I2NSF Working Group                                            J. Kim
Internet-Draft                                               J. Jeong
Intended status: Standards Track             Sungkyunkwan University
Expires: September 12, 2019                                   J. Park
                                                                 ETRI
                                                             S. Hares
                                                               Q. Lin
                                                               Huawei
                                                       March 11, 2019

    I2NSF Network Security Function-Facing Interface YANG Data Model
              draft-ietf-i2nsf-nsf-facing-interface-dm-03

Abstract

   This document defines a YANG data model for configuring security
   policy rules on network security functions.  The YANG data model in
   this document corresponds to the information model for the Network
   Security Functions (NSF)-Facing Interface in Interface to Network
   Security Functions (I2NSF).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 12, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  YANG Tree Diagram
     4.1.  General I2NSF Security Policy Rule
     4.2.  Event Clause
     4.3.  Condition Clause
     4.4.  Action Clause
   5.  YANG Data Module
     5.1.  I2NSF NSF-Facing Interface YANG Data Module
   6.  IANA Considerations
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Configuration Examples
     A.1.  Security Requirement 1: Block SNS Access during Business
           Hours
     A.2.  Security Requirement 2: Block Malicious VoIP/VoLTE
           Packets Coming to the Company
     A.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood
           Attacks on a Company Web Server
   Appendix B.  Changes from draft-ietf-i2nsf-nsf-facing-interface-
                dm-02
   Appendix C.  Acknowledgments
   Appendix D.  Contributors
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020][RFC7950] data model for
   security policy rule configuration of network security devices.  The
   YANG data model corresponds to the information model
   [i2nsf-nsf-cap-im] for the Network Security Functions (NSF)-Facing
   Interface in Interface to Network Security Functions (I2NSF).  The
   YANG data model in this document focuses on security policy
   configuration for generic network security functions.  Security
   policy configuration for advanced network security functions is
   specified in [i2nsf-advanced-nsf-dm].

   This YANG data model uses the "Event-Condition-Action" (ECA) policy
   model that serves as the basis for the design of the I2NSF Policy
   Rules described in [RFC8329] and [i2nsf-nsf-cap-im].

   The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this
   document provides the following features:

   o  Configuration of the general security policy rule of a generic
      network security function.

   o  Configuration of an event clause of a generic network security
      function.

   o  Configuration of a condition clause of a generic network security
      function.

   o  Configuration of an action clause of a generic network security
      function.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119][RFC8174].

3.  Terminology

   This document uses the terminology described in
   [i2nsf-nsf-cap-im][RFC8431][supa-policy-info-model].  In particular,
   the following terms are taken from [supa-policy-info-model]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams
   [RFC8340] is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  YANG Tree Diagram

   This section shows a YANG tree diagram for generic network security
   functions.  Note that a detailed data model for the configuration of
   advanced network security functions is described in
   [i2nsf-advanced-nsf-dm].
   The section describes the following subjects:

   o  The general I2NSF security policy rule of a generic network
      security function.

   o  An event clause of a generic network security function.

   o  A condition clause of a generic network security function.

   o  An action clause of a generic network security function.

4.1.  General I2NSF Security Policy Rule

   This section shows the YANG tree diagram for a general I2NSF security
   policy rule.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        +--rw system-policy* [system-policy-name]
           +--rw system-policy-name     string
           +--rw priority-usage?        identityref
           +--rw resolution-strategy?   identityref
           +--rw default-action?        identityref
           +--rw rules* [rule-name]
              +--rw rule-name           string
              +--rw rule-description?   string
              +--rw rule-priority?      uint8
              +--rw rule-enable?        boolean
              +--rw time-zone
              |  +--rw absolute-time-zone
              |  |  +--rw start-time?   start-time-type
              |  |  +--rw end-time?     end-time-type
              |  +--rw periodic-time-zone
              |     +--rw day
              |     |  +--rw every-day?      boolean
              |     |  +--rw specific-day*   day-type
              |     +--rw month
              |        +--rw every-month?     boolean
              |        +--rw specific-month*  month-type
              +--rw event-clause-container
              |  ...
              +--rw condition-clause-container
              |  ...
              +--rw action-clause-container
                 ...

            Figure 1: YANG Tree Diagram for Network Security Policy

   This YANG tree diagram shows the general I2NSF security policy rule
   for generic network security functions.

   The system policy list expresses that there can be multiple system
   policies in one NSF, and each system policy is used by one virtual
   instance of the NSF/device.  A system policy consists of a system
   policy name, priority usage, resolution strategy, default action,
   and rules.
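   The following Python program is an added illustration, not code from
   this draft or from any I2NSF implementation.  It shows how an NSF
   could apply one system policy from Figure 1: each rule's condition
   clause is matched against a packet using the exact-match and
   range-match alternatives of the pkt-sec-ipv4-src/-dest and TCP port
   nodes (Section 4.3), the matching rules are then reduced to one by
   the system policy's resolution strategy, and the default action is
   applied when nothing matches.  The dict keys mirror node names from
   the tree diagrams; the packet dict layout, the strategy string values,
   the "higher rule-priority wins" ordering, and the reading of PMRE as
   "equal priorities are an error" versus PMRN as "equal priorities fall
   back to rule order" are assumptions of this example, not statements
   of the draft.  The addresses are RFC 5737 documentation ranges.

```python
"""Toy evaluator for an I2NSF system policy shaped like Figure 1.

Added illustration, not code from the draft.  Dict keys mirror the tree
diagram node names; the packet dict, the strategy strings, the priority
direction and the PMRE/PMRN tie handling are assumptions.
"""
import ipaddress

# Resolution strategies named in Section 4.1 (string values assumed).
FMR, LMR, PMRE, PMRN = "fmr", "lmr", "pmre", "pmrn"


def ipv4_match(node, addr):
    """Match addr against a pkt-sec-ipv4-src/-dest node.

    exact-match entries are {ipv4, prefix-length | netmask}; an entry
    with no subnet case is a host match.  range-match entries are
    inclusive.  A node with no match-type chosen constrains nothing.
    """
    ip = ipaddress.IPv4Address(addr)
    if "ipv4-address" in node:
        for e in node["ipv4-address"]:
            mask = e.get("prefix-length", e.get("netmask", 32))
            if ip in ipaddress.IPv4Network((e["ipv4"], mask), strict=False):
                return True
        return False
    if "range-ipv4-address" in node:
        for r in node["range-ipv4-address"]:
            lo = ipaddress.IPv4Address(r["start-ipv4-address"])
            hi = ipaddress.IPv4Address(r["end-ipv4-address"])
            if lo > hi:  # refuse a range that could never match
                raise ValueError(f"range start {lo} is after end {hi}")
            if lo <= ip <= hi:
                return True
        return False
    return True


def port_match(node, port):
    """Match a port against a pkt-sec-tcp-*-port-num node (exact or range)."""
    if "port-num" in node:
        return port in node["port-num"]
    if "range-port-num" in node:
        return any(r["start-port-num"] <= port <= r["end-port-num"]
                   for r in node["range-port-num"])
    return True


def rule_matches(rule, pkt):
    """Evaluate one rule's condition clause against a packet dict."""
    if not rule.get("rule-enable", True):
        return False
    cc = rule.get("condition-clause-container", {})
    v4 = cc.get("packet-security-ipv4-condition", {})
    if not ipv4_match(v4.get("pkt-sec-ipv4-src", {}), pkt["src"]):
        return False
    if not ipv4_match(v4.get("pkt-sec-ipv4-dest", {}), pkt["dst"]):
        return False
    if "pkt-sec-ipv4-protocol" in v4 and pkt["proto"] not in v4["pkt-sec-ipv4-protocol"]:
        return False
    tcp = cc.get("packet-security-tcp-condition")
    if tcp is not None:
        if pkt["proto"] != "tcp":
            return False
        if not port_match(tcp.get("pkt-sec-tcp-dest-port-num", {}), pkt["dport"]):
            return False
    return True


def evaluate(policy, pkt, strategy=None):
    """Return the ingress action for pkt: collect all matching rules, pick
    one by the resolution strategy, or fall back to the default-action."""
    strategy = strategy or policy["resolution-strategy"]
    hits = [r for r in policy["rules"] if rule_matches(r, pkt)]
    if not hits:
        return policy["default-action"]
    if strategy == FMR:
        chosen = hits[0]
    elif strategy == LMR:
        chosen = hits[-1]
    elif strategy in (PMRE, PMRN):
        top = max(r["rule-priority"] for r in hits)  # assumed: higher number wins
        best = [r for r in hits if r["rule-priority"] == top]
        if strategy == PMRE and len(best) > 1:  # assumed: PMRE treats a tie as an error
            raise ValueError("equal priorities: " + ", ".join(r["rule-name"] for r in best))
        chosen = best[0]  # assumed: PMRN breaks a tie by rule order
    else:
        raise ValueError(f"unknown resolution strategy {strategy!r}")
    return chosen["action-clause-container"]["packet-action"]["ingress-action"]


# Constructed sample policy (RFC 5737 documentation addresses).
SAMPLE_POLICY = {
    "system-policy-name": "edge-fw", "resolution-strategy": FMR,
    "default-action": "reject",
    "rules": [
        {"rule-name": "permit-lan-web", "rule-priority": 10,
         "condition-clause-container": {
             "packet-security-ipv4-condition": {
                 "pkt-sec-ipv4-src": {"ipv4-address": [{"ipv4": "192.0.2.0", "prefix-length": 24}]},
                 "pkt-sec-ipv4-dest": {"ipv4-address": [{"ipv4": "203.0.113.10"}]},
                 "pkt-sec-ipv4-protocol": ["tcp"]},
             "packet-security-tcp-condition": {
                 "pkt-sec-tcp-dest-port-num": {"range-port-num": [{"start-port-num": 80, "end-port-num": 443}]}}},
         "action-clause-container": {"packet-action": {"ingress-action": "pass"}}},
        {"rule-name": "drop-quarantined-hosts", "rule-priority": 50,
         "condition-clause-container": {
             "packet-security-ipv4-condition": {
                 "pkt-sec-ipv4-src": {"range-ipv4-address": [
                     {"start-ipv4-address": "192.0.2.200", "end-ipv4-address": "192.0.2.254"}]}}},
         "action-clause-container": {"packet-action": {"ingress-action": "drop"}}},
    ],
}

if __name__ == "__main__":
    pkt = {"src": "192.0.2.210", "dst": "203.0.113.10", "proto": "tcp", "dport": 443}
    for s in (FMR, LMR, PMRN):  # one packet, three strategies, three different verdicts
        print(s, evaluate(SAMPLE_POLICY, pkt, s))
```

   The point of the two-rule sample is that a host inside the quarantined
   range matches both rules, and the verdict depends entirely on the
   resolution strategy: FMR passes it, LMR and the prioritized strategies
   drop it.  A policy author who changes the strategy identity therefore
   changes the meaning of every overlapping rule pair, which is why the
   strategy belongs at the system-policy level rather than per rule.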
   A resolution strategy is used to decide how to resolve conflicts that
   occur between the actions of the same or different policy rules that
   are matched and contained in this particular NSF.  The resolution
   strategies defined are First Matching Rule (FMR), Last Matching Rule
   (LMR), Prioritized Matching Rule with Errors (PMRE), and Prioritized
   Matching Rule with No Errors (PMRN).  The resolution strategy can be
   extended according to vendor-specific action features.  The
   resolution strategy is described in detail in [i2nsf-nsf-cap-im].

   A default action is the action an NSF applies to a packet when no
   rule of the I2NSF policy matches it.  The default actions defined are
   pass, drop, reject, alert, and mirror.  The default action can be
   extended according to vendor-specific action features.  The default
   action is described in detail in [i2nsf-nsf-cap-im].

   Each rule consists of a rule name, rule description, rule priority,
   rule enable flag, time zone, event clause container, condition clause
   container, and action clause container.

4.2.  Event Clause

   This section shows the YANG tree diagram for an event clause of an
   I2NSF security policy rule.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        +--rw system-policy* [system-policy-name]
           ...
           +--rw rules* [rule-name]
              ...
              +--rw event-clause-container
              |  +--rw event-clause-description?   string
              |  +--rw event-clauses
              |     +--rw system-event*   identityref
              |     +--rw system-alarm*   identityref
              +--rw condition-clause-container
              |  ...
              +--rw action-clause-container
                 ...

            Figure 2: YANG Tree Diagram for Network Security Policy

   This YANG tree diagram shows an event clause of an I2NSF security
   policy rule for generic network security functions.  An event clause
   is any important occurrence in time of a change in the system being
   managed, and/or in the environment of the system being managed.  An
   event clause is used to trigger the evaluation of the condition
   clause of the I2NSF Policy Rule.  The event clause is defined as
   system event and system alarm.  The event clause can be extended
   according to vendor-specific event features.  The event clause is
   described in detail in [i2nsf-nsf-cap-im].

4.3.  Condition Clause

   This section shows the YANG tree diagram for a condition clause of an
   I2NSF security policy rule.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        ...
        +--rw rules* [rule-name]
           ...
           +--rw event-clause-container
           |  ...
           +--rw condition-clause-container
           |  +--rw condition-clause-description?   string
           |  +--rw packet-security-ipv4-condition
           |  |  +--rw pkt-sec-ipv4-header-length
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv4-header-length*   uint8
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv4-header-length*
           |  |  |                [start-ipv4-header-length end-ipv4-header-length]
           |  |  |           +--rw start-ipv4-header-length   uint8
           |  |  |           +--rw end-ipv4-header-length     uint8
           |  |  +--rw pkt-sec-ipv4-tos*   identityref
           |  |  +--rw pkt-sec-ipv4-total-length
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv4-total-length*   uint16
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv4-total-length*
           |  |  |                [start-ipv4-total-length end-ipv4-total-length]
           |  |  |           +--rw start-ipv4-total-length   uint16
           |  |  |           +--rw end-ipv4-total-length     uint16
           |  |  +--rw pkt-sec-ipv4-id*   uint16
           |  |  +--rw pkt-sec-ipv4-fragment-flags*   identityref
           |  |  +--rw pkt-sec-ipv4-fragment-offset
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv4-fragment-offset*   uint16
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv4-fragment-offset*
           |  |  |                [start-ipv4-fragment-offset end-ipv4-fragment-offset]
           |  |  |           +--rw start-ipv4-fragment-offset   uint16
           |  |  |           +--rw end-ipv4-fragment-offset     uint16
           |  |  +--rw pkt-sec-ipv4-ttl
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv4-ttl*   uint8
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv4-ttl* [start-ipv4-ttl end-ipv4-ttl]
           |  |  |           +--rw start-ipv4-ttl   uint8
           |  |  |           +--rw end-ipv4-ttl     uint8
           |  |  +--rw pkt-sec-ipv4-protocol*   identityref
           |  |  +--rw pkt-sec-ipv4-src
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv4-address* [ipv4]
           |  |  |     |     +--rw ipv4            inet:ipv4-address
           |  |  |     |     +--rw (subnet)?
           |  |  |     |        +--:(prefix-length)
           |  |  |     |        |  +--rw prefix-length?   uint8
           |  |  |     |        +--:(netmask)
           |  |  |     |           +--rw netmask?         yang:dotted-quad
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv4-address*
           |  |  |                [start-ipv4-address end-ipv4-address]
           |  |  |           +--rw start-ipv4-address   inet:ipv4-address
           |  |  |           +--rw end-ipv4-address     inet:ipv4-address
           |  |  +--rw pkt-sec-ipv4-dest
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv4
           |  |  |     |     +--rw ipv4-address* [ipv4]
           |  |  |     |        +--rw ipv4            inet:ipv4-address
           |  |  |     |        +--rw (subnet)?
           |  |  |     |           +--:(prefix-length)
           |  |  |     |           |  +--rw prefix-length?   uint8
           |  |  |     |           +--:(netmask)
           |  |  |     |              +--rw netmask?         yang:dotted-quad
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv4-address*
           |  |  |                [start-ipv4-address end-ipv4-address]
           |  |  |           +--rw start-ipv4-address   inet:ipv4-address
           |  |  |           +--rw end-ipv4-address     inet:ipv4-address
           |  |  +--rw pkt-sec-ipv4-ipopts*   identityref
           |  |  +--rw pkt-sec-ipv4-sameip?   boolean
           |  |  +--rw pkt-sec-ipv4-geoip*    string
           |  +--rw packet-security-ipv6-condition
           |  |  +--rw pkt-sec-ipv6-traffic-class*   identityref
           |  |  +--rw pkt-sec-ipv6-flow-label
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv6-flow-label*   uint32
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv6-flow-label*
           |  |  |                [start-ipv6-flow-label end-ipv6-flow-label]
           |  |  |           +--rw start-ipv6-flow-label   uint32
           |  |  |           +--rw end-ipv6-flow-label     uint32
           |  |  +--rw pkt-sec-ipv6-payload-length
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv6-payload-length*   uint16
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv6-payload-length*
           |  |  |                [start-ipv6-payload-length end-ipv6-payload-length]
           |  |  |           +--rw start-ipv6-payload-length   uint16
           |  |  |           +--rw end-ipv6-payload-length     uint16
           |  |  +--rw pkt-sec-ipv6-next-header*   identityref
           |  |  +--rw pkt-sec-ipv6-hop-limit
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv6-hop-limit*   uint8
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv6-hop-limit*
           |  |  |                [start-ipv6-hop-limit end-ipv6-hop-limit]
           |  |  |           +--rw start-ipv6-hop-limit   uint8
           |  |  |           +--rw end-ipv6-hop-limit     uint8
           |  |  +--rw pkt-sec-ipv6-src
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv6
           |  |  |     |     +--rw ipv6-address* [ipv6]
           |  |  |     |        +--rw ipv6             inet:ipv6-address
           |  |  |     |        +--rw prefix-length?   uint8
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv6-address*
           |  |  |                [start-ipv6-address end-ipv6-address]
           |  |  |           +--rw start-ipv6-address   inet:ipv6-address
           |  |  |           +--rw end-ipv6-address     inet:ipv6-address
           |  |  +--rw pkt-sec-ipv6-dest
           |  |     +--rw (match-type)?
           |  |        +--:(exact-match)
           |  |        |  +--rw ipv6-address* [ipv6]
           |  |        |     +--rw ipv6             inet:ipv6-address
           |  |        |     +--rw prefix-length?   uint8
           |  |        +--:(range-match)
           |  |           +--rw range-ipv6-address*
           |  |                   [start-ipv6-address end-ipv6-address]
           |  |              +--rw start-ipv6-address   inet:ipv6-address
           |  |              +--rw end-ipv6-address     inet:ipv6-address
           |  +--rw packet-security-tcp-condition
           |  |  +--rw pkt-sec-tcp-src-port-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw port-num*   inet:port-number
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-port-num* [start-port-num end-port-num]
           |  |  |           +--rw start-port-num   inet:port-number
           |  |  |           +--rw end-port-num     inet:port-number
           |  |  +--rw pkt-sec-tcp-dest-port-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw port-num*   inet:port-number
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-port-num* [start-port-num end-port-num]
           |  |  |           +--rw start-port-num   inet:port-number
           |  |  |           +--rw end-port-num     inet:port-number
           |  |  +--rw pkt-sec-tcp-seq-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw tcp-seq-num*   uint32
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-tcp-seq-num* [start-tcp-seq-num end-tcp-seq-num]
           |  |  |           +--rw start-tcp-seq-num   uint32
           |  |  |           +--rw end-tcp-seq-num     uint32
           |  |  +--rw pkt-sec-tcp-ack-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw tcp-ack-num*   uint32
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-tcp-ack-num* [start-tcp-ack-num end-tcp-ack-num]
           |  |  |           +--rw start-tcp-ack-num   uint32
           |  |  |           +--rw end-tcp-ack-num     uint32
           |  |  +--rw pkt-sec-tcp-window-size
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw tcp-window-size*   uint16
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-tcp-window-size*
           |  |  |                [start-tcp-window-size end-tcp-window-size]
           |  |  |           +--rw start-tcp-window-size   uint16
           |  |  |           +--rw end-tcp-window-size     uint16
           |  |  +--rw pkt-sec-tcp-flags*   identityref
           |  +--rw packet-security-udp-condition
           |  |  +--rw pkt-sec-udp-src-port-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw port-num*   inet:port-number
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-port-num* [start-port-num end-port-num]
           |  |  |           +--rw start-port-num   inet:port-number
           |  |  |           +--rw end-port-num     inet:port-number
           |  |  +--rw pkt-sec-udp-dest-port-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw port-num*   inet:port-number
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-port-num* [start-port-num end-port-num]
           |  |  |           +--rw start-port-num   inet:port-number
           |  |  |           +--rw end-port-num     inet:port-number
           |  |  +--rw pkt-sec-udp-total-length
           |  |     +--rw (match-type)?
           |  |        +--:(exact-match)
           |  |        |  +--rw udp-total-length*   uint32
           |  |        +--:(range-match)
           |  |           +--rw range-udp-total-length*
           |  |                   [start-udp-total-length end-udp-total-length]
           |  |              +--rw start-udp-total-length   uint32
           |  |              +--rw end-udp-total-length     uint32
           |  +--rw packet-security-icmp-condition
           |  |  +--rw pkt-sec-icmp-type*   identityref
           |  +--rw packet-security-http-condition
           |  |  +--rw pkt-sec-uri-content*   string
           |  |  +--rw pkt-sec-url-content*   string
           |  +--rw packet-security-voice-condition
           |  |  +--rw pkt-sec-src-voice-id*    string
           |  |  +--rw pkt-sec-dest-voice-id*   string
           |  |  +--rw pkt-sec-user-agent*      string
           |  +--rw packet-security-ddos-condition
           |     +--rw pkt-sec-alert-rate?   uint32
           +--rw action-clause-container
              ...
            Figure 3: YANG Tree Diagram for Network Security Policy

   This YANG tree diagram shows a condition clause of an I2NSF security
   policy rule for generic network security functions.  A condition
   clause is defined as a set of attributes, features, and/or values
   that are to be compared with a set of known attributes, features,
   and/or values in order to determine whether or not the set of actions
   in that (imperative) I2NSF policy rule can be executed.  The
   condition clause is classified into conditions of generic network
   security functions and conditions of advanced network security
   functions.  The condition clause of generic network security
   functions is defined as the packet security IPv4 condition, packet
   security IPv6 condition, packet security TCP condition, packet
   security UDP condition, and packet security ICMP condition.  The
   condition clause of advanced network security functions is defined
   as the packet security HTTP condition, packet security voice
   condition, and packet security DDoS condition.  Note that this
   document deals only with simple conditions of advanced network
   security functions.  The condition clauses of advanced network
   security functions are described in detail in
   [i2nsf-advanced-nsf-dm].  The condition clause can be extended
   according to vendor-specific condition features.  The condition
   clause is described in detail in [i2nsf-nsf-cap-im].

4.4.  Action Clause

   This section shows the YANG tree diagram for an action clause of an
   I2NSF security policy rule.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        ...
        +--rw rules* [rule-name]
           ...
           +--rw event-clause-container
           |  ...
           +--rw condition-clause-container
           |  ...
           +--rw action-clause-container
              +--rw action-clause-description?   string
              +--rw packet-action
              |  +--rw ingress-action?   identityref
              |  +--rw egress-action?    identityref
              |  +--rw log-action?       identityref
              +--rw advanced-action
                 +--rw content-security-control*    identityref
                 +--rw attack-mitigation-control*   identityref

            Figure 4: YANG Tree Diagram for Network Security Policy

   This YANG tree diagram shows an action clause of an I2NSF security
   policy rule for generic network security functions.  An action is
   used to control and monitor aspects of flow-based NSFs when the event
   and condition clauses are satisfied.  NSFs provide security services
   by executing various actions.  The action clause is defined as
   ingress action, egress action, log action, and advanced action for
   additional inspection.  The advanced action is described in detail in
   [RFC8329] and [i2nsf-nsf-cap-im].  The action clause can be extended
   according to vendor-specific action features.  The action clause is
   described in detail in [i2nsf-nsf-cap-im].

5.  YANG Data Module

5.1.  I2NSF NSF-Facing Interface YANG Data Module

   This section introduces a YANG data module for the configuration of
   security policy rules on network security functions.

   file "ietf-i2nsf-policy-rule-for-nsf@2019-03-11.yang"

   module ietf-i2nsf-policy-rule-for-nsf {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
     prefix
       iiprfn;

     import ietf-inet-types{
       prefix inet;
       reference "RFC 6991";
     }
     import ietf-yang-types{
       prefix yang;
       reference "RFC 6991";
     }

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Adrian Farrel

        WG Chair: Linda Dunbar

        Editor: Jingyong Tim Kim

        Editor: Jaehoon Paul Jeong

        Editor: Susan Hares
        ";

     description
       "This module defines a YANG data model for network security
        functions.

        Copyright (c) 2018 IETF Trust and the persons
        identified as authors of the code.  All rights reserved.
        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision "2019-03-11"{
       description "Initial revision.";
       reference
         "RFC XXXX: I2NSF Network Security Function-Facing Interface
          YANG Data Model";
     }

     /*
      * Identities
      */

     identity priority-usage-type {
       description
         "Base identity for priority usage type.";
     }

     identity priority-by-order {
       base priority-usage-type;
       description
         "Identity for priority by order";
     }

     identity priority-by-number {
       base priority-usage-type;
       description
         "Identity for priority by number";
     }

     identity event {
       description
         "Base identity for event of policy.";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - Event";
     }

     identity system-event {
       base event;
       description
         "Identity for system event";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System event";
     }

     identity system-alarm {
       base event;
       description
         "Identity for system alarm";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity access-violation {
       base system-event;
       description
         "Identity for access violation
          among system events";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System event";
     }

     identity configuration-change {
       base system-event;
       description
         "Identity for configuration change
          among system events";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System event";
     }

     identity memory-alarm {
       base system-alarm;
       description
         "Identity for memory alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity cpu-alarm {
       base system-alarm;
       description
         "Identity for cpu alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity disk-alarm {
       base system-alarm;
       description
         "Identity for disk alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity hardware-alarm {
       base system-alarm;
       description
         "Identity for hardware alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity interface-alarm {
       base system-alarm;
       description
         "Identity for interface alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity type-of-service {
       description
         "Base identity for type of service of IPv4";
       reference
         "RFC 791: Internet Protocol - Type of Service";
     }

     identity traffic-class {
       description
         "Base identity for traffic-class of IPv6";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity normal {
       base type-of-service;
       base traffic-class;
       description
         "Identity for normal";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity minimize-cost {
       base type-of-service;
       base traffic-class;
       description
         "Identity for minimize cost";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity maximize-reliability {
       base type-of-service;
       base traffic-class;
       description
         "Identity for maximize reliability";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity maximize-throughput {
       base type-of-service;
       base traffic-class;
       description
         "Identity for maximize throughput";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity minimize-delay {
       base type-of-service;
       base traffic-class;
       description
         "Identity for minimize delay";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity maximize-security {
       base type-of-service;
       base traffic-class;
       description
         "Identity for maximize security";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity fragmentation-flags-type {
       description
         "Base identity for fragmentation flags type";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity fragment {
       base fragmentation-flags-type;
       description
         "Identity for fragment";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity no-fragment {
       base fragmentation-flags-type;
       description
         "Identity for no fragment";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity reserved {
       base fragmentation-flags-type;
       description
         "Identity for reserved";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity protocol {
       description
         "Base identity for protocol of IPv4";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol";
     }

     identity next-header {
       description
         "Base identity for next header of IPv6";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity icmp {
       base protocol;
       base next-header;
       description
         "Identity for icmp";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity igmp {
       base protocol;
       base next-header;
       description
         "Identity for igmp";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity tcp {
       base protocol;
       base next-header;
       description
         "Identity for tcp";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity igrp {
       base protocol;
       base next-header;
       description
         "Identity for igrp";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity udp {
       base protocol;
       base next-header;
       description
         "Identity for udp";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity gre {
       base protocol;
       base next-header;
       description
         "Identity for gre";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity esp {
       base protocol;
       base next-header;
       description
         "Identity for esp";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity ah {
       base protocol;
       base next-header;
       description
         "Identity for ah";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity mobile {
       base protocol;
       base next-header;
       description
         "Identity for mobile";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity tlsp {
       base protocol;
       base next-header;
       description
         "Identity for tlsp";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity skip {
       base protocol;
       base next-header;
       description
         "Identity for skip";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity ipv6-icmp {
       base protocol;
       base next-header;
       description
         "Identity for IPv6 ICMP";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity eigrp {
       base protocol;
       base next-header;
       description
         "Identity for eigrp";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity ospf {
       base protocol;
       base next-header;
       description
         "Identity for ospf";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity l2tp {
       base protocol;
       base next-header;
       description
         "Identity for l2tp";
       reference
         "RFC 790: Assigned Numbers - Assigned Internet
          Protocol Numbers
          RFC 791: Internet Protocol - Protocol
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity ipopts {
       description
         "Base identity for IP options";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity rr {
       base ipopts;
       description
         "Identity for record route";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity eol {
       base ipopts;
       description
         "Identity for end of list";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity nop {
       base ipopts;
       description
         "Identity for no operation";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity ts {
       base ipopts;
       description
         "Identity for
time stamp"; 1114 reference 1115 "RFC 791: Internet Protocol - Options"; 1116 } 1118 identity sec { 1119 base ipopts; 1120 description 1121 "Identity for IP security"; 1122 reference 1123 "RFC 791: Internet Protocol - Options"; 1124 } 1126 identity esec { 1127 base ipopts; 1128 description 1129 "Identity for IP extended security"; 1130 reference 1131 "RFC 791: Internet Protocol - Options"; 1132 } 1134 identity lsrr { 1135 base ipopts; 1136 description 1137 "Identity for loose source routing"; 1138 reference 1139 "RFC 791: Internet Protocol - Options"; 1140 } 1142 identity ssrr { 1143 base ipopts; 1144 description 1145 "Identity for strict source routing"; 1146 reference 1147 "RFC 791: Internet Protocol - Options"; 1148 } 1150 identity satid { 1151 base ipopts; 1152 description 1153 "Identity for stream identifier"; 1154 reference 1155 "RFC 791: Internet Protocol - Options"; 1156 } 1158 identity any { 1159 base ipopts; 1160 description 1161 "Identity for which any IP options are set"; 1162 reference 1163 "RFC 791: Internet Protocol - Options"; 1164 } 1166 identity tcp-flags { 1167 description 1168 "Base identity for tcp flags"; 1169 reference 1170 "RFC 793: Transmission Control Protocol - Flags"; 1171 } 1173 identity cwr { 1174 base tcp-flags; 1175 description 1176 "Identity for congestion window reduced"; 1177 reference 1178 "RFC 793: Transmission Control Protocol - Flags"; 1179 } 1181 identity ecn { 1182 base tcp-flags; 1183 description 1184 "Identity for explicit congestion notification"; 1185 reference 1186 "RFC 793: Transmission Control Protocol - Flags"; 1187 } 1189 identity urg { 1190 base tcp-flags; 1191 description 1192 "Identity for urgent"; 1193 reference 1194 "RFC 793: Transmission Control Protocol - Flags"; 1195 } 1197 identity ack { 1198 base tcp-flags; 1199 description 1200 "Identity for acknowledgement"; 1201 reference 1202 "RFC 793: Transmission Control Protocol - Flags"; 1203 } 1205 identity psh { 1206 base tcp-flags; 1207 description 1208 
"Identity for push"; 1209 reference 1210 "RFC 793: Transmission Control Protocol - Flags"; 1211 } 1213 identity rst { 1214 base tcp-flags; 1215 description 1216 "Identity for reset"; 1217 reference 1218 "RFC 793: Transmission Control Protocol - Flags"; 1219 } 1221 identity syn { 1222 base tcp-flags; 1223 description 1224 "Identity for synchronize"; 1225 reference 1226 "RFC 793: Transmission Control Protocol - Flags"; 1227 } 1229 identity fin { 1230 base tcp-flags; 1231 description 1232 "Identity for finish"; 1233 reference 1234 "RFC 793: Transmission Control Protocol - Flags"; 1235 } 1237 identity icmp-type { 1238 description 1239 "Base identity for icmp types"; 1240 reference 1241 "RFC 792: Internet Control Message Protocol"; 1242 } 1244 identity echo-reply { 1245 base icmp-type; 1246 description 1247 "Identity for echo reply"; 1248 reference 1249 "RFC 792: Internet Control Message Protocol"; 1250 } 1252 identity destination-unreachable { 1253 base icmp-type; 1254 description 1255 "Identity for destination unreachable"; 1256 reference 1257 "RFC 792: Internet Control Message Protocol"; 1258 } 1260 identity source-quench { 1261 base icmp-type; 1262 description 1263 "Identity for source quench"; 1264 reference 1265 "RFC 792: Internet Control Message Protocol"; 1266 } 1268 identity redirect { 1269 base icmp-type; 1270 description 1271 "Identity for redirect"; 1272 reference 1273 "RFC 792: Internet Control Message Protocol"; 1274 } 1276 identity alternate-host-address { 1277 base icmp-type; 1278 description 1279 "Identity for alternate host address"; 1280 reference 1281 "RFC 792: Internet Control Message Protocol"; 1282 } 1284 identity echo { 1285 base icmp-type; 1286 description 1287 "Identity for echo"; 1288 reference 1289 "RFC 792: Internet Control Message Protocol"; 1290 } 1292 identity router-advertisement { 1293 base icmp-type; 1294 description 1295 "Identity for router advertisement"; 1296 reference 1297 "RFC 792: Internet Control Message Protocol"; 1298 } 1300 
identity router-solicitation { 1301 base icmp-type; 1302 description 1303 "Identity for router solicitation"; 1304 reference 1305 "RFC 792: Internet Control Message Protocol"; 1306 } 1308 identity time-exceeded { 1309 base icmp-type; 1310 description 1311 "Identity for time exceeded"; 1312 reference 1313 "RFC 792: Internet Control Message Protocol"; 1314 } 1316 identity parameter-problem { 1317 base icmp-type; 1318 description 1319 "Identity for parameter problem"; 1320 reference 1321 "RFC 792: Internet Control Message Protocol"; 1322 } 1324 identity timestamp { 1325 base icmp-type; 1326 description 1327 "Identity for timestamp"; 1328 reference 1329 "RFC 792: Internet Control Message Protocol"; 1330 } 1332 identity timestamp-reply { 1333 base icmp-type; 1334 description 1335 "Identity for timestamp reply"; 1336 reference 1337 "RFC 792: Internet Control Message Protocol"; 1338 } 1340 identity information-request { 1341 base icmp-type; 1342 description 1343 "Identity for information request"; 1344 reference 1345 "RFC 792: Internet Control Message Protocol"; 1346 } 1348 identity information-reply { 1349 base icmp-type; 1350 description 1351 "Identity for information reply"; 1352 reference 1353 "RFC 792: Internet Control Message Protocol"; 1354 } 1356 identity address-mask-request { 1357 base icmp-type; 1358 description 1359 "Identity for address mask request"; 1360 reference 1361 "RFC 792: Internet Control Message Protocol"; 1362 } 1364 identity address-mask-reply { 1365 base icmp-type; 1366 description 1367 "Identity for address mask reply"; 1368 reference 1369 "RFC 792: Internet Control Message Protocol"; 1370 } 1372 identity traceroute { 1373 base icmp-type; 1374 description 1375 "Identity for traceroute"; 1376 reference 1377 "RFC 792: Internet Control Message Protocol"; 1378 } 1380 identity datagram-conversion-error { 1381 base icmp-type; 1382 description 1383 "Identity for datagram conversion error"; 1384 reference 1385 "RFC 792: Internet Control Message 
Protocol"; 1386 } 1388 identity mobile-host-redirect { 1389 base icmp-type; 1390 description 1391 "Identity for mobile host redirect"; 1392 reference 1393 "RFC 792: Internet Control Message Protocol"; 1394 } 1396 identity ipv6-where-are-you { 1397 base icmp-type; 1398 description 1399 "Identity for IPv6 where are you"; 1400 reference 1401 "RFC 792: Internet Control Message Protocol"; 1402 } 1404 identity ipv6-i-am-here { 1405 base icmp-type ; 1406 description 1407 "Identity for IPv6 i am here"; 1408 reference 1409 "RFC 792: Internet Control Message Protocol"; 1410 } 1412 identity mobile-registration-request { 1413 base icmp-type; 1414 description 1415 "Identity for mobile registration request"; 1416 reference 1417 "RFC 792: Internet Control Message Protocol"; 1418 } 1420 identity mobile-registration-reply { 1421 base icmp-type; 1422 description 1423 "Identity for mobile registration reply"; 1424 reference 1425 "RFC 792: Internet Control Message Protocol"; 1426 } 1428 identity domain-name-request { 1429 base icmp-type; 1430 description 1431 "Identity for domain name request"; 1432 reference 1433 "RFC 792: Internet Control Message Protocol"; 1434 } 1436 identity domain-name-reply { 1437 base icmp-type; 1438 description 1439 "Identity for domain name reply"; 1440 reference 1441 "RFC 792: Internet Control Message Protocol"; 1442 } 1444 identity iskip { 1445 base icmp-type; 1446 description 1447 "Identity for icmp skip"; 1448 reference 1449 "RFC 792: Internet Control Message Protocol"; 1450 } 1452 identity photuris { 1453 base icmp-type; 1454 description 1455 "Identity for photuris"; 1456 reference 1457 "RFC 792: Internet Control Message Protocol"; 1458 } 1460 identity experimental-mobility-protocols { 1461 base icmp-type; 1462 description 1463 "Identity for experimental mobility protocols"; 1464 reference 1465 "RFC 792: Internet Control Message Protocol"; 1466 } 1468 identity extended-echo-request { 1469 base icmp-type; 1470 description 1471 "Identity for extended echo 
request"; 1472 reference 1473 "RFC 792: Internet Control Message Protocol 1474 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1475 } 1477 identity extended-echo-reply { 1478 base icmp-type; 1479 description 1480 "Identity for extended echo reply"; 1481 reference 1482 "RFC 792: Internet Control Message Protocol 1483 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1484 } 1486 identity net-unreachable { 1487 base icmp-type; 1488 description 1489 "Identity for net unreachable 1490 in destination unreachable types"; 1491 reference 1492 "RFC 792: Internet Control Message Protocol"; 1493 } 1495 identity host-unreachable { 1496 base icmp-type; 1497 description 1498 "Identity for host unreachable 1499 in destination unreachable types"; 1500 reference 1501 "RFC 792: Internet Control Message Protocol"; 1502 } 1504 identity protocol-unreachable { 1505 base icmp-type; 1506 description 1507 "Identity for protocol unreachable 1508 in destination unreachable types"; 1509 reference 1510 "RFC 792: Internet Control Message Protocol"; 1511 } 1513 identity port-unreachable { 1514 base icmp-type; 1515 description 1516 "Identity for port unreachable 1517 in destination unreachable types"; 1518 reference 1519 "RFC 792: Internet Control Message Protocol"; 1520 } 1522 identity fragment-set { 1523 base icmp-type; 1524 description 1525 "Identity for fragmentation set 1526 in destination unreachable types"; 1527 reference 1528 "RFC 792: Internet Control Message Protocol"; 1529 } 1531 identity source-route-failed { 1532 base icmp-type; 1533 description 1534 "Identity for source route failed 1535 in destination unreachable types"; 1536 reference 1537 "RFC 792: Internet Control Message Protocol"; 1538 } 1540 identity destination-network-unknown { 1541 base icmp-type; 1542 description 1543 "Identity for destination network unknown 1544 in destination unreachable types"; 1545 reference 1546 "RFC 792: Internet Control Message Protocol"; 1547 } 1549 identity destination-host-unknown { 1550 
base icmp-type; 1551 description 1552 "Identity for destination host unknown 1553 in destination unreachable types"; 1554 reference 1555 "RFC 792: Internet Control Message Protocol"; 1556 } 1558 identity source-host-isolated { 1559 base icmp-type; 1560 description 1561 "Identity for source host isolated 1562 in destination unreachable types"; 1563 reference 1564 "RFC 792: Internet Control Message Protocol"; 1565 } 1566 identity communication-prohibited-with-destination-network { 1567 base icmp-type; 1568 description 1569 "Identity for which communication with destination network 1570 is administratively prohibited in destination unreachable 1571 types"; 1572 reference 1573 "RFC 792: Internet Control Message Protocol"; 1574 } 1576 identity communication-prohibited-with-destination-host { 1577 base icmp-type; 1578 description 1579 "Identity for which communication with destination host 1580 is administratively prohibited in destination unreachable 1581 types"; 1582 reference 1583 "RFC 792: Internet Control Message Protocol"; 1584 } 1586 identity destination-network-unreachable-for-tos { 1587 base icmp-type; 1588 description 1589 "Identity for destination network unreachable 1590 for type of service in destination unreachable types"; 1591 reference 1592 "RFC 792: Internet Control Message Protocol"; 1593 } 1595 identity destination-host-unreachable-for-tos { 1596 base icmp-type; 1597 description 1598 "Identity for destination host unreachable 1599 for type of service in destination unreachable types"; 1600 reference 1601 "RFC 792: Internet Control Message Protocol"; 1602 } 1604 identity communication-prohibited { 1605 base icmp-type; 1606 description 1607 "Identity for communication administratively prohibited 1608 in destination unreachable types"; 1609 reference 1610 "RFC 792: Internet Control Message Protocol"; 1611 } 1613 identity host-precedence-violation { 1614 base icmp-type; 1615 description 1616 "Identity for host precedence violation 1617 in destination 
unreachable types"; 1618 reference 1619 "RFC 792: Internet Control Message Protocol"; 1620 } 1622 identity precedence-cutoff-in-effect { 1623 base icmp-type; 1624 description 1625 "Identity for precedence cutoff in effect 1626 in destination unreachable types"; 1627 reference 1628 "RFC 792: Internet Control Message Protocol"; 1629 } 1631 identity redirect-datagram-for-the-network { 1632 base icmp-type; 1633 description 1634 "Identity for redirect datagram for the network 1635 (or subnet) in redirect types"; 1636 reference 1637 "RFC 792: Internet Control Message Protocol"; 1638 } 1640 identity redirect-datagram-for-the-host { 1641 base icmp-type; 1642 description 1643 "Identity for redirect datagram for the host 1644 in redirect types"; 1645 reference 1646 "RFC 792: Internet Control Message Protocol"; 1647 } 1649 identity redirect-datagram-for-the-tos-and-network { 1650 base icmp-type; 1651 description 1652 "Identity for redirect datagram for the type of 1653 service and network in redirect types"; 1654 reference 1655 "RFC 792: Internet Control Message Protocol"; 1656 } 1658 identity redirect-datagram-for-the-tos-and-host { 1659 base icmp-type; 1660 description 1661 "Identity for redirect datagram for the type of 1662 service and host in redirect types"; 1663 reference 1664 "RFC 792: Internet Control Message Protocol"; 1665 } 1667 identity normal-router-advertisement { 1668 base icmp-type; 1669 description 1670 "Identity for normal router advertisement 1671 in router advertisement types"; 1672 reference 1673 "RFC 792: Internet Control Message Protocol"; 1674 } 1676 identity does-not-route-common-traffic { 1677 base icmp-type; 1678 description 1679 "Identity for does not route common traffic 1680 in router advertisement types"; 1681 reference 1682 "RFC 792: Internet Control Message Protocol"; 1683 } 1685 identity time-to-live-exceeded-in-transit { 1686 base icmp-type; 1687 description 1688 "Identity for time to live exceeded in transit 1689 in time exceeded types"; 
1690 reference 1691 "RFC 792: Internet Control Message Protocol"; 1692 } 1694 identity fragment-reassembly-time-exceeded { 1695 base icmp-type; 1696 description 1697 "Identity for fragment reassembly time exceeded 1698 in time exceeded types"; 1699 reference 1700 "RFC 792: Internet Control Message Protocol"; 1701 } 1703 identity pointer-indicates-the-error { 1704 base icmp-type; 1705 description 1706 "Identity for pointer indicates the error 1707 in parameter problem types"; 1708 reference 1709 "RFC 792: Internet Control Message Protocol"; 1711 } 1713 identity missing-a-required-option { 1714 base icmp-type; 1715 description 1716 "Identity for missing a required option 1717 in parameter problem types"; 1718 reference 1719 "RFC 792: Internet Control Message Protocol"; 1720 } 1722 identity bad-length { 1723 base icmp-type; 1724 description 1725 "Identity for bad length 1726 in parameter problem types"; 1727 reference 1728 "RFC 792: Internet Control Message Protocol"; 1729 } 1731 identity bad-spi { 1732 base icmp-type; 1733 description 1734 "Identity for bad spi 1735 in photuris types"; 1736 reference 1737 "RFC 792: Internet Control Message Protocol"; 1738 } 1740 identity authentication-failed { 1741 base icmp-type; 1742 description 1743 "Identity for authentication failed 1744 in photuris types"; 1745 reference 1746 "RFC 792: Internet Control Message Protocol"; 1747 } 1749 identity decompression-failed { 1750 base icmp-type; 1751 description 1752 "Identity for decompression failed 1753 in photuris types"; 1754 reference 1755 "RFC 792: Internet Control Message Protocol"; 1756 } 1758 identity decryption-failed { 1759 base icmp-type; 1760 description 1761 "Identity for decryption failed 1762 in photuris types"; 1763 reference 1764 "RFC 792: Internet Control Message Protocol"; 1765 } 1767 identity need-authentication { 1768 base icmp-type; 1769 description 1770 "Identity for need authentication 1771 in photuris types"; 1772 reference 1773 "RFC 792: Internet Control 
Message Protocol"; 1774 } 1776 identity need-authorization { 1777 base icmp-type; 1778 description 1779 "Identity for need authorization 1780 in photuris types"; 1781 reference 1782 "RFC 792: Internet Control Message Protocol"; 1783 } 1785 identity req-no-error { 1786 base icmp-type; 1787 description 1788 "Identity for request with no error 1789 in extended echo request types"; 1790 reference 1791 "RFC 792: Internet Control Message Protocol 1792 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1793 } 1795 identity rep-no-error { 1796 base icmp-type; 1797 description 1798 "Identity for reply with no error 1799 in extended echo reply types"; 1800 reference 1801 "RFC 792: Internet Control Message Protocol 1802 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1803 } 1805 identity malformed-query { 1806 base icmp-type; 1807 description 1808 "Identity for malformed query 1809 in extended echo reply types"; 1810 reference 1811 "RFC 792: Internet Control Message Protocol 1812 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1813 } 1815 identity no-such-interface { 1816 base icmp-type; 1817 description 1818 "Identity for no such interface 1819 in extended echo reply types"; 1820 reference 1821 "RFC 792: Internet Control Message Protocol 1822 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1823 } 1825 identity no-such-table-entry { 1826 base icmp-type; 1827 description 1828 "Identity for no such table entry 1829 in extended echo reply types"; 1830 reference 1831 "RFC 792: Internet Control Message Protocol 1832 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1833 } 1835 identity multiple-interfaces-satisfy-query { 1836 base icmp-type; 1837 description 1838 "Identity for multiple interfaces satisfy query 1839 in extended echo reply types"; 1840 reference 1841 "RFC 792: Internet Control Message Protocol 1842 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1843 } 1845 identity content-security-control { 1846 description 1847 "Base identity for content 
security control"; 1848 reference 1849 "RFC 8329: Framework for Interface to 1850 Network Security Functions - Differences 1851 from ACL Data Models 1852 draft-ietf-i2nsf-capability-04: Information Model 1853 of NSFs Capabilities"; 1854 } 1855 identity antivirus { 1856 base content-security-control; 1857 description 1858 "Identity for antivirus"; 1859 } 1861 identity ips { 1862 base content-security-control; 1863 description 1864 "Identity for ips"; 1865 } 1867 identity ids { 1868 base content-security-control; 1869 description 1870 "Identity for ids"; 1871 } 1873 identity url-filtering { 1874 base content-security-control; 1875 description 1876 "Identity for url filtering"; 1877 } 1879 identity mail-filtering { 1880 base content-security-control; 1881 description 1882 "Identity for mail filtering"; 1883 } 1885 identity file-blocking { 1886 base content-security-control; 1887 description 1888 "Identity for file blocking"; 1889 } 1891 identity file-isolate { 1892 base content-security-control; 1893 description 1894 "Identity for file isolate"; 1895 } 1897 identity pkt-capture { 1898 base content-security-control; 1899 description 1900 "Identity for packet capture"; 1901 } 1902 identity application-control { 1903 base content-security-control; 1904 description 1905 "Identity for application control"; 1906 } 1908 identity voip-volte { 1909 base content-security-control; 1910 description 1911 "Identity for voip and volte"; 1912 } 1914 identity attack-mitigation-control { 1915 description 1916 "Base identity for attack mitigation control"; 1917 reference 1918 "RFC 8329: Framework for Interface to 1919 Network Security Functions - Differences 1920 from ACL Data Models 1921 draft-ietf-i2nsf-capability-04: Information Model 1922 of NSFs Capabilities"; 1923 } 1925 identity syn-flood { 1926 base attack-mitigation-control; 1927 description 1928 "Identity for syn flood"; 1929 } 1931 identity udp-flood { 1932 base attack-mitigation-control; 1933 description 1934 "Identity for 
udp flood"; 1935 } 1937 identity icmp-flood { 1938 base attack-mitigation-control; 1939 description 1940 "Identity for icmp flood"; 1941 } 1943 identity ip-frag-flood { 1944 base attack-mitigation-control; 1945 description 1946 "Identity for ip frag flood"; 1947 } 1949 identity ipv6-related { 1950 base attack-mitigation-control; 1951 description 1952 "Identity for ipv6 related"; 1953 } 1955 identity http-and-https-flood { 1956 base attack-mitigation-control; 1957 description 1958 "Identity for http and https flood"; 1959 } 1961 identity dns-flood { 1962 base attack-mitigation-control; 1963 description 1964 "Identity for dns flood"; 1965 } 1967 identity dns-amp-flood { 1968 base attack-mitigation-control; 1969 description 1970 "Identity for dns amp flood"; 1971 } 1973 identity ssl-ddos { 1974 base attack-mitigation-control; 1975 description 1976 "Identity for ssl ddos"; 1977 } 1979 identity ip-sweep { 1980 base attack-mitigation-control; 1981 description 1982 "Identity for ip sweep"; 1983 } 1985 identity port-scanning { 1986 base attack-mitigation-control; 1987 description 1988 "Identity for port scanning"; 1989 } 1991 identity ping-of-death { 1992 base attack-mitigation-control; 1993 description 1994 "Identity for ping of death"; 1995 } 1997 identity teardrop { 1998 base attack-mitigation-control; 1999 description 2000 "Identity for teardrop"; 2001 } 2003 identity oversized-icmp { 2004 base attack-mitigation-control; 2005 description 2006 "Identity for oversized icmp"; 2007 } 2009 identity tracert { 2010 base attack-mitigation-control; 2011 description 2012 "Identity for tracert"; 2013 } 2015 identity ingress-action { 2016 description 2017 "Base identity for action"; 2018 reference 2019 "draft-ietf-i2nsf-capability-04: Information Model 2020 of NSFs Capabilities - Ingress Action"; 2021 } 2023 identity egress-action { 2024 description 2025 "Base identity for egress action"; 2026 reference 2027 "draft-ietf-i2nsf-capability-04: Information Model 2028 of NSFs 
Capabilities - Egress action"; 2029 } 2031 identity default-action { 2032 description 2033 "Base identity for default action"; 2034 reference 2035 "draft-ietf-i2nsf-capability-04: Information Model 2036 of NSFs Capabilities - Default action"; 2037 } 2039 identity pass { 2040 base ingress-action; 2041 base egress-action; 2042 base default-action; 2043 description 2044 "Identity for pass"; 2045 reference 2046 "draft-ietf-i2nsf-capability-04: Information Model 2047 of NSFs Capabilities - Actions and 2048 default action"; 2049 } 2051 identity drop { 2052 base ingress-action; 2053 base egress-action; 2054 base default-action; 2055 description 2056 "Identity for drop"; 2057 reference 2058 "draft-ietf-i2nsf-capability-04: Information Model 2059 of NSFs Capabilities - Actions and 2060 default action"; 2061 } 2063 identity reject { 2064 base ingress-action; 2065 base egress-action; 2066 base default-action; 2067 description 2068 "Identity for reject"; 2069 reference 2070 "draft-ietf-i2nsf-capability-04: Information Model 2071 of NSFs Capabilities - Actions and 2072 default action"; 2073 } 2075 identity alert { 2076 base ingress-action; 2077 base egress-action; 2078 base default-action; 2079 description 2080 "Identity for alert"; 2081 reference 2082 "draft-ietf-i2nsf-capability-04: Information Model 2083 of NSFs Capabilities - Actions and 2084 default action"; 2085 } 2087 identity mirror { 2088 base ingress-action; 2089 base egress-action; 2090 base default-action; 2091 description 2092 "Identity for mirror"; 2093 reference 2094 "draft-ietf-i2nsf-capability-04: Information Model 2095 of NSFs Capabilities - Actions and 2096 default action"; 2097 } 2099 identity log-action { 2100 description 2101 "Base identity for log action"; 2102 } 2104 identity rule-log { 2105 base log-action; 2106 description 2107 "Identity for rule log"; 2108 } 2110 identity session-log { 2111 base log-action; 2112 description 2113 "Identity for session log"; 2114 } 2116 identity invoke-signaling { 2117 
base egress-action; 2118 description 2119 "Identity for invoke signaling"; 2120 } 2122 identity tunnel-encapsulation { 2123 base egress-action; 2124 description 2125 "Identity for tunnel encapsulation"; 2126 } 2128 identity forwarding { 2129 base egress-action; 2130 description 2131 "Identity for forwarding"; 2132 } 2134 identity redirection { 2135 base egress-action; 2136 description 2137 "Identity for redirection"; 2139 } 2141 identity resolution-strategy { 2142 description 2143 "Base identity for resolution strategy"; 2144 reference 2145 "draft-ietf-i2nsf-capability-04: Information Model 2146 of NSFs Capabilities - Resolution Strategy"; 2147 } 2149 identity fmr { 2150 base resolution-strategy; 2151 description 2152 "Identity for First Matching Rule (FMR)"; 2153 reference 2154 "draft-ietf-i2nsf-capability-04: Information Model 2155 of NSFs Capabilities - Resolution Strategy"; 2156 } 2158 identity lmr { 2159 base resolution-strategy; 2160 description 2161 "Identity for Last Matching Rule (LMR)"; 2162 reference 2163 "draft-ietf-i2nsf-capability-04: Information Model 2164 of NSFs Capabilities - Resolution Strategy"; 2165 } 2167 identity pmr { 2168 base resolution-strategy; 2169 description 2170 "Identity for Prioritized Matching Rule (PMR)"; 2171 reference 2172 "draft-ietf-i2nsf-capability-04: Information Model 2173 of NSFs Capabilities - Resolution Strategy"; 2174 } 2176 identity pmre { 2177 base resolution-strategy; 2178 description 2179 "Identity for Prioritized Matching Rule 2180 with Errors (PMRE)"; 2181 reference 2182 "draft-ietf-i2nsf-capability-04: Information Model 2183 of NSFs Capabilities - Resolution Strategy"; 2184 } 2186 identity pmrn { 2187 base resolution-strategy; 2188 description 2189 "Identity for Prioritized Matching Rule 2190 with No Errors (PMRN)"; 2191 reference 2192 "draft-ietf-i2nsf-capability-04: Information Model 2193 of NSFs Capabilities - Resolution Strategy"; 2194 } 2196 /* 2197 * Typedefs 2198 */ 2200 typedef start-time-type { 2201 
type union { 2202 type string { 2203 pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' 2204 + '(Z|[\+\-]\d{2}:\d{2})'; 2205 } 2207 type enumeration { 2208 enum right-away { 2209 description 2210 "Immediate rule execution 2211 in the system."; 2212 } 2213 } 2214 } 2216 description 2217 "Start time when the rules are applied."; 2218 } 2220 typedef end-time-type { 2221 type union { 2222 type string { 2223 pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' 2224 + '(Z|[\+\-]\d{2}:\d{2})'; 2225 } 2227 type enumeration { 2228 enum infinitely { 2229 description 2230 "Infinite rule execution 2231 in the system."; 2232 } 2233 } 2234 } 2235 description 2236 "End time when the rules are applied."; 2237 } 2238 typedef day-type { 2239 type enumeration { 2240 enum sunday { 2241 description 2242 "Sunday for periodic day"; 2243 } 2244 enum monday { 2245 description 2246 "Monday for periodic day"; 2247 } 2248 enum tuesday { 2249 description 2250 "Tuesday for periodic day"; 2251 } 2252 enum wednesday { 2253 description 2254 "Wednesday for periodic day"; 2255 } 2256 enum thursday { 2257 description 2258 "Thursday for periodic day"; 2259 } 2260 enum friday { 2261 description 2262 "Friday for periodic day"; 2263 } 2264 enum saturday { 2265 description 2266 "Saturday for periodic day"; 2267 } 2268 } 2269 description 2270 "This can be used for the rules to be applied 2271 according to periodic day"; 2272 } 2274 typedef month-type { 2275 type enumeration { 2276 enum january { 2277 description 2278 "January for periodic month"; 2279 } 2280 enum february { 2281 description 2282 "February for periodic month"; 2283 } 2284 enum march { 2285 description 2286 "March for periodic month"; 2287 } 2288 enum april { 2289 description 2290 "April for periodic month"; 2291 } 2292 enum may { 2293 description 2294 "May for periodic month"; 2295 } 2296 enum june { 2297 description 2298 "June for periodic month"; 2299 } 2300 enum july { 2301 description 2302 "July for periodic month"; 2303 } 2304 enum august { 2305 description 2306 
"August for periodic month"; 2307 } 2308 enum september { 2309 description 2310 "September for periodic month"; 2311 } 2312 enum october { 2313 description 2314 "October for periodic month"; 2315 } 2316 enum november { 2317 description 2318 "November for periodic month"; 2319 } 2320 enum december { 2321 description 2322 "December for periodic month"; 2323 } 2324 } 2325 description 2326 "This can be used for the rules to be applied 2327 according to periodic month"; 2328 } 2330 /* 2331 * Groupings 2332 */ 2334 grouping ipv4 { 2335 list ipv4-address { 2336 key "ipv4"; 2337 description 2338 "The list of IPv4 address."; 2340 leaf ipv4 { 2341 type inet:ipv4-address; 2342 description 2343 "The value of IPv4 address."; 2344 } 2345 choice subnet { 2346 description 2347 "The subnet can be specified as a prefix length or 2348 netmask."; 2349 leaf prefix-length { 2350 type uint8 { 2351 range "0..32"; 2352 } 2353 description 2354 "The length of the subnet prefix."; 2355 } 2356 leaf netmask { 2357 type yang:dotted-quad; 2358 description 2359 "The subnet specified as a netmask."; 2360 } 2361 } 2362 } 2363 description 2364 "Grouping for an IPv4 address"; 2366 reference 2367 "RFC 791: Internet Protocol - IPv4 address 2368 RFC 8344: A YANG Data Model for IP Management"; 2369 } 2371 grouping ipv6 { 2372 list ipv6-address { 2373 key "ipv6"; 2374 description 2375 "The list of IPv6 address."; 2377 leaf ipv6 { 2378 type inet:ipv6-address; 2379 description 2380 "The value of IPv6 address."; 2381 } 2382 leaf prefix-length { 2383 type uint8 { 2384 range "0..128"; 2385 } 2386 description 2387 "The length of the subnet prefix."; 2388 } 2389 } 2390 description 2391 "Grouping for an IPv6 address"; 2393 reference 2394 "RFC 2460: Internet Protocol, Version 6 (IPv6) 2395 Specification - IPv6 address 2396 RFC 8344: A YANG Data Model for IP Management"; 2397 } 2399 grouping pkt-sec-ipv4 { 2400 choice match-type { 2401 description 2402 "There are two types to configure a security policy 2403 for 
IPv4 address, such as exact match and range match."; 2404 case exact-match { 2405 uses ipv4; 2406 description 2407 "Exact match for an IPv4 address."; 2408 } 2409 case range-match { 2410 list range-ipv4-address { 2411 key "start-ipv4-address end-ipv4-address"; 2412 leaf start-ipv4-address { 2413 type inet:ipv4-address; 2414 description 2415 "Start IPv4 address for a range match."; 2416 } 2418 leaf end-ipv4-address { 2419 type inet:ipv4-address; 2420 description 2421 "End IPv4 address for a range match."; 2422 } 2423 description 2424 "Range match for an IPv4 address."; 2425 } 2426 } 2427 } 2428 description 2429 "Grouping for an IPv4 address."; 2431 reference 2432 "RFC 791: Internet Protocol - IPv4 address"; 2433 } 2435 grouping pkt-sec-ipv6 { 2436 choice match-type { 2437 description 2438 "There are two types to configure a security policy 2439 for IPv6 address, such as exact match and range match."; 2440 case exact-match { 2441 uses ipv6; 2442 description 2443 "Exact match for an IPv6 address."; 2444 } 2445 case range-match { 2446 list range-ipv6-address { 2447 key "start-ipv6-address end-ipv6-address"; 2448 leaf start-ipv6-address { 2449 type inet:ipv6-address; 2450 description 2451 "Start IPv6 address for a range match."; 2452 } 2454 leaf end-ipv6-address { 2455 type inet:ipv6-address; 2456 description 2457 "End IPv6 address for a range match."; 2458 } 2459 description 2460 "Range match for an IPv6 address."; 2461 } 2462 } 2463 } 2464 description 2465 "Grouping for IPv6 address."; 2467 reference 2468 "RFC 2460: Internet Protocol, Version 6 (IPv6) 2469 Specification - IPv6 address"; 2470 } 2472 grouping pkt-sec-port-number { 2473 choice match-type { 2474 description 2475 "There are two types to configure a security policy 2476 for a port number, such as exact match and range match."; 2477 case exact-match { 2478 leaf-list port-num { 2479 type inet:port-number; 2480 description 2481 "Exact match for a port number."; 2482 } 2483 } 2484 case range-match { 2485 list 
range-port-num {
          key "start-port-num end-port-num";
          leaf start-port-num {
            type inet:port-number;
            description
              "Start port number for a range match.";
          }
          leaf end-port-num {
            type inet:port-number;
            description
              "End port number for a range match.";
          }
          description
            "Range match for a port number.";
        }
      }
    }
    description
      "Grouping for a port number.";

    reference
      "RFC 793: Transmission Control Protocol - Port number
       RFC 768: User Datagram Protocol - Port number";
  }

  /*
   * Data nodes
   */

  container i2nsf-security-policy {
    description
      "Container for a security policy, i.e., a set of security
       rules grouped according to certain logic such as their
       similarity or mutual relations. A network security policy
       can be applied to both unidirectional and bidirectional
       traffic across the NSF. The I2NSF security policies use the
       Event-Condition-Action (ECA) policy model.";

    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - I2NSF Flow Security Policy Structure
       draft-ietf-i2nsf-capability-04: Information Model
       of NSFs Capabilities - Design Principles and ECA Policy Model
       Overview";

    list system-policy {
      key "system-policy-name";
      description
        "There can be multiple system policies in one NSF; each
         system policy is used by one virtual instance of the
         NSF/device.";

      leaf system-policy-name {
        type string;
        mandatory true;
        description
          "The name of the policy.
2543 This must be unique."; 2544 } 2546 leaf priority-usage { 2547 type identityref { 2548 base priority-usage-type; 2549 } 2550 default priority-by-order; 2551 description 2552 "Priority usage type for security policy rule: 2553 priority by order and priority by number"; 2554 } 2556 leaf resolution-strategy { 2557 type identityref { 2558 base resolution-strategy; 2559 } 2560 default fmr; 2561 description 2562 "The resolution strategies can be used to 2563 specify how to resolve conflicts that occur between 2564 the actions of the same or different policy rules that 2565 are matched and contained in this particular NSF"; 2567 reference 2568 "draft-ietf-i2nsf-capability-04: Information Model 2569 of NSFs Capabilities - Resolution strategy"; 2570 } 2572 leaf default-action { 2573 type identityref { 2574 base default-action; 2575 } 2576 default alert; 2577 description 2578 "This default action can be used to specify a predefined 2579 action when no other alternative action was matched 2580 by the currently executing I2NSF Policy Rule. An analogy 2581 is the use of a default statement in a C switch statement."; 2583 reference 2584 "draft-ietf-i2nsf-capability-04: Information Model 2585 of NSFs Capabilities - Default action"; 2586 } 2588 list rules { 2589 key "rule-name"; 2590 description 2591 "This is a rule for network security functions."; 2593 leaf rule-name { 2594 type string; 2595 mandatory true; 2596 description 2597 "The name of the rule. 2598 This must be unique."; 2599 } 2601 leaf rule-description { 2602 type string; 2603 description 2604 "This description gives more information about 2605 rules."; 2606 } 2608 leaf rule-priority { 2609 type uint8 { 2610 range "1..255"; 2611 } 2612 description 2613 "The priority keyword comes with a mandatory 2614 numeric value which can range from 1 till 255."; 2615 } 2617 leaf rule-enable { 2618 type boolean; 2619 description 2620 "True is enable. 
           False is not enable.";
      }

      container time-zone {
        description
          "Time window in which the rule is applied.";
        container absolute-time-zone {
          description
            "Rule execution according to absolute time.";

          leaf start-time {
            type start-time-type;
            default right-away;
            description
              "Start time when the rule is applied.";
          }
          leaf end-time {
            type end-time-type;
            default infinitely;
            description
              "End time when the rule is applied.";
          }
        }

        container periodic-time-zone {
          description
            "Rule execution according to periodic time.";

          container day {
            description
              "Rule execution according to day.";
            leaf every-day {
              type boolean;
              default true;
              description
                "Rule execution every day.";
            }

            leaf-list specific-day {
              when "../every-day = 'false'";
              type day-type;
              description
                "Rule execution only on the listed days.";
            }
          }
          container month {
            description
              "Rule execution according to month.";
            leaf every-month {
              type boolean;
              default true;
              description
                "Rule execution every month.";
            }

            leaf-list specific-month {
              when "../every-month = 'false'";
              type month-type;
              description
                "Rule execution only in the listed months.";
            }
          }
        }
      }

      container event-clause-container {
        description
          "An event is defined as any important
           occurrence in time of a change in the system being
           managed, and/or in the environment of the system being
           managed. When used in the context of policy rules for
           a flow-based NSF, it is used to determine whether the
           Condition clause of the Policy Rule can be evaluated
           or not.
Examples of an I2NSF event include time and 2697 user actions (e.g., logon, logoff, and actions that 2698 violate any ACL.)."; 2700 reference 2701 "RFC 8329: Framework for Interface to Network Security 2702 Functions - I2NSF Flow Security Policy Structure 2703 draft-ietf-i2nsf-capability-04: Information Model 2704 of NSFs Capabilities - Design Principles and ECA 2705 Policy Model Overview 2706 draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG 2707 Data Model for Monitoring I2NSF Network Security 2708 Functions - System Alarm and System Events"; 2710 leaf event-clause-description { 2711 type string; 2712 description 2713 "Description for an event clause"; 2714 } 2715 container event-clauses { 2716 description 2717 "It has two event types such as 2718 system event and system alarm."; 2719 reference 2720 "RFC 8329: Framework for Interface to Network Security 2721 Functions - I2NSF Flow Security Policy Structure 2722 draft-ietf-i2nsf-capability-04: Information Model 2723 of NSFs Capabilities - Design Principles and ECA Policy 2724 Model Overview 2725 draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG 2726 Data Model for Monitoring I2NSF Network Security 2727 Functions - System Alarm and System Events"; 2729 leaf-list system-event { 2730 type identityref { 2731 base system-event; 2732 } 2733 description 2734 "The security policy rule according to 2735 system events."; 2736 } 2738 leaf-list system-alarm { 2739 type identityref { 2740 base system-alarm; 2741 } 2742 description 2743 "The security policy rule according to 2744 system alarms."; 2745 } 2746 } 2747 } 2749 container condition-clause-container { 2750 description 2751 "A condition is defined as a set 2752 of attributes, features, and/or values that are to be 2753 compared with a set of known attributes, features, 2754 and/or values in order to determine whether or not the 2755 set of Actions in that (imperative) I2NSF Policy Rule 2756 can be executed or not. 
Examples of I2NSF Conditions 2757 include matching attributes of a packet or flow, and 2758 comparing the internal state of an NSF to a desired 2759 state."; 2760 reference 2761 "RFC 8329: Framework for Interface to Network Security 2762 Functions - I2NSF Flow Security Policy Structure 2763 draft-ietf-i2nsf-capability-04: Information Model 2764 of NSFs Capabilities - Design Principles and ECA Policy 2765 Model Overview"; 2767 leaf condition-clause-description { 2768 type string; 2769 description 2770 "Description for a condition clause."; 2771 } 2773 container packet-security-ipv4-condition { 2774 description 2775 "The purpose of this container is to represent IPv4 2776 packet header information to determine if the set 2777 of policy actions in this ECA policy rule should be 2778 executed or not."; 2779 reference 2780 "RFC 791: Internet Protocol"; 2782 container pkt-sec-ipv4-header-length { 2783 choice match-type { 2784 description 2785 "There are two types to configure a security 2786 policy for IPv4 header length, such as exact match 2787 and range match."; 2788 case exact-match { 2789 leaf-list ipv4-header-length { 2790 type uint8 { 2791 range "5..15"; 2792 } 2793 description 2794 "Exact match for an IPv4 header length."; 2795 } 2796 } 2797 case range-match { 2798 list range-ipv4-header-length { 2799 key "start-ipv4-header-length 2800 end-ipv4-header-length"; 2801 leaf start-ipv4-header-length { 2802 type uint8 { 2803 range "5..15"; 2804 } 2805 description 2806 "Start IPv4 header length for a range match."; 2807 } 2809 leaf end-ipv4-header-length { 2810 type uint8 { 2811 range "5..15"; 2812 } 2813 description 2814 "End IPv4 header length for a range match."; 2815 } 2816 description 2817 "Range match for an IPv4 header length."; 2818 } 2819 } 2820 } 2821 description 2822 "The security policy rule according to 2823 IPv4 header length."; 2824 reference 2825 "RFC 791: Internet Protocol - Header length"; 2826 } 2828 leaf-list pkt-sec-ipv4-tos { 2829 type identityref 
{ 2830 base type-of-service; 2831 } 2832 description 2833 "The security policy rule according to 2834 IPv4 type of service."; 2835 reference 2836 "RFC 791: Internet Protocol - Type of service"; 2837 } 2839 container pkt-sec-ipv4-total-length { 2840 choice match-type { 2841 description 2842 "There are two types to configure a security 2843 policy for IPv4 total length, such as exact match 2844 and range match."; 2845 case exact-match { 2846 leaf-list ipv4-total-length { 2847 type uint16; 2848 description 2849 "Exact match for an IPv4 total length."; 2850 } 2851 } 2852 case range-match { 2853 list range-ipv4-total-length { 2854 key "start-ipv4-total-length end-ipv4-total-length"; 2855 leaf start-ipv4-total-length { 2856 type uint16; 2857 description 2858 "Start IPv4 total length for a range match."; 2860 } 2861 leaf end-ipv4-total-length { 2862 type uint16; 2863 description 2864 "End IPv4 total length for a range match."; 2865 } 2866 description 2867 "Range match for an IPv4 total length."; 2868 } 2869 } 2870 } 2871 description 2872 "The security policy rule according to 2873 IPv4 total length."; 2874 reference 2875 "RFC 791: Internet Protocol - Total length"; 2876 } 2878 leaf-list pkt-sec-ipv4-id { 2879 type uint16; 2880 description 2881 "The security policy rule according to 2882 IPv4 identification."; 2883 reference 2884 "RFC 791: Internet Protocol - Identification"; 2885 } 2887 leaf-list pkt-sec-ipv4-fragment-flags { 2888 type identityref { 2889 base fragmentation-flags-type; 2890 } 2891 description 2892 "The security policy rule according to 2893 IPv4 fragment flags."; 2894 reference 2895 "RFC 791: Internet Protocol - Fragment flags"; 2896 } 2898 container pkt-sec-ipv4-fragment-offset { 2899 choice match-type { 2900 description 2901 "There are two types to configure a security 2902 policy for IPv4 fragment offset, such as exact match 2903 and range match."; 2904 case exact-match { 2905 leaf-list ipv4-fragment-offset { 2906 type uint16 { 2907 range "0..16383"; 
2909 } 2910 description 2911 "Exact match for an IPv4 fragment offset."; 2912 } 2913 } 2914 case range-match { 2915 list range-ipv4-fragment-offset { 2916 key "start-ipv4-fragment-offset 2917 end-ipv4-fragment-offset"; 2918 leaf start-ipv4-fragment-offset { 2919 type uint16 { 2920 range "0..16383"; 2921 } 2922 description 2923 "Start IPv4 fragment offset for a range match."; 2924 } 2925 leaf end-ipv4-fragment-offset { 2926 type uint16 { 2927 range "0..16383"; 2928 } 2929 description 2930 "End IPv4 fragment offset for a range match."; 2931 } 2932 description 2933 "Range match for an IPv4 fragment offset."; 2934 } 2935 } 2936 } 2937 description 2938 "The security policy rule according to 2939 IPv4 fragment offset."; 2940 reference 2941 "RFC 791: Internet Protocol - Fragment offset"; 2942 } 2944 container pkt-sec-ipv4-ttl { 2945 choice match-type { 2946 description 2947 "There are two types to configure a security 2948 policy for IPv4 TTL, such as exact match 2949 and range match."; 2950 case exact-match { 2951 leaf-list ipv4-ttl { 2952 type uint8; 2953 description 2954 "Exact match for an IPv4 TTL."; 2955 } 2956 } 2957 case range-match { 2958 list range-ipv4-ttl { 2959 key "start-ipv4-ttl end-ipv4-ttl"; 2960 leaf start-ipv4-ttl { 2961 type uint8; 2962 description 2963 "Start IPv4 TTL for a range match."; 2964 } 2965 leaf end-ipv4-ttl { 2966 type uint8; 2967 description 2968 "End IPv4 TTL for a range match."; 2969 } 2970 description 2971 "Range match for an IPv4 TTL."; 2972 } 2973 } 2974 } 2975 description 2976 "The security policy rule according to 2977 IPv4 time-to-live (TTL)."; 2978 reference 2979 "RFC 791: Internet Protocol - Time to live"; 2980 } 2982 leaf-list pkt-sec-ipv4-protocol { 2983 type identityref { 2984 base protocol; 2985 } 2986 description 2987 "The security policy rule according to 2988 IPv4 protocol."; 2989 reference 2990 "RFC 791: Internet Protocol - Protocol"; 2991 } 2993 container pkt-sec-ipv4-src { 2994 uses pkt-sec-ipv4; 2995 description 2996 
"The security policy rule according to 2997 IPv4 source address."; 2998 reference 2999 "RFC 791: Internet Protocol - IPv4 Address"; 3000 } 3002 container pkt-sec-ipv4-dest { 3003 uses pkt-sec-ipv4; 3004 description 3005 "The security policy rule according to 3006 IPv4 destination address."; 3007 reference 3008 "RFC 791: Internet Protocol - IPv4 Address"; 3009 } 3011 leaf-list pkt-sec-ipv4-ipopts { 3012 type identityref { 3013 base ipopts; 3014 } 3015 description 3016 "The security policy rule according to 3017 IPv4 options."; 3018 reference 3019 "RFC 791: Internet Protocol - Options"; 3020 } 3022 leaf pkt-sec-ipv4-sameip { 3023 type boolean; 3024 description 3025 "Every packet has a source IP-address and 3026 a destination IP-address. It can be that 3027 the source IP is the same as 3028 the destination IP."; 3029 } 3031 leaf-list pkt-sec-ipv4-geoip { 3032 type string; 3033 description 3034 "The geoip keyword enables you to match on 3035 the source, destination or source and destination 3036 IP addresses of network traffic and to see to 3037 which country it belongs. 
To do this, Suricata 3038 uses GeoIP API with MaxMind database format."; 3039 } 3040 } 3042 container packet-security-ipv6-condition { 3043 description 3044 "The purpose of this container is to represent 3045 IPv6 packet header information to determine 3046 if the set of policy actions in this ECA policy 3047 rule should be executed or not."; 3048 reference 3049 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3050 Specification"; 3052 leaf-list pkt-sec-ipv6-traffic-class { 3053 type identityref { 3054 base traffic-class; 3055 } 3056 description 3057 "The security policy rule according to 3058 IPv6 traffic class."; 3059 reference 3060 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3061 Specification - Traffic class"; 3062 } 3064 container pkt-sec-ipv6-flow-label { 3065 choice match-type { 3066 description 3067 "There are two types to configure a security 3068 policy for IPv6 flow label, such as exact match 3069 and range match."; 3070 case exact-match { 3071 leaf-list ipv6-flow-label { 3072 type uint32 { 3073 range "0..1048575"; 3074 } 3075 description 3076 "Exact match for an IPv6 flow label."; 3077 } 3078 } 3079 case range-match { 3080 list range-ipv6-flow-label { 3081 key "start-ipv6-flow-label end-ipv6-flow-label"; 3082 leaf start-ipv6-flow-label { 3083 type uint32 { 3084 range "0..1048575"; 3085 } 3086 description 3087 "Start IPv6 flow label for a range match."; 3088 } 3089 leaf end-ipv6-flow-label { 3090 type uint32 { 3091 range "0..1048575"; 3092 } 3093 description 3094 "End IPv6 flow label for a range match."; 3095 } 3096 description 3097 "Range match for an IPv6 flow label."; 3098 } 3099 } 3101 } 3102 description 3103 "The security policy rule according to 3104 IPv6 flow label."; 3105 reference 3106 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3107 Specification - Flow label"; 3108 } 3110 container pkt-sec-ipv6-payload-length { 3111 choice match-type { 3112 description 3113 "There are two types to configure a security 3114 policy for IPv6 payload length, 
such as 3115 exact match and range match."; 3116 case exact-match { 3117 leaf-list ipv6-payload-length { 3118 type uint16; 3119 description 3120 "Exact match for an IPv6 payload length."; 3121 } 3122 } 3123 case range-match { 3124 list range-ipv6-payload-length { 3125 key "start-ipv6-payload-length 3126 end-ipv6-payload-length"; 3127 leaf start-ipv6-payload-length { 3128 type uint16; 3129 description 3130 "Start IPv6 payload length for a range match."; 3131 } 3132 leaf end-ipv6-payload-length { 3133 type uint16; 3134 description 3135 "End IPv6 payload length for a range match."; 3136 } 3137 description 3138 "Range match for an IPv6 payload length."; 3139 } 3140 } 3141 } 3142 description 3143 "The security policy rule according to 3144 IPv6 payload length."; 3145 reference 3146 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3147 Specification - Payload length"; 3148 } 3149 leaf-list pkt-sec-ipv6-next-header { 3150 type identityref { 3151 base next-header; 3152 } 3153 description 3154 "The security policy rule according to 3155 IPv6 next header."; 3156 reference 3157 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3158 Specification - Next header"; 3159 } 3161 container pkt-sec-ipv6-hop-limit { 3162 choice match-type { 3163 description 3164 "There are two types to configure a security 3165 policy for IPv6 hop limit, such as exact match 3166 and range match."; 3167 case exact-match { 3168 leaf-list ipv6-hop-limit { 3169 type uint8; 3170 description 3171 "Exact match for an IPv6 hop limit."; 3172 } 3173 } 3174 case range-match { 3175 list range-ipv6-hop-limit { 3176 key "start-ipv6-hop-limit end-ipv6-hop-limit"; 3177 leaf start-ipv6-hop-limit { 3178 type uint8; 3179 description 3180 "Start IPv6 hop limit for a range match."; 3181 } 3182 leaf end-ipv6-hop-limit { 3183 type uint8; 3184 description 3185 "End IPv6 hop limit for a range match."; 3186 } 3187 description 3188 "Range match for an IPv6 hop limit."; 3189 } 3190 } 3191 } 3192 description 3193 "The security policy 
rule according to 3194 IPv6 hop limit."; 3195 reference 3196 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3197 Specification - Hop limit"; 3198 } 3200 container pkt-sec-ipv6-src { 3201 uses pkt-sec-ipv6; 3202 description 3203 "The security policy rule according to 3204 IPv6 source address."; 3205 reference 3206 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3207 Specification - IPv6 address"; 3208 } 3210 container pkt-sec-ipv6-dest { 3211 uses pkt-sec-ipv6; 3212 description 3213 "The security policy rule according to 3214 IPv6 destination address."; 3215 reference 3216 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3217 Specification - IPv6 address"; 3218 } 3220 } 3222 container packet-security-tcp-condition { 3223 description 3224 "The purpose of this container is to represent 3225 TCP packet header information to determine 3226 if the set of policy actions in this ECA policy 3227 rule should be executed or not."; 3228 reference 3229 "RFC 793: Transmission Control Protocol"; 3231 container pkt-sec-tcp-src-port-num { 3232 uses pkt-sec-port-number; 3233 description 3234 "The security policy rule according to 3235 tcp source port number."; 3236 reference 3237 "RFC 793: Transmission Control Protocol 3238 - Port number"; 3239 } 3241 container pkt-sec-tcp-dest-port-num { 3242 uses pkt-sec-port-number; 3243 description 3244 "The security policy rule according to 3245 tcp destination port number."; 3246 reference 3247 "RFC 793: Transmission Control Protocol 3248 - Port number"; 3249 } 3251 container pkt-sec-tcp-seq-num { 3252 choice match-type { 3253 description 3254 "There are two types to configure a security 3255 policy for tcp sequence number, 3256 such as exact match and range match."; 3257 case exact-match { 3258 leaf-list tcp-seq-num { 3259 type uint32; 3260 description 3261 "Exact match for an tcp sequence number."; 3262 } 3263 } 3264 case range-match { 3265 list range-tcp-seq-num { 3266 key "start-tcp-seq-num end-tcp-seq-num"; 3267 leaf start-tcp-seq-num { 3268 
type uint32; 3269 description 3270 "Start tcp sequence number for a range match."; 3271 } 3272 leaf end-tcp-seq-num { 3273 type uint32; 3274 description 3275 "End tcp sequence number for a range match."; 3276 } 3277 description 3278 "Range match for a tcp sequence number."; 3279 } 3280 } 3281 } 3282 description 3283 "The security policy rule according to 3284 tcp sequence number."; 3285 reference 3286 "RFC 793: Transmission Control Protocol 3287 - Sequence number"; 3288 } 3290 container pkt-sec-tcp-ack-num { 3291 choice match-type { 3292 description 3293 "There are two types to configure a security 3294 policy for tcp acknowledgement number, 3295 such as exact match and range match."; 3296 case exact-match { 3297 leaf-list tcp-ack-num { 3298 type uint32; 3299 description 3300 "Exact match for an tcp acknowledgement number."; 3301 } 3302 } 3303 case range-match { 3304 list range-tcp-ack-num { 3305 key "start-tcp-ack-num end-tcp-ack-num"; 3306 leaf start-tcp-ack-num { 3307 type uint32; 3308 description 3309 "Start tcp acknowledgement number 3310 for a range match."; 3311 } 3312 leaf end-tcp-ack-num { 3313 type uint32; 3314 description 3315 "End tcp acknowledgement number 3316 for a range match."; 3317 } 3318 description 3319 "Range match for a tcp acknowledgement number."; 3320 } 3321 } 3322 } 3323 description 3324 "The security policy rule according to 3325 tcp acknowledgement number."; 3326 reference 3327 "RFC 793: Transmission Control Protocol 3328 - Acknowledgement number"; 3329 } 3331 container pkt-sec-tcp-window-size { 3332 choice match-type { 3333 description 3334 "There are two types to configure a security 3335 policy for tcp window size, 3336 such as exact match and range match."; 3337 case exact-match { 3338 leaf-list tcp-window-size { 3339 type uint16; 3340 description 3341 "Exact match for an tcp window size."; 3342 } 3343 } 3344 case range-match { 3345 list range-tcp-window-size { 3346 key "start-tcp-window-size end-tcp-window-size"; 3347 leaf 
start-tcp-window-size {
              type uint16;
              description
                "Start TCP window size for a range match.";
            }
            leaf end-tcp-window-size {
              type uint16;
              description
                "End TCP window size for a range match.";
            }
            description
              "Range match for a TCP window size.";
          }
        }
      }
      description
        "The security policy rule according to
         TCP window size.";
      reference
        "RFC 793: Transmission Control Protocol
         - Window size";
    }

    leaf-list pkt-sec-tcp-flags {
      type identityref {
        base tcp-flags;
      }
      description
        "The security policy rule according to
         TCP flags.";
      reference
        "RFC 793: Transmission Control Protocol
         - Flags";
    }
  }

  container packet-security-udp-condition {
    description
      "The purpose of this container is to represent
       UDP packet header information to determine
       if the set of policy actions in this ECA policy
       rule should be executed or not.";
    reference
      "RFC 768: User Datagram Protocol";

    container pkt-sec-udp-src-port-num {
      uses pkt-sec-port-number;
      description
        "The security policy rule according to
         UDP source port number.";
      reference
        "RFC 768: User Datagram Protocol
         - Port number";
    }

    container pkt-sec-udp-dest-port-num {
      uses pkt-sec-port-number;
      description
        "The security policy rule according to
         UDP destination port number.";
      reference
        "RFC 768: User Datagram Protocol
         - Port number";
    }

    container pkt-sec-udp-total-length {
      choice match-type {
        description
          "There are two types to configure a security
           policy for UDP total length,
           such as exact match and range match.";
        case exact-match {
          leaf-list udp-total-length {
            type uint16;
            description
              "Exact match for a UDP total length. The UDP
               length field is 16 bits wide (RFC 768).";
          }
        }
        case range-match {
          list range-udp-total-length {
            key "start-udp-total-length end-udp-total-length";
            leaf start-udp-total-length {
              type uint16;
              description
                "Start UDP total length for a range match.";
            }
            leaf end-udp-total-length {
              type uint16;
              description
                "End UDP total length for a range match.";
            }
            description
              "Range match for a UDP total length.";
          }
        }
      }
      description
        "The security policy rule according to
         UDP total length.";
      reference
        "RFC 768: User Datagram Protocol
         - Length";
    }
  }

  container packet-security-icmp-condition {
    description
      "The purpose of this container is to represent
       ICMP packet header information to determine
       if the set of policy actions in this ECA policy
       rule should be executed or not.";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";

    leaf-list pkt-sec-icmp-type-and-code {
      type identityref {
        base icmp-type;
      }
      description
        "The security policy rule according to
         ICMP type and code.";
      reference
        "RFC 792: Internet Control Message Protocol
         RFC 8335: PROBE: A Utility for Probing Interfaces";
    }
  }

  container packet-security-http-condition {
    description
      "Condition for HTTP.";

    leaf-list pkt-sec-uri-content {
      type string;
      description
        "The security policy rule according to
         URI content.";
    }

    leaf-list pkt-sec-url-content {
      type string;
      description
        "The security policy rule according to
         URL content.";
    }
  }

  container packet-security-voice-condition {
    description
      "For the VoIP/VoLTE security system, a VoIP/
       VoLTE security system can monitor each
       VoIP/VoLTE flow and manage VoIP/VoLTE
       security rules controlled by a centralized
       server for VoIP/VoLTE security service
       (called VoIP IPS).
The VoIP/VoLTE security 3502 system controls each switch for the 3503 VoIP/VoLTE call flow management by 3504 manipulating the rules that can be added, 3505 deleted, or modified dynamically."; 3506 reference 3507 "RFC 3261: SIP: Session Initiation Protocol"; 3509 leaf-list pkt-sec-src-voice-id { 3510 type string; 3511 description 3512 "The security policy rule according to 3513 a source voice ID for VoIP and VoLTE."; 3514 } 3516 leaf-list pkt-sec-dest-voice-id { 3517 type string; 3518 description 3519 "The security policy rule according to 3520 a destination voice ID for VoIP and VoLTE."; 3521 } 3523 leaf-list pkt-sec-user-agent { 3524 type string; 3525 description 3526 "The security policy rule according to 3527 an user agent for VoIP and VoLTE."; 3528 } 3530 } 3532 container packet-security-ddos-condition { 3533 description 3534 "Condition for DDoS attack."; 3536 leaf pkt-sec-alert-rate { 3537 type uint32; 3538 description 3539 "The alert rate of flood detect for 3540 same packets."; 3541 } 3542 } 3543 } 3545 container action-clause-container { 3546 description 3547 "An action is used to control and monitor aspects of 3548 flow-based NSFs when the event and condition clauses 3549 are satisfied. NSFs provide security functions by 3550 executing various Actions. 
Examples of I2NSF Actions 3551 include providing intrusion detection and/or protection, 3552 web and flow filtering, and deep packet inspection 3553 for packets and flows."; 3554 reference 3555 "RFC 8329: Framework for Interface to Network Security 3556 Functions - I2NSF Flow Security Policy Structure 3557 draft-ietf-i2nsf-capability-04: Information Model 3558 of NSFs Capabilities - Design Principles and ECA Policy 3559 Model Overview"; 3561 leaf action-clause-description { 3562 type string; 3563 description 3564 "Description for an action clause."; 3565 } 3567 container packet-action { 3568 description 3569 "Action for packets"; 3570 reference 3571 "RFC 8329: Framework for Interface to Network Security 3572 Functions - I2NSF Flow Security Policy Structure 3573 draft-ietf-i2nsf-capability-04: Information Model 3574 of NSFs Capabilities - Design Principles and ECA 3575 Policy Model Overview"; 3577 leaf ingress-action { 3578 type identityref { 3579 base ingress-action; 3580 } 3581 description 3582 "Action: pass, drop, reject, alert, and mirror."; 3583 } 3585 leaf egress-action { 3586 type identityref { 3587 base egress-action; 3588 } 3589 description 3590 "Egress action: pass, drop, reject, alert, mirror, 3591 invoke-signaling, tunnel-encapsulation, 3592 forwarding, and redirection."; 3593 } 3595 leaf log-action { 3596 type identityref { 3597 base log-action; 3598 } 3599 description 3600 "Log action: rule log and session log"; 3601 } 3603 } 3605 container advanced-action { 3606 description 3607 "If the packet need be additionally inspected, 3608 the packet are passed to advanced network 3609 security functions according to the profile."; 3610 reference 3611 "RFC 8329: Framework for Interface to Network Security 3612 Functions - Differences from ACL Data Models"; 3614 leaf-list content-security-control { 3615 type identityref { 3616 base content-security-control; 3617 } 3618 description 3619 "The Profile is divided into content security 3620 control and 
           attack-mitigation-control.
           Content security control: antivirus, ips, ids,
           url filtering, mail filtering, file blocking,
           file isolate, packet capture, application control,
           voip and volte.";
        }
        leaf-list attack-mitigation-control {
          type identityref {
            base attack-mitigation-control;
          }
          description
            "The Profile is divided into content security
             control and attack-mitigation-control.
             Attack mitigation control: syn flood, udp flood,
             icmp flood, ip frag flood, ipv6 related, http flood,
             https flood, dns flood, dns amp flood, ssl ddos,
             ip sweep, port scanning, ping of death, teardrop,
             oversized icmp, tracert.";
        }
      }
    }
  }
}
}
}

Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface

6. IANA Considerations

This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]:

URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace.

This document requests IANA to register the following YANG module in the "YANG Module Names" registry [RFC7950]:

name: ietf-i2nsf-policy-rule-for-nsf
namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
prefix: iiprfn
reference: RFC XXXX

7. Security Considerations

The YANG module specified in this document defines a data schema designed to be accessed through network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC8446].
   The NETCONF access control model [RFC8341] provides a means of
   restricting access for specific NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

8. References

8.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6087]  Bierman, A., "Guidelines for Authors and Reviewers of YANG
              Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
              January 2011.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8431]  Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
              S., and N. Bahadur, "A YANG Data Model for Routing
              Information Base (RIB)", RFC 8431, September 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

8.2. Informative References

   [i2nsf-advanced-nsf-dm]
              Pan, W. and L. Xia, "Configuration of Advanced Security
              Functions with I2NSF Security Controller", draft-dong-
              i2nsf-asf-config-01 (work in progress), October 2018.

   [i2nsf-nsf-cap-dm]
              Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
              "I2NSF Capability YANG Data Model", draft-ietf-i2nsf-
              capability-data-model-02 (work in progress), November
              2018.

   [i2nsf-nsf-cap-im]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities", draft-ietf-
              i2nsf-capability-04 (work in progress), October 2018.

   [supa-policy-info-model]
              Strassner, J., Halpern, J., and S. Meer, "Generic Policy
              Information Model for Simplified Use of Policy
              Abstractions (SUPA)", draft-ietf-supa-generic-policy-info-
              model-03 (work in progress), May 2017.

Appendix A. Configuration Examples

   This section shows configuration examples of the "ietf-i2nsf-policy-
   rule-for-nsf" module for security policy rules of network security
   devices.  For the security requirements, we assume that the NSFs
   (i.e., general firewall, time based firewall, web filter, VoIP/VoLTE
   filter, and HTTP and HTTPS flood mitigation) described in Appendix A
   (Configuration Examples) of [i2nsf-nsf-cap-dm] are registered in the
   I2NSF framework.
   With the registered NSFs, we show configuration examples for
   security policy rules of network security functions according to
   the following three security requirements: (i) block SNS access
   during business hours, (ii) block malicious VoIP/VoLTE packets coming
   to the company, and (iii) mitigate HTTP and HTTPS flood attacks on a
   company web server.

A.1. Security Requirement 1: Block SNS Access during Business Hours

   This section shows a configuration example for blocking SNS access
   during business hours.

   [Configuration XML (element tags lost in extraction); values shown
   in the figure: sns_access, block_sns_access_during_operation_time,
   09:00:00Z, 18:00:00Z, 221.159.112.1, 221.159.112.90, url-filtering]

        Figure 6: Configuration XML for Time based Firewall to Block SNS
                  Access during Business Hours

   [Configuration XML (element tags lost in extraction); values shown
   in the figure: sns_access, block_facebook_and_instgram, facebook,
   instagram, drop]

        Figure 7: Configuration XML for Web Filter to Block SNS Access
                  during Business Hours

   Figure 6 and Figure 7 show the configuration XML documents for a time
   based firewall and a web filter to block SNS access during business
   hours.  For this security requirement, two NSFs (i.e., a time based
   firewall and a web filter) are used because one NSF cannot meet the
   security requirement.  The instances of the XML documents for the
   time based firewall and the web filter are explained as follows.
   Note that a detailed data model for the configuration of the
   advanced network security function (i.e., the web filter) is
   described in [i2nsf-advanced-nsf-dm].

   Time based Firewall

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_sns_access_during_operation_time.

   3.  The rule is operated during the business hours (i.e., from 9 a.m.
       to 6 p.m.).

   4.  The rule inspects the source IPv4 address (i.e., from
       221.159.112.1 to 221.159.112.90) to inspect the outgoing packets
       of employees.

   5.  If the outgoing packets match the rules above, the time based
       firewall sends the packets to url filtering for additional
       inspection because the time based firewall cannot inspect the
       contents of the packets for the SNS URL.

   Web Filter

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_facebook_and_instagram.

   3.  The rule inspects the URL to block packets accessing Facebook or
       Instagram.

   4.  If the outgoing packets match the rules above, the packets are
       blocked.

A.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming
     to the Company

   This section shows a configuration example for blocking malicious
   VoIP/VoLTE packets coming to the company.

   [Configuration XML (element tags lost in extraction); values shown
   in the figure: voip_volte_inspection,
   block_malicious_voip_volte_packets, 221.159.112.1, 221.159.112.90,
   5060, 5061, voip-volte]

        Figure 8: Configuration XML for General Firewall to Block
                  Malicious VoIP/VoLTE Packets Coming to the Company

   [Configuration XML (element tags lost in extraction); values shown
   in the figure: malicious_voice_id, block_malicious_voice_id,
   11111@voip.black.com, 22222@voip.black.com, drop]

        Figure 9: Configuration XML for VoIP/VoLTE Filter to Block
                  Malicious VoIP/VoLTE Packets Coming to the Company

   Figure 8 and Figure 9 show the configuration XML documents for a
   general firewall and a VoIP/VoLTE filter to block malicious VoIP/
   VoLTE packets coming to the company.  For this security requirement,
   two NSFs (i.e., a general firewall and a VoIP/VoLTE filter) are used
   because one NSF cannot meet the security requirement.
   The instances of the XML documents for the general firewall and the
   VoIP/VoLTE filter are explained as follows.  Note that a detailed
   data model for the configuration of the advanced network security
   function (i.e., the VoIP/VoLTE filter) is described in
   [i2nsf-advanced-nsf-dm].

   General Firewall

   1.  The name of the system policy is voip_volte_inspection.

   2.  The name of the rule is block_malicious_voip_volte_packets.

   3.  The rule inspects the destination IPv4 address (i.e., from
       221.159.112.1 to 221.159.112.90) to inspect the packets coming
       into the company.

   4.  The rule inspects the port number (i.e., 5060 and 5061) to
       inspect VoIP/VoLTE packets.

   5.  If the incoming packets match the rules above, the general
       firewall sends the packets to the VoIP/VoLTE filter for
       additional inspection because the general firewall cannot
       inspect the contents of the VoIP/VoLTE packets.

   VoIP/VoLTE Filter

   1.  The name of the system policy is malicious_voice_id.

   2.  The name of the rule is block_malicious_voice_id.

   3.  The rule inspects the voice id of the VoIP/VoLTE packets to block
       the malicious VoIP/VoLTE packets (i.e., 11111@voip.black.com and
       22222@voip.black.com).

   4.  If the incoming packets match the rules above, the packets are
       blocked.

A.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a
     Company Web Server

   This section shows a configuration example for mitigating HTTP and
   HTTPS flood attacks on a company web server.
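   The two-stage enforcement walked through in A.1 and A.2 (a firewall
   rule whose advanced-action hands matching packets to the url-filtering
   or voip-volte profile, where a second rule drops on content), as an
   added Python example that is not part of this draft or of any I2NSF
   implementation.  The Rule and Packet structures, the keyword-based
   content match and the "pass" default for unmatched packets are
   assumptions; only the rule names, addresses, ports, times and profile
   identities come from Figures 6 to 9.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import IPv4Address

@dataclass
class Packet:   # constructed packet summary; 'content' is the URL or voice id an advanced NSF sees
    src: str
    dst: str
    dst_port: int
    at: time    # arrival time, UTC
    content: str = ""
@dataclass
class Rule:     # one ECA rule: conditions (None/empty = any) plus one action clause (assumed shape)
    name: str
    src_range: tuple = None                 # (first, last) source IPv4
    dst_range: tuple = None                 # (first, last) destination IPv4
    dst_ports: frozenset = frozenset()
    time_window: tuple = None               # (start, end), inclusive
    content_match: frozenset = frozenset()  # keywords checked by the advanced NSF
    ingress_action: str = None              # packet-action/ingress-action, e.g. "drop"
    content_security_control: tuple = ()    # advanced-action profiles to hand off to

def _in_range(addr, rng):
    return rng is None or IPv4Address(rng[0]) <= IPv4Address(addr) <= IPv4Address(rng[1])
def matches(rule, pkt):
    """All configured conditions must hold for the rule to fire (ECA condition clause)."""
    return (_in_range(pkt.src, rule.src_range) and _in_range(pkt.dst, rule.dst_range)
            and (not rule.dst_ports or pkt.dst_port in rule.dst_ports)
            and (not rule.time_window or rule.time_window[0] <= pkt.at <= rule.time_window[1])
            and (not rule.content_match or any(k in pkt.content for k in rule.content_match)))

def evaluate(rules, pkt):
    """First match wins; returns (action, profiles). No match means 'pass' (an assumption)."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.content_security_control:   # advanced-action: hand off to a profile
                return ("advanced", rule.content_security_control)
            return (rule.ingress_action, ())    # packet-action
    return ("pass", ())
# Constructed rule sets carrying the values of Figures 6-9 (names, addresses, ports, times).
TIME_FW = [Rule("block_sns_access_during_operation_time", src_range=("221.159.112.1", "221.159.112.90"),
                time_window=(time(9), time(18)), content_security_control=("url-filtering",))]
WEB_FILTER = [Rule("block_facebook_and_instagram", ingress_action="drop",
                   content_match=frozenset({"facebook", "instagram"}))]
GENERAL_FW = [Rule("block_malicious_voip_volte_packets", dst_range=("221.159.112.1", "221.159.112.90"),
                   dst_ports=frozenset({5060, 5061}), content_security_control=("voip-volte",))]
VOIP_FILTER = [Rule("block_malicious_voice_id", ingress_action="drop",
                    content_match=frozenset({"11111@voip.black.com", "22222@voip.black.com"}))]
PROFILES = {"url-filtering": WEB_FILTER, "voip-volte": VOIP_FILTER}   # advanced NSF per profile
def enforce(first_stage, pkt):
    """Two-stage enforcement: the firewall decides, the advanced NSF inspects on hand-off."""
    action, profiles = evaluate(first_stage, pkt)
    if action != "advanced":
        return action
    return "drop" if any(evaluate(PROFILES[p], pkt)[0] == "drop" for p in profiles) else "pass"
```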
   [Configuration XML (element tags lost in extraction); values shown
   in the figure: flood_attack_mitigation,
   mitigate_http_and_https_flood_attack, 221.159.112.95, 80, 443,
   http-and-https-flood]

        Figure 10: Configuration XML for General Firewall to Mitigate
                   HTTP and HTTPS Flood Attacks on a Company Web Server

   [Configuration XML (element tags lost in extraction); values shown
   in the figure: http_and_https_flood_attack_mitigation,
   100_per_second, 100, drop]

        Figure 11: Configuration XML for HTTP and HTTPS Flood Attack
                   Mitigation to Mitigate HTTP and HTTPS Flood Attacks
                   on a Company Web Server

   Figure 10 and Figure 11 show the configuration XML documents for a
   general firewall and an HTTP and HTTPS flood attack mitigation NSF to
   mitigate HTTP and HTTPS flood attacks on a company web server.  For
   this security requirement, two NSFs (i.e., a general firewall and an
   HTTP and HTTPS flood attack mitigation NSF) are used because one NSF
   cannot meet the security requirement.  The instances of the XML
   documents for the general firewall and the HTTP and HTTPS flood
   attack mitigation NSF are explained as follows.  Note that a detailed
   data model for the configuration of the advanced network security
   function (i.e., HTTP and HTTPS flood attack mitigation) is described
   in [i2nsf-advanced-nsf-dm].

   General Firewall

   1.  The name of the system policy is flood_attack_mitigation.

   2.  The name of the rule is mitigate_http_and_https_flood_attack.

   3.  The rule inspects the destination IPv4 address (i.e.,
       221.159.112.95) to inspect the access packets coming into the
       company web server.

   4.  The rule inspects the port number (i.e., 80 and 443) to inspect
       HTTP and HTTPS packets.

   5.  If the packets match the rules above, the general firewall sends
       the packets to the HTTP and HTTPS flood attack mitigation NSF for
       additional inspection because the general firewall cannot
       control the amount of HTTP and HTTPS packets.

   HTTP and HTTPS Flood Attack Mitigation

   1.  The name of the system policy is
       http_and_https_flood_attack_mitigation.

   2.  The name of the rule is 100_per_second.

   3.  The rule controls the HTTP and HTTPS packets according to the
       amount of incoming packets.

   4.  If the incoming packets match the rules above, the packets are
       blocked.

Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-02

   The following changes are made from draft-ietf-i2nsf-nsf-facing-
   interface-dm-03:

   o  We revised this YANG data module according to the guidelines for
      authors and reviewers of YANG data model documents [RFC6087].

   o  We changed the structure of the overall YANG data model.

   o  We added an exact-range type as well as a range-based type for the
      range policy rules.

   o  We changed enumeration types to identity types for scalable
      components.

   o  We added a description for the YANG tree diagram of the YANG data
      module.

   o  We revised the overall sentences of this YANG data model document.

   o  We added configuration examples to make it easier for reviewers to
      understand.

Appendix C. Acknowledgments

   This work was supported by the Institute for Information &
   communications Technology Promotion (IITP) grant funded by the Korea
   government (MSIP) (No.R-20160222-002755, Cloud based Security
   Intelligence Technology Development for the Customized Security
   Service Provisioning).

Appendix D. Contributors

   This document is made by the group effort of the I2NSF working group.
   Many people actively contributed to this document.
   The following are considered co-authors:

   o  Hyoungshick Kim (Sungkyunkwan University)

   o  Daeyoung Hyun (Sungkyunkwan University)

   o  Dongjin Hong (Sungkyunkwan University)

   o  Liang Xia (Huawei)

   o  Tae-Jin Ahn (Korea Telecom)

   o  Se-Hui Lee (Korea Telecom)

Authors' Addresses

   Jinyong Tim Kim
   Department of Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Jaehoon Paul Jeong
   Department of Software
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax: +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI: http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon 34129
   Republic of Korea

   Phone: +82 42 860 6514
   EMail: pjs@etri.re.kr

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   EMail: linqiushi@huawei.com