netconfcentral logo

ietf-dots-data-channel

HTML

ietf-dots-data-channel@2020-05-28



  module ietf-dots-data-channel {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-dots-data-channel";

    prefix data-channel;

    import ietf-inet-types {
      prefix inet;
      reference
        "Section 4 of RFC 6991";


    }
    import ietf-access-control-list {
      prefix ietf-acl;
      reference
        "RFC 8519: YANG Data Model for Network Access
        	  Control Lists (ACLs)";


    }
    import ietf-packet-fields {
      prefix packet-fields;
      reference
        "RFC 8519: YANG Data Model for Network Access
        	  Control Lists (ACLs)";


    }

    organization
      "IETF DDoS Open Threat Signaling (DOTS) Working Group";

    contact
      "WG Web:   <https://datatracker.ietf.org/wg/dots/>
WG List:  <mailto:dots@ietf.org>

Editor:  Mohamed Boucadair
	 <mailto:mohamed.boucadair@orange.com>

Editor:  Konda, Tirumaleswar Reddy.K
	 <mailto:TirumaleswarReddy_Konda@McAfee.com>

Author:  Jon Shallow
	 <mailto:jon.shallow@nccgroup.com>

Author:  Kaname Nishizuka
	 <mailto:kaname@nttv6.jp>

Author:  Liang Xia
	 <mailto:frank.xialiang@huawei.com>

Author:  Prashanth Patil
	 <mailto:praspati@cisco.com>

Author:  Andrew Mortensen
	 <mailto:amortensen@arbor.net>

Author:  Nik Teague
	 <mailto:nteague@ironmountain.co.uk>";

    description
      "This module contains YANG definition for configuring
aliases for resources and filtering rules using DOTS
data channel.

Copyright (c) 2020 IETF Trust and the persons identified as
authors of the code.  All rights reserved.

Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC 8783; see
the RFC itself for full legal notices.";

    revision "2020-05-28" {
      description "Initial revision.";
      reference
        "RFC 8783: Distributed Denial-of-Service Open Threat
        	  Signaling (DOTS) Data Channel Specification";

    }


    typedef activation-type {
      type enumeration {
        enum "activate-when-mitigating" {
          value 1;
          description
            "The Access Control List (ACL) is installed only when
a mitigation is active for the DOTS client.";
        }
        enum "immediate" {
          value 2;
          description
            "The ACL is immediately activated.";
        }
        enum "deactivate" {
          value 3;
          description
            "The ACL is maintained by the DOTS server, but it is
deactivated.";
        }
      }
      description
        "Indicates the activation type of an ACL.";
    }

    typedef operator {
      type bits {
        bit not {
          position 0;
          description
            "If set, logical negation of operation.";
        }
        bit match {
          position 1;
          description
            "Match bit.  This is a bitwise match operation
defined as '(data & value) == value'.";
        }
        bit any {
          position 3;
          description
            "Any bit.  This is a match on any of the bits in
bitmask.  It evaluates to 'true' if any of the bits
in the value mask are set in the data,
i.e., '(data & value) != 0'.";
        }
      }
      description
        "Specifies how to apply the defined bitmask.
'any' and 'match' bits must not be set simultaneously.";
    }

    grouping tcp-flags {
      description "Operations on TCP flags.";
      leaf operator {
        type operator;
        default "match";
        description
          "Specifies how to interpret the TCP flags.";
      }

      leaf bitmask {
        type uint16;
        mandatory true;
        description
          "The bitmask matches the last 4 bits of byte 12
and byte 13 of the TCP header.  For clarity, the 4 bits
of byte 12 corresponding to the TCP data offset field
are not included in any matching.";
      }
    }  // grouping tcp-flags

    typedef fragment-type {
      type bits {
        bit df {
          position 0;
          description
            "Don't fragment bit for IPv4.
Must be set to 0 when it appears in an IPv6 filter.";
        }
        bit isf {
          position 1;
          description "Is a fragment.";
        }
        bit ff {
          position 2;
          description "First fragment.";
        }
        bit lf {
          position 3;
          description "Last fragment.";
        }
      }
      description
        "Different fragment types to match against.";
    }

    grouping target {
      description
        "Specifies the targets of the mitigation request.";
      leaf-list target-prefix {
        type inet:ip-prefix;
        description
          "IPv4 or IPv6 prefix identifying the target.";
      }

      list target-port-range {
        key "lower-port";
        description
          "Port range.  When only lower-port is
present, it represents a single port number.";
        leaf lower-port {
          type inet:port-number;
          mandatory true;
          description
            "Lower port number of the port range.";
        }

        leaf upper-port {
          type inet:port-number;
          must ". >= ../lower-port" {
            error-message
              "The upper-port number must be greater than
or equal to the lower-port number.";
          }
          description
            "Upper port number of the port range.";
        }
      }  // list target-port-range

      leaf-list target-protocol {
        type uint8;
        description
          "Identifies the target protocol number.

