ietf-dots-data-channel

This module contains YANG definition for configuring aliases for resources and filtering rules using DOTS data channel. Copyrig...

  • Version: 2020-05-28

    ietf-dots-data-channel@2020-05-28


    
      module ietf-dots-data-channel {
    
        yang-version 1.1;
    
        namespace
          "urn:ietf:params:xml:ns:yang:ietf-dots-data-channel";
    
        prefix data-channel;
    
        import ietf-inet-types {
          prefix inet;
          reference
            "Section 4 of RFC 6991";
    
    
        }
        import ietf-access-control-list {
          prefix ietf-acl;
          reference
            "RFC 8519: YANG Data Model for Network Access
            	  Control Lists (ACLs)";
    
    
        }
        import ietf-packet-fields {
          prefix packet-fields;
          reference
            "RFC 8519: YANG Data Model for Network Access
            	  Control Lists (ACLs)";
    
    
        }
    
        organization
          "IETF DDoS Open Threat Signaling (DOTS) Working Group";
    
        contact
          "WG Web:   <https://datatracker.ietf.org/wg/dots/>
         WG List:  <mailto:dots@ietf.org>
    
         Editor:  Mohamed Boucadair
                  <mailto:mohamed.boucadair@orange.com>
    
         Editor:  Konda, Tirumaleswar Reddy.K
                  <mailto:TirumaleswarReddy_Konda@McAfee.com>
    
         Author:  Jon Shallow
                  <mailto:jon.shallow@nccgroup.com>
    
         Author:  Kaname Nishizuka
                  <mailto:kaname@nttv6.jp>
    
         Author:  Liang Xia
                  <mailto:frank.xialiang@huawei.com>
    
         Author:  Prashanth Patil
                  <mailto:praspati@cisco.com>
    
         Author:  Andrew Mortensen
                  <mailto:amortensen@arbor.net>
    
         Author:  Nik Teague
                  <mailto:nteague@ironmountain.co.uk>";
    
        description
          "This module contains YANG definition for configuring
         aliases for resources and filtering rules using DOTS
         data channel.
    
         Copyright (c) 2020 IETF Trust and the persons identified as
         authors of the code.  All rights reserved.
    
         Redistribution and use in source and binary forms, with or
         without modification, is permitted pursuant to, and subject
         to the license terms contained in, the Simplified BSD License
         set forth in Section 4.c of the IETF Trust's Legal Provisions
         Relating to IETF Documents
         (http://trustee.ietf.org/license-info).
    
         This version of this YANG module is part of RFC 8783; see
         the RFC itself for full legal notices.";
    
        revision "2020-05-28" {
          description "Initial revision.";
          reference
            "RFC 8783: Distributed Denial-of-Service Open Threat
            	  Signaling (DOTS) Data Channel Specification";
    
        }
    
    
        typedef activation-type {
          type enumeration {
            enum "activate-when-mitigating" {
              value 1;
              description
                "The Access Control List (ACL) is installed only when
               a mitigation is active for the DOTS client.";
            }
            enum "immediate" {
              value 2;
              description
                "The ACL is immediately activated.";
            }
            enum "deactivate" {
              value 3;
              description
                "The ACL is maintained by the DOTS server, but it is
               deactivated.";
            }
          }
          description
            "Indicates the activation type of an ACL.";
        }
    
        typedef operator {
          type bits {
            bit not {
              position 0;
              description
                "If set, logical negation of operation.";
            }
            bit match {
              position 1;
              description
                "Match bit.  This is a bitwise match operation
               defined as '(data & value) == value'.";
            }
            bit any {
              position 3;
              description
                "Any bit.  This is a match on any of the bits in
               bitmask.  It evaluates to 'true' if any of the bits
               in the value mask are set in the data,
               i.e., '(data & value) != 0'.";
            }
          }
          description
            "Specifies how to apply the defined bitmask.
           'any' and 'match' bits must not be set simultaneously.";
        }
    
        grouping tcp-flags {
          description "Operations on TCP flags.";
          leaf operator {
            type operator;
            default "match";
            description
              "Specifies how to interpret the TCP flags.";
          }
    
