Network Working Group                                          J. Jeong
Internet-Draft                                                   E. Kim
Intended status: Standards Track                Sungkyunkwan University
Expires: January 3, 2019                                         T. Ahn
                                                          Korea Telecom
                                                               R. Kumar
                                                       Juniper Networks
                                                               S. Hares
                                                                 Huawei
                                                           July 2, 2018

           I2NSF Consumer-Facing Interface YANG Data Model
            draft-ietf-i2nsf-consumer-facing-interface-dm-01

Abstract

   This document describes a YANG data model for the Consumer-Facing
   Interface between an Interface to Network Security Functions (I2NSF)
   User and Security Controller in an I2NSF system in a Network
   Functions Virtualization (NFV) environment.  The data model is
   required for enabling different users of a given I2NSF system to
   define, manage, and monitor security policies for specific flows
   within an administrative domain.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 3, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
   4.  Data Modeling for Security Policies for Consumer-Facing Interface
   5.  YANG Data Model for Security Policies for Consumer-Facing Interface
   6.  Security Considerations
   7.  Acknowledgments
   8.  Contributors
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Changes from draft-ietf-i2nsf-consumer-facing-interface-dm-00
   Appendix B.  Use Case: Policy Instance Example for VoIP/VoLTE Security Services
   Appendix C.  Policy Instance YANG Example for VoIP/VoLTE Security Services
   Appendix D.  Example XML output for VoIP service
   Authors' Addresses

1.  Introduction

   This document provides a YANG [RFC6020] data model that defines the
   required data for the Consumer-Facing Interface between an Interface
   to Network Security Functions (I2NSF) User and Security Controller in
   an I2NSF system [i2nsf-framework] in a Network Functions
   Virtualization (NFV) environment.  The data model is required for
   enabling different users of a given I2NSF system to define, manage
   and monitor security policies for specific flows within an
   administrative domain.  This document defines a YANG data model based
   on the information model of the I2NSF Consumer-Facing Interface
   [client-facing-inf-im].

   Data models are defined at a lower level of abstraction and provide
   many details.  They provide details about the implementation of a
   protocol's specification, e.g., rules that explain how to map managed
   objects onto lower-level protocol constructs.  Since conceptual
   models can be implemented in different ways, multiple data models can
   be derived from a single information model.

   The efficient and flexible provisioning of network functions by NFV
   leads to a rapid advance in the network industry.  As practical
   applications, network security functions (NSFs), such as firewall,
   intrusion detection system (IDS)/intrusion protection system (IPS),
   and attack mitigation, can also be provided as virtual network
   functions (VNFs) in the NFV system.  Through efficient virtualization
   technology, these VNFs can be automatically provisioned and
   dynamically migrated based on real-time security requirements.  This
   document presents a YANG data model to implement security functions
   based on NFV.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC3444].

3.  Terminology

   This document uses the terminology described in
   [i2nsf-terminology], [client-facing-inf-im] and
   [client-facing-inf-req].

4.  Data Modeling for Security Policies for Consumer-Facing Interface

   The main objective of this data model is to fully transform the
   information model [client-facing-inf-im] into a YANG data model that
   can be used for delivering control and management messages via the
   Consumer-Facing Interface between an I2NSF User and Security
   Controller for the I2NSF User's high-level security policies.

   The semantics of the data model must be aligned with the information
   model of the Consumer-Facing Interface.  The transformation of the
   information model was performed so that this YANG data model can
   facilitate the efficient delivery of the control or management
   messages.

   This data model is designed to support the I2NSF framework, which
   can be extended according to the security needs.  In other words,
   the model design is independent of the content and meaning of
   specific policies as well as of the implementation approach.  This
   document suggests a VoIP/VoLTE security service as a use case for
   policy rule generation.

      +-----------------+        +-----------------+
      |                 |        |                 |
      | Consumer Facing +------->+ Consumer Facing |
      |    Interface    |        |    Interface    |
      |Information Model|        |   Data Model    |
      +--------+--------+        +-----------------+
               ^
               |
               |
      +--------+------------------+
      |                           |
      |       Policy-general      |
      |                           |
      +--------+------------------+
               ^
               |
      +--------+---+-------------+------------+--------------+
      |            |             |            |              |
   +--+-------+ +--+-------+ +---+-----+ +----+----+ +-------+----+
   |          | |          | |         | |         | |            |
   |  Multi   | | Endpoint | | Policy  | | Threat  | | Telemetry  |
   | tenancy  | |  groups  | |         | |  feed   | |   data     |
   +----------+ +----------+ +----+----+ +---------+ +------------+
                                  ^
                                  |
                                  |
                           +------+------+
                           |             |
                           |    Rule     |
                           |             |
                           +------+------+
                                  ^
                                  |
                 +----------------+----------------+
                 |                |                |
          +------+------+  +------+------+  +------+------+
          |             |  |             |  |             |
          |    Event    |  |  Condition  |  |   Action    |
          |             |  |             |  |             |
          +-------------+  +-------------+  +-------------+

      Figure 1: High-level abstraction for Consumer-Facing Interface

   Multi-tenancy in this document enables multiple administrative
   domains in order to manage application resources.  An enterprise
   organization may have multiple tenants or departments such as HR,
   finance, and legal.  Thus, we need an object which defines a set of
   permissions assigned to a user in an organization that wants to
   manage its own security policies.  You can think of it as a way to
   assign policy users to a job function or a set of permissions within
   the organization.  The policy-role object SHALL have Name, Date and
   access-profile to grant or deny permissions for the purpose of
   security policy management.

   module: policy-general
     +--rw policy
     |  +--rw rule* [rule-id]
     |     +--rw rule-id             uint16
     |     +--rw name?               string
     |     +--rw date?               yang:date-and-time
     |     +--rw case?               string
     |     +--rw event* [event-id]
     |     |  +--rw event-id            string
     |     |  +--rw name?               string
     |     |  +--rw date?               yang:date-and-time
     |     |  +--rw event-type?         string
     |     |  +--rw time-information?   string
     |     |  +--rw event-map-group?    -> /threat-feed/event-map-group
     |     |  |                            /event-map-group-id
     |     |  +--rw enable?             boolean
     |     +--rw condition* [condition-id]
     |     |  +--rw condition-id       string
     |     |  +--rw source?            string
     |     |  +--rw destination?       string
     |     |  +--rw match?             boolean
     |     |  +--rw match-direction?   string
     |     |  +--rw exception?         string
     |     +--rw policy-action* [policy-action-id]
     |        +--rw policy-action-id    string
     |        +--rw name?               string
     |        +--rw date?               yang:date-and-time
     |        +--rw primary-action?     string
     |        +--rw secondary-action?   string
     |        +--rw owner?              string
     +--rw multi-tenancy
     |  +--rw policy-domain* [policy-domain-id]
     |  |  +--rw policy-domain-id         uint16
     |  |  +--rw name                     string
     |  |  +--rw address?                 string
     |  |  +--rw contact                  string
     |  |  +--rw date                     yang:date-and-time
     |  |  +--rw policy-tenant* [policy-tenant-id]
     |  |  |  +--rw policy-tenant-id    uint16
     |  |  |  +--rw name                string
     |  |  |  +--rw date                yang:date-and-time
     |  |  |  +--rw domain?             -> /multi-tenancy
     |  |  |                                /policy-domain
     |  |  |                                /policy-domain-id
     |  |  +--rw authentication-method?   -> /multi-tenancy
     |  |                                     /policy-mgnt-auth-method
     |  |                                     /policy-mgnt-auth-method-id
     |  +--rw policy-role* [policy-role-id]
     |  |  +--rw policy-role-id    uint16
     |  |  +--rw name              string
     |  |  +--rw date              yang:date-and-time
     |  |  +--rw access-profile    string
     |  +--rw policy-user* [policy-user-id]
     |  |  +--rw policy-user-id     uint16
     |  |  +--rw name               string
     |  |  +--rw date               yang:date-and-time
     |  |  +--rw password           string
     |  |  +--rw email              string
     |  |  +--rw scope-type?        string
     |  |  +--rw scope-reference?   string
     |  |  +--rw role               string
     |  +--rw policy-mgnt-auth-method* [policy-mgnt-auth-method-id]
     |     +--rw policy-mgnt-auth-method-id    uint16
     |     +--rw name                          string
     |     +--rw date                          yang:date-and-time
     |     +--rw authentication-method         enumeration
     |     +--rw mutual-authentication         boolean
     |     +--rw token-server                  inet:ipv4-address
     |     +--rw certificate-server            inet:ipv4-address
     |     +--rw single-sing-on-server         inet:ipv4-address
     +--rw endpoint-group
     |  +--rw meta-data-source* [meta-data-source-id]
     |  |  +--rw meta-data-source-id         uint16
     |  |  +--rw name                        string
     |  |  +--rw date                        yang:date-and-time
     |  |  +--rw tag-type?                   boolean
     |  |  +--rw tag-server-information?     inet:ipv4-address
     |  |  +--rw tag-application-protocol?   string
     |  |  +--rw tag-server-credential?      string
     |  +--rw user-group* [user-group-id]
     |  |  +--rw user-group-id       uint16
     |  |  +--rw name?               string
     |  |  +--rw date?               yang:date-and-time
     |  |  +--rw group-type?         enumeration
     |  |  +--rw meta-data-server?   inet:ipv4-address
     |  |  +--rw group-member?       string
     |  |  +--rw risk-level?         uint16
     |  +--rw device-group* [device-group-id]
     |  |  +--rw device-group-id     uint16
     |  |  +--rw name?               string
     |  |  +--rw date?               yang:date-and-time
     |  |  +--rw group-type?         enumeration
     |  |  +--rw meta-data-server?   inet:ipv4-address
     |  |  +--rw group-member?       string
     |  |  +--rw risk-level?         uint16
     |  +--rw application-group* [application-group-id]
     |  |  +--rw application-group-id   uint16
     |  |  +--rw name?                  string
     |  |  +--rw date?                  yang:date-and-time
     |  |  +--rw group-type?            enumeration
     |  |  +--rw meta-data-server?      inet:ipv4-address
     |  |  +--rw group-member?          string
     |  |  +--rw risk-level?            uint16
     |  +--rw location-group* [location-group-id]
     |     +--rw location-group-id   uint16
     |     +--rw name?               string
     |     +--rw date?               yang:date-and-time
     |     +--rw group-type?         enumeration
     |     +--rw meta-data-server?   inet:ipv4-address
     |     +--rw group-member?       string
     |     +--rw risk-level?         uint16
     +--rw threat-feed
     |  +--rw threat-feed* [threat-feed-id]
     |  |  +--rw threat-feed-id   uint16
     |  |  +--rw name?            string
     |  |  +--rw date?            yang:date-and-time
     |  |  +--rw feed-type        enumeration
     |  |  +--rw feed-server?     inet:ipv4-address
     |  |  +--rw feed-priority?   uint16
     |  +--rw custom-list* [custom-list-id]
     |  |  +--rw custom-list-id   uint16
     |  |  +--rw name?            string
     |  |  +--rw date?            yang:date-and-time
     |  |  +--rw list-type        enumeration
     |  |  +--rw list-property    enumeration
     |  |  +--rw list-content?    string
     |  +--rw malware-scan-group* [malware-scan-group-id]
     |  |  +--rw malware-scan-group-id   uint16
     |  |  +--rw name?                   string
     |  |  +--rw date?                   yang:date-and-time
     |  |  +--rw signature-server?       inet:ipv4-address
     |  |  +--rw file-types?             string
     |  |  +--rw malware-signatures?     string
     |  +--rw event-map-group* [event-map-group-id]
     |     +--rw event-map-group-id   uint16
     |     +--rw name?                string
     |     +--rw date?                yang:date-and-time
     |     +--rw security-events?     string
     |     +--rw threat-map?          string
     +--rw telemetry-data
        +--rw telemetry-data* [telemetry-data-id]
        |  +--rw telemetry-data-id   uint16
        |  +--rw name?               string
        |  +--rw date?               yang:date-and-time
        |  +--rw logs?               boolean
        |  +--rw syslogs?            boolean
        |  +--rw snmp?               boolean
        |  +--rw sflow?              boolean
        |  +--rw netflow?            boolean
        |  +--rw interface-stats?    boolean
        +--rw telemetry-source* [telemetry-source-id]
        |  +--rw telemetry-source-id    uint16
        |  +--rw name?                  string
        |  +--rw date?                  yang:date-and-time
        |  +--rw source-type?           enumeration
        |  +--rw nsf-source?            inet:ipv4-address
        |  +--rw nsf-credentials?       string
        |  +--rw collection-interval?   uint16
        |  +--rw collection-method?     enumeration
        |  +--rw heartbeat-interval?    uint16
        |  +--rw qos-marking?           uint16
        +--rw telemetry-destination* [telemetry-destination-id]
           +--rw telemetry-destination-id   uint16
           +--rw name?                      string
           +--rw date?                      yang:date-and-time
           +--rw collector-source?          inet:ipv4-address
           +--rw collector-credentials?     string
           +--rw data-encoding?             string
           +--rw data-transport?            enumeration

   Figure 2: Generic Data Model for Security Policies for Consumer-Facing
             Interface

5.  YANG Data Model for Security Policies for Consumer-Facing Interface

   This section describes a YANG data model for the Consumer-Facing
   Interface, based on the information model of the Consumer-Facing
   Interface to the security controller [client-facing-inf-im].

   file "policy-general.yang"
   module ietf-policy-general {
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-policy-general";
     prefix
       cf-interface;

     import ietf-yang-types {
       prefix yang;
     }

     import ietf-inet-types {
       prefix inet;
     }

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Adrian Farrel

        WG Chair: Linda Dunbar

        Editor: Jaehoon Paul Jeong
       ";

     description
       "This module defines a YANG data module for consumer-facing
        interface to security controller.";

     revision "2018-07-02" {
       description "fourth revision";
       reference
         "draft-kumar-i2nsf-client-facing-interface-im-04";
     }

     //Groupings
     container policy {
       description
         "This object is a policy instance to have
          complete information such as where and when
          a policy need to be applied.";

       list rule {
         key "rule-id";
         leaf rule-id {
           type uint16;
           description
             "This is ID for rules.";
         }
         description
           "This is a container for rules.";
         leaf name {
           type string;
           description
             "This field identifies the name of this object.";
         }

         leaf date {
           type yang:date-and-time;
           description
             "Date this object was created or last
              modified";
         }

         leaf case {
           type string;
           description
             "to identify whether the rule belongs to
              web filter or enterprise mode.";
         }

         list event {
           key "event-id";
           description
             "This represents the security event of a
              policy-rule.";

           leaf event-id {
             type string;
             mandatory true;
             description
               "This represents the event-id.";
           }

           leaf name {
             type string;
             description
               "This field identifies the name of this object.";
           }

           leaf date {
             type yang:date-and-time;
             description
               "Date this object was created or last
                modified";
           }

           leaf event-type {
             type string;
             description
               "This field identifies the event of
                policy enforcement trigger type.";
           }

           leaf time-information {
             type string;
             description
               "This field contains time calendar such as
                BEGIN-TIME and END-TIME for one time
                enforcement or recurring time calendar for
                periodic enforcement.";
           }

           leaf event-map-group {
             type leafref {
               path "/threat-feed/event-map-group/event-map-group-id";
             }
             description
               "This field contains security events or threat
                map in order to determine when a policy need
                to be activated. This is a reference to
                Event-Map-Group.";
           }

           leaf enable {
             type boolean;
             description
               "This determines whether the condition
                matches the security event or not.";
           }
         }

         list condition {
           key "condition-id";
           description
             "This represents the condition of a
              policy-rule.";

           leaf condition-id {
             type string;
             description
               "This represents the condition-id.";
           }

           leaf source {
             type string;
             description
               "This field identifies the source of
                the traffic. This could be reference to
                either 'Policy Endpoint Group' or
                'Threat-Feed' or 'Custom-List' if Security
                Admin wants to specify the source; otherwise,
                the default is to match all traffic.";
           }

           leaf destination {
             type string;
             description
               "This field identifies the destination of
                the traffic. This could be reference to
                either 'Policy Endpoint Group' or
                'Threat-Feed' or 'Custom-List' if Security
                Admin wants to specify the destination; otherwise,
                the default is to match all traffic.";
           }

           leaf match {
             type boolean;
             description
               "This field identifies the match criteria used to
                evaluate whether the specified action need to be
                taken or not. This could be either a Policy-
                Endpoint-Group identifying an Application set or a
                set of traffic rules.";
           }

           leaf match-direction {
             type string;
             description
               "This field identifies if the match criteria is
                to be evaluated for both directions of the traffic or
                only in one direction with default of allowing in
                the other direction for stateful match conditions.
                This is optional and by default the rule should apply
                in both directions.";
           }

           leaf exception {
             type string;
             description
               "This field identifies the exception
                consideration when a rule is evaluated for a
                given communication. This could be reference to
                Policy-Endpoint-Group object or set of traffic
                matching criteria.";
           }
         }

         list policy-action {
           key "policy-action-id";

           leaf policy-action-id {
             type string;
             mandatory true;
             description
               "This represents the policy-action-id.";
           }
           description
             "This object represents actions that a
              Security Admin wants to perform based on
              a certain traffic class.";

           leaf name {
             type string;
             description
               "The name of the policy-action object.";
           }

           leaf date {
             type yang:date-and-time;
             description
               "When the object was created or last
                modified.";
           }

           leaf primary-action {
             type string;
             description
               "This field identifies the action when a rule
                is matched by NSF. The action could be one of
                'PERMIT', 'DENY', 'RATE-LIMIT', 'TRAFFIC-CLASS',
                'AUTHENTICATE-SESSION', 'IPS', 'APP-FIREWALL', etc.";
           }

           leaf secondary-action {
             type string;
             description
               "This field identifies additional actions if
                a rule is matched. This could be one of 'LOG',
                'SYSLOG', 'SESSION-LOG', etc.";
           }

           leaf owner {
             type string;
             description
               "This field defines the owner of this
                policy. Only the owner is authorized to
                modify the contents of the policy.";
           }
         }
       }
     }

     container multi-tenancy {
       description
         "The descriptions of multi-tenancy.";

       list policy-domain {
         key "policy-domain-id";

         leaf policy-domain-id {
           type uint16;
           description
             "This represents the list of domains.";
         }
         description
           "This represents the list of policy domains.";
         leaf name {
           type string;
           mandatory true;
           description
             "Name of the organization or customer representing
              this domain.";
         }

         leaf address {
           type string;
           description
             "Address of an organization or customer.";
         }

         leaf contact {
           type string;
           mandatory true;
           description
             "Contact information of the organization
              or customer.";
         }

         leaf date {
           type yang:date-and-time;
           mandatory true;
           description
             "The date when this account was created
              or last modified.";
         }
         list policy-tenant {
           key "policy-tenant-id";
           leaf policy-tenant-id {
             type uint16;
             description
               "The policy tenant id.";
           }
           description
             "This represents the list of tenants.";

           leaf name {
             type string;
             mandatory true;
             description
               "Name of the Department or Division within
                an organization.";
           }

           leaf date {
             type yang:date-and-time;
             mandatory true;
             description
               "Date this account was created or last modified.";
           }

           leaf domain {
             type leafref {
               path "/multi-tenancy/policy-domain/policy-domain-id";
             }
             description
               "This field identifies the domain to which this
                tenant belongs. This should be reference to a
                'Policy-Domain' object.";
           }
         }
         leaf authentication-method {
           type leafref {
             path "/multi-tenancy/policy-mgnt-auth-method"
                + "/policy-mgnt-auth-method-id";
           }

           description
             "Authentication method to be used for this domain.
              It should be a reference to a 'policy-mgmt-auth-method'
              object.";
         }
       }

       list policy-role {
         key "policy-role-id";

         leaf policy-role-id {
           type uint16;
           mandatory true;
           description
             "This defines a set of permissions assigned
              to a user in an organization that wants to manage
              its own Security Policies.";
         }
         description
           "This represents the list of policy roles.";

         leaf name {
           type string;
           mandatory true;
           description
             "This field identifies the name of the role.";
         }

         leaf date {
           type yang:date-and-time;
           mandatory true;
           description
             "Date this role was created or last modified.";
         }

         leaf access-profile {
           type string;
           mandatory true;
           description
             "This field identifies the access profile for the
              role. The profile grants or denies access to policy
              objects. Multiple access profiles can be
              concatenated together.";
         }
       }

       list policy-user {
         key "policy-user-id";

         leaf policy-user-id {
           type uint16;
           description
             "This represents the policy-user-id.";
         }
         description
           "This represents the list of policy users.";
         leaf name {
           type string;
           mandatory true;
           description
             "The name of a user.";
         }

         leaf date {
           type yang:date-and-time;
           mandatory true;
           description
             "Date this user was created or last modified";
         }

         leaf password {
           type string;
           mandatory true;
           description
             "User password for basic authentication";
         }

         leaf email {
           type string;
           mandatory true;
           description
             "The email account of a user";
         }

         leaf scope-type {
           type string;
           description
             "Identifies whether a user has domain-wide
              or tenant-wide privileges";
         }
         leaf scope-reference {
           type string;
           description
             "This references policy-domain or policy-tenant
              to identify the scope.";
         }

         leaf role {
           type string;
           mandatory true;
           description
             "This references policy-role to define specific
              permissions";
         }
       }

       list policy-mgnt-auth-method {
         key "policy-mgnt-auth-method-id";

         leaf policy-mgnt-auth-method-id {
           type uint16;
           description
             "This represents the authentication method id.";
         }
         description
           "The descriptions of policy management
            authentication methods.";
         leaf name {
           type string;
           mandatory true;
           description
             "Name of the authentication method";
         }

         leaf date {
           type yang:date-and-time;
           mandatory true;
           description
             "Date when the authentication method
              was created";
         }

         leaf authentication-method {
           type enumeration {
             enum password {
               description
                 "password-based authentication.";
             }
             enum token {
               description
                 "token-based authentication.";
             }
             enum certificate {
               description
                 "certificate-based authentication.";
             }
           }
           mandatory true;
           description
             "The description of authentication method;
              token-based, password, certificate,
              single-sign-on";
         }

         leaf mutual-authentication {
           type boolean;
           mandatory true;
           description
             "To identify whether the authentication
              is mutual";
         }

         leaf token-server {
           type inet:ipv4-address;
           mandatory true;
           description
             "The token-server information if the
              authentication method is token-based";
         }

         leaf certificate-server {
           type inet:ipv4-address;
           mandatory true;
           description
             "The certificate-server information if
              the authentication method is certificate-based";
         }

         leaf single-sing-on-server {
           type inet:ipv4-address;
           mandatory true;
           description
             "The single-sign-on-server information
              if the authentication method is
              single-sign-on-based";
         }

       }
     }
     container endpoint-group {
       description
         "A logical entity in their business
          environment, where a security policy
          is to be applied.";

       list meta-data-source {
         key "meta-data-source-id";
         leaf meta-data-source-id {
           type uint16;
           mandatory true;
           description
             "This represents the meta-data source id.";
         }
         description
           "This represents the meta-data source.";

         leaf name {
           type string;
           mandatory true;
           description
             "This identifies the name of the
              meta-data-source.";
         }

         leaf date {
           type yang:date-and-time;
           mandatory true;
           description
             "This identifies the date this object was
              created or last modified.";
         }

         leaf tag-type {
           type boolean;
           description
             "This identifies the group type; user group,
              app group or device group.";
         }

         leaf tag-server-information {
           type inet:ipv4-address;
           description
             "The tag server information, i.e., the IPv4
              address of the tag server.";
         }

         leaf tag-application-protocol {
           type string;
           description
             "This field identifies the protocol e.g. LDAP,
              Active Directory, or CMDB";
         }

         leaf tag-server-credential {
           type string;
           description
             "This field identifies the credential
              information needed to access the tag server";
         }
       }

       list user-group {
         key "user-group-id";

         leaf user-group-id {
           type uint16;
           mandatory true;
           description
             "This represents the user group id.";
         }
         description
           "This represents the user group.";

         leaf name {
           type string;
           description
             "This field identifies the name of user-group.";
         }

         leaf date {
           type yang:date-and-time;
           description
             "When this user-group was created or last modified.";
         }

         leaf group-type {
           type enumeration {
             enum user-tag {
               description
                 "The user group is based on user-tag.";
             }
             enum user-name {
               description
                 "The user group is based on user-name.";
             }
             enum ip-address {
               description
                 "The user group is based on ip-address.";
             }
           }

           description
             "This describes the group type; User-tag,
              User-name or IP-address.";
         }

         leaf meta-data-server {
           type inet:ipv4-address;
           description
             "This references metadata source";
         }

         leaf group-member {
           type string;
           description
             "This describes the user-tag information";
         }

         leaf risk-level {
           type uint16;
           description
             "This represents the threat level; valid range
              may be 0 to 9.";
         }
       }

       list device-group {
         key "device-group-id";
         leaf device-group-id {
           type uint16;
           description
             "This represents a device group id.";
         }
         description
           "This represents a device group.";
         leaf name {
           type string;
           description
             "This field identifies the name of
              a device-group.";
         }
         leaf date {
           type yang:date-and-time;
           description
             "The date when this group was created or
              last modified.";
         }

         leaf group-type {
           type enumeration {
             enum device-tag {
               description
                 "The device group is based on device-tag.";
             }
             enum device-name {
               description
                 "The device group is based on device-name.";
             }
             enum ip-address {
               description
                 "The device group is based on ip-address.";
             }
           }
           description
             "This describes the group type; device-tag,
              device-name or IP-address.";
         }

         leaf meta-data-server {
           type inet:ipv4-address;
           description
             "This references meta-data-source
              object.";
         }

         leaf group-member {
           type string;
           description
             "This describes the device-tag, device-name or
              IP-address information";
         }

         leaf risk-level {
           type uint16;
           description
             "This represents the threat level; valid range
              may be 0 to 9.";
         }

       }

       list application-group {
         key "application-group-id";
         leaf application-group-id {
           type uint16;
           description
             "This represents an application group id.";
         }
         description
           "This represents an application group.";
         leaf name {
           type string;
           description
             "This field identifies the name of
              an application group";
         }

         leaf date {
           type yang:date-and-time;
           description
             "The date when this group was created or
              last modified.";
         }

         leaf group-type {
           type enumeration {
             enum application-tag {
               description
                 "The application group is based on application-tag.";
             }
             // enum name corrected from 'device-name' (copy-paste
             // error); its description already said application-name
             enum application-name {
               description
                 "The application group is based on application-name.";
             }
             enum ip-address {
               description
                 "The application group is based on ip-address.";
             }
           }
           description
             "This identifies the group type;
              application-tag, application-name or
              IP-address.";
         }

         leaf meta-data-server {
           type inet:ipv4-address;
           description
             "This references meta-data-source
              object.";
         }

         leaf group-member {
           type string;
           description
             "This describes the application-tag,
              application-name or IP-address information";
         }

         leaf risk-level {
           type uint16;
           description
             "This represents the threat level; valid range
              may be 0 to 9.";
         }
       }

       list location-group {
         key "location-group-id";
         leaf location-group-id {
           type uint16;
           description
             "This represents a location group id.";
         }
         description
           "This represents a location group.";

         leaf name {
           type string;
           description
             "This field identifies the name of
              a location group";
         }

         leaf date {
           type yang:date-and-time;
           description
             "The date when this group was created or
              last modified.";
         }

         leaf group-type {
           type enumeration {
             enum location-tag {
               description
                 "The location group is based on location-tag.";
             }
             enum location-name {
               description
                 "The location group is based on location-name.";
             }
             enum ip-address {
               description
                 "The location group is based on ip-address.";
             }
           }
           description
             "This identifies the group type;
              location-tag, location-name or
              IP-address.";
         }

         leaf meta-data-server {
           type inet:ipv4-address;
           description
             "This references meta-data-source
              object.";
         }

         leaf group-member {
           type string;
           description
             "This describes the location-tag,
              location-name or IP-address information";
         }

         leaf risk-level {
           type uint16;
           description
             "This represents the threat level; valid range
              may be 0 to 9.";
         }
       }
     }

     container threat-feed {
       description
         "This describes the list of threat-feed.";

       list threat-feed {
         key "threat-feed-id";

         leaf threat-feed-id {
           type uint16;
           mandatory true;
           description
             "This represents the threat-feed-id.";
         }
         description
           "This represents the threat feed within the
            threat-prevention-list.";
         leaf name {
           type string;
           description
             "Name of the threat feed.";
         }

         leaf date {
           type yang:date-and-time;
           description
             "When the threat-feed was created.";
         }

         leaf feed-type {
           type enumeration {
             enum unknown {
               description
                 "feed-type is unknown.";
             }
             enum ip-address {
               description
                 "feed-type is IP address.";
             }
             enum url {
               description
                 "feed-type is URL.";
             }
           }
           mandatory true;
           description
             "This determines whether the feed-type is IP address
              based or URL based.";
         }

         leaf feed-server {
           type inet:ipv4-address;
           description
             "This contains threat feed server information.";
         }

         leaf feed-priority {
           type uint16;
           description
             "This describes the priority of the threat from
              0 to 5, where 0 means the threat is minimum and
              5 means the maximum.";
         }
       }

       list custom-list {
         key "custom-list-id";
         leaf custom-list-id {
           type uint16;
           description
             "This describes the custom-list-id.";
         }
         description
           "This describes the threat-prevention custom list.";
         leaf name {
           type string;
           description
             "Name of the custom-list.";
         }

         leaf date {
           type yang:date-and-time;
           description
             "When the custom list was created.";
         }

         leaf list-type {
           type enumeration {
             enum unknown {
               description
                 "list-type is unknown.";
             }
             enum ip-address {
               description
                 "list-type is IP address.";
             }
             enum mac-address {
               description
                 "list-type is MAC address.";
             }
             enum url {
               description
                 "list-type is URL.";
             }
           }
           mandatory true;
description 1345 "This determined whether the feed-type is IP address 1346 based or URL based."; 1347 } 1349 leaf list-property { 1350 type enumeration { 1351 enum unknown { 1352 description 1353 "list-property is unknown."; 1354 } 1355 enum blacklist { 1356 description 1357 "list-property is blacklist."; 1358 } 1359 enum whitelist { 1360 description 1361 "list-property is whitelist."; 1362 } 1363 } 1364 mandatory true; 1365 description 1366 "This determined whether the list-type is blacklist 1367 or whitelist."; 1368 } 1370 leaf list-content { 1371 type string; 1372 description 1373 "This describes the contents of the custom-list."; 1374 } 1375 } 1377 list malware-scan-group { 1378 key "malware-scan-group-id"; 1379 leaf malware-scan-group-id { 1380 type uint16; 1381 mandatory true; 1382 description 1383 "This is the malware-scan-group-id."; 1384 } 1385 description 1386 "This represents the malware-scan-group."; 1387 leaf name { 1388 type string; 1389 description 1390 "Name of the malware-scan-group."; 1392 } 1394 leaf date { 1395 type yang:date-and-time; 1396 description 1397 "when the malware-scan-group was created."; 1398 } 1400 leaf signature-server { 1401 type inet:ipv4-address; 1402 description 1403 "This describes the signature server of the 1404 malware-scan-group."; 1405 } 1407 leaf file-types { 1408 type string; 1409 description 1410 "This contains a list of file types needed to 1411 be scanned for the virus."; 1412 } 1414 leaf malware-signatures { 1415 type string; 1416 description 1417 "This contains a list of malware signatures or hash."; 1418 } 1419 } 1421 list event-map-group { 1422 key "event-map-group-id"; 1423 leaf event-map-group-id { 1424 type uint16; 1425 mandatory true; 1426 description 1427 "This is the event-map-group-id."; 1428 } 1429 description 1430 "This represents the event map group."; 1432 leaf name { 1433 type string; 1434 description 1435 "Name of the event-map."; 1436 } 1438 leaf date { 1439 type yang:date-and-time; 1440 
description 1441 "when the event-map was created."; 1442 } 1444 leaf security-events { 1445 type string; 1446 description 1447 "This contains a list of security events."; 1448 } 1450 leaf threat-map { 1451 type string; 1452 description 1453 "This contains a list of threat levels."; 1454 } 1455 } 1456 } 1458 container telemetry-data { 1459 description 1460 "Telemetry provides visibility into the network 1461 activities which can be tapped for further 1462 security analytics, e.g., detecting potential 1463 vulnerabilities, malicious activities, etc."; 1465 list telemetry-data { 1466 key "telemetry-data-id"; 1468 leaf telemetry-data-id { 1469 type uint16; 1470 mandatory true; 1471 description 1472 "This is ID for telemetry-data-id."; 1473 } 1474 description 1475 "This is ID for telemetry-data."; 1477 leaf name { 1478 type string; 1479 description 1480 "Name of the telemetry-data object."; 1481 } 1483 leaf date { 1484 type yang:date-and-time; 1485 description 1486 "This field states when the telemery-data 1487 object was created."; 1489 } 1491 leaf logs { 1492 type boolean; 1493 description 1494 "This field identifies whether logs 1495 need to be collected."; 1496 } 1498 leaf syslogs { 1499 type boolean; 1500 description 1501 "This field identifies whether System logs 1502 need to be collected."; 1503 } 1505 leaf snmp { 1506 type boolean; 1507 description 1508 "This field identifies whether 'SNMP traps' and 1509 'SNMP alarms' need to be collected."; 1510 } 1512 leaf sflow { 1513 type boolean; 1514 description 1515 "This field identifies whether 'sFlow' data 1516 need to be collected."; 1517 } 1519 leaf netflow { 1520 type boolean; 1521 description 1522 "This field identifies whether 'NetFlow' data 1523 need to be collected."; 1524 } 1526 leaf interface-stats { 1527 type boolean; 1528 description 1529 "This field identifies whether 'Interface' data 1530 such as packet bytes and counts need to be 1531 collected."; 1532 } 1533 } 1535 list telemetry-source { 1536 key 
"telemetry-source-id"; 1537 leaf telemetry-source-id { 1538 type uint16; 1539 mandatory true; 1540 description 1541 "This is ID for telemetry-source-id."; 1542 } 1543 description 1544 "This is ID for telemetry-source."; 1546 leaf name { 1547 type string; 1548 description 1549 "This identifies the name of this object."; 1550 } 1552 leaf date { 1553 type yang:date-and-time; 1554 description 1555 "Date this object was created or last modified"; 1556 } 1558 leaf source-type { 1559 type enumeration { 1560 enum network-nsf { 1561 description 1562 "NSF telemetry source type is network-nsf."; 1563 } 1565 enum firewall-nsf { 1566 description 1567 "NSF telemetry source type is firewall-nsf."; 1568 } 1569 enum ids-nsf { 1570 description 1571 "NSF telemetry source type is ids-nsf."; 1572 } 1573 enum ips-nsf { 1574 description 1575 "NSF telemetry source type is ips-nsf."; 1576 } 1577 enum proxy-nsf { 1578 description 1579 "NSF telemetry source type is proxy-nsf."; 1580 } 1581 enum other-nsf { 1582 description 1583 "NSF telemetry source type is other-nsf."; 1584 } 1586 } 1587 description 1588 "This should have one of the following type of 1589 the NSF telemetry source: NETWORK-NSF, 1590 FIREWALL-NSF, IDS-NSF, IPS-NSF, 1591 PROXY-NSF, VPN-NSF, DNS, ACTIVE-DIRECTORY, 1592 IP Reputation Authority, Web Reputation 1593 Authority, Anti-Malware Sandbox, Honey Pot, 1594 DHCP, Other Third Party, ENDPOINT"; 1595 } 1597 leaf nsf-source { 1598 type inet:ipv4-address; 1599 description 1600 "This field contains information such as 1601 IP address and protocol (UDP or TCP) port 1602 number of the NSF providing telemetry data."; 1603 } 1605 leaf nsf-credentials { 1606 type string; 1607 description 1608 "This field contains username and password 1609 to authenticate with the NSF."; 1610 } 1612 leaf collection-interval { 1613 type uint16; 1614 units seconds; 1615 default 5000; 1616 description 1617 "This field contains time in milliseconds 1618 between each data collection. 
For example, 1619 a value of 5000 means data is streamed to 1620 collector every 5 seconds. Value of 0 means 1621 data streaming is event-based"; 1622 } 1624 leaf collection-method { 1625 type enumeration { 1626 enum unknown { 1627 description 1628 "collection-method is unknown."; 1629 } 1630 enum push-based { 1631 description 1632 "collection-method is PUSH-based."; 1633 } 1634 enum pull-based { 1635 description 1636 "collection-method is PULL-based."; 1637 } 1638 } 1639 description 1640 "This field contains a method of collection, 1641 i.e., whether it is PUSH-based or PULL-based."; 1642 } 1643 leaf heartbeat-interval { 1644 type uint16; 1645 units seconds; 1646 description 1647 "time in seconds the source sends telemetry 1648 heartbeat."; 1649 } 1651 leaf qos-marking { 1652 type uint16; 1653 description 1654 "DSCP value must be contained in this field."; 1655 } 1656 } 1658 list telemetry-destination { 1659 key "telemetry-destination-id"; 1661 leaf telemetry-destination-id { 1662 type uint16; 1663 description 1664 "this represents the telemetry-destination-id"; 1665 } 1666 description 1667 "This object contains information related to 1668 telemetry destination. 
The destination is 1669 usually a collector which is either a part of 1670 Security Controller or external system 1671 such as Security Information and Event 1672 Management (SIEM)."; 1674 leaf name { 1675 type string; 1676 description 1677 "This identifies the name of this object."; 1678 } 1680 leaf date { 1681 type yang:date-and-time; 1682 description 1683 "Date this object was created or last 1684 modified"; 1685 } 1687 leaf collector-source { 1688 type inet:ipv4-address; 1689 description 1690 "This field contains information such as 1691 IP address and protocol (UDP or TCP) port 1692 number for the collector's destination."; 1693 } 1695 leaf collector-credentials { 1696 type string; 1697 description 1698 "This field contains the username and 1699 password for the collector."; 1700 } 1702 leaf data-encoding { 1703 type string; 1704 description 1705 "This field contains the telemetry data encoding 1706 in the form of schema."; 1707 } 1709 leaf data-transport { 1710 type enumeration{ 1711 enum grpc { 1712 description 1713 "telemetry data protocol is grpc."; 1714 } 1715 enum buffer-over-udp{ 1716 description 1717 "telemetry data protocol is buffer over UDP."; 1718 } 1719 } 1720 description 1721 "This field contains streaming telemetry data 1722 protocols. This could be gRPC, protocol 1723 buffer over UDP, etc."; 1724 } 1725 } 1726 } 1727 } 1728 1729 Figure 3: YANG for policy-general 1731 6. Security Considerations 1733 The data model for the I2NSF Consumer-Facing Interface is derived 1734 from the I2NSF Consumer-Facing Interface Information Model 1735 [client-facing-inf-im], so the same security considerations with the 1736 information model should be included in this document. The data 1737 model needs to support a mechanism to protect Consumer-Facing 1738 Interface to Security Controller. 1740 7. 
Acknowledgments 1742 This work was supported by Institute for Information & communications 1743 Technology Promotion(IITP) grant funded by the Korea government(MSIP) 1744 (No.R-20160222-002755, Cloud based Security Intelligence Technology 1745 Development for the Customized Security Service Provisioning). 1747 This document has greatly benefited from inputs by Hyoungshick Kim, 1748 Mahdi F. Dachmehchi, Seungjin Lee, Jinyong Tim Kim, and Daeyoung 1749 Hyun. 1751 8. Contributors 1753 I2NSF is a group effort. The following people actively contributed 1754 to the consumer facing interface data model, and are considered co- 1755 authors: o Hyoungshick Kim (Sungkyunkwan University) o Seungjin Lee 1756 (Sungkyunkwan University) 1758 9. References 1760 9.1. Normative References 1762 [RFC3444] Pras, A., "On the Difference between Information Models 1763 and Data Models", RFC 3444, January 2003. 1765 9.2. Informative References 1767 [client-facing-inf-im] 1768 Kumar, R., Lohiya, A., Qi, D., Bitar, N., Palislamovic, 1769 S., and L. Xia, "Information model for Client-Facing 1770 Interface to Security Controller", draft-kumar-i2nsf- 1771 client-facing-interface-im-04 (work in progress), July 1772 2017. 1774 [client-facing-inf-req] 1775 Kumar, R., Lohiya, A., Qi, D., Bitar, N., Palislamovic, 1776 S., and L. Xia, "Requirements for Client-Facing Interface 1777 to Security Controller", draft-ietf-i2nsf-client-facing- 1778 interface-req-03 (work in progress), July 2017. 1780 [i2nsf-framework] 1781 Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. 1782 Kumar, "Framework for Interface to Network Security 1783 Functions", draft-ietf-i2nsf-framework-08 (work in 1784 progress), October 2017. 1786 [i2nsf-terminology] 1787 Hares, S., Strassner, J., Lopez, D., Birkholz, H., and L. 1788 Xia, "Information model for Client-Facing Interface to 1789 Security Controller", draft-ietf-i2nsf-terminology-04 1790 (work in progress), July 2017. 
1792 [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the 1793 Network Configuration Protocol (NETCONF)", RFC 6020, 1794 October 2010. 1796 Appendix A. Changes from draft-ietf-i2nsf-consumer-facing-interface- 1797 dm-00 1799 The following changes have been made from draft-jeong-i2nsf-consumer- 1800 facing-interface-dm-05: 1802 o In Section 3, the high-level abstraction of the consumer facing 1803 interface has been added. 1805 o The overall organization of the YANG data model and its data types 1806 have also been reviewed and corrected, and produced the 1807 corresponding data tree as shown in the Section 5. 1809 o Overall editorial errors have been corrected. 1811 Appendix B. Use Case: Policy Instance Example for VoIP/VoLTE Security 1812 Services 1814 A common scenario for VoIP/VoLTE policy enforcement could be that a 1815 malicious call is made to a benign user of any telecommunication 1816 company. For example, imagine a case wherea company "A" employs a 1817 hacker with a malicious attempt to hack a user's phone with malware. 1818 The company "A" is located in a country, such as Africa, and uses the 1819 user's hacked phone to call the company. The hacked user is unaware 1820 of the company "A" so complains about the international call that was 1821 made to the company "B", which is the user's telecommunications 1822 company. The company "A" charges the company "B" for the 1823 international call. The company "B" cannot charge the user for the 1824 call, and has no choice but to pay the company "A". The following 1825 shows the example data tree model for the VoIP/VoLTE services. 1826 Multi-tenancy, endpoint groups, threat prevention, and telemetry data 1827 components are general part of the tree model, so we can just modify 1828 the policy instance in order to generate and enforce high-level 1829 policies. 
   The policy-calendar can act as a scheduler to set the start
   and end time to block calls that use suspicious IDs, or calls from
   other countries.

   module: policy-voip
     +--rw policy-voip
     |  +--rw rule-voip* [rule-voip-id]
     |  |  +--rw rule-voip-id           uint16
     |  |  +--rw name?                  string
     |  |  +--rw date?                  yang:date-and-time
     |  |  +--rw event* [event-id]
     |  |  |  +--rw event-id            string
     |  |  |  +--rw name?               string
     |  |  |  +--rw date?               yang:date-and-time
     |  |  |  +--rw event-type?         string
     |  |  |  +--rw Time-Information?   string
     |  |  |  +--rw event-map-group?    -> /threat-feed/event-map-group
     |  |  |                               /event-map-group-id
     |  |  |  +--rw enable?             boolean
     |  |  +--rw condition* [condition-id]
     |  |  |  +--rw condition-id        string
     |  |  |  +--rw source-caller?      -> /threat-feed/threat-feed
     |  |  |                               /threat-feed-id
     |  |  |  +--rw destination-callee? -> /threat-feed/custom-list
     |  |  |                               /custom-list-id
     |  |  |  +--rw match?              boolean
     |  |  |  +--rw match-direction?    string
     |  |  |  +--rw exception?          string
     |  |  +--rw action* [action-id]
     |  |  |  +--rw action-id           string
     |  |  |  +--rw name?               string
     |  |  |  +--rw date?               yang:date-and-time
     |  |  |  +--rw primary-action?     string
     |  |  |  +--rw secondary-action?   string
     |  |  +--rw precedence?            uint16
     |  +--rw owner* [owner-id]
     |     +--rw owner-id               string
     |     +--rw name?                  string
     |     +--rw date?                  yang:date-and-time
     +--rw threat-feed
        +--rw threat-feed* [threat-feed-id]
        |  +--rw threat-feed-id         uint16
        |  +--rw name?                  string
        |  +--rw date?                  yang:date-and-time
        |  +--rw feed-type              enumeration
        |  +--rw feed-server?           inet:ipv4-address
        |  +--rw feed-priority?         uint16
        +--rw custom-list* [custom-list-id]
        |  +--rw custom-list-id         uint16
        |  +--rw name?                  string
        |  +--rw date?                  yang:date-and-time
        |  +--rw list-type              enumeration
        |  +--rw list-property          enumeration
        |  +--rw list-content?          string
        +--rw malware-scan-group* [malware-scan-group-id]
        |  +--rw malware-scan-group-id  uint16
        |  +--rw name?                  string
        |  +--rw date?                  yang:date-and-time
        |  +--rw signature-server?      inet:ipv4-address
        |  +--rw file-types?            string
        |  +--rw malware-signatures?    string
        +--rw event-map-group* [event-map-group-id]
           +--rw event-map-group-id     uint16
           +--rw name?                  string
           +--rw date?                  yang:date-and-time
           +--rw security-events?       string
           +--rw threat-map?            string

     Figure 4: Policy Instance Example for VoIP/VoLTE Security Services

Appendix C.  Policy Instance YANG Example for VoIP/VoLTE Security
             Services

   The following YANG data model is a policy instance for VoIP/VoLTE
   security services.  The policy-calendar can act as a scheduler to set
   the start time and end time to block malicious calls which use
   suspicious IDs, or calls from other countries.

   <CODE BEGINS> file "ietf-i2nsf-cf-interface-voip.yang"

   module ietf-policy-voip {
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-policy-voip";
     prefix
       "cf-interface";

     import ietf-yang-types {
       prefix yang;
     }

     import ietf-inet-types {
       prefix inet;
     }
     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Adrian Farrel

        WG Chair: Linda Dunbar

        Editor: Jaehoon Paul Jeong
       ";

     description
       "This module defines a YANG data model for the consumer-facing
        interface to the security controller.";

     revision "2018-07-02" {
       description "sixth revision";
       reference
         "draft-kumar-i2nsf-client-facing-interface-im-04";
     }

     container policy-voip {
       description
         "This object is a policy instance that holds
          complete information such as where and when
          a policy needs to be applied.";
       list rule-voip {
         key "rule-voip-id";
         leaf rule-voip-id {
           type uint16;
           mandatory true;
           description
             "This is the ID for rules.";
         }
         description
           "This is a container for rules.";
         leaf name {
           type string;
           description
             "This field identifies the name of this object.";
         }
         leaf date {
           type yang:date-and-time;
           description
             "Date this object was created or last
              modified.";
         }
         list event {
           key "event-id";
           description
             "This represents the security event of a
              policy-rule.";
           leaf event-id {
             type string;
             mandatory true;
             description
               "This represents the event-id.";
           }
           leaf name {
             type string;
             description
               "This field identifies the name of this object.";
           }
           leaf date {
             type yang:date-and-time;
             description
               "Date this object was created or last
                modified.";
           }
           leaf event-type {
             type string;
             description
               "This field identifies the event type.";
           }
           leaf Time-Information {
             type string;
             description
               "This field contains a time calendar such as
                BEGIN-TIME and END-TIME for one-time
                enforcement or a recurring time calendar for
                periodic enforcement.";
           }
           leaf event-map-group {
             type leafref {
               path "/threat-feed/event-map-group/event-map-group-id";
             }
             description
               "This field contains security events or a threat
                map in order to determine when a policy needs
                to be activated.  This is a reference to
                Event-Map-Group.";
           }
           leaf enable {
             type boolean;
             description
               "This determines whether the condition
                matches the security event or not.";
           }
         }
         list condition {
           key "condition-id";
           description
             "This represents the condition of a
              policy-rule.";
           leaf condition-id {
             type string;
             description
               "This represents the condition-id.";
           }
           leaf source-caller {
             type leafref {
               path "/threat-feed/threat-feed/threat-feed-id";
             }
             description
               "This field identifies the source of
                the traffic.  This could be a reference to
                either 'Policy Endpoint Group' or
                'Threat-Feed' or 'Custom-List' if the Security
                Admin wants to specify the source; otherwise,
                the default is to match all traffic.";
           }
           leaf destination-callee {
             type leafref {
               path "/threat-feed/custom-list/custom-list-id";
             }
             description
               "This field identifies the destination of
                the traffic.  This could be a reference to
                either 'Policy Endpoint Group' or
                'Threat-Feed' or 'Custom-List' if the Security
                Admin wants to specify the destination; otherwise,
                the default is to match all traffic.";
           }
           leaf match {
             type boolean;
             description
               "This field identifies the match criteria used to
                evaluate whether the specified action needs to be
                taken or not.  This could be either a Policy-
                Endpoint-Group identifying an application set or a
                set of traffic rules.";
           }
           leaf match-direction {
             type string;
             description
               "This field identifies whether the match criteria are
                to be evaluated for both directions of the traffic or
                only in one direction, with the default of allowing the
                other direction for stateful match conditions.
                This is optional and by default the rule should apply
                in both directions.";
           }
           leaf exception {
             type string;
             description
               "This field identifies the exception
                considered when a rule is evaluated for a
                given communication.  This could be a reference to a
                Policy-Endpoint-Group object or a set of traffic
                matching criteria.";
           }
         }
         list action {
           key "action-id";
           leaf action-id {
             type string;
             mandatory true;
             description
               "This represents the policy-action-id.";
           }
           description
             "This object represents actions that a
              Security Admin wants to perform based on
              a certain traffic class.";
           leaf name {
             type string;
             description
               "The name of the policy-action object.";
           }

           leaf date {
             type yang:date-and-time;
             description
               "When the object was created or last
                modified.";
           }
           leaf primary-action {
             type string;
             description
               "This field identifies the action when a rule
                is matched by an NSF.  The action could be one of
                'PERMIT', 'DENY', 'RATE-LIMIT', 'TRAFFIC-CLASS',
                'AUTHENTICATE-SESSION', 'IPS', 'APP-FIREWALL', etc.";
           }
           leaf secondary-action {
             type string;
             description
               "This field identifies additional actions if
                a rule is matched.  This could be one of 'LOG',
                'SYSLOG', 'SESSION-LOG', etc.";
           }
         }
         leaf precedence {
           type uint16;
           description
             "This field identifies the precedence
              assigned to this rule by the Security Admin.
              This is helpful in conflict resolution
              when two or more rules match a given
              traffic class.";
         }
       }
       list owner {
         key "owner-id";
         leaf owner-id {
           type string;
           mandatory true;
           description
             "This represents the owner-id.";
         }
         description
           "This field defines the owner of this policy.
            Only the owner is authorized to modify the
            contents of the policy.";
         leaf name {
           type string;
           description
             "The name of the owner.";
         }
         leaf date {
           type yang:date-and-time;
           description
             "When the object was created or last
              modified.";
         }
       }
     }
     container threat-feed {
       description
         "This describes the list of threat feeds.";

       list threat-feed {
         key "threat-feed-id";
         leaf threat-feed-id {
           type uint16;
           mandatory true;
           description
             "This represents the threat-feed-id.";
         }
         description
           "This represents the threat feed within the
            threat-prevention-list.";
         leaf name {
           type string;
           description
             "Name of the threat feed.";
         }

         leaf date {
           type yang:date-and-time;
           description
             "When the threat-feed was created.";
         }

         leaf feed-type {
           type enumeration {
             enum unknown {
               description
                 "feed-type is unknown.";
             }
             enum ip-address {
               description
                 "feed-type is IP address.";
             }
             enum url {
               description
                 "feed-type is URL.";
             }
           }
           mandatory true;
           description
             "This determines whether the feed-type is IP address
              based or URL based.";
         }

         leaf feed-server {
           type inet:ipv4-address;
           description
             "This contains threat feed server information.";
         }

         leaf feed-priority {
           type uint16;
           description
             "This describes the priority of the threat from
              0 to 5, where 0 means the threat is minimum and
              5 means the maximum.";
         }
       }

       list custom-list {
         key "custom-list-id";
         leaf custom-list-id {
           type uint16;
           description
             "This describes the custom-list-id.";
         }
         description
           "This describes the threat-prevention custom list.";
         leaf name {
           type string;
           description
             "Name of the custom-list.";
         }

         leaf date {
           type yang:date-and-time;
           description
             "When the custom list was created.";
         }

         leaf list-type {
           type enumeration {
             enum unknown {
               description
                 "list-type is unknown.";
             }
             enum ip-address {
               description
                 "list-type is IP address.";
             }
             enum mac-address {
               description
                 "list-type is MAC address.";
             }
             enum url {
               description
                 "list-type is URL.";
             }
           }
           mandatory true;
           description
             "This determines whether the list-type is IP address
              based, MAC address based or URL based.";
         }

         leaf list-property {
           type enumeration {
             enum unknown {
               description
                 "list-property is unknown.";
             }
             enum blacklist {
               description
                 "list-property is blacklist.";
             }
             enum whitelist {
               description
                 "list-property is whitelist.";
             }
           }
           mandatory true;
           description
             "This determines whether the list is a blacklist
              or a whitelist.";
         }

         leaf list-content {
           type string;
           description
             "This describes the contents of the custom-list.";
         }
       }

       list malware-scan-group {
         key "malware-scan-group-id";
         leaf malware-scan-group-id {
           type uint16;
           mandatory true;
           description
             "This is the malware-scan-group-id.";
         }
         description
           "This represents the malware-scan-group.";
         leaf name {
           type string;
           description
             "Name of the malware-scan-group.";
         }

         leaf date {
           type yang:date-and-time;
           description
             "When the malware-scan-group was created.";
         }

         leaf signature-server {
           type inet:ipv4-address;
           description
             "This describes the signature server of the
              malware-scan-group.";
         }

         leaf file-types {
           type string;
           description
             "This contains a list of file types that need to
              be scanned for viruses.";
         }

         leaf malware-signatures {
           type string;
           description
             "This contains a list of malware signatures or hashes.";
         }
       }

       list event-map-group {
         key "event-map-group-id";
         leaf event-map-group-id {
           type uint16;
           mandatory true;
           description
             "This is the event-map-group-id.";
         }
         description
           "This represents the event map group.";

         leaf name {
           type string;
           description
             "Name of the event-map.";
         }

         leaf date {
           type yang:date-and-time;
           description
             "When the event-map was created.";
         }

         leaf security-events {
           type string;
           description
             "This contains a list of security events.";
         }

         leaf threat-map {
           type string;
           description
             "This contains a list of threat levels.";
         }
       }
     }
   }

   <CODE ENDS>

      Figure 5: Policy Instance YANG Example for VoIP Security Services

Appendix D.  Example XML output for VoIP service

   In this section, we present an XML example for the VoIP service.
   Here, we are going to drop calls coming from an IP address in South
   Africa that is classified as malicious.
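   The following Python is an added example and not part of the draft.
   It encodes a policy instance of the ietf-policy-voip module above as
   JSON (RFC 7951-style member names are an assumption; every id, the
   192.0.2.10 feed server address and the list-content value are
   constructed) and checks it the way a Security Controller would before
   accepting it over the Consumer-Facing Interface: mandatory leaves are
   present, enumeration leaves carry one of the module's enum values,
   each leafref (source-caller, destination-callee, event-map-group)
   resolves to an existing entry under /threat-feed, and feed-priority
   stays within the 0..5 range its description gives.  The same checks
   cover the threat-feed and custom-list objects that the policy-general
   module in Figure 3 defines.  The constraint tables are transcribed by
   hand from the module text, which is a simplification; a deployment
   would derive them from the YANG with a tool such as pyang.

```python
"""Constructed JSON instance of the ietf-policy-voip module, checked
against the constraints the module states.  Added example, not draft code."""
import copy

# Constraints transcribed by hand from the YANG text (assumption: a real
# controller would derive them from the module with a YANG tool instead).
# List keys are always mandatory in YANG, so they are listed as well.
MANDATORY = {
    "rule-voip": ["rule-voip-id"], "event": ["event-id"],
    "condition": ["condition-id"], "action": ["action-id"],
    "owner": ["owner-id"],
    "threat-feed": ["threat-feed-id", "feed-type"],
    "custom-list": ["custom-list-id", "list-type", "list-property"],
}
ENUMS = {
    "feed-type": {"unknown", "ip-address", "url"},
    "list-type": {"unknown", "ip-address", "mac-address", "url"},
    "list-property": {"unknown", "blacklist", "whitelist"},
}
# leaf -> (list under /threat-feed, its key leaf), taken from the leafref paths
LEAFREFS = {
    "source-caller": ("threat-feed", "threat-feed-id"),
    "destination-callee": ("custom-list", "custom-list-id"),
    "event-map-group": ("event-map-group", "event-map-group-id"),
}


def _check_node(kind, node, errors, where):
    """Mandatory-leaf and enumeration checks shared by every list entry."""
    for leaf in MANDATORY.get(kind, []):
        if leaf not in node:
            errors.append(f"{where}: mandatory leaf '{leaf}' missing")
    for leaf, allowed in ENUMS.items():
        if leaf in node and node[leaf] not in allowed:
            errors.append(f"{where}: '{leaf}' value {node[leaf]!r} not in enumeration")


def validate_policy(instance):
    """Return the list of constraint violations; [] means the instance is valid."""
    errors = []
    feeds = instance.get("threat-feed", {})
    # Key sets of every list a leafref may point at, used for resolution below.
    keys = {lst: {e.get(key) for e in feeds.get(lst, [])}
            for lst, key in LEAFREFS.values()}
    for kind in ("threat-feed", "custom-list"):
        for i, entry in enumerate(feeds.get(kind, [])):
            where = f"{kind}[{i}]"
            _check_node(kind, entry, errors, where)
            prio = entry.get("feed-priority")
            if prio is not None and not 0 <= prio <= 5:
                errors.append(f"{where}: feed-priority {prio} outside 0..5")
    policy = instance.get("policy-voip", {})
    for r, rule in enumerate(policy.get("rule-voip", [])):
        _check_node("rule-voip", rule, errors, f"rule-voip[{r}]")
        for kind in ("event", "condition", "action"):
            for j, node in enumerate(rule.get(kind, [])):
                where = f"rule-voip[{r}]/{kind}[{j}]"
                _check_node(kind, node, errors, where)
                for leaf, (lst, _) in LEAFREFS.items():
                    if leaf in node and node[leaf] not in keys[lst]:
                        errors.append(
                            f"{where}: {leaf}={node[leaf]} does not resolve to a {lst}")
    for o, owner in enumerate(policy.get("owner", [])):
        _check_node("owner", owner, errors, f"owner[{o}]")
    return errors


# Constructed instance of the Appendix B/C scenario: one rule that denies
# and logs a VoIP call whose caller is matched against a threat feed and
# whose callee is on a blacklisted custom list.  All ids, the 192.0.2.10
# feed server (documentation address range) and the list-content are made up.
POLICY = {
    "policy-voip": {
        "rule-voip": [{
            "rule-voip-id": 1, "name": "voip-policy-example",
            "event": [{"event-id": "01", "event-type": "malicious",
                       "event-map-group": 19, "enable": True}],
            "condition": [{"condition-id": "01",
                           "source-caller": 1, "destination-callee": 2}],
            "action": [{"action-id": "01", "name": "action-voip",
                        "primary-action": "DENY", "secondary-action": "LOG"}],
        }],
        "owner": [{"owner-id": "01", "name": "i2nsf-admin"}],
    },
    "threat-feed": {
        "threat-feed": [{"threat-feed-id": 1, "feed-type": "ip-address",
                         "feed-server": "192.0.2.10", "feed-priority": 5}],
        "custom-list": [{"custom-list-id": 2, "list-type": "ip-address",
                         "list-property": "blacklist",
                         "list-content": "192.168.171.35"}],
        "event-map-group": [{"event-map-group-id": 19, "name": "voip-events"}],
    },
}


def broken_policy():
    """Same instance with a dangling leafref and an enum value the module lacks."""
    bad = copy.deepcopy(POLICY)
    bad["policy-voip"]["rule-voip"][0]["condition"][0]["source-caller"] = 99
    bad["threat-feed"]["custom-list"][0]["list-property"] = "greylist"
    return bad


if __name__ == "__main__":
    print("violations in valid instance:", validate_policy(POLICY))
    for violation in validate_policy(broken_policy()):
        print("violation:", violation)
```

   The dangling-leafref case is the one worth noticing: a rule whose
   source-caller points at a threat-feed-id that no longer exists would
   silently match nothing (or everything, depending on the NSF), so the
   controller should reject the instance at the interface rather than
   let the reference fail later at enforcement time.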
   [Figure 6 in the original is an XML instance of the policy-voip
   module; its element tags were lost in extraction.  The leaf values
   that survive, in document order, are: 01, voip-policy-example,
   2017.10.25/20:30:32, 01, voip_call, 2017.10.25/20:30:32, malicious,
   22:00, 08:00, 19, True, 01, 105.176.0.0, 192.168.171.35, default, 00,
   01, action-voip, 2017.10.25/20:30:32, DENY, LOG, none, 01,
   i2nsf-admin.]

                 Figure 6: An XML example for VoIP service

Authors' Addresses

   Jaehoon Paul Jeong
   Department of Software
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do  16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Eunsoo Kim
   Department of Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do  16419
   Republic of Korea

   Phone: +82 31 299 4104
   EMail: eskim86@skku.edu
   URI:   http://seclab.skku.edu/people/eunsoo-kim/

   Tae-Jin Ahn
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon  305-811
   Republic of Korea

   Phone: +82 42 870 8409
   EMail: taejin.ahn@kt.com

   Rakesh Kumar
   Juniper Networks
   1133 Innovation Way
   Sunnyvale, CA  94089
   USA

   EMail: rkkumar@juniper.net

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI  48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com