This module contains YANG definition for configuring aliases for resources and filtering rules using DOTS data channel. Copyrig...
Version: 2020-05-28
module ietf-dots-data-channel { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-dots-data-channel"; prefix data-channel; import ietf-inet-types { prefix inet; reference "Section 4 of RFC 6991"; } import ietf-access-control-list { prefix ietf-acl; reference "RFC 8519: YANG Data Model for Network Access Control Lists (ACLs)"; } import ietf-packet-fields { prefix packet-fields; reference "RFC 8519: YANG Data Model for Network Access Control Lists (ACLs)"; } organization "IETF DDoS Open Threat Signaling (DOTS) Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/dots/> WG List: <mailto:dots@ietf.org> Editor: Mohamed Boucadair <mailto:mohamed.boucadair@orange.com> Editor: Konda, Tirumaleswar Reddy.K <mailto:TirumaleswarReddy_Konda@McAfee.com> Author: Jon Shallow <mailto:jon.shallow@nccgroup.com> Author: Kaname Nishizuka <mailto:kaname@nttv6.jp> Author: Liang Xia <mailto:frank.xialiang@huawei.com> Author: Prashanth Patil <mailto:praspati@cisco.com> Author: Andrew Mortensen <mailto:amortensen@arbor.net> Author: Nik Teague <mailto:nteague@ironmountain.co.uk>"; description "This module contains YANG definition for configuring aliases for resources and filtering rules using DOTS data channel. Copyright (c) 2020 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 8783; see the RFC itself for full legal notices."; revision "2020-05-28" { description "Initial revision."; reference "RFC 8783: Distributed Denial-of-Service Open Threat Signaling (DOTS) Data Channel Specification"; } typedef activation-type { type enumeration { enum "activate-when-mitigating" { value 1; description "The Access Control List (ACL) is installed only when a mitigation is active for the DOTS client."; } enum "immediate" { value 2; description "The ACL is immediately activated."; } enum "deactivate" { value 3; description "The ACL is maintained by the DOTS server, but it is deactivated."; } } description "Indicates the activation type of an ACL."; } typedef operator { type bits { bit not { position 0; description "If set, logical negation of operation."; } bit match { position 1; description "Match bit. This is a bitwise match operation defined as '(data & value) == value'."; } bit any { position 3; description "Any bit. This is a match on any of the bits in bitmask. It evaluates to 'true' if any of the bits in the value mask are set in the data, i.e., '(data & value) != 0'."; } } description "Specifies how to apply the defined bitmask. 'any' and 'match' bits must not be set simultaneously."; } typedef fragment-type { type bits { bit df { position 0; description "Don't fragment bit for IPv4. Must be set to 0 when it appears in an IPv6 filter."; } bit isf { position 1; description "Is a fragment."; } bit ff { position 2; description "First fragment."; } bit lf { position 3; description "Last fragment."; } } description "Different fragment types to match against."; } container dots-data { description "Main container for DOTS data channel."; list dots-client { key "cuid"; description "List of DOTS clients."; leaf cuid { type string; description "A unique identifier that is generated by a DOTS client to prevent request collisions."; reference "RFC 8782: Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Specification"; } leaf cdid { type string; description "A client domain identifier conveyed by a server-domain DOTS gateway to a remote DOTS server."; reference "RFC 8782: Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Specification"; } container aliases { description "Set of aliases that are bound to a DOTS client."; list alias { key "name"; description "List of aliases."; leaf name { type string; description "The name of the alias."; } leaf-list target-prefix { type inet:ip-prefix; description "IPv4 or IPv6 prefix identifying the target."; } list target-port-range { key "lower-port"; description "Port range. When only lower-port is present, it represents a single port number."; leaf lower-port { type inet:port-number; mandatory true; description "Lower port number of the port range."; } leaf upper-port { type inet:port-number; must ". >= ../lower-port" { error-message "The upper-port number must be greater than or equal to the lower-port number."; } description "Upper port number of the port range."; } } // list target-port-range leaf-list target-protocol { type uint8; description "Identifies the target protocol number. Values are taken from the IANA protocol registry: https://www.iana.org/assignments/protocol-numbers/ For example, 6 for TCP or 17 for UDP."; } leaf-list target-fqdn { type inet:domain-name; description "FQDN identifying the target."; } leaf-list target-uri { type inet:uri; description "URI identifying the target."; } leaf pending-lifetime { type int32; units "minutes"; config false; description "Indicates the pending validity lifetime of the alias entry."; } } // list alias } // container aliases container acls { description "Access lists that are bound to a DOTS client."; list acl { key "name"; ordered-by user; description "An ACL is an ordered list of Access Control Entries (ACE). Each ACE has a list of match criteria and a list of actions."; leaf name { type string { length "1..64"; } description "The name of the access list."; reference "RFC 8519: YANG Data Model for Network Access Control Lists (ACLs)"; } leaf type { type ietf-acl:acl-type; description "Type of access control list. Indicates the primary intended type of match criteria (e.g., IPv4, IPv6) used in the list instance."; reference "RFC 8519: YANG Data Model for Network Access Control Lists (ACLs)"; } leaf activation-type { type activation-type; default "activate-when-mitigating"; description "Indicates the activation type of an ACL. An ACL can be deactivated, installed immediately, or installed when a mitigation is active."; } leaf pending-lifetime { type int32; units "minutes"; config false; description "Indicates the pending validity lifetime of the ACL entry."; } container aces { description "The Access Control Entries container contains a list of ACEs."; list ace { key "name"; ordered-by user; description "List of access list entries."; leaf name { type string { length "1..64"; } description "A unique name identifying this ACE."; reference "RFC 8519: YANG Data Model for Network Access Control Lists (ACLs)"; } container matches { description "The rules in this set determine what fields will be matched upon before any action is taken on them. If no matches are defined in a particular container, then any packet will match that container. If no matches are specified at all in an ACE, then any packet will match the ACE."; reference "RFC 8519: YANG Data Model for Network Access Control Lists (ACLs)"; choice l3 { description "Either IPv4 or IPv6."; container ipv4 { when "derived-from(../../../../type, 'ietf-acl:ipv4-acl-type')"; description "Rule set that matches IPv4 header."; leaf dscp { type inet:dscp; description "Differentiated Services Code Point."; reference "RFC 2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers."; } leaf ecn { type uint8 { range "0..3"; } description "Explicit Congestion Notification."; reference "RFC 3168: The Addition of Explicit Congestion Notification (ECN) to IP."; } leaf length { type uint16; description "In the IPv4 header field, this field is known as the Total Length. Total Length is the length of the datagram, measured in octets, including internet header and data. In the IPv6 header field, this field is known as the Payload Length, which is the length of the IPv6 payload, i.e., the rest of the packet following the IPv6 header, in octets."; reference "RFC 791: Internet Protocol RFC 8200: Internet Protocol, Version 6 (IPv6) Specification."; } leaf ttl { type uint8; description "This field indicates the maximum time the datagram is allowed to remain in the internet system. If this field contains the value zero, then the datagram must be dropped. In IPv6, this field is known as the Hop Limit."; reference "RFC 791: Internet Protocol RFC 8200: Internet Protocol, Version 6 (IPv6) Specification."; } leaf protocol { type uint8; description "Internet Protocol number. Refers to the protocol of the payload. In IPv6, this field is known as 'next-header', and if extension headers are present, the protocol is present in the 'upper-layer' header."; reference "RFC 791: Internet Protocol RFC 8200: Internet Protocol, Version 6 (IPv6) Specification."; } leaf ihl { type uint8 { range "5..60"; } description "In an IPv4 header field, the Internet Header Length (IHL) is the length of the internet header in 32-bit words and thus points to the beginning of the data. Note that the minimum value for a correct header is 5."; } leaf flags { type bits { bit reserved { position 0; description "Reserved. Must be zero."; } bit fragment { position 1; description "Setting the value to 0 indicates may fragment, while setting the value to 1 indicates do not fragment."; } bit more { position 2; description "Setting the value to 0 indicates this is the last fragment, and