Values are taken from the IANA protocol registry:
https://www.iana.org/assignments/protocol-numbers/

For example, 6 for TCP or 17 for UDP.";
      }

      leaf-list target-fqdn {
        type inet:domain-name;
        description
          "FQDN identifying the target.";
      }

      leaf-list target-uri {
        type inet:uri;
        description
          "URI identifying the target.";
      }
    }  // grouping target

    grouping fragment-fields {
      description
        "Operations on fragment types.";
      leaf operator {
        type operator;
        default "match";
        description
          "Specifies how to interpret the fragment type.";
      }

      leaf type {
        type fragment-type;
        mandatory true;
        description
          "Indicates what fragment type to look for.";
      }
    }  // grouping fragment-fields

    grouping aliases {
      description
        "Top-level container for aliases.";
      list alias {
        key "name";
        description "List of aliases.";
        leaf name {
          type string;
          description
            "The name of the alias.";
        }

        uses target;

        leaf pending-lifetime {
          type int32;
          units "minutes";
          config false;
          description
            "Indicates the pending validity lifetime of the alias
entry.";
        }
      }  // list alias
    }  // grouping aliases

    grouping ports {
      description
        "Choice of specifying a source or destination port numbers.";
      choice source-port {
        description
          "Choice of specifying the source port or referring to
a group of source port numbers.";
        container source-port-range-or-operator {
          description
            "Source port definition.";
          uses packet-fields:port-range-or-operator;
        }  // container source-port-range-or-operator
      }  // choice source-port

      choice destination-port {
        description
          "Choice of specifying a destination port or referring
to a group of destination port numbers.";
        container destination-port-range-or-operator {
          description
            "Destination port definition.";
          uses packet-fields:port-range-or-operator;
        }  // container destination-port-range-or-operator
      }  // choice destination-port
    }  // grouping ports

    grouping access-lists {
      description
        "Specifies the ordered set of Access Control Lists.";
      list acl {
        key "name";
        ordered-by user;
        description
          "An ACL is an ordered list of Access Control Entries (ACE).
Each ACE has a list of match criteria and a list of
actions.";
        leaf name {
          type string {
            length "1..64";
          }
          description
            "The name of the access list.";
          reference
            "RFC 8519: YANG Data Model for Network Access
            	  Control Lists (ACLs)";

        }

        leaf type {
          type ietf-acl:acl-type;
          description
            "Type of access control list.  Indicates the primary
intended type of match criteria (e.g., IPv4, IPv6)
used in the list instance.";
          reference
            "RFC 8519: YANG Data Model for Network Access
            	  Control Lists (ACLs)";

        }

        leaf activation-type {
          type activation-type;
          default "activate-when-mitigating";
          description
            "Indicates the activation type of an ACL.  An ACL can be
deactivated, installed immediately, or installed when
a mitigation is active.";
        }

        leaf pending-lifetime {
          type int32;
          units "minutes";
          config false;
          description
            "Indicates the pending validity lifetime of the ACL
entry.";
        }

        container aces {
          description
            "The Access Control Entries container contains
a list of ACEs.";
          list ace {
            key "name";
            ordered-by user;
            description
              "List of access list entries.";
            leaf name {
              type string {
                length "1..64";
              }
              description
                "A unique name identifying this ACE.";
              reference
                "RFC 8519: YANG Data Model for Network Access
                	  Control Lists (ACLs)";

            }

            container matches {
              description
                "The rules in this set determine what fields will be
matched upon before any action is taken on them.

If no matches are defined in a particular container,
then any packet will match that container.

