I2NSF Working Group                                               J. Kim
Internet-Draft                                                  J. Jeong
Intended status: Standards Track                 Sungkyunkwan University
Expires: December 14, 2019                                       J. Park
                                                                    ETRI
                                                                S. Hares
                                                                  Q. Lin
                                                                  Huawei
                                                           June 12, 2019

     I2NSF Network Security Function-Facing Interface YANG Data Model
                draft-ietf-i2nsf-nsf-facing-interface-dm-06

Abstract

   This document defines a YANG data model for configuring security
   policy rules on Network Security Functions (NSFs).  The YANG data
   model in this document corresponds to the information model for the
   NSF-Facing Interface in Interface to Network Security Functions
   (I2NSF).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 14, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  YANG Tree Diagram
     4.1.  General I2NSF Security Policy Rule
     4.2.  Event Clause
     4.3.  Condition Clause
     4.4.  Action Clause
     4.5.  I2NSF Internet Key Exchange
   5.  YANG Data Module
     5.1.  I2NSF NSF-Facing Interface YANG Data Module
   6.  IANA Considerations
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Configuration Examples
     A.1.  Security Requirement 1: Block SNS Access during Business
           Hours
     A.2.  Security Requirement 2: Block Malicious VoIP/VoLTE Packets
           Coming to the Company
     A.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks
           on a Company Web Server
   Appendix B.  Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-05
   Appendix C.  Acknowledgments
   Appendix D.  Contributors
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020][RFC7950] data model for
   security policy rule configuration of Network Security Functions
   (NSFs).  The YANG data model corresponds to the information model
   [i2nsf-nsf-cap-im] for the NSF-Facing Interface in Interface to
   Network Security Functions (I2NSF).  The YANG data model in this
   document focuses on security policy configuration for generic network
   security functions.  Note that security policy configuration for
   advanced network security functions is described in
   [i2nsf-advanced-nsf-dm].

   This YANG data model uses the "Event-Condition-Action" (ECA) policy
   model that is used as the basis for the design of I2NSF Policy
   described in [RFC8329] and [i2nsf-nsf-cap-im].

   The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this
   document provides the following features.

   o  Configuration for the general security policy rule of a generic
      network security function.

   o  Configuration for an event clause of a generic network security
      function.

   o  Configuration for a condition clause of a generic network security
      function.

   o  Configuration for an action clause of a generic network security
      function.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119][RFC8174].

3.  Terminology

   This document uses the terminology described in
   [i2nsf-nsf-cap-im][RFC8431][supa-policy-info-model].
   In particular, the following terms are taken from
   [supa-policy-info-model]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams
   [RFC8340] is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  YANG Tree Diagram

   This section shows the YANG tree diagrams for generic network
   security functions.  Note that a detailed data model for the
   configuration of advanced network security functions is described in
   [i2nsf-advanced-nsf-dm].  The section describes the following
   subjects:

   o  The general I2NSF security policy rule of a generic network
      security function.

   o  An event clause of a generic network security function.

   o  A condition clause of a generic network security function.

   o  An action clause of a generic network security function.

4.1.  General I2NSF Security Policy Rule

   This section shows the YANG tree diagram for the general I2NSF
   security policy rule.
   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  +--rw system-policy* [system-policy-name]
     |     +--rw system-policy-name     string
     |     +--rw priority-usage?        identityref
     |     +--rw resolution-strategy?   identityref
     |     +--rw default-action?        identityref
     |     +--rw rules* [rule-name]
     |     |  +--rw rule-name                  string
     |     |  +--rw rule-description?          string
     |     |  +--rw rule-priority?             uint8
     |     |  +--rw rule-enable?               boolean
     |     |  +--rw rule-session-aging-time?   uint16
     |     |  +--rw rule-long-connection
     |     |  |  +--rw enable?   boolean
     |     |  |  +--rw during?   uint16
     |     |  +--rw time-zone
     |     |  |  +--rw absolute-time-zone
     |     |  |  |  +--rw start-time?   start-time-type
     |     |  |  |  +--rw end-time?     end-time-type
     |     |  |  +--rw periodic-time-zone
     |     |  |     +--rw day
     |     |  |     |  +--rw every-day?      boolean
     |     |  |     |  +--rw specific-day*   day-type
     |     |  |     +--rw month
     |     |  |        +--rw every-month?      boolean
     |     |  |        +--rw specific-month*   month-type
     |     |  +--rw event-clause-container
     |     |  |  ...
     |     |  +--rw condition-clause-container
     |     |  |  ...
     |     |  +--rw action-clause-container
     |     |     ...
     |     +--rw rule-group
     |        +--rw groups* [group-name]
     |           +--rw group-name     string
     |           +--rw rule-range
     |           |  +--rw start-rule?   string
     |           |  +--rw end-rule?     string
     |           +--rw enable?        boolean
     |           +--rw description?   string
     +--rw i2nsf-ipsec?   identityref

            Figure 1: YANG Tree Diagram for Network Security Policy

   This YANG tree diagram shows the general I2NSF security policy rule
   for generic network security functions.

   The system policy list reflects that there can be multiple system
   policies in one NSF, each used by one virtual instance of the
   NSF/device.  A system policy includes a system policy name, priority
   usage, resolution strategy, default action, and rules.
   A resolution strategy is used to decide how to resolve conflicts that
   occur between the actions of the same or different policy rules that
   are matched and contained in this particular NSF.  The resolution
   strategy is defined as First Matching Rule (FMR), Last Matching Rule
   (LMR), Prioritized Matching Rule with Errors (PMRE), and Prioritized
   Matching Rule with No Errors (PMRN).  The resolution strategy can be
   extended according to specific vendor action features.  The
   resolution strategy is described in detail in [i2nsf-nsf-cap-im].

   A default action is the action the NSF applies to a packet when no
   rule matches it.  The default action is defined as pass, drop,
   reject, alert, and mirror.  The default action can be extended
   according to specific vendor action features.  The default action is
   described in detail in [i2nsf-nsf-cap-im].

   A rule includes a rule name, rule description, rule priority, rule
   enable flag, session aging time, long-connection setting, time zone,
   event clause container, condition clause container, and action
   clause container.

4.2.  Event Clause

   This section shows the YANG tree diagram for an event clause of an
   I2NSF security policy rule.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  +--rw system-policy* [system-policy-name]
     |     ...
     |     +--rw rules* [rule-name]
     |     |  ...
     |     |  +--rw event-clause-container
     |     |  |  +--rw event-clause-description?   string
     |     |  |  +--rw event-clauses
     |     |  |     +--rw system-event*   identityref
     |     |  |     +--rw system-alarm*   identityref
     |     |  +--rw condition-clause-container
     |     |  |  ...
     |     |  +--rw action-clause-container
     |     |     ...
     |     +--rw rule-group
     |        ...
     +--rw i2nsf-ipsec?   identityref

                Figure 2: YANG Tree Diagram for an Event Clause

   This YANG tree diagram shows an event clause of an I2NSF security
   policy rule for generic network security functions.
   An event clause is any important occurrence in time of a change in
   the system being managed, and/or in the environment of the system
   being managed.  An event clause is used to trigger the evaluation of
   the condition clause of the I2NSF Policy Rule.  The event clause is
   defined as system event and system alarm.  The event clause can be
   extended according to specific vendor event features.  The event
   clause is described in detail in [i2nsf-nsf-cap-im].

4.3.  Condition Clause

   This section shows the YANG tree diagram for a condition clause of
   an I2NSF security policy rule.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  ...
     |     +--rw rules* [rule-name]
     |     |  ...
     |     |  +--rw event-clause-container
     |     |  |  ...
     |     |  +--rw condition-clause-container
     |     |  |  +--rw condition-clause-description?   string
     |     |  |  +--rw packet-security-ipv4-condition
     |     |  |  |  +--rw ipv4-description?   string
     |     |  |  |  +--rw pkt-sec-ipv4-header-length
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-header-length*   uint8
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-header-length*
     |     |  |  |  |                [start-ipv4-header-length end-ipv4-header-length]
     |     |  |  |  |           +--rw start-ipv4-header-length   uint8
     |     |  |  |  |           +--rw end-ipv4-header-length     uint8
     |     |  |  |  +--rw pkt-sec-ipv4-tos*   identityref
     |     |  |  |  +--rw pkt-sec-ipv4-total-length
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-total-length*   uint16
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-total-length*
     |     |  |  |  |                [start-ipv4-total-length end-ipv4-total-length]
     |     |  |  |  |           +--rw start-ipv4-total-length   uint16
     |     |  |  |  |           +--rw end-ipv4-total-length     uint16
     |     |  |  |  +--rw pkt-sec-ipv4-id*               uint16
     |     |  |  |  +--rw pkt-sec-ipv4-fragment-flags*   identityref
     |     |  |  |  +--rw pkt-sec-ipv4-fragment-offset
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-fragment-offset*   uint16
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-fragment-offset*
     |     |  |  |  |                [start-ipv4-fragment-offset end-ipv4-fragment-offset]
     |     |  |  |  |           +--rw start-ipv4-fragment-offset   uint16
     |     |  |  |  |           +--rw end-ipv4-fragment-offset     uint16
     |     |  |  |  +--rw pkt-sec-ipv4-ttl
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-ttl*   uint8
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-ttl* [start-ipv4-ttl end-ipv4-ttl]
     |     |  |  |  |           +--rw start-ipv4-ttl   uint8
     |     |  |  |  |           +--rw end-ipv4-ttl     uint8
     |     |  |  |  +--rw pkt-sec-ipv4-protocol*   identityref
     |     |  |  |  +--rw pkt-sec-ipv4-src
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-address* [ipv4]
     |     |  |  |  |     |     +--rw ipv4        inet:ipv4-address
     |     |  |  |  |     |     +--rw (subnet)?
     |     |  |  |  |     |        +--:(prefix-length)
     |     |  |  |  |     |        |  +--rw prefix-length?   uint8
     |     |  |  |  |     |        +--:(netmask)
     |     |  |  |  |     |           +--rw netmask?         yang:dotted-quad
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-address*
     |     |  |  |  |                [start-ipv4-address end-ipv4-address]
     |     |  |  |  |           +--rw start-ipv4-address   inet:ipv4-address
     |     |  |  |  |           +--rw end-ipv4-address     inet:ipv4-address
     |     |  |  |  +--rw pkt-sec-ipv4-dest
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-address* [ipv4]
     |     |  |  |  |     |     +--rw ipv4        inet:ipv4-address
     |     |  |  |  |     |     +--rw (subnet)?
     |     |  |  |  |     |        +--:(prefix-length)
     |     |  |  |  |     |        |  +--rw prefix-length?   uint8
     |     |  |  |  |     |        +--:(netmask)
     |     |  |  |  |     |           +--rw netmask?         yang:dotted-quad
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-address*
     |     |  |  |  |                [start-ipv4-address end-ipv4-address]
     |     |  |  |  |           +--rw start-ipv4-address   inet:ipv4-address
     |     |  |  |  |           +--rw end-ipv4-address     inet:ipv4-address
     |     |  |  |  +--rw pkt-sec-ipv4-ipopts*   identityref
     |     |  |  |  +--rw pkt-sec-ipv4-sameip?   boolean
     |     |  |  |  +--rw pkt-sec-ipv4-geoip*    string
     |     |  |  +--rw packet-security-ipv6-condition
     |     |  |  |  +--rw ipv6-description?             string
     |     |  |  |  +--rw pkt-sec-ipv6-traffic-class*   identityref
     |     |  |  |  +--rw pkt-sec-ipv6-flow-label
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv6-flow-label*   uint32
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv6-flow-label*
     |     |  |  |  |                [start-ipv6-flow-label end-ipv6-flow-label]
     |     |  |  |  |           +--rw start-ipv6-flow-label   uint32
     |     |  |  |  |           +--rw end-ipv6-flow-label     uint32
     |     |  |  |  +--rw pkt-sec-ipv6-payload-length
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv6-payload-length*   uint16
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv6-payload-length*
     |     |  |  |  |                [start-ipv6-payload-length end-ipv6-payload-length]
     |     |  |  |  |           +--rw start-ipv6-payload-length   uint16
     |     |  |  |  |           +--rw end-ipv6-payload-length     uint16
     |     |  |  |  +--rw pkt-sec-ipv6-next-header*   identityref
     |     |  |  |  +--rw pkt-sec-ipv6-hop-limit
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv6-hop-limit*   uint8
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv6-hop-limit*
     |     |  |  |  |                [start-ipv6-hop-limit end-ipv6-hop-limit]
     |     |  |  |  |           +--rw start-ipv6-hop-limit   uint8
     |     |  |  |  |           +--rw end-ipv6-hop-limit     uint8
     |     |  |  |  +--rw pkt-sec-ipv6-src
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv6-address* [ipv6]
     |     |  |  |  |     |     +--rw ipv6             inet:ipv6-address
     |     |  |  |  |     |     +--rw prefix-length?   uint8
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv6-address*
     |     |  |  |  |                [start-ipv6-address end-ipv6-address]
     |     |  |  |  |           +--rw start-ipv6-address   inet:ipv6-address
     |     |  |  |  |           +--rw end-ipv6-address     inet:ipv6-address
     |     |  |  |  +--rw pkt-sec-ipv6-dest
     |     |  |  |     +--rw (match-type)?
     |     |  |  |        +--:(exact-match)
     |     |  |  |        |  +--rw ipv6-address* [ipv6]
     |     |  |  |        |     +--rw ipv6             inet:ipv6-address
     |     |  |  |        |     +--rw prefix-length?   uint8
     |     |  |  |        +--:(range-match)
     |     |  |  |           +--rw range-ipv6-address*
     |     |  |  |                   [start-ipv6-address end-ipv6-address]
     |     |  |  |              +--rw start-ipv6-address   inet:ipv6-address
     |     |  |  |              +--rw end-ipv6-address     inet:ipv6-address
     |     |  |  +--rw packet-security-tcp-condition
     |     |  |  |  +--rw tcp-description?   string
     |     |  |  |  +--rw pkt-sec-tcp-src-port-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw port-num*   inet:port-number
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
     |     |  |  |  |           +--rw start-port-num   inet:port-number
     |     |  |  |  |           +--rw end-port-num     inet:port-number
     |     |  |  |  +--rw pkt-sec-tcp-dest-port-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw port-num*   inet:port-number
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
     |     |  |  |  |           +--rw start-port-num   inet:port-number
     |     |  |  |  |           +--rw end-port-num     inet:port-number
     |     |  |  |  +--rw pkt-sec-tcp-seq-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw tcp-seq-num*   uint32
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-tcp-seq-num*
     |     |  |  |  |                [start-tcp-seq-num end-tcp-seq-num]
     |     |  |  |  |           +--rw start-tcp-seq-num   uint32
     |     |  |  |  |           +--rw end-tcp-seq-num     uint32
     |     |  |  |  +--rw pkt-sec-tcp-ack-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw tcp-ack-num*   uint32
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-tcp-ack-num*
     |     |  |  |  |                [start-tcp-ack-num end-tcp-ack-num]
     |     |  |  |  |           +--rw start-tcp-ack-num   uint32
     |     |  |  |  |           +--rw end-tcp-ack-num     uint32
     |     |  |  |  +--rw pkt-sec-tcp-window-size
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw tcp-window-size*   uint16
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-tcp-window-size*
     |     |  |  |  |                [start-tcp-window-size end-tcp-window-size]
     |     |  |  |  |           +--rw start-tcp-window-size   uint16
     |     |  |  |  |           +--rw end-tcp-window-size     uint16
     |     |  |  |  +--rw pkt-sec-tcp-flags*   identityref
     |     |  |  +--rw packet-security-udp-condition
     |     |  |  |  +--rw udp-description?   string
     |     |  |  |  +--rw pkt-sec-udp-src-port-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw port-num*   inet:port-number
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
     |     |  |  |  |           +--rw start-port-num   inet:port-number
     |     |  |  |  |           +--rw end-port-num     inet:port-number
     |     |  |  |  +--rw pkt-sec-udp-dest-port-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw port-num*   inet:port-number
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
     |     |  |  |  |           +--rw start-port-num   inet:port-number
     |     |  |  |  |           +--rw end-port-num     inet:port-number
     |     |  |  |  +--rw pkt-sec-udp-total-length
     |     |  |  |     +--rw (match-type)?
     |     |  |  |        +--:(exact-match)
     |     |  |  |        |  +--rw udp-total-length*   uint32
     |     |  |  |        +--:(range-match)
     |     |  |  |           +--rw range-udp-total-length*
     |     |  |  |                   [start-udp-total-length end-udp-total-length]
     |     |  |  |              +--rw start-udp-total-length   uint32
     |     |  |  |              +--rw end-udp-total-length     uint32
     |     |  |  +--rw packet-security-icmp-condition
     |     |  |  |  +--rw icmp-description?             string
     |     |  |  |  +--rw pkt-sec-icmp-type-and-code*   identityref
     |     |  |  +--rw packet-security-url-category-condition
     |     |  |  |  +--rw url-category-description?   string
     |     |  |  |  +--rw pre-defined-category*       string
     |     |  |  |  +--rw user-defined-category*      string
     |     |  |  +--rw packet-security-voice-condition
     |     |  |  |  +--rw voice-description?       string
     |     |  |  |  +--rw pkt-sec-src-voice-id*    string
     |     |  |  |  +--rw pkt-sec-dest-voice-id*   string
     |     |  |  |  +--rw pkt-sec-user-agent*      string
     |     |  |  +--rw packet-security-ddos-condition
     |     |  |  |  +--rw ddos-description?     string
     |     |  |  |  +--rw pkt-sec-alert-rate?   uint32
     |     |  |  +--rw packet-security-payload-condition
     |     |  |  |  +--rw packet-payload-description?   string
     |     |  |  |  +--rw pkt-payload-content*          string
     |     |  |  +--rw context-condition
     |     |  |     +--rw context-description?   string
     |     |  |     +--rw acl-number*            uint32
     |     |  |     +--rw application-condition
     |     |  |     |  +--rw application-description?   string
     |     |  |     |  +--rw application-object*        string
     |     |  |     |  +--rw application-group*         string
     |     |  |     |  +--rw application-label*         string
     |     |  |     |  +--rw category
     |     |  |     |     +--rw application-category*
     |     |  |     |             [name application-subcategory]
     |     |  |     |        +--rw name                      string
     |     |  |     |        +--rw application-subcategory   string
     |     |  |     +--rw target-condition
     |     |  |     |  +--rw target-description?   string
     |     |  |     |  +--rw device-sec-context-cond
     |     |  |     |     +--rw target-device*   identityref
     |     |  |     +--rw users-condition
     |     |  |     |  +--rw users-description?   string
     |     |  |     |  +--rw user
     |     |  |     |  |  +--rw (user-name)?
     |     |  |     |  |     +--:(tenant)
     |     |  |     |  |     |  +--rw tenant   uint8
     |     |  |     |  |     +--:(vn-id)
     |     |  |     |  |        +--rw vn-id    uint8
     |     |  |     |  +--rw group
     |     |  |     |  |  +--rw (group-name)?
     |     |  |     |  |     +--:(tenant)
     |     |  |     |  |     |  +--rw tenant   uint8
     |     |  |     |  |     +--:(vn-id)
     |     |  |     |  |        +--rw vn-id    uint8
     |     |  |     |  +--rw security-grup   string
     |     |  |     +--rw gen-context-condition
     |     |  |        +--rw gen-context-description?   string
     |     |  |        +--rw geographic-location
     |     |  |           +--rw src-geographic-location*    uint32
     |     |  |           +--rw dest-geographic-location*   uint32
     |     |  +--rw action-clause-container
     |     |     ...
     |     +--rw rule-group
     |        ...
     +--rw i2nsf-ipsec?   identityref

              Figure 3: YANG Tree Diagram for a Condition Clause

   This YANG tree diagram shows a condition clause of an I2NSF security
   policy rule for generic network security functions.  A condition
   clause is defined as a set of attributes, features, and/or values
   that are to be compared with a set of known attributes, features,
   and/or values in order to determine whether the set of actions in
   that (imperative) I2NSF policy rule can be executed.  The condition
   clause is classified into conditions of generic network security
   functions, conditions of advanced network security functions, and
   context conditions.  The condition clause of generic network
   security functions is defined as the packet security IPv4 condition,
   packet security IPv6 condition, packet security TCP condition,
   packet security UDP condition, and packet security ICMP condition.
   The condition clause of advanced network security functions is
   defined as the packet security URL category condition, packet
   security voice condition, packet security DDoS condition, and packet
   security payload condition.  The context condition clause is defined
   as the ACL number condition, application condition, target
   condition, users condition, and geographic-location condition.  Note
   that this document deals only with simple conditions of advanced
   network security functions.  The condition clauses of advanced
   network security functions are described in detail in
   [i2nsf-advanced-nsf-dm].
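   The following program is an added illustration, not code from this
   draft or from any I2NSF implementation.  It evaluates constructed
   packets against a system-policy shaped like Figures 1 and 3: the
   IPv4 source/destination and TCP port conditions use both the
   exact-match case (with prefix-length or netmask) and the range-match
   case, disabled rules are skipped, conflicts between several matched
   rules are resolved by FMR, LMR, PMRE or PMRN, and the default-action
   applies when nothing matches.  Everything beyond the node names is
   an assumption that the draft does not state: rules and packets are
   plain dicts rather than a YANG instance document, a larger
   rule-priority is a higher priority, PMRE is taken to error on a
   priority tie while PMRN lets the first tied rule win, and a missing
   rule-enable counts as enabled.

```python
"""Evaluate packets against an I2NSF system-policy shaped like Figures 1 and 3.

Added illustration, not code from the draft or any I2NSF implementation.  Assumed
because the draft does not say: rules and packets are plain dicts keyed by the tree's
node names; a larger rule-priority is a higher priority; PMRE raises on a priority tie
while PMRN lets the first tied rule win; a missing rule-enable counts as enabled.
Addresses come from the RFC 5737 documentation ranges.
"""
import ipaddress


def ipv4_addr_matches(cond, addr):
    """pkt-sec-ipv4-src / pkt-sec-ipv4-dest: exact-match entries carry a prefix-length
    or netmask (a bare address is a /32 host); range-match is inclusive."""
    ip = ipaddress.IPv4Address(addr)
    if "ipv4-address" in cond:
        for entry in cond["ipv4-address"]:
            suffix = entry.get("prefix-length", entry.get("netmask", 32))
            if ip in ipaddress.IPv4Network(f"{entry['ipv4']}/{suffix}", strict=False):
                return True
        return False
    if "range-ipv4-address" in cond:
        return any(ipaddress.IPv4Address(r["start-ipv4-address"]) <= ip
                   <= ipaddress.IPv4Address(r["end-ipv4-address"])
                   for r in cond["range-ipv4-address"])
    return True  # no match-type case selected: this field does not constrain


def port_matches(cond, port):
    """pkt-sec-tcp-*-port-num: port-num* (exact-match) or range-port-num* (range-match)."""
    if "port-num" in cond:
        return port in cond["port-num"]
    if "range-port-num" in cond:
        return any(r["start-port-num"] <= port <= r["end-port-num"] for r in cond["range-port-num"])
    return True


def rule_matches(rule, pkt):
    """Every populated condition in the condition-clause-container must hold."""
    cond = rule.get("condition-clause-container", {})
    v4 = cond.get("packet-security-ipv4-condition", {})
    ok = pkt["protocol"] in v4.get("pkt-sec-ipv4-protocol", [pkt["protocol"]])  # absent = any
    ok = ok and ipv4_addr_matches(v4.get("pkt-sec-ipv4-src", {}), pkt["src"])
    ok = ok and ipv4_addr_matches(v4.get("pkt-sec-ipv4-dest", {}), pkt["dst"])
    tcp = cond.get("packet-security-tcp-condition")
    if ok and tcp is not None:  # a TCP condition can only match TCP packets
        ok = (pkt["protocol"] == "tcp"
              and port_matches(tcp.get("pkt-sec-tcp-src-port-num", {}), pkt["sport"])
              and port_matches(tcp.get("pkt-sec-tcp-dest-port-num", {}), pkt["dport"]))
    return ok


def evaluate(policy, pkt):
    """Ingress-action chosen by resolution-strategy, or default-action if no enabled rule matches."""
    matched = [r for r in policy["rules"] if r.get("rule-enable", True) and rule_matches(r, pkt)]
    if not matched:
        return policy["default-action"]
    strategy = policy["resolution-strategy"]
    if strategy == "fmr":                      # First Matching Rule
        chosen = matched[0]
    elif strategy == "lmr":                    # Last Matching Rule
        chosen = matched[-1]
    elif strategy in ("pmre", "pmrn"):         # Prioritized Matching Rule, with / without errors
        prios = [r.get("rule-priority", 0) for r in matched]
        if strategy == "pmre" and len(set(prios)) != len(prios):
            raise ValueError("PMRE: matched rules share a rule-priority")
        chosen = max(matched, key=lambda r: r.get("rule-priority", 0))  # first wins a tie
    else:
        raise ValueError(f"unsupported resolution-strategy {strategy!r}")
    return chosen["action-clause-container"]["packet-action"]["ingress-action"]


def make_rule(name, prio, action, ipv4=None, tcp=None):
    """Build one rules* entry using the node names of Figures 1, 3 and 4."""
    cond = {"packet-security-ipv4-condition": ipv4 or {}}
    if tcp is not None:
        cond["packet-security-tcp-condition"] = tcp
    return {"rule-name": name, "rule-priority": prio, "condition-clause-container": cond,
            "action-clause-container": {"packet-action": {"ingress-action": action}}}


# Constructed sample system-policy; block-mgmt and allow-admin overlap on SSH on purpose.
POLICY = {
    "system-policy-name": "edge-fw", "resolution-strategy": "fmr", "default-action": "drop",
    "rules": [
        make_rule("allow-web", 10, "pass",
                  ipv4={"pkt-sec-ipv4-protocol": ["tcp"], "pkt-sec-ipv4-dest":
                        {"ipv4-address": [{"ipv4": "203.0.113.0", "prefix-length": 24}]}},
                  tcp={"pkt-sec-tcp-dest-port-num": {"port-num": [80, 443]}}),
        make_rule("block-mgmt", 20, "drop",
                  ipv4={"pkt-sec-ipv4-dest": {"range-ipv4-address": [
                      {"start-ipv4-address": "203.0.113.1", "end-ipv4-address": "203.0.113.254"}]}},
                  tcp={"pkt-sec-tcp-dest-port-num":
                       {"range-port-num": [{"start-port-num": 22, "end-port-num": 23}]}}),
        make_rule("allow-admin", 30, "pass",
                  ipv4={"pkt-sec-ipv4-src":
                        {"ipv4-address": [{"ipv4": "192.0.2.0", "netmask": "255.255.255.0"}]}},
                  tcp={"pkt-sec-tcp-dest-port-num": {"port-num": [22]}}),
    ],
}

# Constructed packets: plain web traffic, admin SSH from the management subnet, and DNS.
PKT_WEB = {"src": "198.51.100.7", "dst": "203.0.113.10", "protocol": "tcp", "sport": 40000, "dport": 443}
PKT_ADMIN_SSH = {"src": "192.0.2.5", "dst": "203.0.113.10", "protocol": "tcp", "sport": 50000, "dport": 22}
PKT_DNS = {"src": "198.51.100.7", "dst": "203.0.113.10", "protocol": "udp", "sport": 5353, "dport": 53}

if __name__ == "__main__":
    for strategy in ("fmr", "lmr", "pmrn"):
        p = {**POLICY, "resolution-strategy": strategy}
        print(strategy, [evaluate(p, pkt) for pkt in (PKT_WEB, PKT_ADMIN_SSH, PKT_DNS)])
```

   The admin SSH packet is the interesting case: it matches both
   block-mgmt and allow-admin, so the answer is "drop" under FMR but
   "pass" under LMR and the prioritized strategies, which is exactly the
   ambiguity the resolution-strategy leaf exists to settle.  The action
   names are the default-action identities listed in Section 4.1; what
   an NSF does for alert or mirror, and how the time-zone and event
   clauses gate evaluation, is outside what this example models.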
   The condition clause can be extended according to specific vendor
   condition features.  The condition clause is described in detail in
   [i2nsf-nsf-cap-im].

4.4.  Action Clause

   This section shows the YANG tree diagram for an action clause of an
   I2NSF security policy rule.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  ...
     |     +--rw rules* [rule-name]
     |     |  ...
     |     |  +--rw event-clause-container
     |     |  |  ...
     |     |  +--rw condition-clause-container
     |     |  |  ...
     |     |  +--rw action-clause-container
     |     |     +--rw action-clause-description?   string
     |     |     +--rw packet-action
     |     |     |  +--rw ingress-action?   identityref
     |     |     |  +--rw egress-action?    identityref
     |     |     |  +--rw log-action?       identityref
     |     |     +--rw advanced-action
     |     |        +--rw content-security-control*    identityref
     |     |        +--rw attack-mitigation-control*   identityref
     |     +--rw rule-group
     |        ...
     +--rw i2nsf-ipsec?   identityref

               Figure 4: YANG Tree Diagram for an Action Clause

   This YANG tree diagram shows an action clause of an I2NSF security
   policy rule for generic network security functions.  An action is
   used to control and monitor aspects of flow-based NSFs when the
   event and condition clauses are satisfied.  NSFs provide security
   services by executing various actions.  The action clause is defined
   as the ingress action, egress action, and log action of the packet
   action, and the advanced action for additional inspection.  The
   action clause can be extended according to specific vendor action
   features.  The action clause is described in detail in
   [i2nsf-nsf-cap-im].

4.5.  I2NSF Internet Key Exchange

   This section shows the YANG tree diagram for I2NSF IPsec.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  ...
     |     +--rw rules* [rule-name]
     |     |  ...
     |     |  +--rw event-clause-container
     |     |  |  ...
     |     |  +--rw condition-clause-container
     |     |  |  ...
     |     |  +--rw action-clause-container
     |     |     ...
     |     +--rw rule-group
     |        ...
     +--rw i2nsf-ipsec?   identityref

          Figure 5: YANG Tree Diagram for I2NSF Internet Key Exchange

   This YANG tree diagram shows the I2NSF IPsec leaf used for Internet
   key exchange.  I2NSF IPsec selects the method used to manage the
   IPsec parameters for creating IPsec Security Associations between
   two NSFs, either through the IKEv2 protocol or through the Security
   Controller [draft-ietf-i2nsf-sdn-ipsec-flow-protection].  I2NSF
   IPsec therefore distinguishes two cases: the IKE case (i.e., IPsec
   through IKE) and the IKE-less case (i.e., IPsec not through IKE, but
   through a Security Controller).  Refer to
   [draft-ietf-i2nsf-sdn-ipsec-flow-protection] for the detailed
   description of I2NSF IPsec.

5.  YANG Data Module

5.1.  I2NSF NSF-Facing Interface YANG Data Module

   This section introduces a YANG data module for the configuration of
   security policy rules on network security functions.

   <CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2019-06-12.yang"

   module ietf-i2nsf-policy-rule-for-nsf {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
     prefix
       iiprfn;

     import ietf-inet-types{
       prefix inet;
       reference "RFC 6991";
     }
     import ietf-yang-types{
       prefix yang;
       reference "RFC 6991";
     }

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Adrian Farrel

        WG Chair: Linda Dunbar

        Editor: Jingyong Tim Kim

        Editor: Jaehoon Paul Jeong

        Editor: Susan Hares
        ";

     description
       "This module defines a YANG data module for network security
        functions.

        Copyright (c) 2018 IETF Trust and the persons
        identified as authors of the code.  All rights reserved.
719 Redistribution and use in source and binary forms, with or 720 without modification, is permitted pursuant to, and subject 721 to the license terms contained in, the Simplified BSD License 722 set forth in Section 4.c of the IETF Trust's Legal Provisions 723 Relating to IETF Documents 724 (http://trustee.ietf.org/license-info). 726 This version of this YANG module is part of RFC 8341; see 727 the RFC itself for full legal notices."; 729 revision "2019-06-12"{ 730 description "Initial revision."; 731 reference 732 "RFC XXXX: I2NSF Network Security Function-Facing Interface 733 YANG Data Model"; 734 } 736 /* 737 * Identities 738 */ 740 identity priority-usage-type { 741 description 742 "Base identity for priority usage type."; 743 } 745 identity priority-by-order { 746 base priority-usage-type; 747 description 748 "Identity for priority by order"; 749 } 751 identity priority-by-number { 752 base priority-usage-type; 753 description 754 "Identity for priority by number"; 755 } 757 identity event { 758 description 759 "Base identity for event of policy."; 760 reference 761 "draft-hong-i2nsf-nsf-monitoring-data-model-06 762 - Event"; 763 } 765 identity system-event { 766 base event; 767 description 768 "Identity for system event"; 769 reference 770 "draft-hong-i2nsf-nsf-monitoring-data-model-06 771 - System event"; 772 } 774 identity system-alarm { 775 base event; 776 description 777 "Identity for system alarm"; 778 reference 779 "draft-hong-i2nsf-nsf-monitoring-data-model-06 780 - System alarm"; 781 } 783 identity access-violation { 784 base system-event; 785 description 786 "Identity for access violation 787 among system events"; 788 reference 789 "draft-hong-i2nsf-nsf-monitoring-data-model-06 790 - System event"; 791 } 793 identity configuration-change { 794 base system-event; 795 description 796 "Identity for configuration change 797 among system events"; 798 reference 799 "draft-hong-i2nsf-nsf-monitoring-data-model-06 800 - System event"; 801 } 803 identity 
     memory-alarm {
       base system-alarm;
       description
         "Identity for memory alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity cpu-alarm {
       base system-alarm;
       description
         "Identity for cpu alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity disk-alarm {
       base system-alarm;
       description
         "Identity for disk alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity hardware-alarm {
       base system-alarm;
       description
         "Identity for hardware alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity interface-alarm {
       base system-alarm;
       description
         "Identity for interface alarm
          among system alarms";
       reference
         "draft-hong-i2nsf-nsf-monitoring-data-model-06
          - System alarm";
     }

     identity type-of-service {
       description
         "Base identity for type of service of IPv4";
       reference
         "RFC 791: Internet Protocol - Type of Service";
     }

     identity traffic-class {
       description
         "Base identity for traffic-class of IPv6";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity normal {
       base type-of-service;
       base traffic-class;
       description
         "Identity for normal";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity minimize-cost {
       base type-of-service;
       base traffic-class;
       description
         "Identity for minimize cost";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity maximize-reliability {
       base type-of-service;
       base traffic-class;
       description
         "Identity for maximize reliability";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity maximize-throughput {
       base type-of-service;
       base traffic-class;
       description
         "Identity for maximize throughput";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity minimize-delay {
       base type-of-service;
       base traffic-class;
       description
         "Identity for minimize delay";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity maximize-security {
       base type-of-service;
       base traffic-class;
       description
         "Identity for maximize security";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity fragmentation-flags-type {
       description
         "Base identity for fragmentation flags type";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity fragment {
       base fragmentation-flags-type;
       description
         "Identity for fragment";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity no-fragment {
       base fragmentation-flags-type;
       description
         "Identity for no fragment";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity reserved {
       base fragmentation-flags-type;
       description
         "Identity for reserved";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity protocol {
       description
         "Base identity for protocol of IPv4";
       reference
         "RFC 790: Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Protocol";
     }

     identity next-header {
       description
         "Base identity for next header of IPv6";
       reference
         "RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity icmp {
       base protocol;
       base next-header;
       description
         "Identity for icmp";
       reference
         "RFC 790: - Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity igmp {
       base protocol;
       base next-header;
       description
         "Identity for igmp";
       reference
         "RFC 790: - Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity tcp {
       base protocol;
       base next-header;
       description
         "Identity for tcp";
       reference
         "RFC 790: - Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity igrp {
       base protocol;
       base next-header;
       description
         "Identity for igrp";
       reference
         "RFC 790: - Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity udp {
       base protocol;
       base next-header;
       description
         "Identity for udp";
       reference
         "RFC 790: - Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity gre {
       base protocol;
       base next-header;
       description
         "Identity for gre";
       reference
         "RFC 790: - Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity esp {
       base protocol;
       base next-header;
       description
         "Identity for esp";
       reference
         "RFC 790: - Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity ah {
       base protocol;
       base next-header;
       description
         "Identity for ah";
       reference
         "RFC 790: - Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity mobile {
       base protocol;
       base next-header;
       description
         "Identity for mobile";
       reference
         "RFC 790: - Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity tlsp {
       base protocol;
       base next-header;
       description
         "Identity for tlsp";
       reference
         "RFC 790: - Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity skip {
       base protocol;
       base next-header;
       description
         "Identity for skip";
       reference
         "RFC 790: - Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity ipv6-icmp {
       base protocol;
       base next-header;
       description
         "Identity for IPv6 icmp ";
       reference
         "RFC 790: - Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity eigrp {
       base protocol;
       base next-header;
       description
         "Identity for eigrp";
       reference
         "RFC 790: - Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity ospf {
       base protocol;
       base next-header;
       description
         "Identity for ospf";
       reference
         "RFC 790: - Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity l2tp {
       base protocol;
       base next-header;
       description
         "Identity for l2tp";
       reference
         "RFC 790: - Assigned numbers - Assigned Internet
          Protocol Number
          RFC 791: Internet Protocol - Type of Service
          RFC 2460: Internet Protocol, Version 6 (IPv6)
          Specification - Next Header";
     }

     identity ipopts {
       description
         "Base identity for IP options";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity rr {
       base ipopts;
       description
         "Identity for record route";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity eol {
       base ipopts;
       description
         "Identity for end of list";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity nop {
       base ipopts;
       description
         "Identity for no operation";
       reference
         "RFC 791: Internet
          Protocol - Options";
     }

     identity ts {
       base ipopts;
       description
         "Identity for time stamp";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity sec {
       base ipopts;
       description
         "Identity for IP security";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity esec {
       base ipopts;
       description
         "Identity for IP extended security";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity lsrr {
       base ipopts;
       description
         "Identity for loose source routing";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity ssrr {
       base ipopts;
       description
         "Identity for strict source routing";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity satid {
       base ipopts;
       description
         "Identity for stream identifier";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity any {
       base ipopts;
       description
         "Identity for which any IP options are set";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity tcp-flags {
       description
         "Base identity for tcp flags";
       reference
         "RFC 793: Transmission Control Protocol - Flags";
     }

     identity cwr {
       base tcp-flags;
       description
         "Identity for congestion window reduced";
       reference
         "RFC 793: Transmission Control Protocol - Flags";
     }

     identity ecn {
       base tcp-flags;
       description
         "Identity for explicit congestion notification";
       reference
         "RFC 793: Transmission Control Protocol - Flags";
     }

     identity urg {
       base tcp-flags;
       description
         "Identity for urgent";
       reference
         "RFC 793: Transmission Control Protocol - Flags";
     }

     identity ack {
       base tcp-flags;
       description
         "Identity for acknowledgement";
       reference
         "RFC 793: Transmission
          Control Protocol - Flags";
     }

     identity psh {
       base tcp-flags;
       description
         "Identity for push";
       reference
         "RFC 793: Transmission Control Protocol - Flags";
     }

     identity rst {
       base tcp-flags;
       description
         "Identity for reset";
       reference
         "RFC 793: Transmission Control Protocol - Flags";
     }

     identity syn {
       base tcp-flags;
       description
         "Identity for synchronize";
       reference
         "RFC 793: Transmission Control Protocol - Flags";
     }

     identity fin {
       base tcp-flags;
       description
         "Identity for finish";
       reference
         "RFC 793: Transmission Control Protocol - Flags";
     }

     identity icmp-type {
       description
         "Base identity for icmp types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity echo-reply {
       base icmp-type;
       description
         "Identity for echo reply";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity destination-unreachable {
       base icmp-type;
       description
         "Identity for destination unreachable";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity source-quench {
       base icmp-type;
       description
         "Identity for source quench";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity redirect {
       base icmp-type;
       description
         "Identity for redirect";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity alternate-host-address {
       base icmp-type;
       description
         "Identity for alternate host address";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity echo {
       base icmp-type;
       description
         "Identity for echo";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity router-advertisement {
       base icmp-type;
       description
         "Identity for
          router advertisement";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity router-solicitation {
       base icmp-type;
       description
         "Identity for router solicitation";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity time-exceeded {
       base icmp-type;
       description
         "Identity for time exceeded";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity parameter-problem {
       base icmp-type;
       description
         "Identity for parameter problem";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity timestamp {
       base icmp-type;
       description
         "Identity for timestamp";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity timestamp-reply {
       base icmp-type;
       description
         "Identity for timestamp reply";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity information-request {
       base icmp-type;
       description
         "Identity for information request";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity information-reply {
       base icmp-type;
       description
         "Identity for information reply";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity address-mask-request {
       base icmp-type;
       description
         "Identity for address mask request";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity address-mask-reply {
       base icmp-type;
       description
         "Identity for address mask reply";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity traceroute {
       base icmp-type;
       description
         "Identity for traceroute";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity datagram-conversion-error {
       base icmp-type;
       description
         "Identity for datagram conversion error";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity mobile-host-redirect {
       base icmp-type;
       description
         "Identity for mobile host redirect";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity ipv6-where-are-you {
       base icmp-type;
       description
         "Identity for IPv6 where are you";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity ipv6-i-am-here {
       base icmp-type;
       description
         "Identity for IPv6 i am here";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity mobile-registration-request {
       base icmp-type;
       description
         "Identity for mobile registration request";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity mobile-registration-reply {
       base icmp-type;
       description
         "Identity for mobile registration reply";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity domain-name-request {
       base icmp-type;
       description
         "Identity for domain name request";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity domain-name-reply {
       base icmp-type;
       description
         "Identity for domain name reply";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity iskip {
       base icmp-type;
       description
         "Identity for icmp skip";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity photuris {
       base icmp-type;
       description
         "Identity for photuris";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity experimental-mobility-protocols {
       base icmp-type;
       description
         "Identity for experimental mobility protocols";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity extended-echo-request {
       base icmp-type;
       description
         "Identity for extended echo request";
       reference
         "RFC 792: Internet Control Message Protocol
          RFC 8335: PROBE: A Utility for Probing Interfaces";
     }

     identity extended-echo-reply {
       base icmp-type;
       description
         "Identity for extended echo reply";
       reference
         "RFC 792: Internet Control Message Protocol
          RFC 8335: PROBE: A Utility for Probing Interfaces";
     }

     identity net-unreachable {
       base icmp-type;
       description
         "Identity for net unreachable
          in destination unreachable types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity host-unreachable {
       base icmp-type;
       description
         "Identity for host unreachable
          in destination unreachable types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity protocol-unreachable {
       base icmp-type;
       description
         "Identity for protocol unreachable
          in destination unreachable types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity port-unreachable {
       base icmp-type;
       description
         "Identity for port unreachable
          in destination unreachable types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity fragment-set {
       base icmp-type;
       description
         "Identity for fragmentation set
          in destination unreachable types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity source-route-failed {
       base icmp-type;
       description
         "Identity for source route failed
          in destination unreachable types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity destination-network-unknown {
       base icmp-type;
       description
         "Identity for destination network unknown
          in destination unreachable types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity destination-host-unknown {
       base icmp-type;
       description
         "Identity for destination host unknown
          in destination unreachable types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity source-host-isolated {
       base icmp-type;
       description
         "Identity for source host isolated
          in destination unreachable types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity communication-prohibited-with-destination-network {
       base icmp-type;
       description
         "Identity for which communication with destination network
          is administratively prohibited in destination unreachable
          types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity communication-prohibited-with-destination-host {
       base icmp-type;
       description
         "Identity for which communication with destination host
          is administratively prohibited in destination unreachable
          types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity destination-network-unreachable-for-tos {
       base icmp-type;
       description
         "Identity for destination network unreachable
          for type of service in destination unreachable types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity destination-host-unreachable-for-tos {
       base icmp-type;
       description
         "Identity for destination host unreachable
          for type of service in destination unreachable types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity communication-prohibited {
       base icmp-type;
       description
         "Identity for communication administratively prohibited
          in destination unreachable types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity host-precedence-violation {
       base icmp-type;
       description
         "Identity for host precedence violation
          in destination unreachable types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity precedence-cutoff-in-effect {
       base icmp-type;
       description
         "Identity for precedence cutoff in effect
          in destination unreachable types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity redirect-datagram-for-the-network {
       base icmp-type;
       description
         "Identity for redirect datagram for the network
          (or subnet) in redirect types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity redirect-datagram-for-the-host {
       base icmp-type;
       description
         "Identity for redirect datagram for the host
          in redirect types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity redirect-datagram-for-the-tos-and-network {
       base icmp-type;
       description
         "Identity for redirect datagram for the type of
          service and network in redirect types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity redirect-datagram-for-the-tos-and-host {
       base icmp-type;
       description
         "Identity for redirect datagram for the type of
          service and host in redirect types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity normal-router-advertisement {
       base icmp-type;
       description
         "Identity for normal router advertisement
          in router advertisement types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity does-not-route-common-traffic {
       base icmp-type;
       description
         "Identity for does not route common traffic
          in router advertisement types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity time-to-live-exceeded-in-transit {
       base icmp-type;
       description
         "Identity for time to live exceeded in transit
          in time exceeded types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity fragment-reassembly-time-exceeded {
       base icmp-type;
       description
         "Identity for fragment reassembly time exceeded
          in time exceeded types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity pointer-indicates-the-error {
       base icmp-type;
       description
         "Identity for pointer indicates the error
          in parameter problem types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity missing-a-required-option {
       base icmp-type;
       description
         "Identity for missing a required option
          in parameter problem types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity bad-length {
       base icmp-type;
       description
         "Identity for bad length
          in parameter problem types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity bad-spi {
       base icmp-type;
       description
         "Identity for bad spi
          in photuris types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity authentication-failed {
       base icmp-type;
       description
         "Identity for authentication failed
          in photuris types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity decompression-failed {
       base icmp-type;
       description
         "Identity for decompression failed
          in photuris types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity decryption-failed {
       base icmp-type;
       description
         "Identity for decryption failed
          in photuris types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity need-authentication {
       base icmp-type;
       description
         "Identity
          for need authentication
          in photuris types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity need-authorization {
       base icmp-type;
       description
         "Identity for need authorization
          in photuris types";
       reference
         "RFC 792: Internet Control Message Protocol";
     }

     identity req-no-error {
       base icmp-type;
       description
         "Identity for request with no error
          in extended echo request types";
       reference
         "RFC 792: Internet Control Message Protocol
          RFC 8335: PROBE: A Utility for Probing Interfaces";
     }

     identity rep-no-error {
       base icmp-type;
       description
         "Identity for reply with no error
          in extended echo reply types";
       reference
         "RFC 792: Internet Control Message Protocol
          RFC 8335: PROBE: A Utility for Probing Interfaces";
     }

     identity malformed-query {
       base icmp-type;
       description
         "Identity for malformed query
          in extended echo reply types";
       reference
         "RFC 792: Internet Control Message Protocol
          RFC 8335: PROBE: A Utility for Probing Interfaces";
     }

     identity no-such-interface {
       base icmp-type;
       description
         "Identity for no such interface
          in extended echo reply types";
       reference
         "RFC 792: Internet Control Message Protocol
          RFC 8335: PROBE: A Utility for Probing Interfaces";
     }

     identity no-such-table-entry {
       base icmp-type;
       description
         "Identity for no such table entry
          in extended echo reply types";
       reference
         "RFC 792: Internet Control Message Protocol
          RFC 8335: PROBE: A Utility for Probing Interfaces";
     }

     identity multiple-interfaces-satisfy-query {
       base icmp-type;
       description
         "Identity for multiple interfaces satisfy query
          in extended echo reply types";
       reference
         "RFC 792: Internet Control Message Protocol
          RFC 8335: PROBE: A Utility for Probing Interfaces";
     }

     identity target-device {
       description
         "Base identity for target devices";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities";
     }

     identity pc {
       base target-device;
       description
         "Identity for pc";
     }

     identity mobile-phone {
       base target-device;
       description
         "Identity for mobile-phone";
     }

     identity voip-volte-phone {
       base target-device;
       description
         "Identity for voip-volte-phone";
     }

     identity tablet {
       base target-device;
       description
         "Identity for tablet";
     }

     identity iot {
       base target-device;
       description
         "Identity for IoT";
     }

     identity vehicle {
       base target-device;
       description
         "Identity for vehicle";
     }

     identity content-security-control {
       description
         "Base identity for content security control";
       reference
         "RFC 8329: Framework for Interface to
          Network Security Functions - Differences
          from ACL Data Models
          draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities";
     }

     identity antivirus {
       base content-security-control;
       description
         "Identity for antivirus";
     }

     identity ips {
       base content-security-control;
       description
         "Identity for ips";
     }

     identity ids {
       base content-security-control;
       description
         "Identity for ids";
     }

     identity url-filtering {
       base content-security-control;
       description
         "Identity for url filtering";
     }

     identity mail-filtering {
       base content-security-control;
       description
         "Identity for mail filtering";
     }

     identity file-blocking {
       base content-security-control;
       description
         "Identity for file blocking";
     }

     identity file-isolate {
       base content-security-control;
       description
         "Identity for file isolate";
     }

     identity pkt-capture {
       base content-security-control;
       description
         "Identity for packet capture";
     }

     identity application-control {
       base content-security-control;
       description
         "Identity for application control";
     }

     identity voip-volte {
       base content-security-control;
       description
         "Identity for voip and volte";
     }

     identity attack-mitigation-control {
       description
         "Base identity for attack mitigation control";
       reference
         "RFC 8329: Framework for Interface to
          Network Security Functions - Differences
          from ACL Data Models
          draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities";
     }

     identity syn-flood {
       base attack-mitigation-control;
       description
         "Identity for syn flood";
     }

     identity udp-flood {
       base attack-mitigation-control;
       description
         "Identity for udp flood";
     }

     identity icmp-flood {
       base attack-mitigation-control;
       description
         "Identity for icmp flood";
     }

     identity ip-frag-flood {
       base attack-mitigation-control;
       description
         "Identity for ip frag flood";
     }

     identity ipv6-related {
       base attack-mitigation-control;
       description
         "Identity for ipv6 related";
     }

     identity http-and-https-flood {
       base attack-mitigation-control;
       description
         "Identity for http and https flood";
     }

     identity dns-flood {
       base attack-mitigation-control;
       description
         "Identity for dns flood";
     }

     identity dns-amp-flood {
       base attack-mitigation-control;
       description
         "Identity for dns amp flood";
     }

     identity ssl-ddos {
       base attack-mitigation-control;
       description
         "Identity for ssl ddos";
     }

     identity ip-sweep {
       base attack-mitigation-control;
       description
         "Identity for ip sweep";
     }

     identity port-scanning {
       base attack-mitigation-control;
       description
         "Identity for port scanning";
     }

     identity ping-of-death {
       base attack-mitigation-control;
       description
         "Identity for ping of death";
     }

     identity teardrop {
       base attack-mitigation-control;
       description
         "Identity for teardrop";
     }

     identity oversized-icmp {
       base attack-mitigation-control;
       description
         "Identity for oversized icmp";
     }

     identity tracert {
       base attack-mitigation-control;
       description
         "Identity for tracert";
     }

     identity ingress-action {
       description
         "Base identity for action";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Ingress Action";
     }

     identity egress-action {
       description
         "Base identity for egress action";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Egress action";
     }

     identity default-action {
       description
         "Base identity for default action";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Default action";
     }

     identity pass {
       base ingress-action;
       base egress-action;
       base default-action;
       description
         "Identity for pass";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Actions and
          default action";
     }

     identity drop {
       base ingress-action;
       base egress-action;
       base default-action;
       description
         "Identity for drop";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Actions and
          default action";
     }

     identity reject {
       base ingress-action;
       base egress-action;
       base default-action;
       description
         "Identity for reject";
       reference
         "draft-ietf-i2nsf-capability-04: Information Model
          of NSFs Capabilities - Actions and
          default action";
     }

identity alert { 2225 base ingress-action; 2226 base egress-action; 2227 base default-action; 2228 description 2229 "Identity for alert"; 2230 reference 2231 "draft-ietf-i2nsf-capability-04: Information Model 2232 of NSFs Capabilities - Actions and 2233 default action"; 2234 } 2236 identity mirror { 2237 base ingress-action; 2238 base egress-action; 2239 base default-action; 2240 description 2241 "Identity for mirror"; 2242 reference 2243 "draft-ietf-i2nsf-capability-04: Information Model 2244 of NSFs Capabilities - Actions and 2245 default action"; 2246 } 2248 identity log-action { 2249 description 2250 "Base identity for log action"; 2251 } 2253 identity rule-log { 2254 base log-action; 2255 description 2256 "Identity for rule log"; 2257 } 2259 identity session-log { 2260 base log-action; 2261 description 2262 "Identity for session log"; 2263 } 2265 identity invoke-signaling { 2266 base egress-action; 2267 description 2268 "Identity for invoke signaling"; 2269 } 2270 identity tunnel-encapsulation { 2271 base egress-action; 2272 description 2273 "Identity for tunnel encapsulation"; 2274 } 2276 identity forwarding { 2277 base egress-action; 2278 description 2279 "Identity for forwarding"; 2280 } 2282 identity redirection { 2283 base egress-action; 2284 description 2285 "Identity for redirection"; 2287 } 2289 identity resolution-strategy { 2290 description 2291 "Base identity for resolution strategy"; 2292 reference 2293 "draft-ietf-i2nsf-capability-04: Information Model 2294 of NSFs Capabilities - Resolution Strategy"; 2295 } 2297 identity fmr { 2298 base resolution-strategy; 2299 description 2300 "Identity for First Matching Rule (FMR)"; 2301 reference 2302 "draft-ietf-i2nsf-capability-04: Information Model 2303 of NSFs Capabilities - Resolution Strategy"; 2304 } 2306 identity lmr { 2307 base resolution-strategy; 2308 description 2309 "Identity for Last Matching Rule (LMR)"; 2310 reference 2311 "draft-ietf-i2nsf-capability-04: Information Model 2312 of NSFs 
Capabilities - Resolution Strategy"; 2313 } 2315 identity pmr { 2316 base resolution-strategy; 2317 description 2318 "Identity for Prioritized Matching Rule (PMR)"; 2319 reference 2320 "draft-ietf-i2nsf-capability-04: Information Model 2321 of NSFs Capabilities - Resolution Strategy"; 2322 } 2324 identity pmre { 2325 base resolution-strategy; 2326 description 2327 "Identity for Prioritized Matching Rule 2328 with Errors (PMRE)"; 2329 reference 2330 "draft-ietf-i2nsf-capability-04: Information Model 2331 of NSFs Capabilities - Resolution Strategy"; 2332 } 2334 identity pmrn { 2335 base resolution-strategy; 2336 description 2337 "Identity for Prioritized Matching Rule 2338 with No Errors (PMRN)"; 2339 reference 2340 "draft-ietf-i2nsf-capability-04: Information Model 2341 of NSFs Capabilities - Resolution Strategy"; 2342 } 2344 identity i2nsf-ipsec { 2345 description 2346 "Internet Key Exchnage for NSFs 2347 in the I2NSF framework"; 2348 reference 2349 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04 2350 - i2nsf-ipsec"; 2351 } 2353 identity ike { 2354 base i2nsf-ipsec; 2355 description 2356 "IKE case: IPsec with IKE in the NSF"; 2357 reference 2358 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04 2359 - ike"; 2360 } 2362 identity ikeless { 2363 base i2nsf-ipsec; 2364 description 2365 "IKEless case: IPsec without IKEv2 in the NSF"; 2367 reference 2368 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04 2369 - ikeless"; 2370 } 2372 /* 2373 * Typedefs 2374 */ 2376 typedef start-time-type { 2377 type union { 2378 type string { 2379 pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' 2380 + '(Z|[\+\-]\d{2}:\d{2})'; 2381 } 2383 type enumeration { 2384 enum right-away { 2385 description 2386 "Immediate rule execution 2387 in the system."; 2388 } 2389 } 2390 } 2392 description 2393 "Start time when the rules are applied."; 2394 } 2396 typedef end-time-type { 2397 type union { 2398 type string { 2399 pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' 
2400 + '(Z|[\+\-]\d{2}:\d{2})'; 2401 } 2403 type enumeration { 2404 enum infinitely { 2405 description 2406 "Infinite rule execution 2407 in the system."; 2408 } 2409 } 2410 } 2411 description 2412 "End time when the rules are applied."; 2413 } 2414 typedef day-type { 2415 type enumeration { 2416 enum sunday { 2417 description 2418 "Sunday for periodic day"; 2419 } 2420 enum monday { 2421 description 2422 "Monday for periodic day"; 2423 } 2424 enum tuesday { 2425 description 2426 "Tuesday for periodic day"; 2427 } 2428 enum wednesday { 2429 description 2430 "Wednesday for periodic day"; 2431 } 2432 enum thursday { 2433 description 2434 "Thursday for periodic day"; 2435 } 2436 enum friday { 2437 description 2438 "Friday for periodic day"; 2439 } 2440 enum saturday { 2441 description 2442 "Saturday for periodic day"; 2443 } 2444 } 2445 description 2446 "This can be used for the rules to be applied 2447 according to periodic day"; 2448 } 2450 typedef month-type { 2451 type enumeration { 2452 enum january { 2453 description 2454 "January for periodic month"; 2455 } 2456 enum february { 2457 description 2458 "February for periodic month"; 2459 } 2460 enum march { 2461 description 2462 "March for periodic month"; 2463 } 2464 enum april { 2465 description 2466 "April for periodic month"; 2467 } 2468 enum may { 2469 description 2470 "May for periodic month"; 2471 } 2472 enum june { 2473 description 2474 "June for periodic month"; 2475 } 2476 enum july { 2477 description 2478 "July for periodic month"; 2479 } 2480 enum august { 2481 description 2482 "August for periodic month"; 2483 } 2484 enum september { 2485 description 2486 "September for periodic month"; 2487 } 2488 enum october { 2489 description 2490 "October for periodic month"; 2491 } 2492 enum november { 2493 description 2494 "November for periodic month"; 2495 } 2496 enum december { 2497 description 2498 "December for periodic month"; 2499 } 2500 } 2501 description 2502 "This can be used for the rules to be 
applied 2503 according to periodic month"; 2504 } 2506 /* 2507 * Groupings 2508 */ 2510 grouping ipv4 { 2511 list ipv4-address { 2512 key "ipv4"; 2513 description 2514 "The list of IPv4 address."; 2516 leaf ipv4 { 2517 type inet:ipv4-address; 2518 description 2519 "The value of IPv4 address."; 2520 } 2521 choice subnet { 2522 description 2523 "The subnet can be specified as a prefix length or 2524 netmask."; 2525 leaf prefix-length { 2526 type uint8 { 2527 range "0..32"; 2528 } 2529 description 2530 "The length of the subnet prefix."; 2531 } 2532 leaf netmask { 2533 type yang:dotted-quad; 2534 description 2535 "The subnet specified as a netmask."; 2536 } 2537 } 2538 } 2539 description 2540 "Grouping for an IPv4 address"; 2542 reference 2543 "RFC 791: Internet Protocol - IPv4 address 2544 RFC 8344: A YANG Data Model for IP Management"; 2545 } 2547 grouping ipv6 { 2548 list ipv6-address { 2549 key "ipv6"; 2550 description 2551 "The list of IPv6 address."; 2553 leaf ipv6 { 2554 type inet:ipv6-address; 2555 description 2556 "The value of IPv6 address."; 2557 } 2558 leaf prefix-length { 2559 type uint8 { 2560 range "0..128"; 2561 } 2562 description 2563 "The length of the subnet prefix."; 2564 } 2565 } 2566 description 2567 "Grouping for an IPv6 address"; 2569 reference 2570 "RFC 2460: Internet Protocol, Version 6 (IPv6) 2571 Specification - IPv6 address 2572 RFC 8344: A YANG Data Model for IP Management"; 2573 } 2575 grouping pkt-sec-ipv4 { 2576 choice match-type { 2577 description 2578 "There are two types to configure a security policy 2579 for IPv4 address, such as exact match and range match."; 2580 case exact-match { 2581 uses ipv4; 2582 description 2583 "Exact match for an IPv4 address."; 2584 } 2585 case range-match { 2586 list range-ipv4-address { 2587 key "start-ipv4-address end-ipv4-address"; 2588 leaf start-ipv4-address { 2589 type inet:ipv4-address; 2590 description 2591 "Start IPv4 address for a range match."; 2592 } 2594 leaf end-ipv4-address { 2595 type 
inet:ipv4-address; 2596 description 2597 "End IPv4 address for a range match."; 2598 } 2599 description 2600 "Range match for an IPv4 address."; 2601 } 2602 } 2603 } 2604 description 2605 "Grouping for an IPv4 address."; 2607 reference 2608 "RFC 791: Internet Protocol - IPv4 address"; 2609 } 2611 grouping pkt-sec-ipv6 { 2612 choice match-type { 2613 description 2614 "There are two types to configure a security policy 2615 for IPv6 address, such as exact match and range match."; 2616 case exact-match { 2617 uses ipv6; 2618 description 2619 "Exact match for an IPv6 address."; 2620 } 2621 case range-match { 2622 list range-ipv6-address { 2623 key "start-ipv6-address end-ipv6-address"; 2624 leaf start-ipv6-address { 2625 type inet:ipv6-address; 2626 description 2627 "Start IPv6 address for a range match."; 2628 } 2630 leaf end-ipv6-address { 2631 type inet:ipv6-address; 2632 description 2633 "End IPv6 address for a range match."; 2634 } 2635 description 2636 "Range match for an IPv6 address."; 2637 } 2638 } 2639 } 2640 description 2641 "Grouping for IPv6 address."; 2643 reference 2644 "RFC 2460: Internet Protocol, Version 6 (IPv6) 2645 Specification - IPv6 address"; 2646 } 2648 grouping pkt-sec-port-number { 2649 choice match-type { 2650 description 2651 "There are two types to configure a security policy 2652 for a port number, such as exact match and range match."; 2653 case exact-match { 2654 leaf-list port-num { 2655 type inet:port-number; 2656 description 2657 "Exact match for a port number."; 2658 } 2659 } 2660 case range-match { 2661 list range-port-num { 2662 key "start-port-num end-port-num"; 2663 leaf start-port-num { 2664 type inet:port-number; 2665 description 2666 "Start port number for a range match."; 2667 } 2668 leaf end-port-num { 2669 type inet:port-number; 2670 description 2671 "Start port number for a range match."; 2672 } 2673 description 2674 "Range match for a port number."; 2675 } 2676 } 2677 } 2678 description 2679 "Grouping for port number."; 
2681 reference 2682 "RFC 793: Transmission Control Protocol - Port number 2683 RFC 768: User Datagram Protocol - Port Number"; 2684 } 2686 /* 2687 * Data nodes 2688 */ 2690 container i2nsf-security-policy { 2691 description 2692 "Container for security policy 2693 including a set of security rules according to certain logic, 2694 i.e., their similarity or mutual relations, etc. The network 2695 security policy is able to apply over both the unidirectional 2696 and bidirectional traffic across the NSF. 2697 The I2NSF security policies use the Event-Condition-Action 2698 (ECA) policy model "; 2700 reference 2701 "RFC 8329: Framework for Interface to Network Security 2702 Functions - I2NSF Flow Security Policy Structure 2703 draft-ietf-i2nsf-capability-04: Information Model 2704 of NSFs Capabilities - Design Principles and ECA Policy Model 2705 Overview"; 2707 list system-policy { 2708 key "system-policy-name"; 2709 description 2710 "The system-policy represents there could be multiple system 2711 policies in one NSF, and each system policy is used by 2712 one virtual instance of the NSF/device."; 2714 leaf system-policy-name { 2715 type string; 2716 mandatory true; 2717 description 2718 "The name of the policy. 
2719 This must be unique."; 2720 } 2722 leaf priority-usage { 2723 type identityref { 2724 base priority-usage-type; 2725 } 2726 default priority-by-order; 2727 description 2728 "Priority usage type for security policy rule: 2729 priority by order and priority by number"; 2730 } 2732 leaf resolution-strategy { 2733 type identityref { 2734 base resolution-strategy; 2735 } 2736 default fmr; 2737 description 2738 "The resolution strategies can be used to 2739 specify how to resolve conflicts that occur between 2740 the actions of the same or different policy rules that 2741 are matched and contained in this particular NSF"; 2743 reference 2744 "draft-ietf-i2nsf-capability-04: Information Model 2745 of NSFs Capabilities - Resolution strategy"; 2746 } 2748 leaf default-action { 2749 type identityref { 2750 base default-action; 2751 } 2752 default alert; 2753 description 2754 "This default action can be used to specify a predefined 2755 action when no other alternative action was matched 2756 by the currently executing I2NSF Policy Rule. An analogy 2757 is the use of a default statement in a C switch statement."; 2759 reference 2760 "draft-ietf-i2nsf-capability-04: Information Model 2761 of NSFs Capabilities - Default action"; 2762 } 2764 list rules { 2765 key "rule-name"; 2766 description 2767 "This is a rule for network security functions."; 2769 leaf rule-name { 2770 type string; 2771 mandatory true; 2772 description 2773 "The name of the rule. 2774 This must be unique."; 2775 } 2777 leaf rule-description { 2778 type string; 2779 description 2780 "This description gives more information about 2781 rules."; 2782 } 2784 leaf rule-priority { 2785 type uint8 { 2786 range "1..255"; 2787 } 2788 description 2789 "The priority keyword comes with a mandatory 2790 numeric value which can range from 1 till 255."; 2791 } 2793 leaf rule-enable { 2794 type boolean; 2795 description 2796 "True is enable. 
2797 False is not enbale."; 2798 } 2800 leaf session-aging-time { 2801 type uint16; 2802 description 2803 "This is session aging time."; 2804 } 2806 container long-connection { 2807 description 2808 "This is long-connection"; 2810 leaf enable { 2811 type boolean; 2812 description 2813 "True is enable. 2814 False is not enbale."; 2815 } 2817 leaf during { 2818 type uint16; 2819 description 2820 "This is during time."; 2821 } 2822 } 2824 container time-zone { 2825 description 2826 "Time zone when the rules are applied"; 2827 container absolute-time-zone { 2828 description 2829 "Rule execution according to absolute time"; 2831 leaf start-time { 2832 type start-time-type; 2833 default right-away; 2834 description 2835 "Start time when the rules are applied"; 2836 } 2837 leaf end-time { 2838 type end-time-type; 2839 default infinitely; 2840 description 2841 "End time when the rules are applied"; 2842 } 2843 } 2844 container periodic-time-zone { 2845 description 2846 "Rule execution according to periodic time"; 2848 container day { 2849 description 2850 "Rule execution according to day."; 2851 leaf every-day { 2852 type boolean; 2853 default true; 2854 description 2855 "Rule execution every day"; 2856 } 2858 leaf-list specific-day { 2859 when "../every-day = 'false'"; 2860 type day-type; 2861 description 2862 "Rule execution according 2863 to specific day"; 2864 } 2865 } 2867 container month { 2868 description 2869 "Rule execution according to month."; 2870 leaf every-month { 2871 type boolean; 2872 default true; 2873 description 2874 "Rule execution every day"; 2875 } 2877 leaf-list specific-month { 2878 when "../every-month = 'false'"; 2879 type month-type; 2880 description 2881 "Rule execution according 2882 to month day"; 2883 } 2884 } 2885 } 2886 } 2888 container event-clause-container { 2889 description 2890 "An event is defined as any important 2891 occurrence in time of a change in the system being 2892 managed, and/or in the environment of the system being 2893 
managed. When used in the context of policy rules for 2894 a flow-based NSF, it is used to determine whether the 2895 Condition clause of the Policy Rule can be evaluated 2896 or not. Examples of an I2NSF event include time and 2897 user actions (e.g., logon, logoff, and actions that 2898 violate any ACL.)."; 2900 reference 2901 "RFC 8329: Framework for Interface to Network Security 2902 Functions - I2NSF Flow Security Policy Structure 2903 draft-ietf-i2nsf-capability-04: Information Model 2904 of NSFs Capabilities - Design Principles and ECA 2905 Policy Model Overview 2906 draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG 2907 Data Model for Monitoring I2NSF Network Security 2908 Functions - System Alarm and System Events"; 2910 leaf event-clause-description { 2911 type string; 2912 description 2913 "Description for an event clause"; 2914 } 2916 container event-clauses { 2917 description 2918 "It has two event types such as 2919 system event and system alarm."; 2920 reference 2921 "RFC 8329: Framework for Interface to Network Security 2922 Functions - I2NSF Flow Security Policy Structure 2923 draft-ietf-i2nsf-capability-04: Information Model 2924 of NSFs Capabilities - Design Principles and ECA Policy 2925 Model Overview 2926 draft-hong-i2nsf-nsf-monitoring-data-model-06: A YANG 2927 Data Model for Monitoring I2NSF Network Security 2928 Functions - System Alarm and System Events"; 2930 leaf-list system-event { 2931 type identityref { 2932 base system-event; 2933 } 2934 description 2935 "The security policy rule according to 2936 system events."; 2937 } 2938 leaf-list system-alarm { 2939 type identityref { 2940 base system-alarm; 2941 } 2942 description 2943 "The security policy rule according to 2944 system alarms."; 2945 } 2946 } 2947 } 2949 container condition-clause-container { 2950 description 2951 "A condition is defined as a set 2952 of attributes, features, and/or values that are to be 2953 compared with a set of known attributes, features, 2954 and/or 
values in order to determine whether or not the 2955 set of Actions in that (imperative) I2NSF Policy Rule 2956 can be executed or not. Examples of I2NSF Conditions 2957 include matching attributes of a packet or flow, and 2958 comparing the internal state of an NSF to a desired 2959 state."; 2960 reference 2961 "RFC 8329: Framework for Interface to Network Security 2962 Functions - I2NSF Flow Security Policy Structure 2963 draft-ietf-i2nsf-capability-04: Information Model 2964 of NSFs Capabilities - Design Principles and ECA Policy 2965 Model Overview"; 2967 leaf condition-clause-description { 2968 type string; 2969 description 2970 "Description for a condition clause."; 2971 } 2973 container packet-security-ipv4-condition { 2974 description 2975 "The purpose of this container is to represent IPv4 2976 packet header information to determine if the set 2977 of policy actions in this ECA policy rule should be 2978 executed or not."; 2979 reference 2980 "RFC 791: Internet Protocol"; 2982 leaf ipv4-description { 2983 type string; 2984 description 2985 "This is description for ipv4 condition."; 2987 } 2989 container pkt-sec-ipv4-header-length { 2990 choice match-type { 2991 description 2992 "There are two types to configure a security 2993 policy for IPv4 header length, such as exact match 2994 and range match."; 2995 case exact-match { 2996 leaf-list ipv4-header-length { 2997 type uint8 { 2998 range "5..15"; 2999 } 3000 description 3001 "Exact match for an IPv4 header length."; 3002 } 3003 } 3004 case range-match { 3005 list range-ipv4-header-length { 3006 key "start-ipv4-header-length 3007 end-ipv4-header-length"; 3008 leaf start-ipv4-header-length { 3009 type uint8 { 3010 range "5..15"; 3011 } 3012 description 3013 "Start IPv4 header length for a range match."; 3014 } 3016 leaf end-ipv4-header-length { 3017 type uint8 { 3018 range "5..15"; 3019 } 3020 description 3021 "End IPv4 header length for a range match."; 3022 } 3023 description 3024 "Range match for an IPv4 
header length."; 3025 } 3026 } 3027 } 3028 description 3029 "The security policy rule according to 3030 IPv4 header length."; 3031 reference 3032 "RFC 791: Internet Protocol - Header length"; 3033 } 3034 leaf-list pkt-sec-ipv4-tos { 3035 type identityref { 3036 base type-of-service; 3037 } 3038 description 3039 "The security policy rule according to 3040 IPv4 type of service."; 3041 reference 3042 "RFC 791: Internet Protocol - Type of service"; 3043 } 3045 container pkt-sec-ipv4-total-length { 3046 choice match-type { 3047 description 3048 "There are two types to configure a security 3049 policy for IPv4 total length, such as exact match 3050 and range match."; 3051 case exact-match { 3052 leaf-list ipv4-total-length { 3053 type uint16; 3054 description 3055 "Exact match for an IPv4 total length."; 3056 } 3057 } 3058 case range-match { 3059 list range-ipv4-total-length { 3060 key "start-ipv4-total-length end-ipv4-total-length"; 3061 leaf start-ipv4-total-length { 3062 type uint16; 3063 description 3064 "Start IPv4 total length for a range match."; 3065 } 3066 leaf end-ipv4-total-length { 3067 type uint16; 3068 description 3069 "End IPv4 total length for a range match."; 3070 } 3071 description 3072 "Range match for an IPv4 total length."; 3073 } 3074 } 3075 } 3076 description 3077 "The security policy rule according to 3078 IPv4 total length."; 3079 reference 3080 "RFC 791: Internet Protocol - Total length"; 3081 } 3082 leaf-list pkt-sec-ipv4-id { 3083 type uint16; 3084 description 3085 "The security policy rule according to 3086 IPv4 identification."; 3087 reference 3088 "RFC 791: Internet Protocol - Identification"; 3089 } 3091 leaf-list pkt-sec-ipv4-fragment-flags { 3092 type identityref { 3093 base fragmentation-flags-type; 3094 } 3095 description 3096 "The security policy rule according to 3097 IPv4 fragment flags."; 3098 reference 3099 "RFC 791: Internet Protocol - Fragment flags"; 3100 } 3102 container pkt-sec-ipv4-fragment-offset { 3103 choice match-type { 
3104 description 3105 "There are two types to configure a security 3106 policy for IPv4 fragment offset, such as exact match 3107 and range match."; 3108 case exact-match { 3109 leaf-list ipv4-fragment-offset { 3110 type uint16 { 3111 range "0..16383"; 3112 } 3113 description 3114 "Exact match for an IPv4 fragment offset."; 3115 } 3116 } 3117 case range-match { 3118 list range-ipv4-fragment-offset { 3119 key "start-ipv4-fragment-offset 3120 end-ipv4-fragment-offset"; 3121 leaf start-ipv4-fragment-offset { 3122 type uint16 { 3123 range "0..16383"; 3124 } 3125 description 3126 "Start IPv4 fragment offset for a range match."; 3127 } 3128 leaf end-ipv4-fragment-offset { 3129 type uint16 { 3130 range "0..16383"; 3131 } 3132 description 3133 "End IPv4 fragment offset for a range match."; 3134 } 3135 description 3136 "Range match for an IPv4 fragment offset."; 3137 } 3138 } 3139 } 3140 description 3141 "The security policy rule according to 3142 IPv4 fragment offset."; 3143 reference 3144 "RFC 791: Internet Protocol - Fragment offset"; 3145 } 3147 container pkt-sec-ipv4-ttl { 3148 choice match-type { 3149 description 3150 "There are two types to configure a security 3151 policy for IPv4 TTL, such as exact match 3152 and range match."; 3153 case exact-match { 3154 leaf-list ipv4-ttl { 3155 type uint8; 3156 description 3157 "Exact match for an IPv4 TTL."; 3158 } 3159 } 3160 case range-match { 3161 list range-ipv4-ttl { 3162 key "start-ipv4-ttl end-ipv4-ttl"; 3163 leaf start-ipv4-ttl { 3164 type uint8; 3165 description 3166 "Start IPv4 TTL for a range match."; 3167 } 3168 leaf end-ipv4-ttl { 3169 type uint8; 3170 description 3171 "End IPv4 TTL for a range match."; 3172 } 3173 description 3174 "Range match for an IPv4 TTL."; 3175 } 3176 } 3177 } 3178 description 3179 "The security policy rule according to 3180 IPv4 time-to-live (TTL)."; 3181 reference 3182 "RFC 791: Internet Protocol - Time to live"; 3183 } 3185 leaf-list pkt-sec-ipv4-protocol { 3186 type identityref { 3187 
base protocol; 3188 } 3189 description 3190 "The security policy rule according to 3191 IPv4 protocol."; 3192 reference 3193 "RFC 791: Internet Protocol - Protocol"; 3194 } 3196 container pkt-sec-ipv4-src { 3197 uses pkt-sec-ipv4; 3198 description 3199 "The security policy rule according to 3200 IPv4 source address."; 3201 reference 3202 "RFC 791: Internet Protocol - IPv4 Address"; 3203 } 3205 container pkt-sec-ipv4-dest { 3206 uses pkt-sec-ipv4; 3207 description 3208 "The security policy rule according to 3209 IPv4 destination address."; 3210 reference 3211 "RFC 791: Internet Protocol - IPv4 Address"; 3212 } 3214 leaf-list pkt-sec-ipv4-ipopts { 3215 type identityref { 3216 base ipopts; 3217 } 3218 description 3219 "The security policy rule according to 3220 IPv4 options."; 3221 reference 3222 "RFC 791: Internet Protocol - Options"; 3223 } 3224 leaf pkt-sec-ipv4-sameip { 3225 type boolean; 3226 description 3227 "Every packet has a source IP-address and 3228 a destination IP-address. It can be that 3229 the source IP is the same as 3230 the destination IP."; 3231 } 3233 leaf-list pkt-sec-ipv4-geoip { 3234 type string; 3235 description 3236 "The geoip keyword enables you to match on 3237 the source, destination or source and destination 3238 IP addresses of network traffic and to see to 3239 which country it belongs. 
To do this, Suricata 3240 uses GeoIP API with MaxMind database format."; 3241 } 3242 } 3244 container packet-security-ipv6-condition { 3245 description 3246 "The purpose of this container is to represent 3247 IPv6 packet header information to determine 3248 if the set of policy actions in this ECA policy 3249 rule should be executed or not."; 3250 reference 3251 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3252 Specification"; 3254 leaf ipv6-description { 3255 type string; 3256 description 3257 "This is description for ipv6 condition."; 3258 } 3260 leaf-list pkt-sec-ipv6-traffic-class { 3261 type identityref { 3262 base traffic-class; 3263 } 3264 description 3265 "The security policy rule according to 3266 IPv6 traffic class."; 3267 reference 3268 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3269 Specification - Traffic class"; 3270 } 3271 container pkt-sec-ipv6-flow-label { 3272 choice match-type { 3273 description 3274 "There are two types to configure a security 3275 policy for IPv6 flow label, such as exact match 3276 and range match."; 3277 case exact-match { 3278 leaf-list ipv6-flow-label { 3279 type uint32 { 3280 range "0..1048575"; 3281 } 3282 description 3283 "Exact match for an IPv6 flow label."; 3284 } 3285 } 3286 case range-match { 3287 list range-ipv6-flow-label { 3288 key "start-ipv6-flow-label end-ipv6-flow-label"; 3289 leaf start-ipv6-flow-label { 3290 type uint32 { 3291 range "0..1048575"; 3292 } 3293 description 3294 "Start IPv6 flow label for a range match."; 3295 } 3296 leaf end-ipv6-flow-label { 3297 type uint32 { 3298 range "0..1048575"; 3299 } 3300 description 3301 "End IPv6 flow label for a range match."; 3302 } 3303 description 3304 "Range match for an IPv6 flow label."; 3305 } 3306 } 3307 } 3308 description 3309 "The security policy rule according to 3310 IPv6 flow label."; 3311 reference 3312 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3313 Specification - Flow label"; 3314 } 3316 container pkt-sec-ipv6-payload-length { 3317 choice 
match-type { 3318 description 3319 "There are two types to configure a security 3320 policy for IPv6 payload length, such as 3321 exact match and range match."; 3322 case exact-match { 3323 leaf-list ipv6-payload-length { 3324 type uint16; 3325 description 3326 "Exact match for an IPv6 payload length."; 3327 } 3328 } 3329 case range-match { 3330 list range-ipv6-payload-length { 3331 key "start-ipv6-payload-length 3332 end-ipv6-payload-length"; 3333 leaf start-ipv6-payload-length { 3334 type uint16; 3335 description 3336 "Start IPv6 payload length for a range match."; 3337 } 3338 leaf end-ipv6-payload-length { 3339 type uint16; 3340 description 3341 "End IPv6 payload length for a range match."; 3342 } 3343 description 3344 "Range match for an IPv6 payload length."; 3345 } 3346 } 3347 } 3348 description 3349 "The security policy rule according to 3350 IPv6 payload length."; 3351 reference 3352 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3353 Specification - Payload length"; 3354 } 3356 leaf-list pkt-sec-ipv6-next-header { 3357 type identityref { 3358 base next-header; 3359 } 3360 description 3361 "The security policy rule according to 3362 IPv6 next header."; 3363 reference 3364 "RFC 2460: Internet Protocol, Version 6 (IPv6) 3365 Specification - Next header"; 3366 } 3367 container pkt-sec-ipv6-hop-limit { 3368 choice match-type { 3369 description 3370 "There are two types to configure a security 3371 policy for IPv6 hop limit, such as exact match 3372 and range match."; 3373 case exact-match { 3374 leaf-list ipv6-hop-limit { 3375 type uint8; 3376 description 3377 "Exact match for an IPv6 hop limit."; 3378 } 3379 } 3380 case range-match { 3381 list range-ipv6-hop-limit { 3382 key "start-ipv6-hop-limit end-ipv6-hop-limit"; 3383 leaf start-ipv6-hop-limit { 3384 type uint8; 3385 description 3386 "Start IPv6 hop limit for a range match."; 3387 } 3388 leaf end-ipv6-hop-limit { 3389 type uint8; 3390 description 3391 "End IPv6 hop limit for a range match."; 3392 } 3393 
                    description
                      "Range match for an IPv6 hop limit.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv6 hop limit.";
              reference
                "RFC 2460: Internet Protocol, Version 6 (IPv6)
                 Specification - Hop limit";
            }

            container pkt-sec-ipv6-src {
              uses pkt-sec-ipv6;
              description
                "The security policy rule according to
                 IPv6 source address.";
              reference
                "RFC 2460: Internet Protocol, Version 6 (IPv6)
                 Specification - IPv6 address";
            }
            container pkt-sec-ipv6-dest {
              uses pkt-sec-ipv6;
              description
                "The security policy rule according to
                 IPv6 destination address.";
              reference
                "RFC 2460: Internet Protocol, Version 6 (IPv6)
                 Specification - IPv6 address";
            }
          }

          container packet-security-tcp-condition {
            description
              "The purpose of this container is to represent
               TCP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 793: Transmission Control Protocol";

            leaf tcp-description {
              type string;
              description
                "This is the description for the tcp condition.";
            }

            container pkt-sec-tcp-src-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 tcp source port number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Port number";
            }

            container pkt-sec-tcp-dest-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 tcp destination port number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Port number";
            }
            container pkt-sec-tcp-seq-num {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for tcp sequence number,
                   such as exact match and range match.";
                case exact-match {
                  leaf-list tcp-seq-num {
                    type uint32;
                    description
                      "Exact match for a tcp sequence number.";
                  }
                }
                case range-match {
                  list range-tcp-seq-num {
                    key "start-tcp-seq-num end-tcp-seq-num";
                    leaf start-tcp-seq-num {
                      type uint32;
                      description
                        "Start tcp sequence number for a range match.";
                    }
                    leaf end-tcp-seq-num {
                      type uint32;
                      description
                        "End tcp sequence number for a range match.";
                    }
                    description
                      "Range match for a tcp sequence number.";
                  }
                }
              }
              description
                "The security policy rule according to
                 tcp sequence number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Sequence number";
            }

            container pkt-sec-tcp-ack-num {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for tcp acknowledgement number,
                   such as exact match and range match.";
                case exact-match {
                  leaf-list tcp-ack-num {
                    type uint32;
                    description
                      "Exact match for a tcp acknowledgement number.";
                  }
                }
                case range-match {
                  list range-tcp-ack-num {
                    key "start-tcp-ack-num end-tcp-ack-num";
                    leaf start-tcp-ack-num {
                      type uint32;
                      description
                        "Start tcp acknowledgement number
                         for a range match.";
                    }
                    leaf end-tcp-ack-num {
                      type uint32;
                      description
                        "End tcp acknowledgement number
                         for a range match.";
                    }
                    description
                      "Range match for a tcp acknowledgement number.";
                  }
                }
              }
              description
                "The security policy rule according to
                 tcp acknowledgement number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Acknowledgement number";
            }

            container pkt-sec-tcp-window-size {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for tcp window size,
                   such as exact match and range match.";
                case exact-match {
                  leaf-list tcp-window-size {
                    type uint16;
                    description
                      "Exact match for a tcp window size.";
                  }
                }
                case range-match {
                  list range-tcp-window-size {
                    key "start-tcp-window-size end-tcp-window-size";
                    leaf start-tcp-window-size {
                      type uint16;
                      description
                        "Start tcp window size for a range match.";
                    }
                    leaf end-tcp-window-size {
                      type uint16;
                      description
                        "End tcp window size for a range match.";
                    }
                    description
                      "Range match for a tcp window size.";
                  }
                }
              }
              description
                "The security policy rule according to
                 tcp window size.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Window size";
            }

            leaf-list pkt-sec-tcp-flags {
              type identityref {
                base tcp-flags;
              }
              description
                "The security policy rule according to
                 tcp flags.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Flags";
            }
          }

          container packet-security-udp-condition {
            description
              "The purpose of this container is to represent
               UDP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 768: User Datagram Protocol";

            leaf udp-description {
              type string;
              description
                "This is the description for the udp condition.";
            }

            container pkt-sec-udp-src-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 udp source port number.";
              reference
                "RFC 768: User Datagram Protocol
                 - Port number";
            }

            container pkt-sec-udp-dest-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 udp destination port number.";
              reference
                "RFC 768: User Datagram Protocol
                 - Port number";
            }

            container pkt-sec-udp-total-length {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for udp total length,
                   such as exact match and range match.";
                case exact-match {
                  leaf-list udp-total-length {
                    type uint32;
                    description
                      "Exact match for a udp total length.";
                  }
                }
                case range-match {
                  list range-udp-total-length {
                    key "start-udp-total-length end-udp-total-length";
                    leaf start-udp-total-length {
                      type uint32;
                      description
                        "Start udp total length for a range match.";
                    }
                    leaf end-udp-total-length {
                      type uint32;
                      description
                        "End udp total length for a range match.";
                    }
                    description
                      "Range match for a udp total length.";
                  }
                }
              }
              description
                "The security policy rule according to
                 udp total length.";
              reference
                "RFC 768: User Datagram Protocol
                 - Total Length";
            }
          }

          container packet-security-icmp-condition {
            description
              "The purpose of this container is to represent
               ICMP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 792: Internet Control Message Protocol
               RFC 8335: PROBE: A Utility for Probing Interfaces";

            leaf icmp-description {
              type string;
              description
                "This is the description for the icmp condition.";
            }

            leaf-list pkt-sec-icmp-type-and-code {
              type identityref {
                base icmp-type;
              }
              description
                "The security policy rule according to
                 ICMP parameters.";
              reference
                "RFC 792: Internet Control Message Protocol
                 RFC 8335: PROBE: A Utility for Probing Interfaces";
            }
          }

          container packet-security-url-category-condition {
            description
              "Condition for url category";
            leaf url-category-description {
              type string;
              description
                "This is the description for the url category condition.
                 Vendors can write instructions for the url category
                 condition that the vendor made.";
            }

            leaf-list pre-defined-category {
              type string;
              description
                "This is a pre-defined category.";
            }
            leaf-list user-defined-category {
              type string;
              description
                "This is a user-defined category.";
            }
          }

          container packet-security-voice-condition {
            description
              "For the VoIP/VoLTE security system, a VoIP/
               VoLTE security system can monitor each
               VoIP/VoLTE flow and manage VoIP/VoLTE
               security rules controlled by a centralized
               server for VoIP/VoLTE security service
               (called VoIP IPS). The VoIP/VoLTE security
               system controls each switch for the
               VoIP/VoLTE call flow management by
               manipulating the rules that can be added,
               deleted, or modified dynamically.";
            reference
              "RFC 3261: SIP: Session Initiation Protocol";

            leaf voice-description {
              type string;
              description
                "This is the description for the voice condition.";
            }

            leaf-list pkt-sec-src-voice-id {
              type string;
              description
                "The security policy rule according to
                 a source voice ID for VoIP and VoLTE.";
            }

            leaf-list pkt-sec-dest-voice-id {
              type string;
              description
                "The security policy rule according to
                 a destination voice ID for VoIP and VoLTE.";
            }

            leaf-list pkt-sec-user-agent {
              type string;
              description
                "The security policy rule according to
                 a user agent for VoIP and VoLTE.";
            }
          }

          container packet-security-ddos-condition {
            description
              "Condition for DDoS attack.";

            leaf ddos-description {
              type string;
              description
                "This is the description for the ddos condition.";
            }

            leaf pkt-sec-alert-rate {
              type uint32;
              description
                "The alert rate of flood detection for
                 the same packets.";
            }
          }

          container packet-security-payload-condition {
            description
              "Condition for packet payload";
            leaf packet-payload-description {
              type string;
              description
                "This is the description for the payload condition.
                 Vendors can write instructions for the payload
                 condition that the vendor made.";
            }
            leaf-list pkt-payload-content {
              type string;
              description
                "The content keyword is very important in
                 signatures. Between the quotation marks you
                 can write what you would like the
                 signature to match.";
            }
          }

          container context-condition {
            description
              "Condition for context";
            leaf context-description {
              type string;
              description
                "This is the description for the context condition.
                 Vendors can write instructions for the context
                 condition that the vendor made.";
            }

            leaf-list acl-number {
              type uint32;
              description
                "This is the ACL number.";
            }

            container application-condition {
              description
                "Condition for application";
              leaf application-description {
                type string;
                description
                  "This is the description for the application condition.";
              }
              leaf-list application-object {
                type string;
                description
                  "This is an application object.";
              }
              leaf-list application-group {
                type string;
                description
                  "This is an application group.";
              }
              leaf-list application-label {
                type string;
                description
                  "This is an application label.";
              }
              container category {
                description
                  "This is the application category.";
                list application-category {
                  key "name application-subcategory";
                  description
                    "This is the application category list.";
                  leaf name {
                    type string;
                    description
                      "This is the name of the application category.";
                  }
                  leaf application-subcategory {
                    type string;
                    description
                      "This is the application subcategory.";
                  }
                }
              }
            }

            container target-condition {
              description
                "Condition for target";
              leaf target-description {
                type string;
                description
                  "This is the description for the target condition.
                   Vendors can write instructions for the target
                   condition that the vendor made.";
              }

              container device-sec-context-cond {
                description
                  "The device attribute that can identify a device,
                   including the device type (i.e., router, switch,
                   pc, ios, or android) and the device's owner as
                   well.";

                leaf-list target-device {
                  type identityref {
                    base target-device;
                  }
                  description
                    "Leaf list for target devices";
                }
              }
            }
            container users-condition {
              description
                "Condition for users";
              leaf users-description {
                type string;
                description
                  "This is the description for the user condition.
                   Vendors can write instructions for the user
                   condition that the vendor made.";
              }
              container user {
                description
                  "The user (or user group) information with which
                   network flow is associated: The user has many
                   attributes such as name, id, password, type,
                   authentication mode and so on. Name/id is often
                   used in the security policy to identify the user.
                   Besides, NSF is aware of the IP address of the
                   user provided by a unified user management system
                   via network. Based on name-address association,
                   NSF is able to enforce the security functions
                   over the given user (or user group)";

                choice user-name {
                  description
                    "The name of the user.
                     This must be unique.";

                  case tenant {
                    description
                      "Tenant information.";

                    leaf tenant {
                      type uint8;
                      mandatory true;
                      description
                        "User's tenant information.";
                    }
                  }

                  case vn-id {
                    description
                      "VN-ID information.";

                    leaf vn-id {
                      type uint8;
                      mandatory true;
                      description
                        "User's VN-ID information.";
                    }
                  }
                }
              }

              container group {
                description
                  "The user (or user group) information with which
                   network flow is associated: The user has many
                   attributes such as name, id, password, type,
                   authentication mode and so on. Name/id is often
                   used in the security policy to identify the user.
                   Besides, NSF is aware of the IP address of the
                   user provided by a unified user management system
                   via network. Based on name-address association,
                   NSF is able to enforce the security functions
                   over the given user (or user group)";

                choice group-name {
                  description
                    "The name of the user.
                     This must be unique.";

                  case tenant {
                    description
                      "Tenant information.";

                    leaf tenant {
                      type uint8;
                      mandatory true;
                      description
                        "User's tenant information.";
                    }
                  }

                  case vn-id {
                    description
                      "VN-ID information.";

                    leaf vn-id {
                      type uint8;
                      mandatory true;
                      description
                        "User's VN-ID information.";
                    }
                  }
                }
              }

              leaf security-grup {
                type string;
                mandatory true;
                description
                  "security-grup.";
              }
            }

            container gen-context-condition {
              description
                "Condition for generic context";
              leaf gen-context-description {
                type string;
                description
                  "This is the description for the generic context
                   condition. Vendors can write instructions for the
                   generic context condition that the vendor made.";
              }

              container geographic-location {
                description
                  "The location with which network traffic is
                   associated. The region can be the geographic
                   location such as country, province, and city,
                   as well as the logical network location such as
                   IP address, network section, and network domain.";

                leaf-list src-geographic-location {
                  type uint32;
                  description
                    "This is mapped to an ip address. We can acquire
                     the source region through the ip address stored
                     in the database.";
                }
                leaf-list dest-geographic-location {
                  type uint32;
                  description
                    "This is mapped to an ip address. We can acquire
                     the destination region through the ip address
                     stored in the database.";
                }
              }
            }
          }
        }
        container action-clause-container {
          description
            "An action is used to control and monitor aspects of
             flow-based NSFs when the event and condition clauses
             are satisfied. NSFs provide security functions by
             executing various Actions. Examples of I2NSF Actions
             include providing intrusion detection and/or protection,
             web and flow filtering, and deep packet inspection
             for packets and flows.";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - I2NSF Flow Security Policy Structure
             draft-ietf-i2nsf-capability-04: Information Model
             of NSFs Capabilities - Design Principles and ECA Policy
             Model Overview";

          leaf action-clause-description {
            type string;
            description
              "Description for an action clause.";
          }

          container packet-action {
            description
              "Action for packets";
            reference
              "RFC 8329: Framework for Interface to Network Security
               Functions - I2NSF Flow Security Policy Structure
               draft-ietf-i2nsf-capability-04: Information Model
               of NSFs Capabilities - Design Principles and ECA
               Policy Model Overview";

            leaf ingress-action {
              type identityref {
                base ingress-action;
              }
              description
                "Action: pass, drop, reject, alert, and mirror.";
            }

            leaf egress-action {
              type identityref {
                base egress-action;
              }
              description
                "Egress action: pass, drop, reject, alert, mirror,
                 invoke-signaling, tunnel-encapsulation,
                 forwarding, and redirection.";
            }

            leaf log-action {
              type identityref {
                base log-action;
              }
              description
                "Log action: rule log and session log";
            }
          }

          container advanced-action {
            description
              "If the packet needs to be additionally inspected,
               the packet is passed to advanced network
               security functions according to the profile.";
            reference
              "RFC 8329: Framework for Interface to Network Security
               Functions - Differences from ACL Data Models";

            leaf-list content-security-control {
              type identityref {
                base content-security-control;
              }
              description
                "The Profile is divided into content security
                 control and attack-mitigation-control.
                 Content security control: antivirus, ips, ids,
                 url filtering, mail filtering, file blocking,
                 file isolate, packet capture, application control,
                 voip and volte.";
            }

            leaf-list attack-mitigation-control {
              type identityref {
                base attack-mitigation-control;
              }
              description
                "The Profile is divided into content security
                 control and attack-mitigation-control.
                 Attack mitigation control: syn flood, udp flood,
                 icmp flood, ip frag flood, ipv6 related, http flood,
                 https flood, dns flood, dns amp flood, ssl ddos,
                 ip sweep, port scanning, ping of death, teardrop,
                 oversized icmp, tracert.";
            }
          }
        }
      }
      container rule-group {
        description
          "This is the rule group.";

        list groups {
          key "group-name";
          description
            "This is a group for rules.";

          leaf group-name {
            type string;
            description
              "This is the name of a group for rules.";
          }

          container rule-range {
            description
              "This is a rule range.";

            leaf start-rule {
              type string;
              description
                "This is the start rule.";
            }
            leaf end-rule {
              type string;
              description
                "This is the end rule.";
            }
          }
          leaf enable {
            type boolean;
            description
              "True enables the rule group;
               false disables it.";
          }
          leaf description {
            type string;
            description
              "This is a description for the rule-group.";
          }
        }
      }
    }
  }
  leaf i2nsf-ipsec {
    type identityref {
      base i2nsf-ipsec;
    }
    description
      "Internet Key Exchange for NSFs
       in the I2NSF framework";

    reference
      "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
       - i2nsf-ipsec";
  }
}

Figure 6: YANG Data Module of I2NSF NSF-Facing-Interface

6. IANA Considerations

This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]:

URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf

Registrant Contact: The IESG.

XML: N/A; the requested URI is an XML namespace.

This document requests IANA to register the following YANG module in the "YANG Module Names" registry [RFC7950].

name: ietf-i2nsf-policy-rule-for-nsf

namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf

prefix: iiprfn

reference: RFC XXXX

7. Security Considerations

The YANG module specified in this document defines a data schema designed to be accessed through network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the required secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the required secure transport is TLS [RFC8446].

The NETCONF access control model [RFC8341] provides a means of restricting access for specific NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.

8. References

8.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004.

[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010.

[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013.

[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016.

[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration Access Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, March 2018.

[RFC8431] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, S., and N. Bahadur, "A YANG Data Model for the Routing Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431, September 2018.

[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

8.2. Informative References

[draft-ietf-i2nsf-sdn-ipsec-flow-protection] Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia, "Software-Defined Networking (SDN)-based IPsec Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-04 (work in progress), March 2019.

[i2nsf-advanced-nsf-dm] Pan, W. and L. Xia, "Configuration of Advanced Security Functions with I2NSF Security Controller", draft-dong-i2nsf-asf-config-01 (work in progress), October 2018.

[i2nsf-nsf-cap-dm] Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin, "I2NSF Capability YANG Data Model", draft-ietf-i2nsf-capability-data-model-05 (work in progress), June 2019.

[i2nsf-nsf-cap-im] Xia, L., Strassner, J., Basile, C., and D. Lopez, "Information Model of NSFs Capabilities", draft-ietf-i2nsf-capability-05 (work in progress), April 2019.

[supa-policy-info-model] Strassner, J., Halpern, J., and S. Meer, "Generic Policy Information Model for Simplified Use of Policy Abstractions (SUPA)", draft-ietf-supa-generic-policy-info-model-03 (work in progress), May 2017.

Appendix A. Configuration Examples

This section shows configuration examples of the "ietf-i2nsf-policy-rule-for-nsf" module for security policy rules of network security devices. For the security requirements, we assume that the NSFs (i.e., general firewall, time based firewall, URL filter, VoIP/VoLTE filter, and HTTP and HTTPS flood mitigation) described in Appendix A (Configuration Examples) of [i2nsf-nsf-cap-dm] are registered in the I2NSF framework. With the registered NSFs, we show configuration examples for security policy rules of network security functions according to the following three security requirements: (i) block SNS access during business hours, (ii) block malicious VoIP/VoLTE packets coming to the company, and (iii) mitigate HTTP and HTTPS flood attacks on a company web server.

A.1. Security Requirement 1: Block SNS Access during Business Hours

This section shows a configuration example for blocking SNS access during business hours.
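As an added example (not code from the draft or from the I2NSF project), the following Python evaluates the module's match-type choice the way an NSF would: an exact-match leaf-list is set membership, a range-match list keyed by start-*/end-* leaves is an inclusive interval, and an entry whose start exceeds its end is rejected (the module's list key does not prevent such an entry); it then applies the same routine to the A.1 time based firewall rule and the A.3 general firewall rule using the values from Figures 7 and 11. The packet field names, the ipv4 and port leaf names and the time-range node are assumptions of the example.

```python
"""Evaluating the I2NSF NSF-facing condition clauses (added example).

Rule dicts mirror node names of the page's YANG module (exact-match,
range-match, start-*/end-* keys, advanced-action and its profiles); the
packet field names, ipv4/port leaf names and the time-range node are
assumptions of this example, not nodes the page defines.
"""
from datetime import time
from ipaddress import IPv4Address


class InvalidRange(ValueError):
    """A range-match entry whose start is above its end: the module keys the
    list on 'start-x end-x' but nothing orders them, so the NSF must reject
    the entry rather than silently match nothing."""


def _bounds(entry):
    # Each range entry carries one start-*/end-* pair (e.g. start-tcp-seq-num).
    start = next(v for k, v in entry.items() if k.startswith("start-"))
    end = next(v for k, v in entry.items() if k.startswith("end-"))
    return start, end


def match_type(cond, value, conv=int):
    """Evaluate one 'match-type' choice (exact-match leaf-list or inclusive
    range-match list) against a header value; None (node absent) imposes no
    constraint. conv makes leaf values comparable, so one routine serves
    uint16 ports, uint32 sequence numbers, IPv4 addresses and times."""
    if cond is None:
        return True
    if "exact-match" in cond:
        return conv(value) in {conv(v) for v in cond["exact-match"]}
    for entry in cond.get("range-match", []):
        start, end = (conv(b) for b in _bounds(entry))
        if start > end:
            raise InvalidRange(f"range-match start {start} exceeds end {end}")
        if start <= conv(value) <= end:
            return True
    return False


def _tod(s):
    # Figure 7 writes times as 09:00:00Z; drop the zone designator to parse.
    return time.fromisoformat(s.rstrip("Z"))


# Converter per condition node used below (node names assumed, see above).
CONVERTERS = {
    "time-range": _tod,
    "pkt-sec-ipv4-src": IPv4Address,
    "pkt-sec-ipv4-dest": IPv4Address,
    "pkt-sec-tcp-dest-port-num": int,
}


def evaluate_rule(rule, pkt):
    """Return the action clause for pkt, or None when any condition node
    fails (logical AND); a header field the packet lacks also fails."""
    for node, cond in rule["condition"].items():
        if node not in pkt or not match_type(cond, pkt[node], CONVERTERS[node]):
            return None
    return rule["action"]


# A.1 time based firewall, values from Figure 7: employee traffic during
# business hours is handed to url-filtering for content inspection.
TIME_BASED_FW_RULE = {
    "rule-name": "block_sns_access_during_operation_time",
    "condition": {
        "time-range": {"range-match": [
            {"start-time": "09:00:00Z", "end-time": "18:00:00Z"}]},
        "pkt-sec-ipv4-src": {"range-match": [
            {"start-ipv4-address": "221.159.112.1",
             "end-ipv4-address": "221.159.112.90"}]}},
    "action": {"advanced-action": {"content-security-control": "url-filtering"}},
}

# A.3 general firewall, values from Figure 11: traffic to the web server on
# 80/443 is handed to the http-and-https-flood mitigation profile.
FLOOD_FW_RULE = {
    "rule-name": "mitigate_http_and_https_flood_attack",
    "condition": {
        "pkt-sec-ipv4-dest": {"exact-match": ["221.159.112.95"]},
        "pkt-sec-tcp-dest-port-num": {"exact-match": [80, 443]}},
    "action": {"advanced-action": {"attack-mitigation-control": "http-and-https-flood"}},
}


def demo():
    """Constructed packets, keyed by the condition node each field feeds."""
    office = {"time-range": "10:30:00Z", "pkt-sec-ipv4-src": "221.159.112.40"}
    evening = {"time-range": "19:15:00Z", "pkt-sec-ipv4-src": "221.159.112.40"}
    web_hit = {"pkt-sec-ipv4-dest": "221.159.112.95", "pkt-sec-tcp-dest-port-num": 443}
    return (evaluate_rule(TIME_BASED_FW_RULE, office),
            evaluate_rule(TIME_BASED_FW_RULE, evening),
            evaluate_rule(FLOOD_FW_RULE, web_hit))
```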
(XML instance; markup not preserved in this copy. Element values:
sns_access, block_sns_access_during_operation_time, 09:00:00Z,
18:00:00Z, 221.159.112.1, 221.159.112.90, url-filtering)

Figure 7: Configuration XML for Time based Firewall to Block SNS Access during Business Hours

(XML instance; markup not preserved in this copy. Element values:
sns_access, block_sns_access_during_operation_time, facebook,
instagram, drop)

Figure 8: Configuration XML for Web Filter to Block SNS Access during Business Hours

Figure 7 and Figure 8 show the configuration XML documents for the time based firewall and the web filter to block SNS access during business hours. For this security requirement, two NSFs (i.e., a time based firewall and a web filter) were used because one NSF cannot meet the security requirement on its own. The instances of the XML documents for the time based firewall and the web filter are as follows. Note that a detailed data model for the configuration of the advanced network security function (i.e., web filter) is described in [i2nsf-advanced-nsf-dm].

Time based Firewall

1. The name of the system policy is sns_access.

2. The name of the rule is block_sns_access_during_operation_time.

3. The rule is operated during the business hours (i.e., from 9 a.m. to 6 p.m.).

4. The rule inspects a source IPv4 address (i.e., from 221.159.112.1 to 221.159.112.90) to inspect the outgoing packets of employees.

5. If the outgoing packets match the rules above, the time based firewall sends the packets to url filtering for additional inspection because the time based firewall cannot inspect the contents of the packets for the SNS URL.

Web Filter

1. The name of the system policy is sns_access.

2. The name of the rule is block_facebook_and_instagram.

3. The rule inspects the URL address to block the access packets to Facebook or Instagram.

4. If the outgoing packets match the rules above, the packets are blocked.

A.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming to the Company

This section shows a configuration example for blocking malicious VoIP/VoLTE packets coming to the company.

(XML instance; markup not preserved in this copy. Element values:
voip_volte_inspection, block_malicious_voice_id, 221.159.112.1,
221.159.112.90, 5060, 5061, voip-volte)

Figure 9: Configuration XML for General Firewall to Block Malicious VoIP/VoLTE Packets Coming to the Company

(XML instance; markup not preserved in this copy. Element values:
voip_volte_inspection, block_malicious_voice_id,
11111@voip.black.com, 22222@voip.black.com, drop)

Figure 10: Configuration XML for VoIP/VoLTE Filter to Block Malicious VoIP/VoLTE Packets Coming to the Company

Figure 9 and Figure 10 show the configuration XML documents for the general firewall and the VoIP/VoLTE filter to block malicious VoIP/VoLTE packets coming to the company. For this security requirement, two NSFs (i.e., a general firewall and a VoIP/VoLTE filter) were used because one NSF cannot meet the security requirement on its own. The instances of the XML documents for the general firewall and the VoIP/VoLTE filter are as follows. Note that a detailed data model for the configuration of the advanced network security function (i.e., VoIP/VoLTE filter) is described in [i2nsf-advanced-nsf-dm].

General Firewall

1. The name of the system policy is voip_volte_inspection.

2. The name of the rule is block_malicious_voip_volte_packets.

3. The rule inspects a destination IPv4 address (i.e., from 221.159.112.1 to 221.159.112.90) to inspect the packets coming into the company.

4. The rule inspects a port number (i.e., 5060 and 5061) to inspect VoIP/VoLTE packets.

5. If the incoming packets match the rules above, the general firewall sends the packets to the VoIP/VoLTE filter for additional inspection because the general firewall cannot inspect the contents of the VoIP/VoLTE packets.

VoIP/VoLTE Filter

1. The name of the system policy is malicious_voice_id.

2. The name of the rule is block_malicious_voice_id.

3. The rule inspects the voice id of the VoIP/VoLTE packets to block the malicious VoIP/VoLTE packets (i.e., 11111@voip.black.com and 22222@voip.black.com).

4. If the incoming packets match the rules above, the packets are blocked.

A.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a Company Web Server

This section shows a configuration example for mitigating HTTP and HTTPS flood attacks on a company web server.

(XML instance; markup not preserved in this copy. Element values:
flood_attack_mitigation, mitigate_http_and_https_flood_attack,
221.159.112.95, 80, 443, http-and-https-flood)

Figure 11: Configuration XML for General Firewall to Mitigate HTTP and HTTPS Flood Attacks on a Company Web Server

(XML instance; markup not preserved in this copy. Element values:
flood_attack_mitigation, mitigate_http_and_https_flood_attack, 100,
drop)

Figure 12: Configuration XML for HTTP and HTTPS Flood Attack Mitigation to Mitigate HTTP and HTTPS Flood Attacks on a Company Web Server

Figure 11 and Figure 12 show the configuration XML documents for the general firewall and the HTTP and HTTPS flood attack mitigation to mitigate HTTP and HTTPS flood attacks on a company web server. For this security requirement, two NSFs (i.e., a general firewall and an HTTP and HTTPS flood attack mitigation) were used because one NSF cannot meet the security requirement on its own. The instances of the XML documents for the general firewall and the HTTP and HTTPS flood attack mitigation are as follows. Note that a detailed data model for the configuration of the advanced network security function (i.e., HTTP and HTTPS flood attack mitigation) is described in [i2nsf-advanced-nsf-dm].

General Firewall

1. The name of the system policy is flood_attack_mitigation.

2. The name of the rule is mitigate_http_and_https_flood_attack.

3. The rule inspects a destination IPv4 address (i.e., 221.159.112.95) to inspect the access packets coming into the company web server.

4. The rule inspects a port number (i.e., 80 and 443) to inspect HTTP and HTTPS packets.

5. If the packets match the rules above, the general firewall sends the packets to the HTTP and HTTPS flood attack mitigation for additional inspection because the general firewall cannot control the amount of HTTP and HTTPS packets.

HTTP and HTTPS Flood Attack Mitigation

1. The name of the system policy is http_and_https_flood_attack_mitigation.

2. The name of the rule is 100_per_second.

3. The rule controls the HTTP and HTTPS packets according to the amount of incoming packets.

4. If the incoming packets match the rules above, the packets are blocked.

Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-05

The following changes are made from draft-ietf-i2nsf-nsf-facing-interface-dm-05:

o We added an I2NSF IPsec field for IPsec management (e.g., ike and ikeless).

Appendix C. Acknowledgments

This work was supported by the Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning).

Appendix D. Contributors

This document is the result of the group effort of the I2NSF working group. Many people actively contributed to this document. The following are considered co-authors:

o Hyoungshick Kim (Sungkyunkwan University)

o Daeyoung Hyun (Sungkyunkwan University)

o Dongjin Hong (Sungkyunkwan University)

o Liang Xia (Huawei)

o Tae-Jin Ahn (Korea Telecom)

o Se-Hui Lee (Korea Telecom)

Authors' Addresses

Jinyong Tim Kim
Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea

Phone: +82 10 8273 0930
EMail: timkim@skku.edu

Jaehoon Paul Jeong
Department of Computer Science and Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea

Phone: +82 31 299 4957
Fax: +82 31 290 7996
EMail: pauljeong@skku.edu
URI: http://iotlab.skku.edu/people-jaehoon-jeong.php

Jung-Soo Park
Electronics and Telecommunications Research Institute
218 Gajeong-Ro, Yuseong-Gu
Daejeon 34129
Republic of Korea

Phone: +82 42 860 6514
EMail: pjs@etri.re.kr

Susan Hares
Huawei
7453 Hickory Hill
Saline, MI 48176
USA

Phone: +1-734-604-0332
EMail: shares@ndzh.com

Qiushi Lin
Huawei
Huawei Industrial Base
Shenzhen, Guangdong 518129
China

EMail: linqiushi@huawei.com