Network Working Group                                          J. Jeong
Internet-Draft                                                    E. Kim
Intended status: Standards Track                Sungkyunkwan University
Expires: September 6, 2018                                        T. Ahn
                                                           Korea Telecom
                                                                R. Kumar
                                                        Juniper Networks
                                                                S. Hares
                                                                  Huawei
                                                           March 5, 2018


            I2NSF Consumer-Facing Interface YANG Data Model
            draft-ietf-i2nsf-consumer-facing-interface-dm-00

Abstract

This document describes a YANG data model for the Consumer-Facing
Interface between an Interface to Network Security Functions (I2NSF)
User and Security Controller in an I2NSF system in a Network
Functions Virtualization (NFV) environment. The data model is
required for enabling different users of a given I2NSF system to
define, manage, and monitor security policies for specific flows
within an administrative domain.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 6, 2018.

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Code Components extracted from this document must include Simplified
BSD License text as described in Section 4.e of the Trust Legal
Provisions and are provided without warranty as described in the
Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
   4.  Data Modeling for Security Policies for Consumer-Facing Interface
   5.  YANG Data Model for Security Policies for Consumer-Facing Interface
   6.  Security Considerations
   7.  Acknowledgements
   8.  Contributors
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Changes from draft-jeong-i2nsf-consumer-facing-interface-dm-05
   Appendix B.  Use Case: Policy Instance Example for VoIP/VoLTE Security Services
   Appendix C.  Policy Instance YANG Example for VoIP/VoLTE Security Services
   Appendix D.  Example XML output for VoIP service
   Authors' Addresses

1.  Introduction

This document provides a YANG [RFC6020] data model that defines the
required data for the Consumer-Facing Interface between an Interface
to Network Security Functions (I2NSF) User and Security Controller in
an I2NSF system [i2nsf-framework] in a Network Functions
Virtualization (NFV) environment.
The data model is required for enabling different users of a given
I2NSF system to define, manage and monitor security policies for
specific flows within an administrative domain. This document defines
a YANG data model based on the information model of I2NSF
Consumer-Facing Interface [client-facing-inf-im].

Data models are defined at a lower level of abstraction and provide
many details. They provide details about the implementation of a
protocol's specification, e.g., rules that explain how to map managed
objects onto lower-level protocol constructs. Since conceptual
models can be implemented in different ways, multiple data models can
be derived from a single information model.

The efficient and flexible provisioning of network functions by NFV
leads to a rapid advance in the network industry. As practical
applications, network security functions (NSFs), such as firewall,
intrusion detection system (IDS)/intrusion protection system (IPS),
and attack mitigation, can also be provided as virtual network
functions (VNFs) in the NFV system. With efficient virtualization
technology, these VNFs might be automatically provisioned and
dynamically migrated based on real-time security requirements. This
document presents a YANG data model to implement security functions
based on NFV.

2.  Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC3444].

3.  Terminology

This document uses the terminology described in
[i2nsf-terminology][client-facing-inf-im][client-facing-inf-req].

4.  Data Modeling for Security Policies for Consumer-Facing Interface

The main objective of this data model is to fully transform the
information model [client-facing-inf-im] into a YANG data model that
can be used for delivering control and management messages via the
Consumer-Facing Interface between an I2NSF User and Security
Controller for the I2NSF User's high-level security policies.

The semantics of the data model must be aligned with the information
model of the Consumer-Facing Interface. The transformation of the
information model was performed so that this YANG data model can
facilitate the efficient delivery of the control or management
messages.

This data model is designed to support the I2NSF framework that can
be extended according to the security needs. In other words, the
model design is independent of the content and meaning of specific
policies as well as the implementation approach. This document
suggests a VoIP/VoLTE security service as a use case for policy rule
generation.

Multi-tenancy in this document enables multiple administrative
domains in order to manage application resources. An Enterprise
organization may have multiple tenants or departments such as HR,
finance, and legal. Thus, we need an object which defines a set of
permissions assigned to a user in an organization that wants to
manage its own Security Policies. You can think of it as a way to
assign policy users to a job function or a set of permissions within
the organization. The policy-role object SHALL have Name, Date and
access-profile to grant or deny permissions for the purpose of
security policy management.

module: policy-general
  +--rw policy
  |  +--rw rule* [rule-id]
  |     +--rw rule-id                     uint16
  |     +--rw name?                       string
  |     +--rw date?                       yang:date-and-time
  |     +--rw case?                       string
  |     +--rw event* [event-id]
  |     |  +--rw event-id                 string
  |     |  +--rw name?                    string
  |     |  +--rw date?                    yang:date-and-time
  |     |  +--rw event-type?              string
  |     |  +--rw time-information?        string
  |     |  +--rw event-map-group?         -> /threat-feed/event-map-group
  |     |                                      /event-map-group-id
  |     |  +--rw enable?                  boolean
  |     +--rw condition* [condition-id]
  |     |  +--rw condition-id             string
  |     |  +--rw source?                  string
  |     |  +--rw destination?             string
  |     |  +--rw match?                   boolean
  |     |  +--rw match-direction?         string
  |     |  +--rw exception?               string
  |     +--rw policy-action* [policy-action-id]
  |        +--rw policy-action-id         string
  |        +--rw name?                    string
  |        +--rw date?                    yang:date-and-time
  |        +--rw primary-action?          string
  |        +--rw secondary-action?        string
  |        +--rw owner?                   string
  +--rw multi-tenancy
  |  +--rw policy-domain* [policy-domain-id]
  |  |  +--rw policy-domain-id            uint16
  |  |  +--rw name                        string
  |  |  +--rw address?                    string
  |  |  +--rw contact                     string
  |  |  +--rw date                        yang:date-and-time
  |  |  +--rw policy-tenant* [policy-tenant-id]
  |  |  |  +--rw policy-tenant-id         uint16
  |  |  |  +--rw name                     string
  |  |  |  +--rw date                     yang:date-and-time
  |  |  |  +--rw domain?                  -> /multi-tenancy
  |  |  |                                      /policy-domain
  |  |  |                                      /policy-domain-id
  |  |  +--rw authentication-method?      -> /multi-tenancy
  |  |                                         /policy-mgnt-auth-method
  |  |                                         /policy-mgnt-auth-method-id
  |  +--rw policy-role* [policy-role-id]
  |  |  +--rw policy-role-id              uint16
  |  |  +--rw name                        string
  |  |  +--rw date                        yang:date-and-time
  |  |  +--rw access-profile              string
  |  +--rw policy-user* [policy-user-id]
  |  |  +--rw policy-user-id              uint16
  |  |  +--rw name                        string
  |  |  +--rw date                        yang:date-and-time
  |  |  +--rw password                    string
  |  |  +--rw email                       string
  |  |  +--rw scope-type?                 string
  |  |  +--rw scope-reference?            string
  |  |  +--rw role                        string
  |  +--rw policy-mgnt-auth-method* [policy-mgnt-auth-method-id]
  |     +--rw policy-mgnt-auth-method-id  uint16
  |     +--rw name                        string
  |     +--rw date                        yang:date-and-time
  |     +--rw authentication-method       enumeration
  |     +--rw mutual-authentication       boolean
  |     +--rw token-server                inet:ipv4-address
  |     +--rw certificate-server          inet:ipv4-address
  |     +--rw single-sing-on-server       inet:ipv4-address
  +--rw end-group
  |  +--rw meta-data-source* [meta-data-source-id]
  |  |  +--rw meta-data-source-id         uint16
  |  |  +--rw name                        string
  |  |  +--rw date                        yang:date-and-time
  |  |  +--rw tag-type?                   boolean
  |  |  +--rw tag-server-information?     inet:ipv4-address
  |  |  +--rw tag-application-protocol?   string
  |  |  +--rw tag-server-credential?      string
  |  +--rw user-group* [user-group-id]
  |  |  +--rw user-group-id               uint16
  |  |  +--rw name?                       string
  |  |  +--rw date?                       yang:date-and-time
  |  |  +--rw group-type?                 enumeration
  |  |  +--rw meta-data-server?           inet:ipv4-address
  |  |  +--rw group-member?               string
  |  |  +--rw risk-level?                 uint16
  |  +--rw device-group* [device-group-id]
  |  |  +--rw device-group-id             uint16
  |  |  +--rw name?                       string
  |  |  +--rw date?                       yang:date-and-time
  |  |  +--rw group-type?                 enumeration
  |  |  +--rw meta-data-server?           inet:ipv4-address
  |  |  +--rw group-member?               string
  |  |  +--rw risk-level?                 uint16
  |  +--rw application-group* [application-group-id]
  |  |  +--rw application-group-id        uint16
  |  |  +--rw name?                       string
  |  |  +--rw date?                       yang:date-and-time
  |  |  +--rw group-type?                 enumeration
  |  |  +--rw meta-data-server?           inet:ipv4-address
  |  |  +--rw group-member?               string
  |  |  +--rw risk-level?                 uint16
  |  +--rw location-group* [location-group-id]
  |     +--rw location-group-id           uint16
  |     +--rw name?                       string
  |     +--rw date?                       yang:date-and-time
  |     +--rw group-type?                 enumeration
  |     +--rw meta-data-server?           inet:ipv4-address
  |     +--rw group-member?               string
  |     +--rw risk-level?                 uint16
  +--rw threat-feed
  |  +--rw threat-feed* [threat-feed-id]
  |  |  +--rw threat-feed-id              uint16
  |  |  +--rw name?                       string
  |  |  +--rw date?                       yang:date-and-time
  |  |  +--rw feed-type                   enumeration
  |  |  +--rw feed-server?                inet:ipv4-address
  |  |  +--rw feed-priority?              uint16
  |  +--rw custom-list* [custom-list-id]
  |  |  +--rw custom-list-id              uint16
  |  |  +--rw name?                       string
  |  |  +--rw date?                       yang:date-and-time
  |  |  +--rw list-type                   enumeration
  |  |  +--rw list-property               enumeration
  |  |  +--rw list-content?               string
  |  +--rw malware-scan-group* [malware-scan-group-id]
  |  |  +--rw malware-scan-group-id       uint16
  |  |  +--rw name?                       string
  |  |  +--rw date?                       yang:date-and-time
  |  |  +--rw signature-server?           inet:ipv4-address
  |  |  +--rw file-types?                 string
  |  |  +--rw malware-signatures?         string
  |  +--rw event-map-group* [event-map-group-id]
  |     +--rw event-map-group-id          uint16
  |     +--rw name?                       string
  |     +--rw date?                       yang:date-and-time
  |     +--rw security-events?            string
  |     +--rw threat-map?                 string
  +--rw telemetry-data
     +--rw telemetry-data* [telemetry-data-id]
     |  +--rw telemetry-data-id           uint16
     |  +--rw name?                       string
     |  +--rw date?                       yang:date-and-time
     |  +--rw logs?                       boolean
     |  +--rw syslogs?                    boolean
     |  +--rw snmp?                       boolean
     |  +--rw sflow?                      boolean
     |  +--rw netflow?                    boolean
     |  +--rw interface-stats?            boolean
     +--rw telemetry-source* [telemetry-source-id]
     |  +--rw telemetry-source-id         uint16
     |  +--rw name?                       string
     |  +--rw date?                       yang:date-and-time
     |  +--rw source-type?                enumeration
     |  +--rw nsf-source?                 inet:ipv4-address
     |  +--rw nsf-credentials?            string
     |  +--rw collection-interval?        uint16
     |  +--rw collection-method?          enumeration
     |  +--rw heartbeat-interval?         uint16
     |  +--rw qos-marking?                uint16
     +--rw telemetry-destination* [telemetry-destination-id]
        +--rw telemetry-destination-id    uint16
        +--rw name?                       string
        +--rw date?                       yang:date-and-time
        +--rw collector-source?           inet:ipv4-address
        +--rw collector-credentials?      string
        +--rw data-encoding?              string
        +--rw data-transport?             enumeration

     Figure 1: Generic Data Model for Security Policies for cf Interface

5.  YANG Data Model for Security Policies for Consumer-Facing Interface

This section describes a YANG data model for Consumer-Facing
Interface, based on the information model of Consumer-Facing
Interface to security controller [client-facing-inf-im].

file "policy-general.yang"

module ietf-policy-general {
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-policy-general";
  prefix
    cf-interface;

  import ietf-yang-types {
    prefix yang;
  }

  import ietf-inet-types {
    prefix inet;
  }

  organization
    "IETF I2NSF (Interface to Network Security Functions)
     Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Adrian Farrel

     WG Chair: Linda Dunbar

     Editor: Jaehoon Paul Jeong
     ";

  description
    "This module defines a YANG data module for consumer-facing
     interface to security controller.";

  revision "2018-03-05" {
    description "fourth revision";
    reference
      "draft-kumar-i2nsf-client-facing-interface-im-04";
  }

  //Groupings
  container policy {
    description
      "This object is a policy instance to have
       complete information such as where and when
       a policy needs to be applied.";

    list rule {
      key "rule-id";
      leaf rule-id {
        type uint16;
        description
          "This is ID for rules.";
      }
      description
        "This is a container for rules.";
      leaf name {
        type string;
        description
          "This field identifies the name of this object.";
      }

      leaf date {
        type yang:date-and-time;
        description
          "Date this object was created or last
           modified";
      }

      leaf case {
        type string;
        description
          "to identify whether the rule belongs to
           web filter or enterprise mode.";
      }
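The tree in Figure 1 ties the policy container to the threat-feed container through one leafref (event-map-group) and relies on list keys and 'mandatory' leaves for the rest of its integrity. An XML instance can be well-formed and still break those rules, so the following added example (not part of the draft, written for this page) parses a constructed instance of the policy and threat-feed containers with the Python standard library and reports dangling event-map-group references, missing key leaves and duplicate keys. The namespace is the one the module above declares; the sample XML, element values and the two helper names are assumptions made for the example.

```python
"""Structural checks on a Consumer-Facing Interface policy instance.

Added example, not code from the draft. It checks what the tree of
Figure 1 expresses but a plain XML parser does not: list keys present
and unique, the mandatory event-id / policy-action-id leaves, and the
leafref event-map-group -> /threat-feed/event-map-group/event-map-group-id.
"""
import xml.etree.ElementTree as ET

# Namespace declared by the module on this page; sample data below is constructed.
NS = "urn:ietf:params:xml:ns:yang:ietf-policy-general"


def q(tag):
    """Qualify a local name with the module namespace for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


# Constructed sample: one rule whose event refers to event-map-group 7.
SAMPLE_OK = f"""
<data>
  <policy xmlns="{NS}">
    <rule>
      <rule-id>1</rule-id>
      <name>block-voip-threats</name>
      <event>
        <event-id>e1</event-id>
        <event-type>threat-map</event-type>
        <event-map-group>7</event-map-group>
        <enable>true</enable>
      </event>
      <condition>
        <condition-id>c1</condition-id>
        <source>custom-list-1</source>
      </condition>
      <policy-action>
        <policy-action-id>a1</policy-action-id>
        <primary-action>DENY</primary-action>
        <secondary-action>LOG</secondary-action>
        <owner>sec-admin</owner>
      </policy-action>
    </rule>
  </policy>
  <threat-feed xmlns="{NS}">
    <event-map-group>
      <event-map-group-id>7</event-map-group-id>
      <name>voip-threat-map</name>
    </event-map-group>
  </threat-feed>
</data>
"""

# Constructed sample with three defects: a dangling leafref (group 7 renamed
# to 8), a second rule reusing rule-id 1, and a policy-action without its key.
SAMPLE_BAD = SAMPLE_OK.replace(
    "<event-map-group-id>7</event-map-group-id>",
    "<event-map-group-id>8</event-map-group-id>",
).replace(
    "</rule>\n  </policy>",
    "</rule>\n    <rule><rule-id>1</rule-id>"
    "<policy-action><primary-action>PERMIT</primary-action></policy-action>"
    "</rule>\n  </policy>",
)


def leaf_text(elem, tag):
    """Text of child leaf <tag>, or None when the leaf is absent."""
    child = elem.find(q(tag))
    return None if child is None or child.text is None else child.text.strip()


def check_keyed_list(parent, list_name, key, findings):
    """Every entry of a YANG list must carry its key leaf; keys must be unique."""
    seen = set()
    for entry in parent.findall(q(list_name)):
        value = leaf_text(entry, key)
        if value is None:
            findings.append(f"{list_name}: entry without key leaf '{key}'")
        elif value in seen:
            findings.append(f"{list_name}: duplicate {key} '{value}'")
        else:
            seen.add(value)
    return seen


def check_policy_instance(xml_text):
    """Return a list of findings; an empty list means the instance passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # Leafref targets: every event-map-group-id under /threat-feed.
    feed = root.find(q("threat-feed"))
    group_ids = set()
    if feed is not None:
        group_ids = check_keyed_list(feed, "event-map-group", "event-map-group-id", findings)
    policy = root.find(q("policy"))
    if policy is None:
        return findings + ["no policy container present"]
    check_keyed_list(policy, "rule", "rule-id", findings)
    for rule in policy.findall(q("rule")):
        rid = leaf_text(rule, "rule-id")
        check_keyed_list(rule, "event", "event-id", findings)
        check_keyed_list(rule, "condition", "condition-id", findings)
        check_keyed_list(rule, "policy-action", "policy-action-id", findings)
        for event in rule.findall(q("event")):
            target = leaf_text(event, "event-map-group")
            if target is not None and target not in group_ids:
                findings.append(f"rule {rid}: event-map-group '{target}' does not "
                                "resolve to /threat-feed/event-map-group/event-map-group-id")
    return findings


if __name__ == "__main__":
    print(check_policy_instance(SAMPLE_OK))
    for finding in check_policy_instance(SAMPLE_BAD):
        print("finding:", finding)
```

A NETCONF server with a real YANG validator performs these checks itself; the script is useful on the I2NSF User side, before a policy is pushed, or when instance documents are produced by tooling that does not validate against the module.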
      list event {
        key "event-id";
        description
          "This represents the security event of a
           policy-rule.";

        leaf event-id {
          type string;
          mandatory true;
          description
            "This represents the event-id.";
        }
        leaf name {
          type string;
          description
            "This field identifies the name of this object.";
        }

        leaf date {
          type yang:date-and-time;
          description
            "Date this object was created or last
             modified";
        }

        leaf event-type {
          type string;
          description
            "This field identifies the event of
             policy enforcement trigger type.";
        }

        leaf time-information {
          type string;
          description
            "This field contains time calendar such as
             BEGIN-TIME and END-TIME for one time
             enforcement or recurring time calendar for
             periodic enforcement.";
        }

        leaf event-map-group {
          type leafref {
            path "/threat-feed/event-map-group/event-map-group-id";
          }
          description
            "This field contains security events or threat
             map in order to determine when a policy needs
             to be activated. This is a reference to
             Event-Map-Group.";
        }

        leaf enable {
          type boolean;
          description
            "This determines whether the condition
             matches the security event or not.";
        }
      }
      list condition {
        key "condition-id";
        description
          "This represents the condition of a
           policy-rule.";

        leaf condition-id {
          type string;
          description
            "This represents the condition-id.";
        }

        leaf source {
          type string;
          description
            "This field identifies the source of
             the traffic. This could be a reference to
             either 'Policy Endpoint Group' or
             'Threat-Feed' or 'Custom-List' if Security
             Admin wants to specify the source; otherwise,
             the default is to match all traffic.";
        }

        leaf destination {
          type string;
          description
            "This field identifies the destination of
             the traffic. This could be a reference to
             either 'Policy Endpoint Group' or
             'Threat-Feed' or 'Custom-List' if Security
             Admin wants to specify the destination; otherwise,
             the default is to match all traffic.";
        }

        leaf match {
          type boolean;
          description
            "This field identifies the match criteria used to
             evaluate whether the specified action needs to be
             taken or not. This could be either a Policy-
             Endpoint-Group identifying an Application set or a
             set of traffic rules.";
        }

        leaf match-direction {
          type string;
          description
            "This field identifies if the match criteria are
             to be evaluated for both directions of the traffic or
             only in one direction with default of allowing in
             the other direction for stateful match conditions.
             This is optional and by default the rule should apply
             in both directions.";
        }

        leaf exception {
          type string;
          description
            "This field identifies the exception
             consideration when a rule is evaluated for a
             given communication. This could be a reference to
             a Policy-Endpoint-Group object or set of traffic
             matching criteria.";
        }
      }

      list policy-action {
        key "policy-action-id";

        leaf policy-action-id {
          type string;
          mandatory true;
          description
            "This represents the policy-action-id.";
        }
        description
          "This object represents actions that a
           Security Admin wants to perform based on
           a certain traffic class.";

        leaf name {
          type string;
          description
            "The name of the policy-action object.";
        }

        leaf date {
          type yang:date-and-time;
          description
            "When the object was created or last
             modified.";
        }

        leaf primary-action {
          type string;
          description
            "This field identifies the action when a rule
             is matched by NSF. The action could be one of
             'PERMIT', 'DENY', 'RATE-LIMIT', 'TRAFFIC-CLASS',
             'AUTHENTICATE-SESSION', 'IPS', 'APP-FIREWALL', etc.";
        }

        leaf secondary-action {
          type string;
          description
            "This field identifies additional actions if
             a rule is matched. This could be one of 'LOG',
             'SYSLOG', 'SESSION-LOG', etc.";
        }

        leaf owner {
          type string;
          description
            "This field defines the owner of this
             policy. Only the owner is authorized to
             modify the contents of the policy.";
        }
      }
    }
  }

  container multi-tenancy {
    description
      "The descriptions of multi-tenancy.";

    list policy-domain {
      key "policy-domain-id";

      leaf policy-domain-id {
        type uint16;
        description
          "This represents the policy-domain-id.";
      }
      description
        "This represents the list of policy domains.";
      leaf name {
        type string;
        mandatory true;
        description
          "Name of the organization or customer representing
           this domain.";
      }
      leaf address {
        type string;
        description
          "Address of an organization or customer.";
      }

      leaf contact {
        type string;
        mandatory true;
        description
          "Contact information of the organization
           or customer.";
      }

      leaf date {
        type yang:date-and-time;
        mandatory true;
        description
          "The date when this account was created
           or last modified.";
      }
      list policy-tenant {
        key "policy-tenant-id";
        leaf policy-tenant-id {
          type uint16;
          description
            "The policy tenant id.";
        }
        description
          "This represents the list of tenants.";

        leaf name {
          type string;
          mandatory true;
          description
            "Name of the Department or Division within
             an organization.";
        }

        leaf date {
          type yang:date-and-time;
          mandatory true;
          description
            "Date this account was created or last modified.";
        }

        leaf domain {
          type leafref {
            path "/multi-tenancy/policy-domain/policy-domain-id";
          }
          description
            "This field identifies the domain to which this
             tenant belongs. This should be a reference to a
             'Policy-Domain' object.";
        }
      }
      leaf authentication-method {
        type leafref {
          path "/multi-tenancy/policy-mgnt-auth-method/"
             + "policy-mgnt-auth-method-id";
        }

        description
          "Authentication method to be used for this domain.
           It should be a reference to a 'policy-mgmt-auth-method'
           object.";
      }
    }

    list policy-role {
      key "policy-role-id";

      leaf policy-role-id {
        type uint16;
        mandatory true;
        description
          "This defines a set of permissions assigned
           to a user in an organization that wants to manage
           its own Security Policies.";
      }
      description
        "This represents the list of policy roles.";

      leaf name {
        type string;
        mandatory true;
        description
          "This field identifies the name of the role.";
      }

      leaf date {
        type yang:date-and-time;
        mandatory true;
        description
          "Date this role was created or last modified.";
      }
      leaf access-profile {
        type string;
        mandatory true;
        description
          "This field identifies the access profile for the
           role. The profile grants or denies access to policy
           objects. Multiple access profiles can be
           concatenated together.";
      }
    }

    list policy-user {
      key "policy-user-id";

      leaf policy-user-id {
        type uint16;
        description
          "This represents the policy-user-id.";
      }
      description
        "This represents the list of policy users.";
      leaf name {
        type string;
        mandatory true;
        description
          "The name of a user.";
      }

      leaf date {
        type yang:date-and-time;
        mandatory true;
        description
          "Date this user was created or last modified.";
      }

      leaf password {
        type string;
        mandatory true;
        description
          "User password for basic authentication.";
      }

      leaf email {
        type string;
        mandatory true;
        description
          "The email account of a user.";
      }
      leaf scope-type {
        type string;
        description
          "Identifies whether a user has domain-wide
           or tenant-wide privileges.";
      }

      leaf scope-reference {
        type string;
        description
          "This references policy-domain or policy-tenant
           to identify the scope.";
      }

      leaf role {
        type string;
        mandatory true;
        description
          "This references policy-role to define specific
           permissions.";
      }
    }

    list policy-mgnt-auth-method {
      key "policy-mgnt-auth-method-id";

      leaf policy-mgnt-auth-method-id {
        type uint16;
        description
          "This represents the authentication method id.";
      }
      description
        "The descriptions of policy management
         authentication methods.";
      leaf name {
        type string;
        mandatory true;
        description
          "Name of the authentication method.";
      }

      leaf date {
        type yang:date-and-time;
        mandatory true;
        description
          "Date when the authentication method
           was created.";
      }
      leaf authentication-method {
        type enumeration {
          enum password {
            description
              "password-based authentication.";
          }
          enum token {
            description
              "token-based authentication.";
          }
          enum certificate {
            description
              "certificate-based authentication.";
          }
        }
        mandatory true;
        description
          "The description of authentication method;
           token-based, password, certificate,
           single-sign-on.";
      }

      leaf mutual-authentication {
        type boolean;
        mandatory true;
        description
          "To identify whether the authentication
           is mutual.";
      }

      leaf token-server {
        type inet:ipv4-address;
        mandatory true;
        description
          "The token-server information if the
           authentication method is token-based.";
      }

      leaf certificate-server {
        type inet:ipv4-address;
        mandatory true;
        description
          "The certificate-server information if
           the authentication method is certificate-based.";
      }

      leaf single-sing-on-server {
        type inet:ipv4-address;
        mandatory true;
        description
          "The single-sign-on-server information
           if the authentication method is
           single-sign-on-based.";
      }
    }
  }
  container end-group {
    description
      "A logical entity in their business
       environment, where a security policy
       is to be applied.";

    list meta-data-source {
      key "meta-data-source-id";
      leaf meta-data-source-id {
        type uint16;
        mandatory true;
        description
          "This represents the meta-data source id.";
      }
      description
        "This represents the meta-data source.";

      leaf name {
        type string;
        mandatory true;
        description
          "This identifies the name of the
           meta-data-source.";
      }

      leaf date {
        type yang:date-and-time;
        mandatory true;
        description
          "This identifies the date this object was
           created or last modified.";
      }

      leaf tag-type {
        type boolean;
        description
          "This identifies the group type; user group,
           app group or device group.";
      }
      leaf tag-server-information {
        type inet:ipv4-address;
        description
          "The tag-server information, i.e., the address
           of the server that provides the tags.";
      }

      leaf tag-application-protocol {
        type string;
        description
          "This field identifies the protocol, e.g., LDAP,
           Active Directory, or CMDB.";
      }

      leaf tag-server-credential {
        type string;
        description
          "This field identifies the credential
           information needed to access the tag server.";
      }
    }

    list user-group {
      key "user-group-id";

      leaf user-group-id {
        type uint16;
        mandatory true;
        description
          "This represents the user group id.";
      }
      description
        "This represents the user group.";

      leaf name {
        type string;
        description
          "This field identifies the name of user-group.";
      }

      leaf date {
        type yang:date-and-time;
        description
          "When this user-group was created or last modified.";
      }

      leaf group-type {
        type enumeration {
          enum user-tag {
            description
              "The user group is based on user-tag.";
          }
          enum user-name {
            description
              "The user group is based on user-name.";
          }
          enum ip-address {
            description
              "The user group is based on ip-address.";
          }
        }

        description
          "This describes the group type; User-tag,
           User-name or IP-address.";
      }

      leaf meta-data-server {
        type inet:ipv4-address;
        description
          "This references metadata source.";
      }

      leaf group-member {
        type string;
        description
          "This describes the user-tag information.";
      }

      leaf risk-level {
        type uint16;
        description
          "This represents the threat level; valid range
           may be 0 to 9.";
      }
    }

    list device-group {
      key "device-group-id";
      leaf device-group-id {
        type uint16;
        description
          "This represents a device group id.";
      }
      description
        "This represents a device group.";
      leaf name {
        type string;
        description
          "This field identifies the name of
           a device-group.";
      }
      leaf date {
        type yang:date-and-time;
        description
          "The date when this group was created or
           last modified.";
      }

      leaf group-type {
        type enumeration {
          enum device-tag {
            description
              "The device group is based on device-tag.";
          }
          enum device-name {
            description
              "The device group is based on device-name.";
          }
          enum ip-address {
            description
              "The device group is based on ip-address.";
          }
        }
        description
          "This describes the group type; device-tag,
           device-name or IP-address.";
      }

      leaf meta-data-server {
        type inet:ipv4-address;
        description
          "This references meta-data-source
           object.";
      }

      leaf group-member {
        type string;
        description
          "This describes the device-tag, device-name or
           IP-address information.";
      }
      leaf risk-level {
        type uint16;
        description
          "This represents the threat level; valid range
           may be 0 to 9.";
      }
    }

    list application-group {
      key "application-group-id";
      leaf application-group-id {
        type uint16;
        description
          "This represents an application group id.";
      }
      description
        "This represents an application group.";
      leaf name {
        type string;
        description
          "This field identifies the name of
           an application group.";
      }

      leaf date {
        type yang:date-and-time;
        description
          "The date when this group was created or
           last modified.";
      }

      leaf group-type {
        type enumeration {
          enum application-tag {
            description
              "The application group is based on application-tag.";
          }
          // The original enum was named 'device-name' here; renamed to
          // match its description and the sibling enums of this list.
          enum application-name {
            description
              "The application group is based on application-name.";
          }
          enum ip-address {
            description
              "The application group is based on ip-address.";
          }
        }
        description
          "This identifies the group type;
           application-tag, application-name or
           IP-address.";
      }

      leaf meta-data-server {
        type inet:ipv4-address;
description 1096 "This references meta-data-source 1097 object."; 1098 } 1100 leaf group-member { 1101 type string; 1102 description 1103 "This describes the application-tag, 1104 application-name or IP-address information"; 1105 } 1107 leaf risk-level { 1108 type uint16; 1109 description 1110 "This represents the threat level; valid range 1111 may be 0 to 9."; 1112 } 1113 } 1115 list location-group{ 1116 key "location-group-id"; 1117 leaf location-group-id { 1118 type uint16; 1119 description 1120 "This represents a location group id."; 1121 } 1122 description 1123 "This represents a location group."; 1125 leaf name { 1126 type string; 1127 description 1128 "This field identifies the name of 1129 a location group"; 1131 } 1133 leaf date { 1134 type yang:date-and-time; 1135 description 1136 "The date when this group was created or 1137 last modified."; 1138 } 1140 leaf group-type { 1141 type enumeration{ 1142 enum location-tag{ 1143 description 1144 "The location group is based on location-tag."; 1145 } 1146 enum location-name{ 1147 description 1148 "The location group is based on location-name."; 1149 } 1150 enum ip-address{ 1151 description 1152 "The location group is based on ip-address."; 1153 } 1154 } 1155 description 1156 "This identifies the group type; 1157 location-tag, location-name or 1158 IP-address."; 1159 } 1161 leaf meta-data-server { 1162 type inet:ipv4-address; 1163 description 1164 "This references meta-data-source 1165 object."; 1166 } 1168 leaf group-member { 1169 type string; 1170 description 1171 "This describes the location-tag, 1172 location-name or IP-address information"; 1173 } 1175 leaf risk-level { 1176 type uint16; 1177 description 1178 "This represents the threat level; valid range 1179 may be 0 to 9."; 1180 } 1181 } 1182 } 1184 container threat-feed { 1185 description 1186 "this describes the list of threat-feed."; 1188 list threat-feed { 1189 key "threat-feed-id"; 1190 leaf threat-feed-id { 1191 type uint16; 1192 mandatory true; 
1193 description 1194 "This represents the threat-feed-id."; 1195 } 1196 description 1197 "This represents the threat feed within the 1198 threat-prevention-list."; 1199 leaf name { 1200 type string; 1201 description 1202 "Name of the theat feed."; 1203 } 1205 leaf date { 1206 type yang:date-and-time; 1207 description 1208 "when the threat-feed was created."; 1209 } 1211 leaf feed-type { 1212 type enumeration { 1213 enum unknown { 1214 description 1215 "feed-type is unknown."; 1216 } 1217 enum ip-address { 1218 description 1219 "feed-type is IP address."; 1220 } 1221 enum url { 1222 description 1223 "feed-type is URL."; 1224 } 1225 } 1226 mandatory true; 1227 description 1228 "This determined whether the feed-type is IP address 1229 based or URL based."; 1230 } 1232 leaf feed-server { 1233 type inet:ipv4-address; 1234 description 1235 "this contains threat feed server information."; 1236 } 1238 leaf feed-priority { 1239 type uint16; 1240 description 1241 "this describes the priority of the threat from 1242 0 to 5, where 0 means the threat is minimum and 1243 5 meaning the maximum."; 1244 } 1245 } 1247 list custom-list { 1248 key "custom-list-id"; 1249 leaf custom-list-id { 1250 type uint16; 1251 description 1252 "this describes the custom-list-id."; 1253 } 1254 description 1255 "this describes the threat-prevention custom list."; 1256 leaf name { 1257 type string; 1258 description 1259 "Name of the custom-list."; 1260 } 1262 leaf date { 1263 type yang:date-and-time; 1264 description 1265 "when the custom list was created."; 1266 } 1268 leaf list-type { 1269 type enumeration { 1270 enum unknown { 1271 description 1272 "list-type is unknown."; 1273 } 1274 enum ip-address { 1275 description 1276 "list-type is IP address."; 1277 } 1278 enum mac-address { 1279 description 1280 "list-type is MAC address."; 1282 } 1283 enum url { 1284 description 1285 "list-type is URL."; 1286 } 1287 } 1288 mandatory true; 1289 description 1290 "This determined whether the feed-type is IP 
address 1291 based or URL based."; 1292 } 1294 leaf list-property { 1295 type enumeration { 1296 enum unknown { 1297 description 1298 "list-property is unknown."; 1299 } 1300 enum blacklist { 1301 description 1302 "list-property is blacklist."; 1303 } 1304 enum whitelist { 1305 description 1306 "list-property is whitelist."; 1307 } 1308 } 1309 mandatory true; 1310 description 1311 "This determined whether the list-type is blacklist 1312 or whitelist."; 1313 } 1315 leaf list-content { 1316 type string; 1317 description 1318 "This describes the contents of the custom-list."; 1319 } 1320 } 1322 list malware-scan-group { 1323 key "malware-scan-group-id"; 1324 leaf malware-scan-group-id { 1325 type uint16; 1326 mandatory true; 1327 description 1328 "This is the malware-scan-group-id."; 1329 } 1330 description 1331 "This represents the malware-scan-group."; 1332 leaf name { 1333 type string; 1334 description 1335 "Name of the malware-scan-group."; 1336 } 1338 leaf date { 1339 type yang:date-and-time; 1340 description 1341 "when the malware-scan-group was created."; 1342 } 1344 leaf signature-server { 1345 type inet:ipv4-address; 1346 description 1347 "This describes the signature server of the 1348 malware-scan-group."; 1349 } 1351 leaf file-types { 1352 type string; 1353 description 1354 "This contains a list of file types needed to 1355 be scanned for the virus."; 1356 } 1358 leaf malware-signatures { 1359 type string; 1360 description 1361 "This contains a list of malware signatures or hash."; 1362 } 1363 } 1365 list event-map-group { 1366 key "event-map-group-id"; 1367 leaf event-map-group-id { 1368 type uint16; 1369 mandatory true; 1370 description 1371 "This is the event-map-group-id."; 1372 } 1373 description 1374 "This represents the event map group."; 1376 leaf name { 1377 type string; 1378 description 1379 "Name of the event-map."; 1380 } 1382 leaf date { 1383 type yang:date-and-time; 1384 description 1385 "when the event-map was created."; 1386 } 1388 leaf 
security-events { 1389 type string; 1390 description 1391 "This contains a list of security events."; 1392 } 1394 leaf threat-map { 1395 type string; 1396 description 1397 "This contains a list of threat levels."; 1398 } 1399 } 1400 } 1402 container telemetry-data { 1403 description 1404 "Telemetry provides visibility into the network 1405 activities which can be tapped for further 1406 security analytics, e.g., detecting potential 1407 vulnerabilities, malicious activities, etc."; 1409 list telemetry-data { 1410 key "telemetry-data-id"; 1412 leaf telemetry-data-id { 1413 type uint16; 1414 mandatory true; 1415 description 1416 "This is ID for telemetry-data-id."; 1417 } 1418 description 1419 "This is ID for telemetry-data."; 1421 leaf name { 1422 type string; 1423 description 1424 "Name of the telemetry-data object."; 1425 } 1426 leaf date { 1427 type yang:date-and-time; 1428 description 1429 "This field states when the telemery-data 1430 object was created."; 1431 } 1433 leaf logs { 1434 type boolean; 1435 description 1436 "This field identifies whether logs 1437 need to be collected."; 1438 } 1440 leaf syslogs { 1441 type boolean; 1442 description 1443 "This field identifies whether System logs 1444 need to be collected."; 1445 } 1447 leaf snmp { 1448 type boolean; 1449 description 1450 "This field identifies whether 'SNMP traps' and 1451 'SNMP alarms' need to be collected."; 1452 } 1454 leaf sflow { 1455 type boolean; 1456 description 1457 "This field identifies whether 'sFlow' data 1458 need to be collected."; 1459 } 1461 leaf netflow { 1462 type boolean; 1463 description 1464 "This field identifies whether 'NetFlow' data 1465 need to be collected."; 1466 } 1468 leaf interface-stats { 1469 type boolean; 1470 description 1471 "This field identifies whether 'Interface' data 1472 such as packet bytes and counts need to be 1473 collected."; 1475 } 1476 } 1478 list telemetry-source { 1479 key "telemetry-source-id"; 1481 leaf telemetry-source-id { 1482 type uint16; 
1483 mandatory true; 1484 description 1485 "This is ID for telemetry-source-id."; 1486 } 1487 description 1488 "This is ID for telemetry-source."; 1490 leaf name { 1491 type string; 1492 description 1493 "This identifies the name of this object."; 1494 } 1496 leaf date { 1497 type yang:date-and-time; 1498 description 1499 "Date this object was created or last modified"; 1500 } 1502 leaf source-type { 1503 type enumeration { 1504 enum network-nsf { 1505 description 1506 "NSF telemetry source type is network-nsf."; 1507 } 1509 enum firewall-nsf { 1510 description 1511 "NSF telemetry source type is firewall-nsf."; 1512 } 1513 enum ids-nsf { 1514 description 1515 "NSF telemetry source type is ids-nsf."; 1516 } 1517 enum ips-nsf { 1518 description 1519 "NSF telemetry source type is ips-nsf."; 1520 } 1521 enum proxy-nsf { 1522 description 1523 "NSF telemetry source type is proxy-nsf."; 1524 } 1525 enum other-nsf { 1526 description 1527 "NSF telemetry source type is other-nsf."; 1528 } 1529 } 1530 description 1531 "This should have one of the following type of 1532 the NSF telemetry source: NETWORK-NSF, 1533 FIREWALL-NSF, IDS-NSF, IPS-NSF, 1534 PROXY-NSF, VPN-NSF, DNS, ACTIVE-DIRECTORY, 1535 IP Reputation Authority, Web Reputation 1536 Authority, Anti-Malware Sandbox, Honey Pot, 1537 DHCP, Other Third Party, ENDPOINT"; 1538 } 1540 leaf nsf-source { 1541 type inet:ipv4-address; 1542 description 1543 "This field contains information such as 1544 IP address and protocol (UDP or TCP) port 1545 number of the NSF providing telemetry data."; 1546 } 1548 leaf nsf-credentials { 1549 type string; 1550 description 1551 "This field contains username and password 1552 to authenticate with the NSF."; 1553 } 1555 leaf collection-interval { 1556 type uint16; 1557 units seconds; 1558 default 5000; 1559 description 1560 "This field contains time in milliseconds 1561 between each data collection. For example, 1562 a value of 5000 means data is streamed to 1563 collector every 5 seconds. 
Value of 0 means 1564 data streaming is event-based"; 1565 } 1567 leaf collection-method { 1568 type enumeration { 1569 enum unknown { 1570 description 1571 "collection-method is unknown."; 1572 } 1573 enum push-based { 1574 description 1575 "collection-method is PUSH-based."; 1576 } 1577 enum pull-based { 1578 description 1579 "collection-method is PULL-based."; 1580 } 1581 } 1582 description 1583 "This field contains a method of collection, 1584 i.e., whether it is PUSH-based or PULL-based."; 1585 } 1586 leaf heartbeat-interval { 1587 type uint16; 1588 units seconds; 1589 description 1590 "time in seconds the source sends telemetry 1591 heartbeat."; 1592 } 1594 leaf qos-marking { 1595 type uint16; 1596 description 1597 "DSCP value must be contained in this field."; 1598 } 1599 } 1601 list telemetry-destination { 1602 key "telemetry-destination-id"; 1604 leaf telemetry-destination-id { 1605 type uint16; 1606 description 1607 "this represents the telemetry-destination-id"; 1608 } 1609 description 1610 "This object contains information related to 1611 telemetry destination. 
The destination is 1612 usually a collector which is either a part of 1613 Security Controller or external system 1614 such as Security Information and Event 1615 Management (SIEM)."; 1617 leaf name { 1618 type string; 1619 description 1620 "This identifies the name of this object."; 1621 } 1623 leaf date { 1624 type yang:date-and-time; 1625 description 1626 "Date this object was created or last 1627 modified"; 1628 } 1630 leaf collector-source { 1631 type inet:ipv4-address; 1632 description 1633 "This field contains information such as 1634 IP address and protocol (UDP or TCP) port 1635 number for the collector's destination."; 1636 } 1638 leaf collector-credentials { 1639 type string; 1640 description 1641 "This field contains the username and 1642 password for the collector."; 1643 } 1645 leaf data-encoding { 1646 type string; 1647 description 1648 "This field contains the telemetry data encoding 1649 in the form of schema."; 1650 } 1652 leaf data-transport { 1653 type enumeration{ 1654 enum grpc { 1655 description 1656 "telemetry data protocol is grpc."; 1657 } 1658 enum buffer-over-udp{ 1659 description 1660 "telemetry data protocol is buffer over UDP."; 1661 } 1662 } 1663 description 1664 "This field contains streaming telemetry data 1665 protocols. This could be gRPC, protocol 1666 buffer over UDP, etc."; 1668 } 1669 } 1670 } 1671 } 1672 1674 Figure 2: YANG for policy-general 1676 6. Security Considerations 1678 The data model for the I2NSF Consumer-Facing Interface is derived 1679 from the I2NSF Consumer-Facing Interface Information Model 1680 [client-facing-inf-im], so the same security considerations with the 1681 information model should be included in this document. The data 1682 model needs to support a mechanism to protect Consumer-Facing 1683 Interface to Security Controller. 1685 7. 
Acknowledgements 1687 This work was supported by Institute for Information & communications 1688 Technology Promotion(IITP) grant funded by the Korea government(MSIP) 1689 (No.R-20160222-002755, Cloud based Security Intelligence Technology 1690 Development for the Customized Security Service Provisioning). 1692 This document has greatly benefited from inputs by Hyoungshick Kim, 1693 Mahdi F. Dachmehchi, Seungjin Lee, Jinyong Tim Kim, and Daeyoung 1694 Hyun. 1696 8. Contributors 1698 I2NSF is a group effort. The following people actively contributed 1699 to the consumer facing interface data model, and are considered co- 1700 authors: o Hyoungshick Kim (Sungkyunkwan University) o Seungjin Lee 1701 (Sungkyunkwan University) 1703 9. References 1705 9.1. Normative References 1707 [RFC3444] Pras, A., "On the Difference between Information Models 1708 and Data Models", RFC 3444, January 2003. 1710 9.2. Informative References 1712 [client-facing-inf-im] 1713 Kumar, R., Lohiya, A., Qi, D., Bitar, N., Palislamovic, 1714 S., and L. Xia, "Information model for Client-Facing 1715 Interface to Security Controller", draft-kumar-i2nsf- 1716 client-facing-interface-im-04 (work in progress), July 1717 2017. 1719 [client-facing-inf-req] 1720 Kumar, R., Lohiya, A., Qi, D., Bitar, N., Palislamovic, 1721 S., and L. Xia, "Requirements for Client-Facing Interface 1722 to Security Controller", draft-ietf-i2nsf-client-facing- 1723 interface-req-03 (work in progress), July 2017. 1725 [i2nsf-framework] 1726 Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. 1727 Kumar, "Framework for Interface to Network Security 1728 Functions", draft-ietf-i2nsf-framework-08 (work in 1729 progress), October 2017. 1731 [i2nsf-terminology] 1732 Hares, S., Strassner, J., Lopez, D., Birkholz, H., and L. 1733 Xia, "Information model for Client-Facing Interface to 1734 Security Controller", draft-ietf-i2nsf-terminology-04 1735 (work in progress), July 2017. 
[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010.

Appendix A. Changes from draft-jeong-i2nsf-consumer-facing-interface-dm-05

The following changes have been made from draft-jeong-i2nsf-consumer-facing-interface-dm-05:

o In Section 4, the YANG has been modified to represent a policy delivered over the Consumer-Facing Interface. More specifically, the YANG model has been modified so that a policy-domain object can have multiple tenants, and as a result the policy-tenant leaf in the tree has been added as a child of the policy-domain object. This clarifies the relationship between a domain and its tenants.

o The overall organization of the YANG data model and its data types have also been reviewed and corrected, producing the corresponding data tree shown in Section 5. The reviewed data tree and YANG fully adopt the Event-Condition-Action (ECA) scheme suggested in the most recent drafts of the I2NSF Consumer-Facing Interface Information Model [client-facing-inf-im] and the I2NSF Framework [i2nsf-framework].

o The data tree in Appendix B and the YANG in Appendix C have also been modified for better adoption of ECA-based policy generation.

o A revised version of the example XML output for the VoIP service policy, based on the YANG in Appendix C, is shown in Appendix D.

o Overall editorial errors have been corrected.

Appendix B. Use Case: Policy Instance Example for VoIP/VoLTE Security Services

A common scenario for VoIP/VoLTE policy enforcement is a malicious call made from the phone of a benign user of a telecommunications company. For example, imagine a case where a company "A" employs a hacker who infects a user's phone with malware. Company "A" is located in another country (the example in Appendix D uses an address range in South Africa) and uses the hacked phone to place international calls to company "A". The user knows nothing of company "A" and complains about the international calls to company "B", the user's telecommunications company. Company "A" charges company "B" for the international calls; company "B" cannot charge the user for them and has no choice but to pay company "A". The following shows the example data tree for the VoIP/VoLTE services. Multi-tenancy, endpoint groups, threat prevention, and telemetry data components are the general part of the tree, so only the policy instance needs to be modified in order to generate and enforce high-level policies. The policy calendar can act as a scheduler to set the start and end time for blocking calls that use suspicious IDs, or calls from other countries.

module: ietf-policy-voip
    +--rw policy-voip
    |  +--rw rule-voip* [rule-voip-id]
    |  |  +--rw rule-voip-id           uint16
    |  |  +--rw name?                  string
    |  |  +--rw date?                  yang:date-and-time
    |  |  +--rw event* [event-id]
    |  |  |  +--rw event-id            string
    |  |  |  +--rw name?               string
    |  |  |  +--rw date?               yang:date-and-time
    |  |  |  +--rw event-type?         string
    |  |  |  +--rw Time-Information?   string
    |  |  |  +--rw event-map-group?    -> /threat-feed/event-map-group
    |  |  |  |                             /event-map-group-id
    |  |  |  +--rw enable?             boolean
    |  |  +--rw condition* [condition-id]
    |  |  |  +--rw condition-id        string
    |  |  |  +--rw source-caller?      -> /threat-feed/threat-feed
    |  |  |  |                             /threat-feed-id
    |  |  |  +--rw destination-callee? -> /threat-feed/custom-list
    |  |  |  |                             /custom-list-id
    |  |  |  +--rw match?              boolean
    |  |  |  +--rw match-direction?    string
    |  |  |  +--rw exception?          string
    |  |  +--rw action* [action-id]
    |  |  |  +--rw action-id           string
    |  |  |  +--rw name?               string
    |  |  |  +--rw date?               yang:date-and-time
    |  |  |  +--rw primary-action?     string
    |  |  |  +--rw secondary-action?   string
    |  |  +--rw precedence?            uint16
    |  +--rw owner* [owner-id]
    |     +--rw owner-id               string
    |     +--rw name?                  string
    |     +--rw date?                  yang:date-and-time
    +--rw threat-feed
       +--rw threat-feed* [threat-feed-id]
       |  +--rw threat-feed-id         uint16
       |  +--rw name?                  string
       |  +--rw date?                  yang:date-and-time
       |  +--rw feed-type              enumeration
       |  +--rw feed-server?           inet:ipv4-address
       |  +--rw feed-priority?         uint16
       +--rw custom-list* [custom-list-id]
       |  +--rw custom-list-id         uint16
       |  +--rw name?                  string
       |  +--rw date?                  yang:date-and-time
       |  +--rw list-type              enumeration
       |  +--rw list-property          enumeration
       |  +--rw list-content?          string
       +--rw malware-scan-group* [malware-scan-group-id]
       |  +--rw malware-scan-group-id  uint16
       |  +--rw name?                  string
       |  +--rw date?                  yang:date-and-time
       |  +--rw signature-server?      inet:ipv4-address
       |  +--rw file-types?            string
       |  +--rw malware-signatures?    string
       +--rw event-map-group* [event-map-group-id]
          +--rw event-map-group-id     uint16
          +--rw name?                  string
          +--rw date?                  yang:date-and-time
          +--rw security-events?       string
          +--rw threat-map?            string

Figure 3: Policy Instance Example for VoIP/VoLTE Security Services

Appendix C. Policy Instance YANG Example for VoIP/VoLTE Security Services

The following YANG data model is a policy instance for VoIP/VoLTE security services. The policy calendar can act as a scheduler to set the start time and end time for blocking malicious calls which use suspicious IDs, or calls from other countries.
<CODE BEGINS> file "ietf-i2nsf-cf-interface-voip.yang"

module ietf-policy-voip {
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-policy-voip";
  prefix
    "cf-interface";

  import ietf-yang-types {
    prefix yang;
  }

  import ietf-inet-types {
    prefix inet;
  }

  organization
    "IETF I2NSF (Interface to Network Security Functions)
     Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Adrian Farrel

     WG Chair: Linda Dunbar

     Editor: Jaehoon Paul Jeong
    ";

  description
    "This module defines a YANG data model for the
     Consumer-Facing Interface to the Security Controller.";

  revision "2018-03-05" {
    description "sixth revision";
    reference
      "draft-kumar-i2nsf-client-facing-interface-im-04";
  }

  container policy-voip {
    description
      "This object is a policy instance that holds
       complete information such as where and when
       a policy needs to be applied.";
    list rule-voip {
      key "rule-voip-id";
      description
        "This is a container for rules.";
      leaf rule-voip-id {
        type uint16;
        mandatory true;
        description
          "This is the ID of the rule.";
      }
      leaf name {
        type string;
        description
          "This field identifies the name of this object.";
      }
      leaf date {
        type yang:date-and-time;
        description
          "Date this object was created or last
           modified.";
      }
      list event {
        key "event-id";
        description
          "This represents the security event of a
           policy rule.";
        leaf event-id {
          type string;
          mandatory true;
          description
            "This represents the event-id.";
        }
        leaf name {
          type string;
          description
            "This field identifies the name of this object.";
        }
        leaf date {
          type yang:date-and-time;
          description
            "Date this object was created or last
             modified.";
        }
        leaf event-type {
          type string;
          description
            "This field identifies the event type.";
        }
        leaf Time-Information {
          type string;
          description
            "This field contains a time calendar such as
             BEGIN-TIME and END-TIME for one-time
             enforcement, or a recurring time calendar for
             periodic enforcement.";
        }
        leaf event-map-group {
          type leafref {
            path "/threat-feed/event-map-group/event-map-group-id";
          }
          description
            "This field contains the security events or threat
             map used to determine when a policy needs
             to be activated. This is a reference to an
             Event-Map-Group.";
        }
        leaf enable {
          type boolean;
          description
            "This determines whether the condition
             matches the security event or not.";
        }
      }
      list condition {
        key "condition-id";
        description
          "This represents the condition of a
           policy rule.";
        leaf condition-id {
          type string;
          description
            "This represents the condition-id.";
        }
        leaf source-caller {
          type leafref {
            path "/threat-feed/threat-feed/threat-feed-id";
          }
          description
            "This field identifies the source of
             the traffic. This could be a reference to
             either a 'Policy Endpoint Group', a
             'Threat-Feed' or a 'Custom-List' if the Security
             Admin wants to specify the source; otherwise,
             the default is to match all traffic.";
        }
        leaf destination-callee {
          type leafref {
            path "/threat-feed/custom-list/custom-list-id";
          }
          description
            "This field identifies the destination of
             the traffic. This could be a reference to
             either a 'Policy Endpoint Group', a
             'Threat-Feed' or a 'Custom-List' if the Security
             Admin wants to specify the destination; otherwise,
             the default is to match all traffic.";
        }
        leaf match {
          type boolean;
          description
            "This field identifies the match criteria used to
             evaluate whether the specified action needs to be
             taken or not. This could be either a Policy-
             Endpoint-Group identifying an application set or a
             set of traffic rules.";
        }
        leaf match-direction {
          type string;
          description
            "This field identifies whether the match criteria
             are to be evaluated for both directions of the
             traffic, or only in one direction with the default
             of allowing the other direction for stateful match
             conditions. This is optional and by default the
             rule applies in both directions.";
        }
        leaf exception {
          type string;
          description
            "This field identifies the exception to be
             considered when a rule is evaluated for a
             given communication. This could be a reference to
             a Policy-Endpoint-Group object or a set of traffic
             matching criteria.";
        }
      }
      list action {
        key "action-id";
        description
          "This object represents the actions that a
           Security Admin wants to perform based on
           a certain traffic class.";
        leaf action-id {
          type string;
          mandatory true;
          description
            "This represents the policy-action-id.";
        }
        leaf name {
          type string;
          description
            "The name of the policy-action object.";
        }
        leaf date {
          type yang:date-and-time;
          description
            "When the object was created or last
             modified.";
        }
        leaf primary-action {
          type string;
          description
            "This field identifies the action taken when a rule
             is matched by the NSF. The action could be one of
             'PERMIT', 'DENY', 'RATE-LIMIT', 'TRAFFIC-CLASS',
             'AUTHENTICATE-SESSION', 'IPS', 'APP-FIREWALL', etc.";
        }
        leaf secondary-action {
          type string;
          description
            "This field identifies additional actions if
             a rule is matched. This could be one of 'LOG',
             'SYSLOG', 'SESSION-LOG', etc.";
        }
      }
      leaf precedence {
        type uint16;
        description
          "This field identifies the precedence
           assigned to this rule by the Security Admin.
           This is helpful in conflict resolution
           when two or more rules match a given
           traffic class.";
      }
    }
    list owner {
      key "owner-id";
      description
        "This field defines the owner of this policy.
         Only the owner is authorized to modify the
         contents of the policy.";
      leaf owner-id {
        type string;
        mandatory true;
        description
          "This represents the owner-id.";
      }
      leaf name {
        type string;
        description
          "The name of the owner.";
      }
      leaf date {
        type yang:date-and-time;
        description
          "When the object was created or last
           modified.";
      }
    }
  }

  container threat-feed {
    description
      "This describes the threat-prevention lists: threat
       feeds, custom lists, malware scan groups and
       event map groups.";

    list threat-feed {
      key "threat-feed-id";
      description
        "This represents a threat feed within the
         threat-prevention list.";
      leaf threat-feed-id {
        type uint16;
        mandatory true;
        description
          "This represents the threat-feed-id.";
      }
      leaf name {
        type string;
        description
          "Name of the threat feed.";
      }
      leaf date {
        type yang:date-and-time;
        description
          "When the threat feed was created.";
      }
      leaf feed-type {
        type enumeration {
          enum unknown {
            description
              "feed-type is unknown.";
          }
          enum ip-address {
            description
              "feed-type is IP address.";
          }
          enum url {
            description
              "feed-type is URL.";
          }
        }
        mandatory true;
        description
          "This determines whether the feed is IP address
           based or URL based.";
      }
      leaf feed-server {
        type inet:ipv4-address;
        description
          "This contains the IPv4 address of the threat
           feed server.";
      }
      leaf feed-priority {
        type uint16 {
          range "0..5";
        }
        description
          "This describes the priority of the threat, from
           0 to 5, where 0 means the threat is minimal and
           5 means it is maximal.";
      }
    }

    list custom-list {
      key "custom-list-id";
      description
        "This describes a threat-prevention custom list.";
      leaf custom-list-id {
        type uint16;
        description
          "This describes the custom-list-id.";
      }
      leaf name {
        type string;
        description
          "Name of the custom list.";
      }
      leaf date {
        type yang:date-and-time;
        description
          "When the custom list was created.";
      }
      leaf list-type {
        type enumeration {
          enum unknown {
            description
              "list-type is unknown.";
          }
          enum ip-address {
            description
              "list-type is IP address.";
          }
          enum mac-address {
            description
              "list-type is MAC address.";
          }
          enum url {
            description
              "list-type is URL.";
          }
        }
        mandatory true;
        description
          "This determines whether the list holds IP
           addresses, MAC addresses or URLs.";
      }
      leaf list-property {
        type enumeration {
          enum unknown {
            description
              "list-property is unknown.";
          }
          enum blacklist {
            description
              "list-property is blacklist.";
          }
          enum whitelist {
            description
              "list-property is whitelist.";
          }
        }
        mandatory true;
        description
          "This determines whether the list is a blacklist
           or a whitelist.";
      }
      leaf list-content {
        type string;
        description
          "This describes the contents of the custom list.";
      }
    }

    list malware-scan-group {
      key "malware-scan-group-id";
      description
        "This represents a malware scan group.";
      leaf malware-scan-group-id {
        type uint16;
        mandatory true;
        description
          "This is the malware-scan-group-id.";
      }
      leaf name {
        type string;
        description
          "Name of the malware scan group.";
      }
      leaf date {
        type yang:date-and-time;
        description
          "When the malware scan group was created.";
      }
      leaf signature-server {
        type inet:ipv4-address;
        description
          "This describes the signature server of the
           malware scan group.";
      }
      leaf file-types {
        type string;
        description
          "This contains a list of file types that need to
           be scanned for malware.";
      }
      leaf malware-signatures {
        type string;
        description
          "This contains a list of malware signatures or hashes.";
      }
    }

    list event-map-group {
      key "event-map-group-id";
      description
        "This represents an event map group.";
      leaf event-map-group-id {
        type uint16;
        mandatory true;
        description
          "This is the event-map-group-id.";
      }
      leaf name {
        type string;
        description
          "Name of the event map.";
      }
      leaf date {
        type yang:date-and-time;
        description
          "When the event map was created.";
      }
      leaf security-events {
        type string;
        description
          "This contains a list of security events.";
      }
      leaf threat-map {
        type string;
        description
          "This contains a list of threat levels.";
      }
    }
  }
}
<CODE ENDS>

Figure 4: Policy Instance YANG Example for VoIP Security Services

Appendix D. Example XML output for VoIP service

In this section, we present an XML example for the VoIP service. Here, the policy drops calls coming from an IP address range in South Africa that has been classified as malicious.
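The leafrefs in the module above (event-map-group, source-caller and destination-callee) and the value ranges its descriptions state (feed-priority 0..5, the enumerations) are what a Security Controller has to enforce before it accepts a policy instance over the Consumer-Facing Interface; a dangling reference or an out-of-range value otherwise reaches the NSF unchecked. The following is an added example, not code from the draft: a small Python checker that parses instance data shaped like the ietf-policy-voip tree, reports violations of those constraints, and then evaluates one call endpoint against the blacklist custom-list a rule refers to. The instance data is constructed for this example, and its comma-separated CIDR form of list-content is an assumption, since the draft types list-content as a free string.

```python
"""Validate and evaluate a policy-voip instance (added example, not from the draft)."""
import ipaddress
import xml.etree.ElementTree as ET

FEED_TYPES = {"unknown", "ip-address", "url"}
LIST_TYPES = {"unknown", "ip-address", "mac-address", "url"}
LIST_PROPERTIES = {"unknown", "blacklist", "whitelist"}

# Constructed instance data; leafrefs carry the ids of the referenced entries,
# as the module requires.  The CIDR list in list-content is an assumption.
GOOD_INSTANCE = """<data>
  <threat-feed>
    <threat-feed>
      <threat-feed-id>7</threat-feed-id>
      <feed-type>ip-address</feed-type>
      <feed-server>203.0.113.10</feed-server>
      <feed-priority>5</feed-priority>
    </threat-feed>
    <custom-list>
      <custom-list-id>3</custom-list-id>
      <list-type>ip-address</list-type>
      <list-property>blacklist</list-property>
      <list-content>105.176.0.0/13,198.51.100.0/24</list-content>
    </custom-list>
    <event-map-group>
      <event-map-group-id>19</event-map-group-id>
    </event-map-group>
  </threat-feed>
  <policy-voip>
    <rule-voip>
      <rule-voip-id>1</rule-voip-id>
      <event><event-id>e1</event-id><event-map-group>19</event-map-group></event>
      <condition>
        <condition-id>c1</condition-id>
        <source-caller>7</source-caller>
        <destination-callee>3</destination-callee>
      </condition>
      <action>
        <action-id>a1</action-id>
        <primary-action>DENY</primary-action>
        <secondary-action>LOG</secondary-action>
      </action>
      <precedence>10</precedence>
    </rule-voip>
  </policy-voip>
</data>"""


def _text(elem, tag):
    """Text of a child leaf, or None when the leaf (or its parent) is absent."""
    child = elem.find(tag) if elem is not None else None
    return None if child is None else (child.text or "").strip()


def _keys(root, path, key):
    return {_text(e, key) for e in root.findall(path)}


def validate(xml_text):
    """Return the list of constraint violations; an empty list means the instance is valid."""
    root = ET.fromstring(xml_text)
    problems = []
    for f in root.findall("./threat-feed/threat-feed"):
        fid = _text(f, "threat-feed-id")
        if _text(f, "feed-type") not in FEED_TYPES:        # mandatory enumeration
            problems.append(f"threat-feed {fid}: missing or unknown feed-type")
        prio = _text(f, "feed-priority")
        if prio is not None and not 0 <= int(prio) <= 5:   # 0..5 per the description
            problems.append(f"threat-feed {fid}: feed-priority {prio} outside 0..5")
    for c in root.findall("./threat-feed/custom-list"):
        cid = _text(c, "custom-list-id")
        if _text(c, "list-type") not in LIST_TYPES:
            problems.append(f"custom-list {cid}: missing or unknown list-type")
        if _text(c, "list-property") not in LIST_PROPERTIES:
            problems.append(f"custom-list {cid}: missing or unknown list-property")
    # Leafref targets: every reference must resolve to an existing list key.
    feeds = _keys(root, "./threat-feed/threat-feed", "threat-feed-id")
    lists = _keys(root, "./threat-feed/custom-list", "custom-list-id")
    maps = _keys(root, "./threat-feed/event-map-group", "event-map-group-id")
    for rule in root.findall("./policy-voip/rule-voip"):
        rid = _text(rule, "rule-voip-id")
        if rid is None:
            problems.append("rule-voip without its key rule-voip-id")
            continue
        for ref in (_text(e, "event-map-group") for e in rule.findall("event")):
            if ref is not None and ref not in maps:
                problems.append(f"rule {rid}: event-map-group {ref} does not exist")
        for cond in rule.findall("condition"):
            src, dst = _text(cond, "source-caller"), _text(cond, "destination-callee")
            if src is not None and src not in feeds:
                problems.append(f"rule {rid}: source-caller {src} is not a threat-feed-id")
            if dst is not None and dst not in lists:
                problems.append(f"rule {rid}: destination-callee {dst} is not a custom-list-id")
    return problems


def decide(xml_text, address):
    """(rule-voip-id, primary-action, secondary-action) of the first rule whose referenced
    blacklist custom-list contains address, else None.  match-direction defaults to both
    directions in the draft, so address may be either endpoint of the call."""
    root = ET.fromstring(xml_text)
    lists = {_text(c, "custom-list-id"): c for c in root.findall("./threat-feed/custom-list")}
    addr = ipaddress.ip_address(address)
    for rule in root.findall("./policy-voip/rule-voip"):
        for cond in rule.findall("condition"):
            cl = lists.get(_text(cond, "destination-callee"))
            if cl is None or _text(cl, "list-type") != "ip-address" \
                    or _text(cl, "list-property") != "blacklist":
                continue
            nets = [ipaddress.ip_network(n.strip(), strict=False)
                    for n in (_text(cl, "list-content") or "").split(",") if n.strip()]
            if any(addr in net for net in nets):
                act = rule.find("action")
                return (_text(rule, "rule-voip-id"), _text(act, "primary-action"),
                        _text(act, "secondary-action"))
    return None


if __name__ == "__main__":
    print("violations:", validate(GOOD_INSTANCE))
    print("105.176.0.1 ->", decide(GOOD_INSTANCE, "105.176.0.1"))
```

Running the checker on the instance above reports no violations and returns ("1", "DENY", "LOG") for a callee inside 105.176.0.0/13; changing destination-callee to an id that has no custom-list entry is reported as a dangling leafref, which is the check a controller should apply before it pushes the policy to an NSF.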
<policy-voip xmlns="urn:ietf:params:xml:ns:yang:ietf-policy-voip">
  <rule-voip>
    <rule-voip-id>01</rule-voip-id>
    <name>voip-policy-example</name>
    <date>2017.10.25/20:30:32</date>
    <event>
      <event-id>01</event-id>
      <name>voip_call</name>
      <date>2017.10.25/20:30:32</date>
      <event-type>malicious</event-type>
      <Time-Information>
        <begin-time>22:00</begin-time>
        <end-time>08:00</end-time>
      </Time-Information>
      <event-map-group>19</event-map-group>
      <enable>True</enable>
    </event>
    <condition>
      <condition-id>01</condition-id>
      <source-caller>105.176.0.0</source-caller>
      <destination-callee>192.168.171.35</destination-callee>
      <match-direction>default</match-direction>
      <exception>00</exception>
    </condition>
    <action>
      <action-id>01</action-id>
      <name>action-voip</name>
      <date>2017.10.25/20:30:32</date>
      <primary-action>DENY</primary-action>
      <secondary-action>LOG</secondary-action>
    </action>
    <precedence>none</precedence>
  </rule-voip>
  <owner>
    <owner-id>01</owner-id>
    <name>i2nsf-admin</name>
  </owner>
</policy-voip>

Figure 5: An XML example for VoIP service

Authors' Addresses

Jaehoon Paul Jeong
Department of Software
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea

Phone: +82 31 299 4957
Fax: +82 31 290 7996
EMail: pauljeong@skku.edu
URI: http://iotlab.skku.edu/people-jaehoon-jeong.php

Eunsoo Kim
Department of Electrical and Computer Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea

Phone: +82 31 299 4104
EMail: eskim86@skku.edu
URI: http://seclab.skku.edu/people/eunsoo-kim/

Tae-Jin Ahn
Korea Telecom
70 Yuseong-Ro, Yuseong-Gu
Daejeon 305-811
Republic of Korea

Phone: +82 42 870 8409
EMail: taejin.ahn@kt.com

Rakesh Kumar
Juniper Networks
1133 Innovation Way
Sunnyvale, CA 94089
USA

EMail: rkkumar@juniper.net

Susan Hares
Huawei
7453 Hickory Hill
Saline, MI 48176
USA

Phone: +1-734-604-0332
EMail: shares@ndzh.com