If no matches are specified at all in an ACE, then any
packet will match the ACE.";
              reference
                "RFC 8519: YANG Data Model for Network Access
                	  Control Lists (ACLs)";

              choice l3 {
                description
                  "Either IPv4 or IPv6.";
                container ipv4 {
                  when
                    "derived-from(../../../../type, 'ietf-acl:ipv4-acl-type')";
                  description
                    "Rule set that matches IPv4 header.";
                  uses packet-fields:acl-ip-header-fields;

                  uses packet-fields:acl-ipv4-header-fields;

                  container fragment {
                    description
                      "Indicates how to handle IPv4 fragments.";
                    uses fragment-fields;
                  }  // container fragment
                }  // container ipv4
                container ipv6 {
                  when
                    "derived-from(../../../../type, 'ietf-acl:ipv6-acl-type')";
                  description
                    "Rule set that matches IPv6 header.";
                  uses packet-fields:acl-ip-header-fields;

                  uses packet-fields:acl-ipv6-header-fields;

                  container fragment {
                    description
                      "Indicates how to handle IPv6 fragments.";
                    uses fragment-fields;
                  }  // container fragment
                }  // container ipv6
              }  // choice l3

              choice l4 {
                description
                  "Can be TCP, UDP, or ICMP/ICMPv6";
                container tcp {
                  description
                    "Rule set that matches TCP header.";
                  uses packet-fields:acl-tcp-header-fields;

                  container flags-bitmask {
                    description
                      "Indicates how to handle TCP flags.";
                    uses tcp-flags;
                  }  // container flags-bitmask

                  uses ports;
                }  // container tcp
                container udp {
                  description
                    "Rule set that matches UDP header.";
                  uses packet-fields:acl-udp-header-fields;

                  uses ports;
                }  // container udp
                container icmp {
                  description
                    "Rule set that matches ICMP/ICMPv6 header.";
                  uses packet-fields:acl-icmp-header-fields;
                }  // container icmp
              }  // choice l4
            }  // container matches

            container actions {
              description
                "Definitions of action for this ACE.";
              leaf forwarding {
                type identityref {
                  base ietf-acl:forwarding-action;
                }
                mandatory true;
                description
                  "Specifies the forwarding action per ACE.";
                reference
                  "RFC 8519: YANG Data Model for Network Access
                  	  Control Lists (ACLs)";

              }

              leaf rate-limit {
                when
                  "../forwarding = 'ietf-acl:accept'" {
                  description
                    "Rate-limit is valid only when accept action is
used.";
                }
                type decimal64 {
                  fraction-digits 2;
                }
                units "bytes per second";
                description
                  "Specifies how to rate-limit the traffic.";
              }
            }  // container actions

            container statistics {
              config false;
              description
                "Aggregate statistics.";
              uses ietf-acl:acl-counters;
            }  // container statistics
          }  // list ace
        }  // container aces
      }  // list acl
    }  // grouping access-lists

    container dots-data {
      description
        "Main container for DOTS data channel.";
      list dots-client {
        key "cuid";
        description "List of DOTS clients.";
        leaf cuid {
          type string;
          description
            "A unique identifier that is generated by a DOTS client
to prevent request collisions.";
          reference
            "RFC 8782: Distributed Denial-of-Service Open Threat
                   Signaling (DOTS) Signal Channel Specification";

        }

        leaf cdid {
          type string;
          description
            "A client domain identifier conveyed by a
server-domain DOTS gateway to a remote DOTS server.";
          reference
            "RFC 8782: Distributed Denial-of-Service Open Threat
                   Signaling (DOTS) Signal Channel Specification";

        }

        container aliases {
          description
            "Set of aliases that are bound to a DOTS client.";
          uses aliases;
        }  // container aliases

        container acls {
          description
            "Access lists that are bound to a DOTS client.";
          uses access-lists;
        }  // container acls
      }  // list dots-client

      container capabilities {
        config false;
        description "Match capabilities";
        leaf-list address-family {
          type enumeration {
            enum "ipv4" {
              value 0;
              description
                "IPv4 is supported.";
            }
            enum "ipv6" {
              value 1;
              description
                "IPv6 is supported.";
            }
          }
          description
            "Indicates the IP address families supported by
the DOTS server.";
        }

        leaf-list forwarding-actions {
          type identityref {
            base ietf-acl:forwarding-action;
          }
          description
            "Supported forwarding action(s).";
        }

        leaf rate-limit {
          type boolean;
          description
            "Support of rate-limit action.";
        }

        leaf-list transport-protocols {
          type uint8;
          description
            "Upper-layer protocol associated with a filtering rule.