setting the value to 1 indicates more fragments are coming."; } } description "Bit definitions for the Flags field in the IPv4 header."; } leaf offset { type uint16 { range "20..65535"; } description "The fragment offset is measured in units of 8 octets (64 bits). The first fragment has offset zero. The length is 13 bits"; } leaf identification { type uint16; description "An identifying value assigned by the sender to aid in assembling the fragments of a datagram."; } choice destination-network { description "Choice of specifying a destination IPv4 address or referring to a group of IPv4 destination addresses."; leaf destination-ipv4-network { type inet:ipv4-prefix; description "Destination IPv4 address prefix."; } } // choice destination-network choice source-network { description "Choice of specifying a source IPv4 address or referring to a group of IPv4 source addresses."; leaf source-ipv4-network { type inet:ipv4-prefix; description "Source IPv4 address prefix."; } } // choice source-network container fragment { description "Indicates how to handle IPv4 fragments."; leaf operator { type operator; default "match"; description "Specifies how to interpret the fragment type."; } leaf type { type fragment-type; mandatory true; description "Indicates what fragment type to look for."; } } // container fragment } // container ipv4 container ipv6 { when "derived-from(../../../../type, 'ietf-acl:ipv6-acl-type')"; description "Rule set that matches IPv6 header."; leaf dscp { type inet:dscp; description "Differentiated Services Code Point."; reference "RFC 2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers."; } leaf ecn { type uint8 { range "0..3"; } description "Explicit Congestion Notification."; reference "RFC 3168: The Addition of Explicit Congestion Notification (ECN) to IP."; } leaf length { type uint16; description "In the IPv4 header field, this field is known as the Total Length. Total Length is the length of the datagram, measured in octets, including internet header and data. In the IPv6 header field, this field is known as the Payload Length, which is the length of the IPv6 payload, i.e., the rest of the packet following the IPv6 header, in octets."; reference "RFC 791: Internet Protocol RFC 8200: Internet Protocol, Version 6 (IPv6) Specification."; } leaf ttl { type uint8; description "This field indicates the maximum time the datagram is allowed to remain in the internet system. If this field contains the value zero, then the datagram must be dropped. In IPv6, this field is known as the Hop Limit."; reference "RFC 791: Internet Protocol RFC 8200: Internet Protocol, Version 6 (IPv6) Specification."; } leaf protocol { type uint8; description "Internet Protocol number. Refers to the protocol of the payload. In IPv6, this field is known as 'next-header', and if extension headers are present, the protocol is present in the 'upper-layer' header."; reference "RFC 791: Internet Protocol RFC 8200: Internet Protocol, Version 6 (IPv6) Specification."; } choice destination-network { description "Choice of specifying a destination IPv6 address or referring to a group of IPv6 destination addresses."; leaf destination-ipv6-network { type inet:ipv6-prefix; description "Destination IPv6 address prefix."; } } // choice destination-network choice source-network { description "Choice of specifying a source IPv6 address or referring to a group of IPv6 source addresses."; leaf source-ipv6-network { type inet:ipv6-prefix; description "Source IPv6 address prefix."; } } // choice source-network leaf flow-label { type inet:ipv6-flow-label; description "IPv6 Flow label."; } container fragment { description "Indicates how to handle IPv6 fragments."; leaf operator { type operator; default "match"; description "Specifies how to interpret the fragment type."; } leaf type { type fragment-type; mandatory true; description "Indicates what fragment type to look for."; } } // container fragment } // container ipv6 } // choice l3 choice l4 { description "Can be TCP, UDP, or ICMP/ICMPv6"; container tcp { description "Rule set that matches TCP header."; leaf sequence-number { type uint32; description "Sequence number that appears in the packet."; } leaf acknowledgement-number { type uint32; description "The acknowledgement number that appears in the packet."; } leaf data-offset { type uint8 { range "5..15"; } description "Specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words; thus, this gives a minimum size of 20 bytes and a maximum of 60 bytes, allowing for up to 40 bytes of options in the