses that can be learned in a PW.";
}
leaf rate {
type uint16 {
range "0..1000";
}
default "0";
description
"Interval at which MAC addresses are learned in a PW.";
}
Xia & Zheng Expires July 29, 2018 [Page 27]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
leaf action {
type macLimitForward;
default "discard";
description
"Discard or forward after the number of learned MAC addresses reaches the maximum number in a PW.";
}
leaf alarm {
type macEnableStatus;
default "enable";
description
"Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number in a PW.";
}
}
}
container ifMacLimits {
description
"Interface MAC address limit list.";
list ifMacLimit {
key "ifName limitType";
description
"Interface MAC address limit.";
leaf ifName {
type pub-type:ifName;
description
"Interface name.";
}
leaf limitType {
type limitType;
description
"Interface MAC limit type.";
}
leaf ruleName {
type leafref {
path "/mac/macLimitRules/macLimitRule/ruleName";
}
description
"Rule name.";
}
leaf maximum {
type uint32 {
range "0..131072";
}
mandatory true;
description
"Maximum number of MAC addresses that can be learned on an interface.";
}
leaf rate {
type uint16 {
Xia & Zheng Expires July 29, 2018 [Page 28]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
range "0..1000";
}
default "0";
description
"Interval (ms) at which MAC addresses are learned on an interface.";
}
leaf action {
type macLimitForward;
default "discard";
description
"Discard or forward after the number of learned MAC addresses reaches the maximum number on an interface";
}
leaf alarm {
type macEnableStatus;
default "enable";
description
"Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number on an interface.";
}
}
}
container ifVlanMacLimits {
description
"Interface + VLAN MAC address limit list.";
list ifVlanMacLimit {
key "ifName vlanBegin limitType";
config false;
description
"Interface + VLAN MAC address limit.";
leaf ifName {
type pub-type:ifName;
description
"Name of an interface. ";
}
leaf vlanBegin {
type macVlanId;
description
"Start VLAN ID.";
}
leaf vlanEnd {
type macVlanId;
description
"End VLAN ID.";
}
leaf limitType {
type limitType;
description
"Interface MAC limit type.";
}
Xia & Zheng Expires July 29, 2018 [Page 29]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
leaf ruleName {
type leafref {
path "/mac/macLimitRules/macLimitRule/ruleName";
}
description
"Rule name.";
}
leaf maximum {
type uint32 {
range "0..131072";
}
mandatory true;
description
"Maximum number of MAC addresses that can be learned on an interface.";
}
leaf rate {
type uint16 {
range "0..1000";
}
mandatory true;
description
"Interval (ms) at which MAC addresses are learned on an interface.";
}
leaf action {
type macLimitForward;
default "discard";
description
"Discard or forward the packet.";
}
leaf alarm {
type macEnableStatus;
default "enable";
description
"Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number.";
}
}
}
container subifMacLimits {
description
"Sub-interface MAC address limit list.";
list subifMacLimit {
key "ifName limitType";
description
"Sub-interface MAC address limit.";
leaf ifName {
type pub-type:ifName;
description
"Name of a sub-interface. ";
Xia & Zheng Expires July 29, 2018 [Page 30]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
}
leaf limitType {
type limitType;
description
"Sub-interface MAC limit type.";
}
leaf vsiName {
type string {
length "1..36";
}
config false;
mandatory true;
description
"VSI name , EVPN name or bridge domain ID.";
}
leaf ruleName {
type string {
length "1..31";
}
mandatory true;
description
"Rule name.";
}
leaf maximum {
type uint32 {
range "0..131072";
}
mandatory true;
description
"Maximum number of MAC addresses that can be learned on a sub-interface.";
}
leaf rate {
type uint16 {
range "0..1000";
}
default "0";
description
"Interval (ms) at which MAC addresses are learned on a sub-interface.";
}
leaf action {
type macLimitForward;
default "discard";
description
"Discard or forward after the number of learned MAC addresses reaches the maximum number on a sub-interface.";
}
leaf alarm {
type macEnableStatus;
default "enable";
Xia & Zheng Expires July 29, 2018 [Page 31]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
description
"Whether an alarm is generated after the number of learned MAC addresses reaches the maximum number on a sub-interface.";
}
}
}
container vsiStormSupps {
description
"VSI Suppression List.";
list vsiStormSupp {
key "vsiName suppressType";
description
"VSI Suppression.";
leaf vsiName {
type string {
length "1..31";
}
description
"VSI name.";
}
leaf suppressType {
type suppressType;
description
"Traffic suppression type.";
}
leaf cir {
type uint64 {
range "0..4294967295";
}
default "0";
description
"CIR value.";
}
leaf cbs {
type uint64 {
range "0..4294967295";
}
description
"CBS value.";
}
}
}
container vlanStormSupps {
description
"VLAN Suppression List.";
list vlanStormSupp {
key "vlanId suppressType";
description