Values are taken from the IANA protocol registry:
https://www.iana.org/assignments/protocol-numbers/

For example, this field contains 1 for ICMP, 6 for TCP
17 for UDP, or 58 for ICMPv6.";
        }

        container ipv4 {
          description
            "Indicates IPv4 header fields that are supported to enforce
ACLs.";
          leaf dscp {
            type boolean;
            description
              "Support of filtering based on Differentiated Services
Code Point (DSCP).";
          }

          leaf ecn {
            type boolean;
            description
              "Support of filtering based on Explicit Congestion
Notification (ECN).";
          }

          leaf length {
            type boolean;
            description
              "Support of filtering based on the Total Length.";
          }

          leaf ttl {
            type boolean;
            description
              "Support of filtering based on the Time to Live (TTL).";
          }

          leaf protocol {
            type boolean;
            description
              "Support of filtering based on protocol field.";
          }

          leaf ihl {
            type boolean;
            description
              "Support of filtering based on the Internet Header
Length (IHL).";
          }

          leaf flags {
            type boolean;
            description
              "Support of filtering based on the 'flags'.";
          }

          leaf offset {
            type boolean;
            description
              "Support of filtering based on the 'offset'.";
          }

          leaf identification {
            type boolean;
            description
              "Support of filtering based on the 'identification'.";
          }

          leaf source-prefix {
            type boolean;
            description
              "Support of filtering based on the source prefix.";
          }

          leaf destination-prefix {
            type boolean;
            description
              "Support of filtering based on the destination prefix.";
          }

          leaf fragment {
            type boolean;
            description
              "Indicates the capability of a DOTS server to
enforce filters on IPv4 fragments.  That is, the match
functionality based on the Layer 3 'fragment' clause
is supported.";
          }
        }  // container ipv4

        container ipv6 {
          description
            "Indicates IPv6 header fields that are supported to enforce
ACLs.";
          leaf dscp {
            type boolean;
            description
              "Support of filtering based on DSCP.";
          }

          leaf ecn {
            type boolean;
            description
              "Support of filtering based on ECN.";
          }

          leaf length {
            type boolean;
            description
              "Support of filtering based on the Payload Length.";
          }

          leaf hoplimit {
            type boolean;
            description
              "Support of filtering based on the Hop Limit.";
          }

          leaf protocol {
            type boolean;
            description
              "Support of filtering based on the Next Header field.";
          }

          leaf destination-prefix {
            type boolean;
            description
              "Support of filtering based on the destination prefix.";
          }

          leaf source-prefix {
            type boolean;
            description
              "Support of filtering based on the source prefix.";
          }

          leaf flow-label {
            type boolean;
            description
              "Support of filtering based on the Flow Label.";
          }

          leaf fragment {
            type boolean;
            description
              "Indicates the capability of a DOTS server to
enforce filters on IPv6 fragments.";
          }
        }  // container ipv6

        container tcp {
          description
            "Set of TCP fields that are supported by the DOTS server
to enforce filters.";
          leaf sequence-number {
            type boolean;
            description
              "Support of filtering based on the TCP sequence number.";
          }

          leaf acknowledgement-number {
            type boolean;
            description
              "Support of filtering based on the TCP acknowledgement
number.";
          }

          leaf data-offset {
            type boolean;
            description
              "Support of filtering based on the TCP data-offset.";
          }

          leaf reserved {
            type boolean;
            description
              "Support of filtering based on the TCP reserved field.";
          }

          leaf flags {
            type boolean;
            description
              "Support of filtering, as defined in RFC 8519, based
on the TCP flags.";
          }

          leaf window-size {
            type boolean;
            description
              "Support of filtering based on the TCP window size.";
          }

          leaf urgent-pointer {
            type boolean;
            description
              "Support of filtering based on the TCP urgent pointer.";
          }

          leaf options {
            type boolean;
            description
              "Support of filtering based on the TCP options.";
          }

          leaf flags-bitmask {
            type boolean;
            description
              "Support of filtering based on the TCP flags bitmask.";
          }

          leaf source-port {
            type boolean;
            description
              "Support of filtering based on the source port number.";
          }

          leaf destination-port {
            type boolean;
            description
              "Support of filtering based on the destination port
number.";
          }

          leaf port-range {
            type boolean;
            description
              "Support of filtering based on a port range.

This includes filtering based on a source port range,
destination port range, or both.  All operators
(i.e, less than or equal to, greater than or equal to,
equal to, and not equal to) are supported.

In particular, this means that the implementation
supports filtering based on
source-port-range-or-operator and
destination-port-range-or-operator.";
          }
        }  // container tcp

        container udp {
          description
            "Set of UDP fields that are supported by the DOTS server
to enforce filters.";
          leaf length {
            type boolean;
            description
              "Support of filtering based on the UDP length.";
          }

          leaf source-port {
            type boolean;
            description
              "Support of filtering based on the source port number.";
          }

          leaf destination-port {
            type boolean;
            description
              "Support of filtering based on the destination port
number.";
          }

          leaf port-range {
            type boolean;
            description
              "Support of filtering based on a port range.