header."; } leaf reserved { type uint8; description "Reserved for future use."; } leaf flags { type bits { bit cwr { position 1; description "The Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECN-Echo (ECE) flag set and had responded in the congestion control mechanism."; reference "RFC 3168: The Addition of Explicit Congestion Notification (ECN) to IP."; } bit ece { position 2; description "ECN-Echo has a dual role, depending on the value of the SYN flag. It indicates the following: if the SYN flag is set (1), the TCP peer is ECN capable, and if the SYN flag is clear (0), a packet with the Congestion Experienced flag set (ECN=11) in the IP header was received during normal transmission (added to the header by RFC 3168). This serves as an indication of network congestion (or impending congestion) to the TCP sender."; reference "RFC 3168: The Addition of Explicit Congestion Notification (ECN) to IP."; } bit urg { position 3; description "Indicates that the Urgent Pointer field is significant."; } bit ack { position 4; description "Indicates that the Acknowledgement field is significant. All packets after the initial SYN packet sent by the client should have this flag set."; } bit psh { position 5; description "Push function. Asks to push the buffered data to the receiving application."; } bit rst { position 6; description "Reset the connection."; } bit syn { position 7; description "Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags and fields change meaning based on this flag, and some are only valid for when it is set, and others when it is clear."; } bit fin { position 8; description "Last package from the sender."; } } description "Also known as Control Bits. Contains nine 1-bit flags."; reference "RFC 793: Transmission Control Protocol."; } leaf window-size { type uint16; units "bytes"; description "The size of the receive window, which specifies the number of window size units beyond the segment identified by the sequence number in the Acknowledgement field that the sender of this segment is currently willing to receive."; } leaf urgent-pointer { type uint16; description "This field is an offset from the sequence number indicating the last urgent data byte."; } leaf options { type binary { length "1..40"; } description "The length of this field is determined by the Data Offset field. Options have up to three fields: Option-Kind (1 byte), Option-Length (1 byte), and Option-Data (variable). The Option-Kind field indicates the type of option and is the only field that is not optional. Depending on what kind of option we are dealing with, the next two fields may be set: the Option-Length field indicates the total length of the option, and the Option-Data field contains the value of the option, if applicable."; } container flags-bitmask { description "Indicates how to handle TCP flags."; leaf operator { type operator; default "match"; description "Specifies how to interpret the TCP flags."; } leaf bitmask { type uint16; mandatory true; description "The bitmask matches the last 4 bits of byte 12 and byte 13 of the TCP header. For clarity, the 4 bits of byte 12 corresponding to the TCP data offset field are not included in any matching."; } } // container flags-bitmask choice source-port { description "Choice of specifying the source port or referring to a group of source port numbers."; container source-port-range-or-operator { description "Source port definition."; choice port-range-or-operator { description "Choice of specifying a port range or a single port along with an operator."; case range { leaf lower-port { type inet:port-number; must ". <= ../upper-port" { error-message "The lower-port must be less than or equal to the upper-port."; } mandatory true; description "Lower boundary for a port."; } leaf upper-port { type inet:port-number; mandatory true; description "Upper boundary for a port."; } } // case range case operator { leaf operator { type operator; default "eq"; description "Operator to be applied on the port below."; } leaf port { type inet:port-number; mandatory true; description "Port number along with the operator on which to match."; } } // case operator } // choice port-range-or-operator } // container source-port-range-or-operator } // choice source-port choice destination-port { description "Choice of specifying a destination port or referring to a group of destination port numbers."; container destination-port-range-or-operator { description "Destination port definition."; choice port-range-or-operator { description "Choice of specifying a port range or a