          leaf bitmask {
            type uint16;
            mandatory true;
            description
              "The bitmask matches the last 4 bits of byte 12
             and byte 13 of the TCP header.  For clarity, the 4 bits
             of byte 12 corresponding to the TCP data offset field
             are not included in any matching.";
          }
        }  // grouping tcp-flags
    
        typedef fragment-type {
          type bits {
            bit df {
              position 0;
              description
                "Don't fragment bit for IPv4.
               Must be set to 0 when it appears in an IPv6 filter.";
            }
            bit isf {
              position 1;
              description "Is a fragment.";
            }
            bit ff {
              position 2;
              description "First fragment.";
            }
            bit lf {
              position 3;
              description "Last fragment.";
            }
          }
          description
            "Different fragment types to match against.";
        }
    
        grouping target {
          description
            "Specifies the targets of the mitigation request.";
          leaf-list target-prefix {
            type inet:ip-prefix;
            description
              "IPv4 or IPv6 prefix identifying the target.";
          }
    
          list target-port-range {
            key "lower-port";
            description
              "Port range.  When only lower-port is
             present, it represents a single port number.";
            leaf lower-port {
              type inet:port-number;
              mandatory true;
              description
                "Lower port number of the port range.";
            }
    
            leaf upper-port {
              type inet:port-number;
              must '. >= ../lower-port' {
                error-message
                  "The upper-port number must be greater than
                 or equal to the lower-port number.";
              }
              description
                "Upper port number of the port range.";
            }
          }  // list target-port-range
    
          leaf-list target-protocol {
            type uint8;
            description
              "Identifies the target protocol number.
    
             Values are taken from the IANA protocol registry:
             https://www.iana.org/assignments/protocol-numbers/
    
             For example, 6 for TCP or 17 for UDP.";
          }
    
          leaf-list target-fqdn {
            type inet:domain-name;
            description
              "FQDN identifying the target.";
          }
    
          leaf-list target-uri {
            type inet:uri;
            description
              "URI identifying the target.";
          }
        }  // grouping target
    
        grouping fragment-fields {
          description
            "Operations on fragment types.";
          leaf operator {
            type operator;
            default "match";
            description
              "Specifies how to interpret the fragment type.";
          }
    
          leaf type {
            type fragment-type;
            mandatory true;
            description
              "Indicates what fragment type to look for.";
          }
        }  // grouping fragment-fields
    
        grouping aliases {
          description
            "Top-level container for aliases.";
          list alias {
            key "name";
            description "List of aliases.";
            leaf name {
              type string;
              description
                "The name of the alias.";
            }
    
            uses target;
    
            leaf pending-lifetime {
              type int32;
              units "minutes";
              config false;
              description
                "Indicates the pending validity lifetime of the alias
               entry.";
            }
          }  // list alias
        }  // grouping aliases
    
        grouping ports {
          description
            "Choice of specifying a source or destination port numbers.";
          choice source-port {
            description
              "Choice of specifying the source port or referring to
             a group of source port numbers.";
            container source-port-range-or-operator {
              description
                "Source port definition.";
              uses packet-fields:port-range-or-operator;
            }  // container source-port-range-or-operator
          }  // choice source-port
    
          choice destination-port {
            description
              "Choice of specifying a destination port or referring
             to a group of destination port numbers.";
            container destination-port-range-or-operator {
              description
                "Destination port definition.";
              uses packet-fields:port-range-or-operator;
            }  // container destination-port-range-or-operator
          }  // choice destination-port
        }  // grouping ports
    
        grouping access-lists {
          description
            "Specifies the ordered set of Access Control Lists.";
          list acl {
            key "name";
            ordered-by user;
            description
              "An ACL is an ordered list of Access Control Entries (ACE).
             Each ACE has a list of match criteria and a list of
             actions.";
            leaf name {
              type string {
                length "1..64";
              }
              description
                "The name of the access list.";
              reference
                "RFC 8519: YANG Data Model for Network Access
                	  Control Lists (ACLs)";
    
            }
    
            leaf type {
              type ietf-acl:acl-type;
              description
                "Type of access control list.  Indicates the primary
               intended type of match criteria (e.g., IPv4, IPv6)
               used in the list instance.";
              reference
                "RFC 8519: YANG Data Model for Network Access
                	  Control Lists (ACLs)";
    
