I2NSF Working Group                                              J. Kim
Internet-Draft                                                 J. Jeong
Intended status: Standards Track                Sungkyunkwan University
Expires: September 25, 2019                                     J. Park
                                                                   ETRI
                                                               S. Hares
                                                                 Q. Lin
                                                                 Huawei
                                                         March 24, 2019

    I2NSF Network Security Function-Facing Interface YANG Data Model
              draft-ietf-i2nsf-nsf-facing-interface-dm-04

Abstract

   This document defines a YANG data model for configuring security
   policy rules on network security functions.  The YANG data model in
   this document corresponds to the information model for the Network
   Security Functions (NSF)-Facing Interface in Interface to Network
   Security Functions (I2NSF).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 25, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  YANG Tree Diagram
     4.1.  General I2NSF Security Policy Rule
     4.2.  Event Clause
     4.3.  Condition Clause
     4.4.  Action Clause
   5.  YANG Data Module
     5.1.  I2NSF NSF-Facing Interface YANG Data Module
   6.  IANA Considerations
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Configuration Examples
     A.1.  Security Requirement 1: Block SNS Access during Business
           Hours
     A.2.  Security Requirement 2: Block Malicious VoIP/VoLTE Packets
           Coming to the Company
     A.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood
           Attacks on a Company Web Server
   Appendix B.  Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-03
   Appendix C.  Acknowledgments
   Appendix D.  Contributors
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020][RFC7950] data model for
   security policy rule configuration of network security devices.  The
   YANG data model corresponds to the information model
   [i2nsf-nsf-cap-im] for the Network Security Functions (NSF)-Facing
   Interface in Interface to Network Security Functions (I2NSF).  The
   YANG data model in this document focuses on security policy
   configuration for generic network security functions.  Note that
   security policy configuration for advanced network security functions
   is described in [i2nsf-advanced-nsf-dm].

   This YANG data model uses the "Event-Condition-Action" (ECA) policy
   model that is used as the basis for the design of the I2NSF Policy
   Rules described in [RFC8329] and [i2nsf-nsf-cap-im].

   The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this
   document provides the following features:

   o  Configuration of a general security policy rule of a generic
      network security function.

   o  Configuration of an event clause of a generic network security
      function.

   o  Configuration of a condition clause of a generic network security
      function.

   o  Configuration of an action clause of a generic network security
      function.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119][RFC8174].

3.  Terminology

   This document uses the terminology described in
   [i2nsf-nsf-cap-im][RFC8431][supa-policy-info-model].
   In particular, the following terms are from [supa-policy-info-model]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams
   [RFC8340] is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  YANG Tree Diagram

   This section shows a YANG tree diagram of generic network security
   functions.  Note that a detailed data model for the configuration of
   the advanced network security functions is described in
   [i2nsf-advanced-nsf-dm].  This section describes the following
   subjects:

   o  General I2NSF security policy rule of a generic network security
      function.

   o  An event clause of a generic network security function.

   o  A condition clause of a generic network security function.

   o  An action clause of a generic network security function.

4.1.  General I2NSF Security Policy Rule

   This section shows the YANG tree diagram for a general I2NSF security
   policy rule.
   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        +--rw system-policy* [system-policy-name]
           +--rw system-policy-name      string
           +--rw priority-usage?         identityref
           +--rw resolution-strategy?    identityref
           +--rw default-action?         identityref
           +--rw rules* [rule-name]
           |  +--rw rule-name                   string
           |  +--rw rule-description?           string
           |  +--rw rule-priority?              uint8
           |  +--rw rule-enable?                boolean
           |  +--rw rule-session-aging-time?    uint16
           |  +--rw rule-long-connection
           |  |  +--rw enable?    boolean
           |  |  +--rw during?    uint16
           |  +--rw time-zone
           |  |  +--rw absolute-time-zone
           |  |  |  +--rw start-time?    start-time-type
           |  |  |  +--rw end-time?      end-time-type
           |  |  +--rw periodic-time-zone
           |  |     +--rw day
           |  |     |  +--rw every-day?       boolean
           |  |     |  +--rw specific-day*    day-type
           |  |     +--rw month
           |  |        +--rw every-month?      boolean
           |  |        +--rw specific-month*   month-type
           |  +--rw event-clause-container
           |  |  ...
           |  +--rw condition-clause-container
           |  |  ...
           |  +--rw action-clause-container
           |     ...
           +--rw rule-group
              +--rw groups* [group-name]
                 +--rw group-name    string
                 +--rw rule-range
                 |  +--rw start-rule?    string
                 |  +--rw end-rule?      string
                 +--rw enable?       boolean

          Figure 1: YANG Tree Diagram for Network Security Policy

   This YANG tree diagram shows the general I2NSF security policy rule
   for generic network security functions.

   There can be multiple system policies in one NSF, and each system
   policy is used by one virtual instance of the NSF/device.  A system
   policy includes a system policy name, priority usage, resolution
   strategy, default action, and rules.

   A resolution strategy is used to decide how to resolve conflicts that
   occur between the actions of the same or different policy rules that
   are matched and contained in this particular NSF.
   The resolution strategy is defined as First Matching Rule (FMR), Last
   Matching Rule (LMR), Prioritized Matching Rule with Errors (PMRE),
   and Prioritized Matching Rule with No Errors (PMRN).  The resolution
   strategy can be extended according to specific vendor action
   features.  The resolution strategy is described in detail in
   [i2nsf-nsf-cap-im].

   A default action is the action the NSF applies to a packet when no
   rule of the I2NSF policy matches it.  The default action is defined
   as pass, drop, reject, alert, and mirror.  The default action can be
   extended according to specific vendor action features.  The default
   action is described in detail in [i2nsf-nsf-cap-im].

   A rule includes a rule name, rule description, rule priority, rule
   enable flag, session aging time, long-connection settings, time zone,
   event clause container, condition clause container, and action clause
   container.

4.2.  Event Clause

   This section shows the YANG tree diagram for an event clause of an
   I2NSF security policy rule.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        +--rw system-policy* [system-policy-name]
           ...
           +--rw rules* [rule-name]
           |  ...
           |  +--rw event-clause-container
           |  |  +--rw event-clause-description?   string
           |  |  +--rw event-clauses
           |  |     +--rw system-event*   identityref
           |  |     +--rw system-alarm*   identityref
           |  +--rw condition-clause-container
           |  |  ...
           |  +--rw action-clause-container
           |     ...
           +--rw rule-group
              ...

          Figure 2: YANG Tree Diagram for Network Security Policy

   This YANG tree diagram shows an event clause of the I2NSF security
   policy rule for generic network security functions.  An event clause
   is any important occurrence in time of a change in the system being
   managed, and/or in the environment of the system being managed.  An
   event clause is used to trigger the evaluation of the condition
   clause of the I2NSF Policy Rule.  The event clause is defined as
   system event and system alarm.
The event clause can be extended according to 284 specific vendor event features. The event clause is described in 285 detail in [i2nsf-nsf-cap-im]. 287 4.3. Condtion Clause 289 This section shows YANG tree diagram for a condition clause of I2NSF 290 security policy rule. 292 module: ietf-i2nsf-policy-rule-for-nsf 293 +--rw i2nsf-security-policy 294 ... 295 +--rw rules* [rule-name] 296 ... 297 +--rw event-clause-container 298 | ... 299 +--rw condition-clause-container 300 | +--rw condition-clause-description? string 301 | +--rw packet-security-ipv4-condition 302 | | +--rw pkt-sec-ipv4-header-length 303 | | | +--rw (match-type)? 304 | | | +--:(exact-match) 305 | | | | +--rw ipv4-header-length* uint8 306 | | | +--:(range-match) 307 | | | +--rw range-ipv4-header-length* 308 [start-ipv4-header-length end-ipv4-header-length] 309 | | | +--rw start-ipv4-header-length uint8 310 | | | +--rw end-ipv4-header-length uint8 311 | | +--rw pkt-sec-ipv4-tos* identityref 312 | | +--rw pkt-sec-ipv4-total-length 313 | | | +--rw (match-type)? 314 | | | +--:(exact-match) 315 | | | | +--rw ipv4-total-length* uint16 316 | | | +--:(range-match) 317 | | | +--rw range-ipv4-total-length* 318 [start-ipv4-total-length end-ipv4-total-length] 319 | | | +--rw start-ipv4-total-length uint16 320 | | | +--rw end-ipv4-total-length uint16 321 | | +--rw pkt-sec-ipv4-id* uint16 322 | | +--rw pkt-sec-ipv4-fragment-flags* identityref 323 | | +--rw pkt-sec-ipv4-fragment-offset 324 | | | +--rw (match-type)? 325 | | | +--:(exact-match) 326 | | | | +--rw ipv4-fragment-offset* uint16 327 | | | +--:(range-match) 328 | | | +--rw range-ipv4-fragment-offset* 329 [start-ipv4-fragment-offset end-ipv4-fragment-offset] 330 | | | +--rw start-ipv4-fragment-offset uint16 331 | | | +--rw end-ipv4-fragment-offset uint16 332 | | +--rw pkt-sec-ipv4-ttl 333 | | | +--rw (match-type)? 
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv4-ttl*   uint8
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv4-ttl* [start-ipv4-ttl end-ipv4-ttl]
           |  |  |           +--rw start-ipv4-ttl    uint8
           |  |  |           +--rw end-ipv4-ttl      uint8
           |  |  +--rw pkt-sec-ipv4-protocol*           identityref
           |  |  +--rw pkt-sec-ipv4-src
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv4-address* [ipv4]
           |  |  |     |     +--rw ipv4              inet:ipv4-address
           |  |  |     |     +--rw (subnet)?
           |  |  |     |        +--:(prefix-length)
           |  |  |     |        |  +--rw prefix-length?   uint8
           |  |  |     |        +--:(netmask)
           |  |  |     |           +--rw netmask?         yang:dotted-quad
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv4-address*
           |  |  |                [start-ipv4-address end-ipv4-address]
           |  |  |           +--rw start-ipv4-address    inet:ipv4-address
           |  |  |           +--rw end-ipv4-address      inet:ipv4-address
           |  |  +--rw pkt-sec-ipv4-dest
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv4
           |  |  |     |     +--rw ipv4-address* [ipv4]
           |  |  |     |        +--rw ipv4              inet:ipv4-address
           |  |  |     |        +--rw (subnet)?
           |  |  |     |           +--:(prefix-length)
           |  |  |     |           |  +--rw prefix-length?   uint8
           |  |  |     |           +--:(netmask)
           |  |  |     |              +--rw netmask?         yang:dotted-quad
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv4-address*
           |  |  |                [start-ipv4-address end-ipv4-address]
           |  |  |           +--rw start-ipv4-address    inet:ipv4-address
           |  |  |           +--rw end-ipv4-address      inet:ipv4-address
           |  |  +--rw pkt-sec-ipv4-ipopts*             identityref
           |  |  +--rw pkt-sec-ipv4-sameip?             boolean
           |  |  +--rw pkt-sec-ipv4-geoip*              string
           |  +--rw packet-security-ipv6-condition
           |  |  +--rw pkt-sec-ipv6-traffic-class*      identityref
           |  |  +--rw pkt-sec-ipv6-flow-label
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv6-flow-label*   uint32
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv6-flow-label*
           |  |  |                [start-ipv6-flow-label end-ipv6-flow-label]
           |  |  |           +--rw start-ipv6-flow-label    uint32
           |  |  |           +--rw end-ipv6-flow-label      uint32
           |  |  +--rw pkt-sec-ipv6-payload-length
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv6-payload-length*   uint16
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv6-payload-length*
           |  |  |                [start-ipv6-payload-length end-ipv6-payload-length]
           |  |  |           +--rw start-ipv6-payload-length    uint16
           |  |  |           +--rw end-ipv6-payload-length      uint16
           |  |  +--rw pkt-sec-ipv6-next-header*        identityref
           |  |  +--rw pkt-sec-ipv6-hop-limit
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv6-hop-limit*   uint8
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv6-hop-limit*
           |  |  |                [start-ipv6-hop-limit end-ipv6-hop-limit]
           |  |  |           +--rw start-ipv6-hop-limit    uint8
           |  |  |           +--rw end-ipv6-hop-limit      uint8
           |  |  +--rw pkt-sec-ipv6-src
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw ipv6
           |  |  |     |     +--rw ipv6-address* [ipv6]
           |  |  |     |        +--rw ipv6             inet:ipv6-address
           |  |  |     |        +--rw prefix-length?   uint8
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-ipv6-address*
           |  |  |                [start-ipv6-address end-ipv6-address]
           |  |  |           +--rw start-ipv6-address    inet:ipv6-address
           |  |  |           +--rw end-ipv6-address      inet:ipv6-address
           |  |  +--rw pkt-sec-ipv6-dest
           |  |     +--rw (match-type)?
           |  |        +--:(exact-match)
           |  |        |  +--rw ipv6-address* [ipv6]
           |  |        |     +--rw ipv6             inet:ipv6-address
           |  |        |     +--rw prefix-length?   uint8
           |  |        +--:(range-match)
           |  |           +--rw range-ipv6-address*
           |  |                   [start-ipv6-address end-ipv6-address]
           |  |              +--rw start-ipv6-address    inet:ipv6-address
           |  |              +--rw end-ipv6-address      inet:ipv6-address
           |  +--rw packet-security-tcp-condition
           |  |  +--rw pkt-sec-tcp-src-port-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw port-num*   inet:port-number
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-port-num* [start-port-num end-port-num]
           |  |  |           +--rw start-port-num    inet:port-number
           |  |  |           +--rw end-port-num      inet:port-number
           |  |  +--rw pkt-sec-tcp-dest-port-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw port-num*   inet:port-number
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-port-num* [start-port-num end-port-num]
           |  |  |           +--rw start-port-num    inet:port-number
           |  |  |           +--rw end-port-num      inet:port-number
           |  |  +--rw pkt-sec-tcp-seq-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw tcp-seq-num*   uint32
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-tcp-seq-num*
           |  |  |                [start-tcp-seq-num end-tcp-seq-num]
           |  |  |           +--rw start-tcp-seq-num    uint32
           |  |  |           +--rw end-tcp-seq-num      uint32
           |  |  +--rw pkt-sec-tcp-ack-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw tcp-ack-num*   uint32
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-tcp-ack-num*
           |  |  |                [start-tcp-ack-num end-tcp-ack-num]
           |  |  |           +--rw start-tcp-ack-num    uint32
           |  |  |           +--rw end-tcp-ack-num      uint32
           |  |  +--rw pkt-sec-tcp-window-size
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw tcp-window-size*   uint16
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-tcp-window-size*
           |  |  |                [start-tcp-window-size end-tcp-window-size]
           |  |  |           +--rw start-tcp-window-size    uint16
           |  |  |           +--rw end-tcp-window-size      uint16
           |  |  +--rw pkt-sec-tcp-flags*               identityref
           |  +--rw packet-security-udp-condition
           |  |  +--rw pkt-sec-udp-src-port-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw port-num*   inet:port-number
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-port-num* [start-port-num end-port-num]
           |  |  |           +--rw start-port-num    inet:port-number
           |  |  |           +--rw end-port-num      inet:port-number
           |  |  +--rw pkt-sec-udp-dest-port-num
           |  |  |  +--rw (match-type)?
           |  |  |     +--:(exact-match)
           |  |  |     |  +--rw port-num*   inet:port-number
           |  |  |     +--:(range-match)
           |  |  |        +--rw range-port-num* [start-port-num end-port-num]
           |  |  |           +--rw start-port-num    inet:port-number
           |  |  |           +--rw end-port-num      inet:port-number
           |  |  +--rw pkt-sec-udp-total-length
           |  |     +--rw (match-type)?
           |  |        +--:(exact-match)
           |  |        |  +--rw udp-total-length*   uint32
           |  |        +--:(range-match)
           |  |           +--rw range-udp-total-length*
           |  |                   [start-udp-total-length end-udp-total-length]
           |  |              +--rw start-udp-total-length    uint32
           |  |              +--rw end-udp-total-length      uint32
           |  +--rw packet-security-icmp-condition
           |  |  +--rw pkt-sec-icmp-type*               identityref
           |  +--rw packet-security-http-condition
           |  |  +--rw pkt-sec-uri-content*             string
           |  |  +--rw pkt-sec-url-content*             string
           |  +--rw packet-security-voice-condition
           |  |  +--rw pkt-sec-src-voice-id*            string
           |  |  +--rw pkt-sec-dest-voice-id*           string
           |  |  +--rw pkt-sec-user-agent*              string
           |  +--rw packet-security-ddos-condition
           |  |  +--rw pkt-sec-alert-rate?              uint32
           |  +--rw packet-payload-condition
           |  |  +--rw packet-payload-description?      string
           |  |  +--rw pkt-payload-content*             string
           |  +--rw acl-number*                         uint32
           |  +--rw application-condition
           |  |  +--rw application-description?         string
           |  |  +--rw application-object*              string
           |  |  +--rw application-group*               string
           |  |  +--rw application-label*               string
           |  |  +--rw category
           |  |     +--rw application-category*
           |  |             [name application-subcategory]
           |  |        +--rw name                       string
           |  |        +--rw application-subcategory    string
           |  +--rw target-condition
           |  |  +--rw target-description?              string
           |  |  +--rw device-sec-context-cond
           |  |     +--rw target-device*   identityref
           |  +--rw users-condition
           |  |  +--rw users-description?               string
           |  |  +--rw user
           |  |  |  +--rw (user-name)?
           |  |  |     +--:(tenant)
           |  |  |     |  +--rw tenant   uint8
           |  |  |     +--:(vn-id)
           |  |  |        +--rw vn-id    uint8
           |  |  +--rw group
           |  |  |  +--rw (group-name)?
           |  |  |     +--:(tenant)
           |  |  |     |  +--rw tenant   uint8
           |  |  |     +--:(vn-id)
           |  |  |        +--rw vn-id    uint8
           |  |  +--rw security-grup                    string
           |  +--rw url-category-condition
           |  |  +--rw url-category-description?        string
           |  |  +--rw pre-defined-category*            string
           |  |  +--rw user-defined-category*           string
           |  +--rw context-condition
           |  |  +--rw context-description?             string
           |  +--rw gen-context-condition
           |     +--rw gen-context-description?         string
           |     +--rw geographic-location
           |        +--rw src-geographic-location*      uint32
           |        +--rw dest-geographic-location*     uint32
           +--rw action-clause-container
              ...

          Figure 3: YANG Tree Diagram for Network Security Policy

   This YANG tree diagram shows a condition clause of the I2NSF security
   policy rule for generic network security functions.  A condition
   clause is defined as a set of attributes, features, and/or values
   that are to be compared with a set of known attributes, features,
   and/or values in order to determine whether or not the set of actions
   in that (imperative) I2NSF policy rule can be executed.
The 570 condition clause is classified as conditions of generic network 571 security functions and advanced network security functions. The 572 condition clause of generic network security functions is defined as 573 packet security IPv4 condition, packet security IPv6 condition, 574 packet security tcp condition, and packet security icmp condition. 575 The condition clause of advanced network security functions is 576 defined as packet security http condition, packet security voice 577 condition, and packet security ddos condition. Note that this 578 document deals only with simple conditions of advanced network 579 security functions. The condition clauses of advanced network 580 security functions are described in detail in 581 [i2nsf-advanced-nsf-dm]. The condition clause can be extended 582 according to specific vendor condition features. The condition 583 clause is described in detail in [i2nsf-nsf-cap-im]. 585 4.4. Action Clause 587 This section shows YANG tree diagram for an action clause of I2NSF 588 security policy rule. 590 module: ietf-i2nsf-policy-rule-for-nsf 591 +--rw i2nsf-security-policy 592 ... 593 +--rw rules* [rule-name] 594 ... 595 +--rw event-clause-container 596 | ... 597 +--rw condition-clause-container 598 | ... 599 +--rw action-clause-container 600 +--rw action-clause-description? string 601 +--rw packet-action 602 | +--rw ingress-action? identityref 603 | +--rw egress-action? identityref 604 | +--rw log-action? identityref 605 +--rw advanced-action 606 +--rw content-security-control* identityref 607 +--rw attack-mitigation-control* identityref 609 Figure 4: YANG Tree Diagram for Network Security Policy 611 This YANG tree diagram shows an action clause of I2NSF security 612 policy rule for generic network security functions. An action is 613 used to control and monitor aspects of flow-based NSFs when the event 614 and condition clauses are satisfied. NSFs provide security services 615 by executing various actions. 
The action clause is defined as 616 ingress action, egress action, log action, and advanced action for 617 additional inspection. The advanced action is described in detail in 618 [RFC8329] and [i2nsf-nsf-cap-im]. The action clause can be extended 619 according to specific vendor action features. The action clause is 620 described in detail in [i2nsf-nsf-cap-im]. 622 5. YANG Data Module 624 5.1. I2NSF NSF-Facing Interface YANG Data Module 626 This section introduces an YANG data module for configuration of 627 security policy rules on network security functions. 629 file "ietf-i2nsf-policy-rule-for-nsf@2019-03-24.yang" 631 module ietf-i2nsf-policy-rule-for-nsf { 632 yang-version 1.1; 633 namespace 634 "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; 635 prefix 636 iiprfn; 638 import ietf-inet-types{ 639 prefix inet; 640 reference "RFC 6991"; 641 } 642 import ietf-yang-types{ 643 prefix yang; 644 reference "RFC 6991"; 645 } 647 organization 648 "IETF I2NSF (Interface to Network Security Functions) 649 Working Group"; 651 contact 652 "WG Web: 653 WG List: 655 WG Chair: Adrian Farrel 656 658 WG Chair: Linda Dunbar 659 661 Editor: Jingyong Tim Kim 662 664 Editor: Jaehoon Paul Jeong 665 667 Editor: Susan Hares 668 "; 670 description 671 "This module defines a YANG data module for network security 672 functions. 674 Copyright (c) 2018 IETF Trust and the persons 675 identified as authors of the code. All rights reserved. 677 Redistribution and use in source and binary forms, with or 678 without modification, is permitted pursuant to, and subject 679 to the license terms contained in, the Simplified BSD License 680 set forth in Section 4.c of the IETF Trust's Legal Provisions 681 Relating to IETF Documents 682 (http://trustee.ietf.org/license-info). 
        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision "2019-03-24" {
       description "Initial revision.";
       reference
         "RFC XXXX: I2NSF Network Security Function-Facing Interface
          YANG Data Model";
     }

     /*
      * Identities
      */

     identity priority-usage-type {
       description
         "Base identity for priority usage type.";
     }

     identity priority-by-order {
       base priority-usage-type;
       description
         "Identity for priority by order";
     }

     identity priority-by-number {
       base priority-usage-type;
       description
         "Identity for priority by number";
     }

     identity event {
       description
         "Base identity for event of policy.";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - Event";
     }

     identity system-event {
       base event;
       description
         "Identity for system event";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System event";
     }

     identity system-alarm {
       base event;
       description
         "Identity for system alarm";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity access-violation {
       base system-event;
       description
         "Identity for access violation
          among system events";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System event";
     }

     identity configuration-change {
       base system-event;
       description
         "Identity for configuration change
          among system events";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System event";
     }

     identity memory-alarm {
       base system-alarm;
       description
         "Identity for memory alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity cpu-alarm {
       base system-alarm;
       description
         "Identity for cpu alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity disk-alarm {
       base system-alarm;
       description
         "Identity for disk alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity hardware-alarm {
       base system-alarm;
       description
         "Identity for hardware alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity interface-alarm {
       base system-alarm;
       description
         "Identity for interface alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity type-of-service {
       description
         "Base identity for type of service of IPv4";
       reference
         "RFC 791: Internet Protocol - Type of Service";
     }

     identity traffic-class {
       description
         "Base identity for traffic-class of IPv6";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity normal {
       base type-of-service;
       base traffic-class;
       description
         "Identity for normal";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity minimize-cost {
       base type-of-service;
       base traffic-class;
       description
         "Identity for minimize cost";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity maximize-reliability {
       base type-of-service;
       base traffic-class;
       description
         "Identity for maximize reliability";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity maximize-throughput {
       base type-of-service;
       base traffic-class;
       description
         "Identity for maximize throughput";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity minimize-delay {
       base type-of-service;
       base traffic-class;
       description
         "Identity for minimize delay";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity maximize-security {
       base type-of-service;
       base traffic-class;
       description
         "Identity for maximize security";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity fragmentation-flags-type {
       description
         "Base identity for fragmentation flags type";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity fragment {
       base fragmentation-flags-type;
       description
         "Identity for fragment";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity no-fragment {
       base fragmentation-flags-type;
       description
         "Identity for no fragment";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity reserved {
       base fragmentation-flags-type;
       description
         "Identity for reserved";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity protocol {
       description
         "Base identity for protocol of IPv4";
       reference
         "RFC 790: Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Protocol";
     }

     identity next-header {
       description
         "Base identity for next header of IPv6";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity icmp {
       base
protocol; 944 base next-header; 945 description 946 "Identity for icmp"; 947 reference 948 "RFC 790: - Assigned numbers - Assigned Internet 949 Protocol Number 950 RFC 791: Internet Protocol - Type of Service 951 RFC 2460: Internet Protocol, Version 6 (IPv6) 952 Specification - Next Header"; 953 } 955 identity igmp { 956 base protocol; 957 base next-header; 958 description 959 "Identity for igmp"; 960 reference 961 "RFC 790: - Assigned numbers - Assigned Internet 962 Protocol Number 963 RFC 791: Internet Protocol - Type of Service 964 RFC 2460: Internet Protocol, Version 6 (IPv6) 965 Specification - Next Header"; 966 } 968 identity tcp { 969 base protocol; 970 base next-header; 971 description 972 "Identity for tcp"; 973 reference 974 "RFC 790: - Assigned numbers - Assigned Internet 975 Protocol Number 976 RFC 791: Internet Protocol - Type of Service 977 RFC 2460: Internet Protocol, Version 6 (IPv6) 978 Specification - Next Header"; 979 } 981 identity igrp { 982 base protocol; 983 base next-header; 984 description 985 "Identity for igrp"; 986 reference 987 "RFC 790: - Assigned numbers - Assigned Internet 988 Protocol Number 989 RFC 791: Internet Protocol - Type of Service 990 RFC 2460: Internet Protocol, Version 6 (IPv6) 991 Specification - Next Header"; 992 } 994 identity udp { 995 base protocol; 996 base next-header; 997 description 998 "Identity for udp"; 999 reference 1000 "RFC 790: - Assigned numbers - Assigned Internet 1001 Protocol Number 1002 RFC 791: Internet Protocol - Type of Service 1003 RFC 2460: Internet Protocol, Version 6 (IPv6) 1004 Specification - Next Header"; 1005 } 1007 identity gre { 1008 base protocol; 1009 base next-header; 1010 description 1011 "Identity for gre"; 1012 reference 1013 "RFC 790: - Assigned numbers - Assigned Internet 1014 Protocol Number 1015 RFC 791: Internet Protocol - Type of Service 1016 RFC 2460: Internet Protocol, Version 6 (IPv6) 1017 Specification - Next Header"; 1018 } 1020 identity esp { 1021 base protocol; 1022 
base next-header; 1023 description 1024 "Identity for esp"; 1026 reference 1027 "RFC 790: - Assigned numbers - Assigned Internet 1028 Protocol Number 1029 RFC 791: Internet Protocol - Type of Service 1030 RFC 2460: Internet Protocol, Version 6 (IPv6) 1031 Specification - Next Header"; 1032 } 1034 identity ah { 1035 base protocol; 1036 base next-header; 1037 description 1038 "Identity for ah"; 1039 reference 1040 "RFC 790: - Assigned numbers - Assigned Internet 1041 Protocol Number 1042 RFC 791: Internet Protocol - Type of Service 1043 RFC 2460: Internet Protocol, Version 6 (IPv6) 1044 Specification - Next Header"; 1045 } 1047 identity mobile { 1048 base protocol; 1049 base next-header; 1050 description 1051 "Identity for mobile"; 1052 reference 1053 "RFC 790: - Assigned numbers - Assigned Internet 1054 Protocol Number 1055 RFC 791: Internet Protocol - Type of Service 1056 RFC 2460: Internet Protocol, Version 6 (IPv6) 1057 Specification - Next Header"; 1058 } 1060 identity tlsp { 1061 base protocol; 1062 base next-header; 1063 description 1064 "Identity for tlsp"; 1065 reference 1066 "RFC 790: - Assigned numbers - Assigned Internet 1067 Protocol Number 1068 RFC 791: Internet Protocol - Type of Service 1069 RFC 2460: Internet Protocol, Version 6 (IPv6) 1070 Specification - Next Header"; 1071 } 1073 identity skip { 1074 base protocol; 1075 base next-header; 1076 description 1077 "Identity for skip"; 1078 reference 1079 "RFC 790: - Assigned numbers - Assigned Internet 1080 Protocol Number 1081 RFC 791: Internet Protocol - Type of Service 1082 RFC 2460: Internet Protocol, Version 6 (IPv6) 1083 Specification - Next Header"; 1084 } 1086 identity ipv6-icmp { 1087 base protocol; 1088 base next-header; 1089 description 1090 "Identity for IPv6 icmp "; 1091 reference 1092 "RFC 790: - Assigned numbers - Assigned Internet 1093 Protocol Number 1094 RFC 791: Internet Protocol - Type of Service 1095 RFC 2460: Internet Protocol, Version 6 (IPv6) 1096 Specification - Next Header"; 
1097 } 1099 identity eigrp { 1100 base protocol; 1101 base next-header; 1102 description 1103 "Identity for eigrp"; 1104 reference 1105 "RFC 790: - Assigned numbers - Assigned Internet 1106 Protocol Number 1107 RFC 791: Internet Protocol - Type of Service 1108 RFC 2460: Internet Protocol, Version 6 (IPv6) 1109 Specification - Next Header"; 1110 } 1112 identity ospf { 1113 base protocol; 1114 base next-header; 1115 description 1116 "Identity for ospf"; 1117 reference 1118 "RFC 790: - Assigned numbers - Assigned Internet 1119 Protocol Number 1120 RFC 791: Internet Protocol - Type of Service 1121 RFC 2460: Internet Protocol, Version 6 (IPv6) 1122 Specification - Next Header"; 1123 } 1125 identity l2tp { 1126 base protocol; 1127 base next-header; 1128 description 1129 "Identity for l2tp"; 1130 reference 1131 "RFC 790: - Assigned numbers - Assigned Internet 1132 Protocol Number 1133 RFC 791: Internet Protocol - Type of Service 1134 RFC 2460: Internet Protocol, Version 6 (IPv6) 1135 Specification - Next Header"; 1136 } 1138 identity ipopts { 1139 description 1140 "Base identity for IP options"; 1141 reference 1142 "RFC 791: Internet Protocol - Options"; 1143 } 1145 identity rr { 1146 base ipopts; 1147 description 1148 "Identity for record route"; 1149 reference 1150 "RFC 791: Internet Protocol - Options"; 1151 } 1153 identity eol { 1154 base ipopts; 1155 description 1156 "Identity for end of list"; 1157 reference 1158 "RFC 791: Internet Protocol - Options"; 1159 } 1161 identity nop { 1162 base ipopts; 1163 description 1164 "Identity for no operation"; 1165 reference 1166 "RFC 791: Internet Protocol - Options"; 1167 } 1168 identity ts { 1169 base ipopts; 1170 description 1171 "Identity for time stamp"; 1172 reference 1173 "RFC 791: Internet Protocol - Options"; 1174 } 1176 identity sec { 1177 base ipopts; 1178 description 1179 "Identity for IP security"; 1180 reference 1181 "RFC 791: Internet Protocol - Options"; 1182 } 1184 identity esec { 1185 base ipopts; 1186 
description 1187 "Identity for IP extended security"; 1188 reference 1189 "RFC 791: Internet Protocol - Options"; 1190 } 1192 identity lsrr { 1193 base ipopts; 1194 description 1195 "Identity for loose source routing"; 1196 reference 1197 "RFC 791: Internet Protocol - Options"; 1198 } 1200 identity ssrr { 1201 base ipopts; 1202 description 1203 "Identity for strict source routing"; 1204 reference 1205 "RFC 791: Internet Protocol - Options"; 1206 } 1208 identity satid { 1209 base ipopts; 1210 description 1211 "Identity for stream identifier"; 1212 reference 1213 "RFC 791: Internet Protocol - Options"; 1214 } 1215 identity any { 1216 base ipopts; 1217 description 1218 "Identity for which any IP options are set"; 1219 reference 1220 "RFC 791: Internet Protocol - Options"; 1221 } 1223 identity tcp-flags { 1224 description 1225 "Base identity for tcp flags"; 1226 reference 1227 "RFC 793: Transmission Control Protocol - Flags"; 1228 } 1230 identity cwr { 1231 base tcp-flags; 1232 description 1233 "Identity for congestion window reduced"; 1234 reference 1235 "RFC 793: Transmission Control Protocol - Flags"; 1236 } 1238 identity ecn { 1239 base tcp-flags; 1240 description 1241 "Identity for explicit congestion notification"; 1242 reference 1243 "RFC 793: Transmission Control Protocol - Flags"; 1244 } 1246 identity urg { 1247 base tcp-flags; 1248 description 1249 "Identity for urgent"; 1250 reference 1251 "RFC 793: Transmission Control Protocol - Flags"; 1252 } 1254 identity ack { 1255 base tcp-flags; 1256 description 1257 "Identity for acknowledgement"; 1258 reference 1259 "RFC 793: Transmission Control Protocol - Flags"; 1260 } 1262 identity psh { 1263 base tcp-flags; 1264 description 1265 "Identity for push"; 1266 reference 1267 "RFC 793: Transmission Control Protocol - Flags"; 1268 } 1270 identity rst { 1271 base tcp-flags; 1272 description 1273 "Identity for reset"; 1274 reference 1275 "RFC 793: Transmission Control Protocol - Flags"; 1276 } 1278 identity syn { 1279 
base tcp-flags; 1280 description 1281 "Identity for synchronize"; 1282 reference 1283 "RFC 793: Transmission Control Protocol - Flags"; 1284 } 1286 identity fin { 1287 base tcp-flags; 1288 description 1289 "Identity for finish"; 1290 reference 1291 "RFC 793: Transmission Control Protocol - Flags"; 1292 } 1294 identity icmp-type { 1295 description 1296 "Base identity for icmp types"; 1297 reference 1298 "RFC 792: Internet Control Message Protocol"; 1299 } 1301 identity echo-reply { 1302 base icmp-type; 1303 description 1304 "Identity for echo reply"; 1305 reference 1306 "RFC 792: Internet Control Message Protocol"; 1307 } 1309 identity destination-unreachable { 1310 base icmp-type; 1311 description 1312 "Identity for destination unreachable"; 1313 reference 1314 "RFC 792: Internet Control Message Protocol"; 1315 } 1317 identity source-quench { 1318 base icmp-type; 1319 description 1320 "Identity for source quench"; 1321 reference 1322 "RFC 792: Internet Control Message Protocol"; 1323 } 1325 identity redirect { 1326 base icmp-type; 1327 description 1328 "Identity for redirect"; 1329 reference 1330 "RFC 792: Internet Control Message Protocol"; 1331 } 1333 identity alternate-host-address { 1334 base icmp-type; 1335 description 1336 "Identity for alternate host address"; 1337 reference 1338 "RFC 792: Internet Control Message Protocol"; 1339 } 1341 identity echo { 1342 base icmp-type; 1343 description 1344 "Identity for echo"; 1345 reference 1346 "RFC 792: Internet Control Message Protocol"; 1347 } 1349 identity router-advertisement { 1350 base icmp-type; 1351 description 1352 "Identity for router advertisement"; 1353 reference 1354 "RFC 792: Internet Control Message Protocol"; 1355 } 1357 identity router-solicitation { 1358 base icmp-type; 1359 description 1360 "Identity for router solicitation"; 1361 reference 1362 "RFC 792: Internet Control Message Protocol"; 1363 } 1365 identity time-exceeded { 1366 base icmp-type; 1367 description 1368 "Identity for time exceeded"; 
1369 reference 1370 "RFC 792: Internet Control Message Protocol"; 1371 } 1373 identity parameter-problem { 1374 base icmp-type; 1375 description 1376 "Identity for parameter problem"; 1377 reference 1378 "RFC 792: Internet Control Message Protocol"; 1379 } 1381 identity timestamp { 1382 base icmp-type; 1383 description 1384 "Identity for timestamp"; 1385 reference 1386 "RFC 792: Internet Control Message Protocol"; 1387 } 1389 identity timestamp-reply { 1390 base icmp-type; 1391 description 1392 "Identity for timestamp reply"; 1393 reference 1394 "RFC 792: Internet Control Message Protocol"; 1395 } 1397 identity information-request { 1398 base icmp-type; 1399 description 1400 "Identity for information request"; 1401 reference 1402 "RFC 792: Internet Control Message Protocol"; 1403 } 1405 identity information-reply { 1406 base icmp-type; 1407 description 1408 "Identity for information reply"; 1409 reference 1410 "RFC 792: Internet Control Message Protocol"; 1411 } 1413 identity address-mask-request { 1414 base icmp-type; 1415 description 1416 "Identity for address mask request"; 1417 reference 1418 "RFC 792: Internet Control Message Protocol"; 1419 } 1421 identity address-mask-reply { 1422 base icmp-type; 1423 description 1424 "Identity for address mask reply"; 1425 reference 1426 "RFC 792: Internet Control Message Protocol"; 1427 } 1429 identity traceroute { 1430 base icmp-type; 1431 description 1432 "Identity for traceroute"; 1433 reference 1434 "RFC 792: Internet Control Message Protocol"; 1435 } 1437 identity datagram-conversion-error { 1438 base icmp-type; 1439 description 1440 "Identity for datagram conversion error"; 1441 reference 1442 "RFC 792: Internet Control Message Protocol"; 1443 } 1445 identity mobile-host-redirect { 1446 base icmp-type; 1447 description 1448 "Identity for mobile host redirect"; 1449 reference 1450 "RFC 792: Internet Control Message Protocol"; 1451 } 1453 identity ipv6-where-are-you { 1454 base icmp-type; 1455 description 1456 
"Identity for IPv6 where are you"; 1457 reference 1458 "RFC 792: Internet Control Message Protocol"; 1459 } 1461 identity ipv6-i-am-here { 1462 base icmp-type ; 1463 description 1464 "Identity for IPv6 i am here"; 1465 reference 1466 "RFC 792: Internet Control Message Protocol"; 1467 } 1469 identity mobile-registration-request { 1470 base icmp-type; 1471 description 1472 "Identity for mobile registration request"; 1473 reference 1474 "RFC 792: Internet Control Message Protocol"; 1475 } 1477 identity mobile-registration-reply { 1478 base icmp-type; 1479 description 1480 "Identity for mobile registration reply"; 1481 reference 1482 "RFC 792: Internet Control Message Protocol"; 1483 } 1485 identity domain-name-request { 1486 base icmp-type; 1487 description 1488 "Identity for domain name request"; 1489 reference 1490 "RFC 792: Internet Control Message Protocol"; 1491 } 1493 identity domain-name-reply { 1494 base icmp-type; 1495 description 1496 "Identity for domain name reply"; 1497 reference 1498 "RFC 792: Internet Control Message Protocol"; 1499 } 1501 identity iskip { 1502 base icmp-type; 1503 description 1504 "Identity for icmp skip"; 1505 reference 1506 "RFC 792: Internet Control Message Protocol"; 1507 } 1509 identity photuris { 1510 base icmp-type; 1511 description 1512 "Identity for photuris"; 1513 reference 1514 "RFC 792: Internet Control Message Protocol"; 1515 } 1517 identity experimental-mobility-protocols { 1518 base icmp-type; 1519 description 1520 "Identity for experimental mobility protocols"; 1521 reference 1522 "RFC 792: Internet Control Message Protocol"; 1523 } 1525 identity extended-echo-request { 1526 base icmp-type; 1527 description 1528 "Identity for extended echo request"; 1529 reference 1530 "RFC 792: Internet Control Message Protocol 1531 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1532 } 1534 identity extended-echo-reply { 1535 base icmp-type; 1536 description 1537 "Identity for extended echo reply"; 1538 reference 1539 "RFC 792: 
Internet Control Message Protocol 1540 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1541 } 1543 identity net-unreachable { 1544 base icmp-type; 1545 description 1546 "Identity for net unreachable 1547 in destination unreachable types"; 1548 reference 1549 "RFC 792: Internet Control Message Protocol"; 1550 } 1551 identity host-unreachable { 1552 base icmp-type; 1553 description 1554 "Identity for host unreachable 1555 in destination unreachable types"; 1556 reference 1557 "RFC 792: Internet Control Message Protocol"; 1558 } 1560 identity protocol-unreachable { 1561 base icmp-type; 1562 description 1563 "Identity for protocol unreachable 1564 in destination unreachable types"; 1565 reference 1566 "RFC 792: Internet Control Message Protocol"; 1567 } 1569 identity port-unreachable { 1570 base icmp-type; 1571 description 1572 "Identity for port unreachable 1573 in destination unreachable types"; 1574 reference 1575 "RFC 792: Internet Control Message Protocol"; 1576 } 1578 identity fragment-set { 1579 base icmp-type; 1580 description 1581 "Identity for fragmentation set 1582 in destination unreachable types"; 1583 reference 1584 "RFC 792: Internet Control Message Protocol"; 1585 } 1587 identity source-route-failed { 1588 base icmp-type; 1589 description 1590 "Identity for source route failed 1591 in destination unreachable types"; 1592 reference 1593 "RFC 792: Internet Control Message Protocol"; 1594 } 1596 identity destination-network-unknown { 1597 base icmp-type; 1598 description 1599 "Identity for destination network unknown 1600 in destination unreachable types"; 1601 reference 1602 "RFC 792: Internet Control Message Protocol"; 1603 } 1605 identity destination-host-unknown { 1606 base icmp-type; 1607 description 1608 "Identity for destination host unknown 1609 in destination unreachable types"; 1610 reference 1611 "RFC 792: Internet Control Message Protocol"; 1612 } 1614 identity source-host-isolated { 1615 base icmp-type; 1616 description 1617 "Identity for 
source host isolated 1618 in destination unreachable types"; 1619 reference 1620 "RFC 792: Internet Control Message Protocol"; 1621 } 1623 identity communication-prohibited-with-destination-network { 1624 base icmp-type; 1625 description 1626 "Identity for which communication with destination network 1627 is administratively prohibited in destination unreachable 1628 types"; 1629 reference 1630 "RFC 792: Internet Control Message Protocol"; 1631 } 1633 identity communication-prohibited-with-destination-host { 1634 base icmp-type; 1635 description 1636 "Identity for which communication with destination host 1637 is administratively prohibited in destination unreachable 1638 types"; 1639 reference 1640 "RFC 792: Internet Control Message Protocol"; 1641 } 1643 identity destination-network-unreachable-for-tos { 1644 base icmp-type; 1645 description 1646 "Identity for destination network unreachable 1647 for type of service in destination unreachable types"; 1648 reference 1649 "RFC 792: Internet Control Message Protocol"; 1650 } 1652 identity destination-host-unreachable-for-tos { 1653 base icmp-type; 1654 description 1655 "Identity for destination host unreachable 1656 for type of service in destination unreachable types"; 1657 reference 1658 "RFC 792: Internet Control Message Protocol"; 1659 } 1661 identity communication-prohibited { 1662 base icmp-type; 1663 description 1664 "Identity for communication administratively prohibited 1665 in destination unreachable types"; 1666 reference 1667 "RFC 792: Internet Control Message Protocol"; 1668 } 1670 identity host-precedence-violation { 1671 base icmp-type; 1672 description 1673 "Identity for host precedence violation 1674 in destination unreachable types"; 1675 reference 1676 "RFC 792: Internet Control Message Protocol"; 1677 } 1679 identity precedence-cutoff-in-effect { 1680 base icmp-type; 1681 description 1682 "Identity for precedence cutoff in effect 1683 in destination unreachable types"; 1684 reference 1685 "RFC 
792: Internet Control Message Protocol"; 1686 } 1688 identity redirect-datagram-for-the-network { 1689 base icmp-type; 1690 description 1691 "Identity for redirect datagram for the network 1692 (or subnet) in redirect types"; 1693 reference 1694 "RFC 792: Internet Control Message Protocol"; 1696 } 1698 identity redirect-datagram-for-the-host { 1699 base icmp-type; 1700 description 1701 "Identity for redirect datagram for the host 1702 in redirect types"; 1703 reference 1704 "RFC 792: Internet Control Message Protocol"; 1705 } 1707 identity redirect-datagram-for-the-tos-and-network { 1708 base icmp-type; 1709 description 1710 "Identity for redirect datagram for the type of 1711 service and network in redirect types"; 1712 reference 1713 "RFC 792: Internet Control Message Protocol"; 1714 } 1716 identity redirect-datagram-for-the-tos-and-host { 1717 base icmp-type; 1718 description 1719 "Identity for redirect datagram for the type of 1720 service and host in redirect types"; 1721 reference 1722 "RFC 792: Internet Control Message Protocol"; 1723 } 1725 identity normal-router-advertisement { 1726 base icmp-type; 1727 description 1728 "Identity for normal router advertisement 1729 in router advertisement types"; 1730 reference 1731 "RFC 792: Internet Control Message Protocol"; 1732 } 1734 identity does-not-route-common-traffic { 1735 base icmp-type; 1736 description 1737 "Identity for does not route common traffic 1738 in router advertisement types"; 1739 reference 1740 "RFC 792: Internet Control Message Protocol"; 1741 } 1743 identity time-to-live-exceeded-in-transit { 1744 base icmp-type; 1745 description 1746 "Identity for time to live exceeded in transit 1747 in time exceeded types"; 1748 reference 1749 "RFC 792: Internet Control Message Protocol"; 1750 } 1752 identity fragment-reassembly-time-exceeded { 1753 base icmp-type; 1754 description 1755 "Identity for fragment reassembly time exceeded 1756 in time exceeded types"; 1757 reference 1758 "RFC 792: Internet 
Control Message Protocol"; 1759 } 1761 identity pointer-indicates-the-error { 1762 base icmp-type; 1763 description 1764 "Identity for pointer indicates the error 1765 in parameter problem types"; 1766 reference 1767 "RFC 792: Internet Control Message Protocol"; 1768 } 1770 identity missing-a-required-option { 1771 base icmp-type; 1772 description 1773 "Identity for missing a required option 1774 in parameter problem types"; 1775 reference 1776 "RFC 792: Internet Control Message Protocol"; 1777 } 1779 identity bad-length { 1780 base icmp-type; 1781 description 1782 "Identity for bad length 1783 in parameter problem types"; 1784 reference 1785 "RFC 792: Internet Control Message Protocol"; 1786 } 1788 identity bad-spi { 1789 base icmp-type; 1790 description 1791 "Identity for bad spi 1792 in photuris types"; 1793 reference 1794 "RFC 792: Internet Control Message Protocol"; 1795 } 1797 identity authentication-failed { 1798 base icmp-type; 1799 description 1800 "Identity for authentication failed 1801 in photuris types"; 1802 reference 1803 "RFC 792: Internet Control Message Protocol"; 1804 } 1806 identity decompression-failed { 1807 base icmp-type; 1808 description 1809 "Identity for decompression failed 1810 in photuris types"; 1811 reference 1812 "RFC 792: Internet Control Message Protocol"; 1813 } 1815 identity decryption-failed { 1816 base icmp-type; 1817 description 1818 "Identity for decryption failed 1819 in photuris types"; 1820 reference 1821 "RFC 792: Internet Control Message Protocol"; 1822 } 1824 identity need-authentication { 1825 base icmp-type; 1826 description 1827 "Identity for need authentication 1828 in photuris types"; 1829 reference 1830 "RFC 792: Internet Control Message Protocol"; 1831 } 1833 identity need-authorization { 1834 base icmp-type; 1835 description 1836 "Identity for need authorization 1837 in photuris types"; 1838 reference 1839 "RFC 792: Internet Control Message Protocol"; 1841 } 1843 identity req-no-error { 1844 base icmp-type; 
1845 description 1846 "Identity for request with no error 1847 in extended echo request types"; 1848 reference 1849 "RFC 792: Internet Control Message Protocol 1850 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1851 } 1853 identity rep-no-error { 1854 base icmp-type; 1855 description 1856 "Identity for reply with no error 1857 in extended echo reply types"; 1858 reference 1859 "RFC 792: Internet Control Message Protocol 1860 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1861 } 1863 identity malformed-query { 1864 base icmp-type; 1865 description 1866 "Identity for malformed query 1867 in extended echo reply types"; 1868 reference 1869 "RFC 792: Internet Control Message Protocol 1870 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1871 } 1873 identity no-such-interface { 1874 base icmp-type; 1875 description 1876 "Identity for no such interface 1877 in extended echo reply types"; 1878 reference 1879 "RFC 792: Internet Control Message Protocol 1880 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1881 } 1883 identity no-such-table-entry { 1884 base icmp-type; 1885 description 1886 "Identity for no such table entry 1887 in extended echo reply types"; 1888 reference 1889 "RFC 792: Internet Control Message Protocol 1890 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1891 } 1893 identity multiple-interfaces-satisfy-query { 1894 base icmp-type; 1895 description 1896 "Identity for multiple interfaces satisfy query 1897 in extended echo reply types"; 1898 reference 1899 "RFC 792: Internet Control Message Protocol 1900 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1901 } 1903 identity target-device { 1904 description 1905 "Base identity for target devices"; 1906 reference 1907 "draft-ietf-i2nsf-capability-04: Information Model 1908 of NSFs Capabilities"; 1909 } 1911 identity pc { 1912 base target-device; 1913 description 1914 "Identity for pc"; 1915 } 1917 identity mobile-phone { 1918 base target-device; 1919 description 1920 "Identity for 
mobile-phone"; 1921 } 1923 identity voip-volte-phone { 1924 base target-device; 1925 description 1926 "Identity for voip-volte-phone"; 1927 } 1929 identity tablet { 1930 base target-device; 1931 description 1932 "Identity for tablet"; 1933 } 1935 identity iot { 1936 base target-device; 1937 description 1938 "Identity for IoT"; 1939 } 1941 identity vehicle { 1942 base target-device; 1943 description 1944 "Identity for vehicle"; 1945 } 1947 identity content-security-control { 1948 description 1949 "Base identity for content security control"; 1950 reference 1951 "RFC 8329: Framework for Interface to 1952 Network Security Functions - Differences 1953 from ACL Data Models 1954 draft-ietf-i2nsf-capability-04: Information Model 1955 of NSFs Capabilities"; 1956 } 1958 identity antivirus { 1959 base content-security-control; 1960 description 1961 "Identity for antivirus"; 1962 } 1964 identity ips { 1965 base content-security-control; 1966 description 1967 "Identity for ips"; 1968 } 1970 identity ids { 1971 base content-security-control; 1972 description 1973 "Identity for ids"; 1974 } 1976 identity url-filtering { 1977 base content-security-control; 1978 description 1979 "Identity for url filtering"; 1980 } 1982 identity mail-filtering { 1983 base content-security-control; 1984 description 1985 "Identity for mail filtering"; 1986 } 1988 identity file-blocking { 1989 base content-security-control; 1990 description 1991 "Identity for file blocking"; 1992 } 1994 identity file-isolate { 1995 base content-security-control; 1996 description 1997 "Identity for file isolate"; 1998 } 2000 identity pkt-capture { 2001 base content-security-control; 2002 description 2003 "Identity for packet capture"; 2004 } 2006 identity application-control { 2007 base content-security-control; 2008 description 2009 "Identity for application control"; 2010 } 2012 identity voip-volte { 2013 base content-security-control; 2014 description 2015 "Identity for voip and volte"; 2016 } 2018 identity 
attack-mitigation-control { 2019 description 2020 "Base identity for attack mitigation control"; 2021 reference 2022 "RFC 8329: Framework for Interface to 2023 Network Security Functions - Differences 2024 from ACL Data Models 2025 draft-ietf-i2nsf-capability-04: Information Model 2026 of NSFs Capabilities"; 2027 } 2029 identity syn-flood { 2030 base attack-mitigation-control; 2031 description 2032 "Identity for syn flood"; 2034 } 2036 identity udp-flood { 2037 base attack-mitigation-control; 2038 description 2039 "Identity for udp flood"; 2040 } 2042 identity icmp-flood { 2043 base attack-mitigation-control; 2044 description 2045 "Identity for icmp flood"; 2046 } 2048 identity ip-frag-flood { 2049 base attack-mitigation-control; 2050 description 2051 "Identity for ip frag flood"; 2052 } 2054 identity ipv6-related { 2055 base attack-mitigation-control; 2056 description 2057 "Identity for ipv6 related"; 2058 } 2060 identity http-and-https-flood { 2061 base attack-mitigation-control; 2062 description 2063 "Identity for http and https flood"; 2064 } 2066 identity dns-flood { 2067 base attack-mitigation-control; 2068 description 2069 "Identity for dns flood"; 2070 } 2072 identity dns-amp-flood { 2073 base attack-mitigation-control; 2074 description 2075 "Identity for dns amp flood"; 2076 } 2078 identity ssl-ddos { 2079 base attack-mitigation-control; 2080 description 2081 "Identity for ssl ddos"; 2083 } 2085 identity ip-sweep { 2086 base attack-mitigation-control; 2087 description 2088 "Identity for ip sweep"; 2089 } 2091 identity port-scanning { 2092 base attack-mitigation-control; 2093 description 2094 "Identity for port scanning"; 2095 } 2097 identity ping-of-death { 2098 base attack-mitigation-control; 2099 description 2100 "Identity for ping of death"; 2101 } 2103 identity teardrop { 2104 base attack-mitigation-control; 2105 description 2106 "Identity for teardrop"; 2107 } 2109 identity oversized-icmp { 2110 base attack-mitigation-control; 2111 description 2112 
"Identity for oversized icmp"; 2113 } 2115 identity tracert { 2116 base attack-mitigation-control; 2117 description 2118 "Identity for tracert"; 2119 } 2121 identity ingress-action { 2122 description 2123 "Base identity for action"; 2124 reference 2125 "draft-ietf-i2nsf-capability-04: Information Model 2126 of NSFs Capabilities - Ingress Action"; 2127 } 2129 identity egress-action { 2130 description 2131 "Base identity for egress action"; 2132 reference 2133 "draft-ietf-i2nsf-capability-04: Information Model 2134 of NSFs Capabilities - Egress action"; 2135 } 2137 identity default-action { 2138 description 2139 "Base identity for default action"; 2140 reference 2141 "draft-ietf-i2nsf-capability-04: Information Model 2142 of NSFs Capabilities - Default action"; 2143 } 2145 identity pass { 2146 base ingress-action; 2147 base egress-action; 2148 base default-action; 2149 description 2150 "Identity for pass"; 2151 reference 2152 "draft-ietf-i2nsf-capability-04: Information Model 2153 of NSFs Capabilities - Actions and 2154 default action"; 2155 } 2157 identity drop { 2158 base ingress-action; 2159 base egress-action; 2160 base default-action; 2161 description 2162 "Identity for drop"; 2163 reference 2164 "draft-ietf-i2nsf-capability-04: Information Model 2165 of NSFs Capabilities - Actions and 2166 default action"; 2167 } 2169 identity reject { 2170 base ingress-action; 2171 base egress-action; 2172 base default-action; 2173 description 2174 "Identity for reject"; 2175 reference 2176 "draft-ietf-i2nsf-capability-04: Information Model 2177 of NSFs Capabilities - Actions and 2178 default action"; 2180 } 2182 identity alert { 2183 base ingress-action; 2184 base egress-action; 2185 base default-action; 2186 description 2187 "Identity for alert"; 2188 reference 2189 "draft-ietf-i2nsf-capability-04: Information Model 2190 of NSFs Capabilities - Actions and 2191 default action"; 2192 } 2194 identity mirror { 2195 base ingress-action; 2196 base egress-action; 2197 base 
default-action; 2198 description 2199 "Identity for mirror"; 2200 reference 2201 "draft-ietf-i2nsf-capability-04: Information Model 2202 of NSFs Capabilities - Actions and 2203 default action"; 2204 } 2206 identity log-action { 2207 description 2208 "Base identity for log action"; 2209 } 2211 identity rule-log { 2212 base log-action; 2213 description 2214 "Identity for rule log"; 2215 } 2217 identity session-log { 2218 base log-action; 2219 description 2220 "Identity for session log"; 2221 } 2223 identity invoke-signaling { 2224 base egress-action; 2225 description 2226 "Identity for invoke signaling"; 2227 } 2228 identity tunnel-encapsulation { 2229 base egress-action; 2230 description 2231 "Identity for tunnel encapsulation"; 2232 } 2234 identity forwarding { 2235 base egress-action; 2236 description 2237 "Identity for forwarding"; 2238 } 2240 identity redirection { 2241 base egress-action; 2242 description 2243 "Identity for redirection"; 2245 } 2247 identity resolution-strategy { 2248 description 2249 "Base identity for resolution strategy"; 2250 reference 2251 "draft-ietf-i2nsf-capability-04: Information Model 2252 of NSFs Capabilities - Resolution Strategy"; 2253 } 2255 identity fmr { 2256 base resolution-strategy; 2257 description 2258 "Identity for First Matching Rule (FMR)"; 2259 reference 2260 "draft-ietf-i2nsf-capability-04: Information Model 2261 of NSFs Capabilities - Resolution Strategy"; 2262 } 2264 identity lmr { 2265 base resolution-strategy; 2266 description 2267 "Identity for Last Matching Rule (LMR)"; 2268 reference 2269 "draft-ietf-i2nsf-capability-04: Information Model 2270 of NSFs Capabilities - Resolution Strategy"; 2271 } 2273 identity pmr { 2274 base resolution-strategy; 2275 description 2276 "Identity for Prioritized Matching Rule (PMR)"; 2277 reference 2278 "draft-ietf-i2nsf-capability-04: Information Model 2279 of NSFs Capabilities - Resolution Strategy"; 2280 } 2282 identity pmre { 2283 base resolution-strategy; 2284 description 2285 
"Identity for Prioritized Matching Rule 2286 with Errors (PMRE)"; 2287 reference 2288 "draft-ietf-i2nsf-capability-04: Information Model 2289 of NSFs Capabilities - Resolution Strategy"; 2290 } 2292 identity pmrn { 2293 base resolution-strategy; 2294 description 2295 "Identity for Prioritized Matching Rule 2296 with No Errors (PMRN)"; 2297 reference 2298 "draft-ietf-i2nsf-capability-04: Information Model 2299 of NSFs Capabilities - Resolution Strategy"; 2300 } 2302 /* 2303 * Typedefs 2304 */ 2306 typedef start-time-type { 2307 type union { 2308 type string { 2309 pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' 2310 + '(Z|[\+\-]\d{2}:\d{2})'; 2311 } 2313 type enumeration { 2314 enum right-away { 2315 description 2316 "Immediate rule execution 2317 in the system."; 2318 } 2319 } 2320 } 2322 description 2323 "Start time when the rules are applied."; 2325 } 2327 typedef end-time-type { 2328 type union { 2329 type string { 2330 pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' 2331 + '(Z|[\+\-]\d{2}:\d{2})'; 2332 } 2334 type enumeration { 2335 enum infinitely { 2336 description 2337 "Infinite rule execution 2338 in the system."; 2339 } 2340 } 2341 } 2342 description 2343 "End time when the rules are applied."; 2344 } 2346 typedef day-type { 2347 type enumeration { 2348 enum sunday { 2349 description 2350 "Sunday for periodic day"; 2351 } 2352 enum monday { 2353 description 2354 "Monday for periodic day"; 2355 } 2356 enum tuesday { 2357 description 2358 "Tuesday for periodic day"; 2359 } 2360 enum wednesday { 2361 description 2362 "Wednesday for periodic day"; 2363 } 2364 enum thursday { 2365 description 2366 "Thursday for periodic day"; 2367 } 2368 enum friday { 2369 description 2370 "Friday for periodic day"; 2371 } 2372 enum saturday { 2373 description 2374 "Saturday for periodic day"; 2375 } 2376 } 2377 description 2378 "This can be used for the rules to be applied 2379 according to periodic day"; 2380 } 2382 typedef month-type { 2383 type enumeration { 2384 enum january { 2385 description 
2386 "January for periodic month"; 2387 } 2388 enum february { 2389 description 2390 "February for periodic month"; 2391 } 2392 enum march { 2393 description 2394 "March for periodic month"; 2395 } 2396 enum april { 2397 description 2398 "April for periodic month"; 2399 } 2400 enum may { 2401 description 2402 "May for periodic month"; 2403 } 2404 enum june { 2405 description 2406 "June for periodic month"; 2407 } 2408 enum july { 2409 description 2410 "July for periodic month"; 2411 } 2412 enum august { 2413 description 2414 "August for periodic month"; 2415 } 2416 enum september { 2417 description 2418 "September for periodic month"; 2419 } 2420 enum october { 2421 description 2422 "October for periodic month"; 2423 } 2424 enum november { 2425 description 2426 "November for periodic month"; 2427 } 2428 enum december { 2429 description 2430 "December for periodic month"; 2431 } 2432 } 2433 description 2434 "This can be used for the rules to be applied 2435 according to periodic month"; 2436 } 2438 /* 2439 * Groupings 2440 */ 2442 grouping ipv4 { 2443 list ipv4-address { 2444 key "ipv4"; 2445 description 2446 "The list of IPv4 address."; 2448 leaf ipv4 { 2449 type inet:ipv4-address; 2450 description 2451 "The value of IPv4 address."; 2452 } 2453 choice subnet { 2454 description 2455 "The subnet can be specified as a prefix length or 2456 netmask."; 2457 leaf prefix-length { 2458 type uint8 { 2459 range "0..32"; 2460 } 2461 description 2462 "The length of the subnet prefix."; 2463 } 2464 leaf netmask { 2465 type yang:dotted-quad; 2466 description 2467 "The subnet specified as a netmask."; 2468 } 2470 } 2471 } 2472 description 2473 "Grouping for an IPv4 address"; 2475 reference 2476 "RFC 791: Internet Protocol - IPv4 address 2477 RFC 8344: A YANG Data Model for IP Management"; 2478 } 2480 grouping ipv6 { 2481 list ipv6-address { 2482 key "ipv6"; 2483 description 2484 "The list of IPv6 address."; 2486 leaf ipv6 { 2487 type inet:ipv6-address; 2488 description 2489 "The 
value of IPv6 address."; 2490 } 2492 leaf prefix-length { 2493 type uint8 { 2494 range "0..128"; 2495 } 2496 description 2497 "The length of the subnet prefix."; 2498 } 2499 } 2500 description 2501 "Grouping for an IPv6 address"; 2503 reference 2504 "RFC 2460: Internet Protocol, Version 6 (IPv6) 2505 Specification - IPv6 address 2506 RFC 8344: A YANG Data Model for IP Management"; 2507 } 2509 grouping pkt-sec-ipv4 { 2510 choice match-type { 2511 description 2512 "There are two types to configure a security policy 2513 for IPv4 address, such as exact match and range match."; 2514 case exact-match { 2515 uses ipv4; 2516 description 2517 "Exact match for an IPv4 address."; 2519 } 2520 case range-match { 2521 list range-ipv4-address { 2522 key "start-ipv4-address end-ipv4-address"; 2523 leaf start-ipv4-address { 2524 type inet:ipv4-address; 2525 description 2526 "Start IPv4 address for a range match."; 2527 } 2529 leaf end-ipv4-address { 2530 type inet:ipv4-address; 2531 description 2532 "End IPv4 address for a range match."; 2533 } 2534 description 2535 "Range match for an IPv4 address."; 2536 } 2537 } 2538 } 2539 description 2540 "Grouping for an IPv4 address."; 2542 reference 2543 "RFC 791: Internet Protocol - IPv4 address"; 2544 } 2546 grouping pkt-sec-ipv6 { 2547 choice match-type { 2548 description 2549 "There are two types to configure a security policy 2550 for IPv6 address, such as exact match and range match."; 2551 case exact-match { 2552 uses ipv6; 2553 description 2554 "Exact match for an IPv6 address."; 2555 } 2556 case range-match { 2557 list range-ipv6-address { 2558 key "start-ipv6-address end-ipv6-address"; 2559 leaf start-ipv6-address { 2560 type inet:ipv6-address; 2561 description 2562 "Start IPv6 address for a range match."; 2563 } 2565 leaf end-ipv6-address { 2566 type inet:ipv6-address; 2567 description 2568 "End IPv6 address for a range match."; 2569 } 2570 description 2571 "Range match for an IPv6 address."; 2572 } 2573 } 2574 } 2575 
description 2576 "Grouping for IPv6 address."; 2578 reference 2579 "RFC 2460: Internet Protocol, Version 6 (IPv6) 2580 Specification - IPv6 address"; 2581 } 2583 grouping pkt-sec-port-number { 2584 choice match-type { 2585 description 2586 "There are two types to configure a security policy 2587 for a port number, such as exact match and range match."; 2588 case exact-match { 2589 leaf-list port-num { 2590 type inet:port-number; 2591 description 2592 "Exact match for a port number."; 2593 } 2594 } 2595 case range-match { 2596 list range-port-num { 2597 key "start-port-num end-port-num"; 2598 leaf start-port-num { 2599 type inet:port-number; 2600 description 2601 "Start port number for a range match."; 2602 } 2603 leaf end-port-num { 2604 type inet:port-number; 2605 description 2606 "Start port number for a range match."; 2607 } 2608 description 2609 "Range match for a port number."; 2610 } 2611 } 2612 } 2613 description 2614 "Grouping for port number."; 2616 reference 2617 "RFC 793: Transmission Control Protocol - Port number 2618 RFC 768: User Datagram Protocol - Port Number"; 2619 } 2621 /* 2622 * Data nodes 2623 */ 2625 container i2nsf-security-policy { 2626 description 2627 "Container for security policy 2628 including a set of security rules according to certain logic, 2629 i.e., their similarity or mutual relations, etc. The network 2630 security policy is able to apply over both the unidirectional 2631 and bidirectional traffic across the NSF. 
2632 The I2NSF security policies use the Event-Condition-Action 2633 (ECA) policy model "; 2635 reference 2636 "RFC 8329: Framework for Interface to Network Security 2637 Functions - I2NSF Flow Security Policy Structure 2638 draft-ietf-i2nsf-capability-04: Information Model 2639 of NSFs Capabilities - Design Principles and ECA Policy Model 2640 Overview"; 2642 list system-policy { 2643 key "system-policy-name"; 2644 description 2645 "The system-policy represents there could be multiple system 2646 policies in one NSF, and each system policy is used by 2647 one virtual instance of the NSF/device."; 2649 leaf system-policy-name { 2650 type string; 2651 mandatory true; 2652 description 2653 "The name of the policy. 2654 This must be unique."; 2655 } 2657 leaf priority-usage { 2658 type identityref { 2659 base priority-usage-type; 2660 } 2661 default priority-by-order; 2662 description 2663 "Priority usage type for security policy rule: 2664 priority by order and priority by number"; 2665 } 2667 leaf resolution-strategy { 2668 type identityref { 2669 base resolution-strategy; 2670 } 2671 default fmr; 2672 description 2673 "The resolution strategies can be used to 2674 specify how to resolve conflicts that occur between 2675 the actions of the same or different policy rules that 2676 are matched and contained in this particular NSF"; 2678 reference 2679 "draft-ietf-i2nsf-capability-04: Information Model 2680 of NSFs Capabilities - Resolution strategy"; 2681 } 2683 leaf default-action { 2684 type identityref { 2685 base default-action; 2686 } 2687 default alert; 2688 description 2689 "This default action can be used to specify a predefined 2690 action when no other alternative action was matched 2691 by the currently executing I2NSF Policy Rule. 
An analogy 2692 is the use of a default statement in a C switch statement."; 2694 reference 2695 "draft-ietf-i2nsf-capability-04: Information Model 2696 of NSFs Capabilities - Default action"; 2697 } 2699 list rules { 2700 key "rule-name"; 2701 description 2702 "This is a rule for network security functions."; 2704 leaf rule-name { 2705 type string; 2706 mandatory true; 2707 description 2708 "The name of the rule. 2710 This must be unique."; 2711 } 2713 leaf rule-description { 2714 type string; 2715 description 2716 "This description gives more information about 2717 rules."; 2718 } 2720 leaf rule-priority { 2721 type uint8 { 2722 range "1..255"; 2723 } 2724 description 2725 "The priority keyword comes with a mandatory 2726 numeric value which can range from 1 till 255."; 2727 } 2729 leaf rule-enable { 2730 type boolean; 2731 description 2732 "True is enable. 2733 False is not enbale."; 2734 } 2736 leaf session-aging-time { 2737 type uint16; 2738 description 2739 "This is session aging time."; 2740 } 2742 container long-connection { 2743 description 2744 "This is long-connection"; 2746 leaf enable { 2747 type boolean; 2748 description 2749 "True is enable. 
2750 False is not enbale."; 2751 } 2753 leaf during { 2754 type uint16; 2755 description 2756 "This is during time."; 2757 } 2759 } 2761 container time-zone { 2762 description 2763 "Time zone when the rules are applied"; 2764 container absolute-time-zone { 2765 description 2766 "Rule execution according to absolute time"; 2768 leaf start-time { 2769 type start-time-type; 2770 default right-away; 2771 description 2772 "Start time when the rules are applied"; 2773 } 2774 leaf end-time { 2775 type end-time-type; 2776 default infinitely; 2777 description 2778 "End time when the rules are applied"; 2779 } 2780 } 2782 container periodic-time-zone { 2783 description 2784 "Rule execution according to periodic time"; 2786 container day { 2787 description 2788 "Rule execution according to day."; 2789 leaf every-day { 2790 type boolean; 2791 default true; 2792 description 2793 "Rule execution every day"; 2794 } 2796 leaf-list specific-day { 2797 when "../every-day = 'false'"; 2798 type day-type; 2799 description 2800 "Rule execution according 2801 to specific day"; 2802 } 2803 } 2805 container month { 2806 description 2807 "Rule execution according to month."; 2808 leaf every-month { 2809 type boolean; 2810 default true; 2811 description 2812 "Rule execution every day"; 2813 } 2815 leaf-list specific-month { 2816 when "../every-month = 'false'"; 2817 type month-type; 2818 description 2819 "Rule execution according 2820 to month day"; 2821 } 2822 } 2823 } 2824 } 2826 container event-clause-container { 2827 description 2828 "An event is defined as any important 2829 occurrence in time of a change in the system being 2830 managed, and/or in the environment of the system being 2831 managed. When used in the context of policy rules for 2832 a flow-based NSF, it is used to determine whether the 2833 Condition clause of the Policy Rule can be evaluated 2834 or not. 
Examples of an I2NSF event include time and 2835 user actions (e.g., logon, logoff, and actions that 2836 violate any ACL.)."; 2838 reference 2839 "RFC 8329: Framework for Interface to Network Security 2840 Functions - I2NSF Flow Security Policy Structure 2841 draft-ietf-i2nsf-capability-04: Information Model 2842 of NSFs Capabilities - Design Principles and ECA 2843 Policy Model Overview 2844 draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG 2845 Data Model for Monitoring I2NSF Network Security 2846 Functions - System Alarm and System Events"; 2848 leaf event-clause-description { 2849 type string; 2850 description 2851 "Description for an event clause"; 2852 } 2853 container event-clauses { 2854 description 2855 "It has two event types such as 2856 system event and system alarm."; 2857 reference 2858 "RFC 8329: Framework for Interface to Network Security 2859 Functions - I2NSF Flow Security Policy Structure 2860 draft-ietf-i2nsf-capability-04: Information Model 2861 of NSFs Capabilities - Design Principles and ECA Policy 2862 Model Overview 2863 draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG 2864 Data Model for Monitoring I2NSF Network Security 2865 Functions - System Alarm and System Events"; 2867 leaf-list system-event { 2868 type identityref { 2869 base system-event; 2870 } 2871 description 2872 "The security policy rule according to 2873 system events."; 2874 } 2876 leaf-list system-alarm { 2877 type identityref { 2878 base system-alarm; 2879 } 2880 description 2881 "The security policy rule according to 2882 system alarms."; 2883 } 2884 } 2885 } 2887 container condition-clause-container { 2888 description 2889 "A condition is defined as a set 2890 of attributes, features, and/or values that are to be 2891 compared with a set of known attributes, features, 2892 and/or values in order to determine whether or not the 2893 set of Actions in that (imperative) I2NSF Policy Rule 2894 can be executed or not. 
Examples of I2NSF Conditions 2895 include matching attributes of a packet or flow, and 2896 comparing the internal state of an NSF to a desired 2897 state."; 2898 reference 2899 "RFC 8329: Framework for Interface to Network Security 2900 Functions - I2NSF Flow Security Policy Structure 2901 draft-ietf-i2nsf-capability-04: Information Model 2902 of NSFs Capabilities - Design Principles and ECA Policy 2903 Model Overview"; 2905 leaf condition-clause-description { 2906 type string; 2907 description 2908 "Description for a condition clause."; 2909 } 2911 container packet-security-ipv4-condition { 2912 description 2913 "The purpose of this container is to represent IPv4 2914 packet header information to determine if the set 2915 of policy actions in this ECA policy rule should be 2916 executed or not."; 2917 reference 2918 "RFC 791: Internet Protocol"; 2920 leaf ipv4-description { 2921 type string; 2922 description 2923 "This is description for ipv4 condition."; 2924 } 2926 container pkt-sec-ipv4-header-length { 2927 choice match-type { 2928 description 2929 "There are two types to configure a security 2930 policy for IPv4 header length, such as exact match 2931 and range match."; 2932 case exact-match { 2933 leaf-list ipv4-header-length { 2934 type uint8 { 2935 range "5..15"; 2936 } 2937 description 2938 "Exact match for an IPv4 header length."; 2939 } 2940 } 2941 case range-match { 2942 list range-ipv4-header-length { 2943 key "start-ipv4-header-length 2944 end-ipv4-header-length"; 2945 leaf start-ipv4-header-length { 2946 type uint8 { 2947 range "5..15"; 2948 } 2949 description 2950 "Start IPv4 header length for a range match."; 2951 } 2953 leaf end-ipv4-header-length { 2954 type uint8 { 2955 range "5..15"; 2956 } 2957 description 2958 "End IPv4 header length for a range match."; 2959 } 2960 description 2961 "Range match for an IPv4 header length."; 2962 } 2963 } 2964 } 2965 description 2966 "The security policy rule according to 2967 IPv4 header length."; 2968 
reference 2969 "RFC 791: Internet Protocol - Header length"; 2970 } 2972 leaf-list pkt-sec-ipv4-tos { 2973 type identityref { 2974 base type-of-service; 2975 } 2976 description 2977 "The security policy rule according to 2978 IPv4 type of service."; 2979 reference 2980 "RFC 791: Internet Protocol - Type of service"; 2981 } 2983 container pkt-sec-ipv4-total-length { 2984 choice match-type { 2985 description 2986 "There are two types to configure a security 2987 policy for IPv4 total length, such as exact match 2988 and range match."; 2989 case exact-match { 2990 leaf-list ipv4-total-length { 2991 type uint16; 2992 description 2993 "Exact match for an IPv4 total length."; 2994 } 2995 } 2996 case range-match { 2997 list range-ipv4-total-length { 2998 key "start-ipv4-total-length end-ipv4-total-length"; 2999 leaf start-ipv4-total-length { 3000 type uint16; 3001 description 3002 "Start IPv4 total length for a range match."; 3003 } 3004 leaf end-ipv4-total-length { 3005 type uint16; 3006 description 3007 "End IPv4 total length for a range match."; 3008 } 3009 description 3010 "Range match for an IPv4 total length."; 3011 } 3012 } 3013 } 3014 description 3015 "The security policy rule according to 3016 IPv4 total length."; 3017 reference 3018 "RFC 791: Internet Protocol - Total length"; 3019 } 3021 leaf-list pkt-sec-ipv4-id { 3022 type uint16; 3023 description 3024 "The security policy rule according to 3025 IPv4 identification."; 3026 reference 3027 "RFC 791: Internet Protocol - Identification"; 3028 } 3030 leaf-list pkt-sec-ipv4-fragment-flags { 3031 type identityref { 3032 base fragmentation-flags-type; 3033 } 3034 description 3035 "The security policy rule according to 3036 IPv4 fragment flags."; 3037 reference 3038 "RFC 791: Internet Protocol - Fragment flags"; 3039 } 3041 container pkt-sec-ipv4-fragment-offset { 3042 choice match-type { 3043 description 3044 "There are two types to configure a security 3045 policy for IPv4 fragment offset, such as exact match 3046 
and range match."; 3047 case exact-match { 3048 leaf-list ipv4-fragment-offset { 3049 type uint16 { 3050 range "0..16383"; 3051 } 3052 description 3053 "Exact match for an IPv4 fragment offset."; 3054 } 3055 } 3056 case range-match { 3057 list range-ipv4-fragment-offset { 3058 key "start-ipv4-fragment-offset 3059 end-ipv4-fragment-offset"; 3060 leaf start-ipv4-fragment-offset { 3061 type uint16 { 3062 range "0..16383"; 3063 } 3064 description 3065 "Start IPv4 fragment offset for a range match."; 3066 } 3067 leaf end-ipv4-fragment-offset { 3068 type uint16 { 3069 range "0..16383"; 3070 } 3071 description 3072 "End IPv4 fragment offset for a range match."; 3073 } 3074 description 3075 "Range match for an IPv4 fragment offset."; 3076 } 3077 } 3078 } 3079 description 3080 "The security policy rule according to 3081 IPv4 fragment offset."; 3082 reference 3083 "RFC 791: Internet Protocol - Fragment offset"; 3084 } 3086 container pkt-sec-ipv4-ttl { 3087 choice match-type { 3088 description 3089 "There are two types to configure a security 3090 policy for IPv4 TTL, such as exact match 3091 and range match."; 3092 case exact-match { 3093 leaf-list ipv4-ttl { 3094 type uint8; 3095 description 3096 "Exact match for an IPv4 TTL."; 3097 } 3098 } 3099 case range-match { 3100 list range-ipv4-ttl { 3101 key "start-ipv4-ttl end-ipv4-ttl"; 3102 leaf start-ipv4-ttl { 3103 type uint8; 3104 description 3105 "Start IPv4 TTL for a range match."; 3106 } 3107 leaf end-ipv4-ttl { 3108 type uint8; 3109 description 3110 "End IPv4 TTL for a range match."; 3111 } 3112 description 3113 "Range match for an IPv4 TTL."; 3114 } 3115 } 3116 } 3117 description 3118 "The security policy rule according to 3119 IPv4 time-to-live (TTL)."; 3120 reference 3121 "RFC 791: Internet Protocol - Time to live"; 3122 } 3124 leaf-list pkt-sec-ipv4-protocol { 3125 type identityref { 3126 base protocol; 3127 } 3128 description 3129 "The security policy rule according to 3130 IPv4 protocol."; 3131 reference 3132 "RFC 
791: Internet Protocol - Protocol"; 3133 } 3135 container pkt-sec-ipv4-src { 3136 uses pkt-sec-ipv4; 3137 description 3138 "The security policy rule according to 3139 IPv4 source address."; 3141 reference 3142 "RFC 791: Internet Protocol - IPv4 Address"; 3143 } 3145 container pkt-sec-ipv4-dest { 3146 uses pkt-sec-ipv4; 3147 description 3148 "The security policy rule according to 3149 IPv4 destination address."; 3150 reference 3151 "RFC 791: Internet Protocol - IPv4 Address"; 3152 } 3154 leaf-list pkt-sec-ipv4-ipopts { 3155 type identityref { 3156 base ipopts; 3157 } 3158 description 3159 "The security policy rule according to 3160 IPv4 options."; 3161 reference 3162 "RFC 791: Internet Protocol - Options"; 3163 } 3165 leaf pkt-sec-ipv4-sameip { 3166 type boolean; 3167 description 3168 "Every packet has a source IP-address and 3169 a destination IP-address. It can be that 3170 the source IP is the same as 3171 the destination IP."; 3172 } 3174 leaf-list pkt-sec-ipv4-geoip { 3175 type string; 3176 description 3177 "The geoip keyword enables you to match on 3178 the source, destination or source and destination 3179 IP addresses of network traffic and to see to 3180 which country it belongs. 
To do this, Suricata 3181 uses GeoIP API with MaxMind database format."; 3182 } 3183 } 3185 container packet-security-ipv6-condition { 3186 description 3187 "The purpose of this container is to represent 3188 IPv6 packet header information to determine 3189 if the set of policy actions in this ECA policy 3190 rule should be executed or not."; 3191 reference 3192 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3193 Specification"; 3195 leaf ipv6-description { 3196 type string; 3197 description 3198 "This is description for ipv6 condition."; 3199 } 3201 leaf-list pkt-sec-ipv6-traffic-class { 3202 type identityref { 3203 base traffic-class; 3204 } 3205 description 3206 "The security policy rule according to 3207 IPv6 traffic class."; 3208 reference 3209 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3210 Specification - Traffic class"; 3211 } 3213 container pkt-sec-ipv6-flow-label { 3214 choice match-type { 3215 description 3216 "There are two types to configure a security 3217 policy for IPv6 flow label, such as exact match 3218 and range match."; 3219 case exact-match { 3220 leaf-list ipv6-flow-label { 3221 type uint32 { 3222 range "0..1048575"; 3223 } 3224 description 3225 "Exact match for an IPv6 flow label."; 3226 } 3227 } 3228 case range-match { 3229 list range-ipv6-flow-label { 3230 key "start-ipv6-flow-label end-ipv6-flow-label"; 3231 leaf start-ipv6-flow-label { 3232 type uint32 { 3233 range "0..1048575"; 3234 } 3235 description 3236 "Start IPv6 flow label for a range match."; 3237 } 3238 leaf end-ipv6-flow-label { 3239 type uint32 { 3240 range "0..1048575"; 3241 } 3242 description 3243 "End IPv6 flow label for a range match."; 3244 } 3245 description 3246 "Range match for an IPv6 flow label."; 3247 } 3248 } 3249 } 3250 description 3251 "The security policy rule according to 3252 IPv6 flow label."; 3253 reference 3254 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3255 Specification - Flow label"; 3256 } 3258 container pkt-sec-ipv6-payload-length { 3259 choice 
match-type { 3260 description 3261 "There are two types to configure a security 3262 policy for IPv6 payload length, such as 3263 exact match and range match."; 3264 case exact-match { 3265 leaf-list ipv6-payload-length { 3266 type uint16; 3267 description 3268 "Exact match for an IPv6 payload length."; 3269 } 3270 } 3271 case range-match { 3272 list range-ipv6-payload-length { 3273 key "start-ipv6-payload-length 3274 end-ipv6-payload-length"; 3275 leaf start-ipv6-payload-length { 3276 type uint16; 3277 description 3278 "Start IPv6 payload length for a range match."; 3279 } 3280 leaf end-ipv6-payload-length { 3281 type uint16; 3282 description 3283 "End IPv6 payload length for a range match."; 3285 } 3286 description 3287 "Range match for an IPv6 payload length."; 3288 } 3289 } 3290 } 3291 description 3292 "The security policy rule according to 3293 IPv6 payload length."; 3294 reference 3295 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3296 Specification - Payload length"; 3297 } 3299 leaf-list pkt-sec-ipv6-next-header { 3300 type identityref { 3301 base next-header; 3302 } 3303 description 3304 "The security policy rule according to 3305 IPv6 next header."; 3306 reference 3307 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3308 Specification - Next header"; 3309 } 3311 container pkt-sec-ipv6-hop-limit { 3312 choice match-type { 3313 description 3314 "There are two types to configure a security 3315 policy for IPv6 hop limit, such as exact match 3316 and range match."; 3317 case exact-match { 3318 leaf-list ipv6-hop-limit { 3319 type uint8; 3320 description 3321 "Exact match for an IPv6 hop limit."; 3322 } 3323 } 3324 case range-match { 3325 list range-ipv6-hop-limit { 3326 key "start-ipv6-hop-limit end-ipv6-hop-limit"; 3327 leaf start-ipv6-hop-limit { 3328 type uint8; 3329 description 3330 "Start IPv6 hop limit for a range match."; 3331 } 3332 leaf end-ipv6-hop-limit { 3333 type uint8; 3334 description 3335 "End IPv6 hop limit for a range match."; 3336 } 3337 
description 3338 "Range match for an IPv6 hop limit."; 3339 } 3340 } 3341 } 3342 description 3343 "The security policy rule according to 3344 IPv6 hop limit."; 3345 reference 3346 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3347 Specification - Hop limit"; 3348 } 3350 container pkt-sec-ipv6-src { 3351 uses pkt-sec-ipv6; 3352 description 3353 "The security policy rule according to 3354 IPv6 source address."; 3355 reference 3356 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3357 Specification - IPv6 address"; 3358 } 3360 container pkt-sec-ipv6-dest { 3361 uses pkt-sec-ipv6; 3362 description 3363 "The security policy rule according to 3364 IPv6 destination address."; 3365 reference 3366 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3367 Specification - IPv6 address"; 3368 } 3370 } 3372 container packet-security-tcp-condition { 3373 description 3374 "The purpose of this container is to represent 3375 TCP packet header information to determine 3376 if the set of policy actions in this ECA policy 3377 rule should be executed or not."; 3378 reference 3379 "RFC 793: Transmission Control Protocol"; 3381 leaf tcp-description { 3382 type string; 3383 description 3384 "This is description for tcp condition."; 3385 } 3387 container pkt-sec-tcp-src-port-num { 3388 uses pkt-sec-port-number; 3389 description 3390 "The security policy rule according to 3391 tcp source port number."; 3392 reference 3393 "RFC 793: Transmission Control Protocol 3394 - Port number"; 3395 } 3397 container pkt-sec-tcp-dest-port-num { 3398 uses pkt-sec-port-number; 3399 description 3400 "The security policy rule according to 3401 tcp destination port number."; 3402 reference 3403 "RFC 793: Transmission Control Protocol 3404 - Port number"; 3405 } 3407 container pkt-sec-tcp-seq-num { 3408 choice match-type { 3409 description 3410 "There are two types to configure a security 3411 policy for tcp sequence number, 3412 such as exact match and range match."; 3413 case exact-match { 3414 leaf-list 
tcp-seq-num { 3415 type uint32; 3416 description 3417 "Exact match for an tcp sequence number."; 3418 } 3419 } 3420 case range-match { 3421 list range-tcp-seq-num { 3422 key "start-tcp-seq-num end-tcp-seq-num"; 3423 leaf start-tcp-seq-num { 3424 type uint32; 3425 description 3426 "Start tcp sequence number for a range match."; 3427 } 3428 leaf end-tcp-seq-num { 3429 type uint32; 3430 description 3431 "End tcp sequence number for a range match."; 3432 } 3433 description 3434 "Range match for a tcp sequence number."; 3435 } 3436 } 3437 } 3438 description 3439 "The security policy rule according to 3440 tcp sequence number."; 3441 reference 3442 "RFC 793: Transmission Control Protocol 3443 - Sequence number"; 3444 } 3446 container pkt-sec-tcp-ack-num { 3447 choice match-type { 3448 description 3449 "There are two types to configure a security 3450 policy for tcp acknowledgement number, 3451 such as exact match and range match."; 3452 case exact-match { 3453 leaf-list tcp-ack-num { 3454 type uint32; 3455 description 3456 "Exact match for an tcp acknowledgement number."; 3457 } 3458 } 3459 case range-match { 3460 list range-tcp-ack-num { 3461 key "start-tcp-ack-num end-tcp-ack-num"; 3462 leaf start-tcp-ack-num { 3463 type uint32; 3464 description 3465 "Start tcp acknowledgement number 3466 for a range match."; 3467 } 3468 leaf end-tcp-ack-num { 3469 type uint32; 3470 description 3471 "End tcp acknowledgement number 3472 for a range match."; 3473 } 3474 description 3475 "Range match for a tcp acknowledgement number."; 3477 } 3478 } 3479 } 3480 description 3481 "The security policy rule according to 3482 tcp acknowledgement number."; 3483 reference 3484 "RFC 793: Transmission Control Protocol 3485 - Acknowledgement number"; 3486 } 3488 container pkt-sec-tcp-window-size { 3489 choice match-type { 3490 description 3491 "There are two types to configure a security 3492 policy for tcp window size, 3493 such as exact match and range match."; 3494 case exact-match { 3495 
leaf-list tcp-window-size { 3496 type uint16; 3497 description 3498 "Exact match for an tcp window size."; 3499 } 3500 } 3501 case range-match { 3502 list range-tcp-window-size { 3503 key "start-tcp-window-size end-tcp-window-size"; 3504 leaf start-tcp-window-size { 3505 type uint16; 3506 description 3507 "Start tcp window size for a range match."; 3508 } 3509 leaf end-tcp-window-size { 3510 type uint16; 3511 description 3512 "End tcp window size for a range match."; 3513 } 3514 description 3515 "Range match for a tcp window size."; 3516 } 3517 } 3518 } 3519 description 3520 "The security policy rule according to 3521 tcp window size."; 3522 reference 3523 "RFC 793: Transmission Control Protocol 3524 - Window size"; 3526 } 3528 leaf-list pkt-sec-tcp-flags { 3529 type identityref { 3530 base tcp-flags; 3531 } 3532 description 3533 "The security policy rule according to 3534 tcp flags."; 3535 reference 3536 "RFC 793: Transmission Control Protocol 3537 - Flags"; 3538 } 3539 } 3541 container packet-security-udp-condition { 3542 description 3543 "The purpose of this container is to represent 3544 UDP packet header information to determine 3545 if the set of policy actions in this ECA policy 3546 rule should be executed or not."; 3547 reference 3548 "RFC 793: Transmission Control Protocol"; 3550 leaf udp-description { 3551 type string; 3552 description 3553 "This is description for udp condition."; 3554 } 3556 container pkt-sec-udp-src-port-num { 3557 uses pkt-sec-port-number; 3558 description 3559 "The security policy rule according to 3560 udp source port number."; 3561 reference 3562 "RFC 793: Transmission Control Protocol 3563 - Port number"; 3564 } 3566 container pkt-sec-udp-dest-port-num { 3567 uses pkt-sec-port-number; 3568 description 3569 "The security policy rule according to 3570 udp destination port number."; 3571 reference 3572 "RFC 768: User Datagram Protocol 3573 - Total Length"; 3574 } 3576 container pkt-sec-udp-total-length { 3577 choice match-type { 
3578 description 3579 "There are two types to configure a security 3580 policy for udp sequence number, 3581 such as exact match and range match."; 3582 case exact-match { 3583 leaf-list udp-total-length { 3584 type uint32; 3585 description 3586 "Exact match for an udp-total-length."; 3587 } 3588 } 3589 case range-match { 3590 list range-udp-total-length { 3591 key "start-udp-total-length end-udp-total-length"; 3592 leaf start-udp-total-length { 3593 type uint32; 3594 description 3595 "Start udp total length for a range match."; 3596 } 3597 leaf end-udp-total-length { 3598 type uint32; 3599 description 3600 "End udp total length for a range match."; 3601 } 3602 description 3603 "Range match for a udp total length."; 3604 } 3605 } 3606 } 3607 description 3608 "The security policy rule according to 3609 udp total length."; 3610 reference 3611 "RFC 768: User Datagram Protocol 3612 - Total Length"; 3613 } 3614 } 3616 container packet-security-icmp-condition { 3617 description 3618 "The purpose of this container is to represent 3619 ICMP packet header information to determine 3620 if the set of policy actions in this ECA policy 3621 rule should be executed or not."; 3622 reference 3623 "RFC 792: Internet Control Message Protocol 3624 RFC 8335: PROBE: A Utility for Probing Interfaces"; 3626 leaf icmp-description { 3627 type string; 3628 description 3629 "This is description for icmp condition."; 3630 } 3632 leaf-list pkt-sec-icmp-type-and-code { 3633 type identityref { 3634 base icmp-type; 3635 } 3636 description 3637 "The security policy rule according to 3638 ICMP parameters."; 3639 reference 3640 "RFC 792: Internet Control Message Protocol 3641 RFC 8335: PROBE: A Utility for Probing Interfaces"; 3642 } 3643 } 3645 container packet-security-http-condition { 3646 description 3647 "Condition for http."; 3649 leaf http-description { 3650 type string; 3651 description 3652 "This is description for http condition."; 3653 } 3655 leaf-list pkt-sec-uri-content { 3656 type 
string; 3657 description 3658 "The security policy rule according to 3659 uri content."; 3660 } 3662 leaf-list pkt-sec-url-content { 3663 type string; 3664 description 3665 "The security policy rule according to 3666 url content."; 3668 } 3669 } 3671 container packet-security-voice-condition { 3672 description 3673 "A VoIP/VoLTE security system can monitor each 3674 VoIP/VoLTE flow and manage VoIP/VoLTE 3675 security rules controlled by a centralized 3676 server for the VoIP/VoLTE security service 3677 (called VoIP IPS). The VoIP/VoLTE security 3678 system controls each switch for 3679 VoIP/VoLTE call flow management by 3680 manipulating rules that can be added, 3681 deleted, or modified dynamically."; 3683 reference 3684 "RFC 3261: SIP: Session Initiation Protocol"; 3686 leaf voice-description { 3687 type string; 3688 description 3689 "This is the description for the voice condition."; 3690 } 3692 leaf-list pkt-sec-src-voice-id { 3693 type string; 3694 description 3695 "The security policy rule according to 3696 a source voice ID for VoIP and VoLTE."; 3697 } 3699 leaf-list pkt-sec-dest-voice-id { 3700 type string; 3701 description 3702 "The security policy rule according to 3703 a destination voice ID for VoIP and VoLTE."; 3704 } 3706 leaf-list pkt-sec-user-agent { 3707 type string; 3708 description 3709 "The security policy rule according to 3710 a user agent for VoIP and VoLTE."; 3711 } 3712 } 3714 container packet-security-ddos-condition { 3715 description 3716 "Condition for DDoS attack."; 3718 leaf ddos-description { 3719 type string; 3720 description 3721 "This is the description for the ddos condition."; 3722 } 3724 leaf pkt-sec-alert-rate { 3725 type uint32; 3726 description 3727 "The rate of identical packets at which 3728 flood detection raises an alert."; 3729 } 3730 } 3732 container packet-payload-condition { 3733 description 3734 "Condition for packet payload"; 3735 leaf packet-payload-description { 3736 type string; 3737 description 3738
"This is the description for the payload condition. 3739 Vendors can write instructions for the payload condition 3740 that the vendor made"; 3741 } 3742 leaf-list pkt-payload-content { 3743 type string; 3744 description 3745 "The payload content to match, in the role of 3746 the content keyword of an IDS signature: the text 3747 between the quotation marks is what the 3748 signature matches against."; 3749 } 3750 } 3752 leaf-list acl-number { 3753 type uint32; 3754 description 3755 "This is the acl-number."; 3756 } 3758 container application-condition { 3759 description 3760 "Condition for application"; 3761 leaf application-description { 3762 type string; 3763 description 3764 "This is the description for the application condition."; 3765 } 3766 leaf-list application-object { 3767 type string; 3768 description 3769 "This is an application object."; 3770 } 3771 leaf-list application-group { 3772 type string; 3773 description 3774 "This is an application group."; 3775 } 3776 leaf-list application-label { 3777 type string; 3778 description 3779 "This is an application label."; 3780 } 3781 container category { 3782 description 3783 "This is the application category"; 3784 list application-category { 3785 key "name application-subcategory"; 3786 description 3787 "This is the application category list"; 3788 leaf name { 3789 type string; 3790 description 3791 "This is the name of the application category."; 3792 } 3793 leaf application-subcategory { 3794 type string; 3795 description 3796 "This is the application subcategory."; 3797 } 3798 } 3799 } 3800 } 3802 container target-condition { 3803 description 3804 "Condition for target"; 3805 leaf target-description { 3806 type string; 3807 description 3808 "This is the description for the target condition.
3809 Vendors can write instructions for the target condition 3810 that the vendor made"; 3811 } 3812 container device-sec-context-cond { 3813 description 3814 "The device attribute that can identify a device, 3815 including the device type (e.g., router, switch, 3816 pc, ios, or android) and the device's owner as 3817 well."; 3819 leaf-list target-device { 3820 type identityref { 3821 base target-device; 3822 } 3823 description 3824 "Leaf list for target devices"; 3825 } 3826 } 3827 } 3828 container users-condition { 3829 description 3830 "Condition for users"; 3831 leaf users-description { 3832 type string; 3833 description 3834 "This is the description for the user condition. 3835 Vendors can write instructions for the user condition 3836 that the vendor made"; 3837 } 3838 container user { 3839 description 3840 "The user (or user group) information with which 3841 a network flow is associated: The user has many 3842 attributes such as name, id, password, type, 3843 authentication mode and so on. Name/id is often 3844 used in the security policy to identify the user. 3845 Besides, the NSF is aware of the IP address of the 3846 user provided by a unified user management system 3847 via the network. Based on the name-address association, 3848 the NSF is able to enforce the security functions 3849 over the given user (or user group)"; 3851 choice user-name { 3852 description 3853 "The name of the user.
3854 This must be unique."; 3856 case tenant { 3857 description 3858 "Tenant information."; 3860 leaf tenant { 3861 type uint8; 3862 mandatory true; 3863 description 3864 "User's tenant information."; 3865 } 3866 } 3868 case vn-id { 3869 description 3870 "VN-ID information."; 3872 leaf vn-id { 3873 type uint8; 3874 mandatory true; 3875 description 3876 "User's VN-ID information."; 3877 } 3878 } 3879 } 3880 } 3881 container group { 3882 description 3883 "The user group information with which 3884 a network flow is associated: The user has many 3885 attributes such as name, id, password, type, 3886 authentication mode and so on. Name/id is often 3887 used in the security policy to identify the user. 3888 Besides, the NSF is aware of the IP address of the 3889 user provided by a unified user management system 3890 via the network. Based on the name-address association, 3891 the NSF is able to enforce the security functions 3892 over the given user (or user group)"; 3894 choice group-name { 3895 description 3896 "The name of the group. 3897 This must be unique."; 3899 case tenant { 3900 description 3901 "Tenant information."; 3903 leaf tenant { 3904 type uint8; 3905 mandatory true; 3906 description 3907 "Group's tenant information."; 3909 } 3910 } 3912 case vn-id { 3913 description 3914 "VN-ID information."; 3916 leaf vn-id { 3917 type uint8; 3918 mandatory true; 3919 description 3920 "Group's VN-ID information."; 3921 } 3922 } 3923 } 3924 } 3925 leaf security-group { 3926 type string; 3927 mandatory true; 3928 description 3929 "The security group of the user."; 3930 } 3931 } 3933 container url-category-condition { 3934 description 3935 "Condition for url category"; 3936 leaf url-category-description { 3937 type string; 3938 description 3939 "This is the description for the url category condition.
3940 Vendors can write instructions for the url category condition 3941 that the vendor made"; 3942 } 3944 leaf-list pre-defined-category { 3945 type string; 3946 description 3947 "This is a pre-defined category."; 3948 } 3949 leaf-list user-defined-category { 3950 type string; 3951 description 3952 "This is a user-defined category."; 3953 } 3954 } 3956 container context-condition { 3957 description 3958 "Condition for context"; 3959 leaf context-description { 3960 type string; 3961 description 3962 "This is the description for the context condition. 3963 Vendors can write instructions for the context condition 3964 that the vendor made"; 3965 } 3966 } 3968 container gen-context-condition { 3969 description 3970 "Condition for generic context"; 3971 leaf gen-context-description { 3972 type string; 3973 description 3974 "This is the description for the generic context condition. 3975 Vendors can write instructions for the generic context 3976 condition that the vendor made"; 3977 } 3979 container geographic-location { 3980 description 3981 "The location with which network traffic is 3982 associated. The region can be the geographic location 3983 such as country, province, and city, 3984 as well as the logical network location such as 3985 IP address, network section, and network domain."; 3987 leaf-list src-geographic-location { 3988 type uint32; 3989 description 3990 "This is mapped to an ip address. The source 3991 region is obtained from the ip address stored in the 3992 database."; 3993 } 3994 leaf-list dest-geographic-location { 3995 type uint32; 3996 description 3997 "This is mapped to an ip address. The destination 3998 region is obtained from the ip address stored 3999 in the database."; 4000 } 4001 } 4002 } 4003 } 4004 container action-clause-container { 4005 description 4006 "An action is used to control and monitor aspects of 4007 flow-based NSFs when the event and condition clauses 4008 are satisfied. NSFs provide security functions by 4009 executing various Actions.
Examples of I2NSF Actions 4010 include providing intrusion detection and/or protection, 4011 web and flow filtering, and deep packet inspection 4012 for packets and flows."; 4013 reference 4014 "RFC 8329: Framework for Interface to Network Security 4015 Functions - I2NSF Flow Security Policy Structure 4016 draft-ietf-i2nsf-capability-04: Information Model 4017 of NSFs Capabilities - Design Principles and ECA Policy 4018 Model Overview"; 4020 leaf action-clause-description { 4021 type string; 4022 description 4023 "Description for an action clause."; 4024 } 4026 container packet-action { 4027 description 4028 "Action for packets"; 4029 reference 4030 "RFC 8329: Framework for Interface to Network Security 4031 Functions - I2NSF Flow Security Policy Structure 4032 draft-ietf-i2nsf-capability-04: Information Model 4033 of NSFs Capabilities - Design Principles and ECA 4034 Policy Model Overview"; 4036 leaf ingress-action { 4037 type identityref { 4038 base ingress-action; 4039 } 4040 description 4041 "Ingress action: pass, drop, reject, alert, and mirror."; 4042 } 4044 leaf egress-action { 4045 type identityref { 4046 base egress-action; 4047 } 4048 description 4049 "Egress action: pass, drop, reject, alert, mirror, 4050 invoke-signaling, tunnel-encapsulation, 4051 forwarding, and redirection."; 4053 } 4055 leaf log-action { 4056 type identityref { 4057 base log-action; 4058 } 4059 description 4060 "Log action: rule log and session log"; 4061 } 4063 } 4065 container advanced-action { 4066 description 4067 "If the packet needs additional inspection, 4068 it is passed to advanced network 4069 security functions according to the profile."; 4070 reference 4071 "RFC 8329: Framework for Interface to Network Security 4072 Functions - Differences from ACL Data Models"; 4074 leaf-list content-security-control { 4075 type identityref { 4076 base content-security-control; 4077 } 4078 description 4079 "The Profile is divided into content security 4080 control and
attack-mitigation-control. 4081 Content security control: antivirus, ips, ids, 4082 url filtering, mail filtering, file blocking, 4083 file isolate, packet capture, application control, 4084 voip and volte."; 4085 } 4087 leaf-list attack-mitigation-control { 4088 type identityref { 4089 base attack-mitigation-control; 4090 } 4091 description 4092 "The Profile is divided into content security 4093 control and attack-mitigation-control. 4094 Attack mitigation control: syn flood, udp flood, 4095 icmp flood, ip frag flood, ipv6 related, http flood, 4096 https flood, dns flood, dns amp flood, ssl ddos, 4097 ip sweep, port scanning, ping of death, teardrop, 4098 oversized icmp, tracert."; 4099 } 4100 } 4102 } 4103 } 4104 container rule-group { 4105 description 4106 "This is the rule group"; 4108 list groups { 4109 key "group-name"; 4110 description 4111 "This is a group for rules"; 4113 leaf group-name { 4114 type string; 4115 description 4116 "This is the name of the rule group"; 4117 } 4119 container rule-range { 4120 description 4121 "This is a rule range."; 4123 leaf start-rule { 4124 type string; 4125 description 4126 "This is the first rule of the range"; 4127 } 4128 leaf end-rule { 4129 type string; 4130 description 4131 "This is the last rule of the range"; 4132 } 4133 } 4134 leaf enable { 4135 type boolean; 4136 description 4137 "Whether the rule group is enabled; 4138 false means the group is not enabled."; 4139 } 4140 leaf description { 4141 type string; 4142 description 4143 "This is a description for the rule-group"; 4144 } 4145 } 4146 } 4147 } 4148 } 4149 } 4150 4152 Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface 4154 6. IANA Considerations 4156 This document requests IANA to register the following URI in the 4157 "IETF XML Registry" [RFC3688]: 4159 URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf 4161 Registrant Contact: The IESG. 4163 XML: N/A; the requested URI is an XML namespace. 4165 This document requests IANA to register the following YANG module in 4166 the "YANG Module Names" registry [RFC7950].
4168 name: ietf-i2nsf-policy-rule-for-nsf 4170 namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for- 4171 nsf 4173 prefix: iiprfn 4175 reference: RFC XXXX 4177 7. Security Considerations 4179 The YANG module specified in this document defines a data schema 4180 designed to be accessed through network management protocols such as 4181 NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is 4182 the secure transport layer, and the mandatory-to-implement secure 4183 transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer 4184 is HTTPS, and the mandatory-to-implement secure transport is TLS 4185 [RFC8446]. 4187 The NETCONF access control model [RFC8341] provides a means of 4188 restricting access for particular NETCONF or RESTCONF users to a 4189 preconfigured subset of all available NETCONF or RESTCONF protocol 4190 operations and content. The writable nodes of this module are the security policy rules themselves, including the condition clauses and the pass, drop, mirror, and redirection actions; a client with write access to them can disable or redirect the enforcement that an NSF performs, so write access should be limited to the security controller. 4192 8. References 4193 8.1. Normative References 4195 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 4196 Requirement Levels", BCP 14, RFC 2119, 4197 DOI 10.17487/RFC2119, March 1997, 4198 <https://www.rfc-editor.org/info/rfc2119>. 4200 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 4201 the Network Configuration Protocol (NETCONF)", RFC 6020, 4202 DOI 10.17487/RFC6020, October 2010, 4203 <https://www.rfc-editor.org/info/rfc6020>. 4205 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 4206 and A. Bierman, Ed., "Network Configuration Protocol 4207 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 4208 <https://www.rfc-editor.org/info/rfc6241>. 4210 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure 4211 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, 4212 <https://www.rfc-editor.org/info/rfc6242>. 4214 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", 4215 RFC 6991, DOI 10.17487/RFC6991, July 2013, 4216 <https://www.rfc-editor.org/info/rfc6991>. 4218 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 4219 RFC 7950, DOI 10.17487/RFC7950, August 2016, 4220 <https://www.rfc-editor.org/info/rfc7950>. 4222 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF 4223 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, 4224 <https://www.rfc-editor.org/info/rfc8040>.
4226 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 4227 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 4228 May 2017, <https://www.rfc-editor.org/info/rfc8174>. 4230 [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. 4231 Kumar, "Framework for Interface to Network Security 4232 Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, 4233 <https://www.rfc-editor.org/info/rfc8329>. 4235 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", 4236 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 4237 <https://www.rfc-editor.org/info/rfc8340>. 4239 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration 4240 Access Control Model", STD 91, RFC 8341, 4241 DOI 10.17487/RFC8341, March 2018, 4242 <https://www.rfc-editor.org/info/rfc8341>. 4244 [RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, 4245 S., and N. Bahadur, "A YANG Data Model for the Routing 4246 Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431, 4247 September 2018, <https://www.rfc-editor.org/info/rfc8431>. 4249 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 4250 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 4251 <https://www.rfc-editor.org/info/rfc8446>. 4253 8.2. Informative References 4255 [i2nsf-advanced-nsf-dm] 4256 Pan, W. and L. Xia, "Configuration of Advanced Security 4257 Functions with I2NSF Security Controller", draft-dong- 4258 i2nsf-asf-config-01 (work in progress), October 2018. 4260 [i2nsf-nsf-cap-dm] 4261 Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin, 4262 "I2NSF Capability YANG Data Model", draft-ietf-i2nsf- 4263 capability-data-model-03 (work in progress), March 2019. 4265 [i2nsf-nsf-cap-im] 4266 Xia, L., Strassner, J., Basile, C., and D. Lopez, 4267 "Information Model of NSFs Capabilities", draft-ietf- 4268 i2nsf-capability-04 (work in progress), October 2018. 4270 [supa-policy-info-model] 4271 Strassner, J., Halpern, J., and S. Meer, "Generic Policy 4272 Information Model for Simplified Use of Policy 4273 Abstractions (SUPA)", draft-ietf-supa-generic-policy-info- 4274 model-03 (work in progress), May 2017. 4276 Appendix A.
Configuration Examples 4278 This section shows configuration examples of the "ietf-i2nsf-policy-rule- 4279 for-nsf" module for security policy rules of network security 4280 devices. For the security requirements, we assume that the NSFs (i.e., 4281 General firewall, Time based firewall, URL filter, VoIP/VoLTE filter, 4282 and http and https flood mitigation) described in Appendix A. 4283 Configuration Examples of [i2nsf-nsf-cap-dm] are registered in the I2NSF 4284 framework. With the registered NSFs, we show configuration examples 4285 for security policy rules of network security functions according to 4286 the following three security requirements: (i) Block SNS access 4287 during business hours, (ii) Block malicious VoIP/VoLTE packets coming 4288 to the company, and (iii) Mitigate http and https flood attacks on a 4289 company web server. 4291 A.1. Security Requirement 1: Block SNS Access during Business Hours 4293 This section shows a configuration example for blocking SNS access 4294 during business hours. 4296 4298 4299 sns_access 4300 4301 block_sns_access_during_operation_time 4302 4303 4304 09:00:00Z 4305 18:00:00Z 4306 4307 4308 4309 4310 4311 4312 221.159.112.1 4313 221.159.112.90 4314 4315 4316 4317 4318 4319 4320 url-filtering 4321 4322 4323 4324 4325 4327 Figure 6: Configuration XML for Time based Firewall to Block SNS 4328 Access during Business Hours 4330 4332 4333 sns_access 4334 4335 block_sns_access_during_operation_time 4336 4337 4338 facebook 4339 instagram 4340 4341 4342 4343 4344 drop 4345 4346 4347 4348 4349 4351 Figure 7: Configuration XML for Web Filter to Block SNS Access during 4352 Business Hours 4354 Figure 6 and Figure 7 show the configuration XML documents for the time 4355 based firewall and the web filter to block SNS access during business 4356 hours. For this security requirement, two NSFs (i.e., a time based 4357 firewall and a web filter) were used because one NSF cannot meet the 4358 security requirement.
The instances of XML documents for the time 4359 based firewall and the web filter are as follows. Note that a 4360 detailed data model for the configuration of the advanced network 4361 security function (i.e., web filter) is described in 4362 [i2nsf-advanced-nsf-dm]. 4364 Time based Firewall 4366 1. The name of the system policy is sns_access. 4368 2. The name of the rule is block_sns_access_during_operation_time. 4370 3. The rule is operated during business hours (i.e., from 9 a.m. 4371 to 6 p.m.). 4373 4. The rule inspects the source IPv4 address (i.e., from 221.159.112.1 4374 to 221.159.112.90) to inspect the outgoing packets of employees. 4376 5. If the outgoing packets match the rule above, the time based 4377 firewall sends the packets to url filtering for additional 4378 inspection because the time based firewall cannot inspect the 4379 contents of the packets for the SNS URL. 4381 Web Filter 4383 1. The name of the system policy is sns_access. 4385 2. The name of the rule is block_sns_access_during_operation_time. 4387 3. The rule inspects the URL to block the access packets to 4388 Facebook or Instagram. 4390 4. If the outgoing packets match the rule above, the packets are 4391 blocked. 4393 A.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming 4394 to the Company 4396 This section shows a configuration example for blocking malicious 4397 VoIP/VoLTE packets coming to the company.
4399 4401 4402 voip_volte_inspection 4403 4404 block_malicious_voice_id 4405 4406 4407 4408 4409 221.159.112.1 4410 221.159.112.90 4411 4412 4413 4414 4415 4416 5060 4417 5061 4418 4419 4420 4421 4422 4423 voip-volte 4424 4425 4426 4427 4428 4430 Figure 8: Configuration XML for General Firewall to Block Malicious 4431 VoIP/VoLTE Packets Coming to the Company 4433 4435 4436 voip_volte_inspection 4437 4438 block_malicious_voice_id 4439 4440 4441 11111@voip.black.com 4442 22222@voip.black.com 4443 4444 4445 4446 4447 drop 4448 4449 4450 4451 4452 4454 Figure 9: Configuration XML for VoIP/VoLTE Filter to Block Malicious 4455 VoIP/VoLTE Packets Coming to the Company 4457 Figure 8 and Figure 9 show the configuration XML documents for the 4458 general firewall and the VoIP/VoLTE filter to block malicious VoIP/VoLTE 4459 packets coming to the company. For this security requirement, two 4460 NSFs (i.e., a general firewall and a VoIP/VoLTE filter) were used 4461 because one NSF cannot meet the security requirement. The instances 4462 of XML documents for the general firewall and the VoIP/VoLTE filter 4463 are as follows. Note that a detailed data model for the configuration 4464 of the advanced network security function (i.e., VoIP/VoLTE filter) 4465 is described in [i2nsf-advanced-nsf-dm]. 4467 General Firewall 4469 1. The name of the system policy is voip_volte_inspection. 4471 2. The name of the rule is block_malicious_voice_id. 4473 3. The rule inspects the destination IPv4 address (i.e., from 4474 221.159.112.1 to 221.159.112.90) to inspect the packets coming 4475 into the company. 4477 4. The rule inspects the destination port number (i.e., 5060 and 5061) to inspect 4478 VoIP/VoLTE packets. 4480 5. If the incoming packets match the rule above, the general 4481 firewall sends the packets to the VoIP/VoLTE filter for additional 4482 inspection because the general firewall cannot inspect the contents 4483 of the VoIP/VoLTE packets. 4485 VoIP/VoLTE Filter 4487 1.
The name of the system policy is voip_volte_inspection. 4489 2. The name of the rule is block_malicious_voice_id. 4491 3. The rule inspects the voice id of the VoIP/VoLTE packets to block 4492 the malicious VoIP/VoLTE packets (i.e., 11111@voip.black.com and 4493 22222@voip.black.com). 4495 4. If the incoming packets match the rule above, the packets are 4496 blocked. 4498 A.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a 4499 Company Web Server 4501 This section shows a configuration example for mitigating http and 4502 https flood attacks on a company web server. 4504 4506 4507 flood_attack_mitigation 4508 4509 mitigate_http_and_https_flood_attack 4510 4511 4512 4513 4514 221.159.112.95 4515 4516 4517 4518 4519 4520 80 4521 443 4522 4523 4524 4525 4526 4527 http-and-https-flood 4528 4529 4530 4531 4532 4533 4535 Figure 10: Configuration XML for General Firewall to Mitigate HTTP 4536 and HTTPS Flood Attacks on a Company Web Server 4538 4540 4541 flood_attack_mitigation 4542 4543 mitigate_http_and_https_flood_attack 4544 4545 4546 100 4547 4548 4549 4550 4551 drop 4552 4553 4554 4555 4556 4558 Figure 11: Configuration XML for HTTP and HTTPS Flood Attack 4559 Mitigation to Mitigate HTTP and HTTPS Flood Attacks on a Company Web 4560 Server 4562 Figure 10 and Figure 11 show the configuration XML documents for the 4563 general firewall and the http and https flood attack mitigation to 4564 mitigate http and https flood attacks on a company web server. For 4565 this security requirement, two NSFs (i.e., a general firewall and an 4566 http and https flood attack mitigation) were used because one NSF 4567 cannot meet the security requirement. The instances of XML documents 4568 for the general firewall and the http and https flood attack mitigation 4569 are as follows. Note that a detailed data model for the configuration 4570 of the advanced network security function (i.e., http and https flood 4571 attack mitigation) is described in [i2nsf-advanced-nsf-dm].
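The three scenarios of this appendix rely on the same small set of semantics from the module: a condition matches when the packet value is in an exact-match leaf-list or inside an inclusive range-match entry, a general firewall whose rule matches hands the packet to an advanced-action profile, and the flood mitigation profile drops once pkt-sec-alert-rate is exceeded. The following Python program is an added example written for this page; it is not code from the draft or from the I2NSF project. The Packet and Rule structures, the one-second per-source window used for the alert rate, the convention that a condition with no entries places no constraint, the range bound checks, and the client addresses 198.51.100.7 and 203.0.113.9 are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def validate_ranges(ranges, width_bits):
    """Return a list of problems for range-match entries that the YANG model
    accepts but an NSF cannot honour: start > end, or an end bound wider than
    the header field (udp-total-length is typed uint32 although the UDP Length
    field is 16 bits). The model has no 'must' statement for either check;
    this is an added load-time check, not part of the draft."""
    limit = (1 << width_bits) - 1
    problems = []
    for start, end in ranges:
        if start > end:
            problems.append(f"start {start} > end {end}")
        if end > limit:
            problems.append(f"end {end} exceeds {width_bits}-bit field")
    return problems


def match_value(value, exact=(), ranges=()):
    """match-type semantics: a value matches if it is listed in the
    exact-match leaf-list or lies in any inclusive range-match entry.
    Assumption for this example: a condition with no entries is unconstrained."""
    if not exact and not ranges:
        return True
    return value in exact or any(lo <= value <= hi for lo, hi in ranges)


def ip_range(start, end):
    """start/end IPv4 addresses of a range match, as integers for comparison."""
    return (int(IPv4Address(start)), int(IPv4Address(end)))


@dataclass
class Packet:  # constructed input for the example, not a real capture
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    """A flattened ECA rule (assumed layout): condition clause with source and
    destination IPv4 ranges plus exact destination ports, and an action clause
    that is either an ingress-action or the advanced-action profile name."""
    name: str
    src_ranges: list = field(default_factory=list)
    dst_ranges: list = field(default_factory=list)
    dports: set = field(default_factory=set)
    ingress_action: str = "pass"
    advanced: str = ""


def evaluate(rule, pkt):
    """Return None when the condition clause is not satisfied; otherwise the
    advanced-action profile if one is set, else the ingress-action."""
    src, dst = int(IPv4Address(pkt.src)), int(IPv4Address(pkt.dst))
    if not (match_value(src, ranges=rule.src_ranges)
            and match_value(dst, ranges=rule.dst_ranges)
            and match_value(pkt.dport, exact=rule.dports)):
        return None
    return rule.advanced or rule.ingress_action


class FloodMitigation:
    """Stand-in for the http-and-https-flood profile: counts packets per
    (source, one-second window) and drops once pkt-sec-alert-rate is
    exceeded. The window and the per-source keying are assumptions."""

    def __init__(self, alert_rate):
        self.alert_rate = alert_rate
        self.counts = Counter()

    def handle(self, pkt, ts):
        key = (pkt.src, int(ts))
        self.counts[key] += 1
        return "drop" if self.counts[key] > self.alert_rate else "pass"


def run_a3(n_packets, seconds=1.0):
    """Appendix A.3: the general firewall hands packets for 221.159.112.95
    port 80/443 to flood mitigation, which drops beyond 100 per second.
    Sends n_packets from one source spread over `seconds`; returns the drop count."""
    fw_rule = Rule(name="mitigate_http_and_https_flood_attack",
                   dst_ranges=[ip_range("221.159.112.95", "221.159.112.95")],
                   dports={80, 443}, advanced="http-and-https-flood")
    problems = validate_ranges(fw_rule.dst_ranges, 32)
    if problems:
        raise ValueError(problems)
    mitigator = FloodMitigation(alert_rate=100)
    dropped = 0
    for i in range(n_packets):
        pkt = Packet(src="198.51.100.7", dst="221.159.112.95", dport=443)
        if evaluate(fw_rule, pkt) == "http-and-https-flood":
            if mitigator.handle(pkt, ts=i * seconds / n_packets) == "drop":
                dropped += 1
    return dropped


if __name__ == "__main__":
    print("A.3: packets dropped out of 250 in one second:", run_a3(250))
```

The same evaluate() reproduces A.2 when given the 221.159.112.1 to 221.159.112.90 destination range, ports 5060 and 5061 and the voip-volte profile; a packet to 221.159.112.91, or to port 80, yields None, which is the point of checking range bounds before loading a rule: a range whose start exceeds its end is accepted by the schema but can never match anything.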
4573 General Firewall 4575 1. The name of the system policy is flood_attack_mitigation. 4577 2. The name of the rule is mitigate_http_and_https_flood_attack. 4579 3. The rule inspects the destination IPv4 address (i.e., 4580 221.159.112.95) to inspect the access packets coming into the 4581 company web server. 4583 4. The rule inspects the destination port number (i.e., 80 and 443) to inspect 4584 http and https packets. 4586 5. If the packets match the rule above, the general firewall sends 4587 the packets to the http and https flood attack mitigation for 4588 additional inspection because the general firewall cannot control 4589 the amount of http and https packets. 4591 HTTP and HTTPS Flood Attack Mitigation 4593 1. The name of the system policy is 4594 flood_attack_mitigation. 4596 2. The name of the rule is mitigate_http_and_https_flood_attack. 4598 3. The rule sets an alert rate of 100 so that the http and https packets are 4599 controlled according to the amount of incoming packets. 4601 4. If the incoming packets match the rule above, the packets are 4602 blocked. 4604 Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-03 4606 The following changes are made from draft-ietf-i2nsf-nsf-facing- 4607 interface-dm-03: 4609 o We added fields for a rule (e.g., rule session aging time, rule 4610 long connection, and rule group). 4612 o We added fields for a condition (e.g., payload, acl number, 4613 application, target, users, url category, context, and generic 4614 context). 4616 Appendix C. Acknowledgments 4618 This work was supported by an Institute for Information & communications 4619 Technology Promotion (IITP) grant funded by the Korea government 4620 (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence 4621 Technology Development for the Customized Security Service 4622 Provisioning). 4624 Appendix D. Contributors 4626 This document is the result of the group effort of the I2NSF working group. 4627 Many people actively contributed to this document.
The following are 4628 considered co-authors: 4630 o Hyoungshick Kim (Sungkyunkwan University) 4632 o Daeyoung Hyun (Sungkyunkwan University) 4633 o Dongjin Hong (Sungkyunkwan University) 4635 o Liang Xia (Huawei) 4637 o Tae-Jin Ahn (Korea Telecom) 4639 o Se-Hui Lee (Korea Telecom) 4641 Authors' Addresses 4643 Jinyong Tim Kim 4644 Department of Computer Engineering 4645 Sungkyunkwan University 4646 2066 Seobu-Ro, Jangan-Gu 4647 Suwon, Gyeonggi-Do 16419 4648 Republic of Korea 4650 Phone: +82 10 8273 0930 4651 EMail: timkim@skku.edu 4653 Jaehoon Paul Jeong 4654 Department of Software 4655 Sungkyunkwan University 4656 2066 Seobu-Ro, Jangan-Gu 4657 Suwon, Gyeonggi-Do 16419 4658 Republic of Korea 4660 Phone: +82 31 299 4957 4661 Fax: +82 31 290 7996 4662 EMail: pauljeong@skku.edu 4663 URI: http://iotlab.skku.edu/people-jaehoon-jeong.php 4665 Jung-Soo Park 4666 Electronics and Telecommunications Research Institute 4667 218 Gajeong-Ro, Yuseong-Gu 4668 Daejeon 34129 4669 Republic of Korea 4671 Phone: +82 42 860 6514 4672 EMail: pjs@etri.re.kr 4673 Susan Hares 4674 Huawei 4675 7453 Hickory Hill 4676 Saline, MI 48176 4677 USA 4679 Phone: +1-734-604-0332 4680 EMail: shares@ndzh.com 4682 Qiushi Lin 4683 Huawei 4684 Huawei Industrial Base 4685 Shenzhen, Guangdong 518129 4686 China 4688 EMail: linqiushi@huawei.com