single port along with an operator."; case range { leaf lower-port { type inet:port-number; must ". <= ../upper-port" { error-message "The lower-port must be less than or equal to the upper-port."; } mandatory true; description "Lower boundary for a port."; } leaf upper-port { type inet:port-number; mandatory true; description "Upper boundary for a port."; } } // case range case operator { leaf operator { type operator; default "eq"; description "Operator to be applied on the port below."; } leaf port { type inet:port-number; mandatory true; description "Port number along with the operator on which to match."; } } // case operator } // choice port-range-or-operator } // container destination-port-range-or-operator } // choice destination-port } // container tcp container udp { description "Rule set that matches UDP header."; leaf length { type uint16; description "A field that specifies the length in bytes of the UDP header and UDP data. The minimum length is 8 bytes because that is the length of the header. The field size sets a theoretical limit of 65,535 bytes (8-byte header plus 65,527 bytes of data) for a UDP datagram. However, the actual limit for the data length, which is imposed by the underlying IPv4 protocol, is 65,507 bytes (65,535 minus 8-byte UDP header minus 20-byte IP header). In IPv6 jumbograms, it is possible to have UDP packets of a size greater than 65,535 bytes. RFC 2675 specifies that the Length field is set to zero if the length of the UDP header plus UDP data is greater than 65,535."; } choice source-port { description "Choice of specifying the source port or referring to a group of source port numbers."; container source-port-range-or-operator { description "Source port definition."; choice port-range-or-operator { description "Choice of specifying a port range or a single port along with an operator."; case range { leaf lower-port { type inet:port-number; must ". <= ../upper-port" { error-message "The lower-port must be less than or equal to the upper-port."; } mandatory true; description "Lower boundary for a port."; } leaf upper-port { type inet:port-number; mandatory true; description "Upper boundary for a port."; } } // case range case operator { leaf operator { type operator; default "eq"; description "Operator to be applied on the port below."; } leaf port { type inet:port-number; mandatory true; description "Port number along with the operator on which to match."; } } // case operator } // choice port-range-or-operator } // container source-port-range-or-operator } // choice source-port choice destination-port { description "Choice of specifying a destination port or referring to a group of destination port numbers."; container destination-port-range-or-operator { description "Destination port definition."; choice port-range-or-operator { description "Choice of specifying a port range or a single port along with an operator."; case range { leaf lower-port { type inet:port-number; must ". <= ../upper-port" { error-message "The lower-port must be less than or equal to the upper-port."; } mandatory true; description "Lower boundary for a port."; } leaf upper-port { type inet:port-number; mandatory true; description "Upper boundary for a port."; } } // case range case operator { leaf operator { type operator; default "eq"; description "Operator to be applied on the port below."; } leaf port { type inet:port-number; mandatory true; description "Port number along with the operator on which to match."; } } // case operator } // choice port-range-or-operator } // container destination-port-range-or-operator } // choice destination-port } // container udp container icmp { description "Rule set that matches ICMP/ICMPv6 header."; leaf type { type uint8; description "Also known as control messages."; reference "RFC 792: Internet Control Message Protocol RFC 4443: Internet Control Message Protocol (ICMPv6) for Internet Protocol Version 6 (IPv6) Specification."; } leaf code { type uint8; description "ICMP subtype. Also known as control messages."; reference "RFC 792: Internet Control Message Protocol RFC 4443: Internet Control Message Protocol (ICMPv6) for Internet Protocol Version 6 (IPv6) Specification."; } leaf rest-of-header { type binary; description "Unbounded in length, the contents vary based on the ICMP type and code. Also referred to as 'Message Body' in ICMPv6."; reference "RFC 792: Internet Control Message Protocol RFC 4443: Internet Control Message Protocol (ICMPv6) for Internet Protocol Version 6 (IPv6) Specification."; } } // container icmp } // choice