This includes filtering based on a source port range,
destination port range, or both.  All operators
(i.e, less than or equal, greater than or equal,
equal to, and not equal to) are supported.

In particular, this means that the implementation
supports filtering based on
source-port-range-or-operator and
destination-port-range-or-operator.";
          }
        }  // container udp

        container icmp {
          description
            "Set of ICMP/ICMPv6 fields that are supported by the DOTS
server to enforce filters.";
          leaf type {
            type boolean;
            description
              "Support of filtering based on the ICMP/ICMPv6 type.";
          }

          leaf code {
            type boolean;
            description
              "Support of filtering based on the ICMP/ICMPv6 code.";
          }

          leaf rest-of-header {
            type boolean;
            description
              "Support of filtering based on the ICMP four-byte
field / the ICMPv6 message body.";
          }
        }  // container icmp
      }  // container capabilities
    }  // container dots-data
  }  // module ietf-dots-data-channel

Summary

  
  
Organization IETF DDoS Open Threat Signaling (DOTS) Working Group
  
Module ietf-dots-data-channel
Version 2020-05-28
File ietf-dots-data-channel@2020-05-28.yang
  
Prefix data-channel
Namespace urn:ietf:params:xml:ns:yang:ietf-dots-data-channel
  
Cooked /cookedmodules/ietf-dots-data-channel/2020-05-28
YANG /src/ietf-dots-data-channel@2020-05-28.yang
XSD /xsd/ietf-dots-data-channel@2020-05-28.xsd
  
Abstract This module contains YANG definition for configuring aliases for resources and filtering rules using DOTS data channel. Copyrig...
  
Contact
WG Web:   <https://datatracker.ietf.org/wg/dots/>
WG List:  <mailto:dots@ietf.org>

Editor:  Mohamed Boucadair
	 <mailto:mohamed.boucadair@orange.com>

Editor:  Konda, Tirumaleswar Reddy.K
	 <mailto:TirumaleswarReddy_Konda@McAfee.com>

Author:  Jon Shallow
	 <mailto:jon.shallow@nccgroup.com>

Author:  Kaname Nishizuka
	 <mailto:kaname@nttv6.jp>

Author:  Liang Xia
	 <mailto:frank.xialiang@huawei.com>

Author:  Prashanth Patil
	 <mailto:praspati@cisco.com>

Author:  Andrew Mortensen
	 <mailto:amortensen@arbor.net>

Author:  Nik Teague
	 <mailto:nteague@ironmountain.co.uk>

Description

 
This module contains YANG definition for configuring
aliases for resources and filtering rules using DOTS
data channel.

Copyright (c) 2020 IETF Trust and the persons identified as
authors of the code.  All rights reserved.

Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC 8783; see
the RFC itself for full legal notices.

Typedefs

Typedef Base type Abstract
activation-type enumeration Indicates the activation type of an ACL.
fragment-type bits Different fragment types to match against.
operator bits Specifies how to apply the defined bitmask. 'any' and 'match' bits must not be set simultaneously.

Groupings

Grouping Objects Abstract
access-lists acl Specifies the ordered set of Access Control Lists.
aliases alias Top-level container for aliases.
fragment-fields operator type Operations on fragment types.
ports source-port destination-port Choice of specifying a source or destination port numbers.
target target-prefix target-port-range target-protocol target-fqdn target-uri Specifies the targets of the mitigation request.
tcp-flags operator bitmask Operations on TCP flags.