"VLAN Suppression.";
Xia & Zheng Expires July 29, 2018 [Page 32]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
leaf vlanId {
type macVlanId;
description
"VLAN ID.";
}
leaf suppressType {
type suppressType;
description
"Traffic suppression type.";
}
leaf cir {
type uint64 {
range "64..4294967295";
}
default "64";
description
"CIR value.";
}
leaf cbs {
type uint64 {
range "10000..4294967295";
}
description
"CBS value.";
}
}
}
container subIfSuppresss {
description
"Sub-interface traffic suppression list.";
list subIfSuppress {
key "ifName suppressType direction";
description
"Sub-Interface traffic suppression.";
leaf ifName {
type pub-type:ifName;
description
"Sub-interface name.";
}
leaf suppressType {
type suppressType;
description
"Suppression type.";
}
leaf direction {
type directionType;
description
"Suppression direction.";
Xia & Zheng Expires July 29, 2018 [Page 33]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
}
leaf cir {
type uint64 {
range "0..4294967295";
}
default "0";
description
"CIR value.";
}
leaf cbs {
type uint64 {
range "0..4294967295";
}
description
"CBS value.";
}
}
}
container pwSuppresss {
description
"PW traffic suppress list.";
list pwSuppress {
key "vsiName pwName suppressType";
description
"PW traffic suppression.";
leaf vsiName {
type string {
length "1..31";
}
description
"VSI name.";
}
leaf pwName {
type string {
length "1..15";
}
description
"PW name.";
}
leaf suppressType {
type suppressType;
description
"Traffic suppression type.";
}
leaf cir {
type uint64 {
range "100..4294967295";
}
Xia & Zheng Expires July 29, 2018 [Page 34]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
default "100";
description
"CIR value.";
}
leaf cbs {
type uint64 {
range "100..4294967295";
}
description
"CBS value.";
}
}
}
container pwSuppressPtns {
description
"PW traffic suppress list.";
list pwSuppressPtn {
key "vsiName peerIp pwId pwEncap";
description
"PW traffic suppression.";
leaf vsiName {
type string {
length "1..31";
}
description
"VSI name.";
}
leaf peerIp {
type string {
length "0..255";
pattern "((([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\\.){3}([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]))";
}
description
"Peer IP address.";
}
leaf pwId {
type uint32 {
range "1..4294967295";
}
description
"PW ID.";
}
leaf pwEncap {
type macPwEncapType;
description
"PW encapsulation type.";
}
leaf isEnable {
Xia & Zheng Expires July 29, 2018 [Page 35]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
type boolean;
default "true";
description
"Enable status.";
}
leaf suppressType {
type suppressStyle;
default "absoluteValue";
description
"Traffic suppression type.";
}
leaf broadcast {
type uint32 {
range "0..200000000";
}
default "1000";
description
"Broadcast suppression (kbit/s)";
}
leaf unicast {
type uint32 {
range "0..200000000";
}
default "1000";
description
"Unknown unicast suppression (kbit/s).";
}
leaf multicast {
type uint32 {
range "0..200000000";
}
default "1000";
description
"Multicast suppression (kbit/s).";
}
}
}
container vsiInSuppressions {
description
"VSI inbound traffic suppression list.";
list vsiInSuppression {
key "vsiName";
description
"VSI inbound traffic suppression.";
leaf vsiName {
type string {
length "1..31";
}
Xia & Zheng Expires July 29, 2018 [Page 36]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
description
"VSI name.";
}
leaf inboundSupp {
type macEnableStatus;
default "enable";
description
"Inbound suppression.";
}
}
}
container vsiOutSuppressions {
description
"VSI outbound traffic suppression list.";
list vsiOutSuppression {
key "vsiName";
description
"VSI outbound traffic suppression.";
leaf vsiName {
type string {
length "1..31";
}
description
"VSI name.";
}
leaf outboundSupp {
type macEnableStatus;
default "enable";
description
"Outbound suppression.";
}
}
}
container vsiSuppresss {
description
"VSI traffic suppression list.";
list vsiSuppress {
key "subIfName";
description
"VSI traffic suppression.";
leaf vsiName {
type string {
length "1..31";
}
mandatory true;
description
"VSI name.";
}
Xia & Zheng Expires July 29, 2018 [Page 37]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
leaf subIfName {
type pub-type:ifName;
description
"Sub-interface name.";
}
leaf isEnable {
type boolean;
default "true";
description
"Enable status.";
}
leaf suppressType {
type suppressStyle;
default "percent";
description
"Traffic suppression type.";
}
leaf broadcast {
type uint32 {
range "0..200000000";
}
default "64";
description
"Broadcast suppression (kbit/s)";
}
leaf broadcastPercent {
type uint32 {
range "0..100";
}
default "1";
description
"Broadcast suppression.";
}
leaf unicast {
type uint32 {
range "0..200000000";
}
default "64";
description
"Unknown unicast suppression (kbit/s).";
}
leaf unicastPercent {
type uint32 {
range "0..100";
}
default "1";
description
"Unknown unicast suppression.";
Xia & Zheng Expires July 29, 2018 [Page 38]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