l4 } // container matches container actions { description "Definitions of action for this ACE."; leaf forwarding { type identityref { base ietf-acl:forwarding-action; } mandatory true; description "Specifies the forwarding action per ACE."; reference "RFC 8519: YANG Data Model for Network Access Control Lists (ACLs)"; } leaf rate-limit { when "../forwarding = 'ietf-acl:accept'" { description "Rate-limit is valid only when accept action is used."; } type decimal64 { fraction-digits 2; } units "bytes per second"; description "Specifies how to rate-limit the traffic."; } } // container actions container statistics { config false; description "Aggregate statistics."; leaf matched-packets { type yang:counter64; config false; description "Count of the number of packets matching the current ACL entry. An implementation should provide this counter on a per-interface, per-ACL-entry basis if possible. If an implementation only supports ACL counters on a per- entry basis (i.e., not broken out per interface), then the value should be equal to the aggregate count across all interfaces. An implementation that provides counters on a per-entry, per- interface basis is not required to also provide an aggregate count, e.g., per entry -- the user is expected to be able to implement the required aggregation if such a count is needed."; } leaf matched-octets { type yang:counter64; config false; description "Count of the number of octets (bytes) matching the current ACL entry. An implementation should provide this counter on a per-interface, per-ACL-entry basis if possible. If an implementation only supports ACL counters per entry (i.e., not broken out per interface), then the value should be equal to the aggregate count across all interfaces. An implementation that provides counters per entry per interface is not required to also provide an aggregate count, e.g., per entry -- the user is expected to be able to implement the required aggregation if such a count is needed."; } } // container statistics } // list ace } // container aces } // list acl } // container acls container vendor-mapping { description "Used by DOTS clients to share their vendor attack mapping information with DOTS servers."; list vendor { key "vendor-id"; description "Vendor attack mapping information related to the client/server."; leaf vendor-id { type uint32; description "The Vendor ID is a security vendor's Private Enterprise Number as registered with IANA."; reference "IANA: Private Enterprise Numbers (https://www.iana.org/assignments/enterprise-numbers/)"; } leaf vendor-name { type string; description "The name of the vendor (e.g., company A)."; } leaf description-lang { type string { pattern '((([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3}){0,2})?)|[A-Za-z]{4}|[A-Za-z]{5,8})(-[A-Za-z]{4})?(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}|([0-9][A-Za-z0-9]{3})))*(-[0-9A-WYZa-wyz](-([A-Za-z0-9]{2,8}))+)*(-[Xx](-([A-Za-z0-9]{1,8}))+)?|[Xx](-([A-Za-z0-9]{1,8}))+|(([Ee][Nn]-[Gg][Bb]-[Oo][Ee][Dd]|[Ii]-[Aa][Mm][Ii]|[Ii]-[Bb][Nn][Nn]|[Ii]-[Dd][Ee][Ff][Aa][Uu][Ll][Tt]|[Ii]-[Ee][Nn][Oo][Cc][Hh][Ii][Aa][Nn]|[Ii]-[Hh][Aa][Kk]|[Ii]-[Kk][Ll][Ii][Nn][Gg][Oo][Nn]|[Ii]-[Ll][Uu][Xx]|[Ii]-[Mm][Ii][Nn][Gg][Oo]|[Ii]-[Nn][Aa][Vv][Aa][Jj][Oo]|[Ii]-[Pp][Ww][Nn]|[Ii]-[Tt][Aa][Oo]|[Ii]-[Tt][Aa][Yy]|[Ii]-[Tt][Ss][Uu]|[Ss][Gg][Nn]-[Bb][Ee]-[Ff][Rr]|[Ss][Gg][Nn]-[Bb][Ee]-[Nn][Ll]|[Ss][Gg][Nn]-[Cc][Hh]-[Dd][Ee])|([Aa][Rr][Tt]-[Ll][Oo][Jj][Bb][Aa][Nn]|[Cc][Ee][Ll]-[Gg][Aa][Uu][Ll][Ii][Ss][Hh]|[Nn][Oo]-[Bb][Oo][Kk]|[Nn][Oo]-[Nn][Yy][Nn]|[Zz][Hh]-[Gg][Uu][Oo][Yy][Uu]|[Zz][Hh]-[Hh][Aa][Kk][Kk][Aa]|[Zz][Hh]-[Mm][Ii][Nn]|[Zz][Hh]-[Mm][Ii][Nn]-[Nn][Aa][Nn]|[Zz][Hh]-[Xx][Ii][Aa][Nn][Gg])))'; } default "en-US"; description "Indicates the language tag that is used for 'attack-description'."; reference "RFC 5646: Tags for Identifying Languages, Section 2.1"; } leaf last-updated { type uint64; mandatory true; description "The time the mapping table was updated. It is represented in seconds relative to 1970-01-01T00:00:00Z."; } list attack-mapping { key "attack-id"; description "Attack mapping details."; leaf attack-id { type uint32; description "Unique identifier assigned by the vendor for the attack."; } leaf attack-description { type string; mandatory true; description "Textual representation of the attack description. Natural Language Processing techniques (e.g., word embedding) might provide some utility in mapping the attack description to an attack type."; } } // list attack-mapping } // list vendor } // container vendor-mapping } // list dots-client