            }
    
            leaf activation-type {
              type activation-type;
              default "activate-when-mitigating";
              description
                "Indicates the activation type of an ACL.  An ACL can be
               deactivated, installed immediately, or installed when
               a mitigation is active.";
            }
    
            leaf pending-lifetime {
              type int32;
              units "minutes";
              config false;
              description
                "Indicates the pending validity lifetime of the ACL
               entry.";
            }
    
            container aces {
              description
                "The Access Control Entries container contains
               a list of ACEs.";
              list ace {
                key "name";
                ordered-by user;
                description
                  "List of access list entries.";
                leaf name {
                  type string {
                    length "1..64";
                  }
                  description
                    "A unique name identifying this ACE.";
                  reference
                    "RFC 8519: YANG Data Model for Network Access
                    	  Control Lists (ACLs)";
    
                }
    
                container matches {
                  description
                    "The rules in this set determine what fields will be
                   matched upon before any action is taken on them.
    
                   If no matches are defined in a particular container,
                   then any packet will match that container.
    
                   If no matches are specified at all in an ACE, then any
                   packet will match the ACE.";
                  reference
                    "RFC 8519: YANG Data Model for Network Access
                    	  Control Lists (ACLs)";
    
                  choice l3 {
                    description
                      "Either IPv4 or IPv6.";
                    container ipv4 {
                      when
                        "derived-from(../../../../type, "
                          + "'ietf-acl:ipv4-acl-type')";
                      description
                        "Rule set that matches IPv4 header.";
                      uses packet-fields:acl-ip-header-fields;
    
                      uses packet-fields:acl-ipv4-header-fields;
    
                      container fragment {
                        description
                          "Indicates how to handle IPv4 fragments.";
                        uses fragment-fields;
                      }  // container fragment
                    }  // container ipv4
                    container ipv6 {
                      when
                        "derived-from(../../../../type, "
                          + "'ietf-acl:ipv6-acl-type')";
                      description
                        "Rule set that matches IPv6 header.";
                      uses packet-fields:acl-ip-header-fields;
    
                      uses packet-fields:acl-ipv6-header-fields;
    
                      container fragment {
                        description
                          "Indicates how to handle IPv6 fragments.";
                        uses fragment-fields;
                      }  // container fragment
                    }  // container ipv6
                  }  // choice l3
    
                  choice l4 {
                    description
                      "Can be TCP, UDP, or ICMP/ICMPv6";
                    container tcp {
                      description
                        "Rule set that matches TCP header.";
                      uses packet-fields:acl-tcp-header-fields;
    
                      container flags-bitmask {
                        description
                          "Indicates how to handle TCP flags.";
                        uses tcp-flags;
                      }  // container flags-bitmask
    
                      uses ports;
                    }  // container tcp
                    container udp {
                      description
                        "Rule set that matches UDP header.";
                      uses packet-fields:acl-udp-header-fields;
    
                      uses ports;
                    }  // container udp
                    container icmp {
                      description
                        "Rule set that matches ICMP/ICMPv6 header.";
                      uses packet-fields:acl-icmp-header-fields;
                    }  // container icmp
                  }  // choice l4
                }  // container matches
    
                container actions {
                  description
                    "Definitions of action for this ACE.";
                  leaf forwarding {
                    type identityref {
                      base ietf-acl:forwarding-action;
                    }
                    mandatory true;
                    description
                      "Specifies the forwarding action per ACE.";
                    reference
                      "RFC 8519: YANG Data Model for Network Access
                      	  Control Lists (ACLs)";
    
                  }
    
                  leaf rate-limit {
                    when
                      "../forwarding = 'ietf-acl:accept'" {
                      description
                        "Rate-limit is valid only when accept action is
                       used.";
                    }
                    type decimal64 {
                      fraction-digits 2;
                    }
                    units "bytes per second";
                    description
                      "Specifies how to rate-limit the traffic.";
                  }
                }  // container actions
    
                container statistics {
                  config false;
                  description
                    "Aggregate statistics.";
                  uses ietf-acl:acl-counters;
                }  // container statistics
              }  // list ace
            }  // container aces
          }  // list acl
        }  // grouping access-lists
    
        container dots-data {
          description
            "Main container for DOTS data channel.";
          list dots-client {
            key "cuid";
            description "List of DOTS clients.";
            leaf cuid {
              type string;
              description
                "A unique identifier that is generated by a DOTS client
               to prevent request collisions.";
              reference
                "RFC 8782: Distributed Denial-of-Service Open Threat
                       Signaling (DOTS) Signal Channel Specification";
    