}
leaf multicast {
type uint32 {
range "0..200000000";
}
default "64";
description
"Multicast suppression (kbit/s).";
}
leaf multicastPercent {
type uint32 {
range "0..100";
}
default "1";
description
"Multicast suppression.";
}
}
}
container vsiTotalNumbers {
description
"List of MAC address total numbers in a VSI.";
list vsiTotalNumber {
key "vsiName slotId macType";
config false;
description
"Total number of MAC addresses in a VSI.";
leaf vsiName {
type string {
length "1..31";
}
description
"VSI name.";
}
leaf slotId {
type string {
length "1..24";
}
description
"Slot ID.";
}
leaf macType {
type macType;
description
"MAC address type.";
}
leaf number {
type uint32;
Xia & Zheng Expires July 29, 2018 [Page 39]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
mandatory true;
description
"Number of MAC addresses.";
}
}
}
container ifStormSupps {
description
"Interface traffic suppression list.";
list ifStormSupp {
key "ifName suppressType";
description
"Interface traffic suppression.";
leaf ifName {
type pub-type:ifName;
description
"Name of an interface. ";
}
leaf suppressType {
type suppressType;
description
"Suppression type.";
}
leaf percent {
type uint64 {
range "0..99";
}
description
"Percent.";
}
leaf packets {
type uint64 {
range "0..148810000";
}
description
"Packets per second.";
}
leaf cir {
type uint64 {
range "0..100000000";
}
description
"CIR(Kbit/s).";
}
leaf cbs {
type uint64 {
range "10000..4294967295";
}
Xia & Zheng Expires July 29, 2018 [Page 40]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
description
"CBS(Bytes).";
}
}
}
container ifStormBlocks {
description
"Interface traffic block list.";
list ifStormBlock {
key "ifName blockType direction";
description
"Interface traffic suppression.";
leaf ifName {
type pub-type:ifName;
description
"Name of an interface. ";
}
leaf blockType {
type suppressType;
description
"Block type.";
}
leaf direction {
type directionType;
description
"Direction.";
}
}
}
container ifStormContrls {
description
"Interface storm control list.";
list ifStormContrl {
key "ifName";
description
"Interface storm control.";
leaf ifName {
type pub-type:ifName;
description
"Name of an interface. ";
}
leaf action {
type stormCtrlActionType;
default "normal";
description
"Action type.";
}
leaf trapEnable {
Xia & Zheng Expires July 29, 2018 [Page 41]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
type enableType;
default "disable";
description
"Trap state.";
}
leaf logEnable {
type enableType;
default "disable";
description
"Log state.";
}
leaf interval {
type uint64 {
range "1..180";
}
default "5";
description
"Detect interval.";
}
container ifPacketContrlAttributes {
description
"Storm control rate list.";
list ifPacketContrlAttribute {
key "packetType";
description
"Storm control rate.";
leaf packetType {
type stormCtrlType;
description
"Packet type.";
}
leaf rateType {
type stormCtrlRateType;
default "pps";
description
"Storm control rate type.";
}
leaf minRate {
type uint32 {
range "1..148810000";
}
mandatory true;
description
"Storm control min rate.";
}
leaf maxRate {
type uint64 {
range "1..148810000";
Xia & Zheng Expires July 29, 2018 [Page 42]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
}
mandatory true;
description
"Storm control max rate.";
}
}
}
container ifstormContrlInfos {
description
"Storm control info list.";
list ifstormContrlInfo {
key "packetType";
config false;
description
"Storm control info";
leaf packetType {
type stormCtrlType;
description
"Packet type.";
}
leaf punishStatus {
type stormCtrlActionType;
description
"Storm control status.";
}
leaf lastPunishTime {
type string {
length "1..50";
}
description
"Last punish time.";
}
}
}
}
}
}
}
6. IANA Considerations
This document makes no request of IANA.
Note to RFC Editor: this section may be removed on publication as an
RFC.
Xia & Zheng Expires July 29, 2018 [Page 43]
Internet-DrafNetwork Infrastructure Device Data Plane Secur January 2018
7. Security Considerations
To be added.
8. Acknowledgements
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
9.2. Informative References
[I-D.ietf-netconf-subscribed-notifications]
Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and
A. Tripathy, "Custom Subscription to Event Streams",
draft-ietf-netconf-subscribed-notifications-08 (work in
progress), December 2017.
[I-D.ietf-netconf-yang-push]
Clemm, A., Voit, E., Prieto, A., Tripathy, A., Nilsen-
Nygaard, E., Bierman, A., and B. Lengyel, "YANG Datastore
Subscription", draft-ietf-netconf-yang-push-12 (work in
progress), December 2017.
[I-D.ietf-sacm-information-model]
Waltermire, D., Watson, K., Kahn, C., Lorenzin, L., Cokus,
M., Haynes, D., and H. Birkholz, "SACM Information Model",
draft-ietf-sacm-information-model-10 (work in progress),
April 2017.
Authors' Addresses
Liang Xia
Huawei
Email: frank.xialiang@huawei.com
Guangying Zheng
Huawei
Email: zhengguangying@huawei.com
Xia & Zheng Expires July 29, 2018 [Page 44]