container capabilities { config false; description "Match capabilities"; leaf-list address-family { type enumeration { enum "ipv4" { value 0; description "IPv4 is supported."; } enum "ipv6" { value 1; description "IPv6 is supported."; } } description "Indicates the IP address families supported by the DOTS server."; } leaf-list forwarding-actions { type identityref { base ietf-acl:forwarding-action; } description "Supported forwarding action(s)."; } leaf rate-limit { type boolean; description "Support of rate-limit action."; } leaf-list transport-protocols { type uint8; description "Upper-layer protocol associated with a filtering rule. Values are taken from the IANA protocol registry: https://www.iana.org/assignments/protocol-numbers/ For example, this field contains 1 for ICMP, 6 for TCP 17 for UDP, or 58 for ICMPv6."; } container ipv4 { description "Indicates IPv4 header fields that are supported to enforce ACLs."; leaf dscp { type boolean; description "Support of filtering based on Differentiated Services Code Point (DSCP)."; } leaf ecn { type boolean; description "Support of filtering based on Explicit Congestion Notification (ECN)."; } leaf length { type boolean; description "Support of filtering based on the Total Length."; } leaf ttl { type boolean; description "Support of filtering based on the Time to Live (TTL)."; } leaf protocol { type boolean; description "Support of filtering based on protocol field."; } leaf ihl { type boolean; description "Support of filtering based on the Internet Header Length (IHL)."; } leaf flags { type boolean; description "Support of filtering based on the 'flags'."; } leaf offset { type boolean; description "Support of filtering based on the 'offset'."; } leaf identification { type boolean; description "Support of filtering based on the 'identification'."; } leaf source-prefix { type boolean; description "Support of filtering based on the source prefix."; } leaf destination-prefix { type boolean; description "Support of filtering based on the destination prefix."; } leaf fragment { type boolean; description "Indicates the capability of a DOTS server to enforce filters on IPv4 fragments. That is, the match functionality based on the Layer 3 'fragment' clause is supported."; } } // container ipv4 container ipv6 { description "Indicates IPv6 header fields that are supported to enforce ACLs."; leaf dscp { type boolean; description "Support of filtering based on DSCP."; } leaf ecn { type boolean; description "Support of filtering based on ECN."; } leaf length { type boolean; description "Support of filtering based on the Payload Length."; } leaf hoplimit { type boolean; description "Support of filtering based on the Hop Limit."; } leaf protocol { type boolean; description "Support of filtering based on the Next Header field."; } leaf destination-prefix { type boolean; description "Support of filtering based on the destination prefix."; } leaf source-prefix { type boolean; description "Support of filtering based on the source prefix."; } leaf flow-label { type boolean; description "Support of filtering based on the Flow Label."; } leaf fragment { type boolean; description "Indicates the capability of a DOTS server to enforce filters on IPv6 fragments."; } } // container ipv6 container tcp { description "Set of TCP fields that are supported by the DOTS server to enforce filters."; leaf sequence-number { type boolean; description "Support of filtering based on the TCP sequence number."; } leaf acknowledgement-number { type boolean; description "Support of filtering based on the TCP acknowledgement number."; } leaf data-offset { type boolean; description "Support of filtering based on the TCP data-offset."; } leaf reserved { type boolean; description "Support of filtering based on the TCP reserved field."; } leaf flags { type boolean; description "Support of filtering, as defined in RFC 8519, based on the TCP flags."; } leaf window-size { type boolean; description "Support of filtering based on the TCP window size."; } leaf urgent-pointer { type boolean; description "Support of filtering based on the TCP urgent pointer."; } leaf options { type boolean; description "Support of filtering based on the TCP options."; } leaf flags-bitmask { type boolean; description "Support of filtering based on the TCP flags bitmask."; } leaf source-port { type boolean; description "Support of filtering based on the source port number."; } leaf destination-port { type boolean; description "Support of filtering based on the destination port number."; } leaf port-range { type boolean; description "Support of filtering based on a port range. This includes filtering based on a source port range, destination port range, or both. All operators (i.e, less than or equal to, greater than or equal to, equal to, and not equal to) are supported. In particular, this means that the implementation supports filtering based on source-port-range-or-operator and destination-port-range-or-operator."; } } // container tcp container udp { description "Set of UDP fields that are supported by the DOTS server to enforce filters."; leaf length { type boolean; description "Support of filtering based on the UDP length."; } leaf source-port { type boolean; description "Support of filtering based on the source port number."; } leaf destination-port { type boolean; description "Support of filtering based on the destination port number."; } leaf port-range { type boolean; description "Support of filtering based on a port range. This includes filtering based on a source port range, destination port range, or both. All operators (i.e, less than or equal, greater than or equal, equal to, and not equal to) are supported. In particular, this means that the implementation supports filtering based on source-port-range-or-operator and destination-port-range-or-operator."; } } // container udp container icmp { description "Set of ICMP/ICMPv6 fields that are supported by the DOTS server to enforce filters."; leaf type { type boolean; description "Support of filtering based on the ICMP/ICMPv6 type."; } leaf code { type boolean; description "Support of filtering based on the ICMP/ICMPv6 code."; } leaf rest-of-header { type boolean; description "Support of filtering based on the ICMP four-byte field / the ICMPv6 message body."; } } // container icmp leaf vendor-mapping-enabled { type boolean; config false; description "Indicates that the DOTS server supports sharing attack vendor mapping details with DOTS clients."; } } // container capabilities container vendor-mapping { config false; description "Includes the list of vendor attack mapping details that will be shared with DOTS clients upon request."; list vendor { key "vendor-id"; description "Vendor attack mapping information related to the client/server."; leaf vendor-id { type uint32; description "The Vendor ID is a security vendor's Private Enterprise Number as registered with IANA."; reference "IANA: Private Enterprise Numbers (https://www.iana.org/assignments/enterprise-numbers/)"; } leaf vendor-name { type string; description "The name of the vendor (e.g., company A)."; } leaf description-lang { type string { pattern '((([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3}){0,2})?)|[A-Za-z]{4}|[A-Za-z]{5,8})(-[A-Za-z]{4})?(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}|([0-9][A-Za-z0-9]{3})))*(-[0-9A-WYZa-wyz](-([A-Za-z0-9]{2,8}))+)*(-[Xx](-([A-Za-z0-9]{1,8}))+)?|[Xx](-([A-Za-z0-9]{1,8}))+|(([Ee][Nn]-[Gg][Bb]-[Oo][Ee][Dd]|[Ii]-[Aa][Mm][Ii]|[Ii]-[Bb][Nn][Nn]|[Ii]-[Dd][Ee][Ff][Aa][Uu][Ll][Tt]|[Ii]-[Ee][Nn][Oo][Cc][Hh][Ii][Aa][Nn]|[Ii]-[Hh][Aa][Kk]|[Ii]-[Kk][Ll][Ii][Nn][Gg][Oo][Nn]|[Ii]-[Ll][Uu][Xx]|[Ii]-[Mm][Ii][Nn][Gg][Oo]|[Ii]-[Nn][Aa][Vv][Aa][Jj][Oo]|[Ii]-[Pp][Ww][Nn]|[Ii]-[Tt][Aa][Oo]|[Ii]-[Tt][Aa][Yy]|[Ii]-[Tt][Ss][Uu]|[Ss][Gg][Nn]-[Bb][Ee]-[Ff][Rr]|[Ss][Gg][Nn]-[Bb][Ee]-[Nn][Ll]|[Ss][Gg][Nn]-[Cc][Hh]-[Dd][Ee])|([Aa][Rr][Tt]-[Ll][Oo][Jj][Bb][Aa][Nn]|[Cc][Ee][Ll]-[Gg][Aa][Uu][Ll][Ii][Ss][Hh]|[Nn][Oo]-[Bb][Oo][Kk]|[Nn][Oo]-[Nn][Yy][Nn]|[Zz][Hh]-[Gg][Uu][Oo][Yy][Uu]|[Zz][Hh]-[Hh][Aa][Kk][Kk][Aa]|[Zz][Hh]-[Mm][Ii][Nn]|[Zz][Hh]-[Mm][Ii][Nn]-[Nn][Aa][Nn]|[Zz][Hh]-[Xx][Ii][Aa][Nn][Gg])))'; } default "en-US"; description "Indicates the language tag that is used for 'attack-description'."; reference "RFC 5646: Tags for Identifying Languages, Section 2.1"; } leaf last-updated { type uint64; mandatory true; description "The time the mapping table was updated. It is represented in seconds relative to 1970-01-01T00:00:00Z."; } list attack-mapping { key "attack-id"; description "Attack mapping details."; leaf attack-id { type uint32; description "Unique identifier assigned by the vendor for the attack."; } leaf attack-description { type string; mandatory true; description "Textual representation of the attack description. Natural Language Processing techniques (e.g., word embedding) might provide some utility in mapping the attack description to an attack type."; } } // list attack-mapping } // list vendor } // container vendor-mapping } // container dots-data } // module ietf-dots-data-channel
© 2023 YumaWorks, Inc. All rights reserved.