I2NSF                                                           S. Hares
Internet-Draft                                                    Huawei
Intended status: Standards Track                            R. Moskowitz
Expires: April 8, 2017                                    HTT Consulting
                                                                     Xia
                                                                  Huawei
                                                         October 5, 2016

                      I2NSF Capability Yang Model
               draft-hares-i2nsf-capability-yang-01.txt

Abstract

   This document defines a YANG model that enables an I2NSF controller
   to control various network security functions in network security
   devices.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 8, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  High-level Yang
     2.1.  Capability per NSF
     2.2.  Network Security Control
     2.3.  Security Content Capabilities
     2.4.  Attack Mitigation Capabilities
     2.5.  IT Resources linked to Capabilities
     2.6.  Actions
   3.  Use of filter-based RIBs
   4.  YANG Modules
   5.  IANA Considerations
   6.  Security Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Authors' Addresses

1.  Introduction

   [I-D.ietf-i2nsf-problem-and-use-cases] proposes two different types
   of interfaces:

   o  North-bound interface (NBI) provided by the network security
      functions (NSFs)

   o  Interface between the I2NSF user/client and the network
      controller

   This document provides a YANG model that defines the capabilities of
   security devices.  It can be utilized on the I2NSF NBI between the
   I2RS network controller and the NSF devices to express the NSF
   devices' capabilities.  It can also be used between the I2NSF user
   application (or I2NSF client) and the network controller to provide
   a complete list of the I2NSF capabilities the network controller can
   control.

   This document defines a YANG data model based on
   [I-D.xia-i2nsf-capability-interface-im] and on the initial work done
   in [I-D.xia-i2nsf-service-interface-dm].  Terms used in this document
   are defined in [I-D.ietf-i2nsf-terminology].

   This model is an attempt to merge draft-jeong-i2nsf-capability-
   interface-yang-02.txt, but it has not been reviewed by this draft's
   authors.  Hopefully, this is a good start for a merge.  The YANG
   module has not been changed to match the high-level YANG.  This
   seemed prudent until we agreed upon the merge.

   [I-D.xia-i2nsf-capability-interface-im] defines the following types
   of functionality in NSFs:

   o  network security control

   o  content security control, and

   o  attack mitigation control

   This document contains high-level YANG for each type of control.  The
   features in each section have been built up from the following
   sources:

   o  open-source firewalls, IDS, and IPS; this includes ECA policy for
      basic firewalls in routers, switches, and firewalls

   o  commercial-level firewall products

   o  specialized devices: IDS, IPS

2.  High-level Yang

   This section provides an overview of the high-level YANG.

2.1.  Capability per NSF

   The high-level YANG for the capabilities per NSF device, controller,
   or application is the following:

   ietf-i2nsf-capability
   +--rw nsf-capabilities
      +--rw capability* [name]
         +--rw nsf-name  string
         +--rw cfg-net-secctl-capabilities
         |  uses pkt-eca-policy:pkt-eca-policy-set
         +--rw cfg-net-sec-content-capabilities
         |  uses i2nsf-content-caps
         |  uses i2nsf-content-sec-actions
         +--rw cfg-attack-mitigate-capabilities*
         |  uses i2nsf-mitigate-caps
         +--rw ITResource [ITresource-name]
            uses cfg-ITResources

                                 Figure 1

   Each of these sections mirrors a section in
   [I-D.xia-i2nsf-capability-interface-im]: the high-level YANG for
   cfg-net-secctl-capabilities, cfg-net-sec-content-capabilities, and
   cfg-attack-mitigate-capabilities.  This draft also utilizes the
   concepts originated in Basile, Lioy, Pitscheider, and Zhao [2015]
   concerning conflict resolution, use of external data, and
   ITResources.  The authors are grateful to Cataldo for pointing out
   this excellent work.

2.2.  Network Security Control

   This section defines the network security control capabilities for
   each NSF entity (device, controller, APP).  The portion of the top-
   level model that this section explains is the following:

   +--rw cfg-net-secctl-capabilities
   |  uses pkt-eca-policy:pkt-eca-policy-set

   Note that the YANG simply uses the ietf-pkt-eca-policy-cfg from
   [I-D.ietf-i2rs-pkt-eca-data-model].
   module ietf-pkt-eca-policy
   +--rw pkt-eca-policy-cfg
   |  +--rw pkt-eca-policy-set
   |     +--rw policies* [policy-name]
   |     |  +--rw policy-name     string
   |     |  +--rw vrf-name        string
   |     |  +--rw address-family
   |     |  +--rw rule-list* [rule-name]
   |     |     +--rw rule-name
   |     |     +--rw rule-order-id                   uint16
   |     |     +--rw default-action-id               integer
   |     |     +--rw default-resolution-strategy-id  integer
   |     +--rw rules* [order-id rule-name]
   |        +--rw order-id     uint16
   |        +--rw rule-name    string
   |        +--rw policy-name  string
   |        +--rw cfg-rule-conditions [rule-cnd-id]
   |        |  +--rw rule-cnd-id  uint32
   |        |  +--rw support
   |        |  |  +--rw event-matches        boolean
   |        |  |  +--rw pkt-matches          boolean
   |        |  |  +--rw usr-context-matches  boolean
   |        |  +--rw eca-events-match* [rule-event-id]
   |        |  |  +--rw rule-event-it  uint16
   |        |  |     ... time-event match (see below)
   |        |  +--rw eca-condition-match
   |        |     +--rw eca-pkt-matches* [pkt-match-id]
   |        |     |  ... (see packet matches below)
   |        |     |  ... (address, packet header, packet payload)
   |        |     +--rw eca-user-context-matches* [usr-match-id]
   |        |        ... (see user context match below)
   |        +--rw cfg-rule-actions [cfgr-action-id]
   |        |  +--rw cfgr-action-id
   |        |  +--rw eca-actions* [action-id]
   |        |     +--rw action-id  uint32
   |        |     +--rw eca-ingress-actions*
   |        |     |  ... (permit, deny, mirror)
   |        |     +--rw eca-fwd-actions*
   |        |     |  ... (invoke, tunnel encap, fwd)
   |        |     +--rw eca-egress-actions*
   |        |     |  ...
   |        |     +--rw eca-qos-actions*
   |        |     |  ...
   |        |     +--rw eca-security-actions*
   |        +--rw policy-conflict-resolution* [strategy-id]
   |        |  +--rw strategy-id         integer
   |        |  +--rw filter-strategy     identityref
   |        |  |  ... FMR, ADTP, Longest-match
   |        |  +--rw global-strategy     identityref
   |        |  +--rw mandatory-strategy  identityref
   |        |  +--rw local-strategy      identityref
   |        |  +--rw resolution-fcn      uint32
   |        |  +--rw resolution-value    uint32
   |        |  +--rw resolution-info     string
   |        |  +--rw associated-ext-data*
   |        |     +--rw ext-data-id  integer
   |        +--rw cfg-external-data* [cfg-ext-data-id]
   |           +--rw cfg-ext-data-id  integer
   |           +--rw data-type        integer
   |           +--rw priority         uint64
   |           |  uses external-data-forms
   |           ... (other external data)
   +--rw pkt-eca-policy-opstate
      +--rw pkt-eca-opstate
         +--rw policies-opstat* [policy-name]
         |  +--rw rules-installed
         |  +--rw rules_opstat* [rule-name]
         |  +--rw strategy-used [strategy-id]
         +--rw rules_opstate* [rule-order rule-name]
         |  +--rw status
         |  +--rw rule-inactive-reason
         |  +--rw rule-install-reason
         |  +--rw rule-installer
         |  +--rw refcnt
         +--rw rules_pktstats* [rule-order rule-name]
         |  +--rw pkts-matched
         |  +--rw pkts-modified
         |  +--rw pkts-forward
         +--rw op-external-data [op-ext-data-id]
            +--rw op-ext-data-id      integer
            +--rw type                identityref
            +--rw installed-priority  integer
            |  (other details on external data)

                                 Figure 2

2.3.  Security Content Capabilities

   This section expands the following portion of the top-level model:

   +--rw cfg-net-sec-content-capabilities
   |  uses i2nsf-content-caps
   |  uses i2nsf-content-sec-actions

   Content Security Control

   +--rw cfg-netsec-content-caps*
   |  +--rw cfg-groups* [group-name]
   |  |  +--rw group-name  string
   |  |  +--rw group-rule-list* [rule-name]
   |  |     +--rw rule-name                       string
   |  |     +--rw rule-order-id                   integer
   |  |     +--rw default-action-id               integer
   |  |     +--rw default-resolution-strategy-id  integer
   |  +--rw cfg-netsec-content-rules* [rule-order-id rule-name]
   |     +--rw cfg-netsec-content-rule
   |        +--rw rule-order-id  integer
   |        +--rw rule-name      string
   |        +--rw cfg-filter-rules
   |        |  +--rw cfg-anti-virus-rule
   |        |     +--rw antivirus-support?  boolean
   |        |     +--rw source              string
   |        +--rw cfg-IPS-rule
   |        |  +--rw ips-support?  boolean
   |        |  +--rw source        string
   |        +--rw cfg-IDS-rule
   |        |  +--rw ids-support?  boolean
   |        |  +--rw source        string
   |        +--rw cfg-url-filter-rule
   |        |  +--rw url-filtering-support?  boolean
   |        |  +--rw source                  string
   |        +--rw cfg-file-block-rule
   |        |  +--rw file-blocking-support?  boolean
   |        |  +--rw source                  string
   |        +--rw cfg-data-filter-rule
   |        |  +--rw data-filtering-support?  boolean
   |        |  +--rw source                   string
   |        |     ... description
   |        +--rw cfg-APP-behave-rule
   |        |  +--rw app-control-support?  boolean
   |        |  +--rw source                string
   |        +--rw cfg-mail-filter-rule
   |        |  +--rw mail-filter-support?  boolean
   |        |  +--rw source                string
   |        +--rw cfg-pkt-capture-rule
   |        |  +--rw pkt-capture-support?  boolean
   |        |  +--rw source                string
   |        +--rw cfg-file-isolate-rule
   |        |  +--rw file-isolation-support?  boolean
   |        |  +--rw source                   string
   |        +--rw voip-volte-rule
   |           +--rw voip-volte-support?  boolean
   +--rw cfg-sec-content-actions
      +--rw voip-volte-rules* [voip-volte-rule-id]
         +--rw voip-volte-rule-id  uint16
         +--rw voip-volte-event
         |  +--rw called-voip   boolean
         |  +--rw called-volte  boolean
         +--rw condition-match
         |  +--rw sip-header* [sip-header-uri]
         |  |  +--rw sip-header-uri         string
         |  |  +--rw sip-header-method      string
         |  |  +--rw expire-time            yang:date-and-time
         |  |  +--rw sip-header-user-agent  uint32
         |  +--rw cell-region* [cell-id-region]
         |     +--rw cell-id-region  uint32
         +--rw action
            +--rw action-type  identityref
            +--rw (action-type)?
               +--:(ingress-action)
               |  +--rw ingress-permit  boolean
               |  +--rw ingress-deny    boolean
               |  +--rw ingress-mirror  boolean
               +--:(egress-action)
                  +--rw egress-redirection  boolean

                                 Figure 3

2.4.  Attack Mitigation Capabilities

   The high-level YANG below expands the following section of the top-
   level model:

   +--rw cfg-attack-mitigate-capabilities
   |  uses cfg-attack-mitigate-caps

   Attack mitigation

   +--rw cfg-attack-mitigate-caps
   |  +--rw cfg-groups* [group-name]
   |  |  +--rw group-name  string
   |  |  +--rw group-rule-list* [rule-name]
   |  |     +--rw rule-name                       string
   |  |     +--rw rule-order-id                   integer
   |  |     +--rw default-action-id               integer
   |  |     +--rw default-resolution-strategy-id  integer
   |  +--rw cfg-netsec-content-rules* [rule-order-id rule-name]
   |     +--rw rule-order-id           integer
   |     +--rw attack-mitigation-type  identityref
   |     +--:(network-attack-type)?
   |     |  +--:(sync-flood)
   |     |  |  +--rw syn-flood-support  boolean
   |     |  |  +--rw sync-flood* [sync-flood-fcn]
   |     |  |     +--rw sync-flood-fcn  uint16
   |     |  +--:(udp-flood)
   |     |  |  +--rw udp-flood-supported  boolean
   |     |  |  +--rw udp-flood-fcn        string   // std or vendor name
   |     |  +--:(icmp-flood)
   |     |  |  +--rw icmp-flood-supported  boolean
   |     |  |  +--rw cfg-icmp-flood* [icmp-flood-fcn]
   |     |  |     +--rw icmp-flood-fcn  string
   |     |  +--:(ip_frag_flood)
   |     |  |  +--rw ipfrag-flood-fcn-supported  boolean
   |     |  |  +--rw cfg-ip-frag-flood* [ipfrag-flood-fcn]
   |     |  |     +--rw ipfrag-flood-fcn  string   // std/vendor name
   |     |  +--:(http_flood)
   |     |  |  +--rw http-flood-fcn-supported  boolean
   |     |  |  +--rw cfg-http-flood* [http-flood-fcn]
   |     |  |     +--rw http-flood-fcn  string
   |     |  +--:(dns-flood)
   |     |  |  +--rw dns-flood-fcn-supported  boolean
   |     |  |  +--rw cfg-dns-flood* [dns-flood-fcn]
   |     |  |     +--rw dns-flood-fcn  string   // std or vendor name
   |     |  +--:(dns-amplify)
   |     |  |  +--rw dns-amp-fcn-supported  boolean
   |     |  |  +--rw cfg-dns-amplify* [dns-amp-fcn]
   |     |  |     +--rw dns-amp-fcn  string   // std or vendor name
   |     |  +--:(SSL-DDoS)
   |     |  |  +--rw ssl-ddos-fcn-support  boolean
   |     |  |  +--rw cfg-ssl-ddos* [ssl-dos-fcn]
   |     |  |     +--rw ssl-dos-fcn  string
   |     |  +--:(ip-sweep)
   |     |  |  +--rw ipsweep-fcn-supported  boolean
   |     |  |  +--rw cfg-IP-Sweep* [ipsweep-fcn]
   |     |  |     +--rw ipsweep-fcn  string   // std or vendor name
   |     |  +--:(port-scanning)
   |     |  |  +--rw port-scan-fcn-supported  boolean
   |     |  |  +--rw cfg-Port-scanning [port-scan-fcn]
   |     |  |     +--rw port-scan-fcn  string   // std or vendor name
   |     |  +--:(ping-of-death)
   |     |  |  +--rw pingd-fcn-supported  boolean
   |     |  |  +--rw cfg-ping-of-death* [pingd-fcn]
   |     |  |     +--rw pingd-fcn  string   // std or vendor name
   |     |  +--:(icmp-oversize)
   |     |     +--rw o-icmp-fcn-supported  boolean
   |     |     +--rw cfg-oversize-ICMP* [o-icmp-fcn]
   |     |        +--rw o-icmp-fcn  string   // std or vendor name
   |     +--:(single-packet-attack)?
   |        +--rw single-packet-type?  identityref
   |        +--:(scan-and-sniff-attack)
   |        |  +--rw scan-n-sniff-type  identityref
   |        |  +--rw (scan-n-sniff-type)?
   |        |     +--:(ip-sweep-attack)
   |        |     |  +--rw 1p-ip-sweep-attack-support  boolean
   |        |     |  +--rw 1p-ip-sweep-attack-fcn      string
   |        |     +--:(port-scanning-attack)
   |        |        +--rw 1pk-port-scanning-support  boolean
   |        |        +--rw 1pk-port-scanning-fcn      string
   |        +--:(malformed-packet-attack)
   |        |  +--rw 1pk-malformed-packet-attack-type  identityref
   |        |  +--:(ping-of-death-attack)
   |        |  |  +--rw 1pk-ping-of-death-support  boolean
   |        |  |  +--rw 1pk-ping-of-death-fcn      string
   |        |  +--:(teardrop-attack)
   |        |     +--rw 1pk-teardrop-attack-support  boolean
   |        |     +--rw 1pk-teardrop-attack-fcn      string
   |        +--:(special-packet-attack)
   |           +--rw special-packet-attack-type  identityref
   |           +--rw (special-packet-attack-type)?
   |              +--:(oversized-icmp-attack)
   |              |  +--rw oversized-icmp-attack-support  boolean
   |              |  +--rw oversized-icmp-attack-fcn      string
   |              +--:(tracert-attack)
   |                 +--rw tracert-attack-support  boolean
   |                 +--rw tracert-attack-fcn      string

                                 Figure 4

2.5.  IT Resources linked to Capabilities

   This section provides a link between capabilities and IT resources.
   This section has a list of IT Resources by name.  Additional input is
   needed.

   +--rw cfg-ITResources
   |  +--ITResources* [ITresource-name]
   |     +--rw ITresource-name  string
   |     ..

2.6.  Actions

   The following notifications indicate when rules are added or deleted.

   (to be completed after discussion with Paul Jeong, Jin-Yong Kim,
   Dae-Young Hyun, Jung-Soo Park, and Taei-Jin Ahn.)

3.  Use of filter-based RIBs

   The packet-ECA policy is kept for configuration, I2RS ephemeral
   state, and BGP stored policy state in filter-based RIBs.  These RIBs
   have the high-level YANG structures below and are described in
   [I-D.ietf-i2rs-fb-rib-data-model].  These filter-RIBs may be
   leveraged in I2NSF storage devices for the policy storage.

   +--rw fb-ribs
      +--rw fb-rib* [rib-name]
         +--rw rib-name  string
         +--rw fb-type   identityref   // config, i2rs, bgp
         +--rw rib-afi   rt:address-family
         +--rw fb-rib-intf* [name]
         |  +--rw name  string
         |  +--rw intf  if:interface
         +--rw default-ribs
         |  +--rw rt-rib             string   // routing kernel rib
         |  +--rw config-rib         string   // static rt-rib
         |  +--rw i2rs-rib           string   // ephemeral rt-rib
         |  +--rw bgp-instance-name  string   // bgp instance
         |  +--rw bgp-rib            string   // bgp rib
         +--rw fb-rib-refs
         |  +--rw fb-rib-update-ref  uint32   // count of writes
         +--rw mounts-using*
         |  +--rw mount-name  string
         +--uses pkt-eca:pkt-eca-policy-set

                                 Figure 5

4.  YANG Modules
YANG Modules 483 file "ietf-i2nsf-capability@2016-10-01.yang" 484 module ietf-i2nsf-capability { 485 namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; 486 // replace with iana namespace when assigned 487 prefix "i2nsf-capability"; 488 import ietf-pkt-eca-policy { 489 prefix pkt-eca-policy; 490 } 491 // meta 493 organization "IETF I2NSF WG"; 495 contact 496 "email: Susan Hares: shares@ndzh.com 497 email: Robert Moskowitz rgm@htt-consult.com; 498 email: Frank Xia 499 email: Aldo Basile cataldo.basile@polito.it"; 501 description 502 "This module describes a capability model 503 for I2NSF devices ."; 505 revision "2016-10-01" { 506 description "second revision"; 507 reference "draft-hares-i2nsf-capability-yang-01.txt"; 508 } 510 grouping ITResources { 511 list ITResource { 512 key ITResource-id; 513 leaf ITResource-id { 514 type uint64; 515 description "ID for ITResource"; 516 } 517 leaf ITResource-name { 518 type string; 519 description "ITResource name."; 520 } 521 description "list of IT Resources."; 522 } 523 description "IT Resource grouping."; 524 } 526 grouping cfg-sec-content-caps { 527 list cfg-fcn-groups { // functions in 2 lists: 528 key "group-name"; // group and functions 529 leaf group-name { 530 type string; 531 description " name of function 532 group"; 533 } 534 list group-fnc-list { 535 key "fcn-name"; 536 leaf fcn-name { 537 type string; 538 description "security content 539 function name"; 540 } 541 leaf fcn-order-id { 542 type uint64; 543 description "function order 544 in list of functions."; 545 } 546 leaf default-action-id { 547 type uint64; 548 description "default 549 extended action id"; 550 } 551 leaf default-cr-resolve-id { 552 type uint32; 553 description "default 554 policy conflict resolution 555 policy identifier."; 556 } 557 description "list of 558 functions per group. 559 e.g. 
group A has 560 5 functions."; 561 } 563 description "list of 564 groups with associated 565 security content functions."; 566 } 568 list cfg-sec-content-fcns { 569 key "fcn-order-id function-name"; 570 leaf fcn-order-id { 571 type uint64; 572 description "order id for rule"; 573 } 574 leaf function-name { 575 type string; 576 description "rule name"; 577 } 578 list anti-virus { 579 key "anti-virus-name"; 580 leaf anti-virus-name { 581 type string; 582 description "name of 583 anti-virtus functionalty"; 584 } 585 leaf anti-virus-supported { 586 type boolean; 587 description "anti-virus 588 feature supported"; 589 } 590 description "anti-virus functions"; 591 } 592 list IPS { 593 key "IPS-name"; 594 leaf IPS-name { 595 type string; 596 description "name of 597 anti-virtus functionalty"; 598 } 599 leaf IPS-supported { 600 type boolean; 601 description "IPS 602 capability 603 supported"; 604 } 605 description "IPS capability"; 606 } 608 list IDS { 609 key "IDS-name"; 610 leaf IDS-name { 611 type string; 612 description "name of IDS"; 613 } 614 leaf IDS-supported { 615 type boolean; 616 description "anti-virus 617 feature supported"; 618 } 619 description "IDS 620 capabilities"; 621 } 623 list url-filter { 624 key "url-filter-name"; 625 leaf url-filter-name { 626 type string; 627 description "name of IDS"; 628 } 629 leaf url-filter-supported { 630 type boolean; 631 description "url filter 632 feature supported"; 633 } 634 description "URL filter 635 capabilities"; 636 } 638 list file-block { 639 key "fblock-name"; 640 leaf fblock-name { 641 type string; 642 description "name of 643 file block function"; 644 } 645 leaf fblock-supported { 646 type boolean; 647 description "anti-virus 648 feature supported"; 649 } 650 description "file block 651 capabilities"; 652 } 654 list data-filter { 655 key "dfilter-name"; 656 leaf dfilter-name { 657 type string; 658 description "name of 659 data filer"; 660 } 661 leaf dfilter-supported { 662 type boolean; 663 description 
"anti-virus 664 feature supported"; 665 } 666 description "data filter 667 capabilities"; 668 } 670 list app-behave { 671 key "app-behave-name"; 672 leaf app-behave-name { 673 type string; 674 description "name of 675 application behavior 676 control function."; 677 } 678 leaf app-behave-supported { 679 type boolean; 680 description "application 681 behavior control 682 security capability 683 supported."; 684 } 685 description "Application 686 behavior control security 687 capabilities"; 688 } 690 list mail-filter { 691 key "mfilter-name"; 692 leaf mfilter-name { 693 type string; 694 description "name of 695 data filer"; 697 } 698 leaf mfilter-supported { 699 type boolean; 700 description "mail filter 701 supported"; 702 } 703 description "mail filter"; 704 } 706 list pkt-capture { 707 key "pkt-capture-name"; 708 leaf pkt-capture-name { 709 type string; 710 description "name of 711 data filer"; 712 } 713 leaf pkt-capture-supported { 714 type boolean; 715 description "pkt capture 716 facility supported"; 717 } 718 description "packet capture 719 facility supported "; 720 } 722 list file-isolate { 723 key "f-isolate-name"; 724 leaf f-isolate-name { 725 type string; 726 description "name of 727 file isolate capability"; 728 } 729 leaf f-isolate-supported { 730 type boolean; 731 description "file isolate 732 capability supported "; 733 } 734 description "file isolate 735 capability "; 736 } 737 description "list of 738 security content capabilities."; 739 } 740 description "configured 741 security content capabilities"; 742 } 743 grouping cfg-content-sec-actions { 744 list content-sec-actions { 745 key "action-name"; 746 leaf action-name { 747 type string; 748 description "name of extra 749 content security action 750 beyond function policy"; 751 } 752 description "list 753 of content security actions"; 754 } 755 description "configure 756 content security actions 757 configured beyond capability 758 function existance"; 759 } 761 grouping cfg-attack-mitigate-caps { 
762 // group and then rules 763 list cfg-mitigate-fncs-groups { 764 key "group-name"; 765 leaf group-name { 766 type string; 767 description " name of function 768 group"; 769 } 770 list group-mitigate-fncs-list { 771 key "fcn-name"; 772 leaf fcn-name { 773 type string; 774 description "security content 775 function name"; 776 } 777 leaf fcn-order-id { 778 type uint64; 779 description "function order 780 in list of functions."; 781 } 782 leaf default-action-id { 783 type uint64; 784 description "default 785 extended action id"; 786 } 787 leaf default-cr-resolve-id { 788 type uint32; 789 description "default 790 policy conflict resolution 791 policy identifier."; 792 } 793 description "list of 794 functions per group. 795 e.g. group A has 796 5 functions."; 797 } 799 description "list of 800 groups with associated 801 attack mitigate functions."; 802 } 804 list cfg-attack-mitigate-rule { 805 key "rule-order-id rule-name"; 806 leaf rule-order-id { 807 type uint64; 808 description "order id for 809 configured mitigate 810 function"; 811 } 812 leaf rule-name { 813 type string; 814 description "mitigate 815 rule name"; 816 } 817 list cfg-sync-flood { 818 key sync-flood-fcn; 819 leaf sync-flood-fcn { 820 type string; 821 description "name of 822 sync flood functionalty"; 823 } 824 leaf sync-flood-fcn-supported { 825 type boolean; 826 description "sync-flood 827 mitigation fcn supported"; 828 } 829 description "list of 830 sync flood mitigation 831 functions "; 832 } 833 list cfg-udp-flood { 834 key "udp-flood-fcn"; 835 leaf udp-flood-fcn { 836 type string; 837 description "name of 838 udp flood mitigation function "; 839 } 840 leaf udp-flood-fcn-supported { 841 type boolean; 842 description "udp flood 843 prevent function 844 capability supported"; 845 } 846 description "list of 847 udp-flood mitigation 848 functions node 849 (configured capability)."; 850 } 852 list cfg-icmp-flood { 853 key "icmp-flood-fcn"; 854 leaf icmp-flood-fcn { 855 type string; 856 description 
"name of 857 icmp flood prevention 858 function"; 859 } 860 leaf icmp-flood-fcn-supported { 861 type boolean; 862 description "icmp 863 flood mitigation 864 feature supported"; 865 } 866 description "list for 867 icmp flood prevention 868 functions part of 869 attack mitigation 870 capabilities."; 871 } 873 list cfg-http-flood { 874 key "http-flood-fcn"; 875 leaf http-flood-fcn { 876 type string; 877 description "name of 878 http flood 879 mitigation function"; 880 } 881 leaf http-flood-fcn-supported { 882 type boolean; 883 description "support 884 for http flood function 885 capability is active."; 886 } 887 description "list of 888 http flood 889 mitigation functions 890 configured "; 891 } 893 list cfg-dns-flood { 894 key "dns-flood-fcn"; 895 leaf dns-flood-fcn { 896 type string; 897 description "name of 898 dns flood mitigation 899 function"; 900 } 901 leaf dns-flood-fcn-supported { 902 type boolean; 903 description "dns flood 904 mitigation support is 905 active."; 906 } 907 description "list of 908 dns flood 909 mitigation functions 910 configured."; 911 } 913 list cfg-dns-amplify { 914 key "dns-amplify-fcn"; 915 leaf dns-amplify-fcn { 916 type string; 917 description "name of 918 dns amplify mitigation 919 function."; 920 } 921 leaf dfilter-supported { 922 type boolean; 923 description "dns 924 amplification mitigation 925 function is active."; 926 } 927 description "list of 928 dns amplification 929 mitigation functions 930 configured."; 931 } 932 list SSL-DoS { 933 key "ssl-dos-fcn"; 934 leaf ssl-dos-fcn { 935 type string; 936 description "name of 937 SSL DoS mitigation 938 function"; 939 } 940 leaf ssl-dos-supported { 941 type boolean; 942 description "SSL DoS 943 mitigation function is 944 active."; 945 } 946 description "List of 947 SSL DoS functions configured."; 948 } 950 list cfg-IP-Sweep { 951 key "ipsweep-fcn"; 952 leaf ipsweep-fcn { 953 type string; 954 description "name of 955 ip sweep mitigation 956 function."; 957 } 958 leaf 
ipsweep-fcn-supported { 959 type boolean; 960 description "IP Sweep 961 mitigation function 962 active."; 963 } 964 description "list of 965 IP Sweep mitigation 966 functions in NSF device."; 967 } 969 list cfg-Port-scanning { 970 key "port-scan-fcn"; 971 leaf port-scan-fcn { 972 type string; 973 description "name of 974 port-scan mitigation 975 function."; 976 } 977 leaf port-scan-fcn-supported { 978 type boolean; 979 description "port scanning 980 mitigation fcn supported."; 981 } 982 description "List of 983 port scanning mitigation 984 functions. "; 985 } 987 list cfg-ping-of-death { 988 key "pingd-fcn"; 989 leaf pingd-fcn { 990 type string; 991 description "name of 992 ping of death 993 mitigation function"; 994 } 995 leaf pingd-fcn-supported{ 996 type boolean; 997 description "active support 998 for this ping of death 999 mitigation function"; 1000 } 1001 description "List of ping of 1002 death mitigation 1003 functions."; 1004 } 1005 description "attack 1006 mitigation rule ."; 1007 } // rules 1008 description "configured 1009 attack mitigation functions."; 1011 } // cfg-attack-mitigate-policy-set 1013 container i2nsf-capabilities { 1014 list capabilty { 1015 key "nsf-name"; 1016 leaf nsf-name { 1017 type string; 1018 description "name of 1019 nsf or nsf group 1020 capabilities drawn from."; 1021 } 1022 container cfg-net-secctl-capabilities { 1023 uses pkt-eca-policy:pkt-eca-policy-set; 1024 description "network security 1025 control capabilities configured."; 1026 } 1027 container cfg-sec-content-capabilities { 1028 uses cfg-sec-content-caps; 1029 uses cfg-content-sec-actions; 1030 description "security content 1031 capabilities configured."; 1032 } 1033 container cfg-attack-mitigate-capabilites { 1034 uses cfg-attack-mitigate-caps; 1035 description "attack mitigation capabilities"; 1036 } 1037 container cfg-ITResources { 1038 uses ITResources; 1039 description "IT Resources 1040 associated with NSF."; 1041 } 1042 description "List of NSF 1043 capabilities 
             per nsf, nsf group
             or nsf application.";
         } // end of list
         description "I2NSF capabilities";
       } // end of container
     }

5.  IANA Considerations

   No IANA considerations exist for this document at this time.  URL
   will be added.

6.  Security Considerations

   Security of I2NSF is defined in (need reference here).
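   The capabilty list above is what a controller reads to decide which
   NSF can be asked to mitigate a given attack.  As an added example
   that is not part of this draft, the following Python checks a
   constructed instance of that list (mirroring its JSON encoding)
   against the model's constraints (string keys, unique list keys,
   boolean supported flags) and selects NSFs by supported mitigation
   function.  It assumes the two visible lists sit directly under
   cfg-attack-mitigate-capabilites, skipping the intermediate rules
   list; the NSF and function names are constructed.

```python
# Added example (not from the draft): instance data mirrors the JSON encoding of
# the YANG lists above. Placing the lists directly under
# cfg-attack-mitigate-capabilites (no intermediate rules list) is a simplification.
MITIGATION_LISTS = {  # list name -> (key leaf, supported-flag leaf)
    "cfg-Port-scanning": ("port-scan-fcn", "port-scan-fcn-supported"),
    "cfg-ping-of-death": ("pingd-fcn", "pingd-fcn-supported"),
}

SAMPLE = {"i2nsf-capabilities": {"capabilty": [  # constructed NSF names/functions
    {"nsf-name": "edge-fw-1", "cfg-attack-mitigate-capabilites": {
        "cfg-Port-scanning": [
            {"port-scan-fcn": "rate-limit", "port-scan-fcn-supported": True},
            {"port-scan-fcn": "syn-threshold", "port-scan-fcn-supported": False}],
        "cfg-ping-of-death": [
            {"pingd-fcn": "icmp-size-filter", "pingd-fcn-supported": True}]}},
    {"nsf-name": "dc-fw-2", "cfg-attack-mitigate-capabilites": {
        "cfg-Port-scanning": [  # duplicate key violates the YANG list key
            {"port-scan-fcn": "rate-limit", "port-scan-fcn-supported": True},
            {"port-scan-fcn": "rate-limit", "port-scan-fcn-supported": True}],
        "cfg-ping-of-death": [  # the string "true" is not a YANG boolean
            {"pingd-fcn": "icmp-size-filter", "pingd-fcn-supported": "true"}]}},
]}}

def validate_nsf(entry):
    """Return model violations for one capabilty entry ([] when valid)."""
    name = entry.get("nsf-name", "<no nsf-name>")
    errors = [] if isinstance(name, str) else ["nsf-name must be a string"]
    mitigate = entry.get("cfg-attack-mitigate-capabilites", {})
    for lst, (key_leaf, flag_leaf) in MITIGATION_LISTS.items():
        seen = set()
        for item in mitigate.get(lst, []):
            key = item.get(key_leaf)
            if not isinstance(key, str):
                errors.append(f"{name}/{lst}: entry lacks string key {key_leaf}")
                continue
            if key in seen:
                errors.append(f"{name}/{lst}: duplicate key {key!r}")
            seen.add(key)
            if not isinstance(item.get(flag_leaf), bool):
                errors.append(f"{name}/{lst}[{key}]: {flag_leaf} must be boolean")
    return errors

def supported_functions(entry):
    """Map each mitigation list to the function names flagged supported (True)."""
    mitigate = entry.get("cfg-attack-mitigate-capabilites", {})
    return {lst: sorted(i.get(k) for i in mitigate.get(lst, []) if i.get(f) is True)
            for lst, (k, f) in MITIGATION_LISTS.items()}

def nsfs_supporting(data, lst, fcn):
    """NSFs whose entry is valid and marks function `fcn` of list `lst` supported."""
    return [e["nsf-name"] for e in data["i2nsf-capabilities"]["capabilty"]
            if not validate_nsf(e) and fcn in supported_functions(e)[lst]]
```

   An entry that fails validation is never selected, so a malformed or
   ambiguous capability advertisement cannot cause a controller to
   route mitigation to an NSF that may not actually support it.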
Authors' Addresses

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   Email: shares@ndzh.com

   Robert Moskowitz
   HTT Consulting
   Oak Park, MI
   USA

   Phone: +1-248-968-9809
   Email: rgm@htt-consult.com

   Liang Xia (Frank)
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu
   China

   Email: Frank.xialiang@huawei.com