            }
    
            leaf cdid {
              type string;
              description
                "A client domain identifier conveyed by a
               server-domain DOTS gateway to a remote DOTS server.";
              reference
                "RFC 8782: Distributed Denial-of-Service Open Threat
                       Signaling (DOTS) Signal Channel Specification";
    
            }
    
            container aliases {
              description
                "Set of aliases that are bound to a DOTS client.";
              uses aliases;
            }  // container aliases
    
            container acls {
              description
                "Access lists that are bound to a DOTS client.";
              uses access-lists;
            }  // container acls
          }  // list dots-client
    
          container capabilities {
            config false;
            description "Match capabilities";
            leaf-list address-family {
              type enumeration {
                enum "ipv4" {
                  value 0;
                  description
                    "IPv4 is supported.";
                }
                enum "ipv6" {
                  value 1;
                  description
                    "IPv6 is supported.";
                }
              }
              description
                "Indicates the IP address families supported by
               the DOTS server.";
            }
    
            leaf-list forwarding-actions {
              type identityref {
                base ietf-acl:forwarding-action;
              }
              description
                "Supported forwarding action(s).";
            }
    
            leaf rate-limit {
              type boolean;
              description
                "Support of rate-limit action.";
            }
    
            leaf-list transport-protocols {
              type uint8;
              description
                "Upper-layer protocol associated with a filtering rule.
    
               Values are taken from the IANA protocol registry:
               https://www.iana.org/assignments/protocol-numbers/
    
               For example, this field contains 1 for ICMP, 6 for TCP
               17 for UDP, or 58 for ICMPv6.";
            }
    
            container ipv4 {
              description
                "Indicates IPv4 header fields that are supported to enforce
               ACLs.";
              leaf dscp {
                type boolean;
                description
                  "Support of filtering based on Differentiated Services
                 Code Point (DSCP).";
              }
    
              leaf ecn {
                type boolean;
                description
                  "Support of filtering based on Explicit Congestion
                 Notification (ECN).";
              }
    
              leaf length {
                type boolean;
                description
                  "Support of filtering based on the Total Length.";
              }
    
              leaf ttl {
                type boolean;
                description
                  "Support of filtering based on the Time to Live (TTL).";
              }
    
              leaf protocol {
                type boolean;
                description
                  "Support of filtering based on protocol field.";
              }
    
              leaf ihl {
                type boolean;
                description
                  "Support of filtering based on the Internet Header
                 Length (IHL).";
              }
    
              leaf flags {
                type boolean;
                description
                  "Support of filtering based on the 'flags'.";
              }
    
              leaf offset {
                type boolean;
                description
                  "Support of filtering based on the 'offset'.";
              }
    
              leaf identification {
                type boolean;
                description
                  "Support of filtering based on the 'identification'.";
              }
    
              leaf source-prefix {
                type boolean;
                description
                  "Support of filtering based on the source prefix.";
              }
    
              leaf destination-prefix {
                type boolean;
                description
                  "Support of filtering based on the destination prefix.";
              }
    
              leaf fragment {
                type boolean;
                description
                  "Indicates the capability of a DOTS server to
                 enforce filters on IPv4 fragments.  That is, the match
                 functionality based on the Layer 3 'fragment' clause
                 is supported.";
              }
            }  // container ipv4
    
            container ipv6 {
              description
                "Indicates IPv6 header fields that are supported to enforce
               ACLs.";
              leaf dscp {
                type boolean;
                description
                  "Support of filtering based on DSCP.";
              }
    
              leaf ecn {
                type boolean;
                description
                  "Support of filtering based on ECN.";
              }
    
              leaf length {
                type boolean;
                description
                  "Support of filtering based on the Payload Length.";
              }
    
