module ietf-dots-data-channel {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-dots-data-channel";
prefix data-channel;
import ietf-access-control-list {
prefix ietf-acl;
}
import ietf-packet-fields {
prefix packet-fields;
}
import ietf-dots-signal-channel {
prefix dots-signal;
}
// Module metadata: authorship, the IETF Trust legal boilerplate and the
// reference to the defining document. "RFC XXXX" is the draft's
// placeholder for the number assigned on publication; the blank
// "WG Web:" / "WG List:" entries lost their URLs in this copy.
organization
"IETF DDoS Open Threat Signaling (DOTS) Working Group";
contact
"WG Web:
WG List:
Editor: Konda, Tirumaleswar Reddy
Editor: Mohamed Boucadair
Author: Kaname Nishizuka
Author: Liang Xia
Author: Prashanth Patil
Author: Andrew Mortensen
Author: Nik Teague
Author: Jon Shallow
";
description
"This module contains YANG definition for configuring
aliases for resources and filtering rules using DOTS
data channel.
Copyright (c) 2018 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
// Single revision so far; YANG requires later revisions to be listed
// above earlier ones, so a future update goes before this statement.
revision 2018-04-16 {
description
"Initial revision.";
reference
"RFC XXXX: Distributed Denial-of-Service Open Threat
Signaling (DOTS) Data Channel Specification";
}
grouping aliases {
  // Reusable alias table; instantiated below under
  // /dots-data/dots-client/aliases, i.e. once per DOTS client.
  description
    "Top level container for aliases";
  list alias {
    description
      "List of aliases";
    key "name";
    leaf name {
      description
        "The name of the alias";
      // NOTE(review): unlike acl/name below, no length bound is placed
      // on the alias name; whether the server limits it is not visible
      // here.
      type string;
    }
    // The resources an alias stands for (prefixes, port ranges,
    // protocols, FQDNs, URIs) are imported from the signal-channel
    // module so both channels describe a target the same way.
    uses dots-signal:target;
    leaf pending-lifetime {
      description
        "Indicates the pending validity lifetime of the alias
         entry.";
      // Read-only: reported by the server, not set by the client.
      config false;
      units "minutes";
      type int32;
    }
  }
}
grouping ports {
  description
    "Choice of specifying a source or destination ports.";
  // Each choice currently offers a single case; the descriptions say
  // the alternative (referring to a group of ports) is intended to be
  // added alongside it later.
  choice source-port {
    description
      "Choice of specifying the source port or referring to
       a group of source ports.";
    container source-port-range-or-operator {
      description
        "Source port definition.";
      uses packet-fields:port-range-or-operator;
    }
  }
  choice destination-port {
    description
      "Choice of specifying a destination port or referring
       to a group of destination ports.";
    container destination-port-range-or-operator {
      description
        "Destination port definition.";
      uses packet-fields:port-range-or-operator;
    }
  }
}
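grouping access-lists {
  description
    "Specifies the ordered set of Access Control Lists.";
  // Instantiated once per DOTS client (/dots-data/dots-client/acls), so
  // every ACL defined here is scoped to the client that created it.
  list acl {
    key "name";
    // The client chooses the position of each ACL; the order received
    // is part of the filtering semantics and must be preserved.
    ordered-by user;
    description
      "An Access Control List (ACL) is an ordered list of
       Access Control Entries (ACE). Each Access Control Entry
       has a list of match criteria and a list of actions.";
    leaf name {
      type string {
        length "1..64";
      }
      description
        "The name of the access list.";
      reference
        "RFC ZZZZ: Network Access Control List (ACL)
         YANG Data Model";
    }
    leaf type {
      type ietf-acl:acl-type;
      description
        "Type of access control list. Indicates the primary intended
         type of match criteria (e.g., IPv4, IPv6) used in the list
         instance.";
      reference
        "RFC ZZZZ: Network Access Control List (ACL)
         YANG Data Model";
    }
    leaf activation-type {
      // No default is given, so the behaviour of an ACL created without
      // this leaf is not defined by this module. 'activate-when-mitigating'
      // is the conservative option (filters only exist during an attack);
      // 'immediate' changes forwarding as soon as the ACL is accepted.
      type enumeration {
        enum "activate-when-mitigating" {
          value 1;
          description
            "The ACL is installed only when a mitigation is active.
             The ACL is specific to this DOTS client.";
        }
        enum "immediate" {
          value 2;
          description
            "The ACL is immediately activated.";
        }
      }
      description
        "Indicates whether an ACL is to be installed immediately
         or when a mitigation is active.";
    }
    leaf pending-lifetime {
      type int32;
      units "minutes";
      // Read-only: reported by the server, not set by the client.
      config false;
      // Fixed: the description was copied from the alias grouping and
      // referred to an "alias entry".
      description
        "Indicates the pending validity lifetime of the ACL
         entry.";
    }
    container aces {
      description
        "The Access Control Entries container contains
         a list of ACEs.";
      list ace {
        key "name";
        // As for the ACL list, the client controls ACE precedence.
        ordered-by user;
        description
          "List of access list entries.";
        leaf name {
          type string {
            length "1..64";
          }
          description
            "A unique name identifying this Access List
             Entry (ACE).";
          reference
            "RFC ZZZZ: Network Access Control List (ACL)
             YANG Data Model";
        }
        container matches {
          description
            "The rules in this set determine what fields will be
             matched upon before any action is taken on them.
             If no matches are defined in a particular container,
             then any packet will match that container.
             If no matches are specified at all in an ACE, then any
             packet will match the ACE.";
          reference
            "RFC ZZZZ: Network Access Control List (ACL)
             YANG Data Model";
          // An ACE with an empty 'matches' matches every packet, so the
          // action below applies to all traffic; callers creating ACEs
          // should treat a missing match set as deliberate, not as a
          // no-op.
          choice l3 {
            // Choice nodes do not exist in the data tree, so four steps
            // up from ipv4/ipv6 (matches, ace, aces, acl) reach the
            // ACL's own 'type' leaf: the L3 case must agree with it.
            container ipv4 {
              when "derived-from(../../../../type," +
                   "'ietf-acl:ipv4-acl-type')";
              uses packet-fields:acl-ip-header-fields;
              uses packet-fields:acl-ipv4-header-fields;
              description
                "Rule set that matches IPv4 header.";
            }
            container ipv6 {
              when "derived-from(../../../../type," +
                   "'ietf-acl:ipv6-acl-type')";
              uses packet-fields:acl-ip-header-fields;
              uses packet-fields:acl-ipv6-header-fields;
              leaf fragment {
                type empty;
                description
                  "Handle IPv6 fragments. When this keyword
                   is present, the match is about assessing
                   whether a packet is a fragment (that is,
                   a Fragment header is present).";
              }
              description
                "Rule set that matches IPv6 header.";
            }
            description
              "Either IPv4 or IPv6.";
          }
          choice l4 {
            container tcp {
              uses packet-fields:acl-tcp-header-fields;
              uses ports;
              description
                "Rule set that matches TCP header.";
            }
            container udp {
              uses packet-fields:acl-udp-header-fields;
              uses ports;
              description
                "Rule set that matches UDP header.";
            }
            container icmp {
              uses packet-fields:acl-icmp-header-fields;
              description
                "Rule set that matches ICMP/ICMPv6 header.";
            }
            description
              "Can be TCP, UDP, or ICMP/ICMPv6";
          }
        }
        container actions {
          description
            "Definitions of action for this ACE.";
          leaf forwarding {
            type identityref {
              base ietf-acl:forwarding-action;
            }
            // Every ACE must state what happens to matching traffic.
            mandatory true;
            description
              "Specifies the forwarding action per ACE.";
            reference
              "RFC ZZZZ: Network Access Control List (ACL)
               YANG Data Model";
          }
          leaf rate-limit {
            // Fixed: the original compared the identityref with the
            // string 'ietf-acl:accept'. In YANG 1.1 XPath an identityref's
            // string value is qualified with the module name, not the
            // import prefix, so that comparison would never hold;
            // derived-from-or-self() is the portable test and also
            // accepts identities derived from 'accept'.
            when "derived-from-or-self(../forwarding, 'ietf-acl:accept')" {
              description
                "rate-limit valid only when accept action is used";
            }
            type decimal64 {
              fraction-digits 2;
            }
            // NOTE(review): no 'units' statement and no lower bound; the
            // unit of the limit (bytes or packets per second, ...) and
            // the meaning of a negative value are not defined here --
            // TODO confirm against the specification.
            description
              "Rate limit applied to traffic matching this ACE.";
          }
        }
        container statistics {
          // Read-only counters reported by the server.
          config false;
          description
            "Aggregate statistics.";
          uses ietf-acl:acl-counters;
        }
      }
    }
  }
}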
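container dots-data {
  description
    "Main container for DOTS data channel.";
  list dots-client {
    // Keyed by the client-generated 'cuid'. Because the client picks
    // this value, it identifies a client's resources but is not by
    // itself proof of identity; access to an entry presumably has to be
    // tied to the authenticated peer as well -- TODO confirm how RFC
    // YYYY binds cuid to the client.
    key "cuid";
    description
      "List of DOTS clients.";
    leaf cuid {
      type string;
      description
        "A unique identifier that is randomly generated by
         a DOTS client to prevent request collisions.";
      reference
        "RFC YYYY: Distributed Denial-of-Service Open Threat
         Signaling (DOTS) Signal Channel Specification";
    }
    leaf cdid {
      type string;
      // Conveyed by a server-domain gateway, not by the client itself.
      description
        "A client domain identifier conveyed by a
         server-domain DOTS gateway to a remote DOTS server.";
      reference
        "RFC YYYY: Distributed Denial-of-Service Open Threat
         Signaling (DOTS) Signal Channel Specification";
    }
    container aliases {
      description
        "Set of aliases that are bound to a DOTS client.";
      uses aliases;
    }
    container acls {
      description
        "Access lists that are bound to a DOTS client.";
      uses access-lists;
    }
  }
  container capabilities {
    // Read-only: the server advertises what it can filter on; clients
    // are expected to consult this before creating ACLs the server
    // cannot enforce.
    config false;
    description
      "Match capabilities";
    leaf-list address-family {
      type enumeration {
        enum "ipv4" {
          description
            "IPv4 is supported.";
        }
        enum "ipv6" {
          description
            "IPv6 is supported.";
        }
      }
      description
        "Indicates the IP address families supported by
         the DOTS server.";
    }
    leaf-list forwarding-actions {
      type identityref {
        base ietf-acl:forwarding-action;
      }
      description
        "Supported forwarding action(s).";
    }
    leaf rate-limit {
      type boolean;
      description
        "Support of rate-limit action.";
    }
    leaf-list fragment {
      // NOTE(review): nothing prevents 'unsupported' from being listed
      // together with 'v4-fragment'/'v6-fragment'; presumably a server
      // reports either 'unsupported' alone or the supported families.
      type enumeration {
        enum "unsupported" {
          description
            "No fragment support.";
        }
        enum "v4-fragment" {
          description
            "Filtering IPv4 fragments is supported.";
        }
        enum "v6-fragment" {
          description
            "Filtering IPv6 fragments is supported.";
        }
      }
      description
        "Indicates the capability of a DOTS server to
         enforce filters on fragments.";
    }
    leaf-list transport-protocols {
      // uint8 covers the whole 0..255 IANA protocol-number space.
      type uint8;
      // Fixed: the description referred to "this mapping", a leftover
      // from another model; this leaf-list advertises supported
      // protocols.
      description
        "Upper-layer protocols that the DOTS server can filter on.
         Values are taken from the IANA protocol registry:
         https://www.iana.org/assignments/protocol-numbers/
         protocol-numbers.xhtml
         For example, this list contains 6 if TCP filtering is
         supported or 17 if UDP filtering is supported.";
    }
    container ipv4 {
      description
        "Indicates IPv4 header fields that are supported to enforce
         ACLs.";
      leaf dscp {
        type boolean;
        description
          "Support of filtering based on DSCP.";
      }
      leaf ecn {
        type boolean;
        description
          "Support of filtering based on ECN.";
      }
      leaf length {
        type boolean;
        description
          "Support of filtering based on the Total Length.";
      }
      leaf ttl {
        type boolean;
        description
          "Support of filtering based on the TTL.";
      }
      leaf protocol {
        type boolean;
        description
          "Support of filtering based on protocol field.";
      }
      leaf ihl {
        type boolean;
        description
          "Support of filtering based on the Internet Header
           Length (IHL).";
      }
      leaf flags {
        type boolean;
        description
          "Support of filtering based on the flags.";
      }
      leaf offset {
        type boolean;
        description
          "Support of filtering based on the fragment offset.";
      }
      leaf identification {
        type boolean;
        description
          "Support of filtering based on the fragment
           identification.";
      }
      leaf source-prefix {
        type boolean;
        description
          "Support of filtering based on the source prefix.";
      }
      leaf destination-prefix {
        type boolean;
        description
          "Support of filtering based on the destination prefix.";
      }
    }
    container ipv6 {
      description
        "Indicates IPv6 header fields that are supported to enforce
         ACLs.";
      leaf dscp {
        type boolean;
        description
          "Support of filtering based on DSCP.";
      }
      leaf ecn {
        type boolean;
        description
          "Support of filtering based on ECN.";
      }
      leaf flow-label {
        type boolean;
        description
          "Support of filtering based on the Flow label.";
      }
      leaf length {
        type boolean;
        description
          "Support of filtering based on the Payload Length.";
      }
      leaf protocol {
        type boolean;
        description
          "Support of filtering based on the Next Header field.";
      }
      leaf hoplimit {
        type boolean;
        description
          "Support of filtering based on the Hop Limit.";
      }
      leaf source-prefix {
        type boolean;
        description
          "Support of filtering based on the source prefix.";
      }
      leaf destination-prefix {
        type boolean;
        description
          "Support of filtering based on the destination prefix.";
      }
    }
    container tcp {
      // Fixed typo: "enfoce" -> "enforce".
      description
        "Set of TCP fields that are supported by the DOTS server
         to enforce filters.";
      leaf sequence-number {
        type boolean;
        description
          "Support of filtering based on the TCP sequence number.";
      }
      leaf acknowledgement-number {
        type boolean;
        description
          "Support of filtering based on the TCP acknowledgement
           number.";
      }
      leaf data-offset {
        type boolean;
        description
          "Support of filtering based on the TCP data-offset.";
      }
      leaf reserved {
        type boolean;
        description
          "Support of filtering based on the TCP reserved field.";
      }
      leaf flags {
        type boolean;
        description
          "Support of filtering based on the TCP flags.";
      }
      leaf window-size {
        type boolean;
        description
          "Support of filtering based on the TCP window size.";
      }
      leaf urgent-pointer {
        type boolean;
        description
          "Support of filtering based on the TCP urgent pointer.";
      }
      leaf options {
        type boolean;
        description
          "Support of filtering based on the TCP options.";
      }
      leaf source-port {
        type boolean;
        description
          "Support of filtering based on the source port number.";
      }
      leaf destination-port {
        type boolean;
        description
          "Support of filtering based on the destination port
           number.";
      }
      leaf port-range {
        type boolean;
        description
          "Support of filtering based on a port range.";
      }
    }
    container udp {
      description
        "Set of UDP fields that are supported by the DOTS server
         to enforce filters.";
      leaf length {
        type boolean;
        description
          "Support of filtering based on the UDP length.";
      }
      leaf source-port {
        type boolean;
        description
          "Support of filtering based on the source port number.";
      }
      leaf destination-port {
        type boolean;
        description
          "Support of filtering based on the destination port
           number.";
      }
      leaf port-range {
        type boolean;
        description
          "Support of filtering based on a port range.";
      }
    }
    container icmp {
      description
        "Set of ICMP/ICMPv6 fields that are supported by the DOTS
         server to enforce filters.";
      leaf type {
        type boolean;
        description
          "Support of filtering based on the ICMP/ICMPv6 type.";
      }
      leaf code {
        type boolean;
        description
          "Support of filtering based on the ICMP/ICMPv6 code.";
      }
      leaf rest-of-header {
        type boolean;
        description
          "Support of filtering based on the ICMP four-bytes
           field.";
      }
    }
  }
}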
}