idnits 2.17.1

draft-ietf-i2nsf-nsf-facing-interface-dm-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 4 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 316 has weird spacing: '...-length  uin...'

  == Line 326 has weird spacing: '...-length  uin...'

  == Line 337 has weird spacing: '...-offset  uin...'

  == Line 346 has weird spacing: '...pv4-ttl  uin...'

  == Line 362 has weird spacing: '...address  inet:...'

  == (21 more instances...)

  == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119
     boilerplate text.

  -- The document date (March 28, 2019) is 1846 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC3688' is mentioned on line 4226, but not defined

  == Unused Reference: 'RFC6991' is defined on line 4284, but no explicit
     reference was found in the text

  ** Downref: Normative reference to an Informational RFC: RFC 8329

     Summary: 1 error (**), 0 flaws (~~), 11 warnings (==), 1 comment (--).
     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

I2NSF Working Group                                               J. Kim
Internet-Draft                                                  J. Jeong
Intended status: Standards Track                 Sungkyunkwan University
Expires: September 29, 2019                                      J. Park
                                                                    ETRI
                                                                S. Hares
                                                                  Q. Lin
                                                                  Huawei
                                                          March 28, 2019


    I2NSF Network Security Function-Facing Interface YANG Data Model
              draft-ietf-i2nsf-nsf-facing-interface-dm-05

Abstract

   This document defines a YANG data model for configuring security
   policy rules on network security functions.  The YANG data model in
   this document corresponds to the information model for the Network
   Security Functions (NSF)-Facing Interface in Interface to Network
   Security Functions (I2NSF).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 29, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  YANG Tree Diagram
     4.1.  General I2NSF Security Policy Rule
     4.2.  Event Clause
     4.3.  Condition Clause
     4.4.  Action Clause
     4.5.  I2NSF Internet Key Exchange
   5.  YANG Data Module
     5.1.  I2NSF NSF-Facing Interface YANG Data Module
   6.  IANA Considerations
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Configuration Examples
     A.1.  Security Requirement 1: Block SNS Access during Business
           Hours
     A.2.  Security Requirement 2: Block Malicious VoIP/VoLTE Packets
           Coming to the Company
     A.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood
           Attacks on a Company Web Server
   Appendix B.  Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-04
   Appendix C.  Acknowledgments
   Appendix D.  Contributors
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020][RFC7950] data model for
   security policy rule configuration of network security devices.  The
   YANG data model corresponds to the information model
   [i2nsf-nsf-cap-im] for the Network Security Functions (NSF)-Facing
   Interface in Interface to Network Security Functions (I2NSF).  The
   YANG data model in this document focuses on security policy
   configuration for generic network security functions.  Security
   policy configuration for advanced network security functions is
   described in [i2nsf-advanced-nsf-dm].

   This YANG data model uses an "Event-Condition-Action" (ECA) policy
   model, which is the basis for the design of the I2NSF Policy Rules
   described in [RFC8329] and [i2nsf-nsf-cap-im].

   The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this
   document provides the following features:

   o  Configuration of the general security policy rule of a generic
      network security function.

   o  Configuration of an event clause of a generic network security
      function.

   o  Configuration of a condition clause of a generic network security
      function.

   o  Configuration of an action clause of a generic network security
      function.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119][RFC8174].

3.  Terminology

   This document uses the terminology described in
   [i2nsf-nsf-cap-im][RFC8431][supa-policy-info-model].
   In particular, the following terms are taken from
   [supa-policy-info-model]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams
   [RFC8340] is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  YANG Tree Diagram

   This section shows a YANG tree diagram of generic network security
   functions.  Note that a detailed data model for the configuration of
   the advanced network security functions is described in
   [i2nsf-advanced-nsf-dm].  The section describes the following
   subjects:

   o  General I2NSF security policy rule of a generic network security
      function.

   o  An event clause of a generic network security function.

   o  A condition clause of a generic network security function.

   o  An action clause of a generic network security function.

4.1.  General I2NSF Security Policy Rule

   This section shows the YANG tree diagram for a general I2NSF security
   policy rule.
   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  +--rw system-policy* [system-policy-name]
     |     +--rw system-policy-name      string
     |     +--rw priority-usage?         identityref
     |     +--rw resolution-strategy?    identityref
     |     +--rw default-action?         identityref
     |     +--rw rules* [rule-name]
     |     |  +--rw rule-name                  string
     |     |  +--rw rule-description?          string
     |     |  +--rw rule-priority?             uint8
     |     |  +--rw rule-enable?               boolean
     |     |  +--rw rule-session-aging-time?   uint16
     |     |  +--rw rule-long-connection
     |     |  |  +--rw enable?   boolean
     |     |  |  +--rw during?   uint16
     |     |  +--rw time-zone
     |     |  |  +--rw absolute-time-zone
     |     |  |  |  +--rw start-time?   start-time-type
     |     |  |  |  +--rw end-time?     end-time-type
     |     |  |  +--rw periodic-time-zone
     |     |  |     +--rw day
     |     |  |     |  +--rw every-day?      boolean
     |     |  |     |  +--rw specific-day*   day-type
     |     |  |     +--rw month
     |     |  |        +--rw every-month?      boolean
     |     |  |        +--rw specific-month*   month-type
     |     |  +--rw event-clause-container
     |     |  |  ...
     |     |  +--rw condition-clause-container
     |     |  |  ...
     |     |  +--rw action-clause-container
     |     |     ...
     |     +--rw rule-group
     |        +--rw groups* [group-name]
     |           +--rw group-name     string
     |           +--rw rule-range
     |           |  +--rw start-rule?   string
     |           |  +--rw end-rule?     string
     |           +--rw enable?        boolean
     |           +--rw description?   string
     +--rw i2nsf-ipsec
        ...

           Figure 1: YANG Tree Diagram for Network Security Policy

   This YANG tree diagram shows the general I2NSF security policy rule
   for generic network security functions.

   The system policy is a list: one NSF can hold multiple system
   policies, and each system policy is used by one virtual instance of
   the NSF/device.  A system policy includes a system policy name,
   priority usage, resolution strategy, default action, and rules.
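   The following Python script is an added illustration, not code from
   this draft or from any I2NSF implementation, of how the system-policy
   fields in Figure 1 (resolution strategy, default action, rule-priority
   and rule-enable) combine when several rules match the same packet.
   The rule set and packets are constructed, and two readings are this
   example's assumptions rather than the draft's statements: a larger
   rule-priority wins, and a tie on rule-priority between matched rules
   is a configuration error under PMRE but is broken by rule order under
   PMRN.  The precise semantics are deferred by the draft to
   [i2nsf-nsf-cap-im].

```python
"""Conflict resolution between matched I2NSF policy rules (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Packet = Dict[str, object]


@dataclass
class Rule:
    """One entry of the rules* list, reduced to the fields used here."""
    name: str
    priority: int                 # rule-priority; assumption: larger wins
    action: str                   # e.g. "pass", "drop", "alert"
    match: Callable[[Packet], bool]
    enable: bool = True           # rule-enable


@dataclass
class SystemPolicy:
    name: str
    resolution_strategy: str      # "fmr", "lmr", "pmre" or "pmrn"
    default_action: str           # executed when no rule matches
    rules: List[Rule] = field(default_factory=list)


class PolicyConflict(Exception):
    """PMRE: two matched rules share the highest rule-priority."""


def resolve(policy: SystemPolicy, pkt: Packet) -> str:
    """Return the single action the NSF executes for pkt."""
    matched = [r for r in policy.rules if r.enable and r.match(pkt)]
    if not matched:
        return policy.default_action
    strategy = policy.resolution_strategy
    if strategy == "fmr":                      # First Matching Rule
        return matched[0].action
    if strategy == "lmr":                      # Last Matching Rule
        return matched[-1].action
    if strategy in ("pmre", "pmrn"):           # Prioritized Matching Rule
        top = max(r.priority for r in matched)
        winners = [r for r in matched if r.priority == top]
        if len(winners) > 1 and strategy == "pmre":
            raise PolicyConflict(
                f"rules {[r.name for r in winners]} tie at priority {top}")
        return winners[0].action               # PMRN: tie broken by rule order
    raise ValueError(f"unknown resolution strategy {strategy!r}")


# Constructed sample data: 10.9.0.0/16 stands for a guest network.
GUEST_NET = ipaddress.ip_network("10.9.0.0/16")


def sample_rules(tie: bool = False) -> List[Rule]:
    """Overlapping rules; with tie=True the first two share a priority."""
    return [
        Rule("allow-web", 20 if tie else 10, "pass",
             lambda p: p["dport"] in (80, 443)),
        Rule("block-guest-net", 20, "drop",
             lambda p: ipaddress.ip_address(p["src"]) in GUEST_NET),
        Rule("audit-ssh", 5, "alert", lambda p: p["dport"] == 22),
        # rule-enable false: never considered, whatever its priority
        Rule("legacy-allow-all", 30, "pass", lambda p: True, enable=False),
    ]


def outcome_by_strategy(pkt: Packet, tie: bool = False) -> Dict[str, str]:
    """Evaluate pkt under each strategy; 'error' marks a PMRE conflict."""
    results = {}
    for strategy in ("fmr", "lmr", "pmre", "pmrn"):
        policy = SystemPolicy("demo", strategy, "reject", sample_rules(tie))
        try:
            results[strategy] = resolve(policy, pkt)
        except PolicyConflict:
            results[strategy] = "error"
    return results


if __name__ == "__main__":
    web_from_guest = {"src": "10.9.1.7", "dport": 443}
    print(outcome_by_strategy(web_from_guest))
    print(outcome_by_strategy(web_from_guest, tie=True))
    print(outcome_by_strategy({"src": "192.0.2.10", "dport": 8080}))
```

   The same packet yields three different actions depending only on the
   resolution strategy, which is why a Security Controller pushing
   rules over this interface has to set resolution-strategy explicitly
   instead of relying on the NSF's own default.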
   A resolution strategy is used to decide how to resolve conflicts that
   occur between the actions of the same or different policy rules that
   are matched and contained in this particular NSF.  The resolution
   strategy is defined as First Matching Rule (FMR), Last Matching Rule
   (LMR), Prioritized Matching Rule with Errors (PMRE), and Prioritized
   Matching Rule with No Errors (PMRN).  The resolution strategy can be
   extended according to specific vendor action features.  The
   resolution strategy is described in detail in [i2nsf-nsf-cap-im].

   A default action is the action the NSF executes for an I2NSF policy
   when no rule matches a packet.  The default action is defined as
   pass, drop, reject, alert, and mirror.  The default action can be
   extended according to specific vendor action features.  The default
   action is described in detail in [i2nsf-nsf-cap-im].

   The rules include a rule name, rule description, rule priority, rule
   enable, time zone, event clause container, condition clause
   container, and action clause container.

4.2.  Event Clause

   This section shows the YANG tree diagram for an event clause of an
   I2NSF security policy rule.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  +--rw system-policy* [system-policy-name]
     |     ...
     |     +--rw rules* [rule-name]
     |     |  ...
     |     |  +--rw event-clause-container
     |     |  |  +--rw event-clause-description?   string
     |     |  |  +--rw event-clauses
     |     |  |     +--rw system-event*   identityref
     |     |  |     +--rw system-alarm*   identityref
     |     |  +--rw condition-clause-container
     |     |  |  ...
     |     |  +--rw action-clause-container
     |     |     ...
     |     +--rw rule-group
     |        ...
     +--rw i2nsf-ipsec
        ...

              Figure 2: YANG Tree Diagram for an Event Clause

   This YANG tree diagram shows an event clause of an I2NSF security
   policy rule for generic network security functions.
   An event clause is any important occurrence in time of a change in
   the system being managed, and/or in the environment of the system
   being managed.  An event clause is used to trigger the evaluation of
   the condition clause of the I2NSF Policy Rule.  The event clause is
   defined as system event and system alarm.  The event clause can be
   extended according to specific vendor event features.  The event
   clause is described in detail in [i2nsf-nsf-cap-im].

4.3.  Condition Clause

   This section shows the YANG tree diagram for a condition clause of an
   I2NSF security policy rule.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  ...
     |  +--rw rules* [rule-name]
     |  |  ...
     |  |  +--rw event-clause-container
     |  |  |  ...
     |  |  +--rw condition-clause-container
     |  |  |  +--rw condition-clause-description?   string
     |  |  |  +--rw packet-security-ipv4-condition
     |  |  |  |  +--rw ipv4-description?   string
     |  |  |  |  +--rw pkt-sec-ipv4-header-length
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw ipv4-header-length*   uint8
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-ipv4-header-length*
     |  |  |  |  |                [start-ipv4-header-length end-ipv4-header-length]
     |  |  |  |  |           +--rw start-ipv4-header-length   uint8
     |  |  |  |  |           +--rw end-ipv4-header-length     uint8
     |  |  |  |  +--rw pkt-sec-ipv4-tos*   identityref
     |  |  |  |  +--rw pkt-sec-ipv4-total-length
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw ipv4-total-length*   uint16
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-ipv4-total-length*
     |  |  |  |  |                [start-ipv4-total-length end-ipv4-total-length]
     |  |  |  |  |           +--rw start-ipv4-total-length   uint16
     |  |  |  |  |           +--rw end-ipv4-total-length     uint16
     |  |  |  |  +--rw pkt-sec-ipv4-id*               uint16
     |  |  |  |  +--rw pkt-sec-ipv4-fragment-flags*   identityref
     |  |  |  |  +--rw pkt-sec-ipv4-fragment-offset
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw ipv4-fragment-offset*   uint16
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-ipv4-fragment-offset*
     |  |  |  |  |                [start-ipv4-fragment-offset end-ipv4-fragment-offset]
     |  |  |  |  |           +--rw start-ipv4-fragment-offset   uint16
     |  |  |  |  |           +--rw end-ipv4-fragment-offset     uint16
     |  |  |  |  +--rw pkt-sec-ipv4-ttl
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw ipv4-ttl*   uint8
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-ipv4-ttl* [start-ipv4-ttl end-ipv4-ttl]
     |  |  |  |  |           +--rw start-ipv4-ttl   uint8
     |  |  |  |  |           +--rw end-ipv4-ttl     uint8
     |  |  |  |  +--rw pkt-sec-ipv4-protocol*   identityref
     |  |  |  |  +--rw pkt-sec-ipv4-src
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw ipv4-address* [ipv4]
     |  |  |  |  |     |     +--rw ipv4             inet:ipv4-address
     |  |  |  |  |     |     +--rw (subnet)?
     |  |  |  |  |     |        +--:(prefix-length)
     |  |  |  |  |     |        |  +--rw prefix-length?   uint8
     |  |  |  |  |     |        +--:(netmask)
     |  |  |  |  |     |           +--rw netmask?         yang:dotted-quad
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-ipv4-address*
     |  |  |  |  |                [start-ipv4-address end-ipv4-address]
     |  |  |  |  |           +--rw start-ipv4-address   inet:ipv4-address
     |  |  |  |  |           +--rw end-ipv4-address     inet:ipv4-address
     |  |  |  |  +--rw pkt-sec-ipv4-dest
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw ipv4-address* [ipv4]
     |  |  |  |  |     |     +--rw ipv4             inet:ipv4-address
     |  |  |  |  |     |     +--rw (subnet)?
     |  |  |  |  |     |        +--:(prefix-length)
     |  |  |  |  |     |        |  +--rw prefix-length?   uint8
     |  |  |  |  |     |        +--:(netmask)
     |  |  |  |  |     |           +--rw netmask?         yang:dotted-quad
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-ipv4-address*
     |  |  |  |  |                [start-ipv4-address end-ipv4-address]
     |  |  |  |  |           +--rw start-ipv4-address   inet:ipv4-address
     |  |  |  |  |           +--rw end-ipv4-address     inet:ipv4-address
     |  |  |  |  +--rw pkt-sec-ipv4-ipopts*   identityref
     |  |  |  |  +--rw pkt-sec-ipv4-sameip?   boolean
     |  |  |  |  +--rw pkt-sec-ipv4-geoip*    string
     |  |  |  +--rw packet-security-ipv6-condition
     |  |  |  |  +--rw ipv6-description?             string
     |  |  |  |  +--rw pkt-sec-ipv6-traffic-class*   identityref
     |  |  |  |  +--rw pkt-sec-ipv6-flow-label
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw ipv6-flow-label*   uint32
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-ipv6-flow-label*
     |  |  |  |  |                [start-ipv6-flow-label end-ipv6-flow-label]
     |  |  |  |  |           +--rw start-ipv6-flow-label   uint32
     |  |  |  |  |           +--rw end-ipv6-flow-label     uint32
     |  |  |  |  +--rw pkt-sec-ipv6-payload-length
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw ipv6-payload-length*   uint16
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-ipv6-payload-length*
     |  |  |  |  |                [start-ipv6-payload-length end-ipv6-payload-length]
     |  |  |  |  |           +--rw start-ipv6-payload-length   uint16
     |  |  |  |  |           +--rw end-ipv6-payload-length     uint16
     |  |  |  |  +--rw pkt-sec-ipv6-next-header*   identityref
     |  |  |  |  +--rw pkt-sec-ipv6-hop-limit
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw ipv6-hop-limit*   uint8
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-ipv6-hop-limit*
     |  |  |  |  |                [start-ipv6-hop-limit end-ipv6-hop-limit]
     |  |  |  |  |           +--rw start-ipv6-hop-limit   uint8
     |  |  |  |  |           +--rw end-ipv6-hop-limit     uint8
     |  |  |  |  +--rw pkt-sec-ipv6-src
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw ipv6-address* [ipv6]
     |  |  |  |  |     |     +--rw ipv6             inet:ipv6-address
     |  |  |  |  |     |     +--rw prefix-length?   uint8
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-ipv6-address*
     |  |  |  |  |                [start-ipv6-address end-ipv6-address]
     |  |  |  |  |           +--rw start-ipv6-address   inet:ipv6-address
     |  |  |  |  |           +--rw end-ipv6-address     inet:ipv6-address
     |  |  |  |  +--rw pkt-sec-ipv6-dest
     |  |  |  |     +--rw (match-type)?
     |  |  |  |        +--:(exact-match)
     |  |  |  |        |  +--rw ipv6-address* [ipv6]
     |  |  |  |        |     +--rw ipv6             inet:ipv6-address
     |  |  |  |        |     +--rw prefix-length?   uint8
     |  |  |  |        +--:(range-match)
     |  |  |  |           +--rw range-ipv6-address*
     |  |  |  |                   [start-ipv6-address end-ipv6-address]
     |  |  |  |              +--rw start-ipv6-address   inet:ipv6-address
     |  |  |  |              +--rw end-ipv6-address     inet:ipv6-address
     |  |  |  +--rw packet-security-tcp-condition
     |  |  |  |  +--rw tcp-description?   string
     |  |  |  |  +--rw pkt-sec-tcp-src-port-num
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw port-num*   inet:port-number
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
     |  |  |  |  |           +--rw start-port-num   inet:port-number
     |  |  |  |  |           +--rw end-port-num     inet:port-number
     |  |  |  |  +--rw pkt-sec-tcp-dest-port-num
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw port-num*   inet:port-number
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
     |  |  |  |  |           +--rw start-port-num   inet:port-number
     |  |  |  |  |           +--rw end-port-num     inet:port-number
     |  |  |  |  +--rw pkt-sec-tcp-seq-num
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw tcp-seq-num*   uint32
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-tcp-seq-num*
     |  |  |  |  |                [start-tcp-seq-num end-tcp-seq-num]
     |  |  |  |  |           +--rw start-tcp-seq-num   uint32
     |  |  |  |  |           +--rw end-tcp-seq-num     uint32
     |  |  |  |  +--rw pkt-sec-tcp-ack-num
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw tcp-ack-num*   uint32
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-tcp-ack-num*
     |  |  |  |  |                [start-tcp-ack-num end-tcp-ack-num]
     |  |  |  |  |           +--rw start-tcp-ack-num   uint32
     |  |  |  |  |           +--rw end-tcp-ack-num     uint32
     |  |  |  |  +--rw pkt-sec-tcp-window-size
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw tcp-window-size*   uint16
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-tcp-window-size*
     |  |  |  |  |                [start-tcp-window-size end-tcp-window-size]
     |  |  |  |  |           +--rw start-tcp-window-size   uint16
     |  |  |  |  |           +--rw end-tcp-window-size     uint16
     |  |  |  |  +--rw pkt-sec-tcp-flags*   identityref
     |  |  |  +--rw packet-security-udp-condition
     |  |  |  |  +--rw udp-description?   string
     |  |  |  |  +--rw pkt-sec-udp-src-port-num
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw port-num*   inet:port-number
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
     |  |  |  |  |           +--rw start-port-num   inet:port-number
     |  |  |  |  |           +--rw end-port-num     inet:port-number
     |  |  |  |  +--rw pkt-sec-udp-dest-port-num
     |  |  |  |  |  +--rw (match-type)?
     |  |  |  |  |     +--:(exact-match)
     |  |  |  |  |     |  +--rw port-num*   inet:port-number
     |  |  |  |  |     +--:(range-match)
     |  |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
     |  |  |  |  |           +--rw start-port-num   inet:port-number
     |  |  |  |  |           +--rw end-port-num     inet:port-number
     |  |  |  |  +--rw pkt-sec-udp-total-length
     |  |  |  |     +--rw (match-type)?
     |  |  |  |        +--:(exact-match)
     |  |  |  |        |  +--rw udp-total-length*   uint32
     |  |  |  |        +--:(range-match)
     |  |  |  |           +--rw range-udp-total-length*
     |  |  |  |                   [start-udp-total-length end-udp-total-length]
     |  |  |  |              +--rw start-udp-total-length   uint32
     |  |  |  |              +--rw end-udp-total-length     uint32
     |  |  |  +--rw packet-security-icmp-condition
     |  |  |  |  +--rw icmp-description?             string
     |  |  |  |  +--rw pkt-sec-icmp-type-and-code*   identityref
     |  |  |  +--rw packet-security-url-category-condition
     |  |  |  |  +--rw url-category-description?   string
     |  |  |  |  +--rw pre-defined-category*       string
     |  |  |  |  +--rw user-defined-category*      string
     |  |  |  +--rw packet-security-voice-condition
     |  |  |  |  +--rw voice-description?       string
     |  |  |  |  +--rw pkt-sec-src-voice-id*    string
     |  |  |  |  +--rw pkt-sec-dest-voice-id*   string
     |  |  |  |  +--rw pkt-sec-user-agent*      string
     |  |  |  +--rw packet-security-ddos-condition
     |  |  |  |  +--rw ddos-description?     string
     |  |  |  |  +--rw pkt-sec-alert-rate?   uint32
     |  |  |  +--rw packet-security-payload-condition
     |  |  |  |  +--rw packet-payload-description?   string
     |  |  |  |  +--rw pkt-payload-content*          string
     |  |  |  +--rw context-condition
     |  |  |     +--rw context-description?   string
     |  |  |     +--rw acl-number*            uint32
     |  |  |     +--rw application-condition
     |  |  |     |  +--rw application-description?   string
     |  |  |     |  +--rw application-object*        string
     |  |  |     |  +--rw application-group*         string
     |  |  |     |  +--rw application-label*         string
     |  |  |     |  +--rw category
     |  |  |     |     +--rw application-category*
     |  |  |     |             [name application-subcategory]
     |  |  |     |        +--rw name                      string
     |  |  |     |        +--rw application-subcategory   string
     |  |  |     +--rw target-condition
     |  |  |     |  +--rw target-description?   string
     |  |  |     |  +--rw device-sec-context-cond
     |  |  |     |     +--rw target-device*   identityref
     |  |  |     +--rw users-condition
     |  |  |     |  +--rw users-description?   string
     |  |  |     |  +--rw user
     |  |  |     |  |  +--rw (user-name)?
     |  |  |     |  |     +--:(tenant)
     |  |  |     |  |     |  +--rw tenant   uint8
     |  |  |     |  |     +--:(vn-id)
     |  |  |     |  |        +--rw vn-id    uint8
     |  |  |     |  +--rw group
     |  |  |     |  |  +--rw (group-name)?
     |  |  |     |  |     +--:(tenant)
     |  |  |     |  |     |  +--rw tenant   uint8
     |  |  |     |  |     +--:(vn-id)
     |  |  |     |  |        +--rw vn-id    uint8
     |  |  |     |  +--rw security-grup        string
     |  |  |     +--rw gen-context-condition
     |  |  |        +--rw gen-context-description?   string
     |  |  |        +--rw geographic-location
     |  |  |           +--rw src-geographic-location*    uint32
     |  |  |           +--rw dest-geographic-location*   uint32
     |  |  +--rw action-clause-container
     |  |     ...
     |  +--rw rule-group
     |     ...
     +--rw i2nsf-ipsec
        ...

             Figure 3: YANG Tree Diagram for a Condition Clause

   This YANG tree diagram shows a condition clause of an I2NSF security
   policy rule for generic network security functions.  A condition
   clause is a set of attributes, features, and/or values that are
   compared with a set of known attributes, features, and/or values in
   order to determine whether or not the set of actions in that
   (imperative) I2NSF policy rule can be executed.  The condition clause
   is classified into conditions of generic network security functions,
   conditions of advanced network security functions, and context
   conditions.  The condition clause of generic network security
   functions is defined as the packet security IPv4 condition, packet
   security IPv6 condition, packet security TCP condition, packet
   security UDP condition, and packet security ICMP condition.  The
   condition clause of advanced network security functions is defined
   as the packet security URL category condition, packet security voice
   condition, packet security DDoS condition, and packet security
   payload condition.  The context condition is defined as the ACL
   number condition, application condition, target condition, users
   condition, and geography condition.  Note that this document deals
   only with simple conditions of advanced network security functions;
   the condition clauses of advanced network security functions are
   described in detail in [i2nsf-advanced-nsf-dm].
   The condition clause can be extended according to specific vendor
   condition features.  The condition clause is described in detail in
   [i2nsf-nsf-cap-im].

4.4.  Action Clause

   This section shows the YANG tree diagram for an action clause of an
   I2NSF security policy rule.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  ...
     |  +--rw rules* [rule-name]
     |  |  ...
     |  |  +--rw event-clause-container
     |  |  |  ...
     |  |  +--rw condition-clause-container
     |  |  |  ...
     |  |  +--rw action-clause-container
     |  |     +--rw action-clause-description?   string
     |  |     +--rw packet-action
     |  |     |  +--rw ingress-action?   identityref
     |  |     |  +--rw egress-action?    identityref
     |  |     |  +--rw log-action?       identityref
     |  |     +--rw advanced-action
     |  |        +--rw content-security-control*    identityref
     |  |        +--rw attack-mitigation-control*   identityref
     |  +--rw rule-group
     |     ...
     +--rw i2nsf-ipsec
        ...

              Figure 4: YANG Tree Diagram for an Action Clause

   This YANG tree diagram shows an action clause of an I2NSF security
   policy rule for generic network security functions.  An action is
   used to control and monitor aspects of flow-based NSFs when the event
   and condition clauses are satisfied.  NSFs provide security services
   by executing various actions.  The action clause is defined as
   ingress action, egress action, and log action for the packet action,
   and as advanced action for additional inspection.  The action clause
   can be extended according to specific vendor action features.  The
   action clause is described in detail in [i2nsf-nsf-cap-im].

4.5.  I2NSF Internet Key Exchange

   This section shows the YANG tree diagram for I2NSF IPsec.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  ...
     |  +--rw rules* [rule-name]
     |  |  ...
     |  |  +--rw event-clause-container
     |  |  |  ...
     |  |  +--rw condition-clause-container
     |  |  |  ...
     |  |  +--rw action-clause-container
     |  |     ...
     |  +--rw rule-group
     |     ...
     +--rw i2nsf-ipsec
        +--rw ike
        +--rw ikeless

          Figure 5: YANG Tree Diagram for I2NSF Internet Key Exchange

   This YANG tree diagram shows I2NSF IPsec for Internet key exchange.
   I2NSF IPsec defines the method required to manage IPsec parameters
   for creating IPsec Security Associations between two NSFs, either
   through the IKEv2 protocol or through the Security Controller
   [draft-ietf-i2nsf-sdn-ipsec-flow-protection].  I2NSF IPsec considers
   two cases: the IKE case (i.e., IPsec through IKE) and the IKEless
   case (i.e., IPsec not through IKE but through a Security
   Controller).  Refer to [draft-ietf-i2nsf-sdn-ipsec-flow-protection]
   for the detailed description of I2NSF IPsec.

5.  YANG Data Module

5.1.  I2NSF NSF-Facing Interface YANG Data Module

   This section introduces a YANG data module for the configuration of
   security policy rules on network security functions.
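   Before the module text, the following Python script is an added
   example (not code from the draft, and not the draft's Appendix A
   instances) of what a configuration instance of the module looks like
   on the wire and how an NSF would evaluate it.  The XML instance is
   constructed for this example and follows the node names of Figures 3
   and 4: an IPv4 destination given as a range-match, an IPv4 source
   given as an exact-match entry with a netmask, TCP destination ports
   as exact port-num entries, a UDP destination port as a range-port-num
   entry, and an ingress-action.  Two points the model itself does not
   state are assumed here: the sub-conditions inside one
   condition-clause-container are ANDed, and a range entry whose start
   exceeds its end is rejected as a configuration error, since the
   range-match lists carry no constraint enforcing that ordering.

```python
"""Match packets against a condition-clause instance of the module (added example)."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"

# Constructed sample instance.  Choice/case nodes (match-type, subnet) have
# no XML representation; only the data nodes of the chosen case appear.
SAMPLE_XML = f"""<i2nsf-security-policy xmlns="{NS}"><system-policy>
<system-policy-name>dmz-policy</system-policy-name>
<rules><rule-name>block-web-to-dmz</rule-name>
 <condition-clause-container>
  <packet-security-ipv4-condition><pkt-sec-ipv4-dest>
   <range-ipv4-address><start-ipv4-address>203.0.113.10</start-ipv4-address>
    <end-ipv4-address>203.0.113.20</end-ipv4-address></range-ipv4-address>
  </pkt-sec-ipv4-dest></packet-security-ipv4-condition>
  <packet-security-tcp-condition><pkt-sec-tcp-dest-port-num>
   <port-num>80</port-num><port-num>443</port-num>
  </pkt-sec-tcp-dest-port-num></packet-security-tcp-condition>
 </condition-clause-container>
 <action-clause-container><packet-action>
  <ingress-action>drop</ingress-action></packet-action></action-clause-container>
</rules>
<rules><rule-name>allow-lan-dns</rule-name>
 <condition-clause-container>
  <packet-security-ipv4-condition><pkt-sec-ipv4-src>
   <ipv4-address><ipv4>10.0.0.0</ipv4><netmask>255.255.0.0</netmask></ipv4-address>
  </pkt-sec-ipv4-src></packet-security-ipv4-condition>
  <packet-security-udp-condition><pkt-sec-udp-dest-port-num>
   <range-port-num><start-port-num>53</start-port-num>
    <end-port-num>53</end-port-num></range-port-num>
  </pkt-sec-udp-dest-port-num></packet-security-udp-condition>
 </condition-clause-container>
 <action-clause-container><packet-action>
  <ingress-action>pass</ingress-action></packet-action></action-clause-container>
</rules></system-policy></i2nsf-security-policy>"""

AddrSpec = Tuple[List[ipaddress.IPv4Network], List[Tuple[int, int]]]
PortSpec = Tuple[Set[int], List[Tuple[int, int]]]


def q(tag: str) -> str:
    return f"{{{NS}}}{tag}"


def text(el: ET.Element, tag: str) -> Optional[str]:
    child = el.find(q(tag))
    return child.text.strip() if child is not None and child.text else None


def parse_ipv4(el: ET.Element) -> AddrSpec:
    """pkt-sec-ipv4-src/dest: exact-match entries become networks (prefix-length
    or netmask, /32 if neither), range-match entries inclusive integer ranges."""
    nets, ranges = [], []
    for e in el.findall(q("ipv4-address")):
        mask = text(e, "prefix-length") or text(e, "netmask") or "32"
        nets.append(ipaddress.ip_network(f"{text(e, 'ipv4')}/{mask}", strict=False))
    for e in el.findall(q("range-ipv4-address")):
        lo = int(ipaddress.ip_address(text(e, "start-ipv4-address")))
        hi = int(ipaddress.ip_address(text(e, "end-ipv4-address")))
        if lo > hi:                       # assumption: reversed range is an error
            raise ValueError("range-ipv4-address: start is above end")
        ranges.append((lo, hi))
    return nets, ranges


def parse_ports(el: ET.Element) -> PortSpec:
    exact = {int(e.text) for e in el.findall(q("port-num"))}
    ranges = []
    for e in el.findall(q("range-port-num")):
        lo, hi = int(text(e, "start-port-num")), int(text(e, "end-port-num"))
        if lo > hi:
            raise ValueError("range-port-num: start is above end")
        ranges.append((lo, hi))
    return exact, ranges


def addr_ok(addr: str, spec: Optional[AddrSpec]) -> bool:
    if spec is None:                      # no such container: unconstrained
        return True
    nets, ranges = spec
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets) or any(lo <= int(a) <= hi for lo, hi in ranges)


def port_ok(port: Optional[int], spec: Optional[PortSpec]) -> bool:
    if spec is None:
        return True
    if port is None:
        return False
    exact, ranges = spec
    return port in exact or any(lo <= port <= hi for lo, hi in ranges)


@dataclass
class Rule:
    name: str
    action: Optional[str]
    src: Optional[AddrSpec]
    dst: Optional[AddrSpec]
    l4: Optional[str]                     # "tcp"/"udp" when that condition is present
    dports: Optional[PortSpec]

    def matches(self, pkt: Dict[str, object]) -> bool:
        # Assumption: every sub-condition present in the container must hold.
        if self.l4 and pkt.get("proto") != self.l4:
            return False
        return (addr_ok(pkt["src"], self.src) and addr_ok(pkt["dst"], self.dst)
                and port_ok(pkt.get("dport"), self.dports))


def load_rules(xml_text: str) -> List[Rule]:
    rules = []
    for r in ET.fromstring(xml_text).iter(q("rules")):
        cond = r.find(q("condition-clause-container"))
        ipv4, src, dst = cond.find(q("packet-security-ipv4-condition")), None, None
        if ipv4 is not None:
            s, d = ipv4.find(q("pkt-sec-ipv4-src")), ipv4.find(q("pkt-sec-ipv4-dest"))
            src = parse_ipv4(s) if s is not None else None
            dst = parse_ipv4(d) if d is not None else None
        l4 = dports = None
        for proto in ("tcp", "udp"):
            c = cond.find(q(f"packet-security-{proto}-condition"))
            if c is not None:
                l4, p = proto, c.find(q(f"pkt-sec-{proto}-dest-port-num"))
                dports = parse_ports(p) if p is not None else None
        act = r.find(f"{q('action-clause-container')}/{q('packet-action')}/{q('ingress-action')}")
        rules.append(Rule(text(r, "rule-name"), act.text.strip() if act is not None else None,
                          src, dst, l4, dports))
    return rules


def first_match(rules: List[Rule], pkt: Dict[str, object]) -> Optional[str]:
    """First matching rule wins; None means the policy's default-action applies."""
    return next((r.action for r in rules if r.matches(pkt)), None)
```

   Running load_rules over an instance before installing it is also
   where an NSF should reject reversed ranges and other values the YANG
   types alone do not catch; the ValueError raised above stands in for
   that validation step.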
   file "ietf-i2nsf-policy-rule-for-nsf@2019-03-28.yang"

   module ietf-i2nsf-policy-rule-for-nsf {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";

     prefix
       iiprfn;

     import ietf-inet-types{
       prefix inet;
       reference "RFC 6991";
     }
     import ietf-yang-types{
       prefix yang;
       reference "RFC 6991";
     }

     /*

     import ietf-ipsec-ike {
       prefix iii;
       reference "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04";
     }
     import ietf-ipsec-ikeless {
       prefix iiil;
       reference "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04";
     }

     */

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Adrian Farrel

        WG Chair: Linda Dunbar

        Editor: Jingyong Tim Kim

        Editor: Jaehoon Paul Jeong

        Editor: Susan Hares
       ";

     description
       "This module defines a YANG data module for network security
        functions.

        Copyright (c) 2019 IETF Trust and the persons
        identified as authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision "2019-03-28"{
       description "Initial revision.";
       reference
         "RFC XXXX: I2NSF Network Security Function-Facing Interface
          YANG Data Model";
     }

     /*
      * Identities
      */

     identity priority-usage-type {
       description
         "Base identity for priority usage type.";
     }

     identity priority-by-order {
       base priority-usage-type;
       description
         "Identity for priority by order";
     }

     identity priority-by-number {
       base priority-usage-type;
       description
         "Identity for priority by number";
     }

     identity event {
       description
         "Base identity for event of policy.";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - Event";
     }

     identity system-event {
       base event;
       description
         "Identity for system event";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System event";
     }

     identity system-alarm {
       base event;
       description
         "Identity for system alarm";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity access-violation {
       base system-event;
       description
         "Identity for access violation
          among system events";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System event";
     }

     identity configuration-change {
       base system-event;
       description
         "Identity for configuration change
          among system events";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System event";
     }

     identity memory-alarm {
       base system-alarm;
       description
         "Identity for memory alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity cpu-alarm {
       base system-alarm;
       description
         "Identity for cpu alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity disk-alarm {
       base system-alarm;
       description
         "Identity for disk alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity hardware-alarm {
       base system-alarm;
       description
         "Identity for hardware alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity interface-alarm {
       base system-alarm;
       description
         "Identity for interface alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity type-of-service {
       description
         "Base identity for type of service of IPv4";
       reference
         "RFC 791: Internet Protocol - Type of Service";
     }

     identity traffic-class {
       description
         "Base identity for traffic-class of IPv6";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity normal {
       base type-of-service;
       base traffic-class;
       description
         "Identity for normal";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity minimize-cost {
       base type-of-service;
       base traffic-class;
       description
         "Identity for minimize cost";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity maximize-reliability {
       base type-of-service;
       base traffic-class;
       description
         "Identity for maximize reliability";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity maximize-throughput {
       base type-of-service;
       base traffic-class;
       description
         "Identity for maximize throughput";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity minimize-delay {
       base type-of-service;
       base traffic-class;
       description
         "Identity for minimize delay";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity maximize-security {
       base type-of-service;
       base traffic-class;
       description
         "Identity for maximize security";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity fragmentation-flags-type {
       description
         "Base identity for fragmentation flags type";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity fragment {
       base fragmentation-flags-type;
       description
         "Identity for fragment";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity no-fragment {
       base fragmentation-flags-type;
       description
         "Identity for no fragment";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity reserved {
       base fragmentation-flags-type;
       description
         "Identity for reserved";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity protocol {
       description
         "Base identity for protocol of IPv4";
       reference
         "RFC 790: Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Protocol";
     }

     identity next-header {
       description
         "Base identity for next header of IPv6";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity icmp {
1007 base protocol; 1008 base next-header; 1009 description 1010 "Identity for icmp"; 1011 reference 1012 "RFC 790: - Assigned numbers - Assigned Internet 1013 Protocol Number 1014 RFC 791: Internet Protocol - Type of Service 1015 RFC 2460: Internet Protocol, Version 6 (IPv6) 1016 Specification - Next Header"; 1017 } 1019 identity igmp { 1020 base protocol; 1021 base next-header; 1022 description 1023 "Identity for igmp"; 1024 reference 1025 "RFC 790: - Assigned numbers - Assigned Internet 1026 Protocol Number 1027 RFC 791: Internet Protocol - Type of Service 1028 RFC 2460: Internet Protocol, Version 6 (IPv6) 1029 Specification - Next Header"; 1030 } 1032 identity tcp { 1033 base protocol; 1034 base next-header; 1035 description 1036 "Identity for tcp"; 1037 reference 1038 "RFC 790: - Assigned numbers - Assigned Internet 1039 Protocol Number 1040 RFC 791: Internet Protocol - Type of Service 1041 RFC 2460: Internet Protocol, Version 6 (IPv6) 1042 Specification - Next Header"; 1043 } 1045 identity igrp { 1046 base protocol; 1047 base next-header; 1048 description 1049 "Identity for igrp"; 1050 reference 1051 "RFC 790: - Assigned numbers - Assigned Internet 1052 Protocol Number 1053 RFC 791: Internet Protocol - Type of Service 1054 RFC 2460: Internet Protocol, Version 6 (IPv6) 1055 Specification - Next Header"; 1056 } 1058 identity udp { 1059 base protocol; 1060 base next-header; 1061 description 1062 "Identity for udp"; 1063 reference 1064 "RFC 790: - Assigned numbers - Assigned Internet 1065 Protocol Number 1066 RFC 791: Internet Protocol - Type of Service 1067 RFC 2460: Internet Protocol, Version 6 (IPv6) 1068 Specification - Next Header"; 1069 } 1070 identity gre { 1071 base protocol; 1072 base next-header; 1073 description 1074 "Identity for gre"; 1075 reference 1076 "RFC 790: - Assigned numbers - Assigned Internet 1077 Protocol Number 1078 RFC 791: Internet Protocol - Type of Service 1079 RFC 2460: Internet Protocol, Version 6 (IPv6) 1080 Specification - Next 
Header"; 1081 } 1083 identity esp { 1084 base protocol; 1085 base next-header; 1086 description 1087 "Identity for esp"; 1088 reference 1089 "RFC 790: - Assigned numbers - Assigned Internet 1090 Protocol Number 1091 RFC 791: Internet Protocol - Type of Service 1092 RFC 2460: Internet Protocol, Version 6 (IPv6) 1093 Specification - Next Header"; 1094 } 1096 identity ah { 1097 base protocol; 1098 base next-header; 1099 description 1100 "Identity for ah"; 1101 reference 1102 "RFC 790: - Assigned numbers - Assigned Internet 1103 Protocol Number 1104 RFC 791: Internet Protocol - Type of Service 1105 RFC 2460: Internet Protocol, Version 6 (IPv6) 1106 Specification - Next Header"; 1107 } 1109 identity mobile { 1110 base protocol; 1111 base next-header; 1112 description 1113 "Identity for mobile"; 1114 reference 1115 "RFC 790: - Assigned numbers - Assigned Internet 1116 Protocol Number 1117 RFC 791: Internet Protocol - Type of Service 1118 RFC 2460: Internet Protocol, Version 6 (IPv6) 1119 Specification - Next Header"; 1120 } 1122 identity tlsp { 1123 base protocol; 1124 base next-header; 1125 description 1126 "Identity for tlsp"; 1127 reference 1128 "RFC 790: - Assigned numbers - Assigned Internet 1129 Protocol Number 1130 RFC 791: Internet Protocol - Type of Service 1131 RFC 2460: Internet Protocol, Version 6 (IPv6) 1132 Specification - Next Header"; 1133 } 1135 identity skip { 1136 base protocol; 1137 base next-header; 1138 description 1139 "Identity for skip"; 1140 reference 1141 "RFC 790: - Assigned numbers - Assigned Internet 1142 Protocol Number 1143 RFC 791: Internet Protocol - Type of Service 1144 RFC 2460: Internet Protocol, Version 6 (IPv6) 1145 Specification - Next Header"; 1146 } 1148 identity ipv6-icmp { 1149 base protocol; 1150 base next-header; 1151 description 1152 "Identity for IPv6 icmp "; 1153 reference 1154 "RFC 790: - Assigned numbers - Assigned Internet 1155 Protocol Number 1156 RFC 791: Internet Protocol - Type of Service 1157 RFC 2460: Internet 
Protocol, Version 6 (IPv6) 1158 Specification - Next Header"; 1159 } 1161 identity eigrp { 1162 base protocol; 1163 base next-header; 1164 description 1165 "Identity for eigrp"; 1166 reference 1167 "RFC 790: - Assigned numbers - Assigned Internet 1168 Protocol Number 1169 RFC 791: Internet Protocol - Type of Service 1170 RFC 2460: Internet Protocol, Version 6 (IPv6) 1171 Specification - Next Header"; 1172 } 1174 identity ospf { 1175 base protocol; 1176 base next-header; 1177 description 1178 "Identity for ospf"; 1179 reference 1180 "RFC 790: - Assigned numbers - Assigned Internet 1181 Protocol Number 1182 RFC 791: Internet Protocol - Type of Service 1183 RFC 2460: Internet Protocol, Version 6 (IPv6) 1184 Specification - Next Header"; 1185 } 1187 identity l2tp { 1188 base protocol; 1189 base next-header; 1190 description 1191 "Identity for l2tp"; 1192 reference 1193 "RFC 790: - Assigned numbers - Assigned Internet 1194 Protocol Number 1195 RFC 791: Internet Protocol - Type of Service 1196 RFC 2460: Internet Protocol, Version 6 (IPv6) 1197 Specification - Next Header"; 1198 } 1200 identity ipopts { 1201 description 1202 "Base identity for IP options"; 1203 reference 1204 "RFC 791: Internet Protocol - Options"; 1205 } 1207 identity rr { 1208 base ipopts; 1209 description 1210 "Identity for record route"; 1211 reference 1212 "RFC 791: Internet Protocol - Options"; 1213 } 1215 identity eol { 1216 base ipopts; 1217 description 1218 "Identity for end of list"; 1219 reference 1220 "RFC 791: Internet Protocol - Options"; 1221 } 1223 identity nop { 1224 base ipopts; 1225 description 1226 "Identity for no operation"; 1227 reference 1228 "RFC 791: Internet Protocol - Options"; 1229 } 1231 identity ts { 1232 base ipopts; 1233 description 1234 "Identity for time stamp"; 1235 reference 1236 "RFC 791: Internet Protocol - Options"; 1237 } 1239 identity sec { 1240 base ipopts; 1241 description 1242 "Identity for IP security"; 1243 reference 1244 "RFC 791: Internet Protocol - 
Options"; 1245 } 1247 identity esec { 1248 base ipopts; 1249 description 1250 "Identity for IP extended security"; 1251 reference 1252 "RFC 791: Internet Protocol - Options"; 1253 } 1255 identity lsrr { 1256 base ipopts; 1257 description 1258 "Identity for loose source routing"; 1259 reference 1260 "RFC 791: Internet Protocol - Options"; 1261 } 1263 identity ssrr { 1264 base ipopts; 1265 description 1266 "Identity for strict source routing"; 1267 reference 1268 "RFC 791: Internet Protocol - Options"; 1269 } 1271 identity satid { 1272 base ipopts; 1273 description 1274 "Identity for stream identifier"; 1275 reference 1276 "RFC 791: Internet Protocol - Options"; 1277 } 1279 identity any { 1280 base ipopts; 1281 description 1282 "Identity for which any IP options are set"; 1283 reference 1284 "RFC 791: Internet Protocol - Options"; 1285 } 1287 identity tcp-flags { 1288 description 1289 "Base identity for tcp flags"; 1290 reference 1291 "RFC 793: Transmission Control Protocol - Flags"; 1292 } 1294 identity cwr { 1295 base tcp-flags; 1296 description 1297 "Identity for congestion window reduced"; 1298 reference 1299 "RFC 793: Transmission Control Protocol - Flags"; 1300 } 1302 identity ecn { 1303 base tcp-flags; 1304 description 1305 "Identity for explicit congestion notification"; 1306 reference 1307 "RFC 793: Transmission Control Protocol - Flags"; 1309 } 1311 identity urg { 1312 base tcp-flags; 1313 description 1314 "Identity for urgent"; 1315 reference 1316 "RFC 793: Transmission Control Protocol - Flags"; 1317 } 1319 identity ack { 1320 base tcp-flags; 1321 description 1322 "Identity for acknowledgement"; 1323 reference 1324 "RFC 793: Transmission Control Protocol - Flags"; 1325 } 1327 identity psh { 1328 base tcp-flags; 1329 description 1330 "Identity for push"; 1331 reference 1332 "RFC 793: Transmission Control Protocol - Flags"; 1333 } 1335 identity rst { 1336 base tcp-flags; 1337 description 1338 "Identity for reset"; 1339 reference 1340 "RFC 793: Transmission 
Control Protocol - Flags"; 1341 } 1343 identity syn { 1344 base tcp-flags; 1345 description 1346 "Identity for synchronize"; 1347 reference 1348 "RFC 793: Transmission Control Protocol - Flags"; 1349 } 1351 identity fin { 1352 base tcp-flags; 1353 description 1354 "Identity for finish"; 1355 reference 1356 "RFC 793: Transmission Control Protocol - Flags"; 1358 } 1360 identity icmp-type { 1361 description 1362 "Base identity for icmp types"; 1363 reference 1364 "RFC 792: Internet Control Message Protocol"; 1365 } 1367 identity echo-reply { 1368 base icmp-type; 1369 description 1370 "Identity for echo reply"; 1371 reference 1372 "RFC 792: Internet Control Message Protocol"; 1373 } 1375 identity destination-unreachable { 1376 base icmp-type; 1377 description 1378 "Identity for destination unreachable"; 1379 reference 1380 "RFC 792: Internet Control Message Protocol"; 1381 } 1383 identity source-quench { 1384 base icmp-type; 1385 description 1386 "Identity for source quench"; 1387 reference 1388 "RFC 792: Internet Control Message Protocol"; 1389 } 1391 identity redirect { 1392 base icmp-type; 1393 description 1394 "Identity for redirect"; 1395 reference 1396 "RFC 792: Internet Control Message Protocol"; 1397 } 1399 identity alternate-host-address { 1400 base icmp-type; 1401 description 1402 "Identity for alternate host address"; 1403 reference 1404 "RFC 792: Internet Control Message Protocol"; 1405 } 1406 identity echo { 1407 base icmp-type; 1408 description 1409 "Identity for echo"; 1410 reference 1411 "RFC 792: Internet Control Message Protocol"; 1412 } 1414 identity router-advertisement { 1415 base icmp-type; 1416 description 1417 "Identity for router advertisement"; 1418 reference 1419 "RFC 792: Internet Control Message Protocol"; 1420 } 1422 identity router-solicitation { 1423 base icmp-type; 1424 description 1425 "Identity for router solicitation"; 1426 reference 1427 "RFC 792: Internet Control Message Protocol"; 1428 } 1430 identity time-exceeded { 1431 base 
icmp-type; 1432 description 1433 "Identity for time exceeded"; 1434 reference 1435 "RFC 792: Internet Control Message Protocol"; 1436 } 1438 identity parameter-problem { 1439 base icmp-type; 1440 description 1441 "Identity for parameter problem"; 1442 reference 1443 "RFC 792: Internet Control Message Protocol"; 1444 } 1446 identity timestamp { 1447 base icmp-type; 1448 description 1449 "Identity for timestamp"; 1450 reference 1451 "RFC 792: Internet Control Message Protocol"; 1452 } 1453 identity timestamp-reply { 1454 base icmp-type; 1455 description 1456 "Identity for timestamp reply"; 1457 reference 1458 "RFC 792: Internet Control Message Protocol"; 1459 } 1461 identity information-request { 1462 base icmp-type; 1463 description 1464 "Identity for information request"; 1465 reference 1466 "RFC 792: Internet Control Message Protocol"; 1467 } 1469 identity information-reply { 1470 base icmp-type; 1471 description 1472 "Identity for information reply"; 1473 reference 1474 "RFC 792: Internet Control Message Protocol"; 1475 } 1477 identity address-mask-request { 1478 base icmp-type; 1479 description 1480 "Identity for address mask request"; 1481 reference 1482 "RFC 792: Internet Control Message Protocol"; 1483 } 1485 identity address-mask-reply { 1486 base icmp-type; 1487 description 1488 "Identity for address mask reply"; 1489 reference 1490 "RFC 792: Internet Control Message Protocol"; 1491 } 1493 identity traceroute { 1494 base icmp-type; 1495 description 1496 "Identity for traceroute"; 1497 reference 1498 "RFC 792: Internet Control Message Protocol"; 1499 } 1500 identity datagram-conversion-error { 1501 base icmp-type; 1502 description 1503 "Identity for datagram conversion error"; 1504 reference 1505 "RFC 792: Internet Control Message Protocol"; 1506 } 1508 identity mobile-host-redirect { 1509 base icmp-type; 1510 description 1511 "Identity for mobile host redirect"; 1512 reference 1513 "RFC 792: Internet Control Message Protocol"; 1514 } 1516 identity 
ipv6-where-are-you { 1517 base icmp-type; 1518 description 1519 "Identity for IPv6 where are you"; 1520 reference 1521 "RFC 792: Internet Control Message Protocol"; 1522 } 1524 identity ipv6-i-am-here { 1525 base icmp-type ; 1526 description 1527 "Identity for IPv6 i am here"; 1528 reference 1529 "RFC 792: Internet Control Message Protocol"; 1530 } 1532 identity mobile-registration-request { 1533 base icmp-type; 1534 description 1535 "Identity for mobile registration request"; 1536 reference 1537 "RFC 792: Internet Control Message Protocol"; 1538 } 1540 identity mobile-registration-reply { 1541 base icmp-type; 1542 description 1543 "Identity for mobile registration reply"; 1544 reference 1545 "RFC 792: Internet Control Message Protocol"; 1546 } 1547 identity domain-name-request { 1548 base icmp-type; 1549 description 1550 "Identity for domain name request"; 1551 reference 1552 "RFC 792: Internet Control Message Protocol"; 1553 } 1555 identity domain-name-reply { 1556 base icmp-type; 1557 description 1558 "Identity for domain name reply"; 1559 reference 1560 "RFC 792: Internet Control Message Protocol"; 1561 } 1563 identity iskip { 1564 base icmp-type; 1565 description 1566 "Identity for icmp skip"; 1567 reference 1568 "RFC 792: Internet Control Message Protocol"; 1569 } 1571 identity photuris { 1572 base icmp-type; 1573 description 1574 "Identity for photuris"; 1575 reference 1576 "RFC 792: Internet Control Message Protocol"; 1577 } 1579 identity experimental-mobility-protocols { 1580 base icmp-type; 1581 description 1582 "Identity for experimental mobility protocols"; 1583 reference 1584 "RFC 792: Internet Control Message Protocol"; 1585 } 1587 identity extended-echo-request { 1588 base icmp-type; 1589 description 1590 "Identity for extended echo request"; 1591 reference 1592 "RFC 792: Internet Control Message Protocol 1593 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1594 } 1595 identity extended-echo-reply { 1596 base icmp-type; 1597 description 1598 
"Identity for extended echo reply"; 1599 reference 1600 "RFC 792: Internet Control Message Protocol 1601 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1602 } 1604 identity net-unreachable { 1605 base icmp-type; 1606 description 1607 "Identity for net unreachable 1608 in destination unreachable types"; 1609 reference 1610 "RFC 792: Internet Control Message Protocol"; 1611 } 1613 identity host-unreachable { 1614 base icmp-type; 1615 description 1616 "Identity for host unreachable 1617 in destination unreachable types"; 1618 reference 1619 "RFC 792: Internet Control Message Protocol"; 1620 } 1622 identity protocol-unreachable { 1623 base icmp-type; 1624 description 1625 "Identity for protocol unreachable 1626 in destination unreachable types"; 1627 reference 1628 "RFC 792: Internet Control Message Protocol"; 1629 } 1631 identity port-unreachable { 1632 base icmp-type; 1633 description 1634 "Identity for port unreachable 1635 in destination unreachable types"; 1636 reference 1637 "RFC 792: Internet Control Message Protocol"; 1638 } 1640 identity fragment-set { 1641 base icmp-type; 1642 description 1643 "Identity for fragmentation set 1644 in destination unreachable types"; 1645 reference 1646 "RFC 792: Internet Control Message Protocol"; 1647 } 1649 identity source-route-failed { 1650 base icmp-type; 1651 description 1652 "Identity for source route failed 1653 in destination unreachable types"; 1654 reference 1655 "RFC 792: Internet Control Message Protocol"; 1656 } 1658 identity destination-network-unknown { 1659 base icmp-type; 1660 description 1661 "Identity for destination network unknown 1662 in destination unreachable types"; 1663 reference 1664 "RFC 792: Internet Control Message Protocol"; 1665 } 1667 identity destination-host-unknown { 1668 base icmp-type; 1669 description 1670 "Identity for destination host unknown 1671 in destination unreachable types"; 1672 reference 1673 "RFC 792: Internet Control Message Protocol"; 1674 } 1676 identity 
source-host-isolated { 1677 base icmp-type; 1678 description 1679 "Identity for source host isolated 1680 in destination unreachable types"; 1681 reference 1682 "RFC 792: Internet Control Message Protocol"; 1683 } 1685 identity communication-prohibited-with-destination-network { 1686 base icmp-type; 1687 description 1688 "Identity for which communication with destination network 1689 is administratively prohibited in destination unreachable 1690 types"; 1692 reference 1693 "RFC 792: Internet Control Message Protocol"; 1694 } 1696 identity communication-prohibited-with-destination-host { 1697 base icmp-type; 1698 description 1699 "Identity for which communication with destination host 1700 is administratively prohibited in destination unreachable 1701 types"; 1702 reference 1703 "RFC 792: Internet Control Message Protocol"; 1704 } 1706 identity destination-network-unreachable-for-tos { 1707 base icmp-type; 1708 description 1709 "Identity for destination network unreachable 1710 for type of service in destination unreachable types"; 1711 reference 1712 "RFC 792: Internet Control Message Protocol"; 1713 } 1715 identity destination-host-unreachable-for-tos { 1716 base icmp-type; 1717 description 1718 "Identity for destination host unreachable 1719 for type of service in destination unreachable types"; 1720 reference 1721 "RFC 792: Internet Control Message Protocol"; 1722 } 1724 identity communication-prohibited { 1725 base icmp-type; 1726 description 1727 "Identity for communication administratively prohibited 1728 in destination unreachable types"; 1729 reference 1730 "RFC 792: Internet Control Message Protocol"; 1731 } 1733 identity host-precedence-violation { 1734 base icmp-type; 1735 description 1736 "Identity for host precedence violation 1737 in destination unreachable types"; 1738 reference 1739 "RFC 792: Internet Control Message Protocol"; 1741 } 1743 identity precedence-cutoff-in-effect { 1744 base icmp-type; 1745 description 1746 "Identity for precedence 
cutoff in effect 1747 in destination unreachable types"; 1748 reference 1749 "RFC 792: Internet Control Message Protocol"; 1750 } 1752 identity redirect-datagram-for-the-network { 1753 base icmp-type; 1754 description 1755 "Identity for redirect datagram for the network 1756 (or subnet) in redirect types"; 1757 reference 1758 "RFC 792: Internet Control Message Protocol"; 1759 } 1761 identity redirect-datagram-for-the-host { 1762 base icmp-type; 1763 description 1764 "Identity for redirect datagram for the host 1765 in redirect types"; 1766 reference 1767 "RFC 792: Internet Control Message Protocol"; 1768 } 1770 identity redirect-datagram-for-the-tos-and-network { 1771 base icmp-type; 1772 description 1773 "Identity for redirect datagram for the type of 1774 service and network in redirect types"; 1775 reference 1776 "RFC 792: Internet Control Message Protocol"; 1777 } 1779 identity redirect-datagram-for-the-tos-and-host { 1780 base icmp-type; 1781 description 1782 "Identity for redirect datagram for the type of 1783 service and host in redirect types"; 1784 reference 1785 "RFC 792: Internet Control Message Protocol"; 1786 } 1788 identity normal-router-advertisement { 1789 base icmp-type; 1790 description 1791 "Identity for normal router advertisement 1792 in router advertisement types"; 1793 reference 1794 "RFC 792: Internet Control Message Protocol"; 1795 } 1797 identity does-not-route-common-traffic { 1798 base icmp-type; 1799 description 1800 "Identity for does not route common traffic 1801 in router advertisement types"; 1802 reference 1803 "RFC 792: Internet Control Message Protocol"; 1804 } 1806 identity time-to-live-exceeded-in-transit { 1807 base icmp-type; 1808 description 1809 "Identity for time to live exceeded in transit 1810 in time exceeded types"; 1811 reference 1812 "RFC 792: Internet Control Message Protocol"; 1813 } 1815 identity fragment-reassembly-time-exceeded { 1816 base icmp-type; 1817 description 1818 "Identity for fragment reassembly time 
exceeded 1819 in time exceeded types"; 1820 reference 1821 "RFC 792: Internet Control Message Protocol"; 1822 } 1824 identity pointer-indicates-the-error { 1825 base icmp-type; 1826 description 1827 "Identity for pointer indicates the error 1828 in parameter problem types"; 1829 reference 1830 "RFC 792: Internet Control Message Protocol"; 1831 } 1833 identity missing-a-required-option { 1834 base icmp-type; 1835 description 1836 "Identity for missing a required option 1837 in parameter problem types"; 1838 reference 1839 "RFC 792: Internet Control Message Protocol"; 1840 } 1842 identity bad-length { 1843 base icmp-type; 1844 description 1845 "Identity for bad length 1846 in parameter problem types"; 1847 reference 1848 "RFC 792: Internet Control Message Protocol"; 1849 } 1851 identity bad-spi { 1852 base icmp-type; 1853 description 1854 "Identity for bad spi 1855 in photuris types"; 1856 reference 1857 "RFC 792: Internet Control Message Protocol"; 1858 } 1860 identity authentication-failed { 1861 base icmp-type; 1862 description 1863 "Identity for authentication failed 1864 in photuris types"; 1865 reference 1866 "RFC 792: Internet Control Message Protocol"; 1867 } 1869 identity decompression-failed { 1870 base icmp-type; 1871 description 1872 "Identity for decompression failed 1873 in photuris types"; 1874 reference 1875 "RFC 792: Internet Control Message Protocol"; 1876 } 1878 identity decryption-failed { 1879 base icmp-type; 1880 description 1881 "Identity for decryption failed 1882 in photuris types"; 1883 reference 1884 "RFC 792: Internet Control Message Protocol"; 1886 } 1888 identity need-authentication { 1889 base icmp-type; 1890 description 1891 "Identity for need authentication 1892 in photuris types"; 1893 reference 1894 "RFC 792: Internet Control Message Protocol"; 1895 } 1897 identity need-authorization { 1898 base icmp-type; 1899 description 1900 "Identity for need authorization 1901 in photuris types"; 1902 reference 1903 "RFC 792: Internet Control 
Message Protocol"; 1904 } 1906 identity req-no-error { 1907 base icmp-type; 1908 description 1909 "Identity for request with no error 1910 in extended echo request types"; 1911 reference 1912 "RFC 792: Internet Control Message Protocol 1913 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1914 } 1916 identity rep-no-error { 1917 base icmp-type; 1918 description 1919 "Identity for reply with no error 1920 in extended echo reply types"; 1921 reference 1922 "RFC 792: Internet Control Message Protocol 1923 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1924 } 1926 identity malformed-query { 1927 base icmp-type; 1928 description 1929 "Identity for malformed query 1930 in extended echo reply types"; 1931 reference 1932 "RFC 792: Internet Control Message Protocol 1933 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1935 } 1937 identity no-such-interface { 1938 base icmp-type; 1939 description 1940 "Identity for no such interface 1941 in extended echo reply types"; 1942 reference 1943 "RFC 792: Internet Control Message Protocol 1944 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1945 } 1947 identity no-such-table-entry { 1948 base icmp-type; 1949 description 1950 "Identity for no such table entry 1951 in extended echo reply types"; 1952 reference 1953 "RFC 792: Internet Control Message Protocol 1954 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1955 } 1957 identity multiple-interfaces-satisfy-query { 1958 base icmp-type; 1959 description 1960 "Identity for multiple interfaces satisfy query 1961 in extended echo reply types"; 1962 reference 1963 "RFC 792: Internet Control Message Protocol 1964 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1965 } 1967 identity target-device { 1968 description 1969 "Base identity for target devices"; 1970 reference 1971 "draft-ietf-i2nsf-capability-04: Information Model 1972 of NSFs Capabilities"; 1973 } 1975 identity pc { 1976 base target-device; 1977 description 1978 "Identity for pc"; 1979 } 1981 identity 
mobile-phone { 1982 base target-device; 1983 description 1984 "Identity for mobile-phone"; 1985 } 1987 identity voip-volte-phone { 1988 base target-device; 1989 description 1990 "Identity for voip-volte-phone"; 1991 } 1993 identity tablet { 1994 base target-device; 1995 description 1996 "Identity for tablet"; 1997 } 1999 identity iot { 2000 base target-device; 2001 description 2002 "Identity for IoT"; 2003 } 2005 identity vehicle { 2006 base target-device; 2007 description 2008 "Identity for vehicle"; 2009 } 2011 identity content-security-control { 2012 description 2013 "Base identity for content security control"; 2014 reference 2015 "RFC 8329: Framework for Interface to 2016 Network Security Functions - Differences 2017 from ACL Data Models 2018 draft-ietf-i2nsf-capability-04: Information Model 2019 of NSFs Capabilities"; 2020 } 2022 identity antivirus { 2023 base content-security-control; 2024 description 2025 "Identity for antivirus"; 2026 } 2028 identity ips { 2029 base content-security-control; 2030 description 2031 "Identity for ips"; 2032 } 2034 identity ids { 2035 base content-security-control; 2036 description 2037 "Identity for ids"; 2038 } 2040 identity url-filtering { 2041 base content-security-control; 2042 description 2043 "Identity for url filtering"; 2044 } 2046 identity mail-filtering { 2047 base content-security-control; 2048 description 2049 "Identity for mail filtering"; 2050 } 2052 identity file-blocking { 2053 base content-security-control; 2054 description 2055 "Identity for file blocking"; 2056 } 2058 identity file-isolate { 2059 base content-security-control; 2060 description 2061 "Identity for file isolate"; 2062 } 2064 identity pkt-capture { 2065 base content-security-control; 2066 description 2067 "Identity for packet capture"; 2068 } 2070 identity application-control { 2071 base content-security-control; 2072 description 2073 "Identity for application control"; 2074 } 2076 identity voip-volte { 2077 base content-security-control; 2078 
description 2079 "Identity for voip and volte"; 2080 } 2082 identity attack-mitigation-control { 2083 description 2084 "Base identity for attack mitigation control"; 2085 reference 2086 "RFC 8329: Framework for Interface to 2087 Network Security Functions - Differences 2088 from ACL Data Models 2089 draft-ietf-i2nsf-capability-04: Information Model 2090 of NSFs Capabilities"; 2091 } 2093 identity syn-flood { 2094 base attack-mitigation-control; 2095 description 2096 "Identity for syn flood"; 2097 } 2099 identity udp-flood { 2100 base attack-mitigation-control; 2101 description 2102 "Identity for udp flood"; 2103 } 2105 identity icmp-flood { 2106 base attack-mitigation-control; 2107 description 2108 "Identity for icmp flood"; 2109 } 2111 identity ip-frag-flood { 2112 base attack-mitigation-control; 2113 description 2114 "Identity for ip frag flood"; 2115 } 2117 identity ipv6-related { 2118 base attack-mitigation-control; 2119 description 2120 "Identity for ipv6 related"; 2121 } 2123 identity http-and-https-flood { 2124 base attack-mitigation-control; 2125 description 2126 "Identity for http and https flood"; 2128 } 2130 identity dns-flood { 2131 base attack-mitigation-control; 2132 description 2133 "Identity for dns flood"; 2134 } 2136 identity dns-amp-flood { 2137 base attack-mitigation-control; 2138 description 2139 "Identity for dns amp flood"; 2140 } 2142 identity ssl-ddos { 2143 base attack-mitigation-control; 2144 description 2145 "Identity for ssl ddos"; 2146 } 2148 identity ip-sweep { 2149 base attack-mitigation-control; 2150 description 2151 "Identity for ip sweep"; 2152 } 2154 identity port-scanning { 2155 base attack-mitigation-control; 2156 description 2157 "Identity for port scanning"; 2158 } 2160 identity ping-of-death { 2161 base attack-mitigation-control; 2162 description 2163 "Identity for ping of death"; 2164 } 2166 identity teardrop { 2167 base attack-mitigation-control; 2168 description 2169 "Identity for teardrop"; 2170 } 2172 identity 
oversized-icmp { 2173 base attack-mitigation-control; 2174 description 2175 "Identity for oversized icmp"; 2177 } 2179 identity tracert { 2180 base attack-mitigation-control; 2181 description 2182 "Identity for tracert"; 2183 } 2185 identity ingress-action { 2186 description 2187 "Base identity for action"; 2188 reference 2189 "draft-ietf-i2nsf-capability-04: Information Model 2190 of NSFs Capabilities - Ingress Action"; 2191 } 2193 identity egress-action { 2194 description 2195 "Base identity for egress action"; 2196 reference 2197 "draft-ietf-i2nsf-capability-04: Information Model 2198 of NSFs Capabilities - Egress action"; 2199 } 2201 identity default-action { 2202 description 2203 "Base identity for default action"; 2204 reference 2205 "draft-ietf-i2nsf-capability-04: Information Model 2206 of NSFs Capabilities - Default action"; 2207 } 2209 identity pass { 2210 base ingress-action; 2211 base egress-action; 2212 base default-action; 2213 description 2214 "Identity for pass"; 2215 reference 2216 "draft-ietf-i2nsf-capability-04: Information Model 2217 of NSFs Capabilities - Actions and 2218 default action"; 2219 } 2221 identity drop { 2222 base ingress-action; 2223 base egress-action; 2224 base default-action; 2225 description 2226 "Identity for drop"; 2227 reference 2228 "draft-ietf-i2nsf-capability-04: Information Model 2229 of NSFs Capabilities - Actions and 2230 default action"; 2231 } 2233 identity reject { 2234 base ingress-action; 2235 base egress-action; 2236 base default-action; 2237 description 2238 "Identity for reject"; 2239 reference 2240 "draft-ietf-i2nsf-capability-04: Information Model 2241 of NSFs Capabilities - Actions and 2242 default action"; 2243 } 2245 identity alert { 2246 base ingress-action; 2247 base egress-action; 2248 base default-action; 2249 description 2250 "Identity for alert"; 2251 reference 2252 "draft-ietf-i2nsf-capability-04: Information Model 2253 of NSFs Capabilities - Actions and 2254 default action"; 2255 } 2257 identity 
mirror { 2258 base ingress-action; 2259 base egress-action; 2260 base default-action; 2261 description 2262 "Identity for mirror"; 2263 reference 2264 "draft-ietf-i2nsf-capability-04: Information Model 2265 of NSFs Capabilities - Actions and 2266 default action"; 2267 } 2269 identity log-action { 2270 description 2271 "Base identity for log action"; 2272 } 2273 identity rule-log { 2274 base log-action; 2275 description 2276 "Identity for rule log"; 2277 } 2279 identity session-log { 2280 base log-action; 2281 description 2282 "Identity for session log"; 2283 } 2285 identity invoke-signaling { 2286 base egress-action; 2287 description 2288 "Identity for invoke signaling"; 2289 } 2291 identity tunnel-encapsulation { 2292 base egress-action; 2293 description 2294 "Identity for tunnel encapsulation"; 2295 } 2297 identity forwarding { 2298 base egress-action; 2299 description 2300 "Identity for forwarding"; 2301 } 2303 identity redirection { 2304 base egress-action; 2305 description 2306 "Identity for redirection"; 2308 } 2310 identity resolution-strategy { 2311 description 2312 "Base identity for resolution strategy"; 2313 reference 2314 "draft-ietf-i2nsf-capability-04: Information Model 2315 of NSFs Capabilities - Resolution Strategy"; 2316 } 2318 identity fmr { 2319 base resolution-strategy; 2320 description 2321 "Identity for First Matching Rule (FMR)"; 2322 reference 2323 "draft-ietf-i2nsf-capability-04: Information Model 2324 of NSFs Capabilities - Resolution Strategy"; 2325 } 2327 identity lmr { 2328 base resolution-strategy; 2329 description 2330 "Identity for Last Matching Rule (LMR)"; 2331 reference 2332 "draft-ietf-i2nsf-capability-04: Information Model 2333 of NSFs Capabilities - Resolution Strategy"; 2334 } 2336 identity pmr { 2337 base resolution-strategy; 2338 description 2339 "Identity for Prioritized Matching Rule (PMR)"; 2340 reference 2341 "draft-ietf-i2nsf-capability-04: Information Model 2342 of NSFs Capabilities - Resolution Strategy"; 2343 } 2345 
identity pmre { 2346 base resolution-strategy; 2347 description 2348 "Identity for Prioritized Matching Rule 2349 with Errors (PMRE)"; 2350 reference 2351 "draft-ietf-i2nsf-capability-04: Information Model 2352 of NSFs Capabilities - Resolution Strategy"; 2353 } 2355 identity pmrn { 2356 base resolution-strategy; 2357 description 2358 "Identity for Prioritized Matching Rule 2359 with No Errors (PMRN)"; 2360 reference 2361 "draft-ietf-i2nsf-capability-04: Information Model 2362 of NSFs Capabilities - Resolution Strategy"; 2363 } 2365 /* 2366 * Typedefs 2367 */ 2369 typedef start-time-type { 2370 type union { 2371 type string { 2372 pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' 2373 + '(Z|[\+\-]\d{2}:\d{2})'; 2374 } 2376 type enumeration { 2377 enum right-away { 2378 description 2379 "Immediate rule execution 2380 in the system."; 2381 } 2382 } 2383 } 2385 description 2386 "Start time when the rules are applied."; 2387 } 2389 typedef end-time-type { 2390 type union { 2391 type string { 2392 pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' 
2393 + '(Z|[\+\-]\d{2}:\d{2})'; 2394 } 2396 type enumeration { 2397 enum infinitely { 2398 description 2399 "Infinite rule execution 2400 in the system."; 2401 } 2402 } 2403 } 2404 description 2405 "End time when the rules are applied."; 2406 } 2408 typedef day-type { 2409 type enumeration { 2410 enum sunday { 2411 description 2412 "Sunday for periodic day"; 2413 } 2414 enum monday { 2415 description 2416 "Monday for periodic day"; 2418 } 2419 enum tuesday { 2420 description 2421 "Tuesday for periodic day"; 2422 } 2423 enum wednesday { 2424 description 2425 "Wednesday for periodic day"; 2426 } 2427 enum thursday { 2428 description 2429 "Thursday for periodic day"; 2430 } 2431 enum friday { 2432 description 2433 "Friday for periodic day"; 2434 } 2435 enum saturday { 2436 description 2437 "Saturday for periodic day"; 2438 } 2439 } 2440 description 2441 "This can be used for the rules to be applied 2442 according to periodic day"; 2443 } 2445 typedef month-type { 2446 type enumeration { 2447 enum january { 2448 description 2449 "January for periodic month"; 2450 } 2451 enum february { 2452 description 2453 "February for periodic month"; 2454 } 2455 enum march { 2456 description 2457 "March for periodic month"; 2458 } 2459 enum april { 2460 description 2461 "April for periodic month"; 2462 } 2463 enum may { 2464 description 2465 "May for periodic month"; 2467 } 2468 enum june { 2469 description 2470 "June for periodic month"; 2471 } 2472 enum july { 2473 description 2474 "July for periodic month"; 2475 } 2476 enum august { 2477 description 2478 "August for periodic month"; 2479 } 2480 enum september { 2481 description 2482 "September for periodic month"; 2483 } 2484 enum october { 2485 description 2486 "October for periodic month"; 2487 } 2488 enum november { 2489 description 2490 "November for periodic month"; 2491 } 2492 enum december { 2493 description 2494 "December for periodic month"; 2495 } 2496 } 2497 description 2498 "This can be used for the rules to be 
applied 2499 according to periodic month"; 2500 } 2502 /* 2503 * Groupings 2504 */ 2506 grouping ipv4 { 2507 list ipv4-address { 2508 key "ipv4"; 2509 description 2510 "The list of IPv4 address."; 2512 leaf ipv4 { 2513 type inet:ipv4-address; 2514 description 2515 "The value of IPv4 address."; 2516 } 2517 choice subnet { 2518 description 2519 "The subnet can be specified as a prefix length or 2520 netmask."; 2521 leaf prefix-length { 2522 type uint8 { 2523 range "0..32"; 2524 } 2525 description 2526 "The length of the subnet prefix."; 2527 } 2528 leaf netmask { 2529 type yang:dotted-quad; 2530 description 2531 "The subnet specified as a netmask."; 2532 } 2533 } 2534 } 2535 description 2536 "Grouping for an IPv4 address"; 2538 reference 2539 "RFC 791: Internet Protocol - IPv4 address 2540 RFC 8344: A YANG Data Model for IP Management"; 2541 } 2543 grouping ipv6 { 2544 list ipv6-address { 2545 key "ipv6"; 2546 description 2547 "The list of IPv6 address."; 2549 leaf ipv6 { 2550 type inet:ipv6-address; 2551 description 2552 "The value of IPv6 address."; 2553 } 2555 leaf prefix-length { 2556 type uint8 { 2557 range "0..128"; 2558 } 2559 description 2560 "The length of the subnet prefix."; 2561 } 2562 } 2563 description 2564 "Grouping for an IPv6 address"; 2566 reference 2567 "RFC 2460: Internet Protocol, Version 6 (IPv6) 2568 Specification - IPv6 address 2569 RFC 8344: A YANG Data Model for IP Management"; 2570 } 2572 grouping pkt-sec-ipv4 { 2573 choice match-type { 2574 description 2575 "There are two types to configure a security policy 2576 for IPv4 address, such as exact match and range match."; 2577 case exact-match { 2578 uses ipv4; 2579 description 2580 "Exact match for an IPv4 address."; 2581 } 2582 case range-match { 2583 list range-ipv4-address { 2584 key "start-ipv4-address end-ipv4-address"; 2585 leaf start-ipv4-address { 2586 type inet:ipv4-address; 2587 description 2588 "Start IPv4 address for a range match."; 2589 } 2591 leaf end-ipv4-address { 2592 type 
inet:ipv4-address; 2593 description 2594 "End IPv4 address for a range match."; 2595 } 2596 description 2597 "Range match for an IPv4 address."; 2598 } 2599 } 2600 } 2601 description 2602 "Grouping for an IPv4 address."; 2604 reference 2605 "RFC 791: Internet Protocol - IPv4 address"; 2606 } 2608 grouping pkt-sec-ipv6 { 2609 choice match-type { 2610 description 2611 "There are two types to configure a security policy 2612 for IPv6 address, such as exact match and range match."; 2613 case exact-match { 2614 uses ipv6; 2615 description 2616 "Exact match for an IPv6 address."; 2617 } 2618 case range-match { 2619 list range-ipv6-address { 2620 key "start-ipv6-address end-ipv6-address"; 2621 leaf start-ipv6-address { 2622 type inet:ipv6-address; 2623 description 2624 "Start IPv6 address for a range match."; 2625 } 2627 leaf end-ipv6-address { 2628 type inet:ipv6-address; 2629 description 2630 "End IPv6 address for a range match."; 2631 } 2632 description 2633 "Range match for an IPv6 address."; 2634 } 2635 } 2636 } 2637 description 2638 "Grouping for IPv6 address."; 2640 reference 2641 "RFC 2460: Internet Protocol, Version 6 (IPv6) 2642 Specification - IPv6 address"; 2643 } 2645 grouping pkt-sec-port-number { 2646 choice match-type { 2647 description 2648 "There are two types to configure a security policy 2649 for a port number, such as exact match and range match."; 2650 case exact-match { 2651 leaf-list port-num { 2652 type inet:port-number; 2653 description 2654 "Exact match for a port number."; 2655 } 2656 } 2657 case range-match { 2658 list range-port-num { 2659 key "start-port-num end-port-num"; 2660 leaf start-port-num { 2661 type inet:port-number; 2662 description 2663 "Start port number for a range match."; 2664 } 2665 leaf end-port-num { 2666 type inet:port-number; 2667 description 2668 "Start port number for a range match."; 2669 } 2670 description 2671 "Range match for a port number."; 2672 } 2673 } 2674 } 2675 description 2676 "Grouping for port number."; 
2678 reference 2679 "RFC 793: Transmission Control Protocol - Port number 2680 RFC 768: User Datagram Protocol - Port Number"; 2681 } 2683 /* 2684 * Data nodes 2685 */ 2687 container i2nsf-security-policy { 2688 description 2689 "Container for security policy 2690 including a set of security rules according to certain logic, 2691 i.e., their similarity or mutual relations, etc. The network 2692 security policy is able to apply over both the unidirectional 2693 and bidirectional traffic across the NSF. 2694 The I2NSF security policies use the Event-Condition-Action 2695 (ECA) policy model "; 2697 reference 2698 "RFC 8329: Framework for Interface to Network Security 2699 Functions - I2NSF Flow Security Policy Structure 2700 draft-ietf-i2nsf-capability-04: Information Model 2701 of NSFs Capabilities - Design Principles and ECA Policy Model 2702 Overview"; 2704 list system-policy { 2705 key "system-policy-name"; 2706 description 2707 "The system-policy represents there could be multiple system 2708 policies in one NSF, and each system policy is used by 2709 one virtual instance of the NSF/device."; 2711 leaf system-policy-name { 2712 type string; 2713 mandatory true; 2714 description 2715 "The name of the policy. 
2716 This must be unique."; 2717 } 2719 leaf priority-usage { 2720 type identityref { 2721 base priority-usage-type; 2722 } 2723 default priority-by-order; 2724 description 2725 "Priority usage type for security policy rule: 2726 priority by order and priority by number"; 2727 } 2729 leaf resolution-strategy { 2730 type identityref { 2731 base resolution-strategy; 2732 } 2733 default fmr; 2734 description 2735 "The resolution strategies can be used to 2736 specify how to resolve conflicts that occur between 2737 the actions of the same or different policy rules that 2738 are matched and contained in this particular NSF"; 2740 reference 2741 "draft-ietf-i2nsf-capability-04: Information Model 2742 of NSFs Capabilities - Resolution strategy"; 2743 } 2745 leaf default-action { 2746 type identityref { 2747 base default-action; 2748 } 2749 default alert; 2750 description 2751 "This default action can be used to specify a predefined 2752 action when no other alternative action was matched 2753 by the currently executing I2NSF Policy Rule. An analogy 2754 is the use of a default statement in a C switch statement."; 2756 reference 2757 "draft-ietf-i2nsf-capability-04: Information Model 2758 of NSFs Capabilities - Default action"; 2759 } 2761 list rules { 2762 key "rule-name"; 2763 description 2764 "This is a rule for network security functions."; 2766 leaf rule-name { 2767 type string; 2768 mandatory true; 2769 description 2770 "The name of the rule. 2771 This must be unique."; 2772 } 2774 leaf rule-description { 2775 type string; 2776 description 2777 "This description gives more information about 2778 rules."; 2779 } 2781 leaf rule-priority { 2782 type uint8 { 2783 range "1..255"; 2784 } 2785 description 2786 "The priority keyword comes with a mandatory 2787 numeric value which can range from 1 till 255."; 2788 } 2790 leaf rule-enable { 2791 type boolean; 2792 description 2793 "True is enable. 
2794 False is not enbale."; 2795 } 2797 leaf session-aging-time { 2798 type uint16; 2799 description 2800 "This is session aging time."; 2801 } 2803 container long-connection { 2804 description 2805 "This is long-connection"; 2807 leaf enable { 2808 type boolean; 2809 description 2810 "True is enable. 2811 False is not enbale."; 2812 } 2814 leaf during { 2815 type uint16; 2816 description 2817 "This is during time."; 2818 } 2819 } 2821 container time-zone { 2822 description 2823 "Time zone when the rules are applied"; 2824 container absolute-time-zone { 2825 description 2826 "Rule execution according to absolute time"; 2828 leaf start-time { 2829 type start-time-type; 2830 default right-away; 2831 description 2832 "Start time when the rules are applied"; 2833 } 2834 leaf end-time { 2835 type end-time-type; 2836 default infinitely; 2837 description 2838 "End time when the rules are applied"; 2839 } 2840 } 2842 container periodic-time-zone { 2843 description 2844 "Rule execution according to periodic time"; 2846 container day { 2847 description 2848 "Rule execution according to day."; 2849 leaf every-day { 2850 type boolean; 2851 default true; 2852 description 2853 "Rule execution every day"; 2854 } 2856 leaf-list specific-day { 2857 when "../every-day = 'false'"; 2858 type day-type; 2859 description 2860 "Rule execution according 2861 to specific day"; 2862 } 2863 } 2865 container month { 2866 description 2867 "Rule execution according to month."; 2868 leaf every-month { 2869 type boolean; 2870 default true; 2871 description 2872 "Rule execution every day"; 2873 } 2875 leaf-list specific-month { 2876 when "../every-month = 'false'"; 2877 type month-type; 2878 description 2879 "Rule execution according 2880 to month day"; 2881 } 2882 } 2883 } 2884 } 2886 container event-clause-container { 2887 description 2888 "An event is defined as any important 2889 occurrence in time of a change in the system being 2890 managed, and/or in the environment of the system being 2891 
managed. When used in the context of policy rules for 2892 a flow-based NSF, it is used to determine whether the 2893 Condition clause of the Policy Rule can be evaluated 2894 or not. Examples of an I2NSF event include time and 2895 user actions (e.g., logon, logoff, and actions that 2896 violate any ACL.)."; 2898 reference 2899 "RFC 8329: Framework for Interface to Network Security 2900 Functions - I2NSF Flow Security Policy Structure 2901 draft-ietf-i2nsf-capability-04: Information Model 2902 of NSFs Capabilities - Design Principles and ECA 2903 Policy Model Overview 2904 draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG 2905 Data Model for Monitoring I2NSF Network Security 2906 Functions - System Alarm and System Events"; 2908 leaf event-clause-description { 2909 type string; 2910 description 2911 "Description for an event clause"; 2912 } 2914 container event-clauses { 2915 description 2916 "It has two event types such as 2917 system event and system alarm."; 2918 reference 2919 "RFC 8329: Framework for Interface to Network Security 2920 Functions - I2NSF Flow Security Policy Structure 2921 draft-ietf-i2nsf-capability-04: Information Model 2922 of NSFs Capabilities - Design Principles and ECA Policy 2923 Model Overview 2924 draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG 2925 Data Model for Monitoring I2NSF Network Security 2926 Functions - System Alarm and System Events"; 2928 leaf-list system-event { 2929 type identityref { 2930 base system-event; 2931 } 2932 description 2933 "The security policy rule according to 2934 system events."; 2935 } 2937 leaf-list system-alarm { 2938 type identityref { 2939 base system-alarm; 2940 } 2941 description 2942 "The security policy rule according to 2943 system alarms."; 2944 } 2945 } 2946 } 2948 container condition-clause-container { 2949 description 2950 "A condition is defined as a set 2951 of attributes, features, and/or values that are to be 2952 compared with a set of known attributes, features, 2953 and/or 
values in order to determine whether or not the 2954 set of Actions in that (imperative) I2NSF Policy Rule 2955 can be executed or not. Examples of I2NSF Conditions 2956 include matching attributes of a packet or flow, and 2957 comparing the internal state of an NSF to a desired 2958 state."; 2959 reference 2960 "RFC 8329: Framework for Interface to Network Security 2961 Functions - I2NSF Flow Security Policy Structure 2962 draft-ietf-i2nsf-capability-04: Information Model 2963 of NSFs Capabilities - Design Principles and ECA Policy 2964 Model Overview"; 2966 leaf condition-clause-description { 2967 type string; 2968 description 2969 "Description for a condition clause."; 2970 } 2972 container packet-security-ipv4-condition { 2973 description 2974 "The purpose of this container is to represent IPv4 2975 packet header information to determine if the set 2976 of policy actions in this ECA policy rule should be 2977 executed or not."; 2978 reference 2979 "RFC 791: Internet Protocol"; 2981 leaf ipv4-description { 2982 type string; 2983 description 2984 "This is description for ipv4 condition."; 2985 } 2987 container pkt-sec-ipv4-header-length { 2988 choice match-type { 2989 description 2990 "There are two types to configure a security 2991 policy for IPv4 header length, such as exact match 2992 and range match."; 2993 case exact-match { 2994 leaf-list ipv4-header-length { 2995 type uint8 { 2996 range "5..15"; 2997 } 2998 description 2999 "Exact match for an IPv4 header length."; 3000 } 3001 } 3002 case range-match { 3003 list range-ipv4-header-length { 3004 key "start-ipv4-header-length 3005 end-ipv4-header-length"; 3006 leaf start-ipv4-header-length { 3007 type uint8 { 3008 range "5..15"; 3009 } 3010 description 3011 "Start IPv4 header length for a range match."; 3012 } 3014 leaf end-ipv4-header-length { 3015 type uint8 { 3016 range "5..15"; 3017 } 3018 description 3019 "End IPv4 header length for a range match."; 3020 } 3021 description 3022 "Range match for an IPv4 
header length."; 3023 } 3024 } 3025 } 3026 description 3027 "The security policy rule according to 3028 IPv4 header length."; 3029 reference 3030 "RFC 791: Internet Protocol - Header length"; 3031 } 3033 leaf-list pkt-sec-ipv4-tos { 3034 type identityref { 3035 base type-of-service; 3036 } 3037 description 3038 "The security policy rule according to 3039 IPv4 type of service."; 3040 reference 3041 "RFC 791: Internet Protocol - Type of service"; 3042 } 3044 container pkt-sec-ipv4-total-length { 3045 choice match-type { 3046 description 3047 "There are two types to configure a security 3048 policy for IPv4 total length, such as exact match 3049 and range match."; 3050 case exact-match { 3051 leaf-list ipv4-total-length { 3052 type uint16; 3053 description 3054 "Exact match for an IPv4 total length."; 3055 } 3056 } 3057 case range-match { 3058 list range-ipv4-total-length { 3059 key "start-ipv4-total-length end-ipv4-total-length"; 3060 leaf start-ipv4-total-length { 3061 type uint16; 3062 description 3063 "Start IPv4 total length for a range match."; 3064 } 3065 leaf end-ipv4-total-length { 3066 type uint16; 3067 description 3068 "End IPv4 total length for a range match."; 3069 } 3070 description 3071 "Range match for an IPv4 total length."; 3072 } 3073 } 3074 } 3075 description 3076 "The security policy rule according to 3077 IPv4 total length."; 3078 reference 3079 "RFC 791: Internet Protocol - Total length"; 3080 } 3082 leaf-list pkt-sec-ipv4-id { 3083 type uint16; 3084 description 3085 "The security policy rule according to 3086 IPv4 identification."; 3088 reference 3089 "RFC 791: Internet Protocol - Identification"; 3090 } 3092 leaf-list pkt-sec-ipv4-fragment-flags { 3093 type identityref { 3094 base fragmentation-flags-type; 3095 } 3096 description 3097 "The security policy rule according to 3098 IPv4 fragment flags."; 3099 reference 3100 "RFC 791: Internet Protocol - Fragment flags"; 3101 } 3103 container pkt-sec-ipv4-fragment-offset { 3104 choice match-type { 
3105 description 3106 "There are two types to configure a security 3107 policy for IPv4 fragment offset, such as exact match 3108 and range match."; 3109 case exact-match { 3110 leaf-list ipv4-fragment-offset { 3111 type uint16 { 3112 range "0..16383"; 3113 } 3114 description 3115 "Exact match for an IPv4 fragment offset."; 3116 } 3117 } 3118 case range-match { 3119 list range-ipv4-fragment-offset { 3120 key "start-ipv4-fragment-offset 3121 end-ipv4-fragment-offset"; 3122 leaf start-ipv4-fragment-offset { 3123 type uint16 { 3124 range "0..16383"; 3125 } 3126 description 3127 "Start IPv4 fragment offset for a range match."; 3128 } 3129 leaf end-ipv4-fragment-offset { 3130 type uint16 { 3131 range "0..16383"; 3132 } 3133 description 3134 "End IPv4 fragment offset for a range match."; 3135 } 3136 description 3137 "Range match for an IPv4 fragment offset."; 3138 } 3139 } 3140 } 3141 description 3142 "The security policy rule according to 3143 IPv4 fragment offset."; 3144 reference 3145 "RFC 791: Internet Protocol - Fragment offset"; 3146 } 3148 container pkt-sec-ipv4-ttl { 3149 choice match-type { 3150 description 3151 "There are two types to configure a security 3152 policy for IPv4 TTL, such as exact match 3153 and range match."; 3154 case exact-match { 3155 leaf-list ipv4-ttl { 3156 type uint8; 3157 description 3158 "Exact match for an IPv4 TTL."; 3159 } 3160 } 3161 case range-match { 3162 list range-ipv4-ttl { 3163 key "start-ipv4-ttl end-ipv4-ttl"; 3164 leaf start-ipv4-ttl { 3165 type uint8; 3166 description 3167 "Start IPv4 TTL for a range match."; 3168 } 3169 leaf end-ipv4-ttl { 3170 type uint8; 3171 description 3172 "End IPv4 TTL for a range match."; 3173 } 3174 description 3175 "Range match for an IPv4 TTL."; 3176 } 3177 } 3178 } 3179 description 3180 "The security policy rule according to 3181 IPv4 time-to-live (TTL)."; 3182 reference 3183 "RFC 791: Internet Protocol - Time to live"; 3185 } 3187 leaf-list pkt-sec-ipv4-protocol { 3188 type identityref { 3189 
base protocol; 3190 } 3191 description 3192 "The security policy rule according to 3193 IPv4 protocol."; 3194 reference 3195 "RFC 791: Internet Protocol - Protocol"; 3196 } 3198 container pkt-sec-ipv4-src { 3199 uses pkt-sec-ipv4; 3200 description 3201 "The security policy rule according to 3202 IPv4 source address."; 3203 reference 3204 "RFC 791: Internet Protocol - IPv4 Address"; 3205 } 3207 container pkt-sec-ipv4-dest { 3208 uses pkt-sec-ipv4; 3209 description 3210 "The security policy rule according to 3211 IPv4 destination address."; 3212 reference 3213 "RFC 791: Internet Protocol - IPv4 Address"; 3214 } 3216 leaf-list pkt-sec-ipv4-ipopts { 3217 type identityref { 3218 base ipopts; 3219 } 3220 description 3221 "The security policy rule according to 3222 IPv4 options."; 3223 reference 3224 "RFC 791: Internet Protocol - Options"; 3225 } 3227 leaf pkt-sec-ipv4-sameip { 3228 type boolean; 3229 description 3230 "Every packet has a source IP-address and 3231 a destination IP-address. It can be that 3232 the source IP is the same as 3233 the destination IP."; 3234 } 3236 leaf-list pkt-sec-ipv4-geoip { 3237 type string; 3238 description 3239 "The geoip keyword enables you to match on 3240 the source, destination or source and destination 3241 IP addresses of network traffic and to see to 3242 which country it belongs. 
To do this, Suricata 3243 uses GeoIP API with MaxMind database format."; 3244 } 3245 } 3247 container packet-security-ipv6-condition { 3248 description 3249 "The purpose of this container is to represent 3250 IPv6 packet header information to determine 3251 if the set of policy actions in this ECA policy 3252 rule should be executed or not."; 3253 reference 3254 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3255 Specification"; 3257 leaf ipv6-description { 3258 type string; 3259 description 3260 "This is description for ipv6 condition."; 3261 } 3263 leaf-list pkt-sec-ipv6-traffic-class { 3264 type identityref { 3265 base traffic-class; 3266 } 3267 description 3268 "The security policy rule according to 3269 IPv6 traffic class."; 3270 reference 3271 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3272 Specification - Traffic class"; 3273 } 3275 container pkt-sec-ipv6-flow-label { 3276 choice match-type { 3277 description 3278 "There are two types to configure a security 3279 policy for IPv6 flow label, such as exact match 3280 and range match."; 3281 case exact-match { 3282 leaf-list ipv6-flow-label { 3283 type uint32 { 3284 range "0..1048575"; 3285 } 3286 description 3287 "Exact match for an IPv6 flow label."; 3288 } 3289 } 3290 case range-match { 3291 list range-ipv6-flow-label { 3292 key "start-ipv6-flow-label end-ipv6-flow-label"; 3293 leaf start-ipv6-flow-label { 3294 type uint32 { 3295 range "0..1048575"; 3296 } 3297 description 3298 "Start IPv6 flow label for a range match."; 3299 } 3300 leaf end-ipv6-flow-label { 3301 type uint32 { 3302 range "0..1048575"; 3303 } 3304 description 3305 "End IPv6 flow label for a range match."; 3306 } 3307 description 3308 "Range match for an IPv6 flow label."; 3309 } 3310 } 3311 } 3312 description 3313 "The security policy rule according to 3314 IPv6 flow label."; 3315 reference 3316 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3317 Specification - Flow label"; 3318 } 3320 container pkt-sec-ipv6-payload-length { 3321 choice 
match-type { 3322 description 3323 "There are two types to configure a security 3324 policy for IPv6 payload length, such as 3325 exact match and range match."; 3326 case exact-match { 3327 leaf-list ipv6-payload-length { 3328 type uint16; 3329 description 3330 "Exact match for an IPv6 payload length."; 3331 } 3332 } 3333 case range-match { 3334 list range-ipv6-payload-length { 3335 key "start-ipv6-payload-length 3336 end-ipv6-payload-length"; 3337 leaf start-ipv6-payload-length { 3338 type uint16; 3339 description 3340 "Start IPv6 payload length for a range match."; 3341 } 3342 leaf end-ipv6-payload-length { 3343 type uint16; 3344 description 3345 "End IPv6 payload length for a range match."; 3346 } 3347 description 3348 "Range match for an IPv6 payload length."; 3349 } 3350 } 3351 } 3352 description 3353 "The security policy rule according to 3354 IPv6 payload length."; 3355 reference 3356 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3357 Specification - Payload length"; 3358 } 3360 leaf-list pkt-sec-ipv6-next-header { 3361 type identityref { 3362 base next-header; 3363 } 3364 description 3365 "The security policy rule according to 3366 IPv6 next header."; 3367 reference 3368 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3369 Specification - Next header"; 3370 } 3372 container pkt-sec-ipv6-hop-limit { 3373 choice match-type { 3374 description 3375 "There are two types to configure a security 3376 policy for IPv6 hop limit, such as exact match 3377 and range match."; 3378 case exact-match { 3379 leaf-list ipv6-hop-limit { 3380 type uint8; 3381 description 3382 "Exact match for an IPv6 hop limit."; 3383 } 3384 } 3385 case range-match { 3386 list range-ipv6-hop-limit { 3387 key "start-ipv6-hop-limit end-ipv6-hop-limit"; 3388 leaf start-ipv6-hop-limit { 3389 type uint8; 3390 description 3391 "Start IPv6 hop limit for a range match."; 3392 } 3393 leaf end-ipv6-hop-limit { 3394 type uint8; 3395 description 3396 "End IPv6 hop limit for a range match."; 3397 } 3398 
description 3399 "Range match for an IPv6 hop limit."; 3400 } 3401 } 3402 } 3403 description 3404 "The security policy rule according to 3405 IPv6 hop limit."; 3406 reference 3407 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3408 Specification - Hop limit"; 3409 } 3411 container pkt-sec-ipv6-src { 3412 uses pkt-sec-ipv6; 3413 description 3414 "The security policy rule according to 3415 IPv6 source address."; 3416 reference 3417 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3418 Specification - IPv6 address"; 3419 } 3421 container pkt-sec-ipv6-dest { 3422 uses pkt-sec-ipv6; 3423 description 3424 "The security policy rule according to 3425 IPv6 destination address."; 3426 reference 3427 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3428 Specification - IPv6 address"; 3429 } 3431 } 3433 container packet-security-tcp-condition { 3434 description 3435 "The purpose of this container is to represent 3436 TCP packet header information to determine 3437 if the set of policy actions in this ECA policy 3438 rule should be executed or not."; 3439 reference 3440 "RFC 793: Transmission Control Protocol"; 3442 leaf tcp-description { 3443 type string; 3444 description 3445 "This is description for tcp condition."; 3446 } 3448 container pkt-sec-tcp-src-port-num { 3449 uses pkt-sec-port-number; 3450 description 3451 "The security policy rule according to 3452 tcp source port number."; 3453 reference 3454 "RFC 793: Transmission Control Protocol 3455 - Port number"; 3456 } 3458 container pkt-sec-tcp-dest-port-num { 3459 uses pkt-sec-port-number; 3460 description 3461 "The security policy rule according to 3462 tcp destination port number."; 3463 reference 3464 "RFC 793: Transmission Control Protocol 3465 - Port number"; 3466 } 3468 container pkt-sec-tcp-seq-num { 3469 choice match-type { 3470 description 3471 "There are two types to configure a security 3472 policy for tcp sequence number, 3473 such as exact match and range match."; 3474 case exact-match { 3475 leaf-list 
                  tcp-seq-num {
                    type uint32;
                    description
                      "Exact match for a TCP sequence number.";
                  }
                }
                case range-match {
                  list range-tcp-seq-num {
                    key "start-tcp-seq-num end-tcp-seq-num";
                    leaf start-tcp-seq-num {
                      type uint32;
                      description
                        "Start TCP sequence number for a range match.";
                    }
                    leaf end-tcp-seq-num {
                      type uint32;
                      description
                        "End TCP sequence number for a range match.";
                    }
                    description
                      "Range match for a TCP sequence number.";
                  }
                }
              }
              description
                "The security policy rule according to
                 TCP sequence number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Sequence number";
            }

            container pkt-sec-tcp-ack-num {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for TCP acknowledgement number,
                   such as exact match and range match.";
                case exact-match {
                  leaf-list tcp-ack-num {
                    type uint32;
                    description
                      "Exact match for a TCP acknowledgement number.";
                  }
                }
                case range-match {
                  list range-tcp-ack-num {
                    key "start-tcp-ack-num end-tcp-ack-num";
                    leaf start-tcp-ack-num {
                      type uint32;
                      description
                        "Start TCP acknowledgement number
                         for a range match.";
                    }
                    leaf end-tcp-ack-num {
                      type uint32;
                      description
                        "End TCP acknowledgement number
                         for a range match.";
                    }
                    description
                      "Range match for a TCP acknowledgement number.";
                  }
                }
              }
              description
                "The security policy rule according to
                 TCP acknowledgement number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Acknowledgement number";
            }

            container pkt-sec-tcp-window-size {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for TCP window size,
                   such as exact match and range match.";
                case exact-match {
                  leaf-list tcp-window-size {
                    type uint16;
                    description
                      "Exact match for a TCP window size.";
                  }
                }
                case range-match {
                  list range-tcp-window-size {
                    key "start-tcp-window-size end-tcp-window-size";
                    leaf start-tcp-window-size {
                      type uint16;
                      description
                        "Start TCP window size for a range match.";
                    }
                    leaf end-tcp-window-size {
                      type uint16;
                      description
                        "End TCP window size for a range match.";
                    }
                    description
                      "Range match for a TCP window size.";
                  }
                }
              }
              description
                "The security policy rule according to
                 TCP window size.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Window size";
            }

            leaf-list pkt-sec-tcp-flags {
              type identityref {
                base tcp-flags;
              }
              description
                "The security policy rule according to
                 TCP flags.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Flags";
            }
          }

          container packet-security-udp-condition {
            description
              "The purpose of this container is to represent
               UDP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 768: User Datagram Protocol";

            leaf udp-description {
              type string;
              description
                "This is the description for the UDP condition.";
            }

            container pkt-sec-udp-src-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 UDP source port number.";
              reference
                "RFC 768: User Datagram Protocol
                 - Port number";
            }

            container pkt-sec-udp-dest-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 UDP destination port number.";
              reference
                "RFC 768: User Datagram Protocol
                 - Port number";
            }

            container pkt-sec-udp-total-length {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for UDP total length,
                   such as exact match and range match.";
                case exact-match {
                  leaf-list udp-total-length {
                    type uint16;
                    description
                      "Exact match for a UDP total length.";
                  }
                }
                case range-match {
                  list range-udp-total-length {
                    key "start-udp-total-length end-udp-total-length";
                    leaf start-udp-total-length {
                      type uint16;
                      description
                        "Start UDP total length for a range match.";
                    }
                    leaf end-udp-total-length {
                      type uint16;
                      description
                        "End UDP total length for a range match.";
                    }
                    description
                      "Range match for a UDP total length.";
                  }
                }
              }
              description
                "The security policy rule according to
                 UDP total length.";
              reference
                "RFC 768: User Datagram Protocol
                 - Total Length";
            }
          }

          container packet-security-icmp-condition {
            description
              "The purpose of this container is to represent
               ICMP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 792: Internet Control Message Protocol
               RFC 8335: PROBE: A Utility for Probing Interfaces";

            leaf icmp-description {
              type string;
              description
                "This is the description for the ICMP condition.";
            }

            leaf-list pkt-sec-icmp-type-and-code {
              type identityref {
                base icmp-type;
              }
              description
                "The security policy rule according to
                 ICMP parameters.";
              reference
                "RFC 792: Internet Control Message Protocol
                 RFC 8335: PROBE: A Utility for Probing Interfaces";
            }
          }

          container packet-security-url-category-condition {
            description
              "Condition for URL category";

            leaf url-category-description {
              type string;
              description
                "This is the description for the URL category condition.
                 Vendors can write instructions for the URL category
                 condition that the vendor made.";
            }

            leaf-list pre-defined-category {
              type string;
              description
                "This is a pre-defined category.";
            }
            leaf-list user-defined-category {
              type string;
              description
                "This is a user-defined category.";
            }
          }

          container packet-security-voice-condition {
            description
              "For the VoIP/VoLTE security system, a VoIP/
               VoLTE security system can monitor each
               VoIP/VoLTE flow and manage VoIP/VoLTE
               security rules controlled by a centralized
               server for VoIP/VoLTE security service
               (called VoIP IPS). The VoIP/VoLTE security
               system controls each switch for the
               VoIP/VoLTE call flow management by
               manipulating the rules that can be added,
               deleted, or modified dynamically.";
            reference
              "RFC 3261: SIP: Session Initiation Protocol";

            leaf voice-description {
              type string;
              description
                "This is the description for the voice condition.";
            }

            leaf-list pkt-sec-src-voice-id {
              type string;
              description
                "The security policy rule according to
                 a source voice ID for VoIP and VoLTE.";
            }
            leaf-list pkt-sec-dest-voice-id {
              type string;
              description
                "The security policy rule according to
                 a destination voice ID for VoIP and VoLTE.";
            }

            leaf-list pkt-sec-user-agent {
              type string;
              description
                "The security policy rule according to
                 a user agent for VoIP and VoLTE.";
            }
          }

          container packet-security-ddos-condition {
            description
              "Condition for DDoS attack.";

            leaf ddos-description {
              type string;
              description
                "This is the description for the DDoS condition.";
            }

            leaf pkt-sec-alert-rate {
              type uint32;
              description
                "The alert rate of flood detection for
                 identical packets.";
            }
          }

          container packet-security-payload-condition {
            description
              "Condition for packet payload";
            leaf packet-payload-description {
              type string;
              description
                "This is the description for the payload condition.
                 Vendors can write instructions for the payload
                 condition that the vendor made.";
            }
            leaf-list pkt-payload-content {
              type string;
              description
                "The content keyword is very important in
                 signatures. Between the quotation marks you
                 can write on what you would like the
                 signature to match.";
            }
          }

          container context-condition {
            description
              "Condition for context";
            leaf context-description {
              type string;
              description
                "This is the description for the context condition.
                 Vendors can write instructions for the context
                 condition that the vendor made.";
            }

            leaf-list acl-number {
              type uint32;
              description
                "This is the ACL number.";
            }

            container application-condition {
              description
                "Condition for application";
              leaf application-description {
                type string;
                description
                  "This is the description for the application condition.";
              }
              leaf-list application-object {
                type string;
                description
                  "This is an application object.";
              }
              leaf-list application-group {
                type string;
                description
                  "This is an application group.";
              }
              leaf-list application-label {
                type string;
                description
                  "This is an application label.";
              }
              container category {
                description
                  "This is the application category";

                list application-category {
                  key "name application-subcategory";
                  description
                    "This is the application category list";
                  leaf name {
                    type string;
                    description
                      "This is the name for the application category.";
                  }
                  leaf application-subcategory {
                    type string;
                    description
                      "This is the application subcategory.";
                  }
                }
              }
            }

            container target-condition {
              description
                "Condition for target";
              leaf target-description {
                type
                  string;
                description
                  "This is the description for the target condition.
                   Vendors can write instructions for the target
                   condition that the vendor made.";
              }

              container device-sec-context-cond {
                description
                  "The device attribute that can identify a device,
                   including the device type (i.e., router, switch,
                   pc, ios, or android) and the device's owner as
                   well.";

                leaf-list target-device {
                  type identityref {
                    base target-device;
                  }
                  description
                    "Leaf list for target devices";
                }
              }
            }

            container users-condition {
              description
                "Condition for users";
              leaf users-description {
                type string;
                description
                  "This is the description for the user condition.
                   Vendors can write instructions for the user
                   condition that the vendor made.";
              }
              container user {
                description
                  "The user (or user group) information with which
                   network flow is associated: The user has many
                   attributes such as name, id, password, type,
                   authentication mode and so on. Name/id is often
                   used in the security policy to identify the user.
                   Besides, NSF is aware of the IP address of the
                   user provided by a unified user management system
                   via network. Based on name-address association,
                   NSF is able to enforce the security functions
                   over the given user (or user group).";

                choice user-name {
                  description
                    "The name of the user.
                     This must be unique.";

                  case tenant {
                    description
                      "Tenant information.";

                    leaf tenant {
                      type uint8;
                      mandatory true;
                      description
                        "User's tenant information.";
                    }
                  }

                  case vn-id {
                    description
                      "VN-ID information.";

                    leaf vn-id {
                      type uint8;
                      mandatory true;
                      description
                        "User's VN-ID information.";
                    }
                  }
                }
              }

              container group {
                description
                  "The user (or user group) information with which
                   network flow is associated: The user has many
                   attributes such as name, id, password, type,
                   authentication mode and so on. Name/id is often
                   used in the security policy to identify the user.
                   Besides, NSF is aware of the IP address of the
                   user provided by a unified user management system
                   via network. Based on name-address association,
                   NSF is able to enforce the security functions
                   over the given user (or user group).";

                choice group-name {
                  description
                    "The name of the group.
                     This must be unique.";

                  case tenant {
                    description
                      "Tenant information.";

                    leaf tenant {
                      type uint8;
                      mandatory true;
                      description
                        "Group's tenant information.";
                    }
                  }

                  case vn-id {
                    description
                      "VN-ID information.";

                    leaf vn-id {
                      type uint8;
                      mandatory true;
                      description
                        "Group's VN-ID information.";
                    }
                  }
                }
              }
              leaf security-group {
                type string;
                mandatory true;
                description
                  "The security group of the user or user group.";
              }
            }

            container gen-context-condition {
              description
                "Condition for generic context";
              leaf gen-context-description {
                type string;
                description
                  "This is the description for the generic context condition.
                   Vendors can write instructions for the generic context
                   condition that the vendor made.";
              }

              container geographic-location {
                description
                  "The location with which network traffic is
                   associated. The region can be the geographic location
                   such as country, province, and city,
                   as well as the logical network location such as
                   IP address, network section, and network domain.";

                leaf-list src-geographic-location {
                  type uint32;
                  description
                    "This is mapped to an IP address. We can acquire the
                     source region through the IP address stored in the
                     database.";
                }
                leaf-list dest-geographic-location {
                  type uint32;
                  description
                    "This is mapped to an IP address. We can acquire the
                     destination region through the IP address stored
                     in the database.";
                }
              }
            }
          }
        }
        container action-clause-container {
          description
            "An action is used to control and monitor aspects of
             flow-based NSFs when the event and condition clauses
             are satisfied. NSFs provide security functions by
             executing various Actions.
             Examples of I2NSF Actions
             include providing intrusion detection and/or protection,
             web and flow filtering, and deep packet inspection
             for packets and flows.";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - I2NSF Flow Security Policy Structure
             draft-ietf-i2nsf-capability-04: Information Model
             of NSFs Capabilities - Design Principles and ECA Policy
             Model Overview";

          leaf action-clause-description {
            type string;
            description
              "Description for an action clause.";
          }

          container packet-action {
            description
              "Action for packets";
            reference
              "RFC 8329: Framework for Interface to Network Security
               Functions - I2NSF Flow Security Policy Structure
               draft-ietf-i2nsf-capability-04: Information Model
               of NSFs Capabilities - Design Principles and ECA
               Policy Model Overview";

            leaf ingress-action {
              type identityref {
                base ingress-action;
              }
              description
                "Ingress action: pass, drop, reject, alert, and mirror.";
            }

            leaf egress-action {
              type identityref {
                base egress-action;
              }
              description
                "Egress action: pass, drop, reject, alert, mirror,
                 invoke-signaling, tunnel-encapsulation,
                 forwarding, and redirection.";
            }

            leaf log-action {
              type identityref {
                base log-action;
              }
              description
                "Log action: rule log and session log";
            }
          }

          container advanced-action {
            description
              "If the packet needs to be additionally inspected,
               the packet is passed to advanced network
               security functions according to the profile.";
            reference
              "RFC 8329: Framework for Interface to Network Security
               Functions - Differences from ACL Data Models";

            leaf-list content-security-control {
              type identityref {
                base content-security-control;
              }
              description
                "The Profile is divided into content security
                 control and
                 attack-mitigation-control.
                 Content security control: antivirus, ips, ids,
                 url filtering, mail filtering, file blocking,
                 file isolate, packet capture, application control,
                 voip and volte.";
            }

            leaf-list attack-mitigation-control {
              type identityref {
                base attack-mitigation-control;
              }
              description
                "The Profile is divided into content security
                 control and attack-mitigation-control.
                 Attack mitigation control: syn flood, udp flood,
                 icmp flood, ip frag flood, ipv6 related, http flood,
                 https flood, dns flood, dns amp flood, ssl ddos,
                 ip sweep, port scanning, ping of death, teardrop,
                 oversized icmp, tracert.";
            }
          }
        }
      }
      container rule-group {
        description
          "This is a rule group";

        list groups {
          key "group-name";
          description
            "This is a group for rules";

          leaf group-name {
            type string;
            description
              "This is the name of a group for rules";
          }

          container rule-range {
            description
              "This is a rule range.";

            leaf start-rule {
              type string;
              description
                "This is a start rule";
            }
            leaf end-rule {
              type string;
              description
                "This is an end rule";
            }
          }
          leaf enable {
            type boolean;
            description
              "This enables the rule group.
               False means the group is not enabled.";
          }
          leaf description {
            type string;
            description
              "This is a description for the rule-group";
          }
        }
      }
    }
  }
  container i2nsf-ipsec {
    description
      "Internet Key Exchange for NSFs
       in the I2NSF framework";

    container ike {
      description
        "IKE case: IPsec with IKE in the NSF";
      /*
      uses "iii:ikev2";
      */
      reference
        "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
         - ike";
    }

    container ikeless {
      description
        "IKEless case: IPsec without IKEv2 in the NSF";
      /*
      uses "iiil:ietf-ipsec";
      */
      reference
        "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
         - ikeless";
    }
  }
}

          Figure 6: YANG Data Module of I2NSF NSF-Facing-Interface

6. IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf

      Registrant Contact: The IESG.

      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950].

      name: ietf-i2nsf-policy-rule-for-nsf

      namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf

      prefix: iiprfn

      reference: RFC XXXX

7. Security Considerations

   The YANG module specified in this document defines a data schema
   designed to be accessed through network management protocols such as
   NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is
   the secure transport layer, and the required secure transport is
   Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS,
   and the required secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

8. References

8.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A.
              Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8431]  Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
              S., and N. Bahadur, "A YANG Data Model for the Routing
              Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
              September 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

8.2. Informative References

   [draft-ietf-i2nsf-sdn-ipsec-flow-protection]
              Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia,
              "Software-Defined Networking (SDN)-based IPsec Flow
              Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
              (work in progress), March 2019.

   [i2nsf-advanced-nsf-dm]
              Pan, W. and L. Xia, "Configuration of Advanced Security
              Functions with I2NSF Security Controller",
              draft-dong-i2nsf-asf-config-01 (work in progress),
              October 2018.

   [i2nsf-nsf-cap-dm]
              Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
              "I2NSF Capability YANG Data Model",
              draft-ietf-i2nsf-capability-data-model-03 (work in
              progress), March 2019.

   [i2nsf-nsf-cap-im]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities",
              draft-ietf-i2nsf-capability-04 (work in progress),
              October 2018.

   [supa-policy-info-model]
              Strassner, J., Halpern, J., and S. Meer, "Generic Policy
              Information Model for Simplified Use of Policy
              Abstractions (SUPA)",
              draft-ietf-supa-generic-policy-info-model-03 (work in
              progress), May 2017.

Appendix A. Configuration Examples

   This section shows configuration examples of the
   "ietf-i2nsf-policy-rule-for-nsf" module for security policy rules of
   network security devices. For the security requirements, we assume
   that the NSFs (i.e., general firewall, time based firewall, URL
   filter, VoIP/VoLTE filter, and HTTP and HTTPS flood mitigation)
   described in Appendix A (Configuration Examples) of
   [i2nsf-nsf-cap-dm] are registered in the I2NSF framework. With the
   registered NSFs, we show configuration examples for security policy
   rules of network security functions according to the following three
   security requirements: (i) block SNS access during business hours,
   (ii) block malicious VoIP/VoLTE packets coming to the company, and
   (iii) mitigate HTTP and HTTPS flood attacks on the company web
   server.

A.1. Security Requirement 1: Block SNS Access during Business Hours

   This section shows a configuration example for blocking SNS access
   during business hours.
   [Figure 7 is an XML configuration document whose element tags were
   lost in extraction; the surviving element values are sns_access,
   block_sns_access_during_operation_time, 09:00:00Z, 18:00:00Z,
   221.159.112.1, 221.159.112.90, and url-filtering.]

      Figure 7: Configuration XML for Time based Firewall to Block SNS
                        Access during Business Hours

   [Figure 8 is an XML configuration document whose element tags were
   lost in extraction; the surviving element values are sns_access,
   block_sns_access_during_operation_time, facebook, instagram, and
   drop.]

      Figure 8: Configuration XML for Web Filter to Block SNS Access
                          during Business Hours

   Figure 7 and Figure 8 show the configuration XML documents for the
   time based firewall and the web filter that block SNS access during
   business hours. For this security requirement, two NSFs (i.e., a
   time based firewall and a web filter) were used because one NSF can
   not meet the security requirement. The instances of the XML
   documents for the time based firewall and the web filter are as
   follows. Note that a detailed data model for the configuration of
   the advanced network security function (i.e., web filter) is
   described in [i2nsf-advanced-nsf-dm].

   Time based Firewall

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_sns_access_during_operation_time.

   3.  The rule is operated during the business hours (i.e., from 9 a.m.
       to 6 p.m.).

   4.  The rule inspects a source IPv4 address (i.e., from 221.159.112.1
       to 221.159.112.90) to inspect the outgoing packets of employees.

   5.  If the outgoing packets match the rules above, the time based
       firewall sends the packets to URL filtering for additional
       inspection because the time based firewall can not inspect the
       contents of the packets for the SNS URL.

   Web Filter

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_facebook_and_instagram.

   3.  The rule inspects the URL address to block the access packets to
       Facebook or Instagram.

   4.  If the outgoing packets match the rules above, the packets are
       blocked.

A.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming
     to the Company

   This section shows a configuration example for blocking malicious
   VoIP/VoLTE packets coming to the company.

   [Figure 9 is an XML configuration document whose element tags were
   lost in extraction; the surviving element values are
   voip_volte_inspection, block_malicious_voice_id, 221.159.112.1,
   221.159.112.90, 5060, 5061, and voip-volte.]

      Figure 9: Configuration XML for General Firewall to Block Malicious
                  VoIP/VoLTE Packets Coming to the Company

   [Figure 10 is an XML configuration document whose element tags were
   lost in extraction; the surviving element values are
   voip_volte_inspection, block_malicious_voice_id,
   11111@voip.black.com, 22222@voip.black.com, and drop.]

     Figure 10: Configuration XML for VoIP/VoLTE Filter to Block Malicious
                   VoIP/VoLTE Packets Coming to the Company

   Figure 9 and Figure 10 show the configuration XML documents for the
   general firewall and the VoIP/VoLTE filter that block malicious
   VoIP/VoLTE packets coming to the company. For this security
   requirement, two NSFs (i.e., a general firewall and a VoIP/VoLTE
   filter) were used because one NSF can not meet the security
   requirement. The instances of the XML documents for the general
   firewall and the VoIP/VoLTE filter are as follows. Note that a
   detailed data model for the configuration of the advanced network
   security function (i.e., VoIP/VoLTE filter) is described in
   [i2nsf-advanced-nsf-dm].

   General Firewall

   1.  The name of the system policy is voip_volte_inspection.

   2.  The name of the rule is block_malicious_voip_volte_packets.

   3.  The rule inspects a destination IPv4 address (i.e., from
       221.159.112.1 to 221.159.112.90) to inspect the packets coming
       into the company.

   4.  The rule inspects a port number (i.e., 5060 and 5061) to inspect
       VoIP/VoLTE packets.

   5.  If the incoming packets match the rules above, the general
       firewall sends the packets to the VoIP/VoLTE filter for
       additional inspection because the general firewall can not
       inspect the contents of the VoIP/VoLTE packets.

   VoIP/VoLTE Filter

   1.  The name of the system policy is malicious_voice_id.

   2.  The name of the rule is block_malicious_voice_id.

   3.  The rule inspects the voice ID of the VoIP/VoLTE packets to block
       the malicious VoIP/VoLTE packets (i.e., 11111@voip.black.com and
       22222@voip.black.com).

   4.  If the incoming packets match the rules above, the packets are
       blocked.

A.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a
     Company Web Server

   This section shows a configuration example for mitigating HTTP and
   HTTPS flood attacks on a company web server.

   [Figure 11 is an XML configuration document whose element tags were
   lost in extraction; the surviving element values are
   flood_attack_mitigation, mitigate_http_and_https_flood_attack,
   221.159.112.95, 80, 443, and http-and-https-flood.]

     Figure 11: Configuration XML for General Firewall to Mitigate HTTP
             and HTTPS Flood Attacks on a Company Web Server

   [Figure 12 is an XML configuration document whose element tags were
   lost in extraction; the surviving element values are
   flood_attack_mitigation, mitigate_http_and_https_flood_attack, 100,
   and drop.]

      Figure 12: Configuration XML for HTTP and HTTPS Flood Attack
      Mitigation to Mitigate HTTP and HTTPS Flood Attacks on a Company
                                Web Server

   Figure 11 and Figure 12 show the configuration XML documents for the
   general firewall and the HTTP and HTTPS flood attack mitigation that
   mitigate HTTP and HTTPS flood attacks on a company web server. For
   this security requirement, two NSFs (i.e., a general firewall and an
   HTTP and HTTPS flood attack mitigation) were used because one NSF
   can not meet the security requirement. The instances of the XML
   documents for the general firewall and the HTTP and HTTPS flood
   attack mitigation are as follows. Note that a detailed data model
   for the configuration of the advanced network security function
   (i.e., HTTP and HTTPS flood attack mitigation) is described in
   [i2nsf-advanced-nsf-dm].

   General Firewall

   1.  The name of the system policy is flood_attack_mitigation.

   2.  The name of the rule is mitigate_http_and_https_flood_attack.

   3.  The rule inspects a destination IPv4 address (i.e.,
       221.159.112.95) to inspect the access packets coming into the
       company web server.

   4.  The rule inspects a port number (i.e., 80 and 443) to inspect
       HTTP and HTTPS packets.

   5.  If the packets match the rules above, the general firewall sends
       the packets to the HTTP and HTTPS flood attack mitigation for
       additional inspection because the general firewall can not
       control the amount of HTTP and HTTPS packets.

   HTTP and HTTPS Flood Attack Mitigation

   1.  The name of the system policy is
       http_and_https_flood_attack_mitigation.

   2.  The name of the rule is 100_per_second.

   3.  The rule controls the HTTP and HTTPS packets according to the
       amount of incoming packets.

   4.  If the incoming packets match the rules above, the packets are
       blocked.

Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-04

   The following changes are made from
   draft-ietf-i2nsf-nsf-facing-interface-dm-04:

   o  We changed the HTTP fields to URL category fields.

   o  We added fields for a context condition (e.g., ACL number,
      application, target, user, group, and geography).

   o  We added an I2NSF IPsec field for configuration and state data for
      IPsec management.
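   The three two-stage policies walked through in Appendix A, as an
   added example that is not part of this draft or of any I2NSF
   implementation: a first-stage firewall rule matches packet-header
   conditions and hands the packet to an advanced NSF named by its
   advanced-action profile, which then decides pass or drop. The Packet
   and FirewallRule structures, first-match ordering, the default pass
   action and the reading of pkt-sec-alert-rate as a threshold are
   assumptions of this example; the addresses, ports, times, URL
   categories, voice IDs and rate are the values from Figures 7 to 12.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import IPv4Address
from typing import Callable, Dict, Optional, Tuple


# Constructed packet record holding only the fields the Appendix A rules look at.
@dataclass(frozen=True)
class Packet:
    src: str                              # source IPv4 address
    dst: str                              # destination IPv4 address
    dst_port: int                         # destination port
    at: time                              # arrival time, assumed UTC like "09:00:00Z" in Figure 7
    url_category: Optional[str] = None    # assumed output of the web filter's URL classifier
    voice_id: Optional[str] = None        # SIP identity seen by the VoIP/VoLTE filter
    rate_pps: int = 0                     # identical packets per second counted by the flood mitigator


def in_ipv4_range(addr: str, start: str, end: str) -> bool:
    """Inclusive range match, mirroring the start/end leaf pairs of the range-match cases."""
    return IPv4Address(start) <= IPv4Address(addr) <= IPv4Address(end)


@dataclass(frozen=True)
class FirewallRule:
    """First-stage rule: header conditions plus the advanced-action profile
    (a content-security-control or attack-mitigation-control identity) to hand off to."""
    name: str
    handoff: str                                   # e.g. "url-filtering", "voip-volte", "http-and-https-flood"
    src_range: Optional[Tuple[str, str]] = None    # inclusive source IPv4 range
    dst_range: Optional[Tuple[str, str]] = None    # inclusive destination IPv4 range
    dst_ports: Tuple[int, ...] = ()                # exact-match list of destination ports
    hours: Optional[Tuple[time, time]] = None      # inclusive time window

    def matches(self, pkt: Packet) -> bool:
        # Every configured condition must hold; unset conditions are ignored.
        if self.src_range and not in_ipv4_range(pkt.src, *self.src_range):
            return False
        if self.dst_range and not in_ipv4_range(pkt.dst, *self.dst_range):
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        if self.hours and not (self.hours[0] <= pkt.at <= self.hours[1]):
            return False
        return True


# Second-stage (advanced NSF) rules from Figures 8, 10 and 12, keyed by the
# advanced-action identity that hands traffic to them. Each returns an action.
BLOCKED_URL_CATEGORIES = ("facebook", "instagram")
BLOCKED_VOICE_IDS = ("11111@voip.black.com", "22222@voip.black.com")
FLOOD_ALERT_RATE = 100   # pkt-sec-alert-rate from Figure 12 (rule "100_per_second")

ADVANCED_NSFS: Dict[str, Callable[[Packet], str]] = {
    "url-filtering": lambda p: "drop" if p.url_category in BLOCKED_URL_CATEGORIES else "pass",
    "voip-volte": lambda p: "drop" if p.voice_id in BLOCKED_VOICE_IDS else "pass",
    # Assumption: the alert rate is a threshold; exceeding it is treated as a flood.
    "http-and-https-flood": lambda p: "drop" if p.rate_pps > FLOOD_ALERT_RATE else "pass",
}

# First-stage rules from Figures 7, 9 and 11.
FIRST_STAGE_RULES = [
    FirewallRule("block_sns_access_during_operation_time", "url-filtering",
                 src_range=("221.159.112.1", "221.159.112.90"),
                 hours=(time(9, 0), time(18, 0))),
    FirewallRule("block_malicious_voice_id", "voip-volte",
                 dst_range=("221.159.112.1", "221.159.112.90"),
                 dst_ports=(5060, 5061)),
    FirewallRule("mitigate_http_and_https_flood_attack", "http-and-https-flood",
                 dst_range=("221.159.112.95", "221.159.112.95"),
                 dst_ports=(80, 443)),
]


def evaluate(pkt: Packet, rules=FIRST_STAGE_RULES) -> Tuple[Optional[str], str]:
    """Run the two-stage pipeline: (matched first-stage rule name or None, final action).
    First-match ordering and the default "pass" are assumptions of this example."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, ADVANCED_NSFS[rule.handoff](pkt)
    return None, "pass"


if __name__ == "__main__":
    # An employee reaching a social network during business hours (constructed input).
    employee_sns = Packet("221.159.112.10", "198.51.100.20", 443, time(10, 30),
                          url_category="facebook")
    print(evaluate(employee_sns))   # ('block_sns_access_during_operation_time', 'drop')
```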
Appendix C. Acknowledgments

   This work was supported by the Institute for Information &
   communications Technology Promotion (IITP) grant funded by the Korea
   government (MSIP) (No. R-20160222-002755, Cloud based Security
   Intelligence Technology Development for the Customized Security
   Service Provisioning).

Appendix D. Contributors

   This document is made by the group effort of the I2NSF working group.
   Many people actively contributed to this document. The following are
   considered co-authors:

   o  Hyoungshick Kim (Sungkyunkwan University)

   o  Daeyoung Hyun (Sungkyunkwan University)

   o  Dongjin Hong (Sungkyunkwan University)

   o  Liang Xia (Huawei)

   o  Tae-Jin Ahn (Korea Telecom)

   o  Se-Hui Lee (Korea Telecom)

Authors' Addresses

   Jinyong Tim Kim
   Department of Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Jaehoon Paul Jeong
   Department of Software
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax: +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI: http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon 34129
   Republic of Korea

   Phone: +82 42 860 6514
   EMail: pjs@etri.re.kr

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   EMail: linqiushi@huawei.com