Objects

Type Key
Mandatory config
Optional config
Not config
Object Type Abstract
dots-data container Main container for DOTS data channel.
   capabilities container Match capabilities
      address-family leaf-list Indicates the IP address families supported by the DOTS server.
      forwarding-actions leaf-list Supported forwarding action(s).
      icmp container Set of ICMP/ICMPv6 fields that are supported by the DOTS server to enforce filters.
         code leaf Support of filtering based on the ICMP/ICMPv6 code.
         rest-of-header leaf Support of filtering based on the ICMP four-byte field / the ICMPv6 message body.
         type leaf Support of filtering based on the ICMP/ICMPv6 type.
      ipv4 container Indicates IPv4 header fields that are supported to enforce ACLs.
         destination-prefix leaf Support of filtering based on the destination prefix.
         dscp leaf Support of filtering based on Differentiated Services Code Point (DSCP).
         ecn leaf Support of filtering based on Explicit Congestion Notification (ECN).
         flags leaf Support of filtering based on the 'flags'.
         fragment leaf Indicates the capability of a DOTS server to enforce filters on IPv4 fragments. That is, the match functionality based on the Layer 3 'fragment' clause is supported.
         identification leaf Support of filtering based on the 'identification'.
         ihl leaf Support of filtering based on the Internet Header Length (IHL).
         length leaf Support of filtering based on the Total Length.
         offset leaf Support of filtering based on the 'offset'.
         protocol leaf Support of filtering based on protocol field.
         source-prefix leaf Support of filtering based on the source prefix.
         ttl leaf Support of filtering based on the Time to Live (TTL).
      ipv6 container Indicates IPv6 header fields that are supported to enforce ACLs.
         destination-prefix leaf Support of filtering based on the destination prefix.
         dscp leaf Support of filtering based on DSCP.
         ecn leaf Support of filtering based on ECN.
         flow-label leaf Support of filtering based on the Flow Label.
         fragment leaf Indicates the capability of a DOTS server to enforce filters on IPv6 fragments.
         hoplimit leaf Support of filtering based on the Hop Limit.
         length leaf Support of filtering based on the Payload Length.
         protocol leaf Support of filtering based on the Next Header field.
         source-prefix leaf Support of filtering based on the source prefix.
      rate-limit leaf Support of rate-limit action.
      tcp container Set of TCP fields that are supported by the DOTS server to enforce filters.
         acknowledgement-number leaf Support of filtering based on the TCP acknowledgement number.
         data-offset leaf Support of filtering based on the TCP data-offset.
         destination-port leaf Support of filtering based on the destination port number.
         flags leaf Support of filtering, as defined in RFC 8519, based on the TCP flags.
         flags-bitmask leaf Support of filtering based on the TCP flags bitmask.
         options leaf Support of filtering based on the TCP options.
         port-range leaf Support of filtering based on a port range. This includes filtering based on a source port range, destination port range, or both. All operators (i.e, less than or equal to, greater than or equal to, equal to, and not equal to) are supported. In partic...
         reserved leaf Support of filtering based on the TCP reserved field.
         sequence-number leaf Support of filtering based on the TCP sequence number.
         source-port leaf Support of filtering based on the source port number.
         urgent-pointer leaf Support of filtering based on the TCP urgent pointer.
         window-size leaf Support of filtering based on the TCP window size.
      transport-protocols leaf-list Upper-layer protocol associated with a filtering rule. Values are taken from the IANA protocol registry: https://www.iana.org/assignments/protocol-numbers/ For example, this field contains 1 for ICMP, 6 for TCP 17 for UDP, or 58 for ICMPv6.
      udp container Set of UDP fields that are supported by the DOTS server to enforce filters.
         destination-port leaf Support of filtering based on the destination port number.
         length leaf Support of filtering based on the UDP length.
         port-range leaf Support of filtering based on a port range. This includes filtering based on a source port range, destination port range, or both. All operators (i.e, less than or equal, greater than or equal, equal to, and not equal to) are supported. In particular, ...
         source-port leaf Support of filtering based on the source port number.
   dots-client list List of DOTS clients.
      acls container Access lists that are bound to a DOTS client.
         acl list An ACL is an ordered list of Access Control Entries (ACE). Each ACE has a list of match criteria and a list of actions.
            aces container The Access Control Entries container contains a list of ACEs.
               ace list List of access list entries.
                  actions container Definitions of action for this ACE.
                     forwarding leaf Specifies the forwarding action per ACE.
                     rate-limit leaf Specifies how to rate-limit the traffic.
                  matches container The rules in this set determine what fields will be matched upon before any action is taken on them. If no matches are defined in a particular container, then any packet will match that container. If no matches are specified at all in an ACE, then any p...
                     l3 choice Either IPv4 or IPv6.
                        ipv4 case ipv4
                           ipv4 container Rule set that matches IPv4 header.
                              destination-network choice Choice of specifying a destination IPv4 address or referring to a group of IPv4 destination addresses.
                                 destination-ipv4-network case destination-ipv4-network
                                    destination-ipv4-network leaf Destination IPv4 address prefix.
                              dscp leaf Differentiated Services Code Point.
                              ecn leaf Explicit Congestion Notification.
                              flags leaf Bit definitions for the Flags field in the IPv4 header.
                              fragment container Indicates how to handle IPv4 fragments.