              leaf hoplimit {
                type boolean;
                description
                  "Support of filtering based on the Hop Limit.";
              }
    
              leaf protocol {
                type boolean;
                description
                  "Support of filtering based on the Next Header field.";
              }
    
              leaf destination-prefix {
                type boolean;
                description
                  "Support of filtering based on the destination prefix.";
              }
    
              leaf source-prefix {
                type boolean;
                description
                  "Support of filtering based on the source prefix.";
              }
    
              leaf flow-label {
                type boolean;
                description
                  "Support of filtering based on the Flow Label.";
              }
    
              leaf fragment {
                type boolean;
                description
                  "Indicates the capability of a DOTS server to
                 enforce filters on IPv6 fragments.";
              }
            }  // container ipv6
    
            container tcp {
              description
                "Set of TCP fields that are supported by the DOTS server
               to enforce filters.";
              leaf sequence-number {
                type boolean;
                description
                  "Support of filtering based on the TCP sequence number.";
              }
    
              leaf acknowledgement-number {
                type boolean;
                description
                  "Support of filtering based on the TCP acknowledgement
                 number.";
              }
    
              leaf data-offset {
                type boolean;
                description
                  "Support of filtering based on the TCP data-offset.";
              }
    
              leaf reserved {
                type boolean;
                description
                  "Support of filtering based on the TCP reserved field.";
              }
    
              leaf flags {
                type boolean;
                description
                  "Support of filtering, as defined in RFC 8519, based
                 on the TCP flags.";
              }
    
              leaf window-size {
                type boolean;
                description
                  "Support of filtering based on the TCP window size.";
              }
    
              leaf urgent-pointer {
                type boolean;
                description
                  "Support of filtering based on the TCP urgent pointer.";
              }
    
              leaf options {
                type boolean;
                description
                  "Support of filtering based on the TCP options.";
              }
    
              leaf flags-bitmask {
                type boolean;
                description
                  "Support of filtering based on the TCP flags bitmask.";
              }
    
              leaf source-port {
                type boolean;
                description
                  "Support of filtering based on the source port number.";
              }
    
              leaf destination-port {
                type boolean;
                description
                  "Support of filtering based on the destination port
                 number.";
              }
    
              leaf port-range {
                type boolean;
                description
                  "Support of filtering based on a port range.
    
                 This includes filtering based on a source port range,
                 destination port range, or both.  All operators
                 (i.e, less than or equal to, greater than or equal to,
                 equal to, and not equal to) are supported.
    
                 In particular, this means that the implementation
                 supports filtering based on
                 source-port-range-or-operator and
                 destination-port-range-or-operator.";
              }
            }  // container tcp
    
            container udp {
              description
                "Set of UDP fields that are supported by the DOTS server
               to enforce filters.";
              leaf length {
                type boolean;
                description
                  "Support of filtering based on the UDP length.";
              }
    
              leaf source-port {
                type boolean;
                description
                  "Support of filtering based on the source port number.";
              }
    
              leaf destination-port {
                type boolean;
                description
                  "Support of filtering based on the destination port
                 number.";
              }
    
              leaf port-range {
                type boolean;
                description
                  "Support of filtering based on a port range.
    
                 This includes filtering based on a source port range,
                 destination port range, or both.  All operators
                 (i.e, less than or equal, greater than or equal,
                 equal to, and not equal to) are supported.
    
                 In particular, this means that the implementation
                 supports filtering based on
                 source-port-range-or-operator and
                 destination-port-range-or-operator.";
              }
            }  // container udp
    
            container icmp {
              description
                "Set of ICMP/ICMPv6 fields that are supported by the DOTS
               server to enforce filters.";
              leaf type {
                type boolean;
                description
                  "Support of filtering based on the ICMP/ICMPv6 type.";
              }
    
              leaf code {
                type boolean;
                description
                  "Support of filtering based on the ICMP/ICMPv6 code.";
              }
    
              leaf rest-of-header {
                type boolean;
                description
                  "Support of filtering based on the ICMP four-byte
                 field / the ICMPv6 message body.";
              }
            }  // container icmp
          }  // container capabilities
        }  // container dots-data
      }  // module ietf-dots-data-channel
    

© 2023 YumaWorks, Inc. All rights reserved.