                                 operator leaf Specifies how to interpret the fragment type.
                                 type leaf Indicates what fragment type to look for.
                              identification leaf An identifying value assigned by the sender to aid in assembling the fragments of a datagram.
                              ihl leaf In an IPv4 header field, the Internet Header Length (IHL) is the length of the internet header in 32-bit words and thus points to the beginning of the data. Note that the minimum value for a correct header is 5.
                              length leaf In the IPv4 header field, this field is known as the Total Length. Total Length is the length of the datagram, measured in octets, including internet header and data. In the IPv6 header field, this field is known as the Payload Length, which is the leng...
                              offset leaf The fragment offset is measured in units of 8 octets (64 bits). The first fragment has offset zero. The length is 13 bits
                              protocol leaf Internet Protocol number. Refers to the protocol of the payload. In IPv6, this field is known as 'next-header', and if extension headers are present, the protocol is present in the 'upper-layer' header.
                              source-network choice Choice of specifying a source IPv4 address or referring to a group of IPv4 source addresses.
                                 source-ipv4-network case source-ipv4-network
                                    source-ipv4-network leaf Source IPv4 address prefix.
                              ttl leaf This field indicates the maximum time the datagram is allowed to remain in the internet system. If this field contains the value zero, then the datagram must be dropped. In IPv6, this field is known as the Hop Limit.
                        ipv6 case ipv6
                           ipv6 container Rule set that matches IPv6 header.
                              destination-network choice Choice of specifying a destination IPv6 address or referring to a group of IPv6 destination addresses.
                                 destination-ipv6-network case destination-ipv6-network
                                    destination-ipv6-network leaf Destination IPv6 address prefix.
                              dscp leaf Differentiated Services Code Point.
                              ecn leaf Explicit Congestion Notification.
                              flow-label leaf IPv6 Flow label.
                              fragment container Indicates how to handle IPv6 fragments.
                                 operator leaf Specifies how to interpret the fragment type.
                                 type leaf Indicates what fragment type to look for.
                              length leaf In the IPv4 header field, this field is known as the Total Length. Total Length is the length of the datagram, measured in octets, including internet header and data. In the IPv6 header field, this field is known as the Payload Length, which is the leng...
                              protocol leaf Internet Protocol number. Refers to the protocol of the payload. In IPv6, this field is known as 'next-header', and if extension headers are present, the protocol is present in the 'upper-layer' header.
                              source-network choice Choice of specifying a source IPv6 address or referring to a group of IPv6 source addresses.
                                 source-ipv6-network case source-ipv6-network
                                    source-ipv6-network leaf Source IPv6 address prefix.
                              ttl leaf This field indicates the maximum time the datagram is allowed to remain in the internet system. If this field contains the value zero, then the datagram must be dropped. In IPv6, this field is known as the Hop Limit.
                     l4 choice Can be TCP, UDP, or ICMP/ICMPv6
                        icmp case icmp
                           icmp container Rule set that matches ICMP/ICMPv6 header.
                              code leaf ICMP subtype. Also known as control messages.
                              rest-of-header leaf Unbounded in length, the contents vary based on the ICMP type and code. Also referred to as 'Message Body' in ICMPv6.
                              type leaf Also known as control messages.
                        tcp case tcp
                           tcp container Rule set that matches TCP header.
                              acknowledgement-number leaf The acknowledgement number that appears in the packet.
                              data-offset leaf Specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words; thus, this gives a minimum size of 20 bytes and a maximum of 60 bytes, allowing for up to 40 bytes of options in the header.
                              destination-port choice Choice of specifying a destination port or referring to a group of destination port numbers.
                                 destination-port-range-or-operator case destination-port-range-or-operator
                                    destination-port-range-or-operator container Destination port definition.
                                       port-range-or-operator choice Choice of specifying a port range or a single port along with an operator.
                                          operator case operator port
                                             operator leaf Operator to be applied on the port below.
                                             port leaf Port number along with the operator on which to match.
                                          range case lower-port upper-port
                                             lower-port leaf Lower boundary for a port.
                                             upper-port leaf Upper boundary for a port.
                              flags leaf Also known as Control Bits. Contains nine 1-bit flags.
                              flags-bitmask container Indicates how to handle TCP flags.
                                 bitmask leaf The bitmask matches the last 4 bits of byte 12 and byte 13 of the TCP header. For clarity, the 4 bits of byte 12 corresponding to the TCP data offset field are not included in any matching.
                                 operator leaf Specifies how to interpret the TCP flags.
                              options leaf The length of this field is determined by the Data Offset field. Options have up to three fields: Option-Kind (1 byte), Option-Length (1 byte), and Option-Data (variable). The Option-Kind field indicates the type of option and is the only field that is ...
                              reserved leaf Reserved for future use.
                              sequence-number leaf Sequence number that appears in the packet.
                              source-port choice Choice of specifying the source port or referring to a group of source port numbers.
                                 source-port-range-or-operator case source-port-range-or-operator
                                    source-port-range-or-operator container Source port definition.
                                       port-range-or-operator choice Choice of specifying a port range or a single port along with an operator.
                                          operator case operator port
                                             operator leaf Operator to be applied on the port below.
                                             port leaf Port number along with the operator on which to match.
                                          range case lower-port upper-port
                                             lower-port leaf Lower boundary for a port.
                                             upper-port leaf Upper boundary for a port.
                              urgent-pointer leaf This field is an offset from the sequence number indicating the last urgent data byte.
                              window-size leaf The size of the receive window, which specifies the number of window size units beyond the segment identified by the sequence number in the Acknowledgement field that the sender of this segment is currently willing to receive.
                        udp case udp
                           udp container Rule set that matches UDP header.
                              destination-port choice Choice of specifying a destination port or referring to a group of destination port numbers.
                                 destination-port-range-or-operator case destination-port-range-or-operator
                                    destination-port-range-or-operator container Destination port definition.
                                       port-range-or-operator choice Choice of specifying a port range or a single port along with an operator.
                                          operator case operator port
                                             operator leaf Operator to be applied on the port below.
                                             port leaf Port number along with the operator on which to match.
                                          range case lower-port upper-port
                                             lower-port leaf Lower boundary for a port.
                                             upper-port leaf Upper boundary for a port.
                              length leaf A field that specifies the length in bytes of the UDP header and UDP data. The minimum length is 8 bytes because that is the length of the header. The field size sets a theoretical limit of 65,535 bytes (8-byte header plus 65,527 bytes of data) for a UD...
                              source-port choice Choice of specifying the source port or referring to a group of source port numbers.
                                 source-port-range-or-operator case source-port-range-or-operator
                                    source-port-range-or-operator container Source port definition.
                                       port-range-or-operator choice Choice of specifying a port range or a single port along with an operator.
                                          operator case operator port
                                             operator leaf Operator to be applied on the port below.
                                             port leaf Port number along with the operator on which to match.
                                          range case lower-port upper-port
                                             lower-port leaf Lower boundary for a port.
                                             upper-port leaf Upper boundary for a port.
                  name leaf A unique name identifying this ACE.
                  statistics container Aggregate statistics.
                     matched-octets leaf Count of the number of octets (bytes) matching the current ACL entry. An implementation should provide this counter on a per-interface, per-ACL-entry basis if possible. If an implementation only supports ACL counters per entry (i.e., not broken out per ...
                     matched-packets leaf Count of the number of packets matching the current ACL entry. An implementation should provide this counter on a per-interface, per-ACL-entry basis if possible. If an implementation only supports ACL counters on a per- entry basis (i.e., not broken out...
            activation-type leaf Indicates the activation type of an ACL. An ACL can be deactivated, installed immediately, or installed when a mitigation is active.
            name leaf The name of the access list.
            pending-lifetime leaf Indicates the pending validity lifetime of the ACL entry.
            type leaf Type of access control list. Indicates the primary intended type of match criteria (e.g., IPv4, IPv6) used in the list instance.
      aliases container Set of aliases that are bound to a DOTS client.
         alias list List of aliases.
            name leaf The name of the alias.
            pending-lifetime leaf Indicates the pending validity lifetime of the alias entry.
            target-fqdn leaf-list FQDN identifying the target.
            target-port-range list Port range. When only lower-port is present, it represents a single port number.
               lower-port leaf Lower port number of the port range.
               upper-port leaf Upper port number of the port range.
            target-prefix leaf-list IPv4 or IPv6 prefix identifying the target.
            target-protocol leaf-list Identifies the target protocol number. Values are taken from the IANA protocol registry: https://www.iana.org/assignments/protocol-numbers/ For example, 6 for TCP or 17 for UDP.
            target-uri leaf-list URI identifying the target.
      cdid leaf A client domain identifier conveyed by a server-domain DOTS gateway to a remote DOTS server.
      cuid leaf A unique identifier that is generated by a DOTS client to prevent request collisions.