I2NSF Working Group                                               J. Kim
Internet-Draft                                                  J. Jeong
Intended status: Standards Track                 Sungkyunkwan University
Expires: January 26, 2020                                        J. Park
                                                                    ETRI
                                                                S. Hares
                                                                  Q. Lin
                                                                  Huawei
                                                           July 25, 2019

     I2NSF Network Security Function-Facing Interface YANG Data Model
               draft-ietf-i2nsf-nsf-facing-interface-dm-07

Abstract

   This document defines a YANG data model for configuring security
   policy rules on Network Security Functions (NSF) in the Interface to
   Network Security Functions (I2NSF) framework.  The YANG data model in
   this document corresponds to the information model for the NSF-Facing
   Interface in the I2NSF framework.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 26, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  YANG Tree Diagram
     4.1.  General I2NSF Security Policy Rule
     4.2.  Event Clause
     4.3.  Condition Clause
     4.4.  Action Clause
     4.5.  I2NSF Internet Key Exchange
   5.  YANG Data Module
     5.1.  I2NSF NSF-Facing Interface YANG Data Module
   6.  IANA Considerations
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Configuration Examples
     A.1.  Security Requirement 1: Block SNS Access during Business
           Hours
     A.2.  Security Requirement 2: Block Malicious VoIP/VoLTE Packets
           Coming to the Company
     A.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood
           Attacks on a Company Web Server
   Appendix B.  Changes from draft-ietf-i2nsf-nsf-facing-interface-
                dm-06
   Appendix C.  Acknowledgments
   Appendix D.  Contributors
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020][RFC7950] data model for
   security policy rule configuration of Network Security Functions
   (NSF).  The YANG data model corresponds to the information model
   [draft-ietf-i2nsf-capability] for the NSF-Facing Interface in the
   Interface to Network Security Functions (I2NSF).  The YANG data model
   in this document focuses on security policy configuration for generic
   network security functions.  Note that security policy configuration
   for advanced network security functions is defined in
   [draft-dong-i2nsf-asf-config].

   This YANG data model uses an "Event-Condition-Action" (ECA) policy
   model that is used as the basis for the design of I2NSF Policy
   described in [RFC8329] and [draft-ietf-i2nsf-capability].

   The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this
   document provides the following features.

   o  Configuration of general security policy rules for generic
      network security functions.

   o  Configuration of event clauses for generic network security
      functions.

   o  Configuration of condition clauses for generic network security
      functions.

   o  Configuration of action clauses for generic network security
      functions.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119][RFC8174].

3.  Terminology

   This document uses the terminology described in
   [draft-ietf-i2nsf-capability], [RFC8431], and
   [draft-ietf-supa-generic-policy-info-model].  In particular, the
   following terms are from [draft-ietf-supa-generic-policy-info-model]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.
   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is
   defined in [RFC8340].

4.  YANG Tree Diagram

   This section shows a YANG tree diagram of generic network security
   functions.  Note that a detailed data model for the configuration of
   the advanced network security functions is described in
   [draft-dong-i2nsf-asf-config].  The section describes the following
   subjects:

   o  General I2NSF security policy rule of the generic network security
      function.

   o  An event clause of the generic network security function.

   o  A condition clause of the generic network security function.

   o  An action clause of the generic network security function.

4.1.  General I2NSF Security Policy Rule

   This section shows the YANG tree diagram for general I2NSF security
   policy rules.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  +--rw system-policy* [system-policy-name]
     |     +--rw system-policy-name     string
     |     +--rw priority-usage?        identityref
     |     +--rw resolution-strategy?   identityref
     |     +--rw default-action?        identityref
     |     +--rw rules* [rule-name]
     |     |  +--rw rule-name                  string
     |     |  +--rw rule-description?          string
     |     |  +--rw rule-priority?             uint8
     |     |  +--rw rule-enable?               boolean
     |     |  +--rw rule-session-aging-time?   uint16
     |     |  +--rw rule-long-connection
     |     |  |  +--rw enable?   boolean
     |     |  |  +--rw during?   uint16
     |     |  +--rw time-intervals
     |     |  |  +--rw absolute-time-interval
     |     |  |  |  +--rw start-time?   start-time-type
     |     |  |  |  +--rw end-time?     end-time-type
     |     |  |  +--rw periodic-time-interval
     |     |  |     +--rw day
     |     |  |     |  +--rw every-day?      boolean
     |     |  |     |  +--rw specific-day*   day-type
     |     |  |     +--rw month
     |     |  |        +--rw every-month?      boolean
     |     |  |        +--rw specific-month*   month-type
     |     |  +--rw event-clause-container
     |     |  |  ...
     |     |  +--rw condition-clause-container
     |     |  |  ...
     |     |  +--rw action-clause-container
     |     |     ...
     |     +--rw rule-group
     |        +--rw groups* [group-name]
     |           +--rw group-name     string
     |           +--rw rule-range
     |           |  +--rw start-rule?   string
     |           |  +--rw end-rule?     string
     |           +--rw enable?        boolean
     |           +--rw description?   string
     +--rw i2nsf-ipsec?   identityref

          Figure 1: YANG Tree Diagram for Network Security Policy

   This YANG tree diagram shows the general I2NSF security policy rule
   for generic network security functions.

   The system policy provides for multiple system policies in one NSF,
   and each system policy is used by one virtual instance of the NSF/
   device.  The system policy includes system policy name, priority
   usage, resolution strategy, default action, and rules.

   A resolution strategy is used to decide how to resolve conflicts that
   occur between the actions of the same or different policy rules that
   are matched and contained in a particular NSF.  The resolution
   strategy is defined as First Matching Rule (FMR), Last Matching Rule
   (LMR), Prioritized Matching Rule (PMR) with Errors (PMRE), and
   Prioritized Matching Rule with No Errors (PMRN).  The resolution
   strategy can be extended according to specific vendor action
   features.  The resolution strategy is described in detail in
   [draft-ietf-i2nsf-capability].

   A default action is the action the NSF applies to a packet when no
   I2NSF policy rule matches it.  The default action is defined as pass,
   drop, reject, alert, and mirror.  The default action can be extended
   according to specific vendor action features.  The default action is
   described in detail in [draft-ietf-i2nsf-capability].

   The rules include rule name, rule description, rule priority, rule
   enable, time zone, event clause container, condition clause
   container, and action clause container.

4.2.  Event Clause

   This section shows the YANG tree diagram for an event clause for
   I2NSF security policy rules.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  +--rw system-policy* [system-policy-name]
     |     ...
     |     +--rw rules* [rule-name]
     |     |  ...
     |     |  +--rw event-clause-container
     |     |  |  +--rw event-clause-description?   string
     |     |  |  +--rw event-clauses
     |     |  |     +--rw system-event*   identityref
     |     |  |     +--rw system-alarm*   identityref
     |     |  +--rw condition-clause-container
     |     |  |  ...
     |     |  +--rw action-clause-container
     |     |     ...
     |     +--rw rule-group
     |        ...
     +--rw i2nsf-ipsec?   identityref

              Figure 2: YANG Tree Diagram for an Event Clause

   This YANG tree diagram shows an event clause of an I2NSF security
   policy rule for generic network security functions.  An event clause
   is any important occurrence at a specific time of a change in the
   system being managed, and/or in the environment of the system being
   managed.  An event clause is used to trigger the evaluation of the
   condition clause of the I2NSF Policy Rule.  The event clause is
   defined as a system event and system alarm.  The event clause can be
   extended according to specific vendor event features.  The event
   clause is described in detail in [draft-ietf-i2nsf-capability].

4.3.  Condition Clause

   This section shows the YANG tree diagram for a condition clause of
   I2NSF security policy rules.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  ...
     |     +--rw rules* [rule-name]
     |     |  ...
     |     |  +--rw event-clause-container
     |     |  |  ...
     |     |  +--rw condition-clause-container
     |     |  |  +--rw condition-clause-description?   string
     |     |  |  +--rw packet-security-ipv4-condition
     |     |  |  |  +--rw ipv4-description?   string
     |     |  |  |  +--rw pkt-sec-ipv4-header-length
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-header-length*   uint8
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-header-length*
     |     |  |  |  |                [start-ipv4-header-length end-ipv4-header-length]
     |     |  |  |  |           +--rw start-ipv4-header-length   uint8
     |     |  |  |  |           +--rw end-ipv4-header-length     uint8
     |     |  |  |  +--rw pkt-sec-ipv4-tos*   identityref
     |     |  |  |  +--rw pkt-sec-ipv4-total-length
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-total-length*   uint16
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-total-length*
     |     |  |  |  |                [start-ipv4-total-length end-ipv4-total-length]
     |     |  |  |  |           +--rw start-ipv4-total-length   uint16
     |     |  |  |  |           +--rw end-ipv4-total-length     uint16
     |     |  |  |  +--rw pkt-sec-ipv4-id*               uint16
     |     |  |  |  +--rw pkt-sec-ipv4-fragment-flags*   identityref
     |     |  |  |  +--rw pkt-sec-ipv4-fragment-offset
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-fragment-offset*   uint16
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-fragment-offset*
     |     |  |  |  |                [start-ipv4-fragment-offset end-ipv4-fragment-offset]
     |     |  |  |  |           +--rw start-ipv4-fragment-offset   uint16
     |     |  |  |  |           +--rw end-ipv4-fragment-offset     uint16
     |     |  |  |  +--rw pkt-sec-ipv4-ttl
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-ttl*   uint8
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-ttl* [start-ipv4-ttl end-ipv4-ttl]
     |     |  |  |  |           +--rw start-ipv4-ttl   uint8
     |     |  |  |  |           +--rw end-ipv4-ttl     uint8
     |     |  |  |  +--rw pkt-sec-ipv4-protocol*   identityref
     |     |  |  |  +--rw pkt-sec-ipv4-src
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-address* [ipv4]
     |     |  |  |  |     |     +--rw ipv4        inet:ipv4-address
     |     |  |  |  |     |     +--rw (subnet)?
     |     |  |  |  |     |        +--:(prefix-length)
     |     |  |  |  |     |        |  +--rw prefix-length?   uint8
     |     |  |  |  |     |        +--:(netmask)
     |     |  |  |  |     |           +--rw netmask?         yang:dotted-quad
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-address*
     |     |  |  |  |                [start-ipv4-address end-ipv4-address]
     |     |  |  |  |           +--rw start-ipv4-address   inet:ipv4-address
     |     |  |  |  |           +--rw end-ipv4-address     inet:ipv4-address
     |     |  |  |  +--rw pkt-sec-ipv4-dest
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-address* [ipv4]
     |     |  |  |  |     |     +--rw ipv4        inet:ipv4-address
     |     |  |  |  |     |     +--rw (subnet)?
     |     |  |  |  |     |        +--:(prefix-length)
     |     |  |  |  |     |        |  +--rw prefix-length?   uint8
     |     |  |  |  |     |        +--:(netmask)
     |     |  |  |  |     |           +--rw netmask?         yang:dotted-quad
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-address*
     |     |  |  |  |                [start-ipv4-address end-ipv4-address]
     |     |  |  |  |           +--rw start-ipv4-address   inet:ipv4-address
     |     |  |  |  |           +--rw end-ipv4-address     inet:ipv4-address
     |     |  |  |  +--rw pkt-sec-ipv4-ipopts*   identityref
     |     |  |  |  +--rw pkt-sec-ipv4-sameip?   boolean
     |     |  |  |  +--rw pkt-sec-ipv4-geoip*    string
     |     |  |  +--rw packet-security-ipv6-condition
     |     |  |  |  +--rw ipv6-description?             string
     |     |  |  |  +--rw pkt-sec-ipv6-traffic-class*   identityref
     |     |  |  |  +--rw pkt-sec-ipv6-flow-label
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv6-flow-label*   uint32
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv6-flow-label*
     |     |  |  |  |                [start-ipv6-flow-label end-ipv6-flow-label]
     |     |  |  |  |           +--rw start-ipv6-flow-label   uint32
     |     |  |  |  |           +--rw end-ipv6-flow-label     uint32
     |     |  |  |  +--rw pkt-sec-ipv6-payload-length
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv6-payload-length*   uint16
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv6-payload-length*
     |     |  |  |  |                [start-ipv6-payload-length end-ipv6-payload-length]
     |     |  |  |  |           +--rw start-ipv6-payload-length   uint16
     |     |  |  |  |           +--rw end-ipv6-payload-length     uint16
     |     |  |  |  +--rw pkt-sec-ipv6-next-header*   identityref
     |     |  |  |  +--rw pkt-sec-ipv6-hop-limit
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv6-hop-limit*   uint8
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv6-hop-limit*
     |     |  |  |  |                [start-ipv6-hop-limit end-ipv6-hop-limit]
     |     |  |  |  |           +--rw start-ipv6-hop-limit   uint8
     |     |  |  |  |           +--rw end-ipv6-hop-limit     uint8
     |     |  |  |  +--rw pkt-sec-ipv6-src
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv6-address* [ipv6]
     |     |  |  |  |     |     +--rw ipv6             inet:ipv6-address
     |     |  |  |  |     |     +--rw prefix-length?   uint8
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv6-address*
     |     |  |  |  |                [start-ipv6-address end-ipv6-address]
     |     |  |  |  |           +--rw start-ipv6-address   inet:ipv6-address
     |     |  |  |  |           +--rw end-ipv6-address     inet:ipv6-address
     |     |  |  |  +--rw pkt-sec-ipv6-dest
     |     |  |  |     +--rw (match-type)?
     |     |  |  |        +--:(exact-match)
     |     |  |  |        |  +--rw ipv6-address* [ipv6]
     |     |  |  |        |     +--rw ipv6             inet:ipv6-address
     |     |  |  |        |     +--rw prefix-length?   uint8
     |     |  |  |        +--:(range-match)
     |     |  |  |           +--rw range-ipv6-address*
     |     |  |  |                   [start-ipv6-address end-ipv6-address]
     |     |  |  |              +--rw start-ipv6-address   inet:ipv6-address
     |     |  |  |              +--rw end-ipv6-address     inet:ipv6-address
     |     |  |  +--rw packet-security-tcp-condition
     |     |  |  |  +--rw tcp-description?   string
     |     |  |  |  +--rw pkt-sec-tcp-src-port-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw port-num*   inet:port-number
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
     |     |  |  |  |           +--rw start-port-num   inet:port-number
     |     |  |  |  |           +--rw end-port-num     inet:port-number
     |     |  |  |  +--rw pkt-sec-tcp-dest-port-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw port-num*   inet:port-number
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
     |     |  |  |  |           +--rw start-port-num   inet:port-number
     |     |  |  |  |           +--rw end-port-num     inet:port-number
     |     |  |  |  +--rw pkt-sec-tcp-seq-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw tcp-seq-num*   uint32
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-tcp-seq-num*
     |     |  |  |  |                [start-tcp-seq-num end-tcp-seq-num]
     |     |  |  |  |           +--rw start-tcp-seq-num   uint32
     |     |  |  |  |           +--rw end-tcp-seq-num     uint32
     |     |  |  |  +--rw pkt-sec-tcp-ack-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw tcp-ack-num*   uint32
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-tcp-ack-num*
     |     |  |  |  |                [start-tcp-ack-num end-tcp-ack-num]
     |     |  |  |  |           +--rw start-tcp-ack-num   uint32
     |     |  |  |  |           +--rw end-tcp-ack-num     uint32
     |     |  |  |  +--rw pkt-sec-tcp-window-size
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw tcp-window-size*   uint16
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-tcp-window-size*
     |     |  |  |  |                [start-tcp-window-size end-tcp-window-size]
     |     |  |  |  |           +--rw start-tcp-window-size   uint16
     |     |  |  |  |           +--rw end-tcp-window-size     uint16
     |     |  |  |  +--rw pkt-sec-tcp-flags*   identityref
     |     |  |  +--rw packet-security-udp-condition
     |     |  |  |  +--rw udp-description?   string
     |     |  |  |  +--rw pkt-sec-udp-src-port-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw port-num*   inet:port-number
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
     |     |  |  |  |           +--rw start-port-num   inet:port-number
     |     |  |  |  |           +--rw end-port-num     inet:port-number
     |     |  |  |  +--rw pkt-sec-udp-dest-port-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw port-num*   inet:port-number
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
     |     |  |  |  |           +--rw start-port-num   inet:port-number
     |     |  |  |  |           +--rw end-port-num     inet:port-number
     |     |  |  |  +--rw pkt-sec-udp-total-length
     |     |  |  |     +--rw (match-type)?
     |     |  |  |        +--:(exact-match)
     |     |  |  |        |  +--rw udp-total-length*   uint32
     |     |  |  |        +--:(range-match)
     |     |  |  |           +--rw range-udp-total-length*
     |     |  |  |                   [start-udp-total-length end-udp-total-length]
     |     |  |  |              +--rw start-udp-total-length   uint32
     |     |  |  |              +--rw end-udp-total-length     uint32
     |     |  |  +--rw packet-security-icmp-condition
     |     |  |  |  +--rw icmp-description?             string
     |     |  |  |  +--rw pkt-sec-icmp-type-and-code*   identityref
     |     |  |  +--rw packet-security-url-category-condition
     |     |  |  |  +--rw url-category-description?   string
     |     |  |  |  +--rw pre-defined-category*       string
     |     |  |  |  +--rw user-defined-category*      string
     |     |  |  +--rw packet-security-voice-condition
     |     |  |  |  +--rw voice-description?       string
     |     |  |  |  +--rw pkt-sec-src-voice-id*    string
     |     |  |  |  +--rw pkt-sec-dest-voice-id*   string
     |     |  |  |  +--rw pkt-sec-user-agent*      string
     |     |  |  +--rw packet-security-ddos-condition
     |     |  |  |  +--rw ddos-description?    string
     |     |  |  |  +--rw pkt-sec-alert-rate?  uint32
     |     |  |  +--rw packet-security-payload-condition
     |     |  |  |  +--rw packet-payload-description?   string
     |     |  |  |  +--rw pkt-payload-content*          string
     |     |  |  +--rw context-condition
     |     |  |     +--rw context-description?   string
     |     |  |     +--rw application-condition
     |     |  |     |  +--rw application-description?   string
     |     |  |     |  +--rw application-object*        string
     |     |  |     |  +--rw application-group*         string
     |     |  |     |  +--rw application-label*         string
     |     |  |     |  +--rw category
     |     |  |     |     +--rw application-category*
     |     |  |     |             [name application-subcategory]
     |     |  |     |        +--rw name                      string
     |     |  |     |        +--rw application-subcategory   string
     |     |  |     +--rw target-condition
     |     |  |     |  +--rw target-description?   string
     |     |  |     |  +--rw device-sec-context-cond
     |     |  |     |     +--rw target-device*   identityref
     |     |  |     +--rw users-condition
     |     |  |     |  +--rw users-description?   string
     |     |  |     |  +--rw user
     |     |  |     |  |  +--rw (user-name)?
     |     |  |     |  |     +--:(tenant)
     |     |  |     |  |     |  +--rw tenant   uint8
     |     |  |     |  |     +--:(vn-id)
     |     |  |     |  |        +--rw vn-id    uint8
     |     |  |     |  +--rw group
     |     |  |     |  |  +--rw (group-name)?
     |     |  |     |  |     +--:(tenant)
     |     |  |     |  |     |  +--rw tenant   uint8
     |     |  |     |  |     +--:(vn-id)
     |     |  |     |  |        +--rw vn-id    uint8
     |     |  |     |  +--rw security-grup   string
     |     |  |     +--rw gen-context-condition
     |     |  |        +--rw gen-context-description?   string
     |     |  |        +--rw geographic-location
     |     |  |           +--rw src-geographic-location*    uint32
     |     |  |           +--rw dest-geographic-location*   uint32
     |     |  +--rw action-clause-container
     |     |     ...
     |     +--rw rule-group
     |        ...
     +--rw i2nsf-ipsec?   identityref

            Figure 3: YANG Tree Diagram for a Condition Clause

   This YANG tree diagram shows a condition clause for an I2NSF security
   policy rule for generic network security functions.  A condition
   clause is defined as a set of attributes, features, and/or values
   that are to be compared with a set of known attributes, features,
   and/or values in order to determine whether or not the set of actions
   in that (imperative) I2NSF policy rule can be executed.
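   The rule structure of Figures 1 and 3 together with the resolution
   strategy and default action semantics of Section 4.1, carried through
   as an added worked example in Python.  This code is not part of the
   draft and is not taken from any I2NSF implementation; it models only a
   subset of the tree (rule-enable, rule-priority, the exact-match/
   range-match choice of pkt-sec-ipv4-src, pkt-sec-ipv4-dest and
   pkt-sec-tcp-dest-port-num, and the actions pass, drop, reject, alert
   and mirror).  Two details are assumptions rather than statements of
   the draft: a larger rule-priority value wins under the prioritized
   strategies, and PMRN breaks a priority tie by rule order while PMRE
   reports the tie as a conflict.  The policy and packets are constructed
   sample data using RFC 5737 documentation addresses.

```python
"""Added example (not the draft's code): evaluating an I2NSF system policy
in the ECA rule form of Figures 1 and 3 with the Section 4.1 semantics."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

class PolicyConflict(Exception):
    """PMRE: two matching rules share the top priority (assumption)."""

def match_ipv4(cond: Optional[dict], addr: str) -> bool:
    """(match-type) of pkt-sec-ipv4-src/dest: 'exact' = (ipv4, prefix-length)
    pairs, 'range' = (start, end) address pairs; None = no constraint."""
    if cond is None:
        return True
    a = ipaddress.IPv4Address(addr)
    for ip, plen in cond.get("exact", []):
        if a in ipaddress.IPv4Network(f"{ip}/{plen}", strict=False):
            return True
    return any(ipaddress.IPv4Address(lo) <= a <= ipaddress.IPv4Address(hi)
               for lo, hi in cond.get("range", []))

def match_number(cond: Optional[dict], value: Optional[int]) -> bool:
    """Same exact/range shape for numeric leaves (pkt-sec-tcp-dest-port-num).
    A packet lacking the field (value None, e.g. non-TCP) never satisfies it."""
    if cond is None:
        return True
    if value is None:
        return False
    return (value in cond.get("exact", [])
            or any(lo <= value <= hi for lo, hi in cond.get("range", [])))

@dataclass
class Rule:
    rule_name: str
    rule_priority: int       # assumption: larger value = higher priority
    action: str              # pass | drop | reject | alert | mirror
    rule_enable: bool = True
    ipv4_src: Optional[dict] = None
    ipv4_dest: Optional[dict] = None
    tcp_dest_port: Optional[dict] = None

    def matches(self, pkt: dict) -> bool:
        # A disabled rule never matches; every present condition must hold.
        return (self.rule_enable
                and match_ipv4(self.ipv4_src, pkt["src"])
                and match_ipv4(self.ipv4_dest, pkt["dst"])
                and match_number(self.tcp_dest_port, pkt.get("tcp_dport")))

@dataclass
class SystemPolicy:
    system_policy_name: str
    resolution_strategy: str = "fmr"   # fmr | lmr | pmre | pmrn
    default_action: str = "drop"
    rules: list = field(default_factory=list)

    def evaluate(self, pkt: dict):
        """Return (rule-name, action); rule-name is None when no rule matched
        and the policy's default-action applies."""
        hits = [r for r in self.rules if r.matches(pkt)]
        if not hits:
            return None, self.default_action
        s = self.resolution_strategy
        if s == "fmr":                  # First Matching Rule
            chosen = hits[0]
        elif s == "lmr":                # Last Matching Rule
            chosen = hits[-1]
        elif s in ("pmre", "pmrn"):     # Prioritized Matching Rule
            top = max(r.rule_priority for r in hits)
            tied = [r for r in hits if r.rule_priority == top]
            if s == "pmre" and len(tied) > 1:
                raise PolicyConflict(f"priority {top} shared by "
                                     f"{[r.rule_name for r in tied]}")
            chosen = tied[0]            # PMRN tie-break by rule order (assumption)
        else:
            raise ValueError(f"unknown resolution strategy {s!r}")
        return chosen.rule_name, chosen.action

def sample_policy(strategy: str = "fmr") -> SystemPolicy:
    """Constructed sample policy; RFC 5737 documentation addresses."""
    return SystemPolicy("edge-firewall", strategy, "drop", rules=[
        Rule("allow-web", 10, "pass",
             ipv4_dest={"exact": [("203.0.113.10", 32)]},
             tcp_dest_port={"exact": [80, 443]}),
        Rule("block-guest-net", 20, "drop",
             ipv4_src={"exact": [("192.0.2.0", 24)]}),
        Rule("mirror-guest-net", 20, "mirror",
             ipv4_src={"range": [("192.0.2.0", "192.0.2.255")]}),
        Rule("alert-scanner", 30, "alert", rule_enable=False,
             ipv4_src={"range": [("198.51.100.10", "198.51.100.20")]}),
    ])

# Constructed sample packets.
GUEST_TO_WEB = {"src": "192.0.2.5", "dst": "203.0.113.10", "tcp_dport": 443}
SCANNER_SSH = {"src": "198.51.100.15", "dst": "203.0.113.10", "tcp_dport": 22}

if __name__ == "__main__":
    for strategy in ("fmr", "lmr", "pmrn"):
        print(strategy, sample_policy(strategy).evaluate(GUEST_TO_WEB))
    print("no match ->", sample_policy().evaluate(SCANNER_SSH))
    try:
        sample_policy("pmre").evaluate(GUEST_TO_WEB)
    except PolicyConflict as err:
        print("pmre ->", err)
```

   The same packet from the guest network to the web server matches
   three rules, and the resolution strategy alone decides whether it is
   passed (FMR), mirrored (LMR), dropped (PMRN) or rejected as a
   configuration conflict (PMRE); the disabled alert-scanner rule is
   skipped, so the scanner packet falls through to the default action.
   This is the kind of check a controller can run against a candidate
   system-policy before pushing it to an NSF.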
A 565 condition clause is classified as a conditions of generic network 566 security functions, advanced network security functions, or context. 567 A condition clause of generic network security functions is defined 568 as packet security IPv4 condition, packet security IPv6 condition, 569 packet security tcp condition, and packet security icmp condition. A 570 condition clause of advanced network security functions is defined as 571 packet security url category condition, packet security voice 572 condition, packet security DDoS condition, or packet security payload 573 condition. A condition clause of context is defined as ACL number 574 condition, application condition, target condition, user condition, 575 and geography condition. Note that this document deals only with 576 simple conditions of advanced network security functions. A 577 condition clauses of advanced network security functions are 578 described in detail in [draft-dong-i2nsf-asf-config]. A condition 579 clause can be extended according to specific vendor condition 580 features. A condition clause is described in detail in 581 [draft-ietf-i2nsf-capability]. 583 4.4. Action Clause 585 This section shows the YANG tree diagram for an action clause of an 586 I2NSF security policy rule. 588 module: ietf-i2nsf-policy-rule-for-nsf 589 +--rw i2nsf-security-policy 590 | ... 591 | +--rw rules* [rule-name] 592 | | ... 593 | | +--rw event-clause-container 594 | | | ... 595 | | +--rw condition-clause-container 596 | | | ... 597 | | +--rw action-clause-container 598 | | +--rw action-clause-description? string 599 | | +--rw packet-action 600 | | | +--rw ingress-action? identityref 601 | | | +--rw egress-action? identityref 602 | | | +--rw log-action? identityref 603 | | +--rw advanced-action 604 | | +--rw content-security-control* identityref 605 | | +--rw attack-mitigation-control* identityref 606 | +--rw rule-group 607 | ... 608 +--rw i2nsf-ipsec? 
identityref 610 Figure 4: YANG Tree Diagram for an Action Clause 612 This YANG tree diagram shows an action clause of an I2NSF security 613 policy rule for generic network security functions. An action is 614 used to control and monitor aspects of flow-based NSFs when the 615 policy rule event and condition clauses are satisfied. NSFs provide 616 security services by executing various actions. The action clause is 617 defined as ingress action, egress action, or log action for packet 618 action, and advanced action for additional inspection. The action 619 clause can be extended according to specific vendor action features. 620 The action clause is described in detail in 621 [draft-ietf-i2nsf-capability]. 623 4.5. I2NSF Internet Key Exchange 625 This section shows the YANG tree diagram for an I2NSF IPsec. 627 module: ietf-i2nsf-policy-rule-for-nsf 628 +--rw i2nsf-security-policy 629 | ... 630 | +--rw rules* [rule-name] 631 | | ... 632 | | +--rw event-clause-container 633 | | | ... 634 | | +--rw condition-clause-container 635 | | | ... 636 | | +--rw action-clause-container 637 | | ... 638 | +--rw rule-group 639 | ... 640 +--rw i2nsf-ipsec? identityref 642 Figure 5: YANG Tree Diagram for I2NSF Internet Key Exchnage 644 This YANG tree diagram shows an I2NSF IPsec specification for an 645 Internet Key Exchange IKE). An I2NSF IPsec specification is used to 646 define a method required to manage IPsec parameters for creating 647 IPsec Security Associations (SAs) between two NSFs through either the 648 IKEv2 protocol or the Security Controller 649 [draft-ietf-i2nsf-sdn-ipsec-flow-protection]. I2NSF IPsec considers 650 two cases, theIKE case (i.e., IPsec through IKE) and IKE-less case 651 (i.e., IPsec not through IKE, but through a Security Controller). 652 Refer to [draft-ietf-i2nsf-sdn-ipsec-flow-protection] for the 653 detailed description of the I2NSF IPsec. 655 5. YANG Data Module 657 5.1. 
I2NSF NSF-Facing Interface YANG Data Module 659 This section contains a YANG data module for configuration of 660 security policy rules on network security functions. 662 file "ietf-i2nsf-policy-rule-for-nsf@2019-07-25.yang" 664 module ietf-i2nsf-policy-rule-for-nsf { 665 yang-version 1.1; 666 namespace 667 "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; 668 prefix 669 nsfintf; 671 import ietf-inet-types{ 672 prefix inet; 673 reference "RFC 6991"; 674 } 675 import ietf-yang-types{ 676 prefix yang; 677 reference "RFC 6991"; 678 } 680 organization 681 "IETF I2NSF (Interface to Network Security Functions) 682 Working Group"; 684 contact 685 "WG Web: 686 WG List: 688 WG Chair: Linda Dunbar 689 691 WG Chair: Yoav Nir 692 694 Editor: Jingyong Tim Kim 695 697 Editor: Jaehoon Paul Jeong 698 700 Editor: Susan Hares 701 "; 703 description 704 "This module defines a YANG data module for the Network Security 705 Functions (NSF) facing interface. 707 Copyright (c) 2018 IETF Trust and the persons 708 identified as authors of the code. All rights reserved. 710 Redistribution and use in source and binary forms, with or 711 without modification, is permitted pursuant to, and subject 712 to the license terms contained in, the Simplified BSD License 713 set forth in Section 4.c of the IETF Trust's Legal Provisions 714 Relating to IETF Documents 715 (http://trustee.ietf.org/license-info). 
716 This version of this YANG module is part of RFC 8341; see 717 the RFC itself for full legal notices."; 719 revision "2019-07-25"{ 720 description "Initial revision."; 721 reference 722 "RFC XXXX: I2NSF Network Security Function-Facing Interface 723 YANG Data Model"; 724 } 726 /* 727 * Identities 728 */ 730 identity priority-usage-type { 731 description 732 "Base identity for priority usage type."; 733 } 735 identity priority-by-order { 736 base priority-usage-type; 737 description 738 "Identity for priority by order"; 739 } 741 identity priority-by-number { 742 base priority-usage-type; 743 description 744 "Identity for priority by number"; 745 } 747 identity event { 748 description 749 "Base identity for policy events"; 750 reference 751 "draft-ietf-i2nsf-nsf-monitoring-data-model-01 752 - Event"; 753 } 755 identity system-event { 756 base event; 757 description 758 "Identity for system events"; 759 reference 760 "draft-ietf-i2nsf-nsf-monitoring-data-model-01 761 - System event"; 762 } 763 identity system-alarm { 764 base event; 765 description 766 "Identity for system alarms"; 767 reference 768 "draft-ietf-i2nsf-nsf-monitoring-data-model-01 769 - System alarm"; 770 } 772 identity access-violation { 773 base system-event; 774 description 775 "Identity for access violation 776 system events"; 777 reference 778 "draft-ietf-i2nsf-nsf-monitoring-data-model-01 779 - System event"; 780 } 782 identity configuration-change { 783 base system-event; 784 description 785 "Identity for configuration change 786 system events"; 787 reference 788 "draft-ietf-i2nsf-nsf-monitoring-data-model-01 789 - System event"; 790 } 792 identity memory-alarm { 793 base system-alarm; 794 description 795 "Identity for memory alarm 796 system alarms"; 797 reference 798 "draft-ietf-i2nsf-nsf-monitoring-data-model-01 799 - System alarm"; 800 } 802 identity cpu-alarm { 803 base system-alarm; 804 description 805 "Identity for CPU alarm 806 system alarms"; 807 reference 808 
      "draft-ietf-i2nsf-nsf-monitoring-data-model-01
       - System alarm";
  }
  identity disk-alarm {
    base system-alarm;
    description
      "Identity for disk alarm
       system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-01
       - System alarm";
  }

  identity hardware-alarm {
    base system-alarm;
    description
      "Identity for hardware alarm
       system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-01
       - System alarm";
  }

  identity interface-alarm {
    base system-alarm;
    description
      "Identity for interface alarm
       system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-01
       - System alarm";
  }

  identity type-of-service {
    description
      "Base identity for type of service of IPv4";
    reference
      "RFC 791: Internet Protocol - Type of Service";
  }

  identity traffic-class {
    description
      "Base identity for traffic-class of IPv6";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity normal {
    base type-of-service;
    base traffic-class;
    description
      "Identity for normal IPv4 TOS and IPv6 Traffic Class";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity minimize-cost {
    base type-of-service;
    base traffic-class;
    description
      "Identity for 'minimize monetary cost' IPv4 TOS and
       IPv6 Traffic Class";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity maximize-reliability {
    base type-of-service;
    base traffic-class;
    description
      "Identity for 'maximize reliability' IPv4 TOS and
       IPv6 Traffic Class";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6
       (IPv6)
       Specification - Traffic Class";
  }

  identity maximize-throughput {
    base type-of-service;
    base traffic-class;
    description
      "Identity for 'maximize throughput' IPv4 TOS and
       IPv6 Traffic Class";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity minimize-delay {
    base type-of-service;
    base traffic-class;
    description
      "Identity for 'minimize delay' IPv4 TOS and
       IPv6 Traffic Class";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity maximize-security {
    base type-of-service;
    base traffic-class;
    description
      "Identity for 'maximize security' IPv4 TOS and
       IPv6 Traffic Class";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity fragmentation-flags-type {
    description
      "Base identity for fragmentation flags type";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity fragment {
    base fragmentation-flags-type;
    description
      "Identity for 'More Fragments' flag";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity no-fragment {
    base fragmentation-flags-type;
    description
      "Identity for 'Don't Fragment' flag";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity reserved {
    base fragmentation-flags-type;
    description
      "Identity for the reserved flag";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity protocol {
    description
      "Base identity for protocol of IPv4";
    reference
      "RFC 790: Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol -
       Protocol";
  }

  identity next-header {
    description
      "Base identity for IPv6 next header";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity icmp {
    base protocol;
    base next-header;
    description
      "Identity for ICMP IPv4 protocol and
       IPv6 next header";
    reference
      "RFC 790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity igmp {
    base protocol;
    base next-header;
    description
      "Identity for IGMP IPv4 protocol and
       IPv6 next header";
    reference
      "RFC 790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }
  identity tcp {
    base protocol;
    base next-header;
    description
      "Identity for TCP IPv4 protocol and
       IPv6 next header";
    reference
      "RFC 790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity igrp {
    base protocol;
    base next-header;
    description
      "Identity for IGRP IPv4 protocol
       and IPv6 next header";
    reference
      "RFC 790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity udp {
    base protocol;
    base next-header;
    description
      "Identity for UDP IPv4 protocol
       and IPv6 next header";
    reference
      "RFC 790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next
       Header";
  }

  identity gre {
    base protocol;
    base next-header;
    description
      "Identity for GRE IPv4 protocol
       and IPv6 next header";
    reference
      "RFC 790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity esp {
    base protocol;
    base next-header;
    description
      "Identity for ESP IPv4 protocol
       and IPv6 next header";
    reference
      "RFC 790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ah {
    base protocol;
    base next-header;
    description
      "Identity for AH IPv4 protocol
       and IPv6 next header";
    reference
      "RFC 790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity mobile {
    base protocol;
    base next-header;
    description
      "Identity for Mobile IPv4 protocol
       and IPv6 next header";
    reference
      "RFC 790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }
  identity tlsp {
    base protocol;
    base next-header;
    description
      "Identity for TLSP IPv4 protocol
       and IPv6 next header";
    reference
      "RFC 790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity skip {
    base protocol;
    base next-header;
    description
      "Identity for SKIP IPv4 protocol
       and IPv6 next header";
    reference
      "RFC 790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ipv6-icmp {
    base protocol;
    base next-header;
    description
      "Identity for IPv6 ICMP next header";
    reference
      "RFC 790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity eigrp {
    base protocol;
    base next-header;
    description
      "Identity for EIGRP IPv4 protocol
       and IPv6 next header";
    reference
      "RFC 790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ospf {
    base protocol;
    base next-header;
    description
      "Identity for OSPF IPv4 protocol
       and IPv6 next header";
    reference
      "RFC 790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity l2tp {
    base protocol;
    base next-header;
    description
      "Identity for L2TP IPv4 protocol
       and IPv6 next header";
    reference
      "RFC 790: - Assigned numbers - Assigned Internet
       Protocol Number
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ipopts {
    description
      "Base identity for IP options";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity rr {
    base ipopts;
    description
      "Identity for 'Record Route' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }
  identity eol {
    base ipopts;
    description
      "Identity for 'End of List' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity nop {
    base ipopts;
    description
      "Identity for 'No Operation' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity ts {
    base ipopts;
    description
      "Identity for 'Timestamp' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity sec {
    base ipopts;
    description
      "Identity for 'IP security' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity esec {
    base ipopts;
    description
      "Identity for 'IP extended security' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity lsrr {
    base ipopts;
    description
      "Identity for 'Loose Source Routing' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity ssrr {
    base ipopts;
    description
      "Identity for 'Strict Source Routing' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity satid {
    base ipopts;
    description
      "Identity for 'Stream Identifier' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity any {
    base ipopts;
    description
      "Identity for 'any' IP option, i.e., any IP option
       included in an IPv4 packet";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity tcp-flags {
    description
      "Base identity for TCP flags";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity cwr {
    base tcp-flags;
    description
      "Identity for 'Congestion Window Reduced' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity ecn {
    base tcp-flags;
    description
      "Identity for 'Explicit
       Congestion Notification'
       TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity urg {
    base tcp-flags;
    description
      "Identity for 'Urgent' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity ack {
    base tcp-flags;
    description
      "Identity for 'Acknowledgement' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity psh {
    base tcp-flags;
    description
      "Identity for 'Push' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity rst {
    base tcp-flags;
    description
      "Identity for 'Reset' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity syn {
    base tcp-flags;
    description
      "Identity for 'Synchronize' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity fin {
    base tcp-flags;
    description
      "Identity for 'Finish' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity icmp-type {
    description
      "Base identity for ICMP Message types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity echo-reply {
    base icmp-type;
    description
      "Identity for 'Echo Reply' ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-unreachable {
    base icmp-type;
    description
      "Identity for 'Destination Unreachable'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect {
    base icmp-type;
    description
      "Identity for 'Redirect' ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity echo {
    base icmp-type;
    description
      "Identity for 'Echo' ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity router-advertisement {
    base icmp-type;
    description
      "Identity for 'Router Advertisement'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity router-solicitation {
    base icmp-type;
    description
      "Identity for 'Router Solicitation'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity time-exceeded {
    base icmp-type;
    description
      "Identity for 'Time Exceeded' ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity parameter-problem {
    base icmp-type;
    description
      "Identity for 'Parameter Problem'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity timestamp {
    base icmp-type;
    description
      "Identity for 'Timestamp' ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity timestamp-reply {
    base icmp-type;
    description
      "Identity for 'Timestamp Reply'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }
  identity datagram-conversion-error {
    base icmp-type;
    description
      "Identity for 'Datagram Conversion Error'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity experimental-mobility-protocols {
    base icmp-type;
    description
      "Identity for 'Experimental Mobility Protocols'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity extended-echo-request {
    base icmp-type;
    description
      "Identity for 'Extended Echo Request'
       ICMP message type";
    reference
      "RFC 792: Internet Control
       Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity extended-echo-reply {
    base icmp-type;
    description
      "Identity for 'Extended Echo Reply'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity net-unreachable {
    base icmp-type;
    description
      "Identity for net unreachable
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity host-unreachable {
    base icmp-type;
    description
      "Identity for host unreachable
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity protocol-unreachable {
    base icmp-type;
    description
      "Identity for protocol unreachable
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity port-unreachable {
    base icmp-type;
    description
      "Identity for port unreachable
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity fragment-set {
    base icmp-type;
    description
      "Identity for fragmentation needed and DF set
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity source-route-failed {
    base icmp-type;
    description
      "Identity for source route failed
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-network-unknown {
    base icmp-type;
    description
      "Identity for destination network unknown
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-host-unknown {
    base icmp-type;
    description
      "Identity for destination host unknown
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity source-host-isolated {
    base icmp-type;
    description
      "Identity for source host isolated
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity communication-prohibited-with-destination-network {
    base icmp-type;
    description
      "Identity for which communication with destination network
       is administratively prohibited in destination unreachable
       types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity communication-prohibited-with-destination-host {
    base icmp-type;
    description
      "Identity for which communication with destination host
       is administratively prohibited in destination unreachable
       types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-network-unreachable-for-tos {
    base icmp-type;
    description
      "Identity for destination network unreachable
       for type of service in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-host-unreachable-for-tos {
    base icmp-type;
    description
      "Identity for destination host unreachable
       for type of service in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity communication-prohibited {
    base icmp-type;
    description
      "Identity for communication administratively prohibited
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity host-precedence-violation {
    base icmp-type;
    description
      "Identity for host precedence violation
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity precedence-cutoff-in-effect {
    base icmp-type;
    description
      "Identity for precedence cutoff in effect
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect-datagram-for-the-network {
    base icmp-type;
    description
      "Identity for redirect datagram for the network
       (or subnet) in redirect types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }
  identity redirect-datagram-for-the-host {
    base icmp-type;
    description
      "Identity for redirect datagram for the host
       in redirect types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect-datagram-for-the-tos-and-network {
    base icmp-type;
    description
      "Identity for redirect datagram for the type of
       service and network in redirect types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect-datagram-for-the-tos-and-host {
    base icmp-type;
    description
      "Identity for redirect datagram for the type of
       service and host in redirect types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity normal-router-advertisement {
    base icmp-type;
    description
      "Identity for normal router advertisement
       in router advertisement types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity does-not-route-common-traffic {
    base icmp-type;
    description
      "Identity for does not route common traffic
       in router advertisement types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity time-to-live-exceeded-in-transit {
    base icmp-type;
    description
      "Identity for time to live exceeded in transit
       in time exceeded types";
    reference
      "RFC 792:
       Internet Control Message Protocol";
  }

  identity fragment-reassembly-time-exceeded {
    base icmp-type;
    description
      "Identity for fragment reassembly time exceeded
       in time exceeded types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity pointer-indicates-the-error {
    base icmp-type;
    description
      "Identity for pointer indicates the error
       in parameter problem types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity missing-a-required-option {
    base icmp-type;
    description
      "Identity for missing a required option
       in parameter problem types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity bad-length {
    base icmp-type;
    description
      "Identity for bad length
       in parameter problem types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity bad-spi {
    base icmp-type;
    description
      "Identity for bad SPI
       in Photuris types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity authentication-failed {
    base icmp-type;
    description
      "Identity for authentication failed
       in Photuris types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity decompression-failed {
    base icmp-type;
    description
      "Identity for decompression failed
       in Photuris types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity decryption-failed {
    base icmp-type;
    description
      "Identity for decryption failed
       in Photuris types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity need-authentication {
    base icmp-type;
    description
      "Identity for need authentication
       in Photuris types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity need-authorization {
    base icmp-type;
    description
      "Identity for need authorization
       in Photuris types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }
  identity req-no-error {
    base icmp-type;
    description
      "Identity for request with no error
       in extended echo request types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity rep-no-error {
    base icmp-type;
    description
      "Identity for reply with no error
       in extended echo reply types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity malformed-query {
    base icmp-type;
    description
      "Identity for malformed query
       in extended echo reply types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity no-such-interface {
    base icmp-type;
    description
      "Identity for no such interface
       in extended echo reply types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity no-such-table-entry {
    base icmp-type;
    description
      "Identity for no such table entry
       in extended echo reply types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity multiple-interfaces-satisfy-query {
    base icmp-type;
    description
      "Identity for multiple interfaces satisfy query
       in extended echo reply types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity target-device {
    description
      "Base identity for target devices";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities";
  }

  identity pc {
    base target-device;
    description
      "Identity for PC";
  }

  identity mobile-phone {
    base target-device;
    description
      "Identity for mobile phone";
  }

  identity voip-volte-phone {
    base target-device;
    description
      "Identity for VoIP/VoLTE phone";
  }

  identity tablet {
    base target-device;
    description
      "Identity for tablet";
  }

  identity iot {
    base target-device;
    description
      "Identity for IoT device";
  }

  identity vehicle {
    base target-device;
    description
      "Identity for vehicle";
  }

  identity content-security-control {
    description
      "Base identity for content security control";
    reference
      "RFC 8329: Framework for Interface to
       Network Security Functions - Differences
       from ACL Data Models
       draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities";
  }

  identity antivirus {
    base content-security-control;
    description
      "Identity for antivirus";
  }

  identity ips {
    base content-security-control;
    description
      "Identity for IPS (Intrusion Prevention System)";
  }

  identity ids {
    base content-security-control;
    description
      "Identity for IDS (Intrusion Detection System)";
  }

  identity url-filtering {
    base content-security-control;
    description
      "Identity for URL filtering";
  }

  identity mail-filtering {
    base content-security-control;
    description
      "Identity for mail filtering";
  }
  identity file-blocking {
    base content-security-control;
    description
      "Identity for file blocking";
  }

  identity file-isolate {
    base content-security-control;
    description
      "Identity for file isolation";
  }

  identity pkt-capture {
    base content-security-control;
    description
      "Identity for packet capture";
  }

  identity
  application-control {
    base content-security-control;
    description
      "Identity for application control";
  }

  identity voip-volte {
    base content-security-control;
    description
      "Identity for VoIP and VoLTE";
  }

  identity attack-mitigation-control {
    description
      "Base identity for attack mitigation control";
    reference
      "RFC 8329: Framework for Interface to
       Network Security Functions - Differences
       from ACL Data Models
       draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities";
  }

  identity syn-flood {
    base attack-mitigation-control;
    description
      "Identity for SYN flood";
  }

  identity udp-flood {
    base attack-mitigation-control;
    description
      "Identity for UDP flood";
  }

  identity icmp-flood {
    base attack-mitigation-control;
    description
      "Identity for ICMP flood";
  }

  identity ip-frag-flood {
    base attack-mitigation-control;
    description
      "Identity for IP fragment flood";
  }

  identity ipv6-related {
    base attack-mitigation-control;
    description
      "Identity for IPv6-related attacks";
  }

  identity http-and-https-flood {
    base attack-mitigation-control;
    description
      "Identity for HTTP and HTTPS flood";
  }

  identity dns-flood {
    base attack-mitigation-control;
    description
      "Identity for DNS flood";
  }

  identity dns-amp-flood {
    base attack-mitigation-control;
    description
      "Identity for DNS amplification flood";
  }

  identity ssl-ddos {
    base attack-mitigation-control;
    description
      "Identity for SSL DDoS";
  }

  identity ip-sweep {
    base attack-mitigation-control;
    description
      "Identity for IP sweep";
  }

  identity port-scanning {
    base attack-mitigation-control;
    description
      "Identity for port scanning";
  }

  identity ping-of-death {
    base attack-mitigation-control;
    description
      "Identity for ping of death";
  }

  identity teardrop {
    base attack-mitigation-control;
    description
      "Identity for teardrop";
  }

  identity oversized-icmp {
    base attack-mitigation-control;
    description
      "Identity for oversized ICMP";
  }

  identity tracert {
    base attack-mitigation-control;
    description
      "Identity for traceroute (tracert)";
  }

  identity ingress-action {
    description
      "Base identity for ingress action";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Ingress Action";
  }

  identity egress-action {
    description
      "Base identity for egress action";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Egress action";
  }

  identity default-action {
    description
      "Base identity for default action";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Default action";
  }

  identity pass {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for pass";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Actions and
       default action";
  }

  identity drop {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for drop";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Actions and
       default action";
  }

  identity reject {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for reject";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Actions and
       default action";
  }

  identity alert {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for alert";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Actions and
       default action";
  }

  identity mirror {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for mirror";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Actions and
       default action";
  }

  identity log-action {
    description
      "Base identity for log action";
  }

  identity rule-log {
    base log-action;
    description
      "Identity for rule log";
  }

  identity session-log {
    base log-action;
    description
      "Identity for session log";
  }

  identity invoke-signaling {
    base egress-action;
    description
      "Identity for invoke signaling";
  }

  identity tunnel-encapsulation {
    base egress-action;
    description
      "Identity for tunnel encapsulation";
  }

  identity forwarding {
    base egress-action;
    description
      "Identity for forwarding";
  }

  identity redirection {
    base egress-action;
    description
      "Identity for redirection";
  }

  identity resolution-strategy {
    description
      "Base identity for resolution strategy";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity fmr {
    base resolution-strategy;
    description
      "Identity for First Matching Rule (FMR)";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity lmr {
    base resolution-strategy;
    description
      "Identity for Last Matching Rule (LMR)";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity pmr {
    base resolution-strategy;
    description
      "Identity for Prioritized Matching Rule (PMR)";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity pmre {
    base resolution-strategy;
    description
      "Identity for Prioritized Matching Rule
       with Errors (PMRE)";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity pmrn {
    base resolution-strategy;
    description
      "Identity for Prioritized Matching Rule
       with No Errors (PMRN)";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity i2nsf-ipsec {
    description
      "Internet Key Exchange for NSFs
       in the I2NSF framework";
    reference
      "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
       - i2nsf-ipsec";
  }

  identity ike {
    base i2nsf-ipsec;
    description
      "IKE case: IPsec with IKE in the NSF";
    reference
      "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
       - ike";
  }

  identity ikeless {
    base i2nsf-ipsec;
    description
      "IKEless case: IPsec without IKEv2 in the NSF";
    reference
      "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
       - ikeless";
  }

  /*
   * Typedefs
   */

  typedef start-time-type {
    type union {
      type yang:date-and-time;
      type enumeration {
        enum right-away {
          description
            "Immediate rule execution
             in the system.";
        }
      }
    }
    description
      "Start time when the rules are applied.";
  }

  typedef end-time-type {
    type union {
      type yang:date-and-time;
      type enumeration {
        enum infinitely {
          description
            "Infinite rule execution
             in the system.";
        }
      }
    }
    description
      "End time when the rules are applied.";
  }

  typedef day-type {
    type enumeration {
      enum sunday {
        description
          "Sunday for periodic day";
      }
      enum monday {
        description
          "Monday for periodic day";
      }
      enum tuesday {
        description
          "Tuesday for periodic day";
      }
      enum wednesday {
        description
          "Wednesday for periodic day";
      }
      enum thursday {
        description
          "Thursday for periodic day";
      }
      enum friday {
        description
          "Friday for periodic day";
      }
      enum saturday {
        description
          "Saturday for periodic day";
      }
    }
    description
      "This can be used for the rules to be applied
       according to periodic day";
  }

  typedef month-type {
    type enumeration {
      enum january {
        description
          "January for periodic month";
      }
      enum february {
        description
          "February for periodic month";
      }
      enum march {
        description
          "March for periodic month";
      }
      enum april {
        description
          "April for periodic month";
      }
      enum may {
        description
          "May for periodic month";
      }
      enum june {
        description
          "June for periodic month";
      }
      enum july {
        description
          "July for periodic month";
      }
      enum august {
        description
          "August for periodic month";
      }
      enum september {
        description
          "September for periodic month";
      }
      enum october {
        description
          "October for periodic month";
      }
      enum november {
        description
          "November for periodic month";
      }
      enum december {
        description
          "December for periodic month";
      }
    }
    description
      "This can be used for the rules to be applied
       according to periodic month";
  }

  /*
   * Groupings
   */

  grouping ipv4 {
    list ipv4-address {
      key "ipv4";
      description
        "The list of IPv4 addresses.";

      leaf ipv4 {
        type inet:ipv4-address;
        description
          "The value of IPv4 address.";
      }
      choice subnet
      {
        description
          "The subnet can be specified as a prefix length or
           netmask.";
        leaf prefix-length {
          type uint8 {
            range "0..32";
          }
          description
            "The length of the subnet prefix.";
        }
        leaf netmask {
          type yang:dotted-quad;
          description
            "The subnet specified as a netmask.";
        }
      }
    }
    description
      "Grouping for an IPv4 address";
    reference
      "RFC 791: Internet Protocol - IPv4 address
       RFC 8344: A YANG Data Model for IP Management";
  }

  grouping ipv6 {
    list ipv6-address {
      key "ipv6";
      description
        "The list of IPv6 addresses.";

      leaf ipv6 {
        type inet:ipv6-address;
        description
          "The value of IPv6 address.";
      }

      leaf prefix-length {
        type uint8 {
          range "0..128";
        }
        description
          "The length of the subnet prefix.";
      }
    }
    description
      "Grouping for an IPv6 address";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - IPv6 address
       RFC 8344: A YANG Data Model for IP Management";
  }

  grouping pkt-sec-ipv4 {
    choice match-type {
      description
        "There are two types of security policy IPv4 address
         matching - exact match and range match.";
      case exact-match {
        uses ipv4;
        description
          "Exact match for an IPv4 address.";
      }
      case range-match {
        list range-ipv4-address {
          key "start-ipv4-address end-ipv4-address";
          leaf start-ipv4-address {
            type inet:ipv4-address;
            description
              "Starting IPv4 address for a range match.";
          }

          leaf end-ipv4-address {
            type inet:ipv4-address;
            description
              "Ending IPv4 address for a range match.";
          }
          description
            "Range match for an IPv4 address.";
        }
      }
    }
    description
      "Grouping for an IPv4 address.";
    reference
      "RFC 791: Internet Protocol - IPv4 address";
  }

  grouping pkt-sec-ipv6 {
    choice match-type {
      description
        "There are two types of security policy IPv6 address
         matching - exact match and range match.";
      case exact-match {
        uses ipv6;
        description
          "Exact match for an IPv6 address.";
      }
      case range-match {
        list range-ipv6-address {
          key "start-ipv6-address end-ipv6-address";
          leaf start-ipv6-address {
            type inet:ipv6-address;
            description
              "Starting IPv6 address for a range match.";
          }

          leaf end-ipv6-address {
            type inet:ipv6-address;
            description
              "Ending IPv6 address for a range match.";
          }
          description
            "Range match for an IPv6 address.";
        }
      }
    }
    description
      "Grouping for an IPv6 address.";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - IPv6 address";
  }

  grouping pkt-sec-port-number {
    choice match-type {
      description
        "There are two types of security policy TCP/UDP port
         matching - exact match and range match.";
      case exact-match {
        leaf-list port-num {
          type inet:port-number;
          description
            "Exact match for a port number.";
        }
      }
      case range-match {
        list range-port-num {
          key "start-port-num end-port-num";
          leaf start-port-num {
            type inet:port-number;
            description
              "Starting port number for a range match.";
          }
          leaf end-port-num {
            type inet:port-number;
            description
              "Ending port number for a range match.";
          }
          description
            "Range match for a port number.";
        }
      }
    }
    description
      "Grouping for a port number.";
    reference
      "RFC 793: Transmission Control Protocol - Port number
       RFC 768: User Datagram Protocol - Port Number";
  }

  /*
   * Data nodes
   */

  container i2nsf-security-policy {
    description
      "Container for security policy
       including a set of security rules according to certain logic,
       i.e., their
       similarity or mutual relations, etc. The network
       security policy can be applied to both the unidirectional
       and bidirectional traffic across the NSF.
       The I2NSF security policies use the Event-Condition-Action
       (ECA) policy model.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - I2NSF Flow Security Policy Structure
       draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Design Principles and ECA Policy Model
       Overview";

    list system-policy {
      key "system-policy-name";
      description
        "There can be multiple system policies in one NSF;
         each system policy is used by one virtual instance
         of the NSF/device.";

      leaf system-policy-name {
        type string;
        description
          "The name of the policy.
           This must be unique.";
      }

      leaf priority-usage {
        type identityref {
          base priority-usage-type;
        }
        default priority-by-order;
        description
          "Priority usage type for security policy rules:
           priority by order or priority by number";
      }

      leaf resolution-strategy {
        type identityref {
          base resolution-strategy;
        }
        default fmr;
        description
          "The resolution strategy used to resolve conflicts
           that occur between the actions of the same or different
           policy rules that are matched and contained in this
           particular NSF";
        reference
          "draft-ietf-i2nsf-capability-05: Information Model
           of NSFs Capabilities - Resolution strategy";
      }

      leaf default-action {
        type identityref {
          base default-action;
        }
        default alert;
        description
          "This default action can be used to specify a predefined
           action when no other alternative action was matched
           by the currently executing I2NSF Policy Rule.
           An analogy
           is the use of a default statement in a C switch statement.";
        reference
          "draft-ietf-i2nsf-capability-05: Information Model
           of NSFs Capabilities - Default action";
      }

      list rules {
        key "rule-name";
        description
          "This is a rule for network security functions.";

        leaf rule-name {
          type string;
          description
            "The name of the rule.";
        }

        leaf rule-description {
          type string;
          description
            "This description gives more information about
             the rule.";
        }

        leaf rule-priority {
          type uint8 {
            range "1..255";
          }
          description
            "The priority of the rule, a numeric value
             ranging from 1 to 255.";
        }

        leaf rule-enable {
          type boolean;
          description
            "True enables the rule.
             False disables it.";
        }

        leaf session-aging-time {
          type uint16;
          description
            "The session aging time.";
        }
        container long-connection {
          description
            "Long-connection handling for this rule.";

          leaf enable {
            type boolean;
            description
              "True enables long-connection handling.
               False disables it.";
          }

          leaf during {
            type uint16;
            description
              "The duration of the long connection.";
          }
        }

        container time-intervals {
          description
            "Time intervals during which the rules are applied";
          container absolute-time-interval {
            description
              "Rule execution according to absolute time.
               The absolute time intervals mean the exact time to
               start or end.";

            leaf start-time {
              type start-time-type;
              default right-away;
              description
                "Start time when the rules are applied";
            }
            leaf end-time {
              type end-time-type;
              default infinitely;
              description
                "End time when the rules are applied";
            }
          }

          container periodic-time-interval {
            description
              "Rule execution according to periodic time.
               The periodic time intervals mean repeated time like
               day, week, or month.";

            container day {
              description
                "Rule execution according to day.";
              leaf every-day {
                type boolean;
                default true;
                description
                  "Rule execution every day";
              }

              leaf-list specific-day {
                when "../every-day = 'false'";
                type day-type;
                description
                  "Rule execution according
                   to specific day";
              }
            }

            container month {
              description
                "Rule execution according to month.";
              leaf every-month {
                type boolean;
                default true;
                description
                  "Rule execution every month";
              }

              leaf-list specific-month {
                when "../every-month = 'false'";
                type month-type;
                description
                  "Rule execution according
                   to specific month";
              }
            }
          }
        }

        container event-clause-container {
          description
            "An event is defined as any important
             occurrence in time of a change in the system being
             managed, and/or in the environment of the system being
             managed. When used in the context of policy rules for
             a flow-based NSF, it is used to determine whether the
             Condition clause of the Policy Rule can be evaluated
             or not.
             Examples of an I2NSF event include time and
             user actions (e.g., logon, logoff, and actions that
             violate any ACL).";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - I2NSF Flow Security Policy Structure
             draft-ietf-i2nsf-capability-05: Information Model
             of NSFs Capabilities - Design Principles and ECA
             Policy Model Overview
             draft-ietf-i2nsf-nsf-monitoring-data-model-01: A YANG
             Data Model for Monitoring I2NSF Network Security
             Functions - System Alarm and System Events";

          leaf event-clause-description {
            type string;
            description
              "Description for an event clause";
          }

          container event-clauses {
            description
              "System Event Clause - either a system event or
               system alarm";
            reference
              "RFC 8329: Framework for Interface to Network Security
               Functions - I2NSF Flow Security Policy Structure
               draft-ietf-i2nsf-capability-05: Information Model
               of NSFs Capabilities - Design Principles and ECA Policy
               Model Overview
               draft-ietf-i2nsf-nsf-monitoring-data-model-01: A YANG
               Data Model for Monitoring I2NSF Network Security
               Functions - System Alarm and System Events";

            leaf-list system-event {
              type identityref {
                base system-event;
              }
              description
                "The security policy rule according to
                 system events.";
            }

            leaf-list system-alarm {
              type identityref {
                base system-alarm;
              }
              description
                "The security policy rule according to
                 system alarms.";
            }
          }
        }

        container condition-clause-container {
          description
            "A condition is defined as a set
             of attributes, features, and/or values that are to be
             compared with a set of known attributes, features,
             and/or values in order to determine whether or not the
             set of Actions in that (imperative) I2NSF Policy Rule
             can be executed or not.
             Examples of I2NSF Conditions
             include matching attributes of a packet or flow, and
             comparing the internal state of an NSF to a desired
             state.";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - I2NSF Flow Security Policy Structure
             draft-ietf-i2nsf-capability-05: Information Model
             of NSFs Capabilities - Design Principles and ECA Policy
             Model Overview";

          leaf condition-clause-description {
            type string;
            description
              "Description for a condition clause.";
          }

          container packet-security-ipv4-condition {
            description
              "The purpose of this container is to represent IPv4
               packet header information to determine if the set
               of policy actions in this ECA policy rule should be
               executed or not.";
            reference
              "RFC 791: Internet Protocol";

            leaf ipv4-description {
              type string;
              description
                "Textual description of the IPv4 condition.";
            }

            container pkt-sec-ipv4-header-length {
              choice match-type {
                description
                  "Security policy IPv4 header length match -
                   exact match and range match.";
                case exact-match {
                  leaf-list ipv4-header-length {
                    type uint8 {
                      range "5..15";
                    }
                    description
                      "Exact match for an IPv4 header length.";
                  }
                }
                case range-match {
                  list range-ipv4-header-length {
                    key "start-ipv4-header-length
                         end-ipv4-header-length";
                    leaf start-ipv4-header-length {
                      type uint8 {
                        range "5..15";
                      }
                      description
                        "Starting IPv4 header length for a range match.";
                    }

                    leaf end-ipv4-header-length {
                      type uint8 {
                        range "5..15";
                      }
                      description
                        "Ending IPv4 header length for a range match.";
                    }
                    description
                      "Range match for an IPv4 header length.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv4 header length.";
              reference
                "RFC 791: Internet Protocol -
                 Header length";
            }

            leaf-list pkt-sec-ipv4-tos {
              type identityref {
                base type-of-service;
              }
              description
                "The security policy rule according to
                 IPv4 type of service.";
              reference
                "RFC 1349: Type of Service in the Internet Protocol
                 Suite";
            }

            container pkt-sec-ipv4-total-length {
              choice match-type {
                description
                  "Security policy IPv4 total length matching
                   - exact match and range match.";
                case exact-match {
                  leaf-list ipv4-total-length {
                    type uint16;
                    description
                      "Exact match for an IPv4 total length.";
                  }
                }
                case range-match {
                  list range-ipv4-total-length {
                    key "start-ipv4-total-length end-ipv4-total-length";
                    leaf start-ipv4-total-length {
                      type uint16;
                      description
                        "Starting IPv4 total length for a range match.";
                    }
                    leaf end-ipv4-total-length {
                      type uint16;
                      description
                        "Ending IPv4 total length for a range match.";
                    }
                    description
                      "Range match for an IPv4 total length.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv4 total length.";
              reference
                "RFC 791: Internet Protocol - Total length";
            }

            leaf-list pkt-sec-ipv4-id {
              type uint16;
              description
                "The security policy rule according to
                 IPv4 identification.";
              reference
                "RFC 791: Internet Protocol - Identification";
            }

            leaf-list pkt-sec-ipv4-fragment-flags {
              type identityref {
                base fragmentation-flags-type;
              }
              description
                "The security policy rule according to
                 IPv4 fragment flags.";
              reference
                "RFC 791: Internet Protocol - Fragment flags";
            }

            container pkt-sec-ipv4-fragment-offset {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for IPv4 fragment offset, such as exact match
                   and range match.";
                case exact-match {
                  leaf-list ipv4-fragment-offset {
                    type uint16 {
                      range "0..8191";
                    }
                    description
                      "Exact match for an IPv4 fragment offset
                       (a 13-bit field, in units of 8 octets).";
                  }
                }
                case range-match {
                  list range-ipv4-fragment-offset {
                    key "start-ipv4-fragment-offset
                         end-ipv4-fragment-offset";
                    leaf start-ipv4-fragment-offset {
                      type uint16 {
                        range "0..8191";
                      }
                      description
                        "Starting IPv4 fragment offset for a range match.";
                    }
                    leaf end-ipv4-fragment-offset {
                      type uint16 {
                        range "0..8191";
                      }
                      description
                        "Ending IPv4 fragment offset for a range match.";
                    }
                    description
                      "Range match for an IPv4 fragment offset.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv4 fragment offset.";
              reference
                "RFC 791: Internet Protocol - Fragment offset";
            }

            container pkt-sec-ipv4-ttl {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for IPv4 TTL, such as exact match
                   and range match.";
                case exact-match {
                  leaf-list ipv4-ttl {
                    type uint8;
                    description
                      "Exact match for an IPv4 TTL.";
                  }
                }
                case range-match {
                  list range-ipv4-ttl {
                    key "start-ipv4-ttl end-ipv4-ttl";
                    leaf start-ipv4-ttl {
                      type uint8;
                      description
                        "Starting IPv4 TTL for a range match.";
                    }
                    leaf end-ipv4-ttl {
                      type uint8;
                      description
                        "Ending IPv4 TTL for a range match.";
                    }
                    description
                      "Range match for an IPv4 TTL.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv4 time-to-live (TTL).";
              reference
                "RFC 791: Internet Protocol - Time to live";
            }
            leaf-list pkt-sec-ipv4-protocol {
              type identityref {
                base protocol;
              }
              description
                "The security policy rule according to
                 IPv4 protocol.";
              reference
                "RFC 791: Internet Protocol - Protocol";
            }

            container
            pkt-sec-ipv4-src {
              uses pkt-sec-ipv4;
              description
                "The security policy rule according to
                 IPv4 source address.";
              reference
                "RFC 791: Internet Protocol - IPv4 Address";
            }

            container pkt-sec-ipv4-dest {
              uses pkt-sec-ipv4;
              description
                "The security policy rule according to
                 IPv4 destination address.";
              reference
                "RFC 791: Internet Protocol - IPv4 Address";
            }

            leaf-list pkt-sec-ipv4-ipopts {
              type identityref {
                base ipopts;
              }
              description
                "The security policy rule according to
                 IPv4 options.";
              reference
                "RFC 791: Internet Protocol - Options";
            }

            leaf pkt-sec-ipv4-same-ip {
              type boolean;
              description
                "Match on packets with the same IPv4 source
                 and IPv4 destination address.";
            }

            leaf-list pkt-sec-ipv4-geo-ip {
              type string;
              description
                "The geo-ip keyword enables you to match on
                 the source, destination or source and destination
                 IP addresses of network traffic and to see to
                 which country it belongs.
                 To do this, Suricata
                 uses GeoIP API with MaxMind database format.";
            }
          }

          container packet-security-ipv6-condition {
            description
              "The purpose of this container is to represent
               IPv6 packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 8200: Internet Protocol, Version 6 (IPv6)
               Specification";

            leaf ipv6-description {
              type string;
              description
                "Textual description of the IPv6 condition.";
            }

            leaf-list pkt-sec-ipv6-traffic-class {
              type identityref {
                base traffic-class;
              }
              description
                "The security policy rule according to
                 IPv6 traffic class.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - Traffic class";
            }

            container pkt-sec-ipv6-flow-label {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for IPv6 flow label, such as exact match
                   and range match.";
                case exact-match {
                  leaf-list ipv6-flow-label {
                    type uint32 {
                      range "0..1048575";
                    }
                    description
                      "Exact match for an IPv6 flow label.";
                  }
                }
                case range-match {
                  list range-ipv6-flow-label {
                    key "start-ipv6-flow-label end-ipv6-flow-label";
                    leaf start-ipv6-flow-label {
                      type uint32 {
                        range "0..1048575";
                      }
                      description
                        "Starting IPv6 flow label for a range match.";
                    }
                    leaf end-ipv6-flow-label {
                      type uint32 {
                        range "0..1048575";
                      }
                      description
                        "Ending IPv6 flow label for a range match.";
                    }
                    description
                      "Range match for an IPv6 flow label.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv6 flow label.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - Flow label";
            }

            container pkt-sec-ipv6-payload-length {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for IPv6 payload length, such as
                   exact match and range match.";
                case exact-match {
                  leaf-list ipv6-payload-length {
                    type uint16;
                    description
                      "Exact match for an IPv6 payload length.";
                  }
                }
                case range-match {
                  list range-ipv6-payload-length {
                    key "start-ipv6-payload-length
                         end-ipv6-payload-length";
                    leaf start-ipv6-payload-length {
                      type uint16;
                      description
                        "Starting IPv6 payload length for a range match.";
                    }
                    leaf end-ipv6-payload-length {
                      type uint16;
                      description
                        "Ending IPv6 payload length for a range match.";
                    }
                    description
                      "Range match for an IPv6 payload length.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv6 payload length.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - Payload length";
            }

            leaf-list pkt-sec-ipv6-next-header {
              type identityref {
                base next-header;
              }
              description
                "The security policy rule according to
                 IPv6 next header.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - Next header";
            }

            container pkt-sec-ipv6-hop-limit {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for IPv6 hop limit, such as exact match
                   and range match.";
                case exact-match {
                  leaf-list ipv6-hop-limit {
                    type uint8;
                    description
                      "Exact match for an IPv6 hop limit.";
                  }
                }
                case range-match {
                  list range-ipv6-hop-limit {
                    key "start-ipv6-hop-limit end-ipv6-hop-limit";
                    leaf start-ipv6-hop-limit {
                      type uint8;
                      description
                        "Start IPv6 hop limit for a range match.";
                    }
                    leaf end-ipv6-hop-limit {
                      type uint8;
                      description
                        "End IPv6 hop limit for a range match.";
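                      /* Added example, not part of the original
                       * module: a must constraint that rejects a
                       * range whose end is below its start. The
                       * range-match lists in this module carry no
                       * such check, so an NSF would silently accept
                       * an empty range that matches nothing; the
                       * same pattern fits every start/end pair in
                       * the module (addresses, ports, lengths,
                       * offsets, TTL). */
                      must ". >= ../start-ipv6-hop-limit" {
                        error-message
                          "end-ipv6-hop-limit must not be less than
                           start-ipv6-hop-limit.";
                      }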
                    }
                    description
                      "Range match for an IPv6 hop limit.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv6 hop limit.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - Hop limit";
            }

            container pkt-sec-ipv6-src {
              uses pkt-sec-ipv6;
              description
                "The security policy rule according to
                 IPv6 source address.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - IPv6 address";
            }

            container pkt-sec-ipv6-dest {
              uses pkt-sec-ipv6;
              description
                "The security policy rule according to
                 IPv6 destination address.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - IPv6 address";
            }
          }

          container packet-security-tcp-condition {
            description
              "The purpose of this container is to represent
               TCP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 793: Transmission Control Protocol";

            leaf tcp-description {
              type string;
              description
                "Textual description of the TCP condition.";
            }

            container pkt-sec-tcp-src-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 TCP source port number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Port number";
            }

            container pkt-sec-tcp-dest-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 TCP destination port number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Port number";
            }

            container pkt-sec-tcp-seq-num {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for TCP sequence number,
                   such as exact match and range match.";
                case exact-match {
                  leaf-list tcp-seq-num {
                    type uint32;
                    description
                      "Exact match for a TCP sequence number.";
                  }
                }
                case range-match {
                  list range-tcp-seq-num {
                    key "start-tcp-seq-num end-tcp-seq-num";
                    leaf start-tcp-seq-num {
                      type uint32;
                      description
                        "Start TCP sequence number for a range match.";
                    }
                    leaf end-tcp-seq-num {
                      type uint32;
                      description
                        "End TCP sequence number for a range match.";
                    }
                    description
                      "Range match for a TCP sequence number.";
                  }
                }
              }
              description
                "The security policy rule according to
                 TCP sequence number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Sequence number";
            }

            container pkt-sec-tcp-ack-num {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for TCP acknowledgement number,
                   such as exact match and range match.";
                case exact-match {
                  leaf-list tcp-ack-num {
                    type uint32;
                    description
                      "Exact match for a TCP acknowledgement number.";
                  }
                }
                case range-match {
                  list range-tcp-ack-num {
                    key "start-tcp-ack-num end-tcp-ack-num";
                    leaf start-tcp-ack-num {
                      type uint32;
                      description
                        "Start TCP acknowledgement number
                         for a range match.";
                    }
                    leaf end-tcp-ack-num {
                      type uint32;
                      description
                        "End TCP acknowledgement number
                         for a range match.";
                    }
                    description
                      "Range match for a TCP acknowledgement number.";
                  }
                }
              }
              description
                "The security policy rule according to
                 TCP acknowledgement number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Acknowledgement number";
            }

            container pkt-sec-tcp-window-size {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for TCP window size,
                   such as exact match and range match.";
                case exact-match {
                  leaf-list tcp-window-size {
                    type uint16;
                    description
                      "Exact match for a TCP window size.";
                  }
                }
                case range-match {
                  list range-tcp-window-size {
                    key "start-tcp-window-size end-tcp-window-size";
                    leaf start-tcp-window-size {
                      type uint16;
                      description
                        "Start TCP window size for a range match.";
                    }
                    leaf end-tcp-window-size {
                      type uint16;
                      description
                        "End TCP window size for a range match.";
                    }
                    description
                      "Range match for a TCP window size.";
                  }
                }
              }
              description
                "The security policy rule according to
                 TCP window size.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Window size";
            }

            leaf-list pkt-sec-tcp-flags {
              type identityref {
                base tcp-flags;
              }
              description
                "The security policy rule according to
                 TCP flags.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Flags";
            }
          }

          container packet-security-udp-condition {
            description
              "The purpose of this container is to represent
               UDP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 768: User Datagram Protocol";

            leaf udp-description {
              type string;
              description
                "Textual description of the UDP condition.";
            }

            container pkt-sec-udp-src-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 UDP source port number.";
              reference
                "RFC 768: User Datagram Protocol
                 - Port number";
            }

            container pkt-sec-udp-dest-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 UDP destination port number.";
              reference
                "RFC 768: User Datagram Protocol
                 - Port number";
            }

            container pkt-sec-udp-total-length {
              choice match-type
{ 3513 description 3514 "There are two types to configure a security 3515 policy for udp sequence number, 3516 such as exact match and range match."; 3517 case exact-match { 3518 leaf-list udp-total-length { 3519 type uint32; 3520 description 3521 "Exact match for an udp-total-length."; 3522 } 3523 } 3524 case range-match { 3525 list range-udp-total-length { 3526 key "start-udp-total-length end-udp-total-length"; 3527 leaf start-udp-total-length { 3528 type uint32; 3529 description 3530 "Start udp total length for a range match."; 3531 } 3532 leaf end-udp-total-length { 3533 type uint32; 3534 description 3535 "End udp total length for a range match."; 3536 } 3537 description 3538 "Range match for a udp total length."; 3539 } 3540 } 3542 } 3543 description 3544 "The security policy rule according to 3545 udp total length."; 3546 reference 3547 "RFC 768: User Datagram Protocol 3548 - Total Length"; 3549 } 3550 } 3552 container packet-security-icmp-condition { 3553 description 3554 "The purpose of this container is to represent 3555 ICMP packet header information to determine 3556 if the set of policy actions in this ECA policy 3557 rule should be executed or not."; 3558 reference 3559 "RFC 792: Internet Control Message Protocol 3560 RFC 8335: PROBE: A Utility for Probing Interfaces"; 3562 leaf icmp-description { 3563 type string; 3564 description 3565 "This is description for icmp condition."; 3566 } 3568 leaf-list pkt-sec-icmp-type-and-code { 3569 type identityref { 3570 base icmp-type; 3571 } 3572 description 3573 "The security policy rule according to 3574 ICMP parameters."; 3575 reference 3576 "RFC 792: Internet Control Message Protocol 3577 RFC 8335: PROBE: A Utility for Probing Interfaces"; 3578 } 3579 } 3581 container packet-security-url-category-condition { 3582 description 3583 "Condition for url category"; 3584 leaf url-category-description { 3585 type string; 3586 description 3587 "This is description for url category condition. 
                 Vendors can write instructions for the url category
                 condition that the vendor made.";
            }

            leaf-list pre-defined-category {
              type string;
              description
                "This is a pre-defined category.";
            }
            leaf-list user-defined-category {
              type string;
              description
                "This is a user-defined category.";
            }
          }

          container packet-security-voice-condition {
            description
              "For the VoIP/VoLTE security system, a VoIP/
               VoLTE security system can monitor each
               VoIP/VoLTE flow and manage VoIP/VoLTE
               security rules controlled by a centralized
               server for the VoIP/VoLTE security service
               (called VoIP IPS). The VoIP/VoLTE security
               system controls each switch for the
               VoIP/VoLTE call flow management by
               manipulating the rules, which can be added,
               deleted, or modified dynamically.";
            reference
              "RFC 3261: SIP: Session Initiation Protocol";

            leaf voice-description {
              type string;
              description
                "This is the description for the voice condition.";
            }

            leaf-list pkt-sec-src-voice-id {
              type string;
              description
                "The security policy rule according to
                 a source voice ID for VoIP and VoLTE.";
            }

            leaf-list pkt-sec-dest-voice-id {
              type string;
              description
                "The security policy rule according to
                 a destination voice ID for VoIP and VoLTE.";
            }

            leaf-list pkt-sec-user-agent {
              type string;
              description
                "The security policy rule according to
                 a user agent for VoIP and VoLTE.";
            }
          }

          container packet-security-ddos-condition {
            description
              "Condition for DDoS attack.";

            leaf ddos-description {
              type string;
              description
                "This is the description for the ddos condition.";
            }

            leaf pkt-sec-alert-rate {
              type uint32;
              description
                "The alert rate for flood detection of
                 identical packets.";
            }
          }

          container packet-security-payload-condition {
            description
              "Condition for packet payload";
            leaf packet-payload-description {
              type string;
              description
                "This is the description for the payload condition.
                 Vendors can write instructions for the payload
                 condition that the vendor made.";
            }
            leaf-list pkt-payload-content {
              type string;
              description
                "The content keyword to match against the packet
                 payload, as in signature-based inspection: the
                 quoted string is what the signature must find
                 in the payload.";
            }
          }
          container context-condition {
            description
              "Condition for context";
            leaf context-description {
              type string;
              description
                "This is the description for the context condition.
                 Vendors can write instructions for the context
                 condition that the vendor made.";
            }

            container application-condition {
              description
                "Condition for application";
              leaf application-description {
                type string;
                description
                  "This is the description for the application condition.";
              }
              leaf-list application-object {
                type string;
                description
                  "This is an application object.";
              }
              leaf-list application-group {
                type string;
                description
                  "This is an application group.";
              }
              leaf-list application-label {
                type string;
                description
                  "This is an application label.";
              }
              container category {
                description
                  "This is the application category.";
                list application-category {
                  key "name application-subcategory";
                  description
                    "This is the application category list.";
                  leaf name {
                    type string;
                    description
                      "This is the name of the application category.";
                  }
                  leaf application-subcategory {
                    type string;
                    description
                      "This is the application subcategory.";
                  }
                }
              }
            }

            container target-condition {
              description
                "Condition for target";
              leaf target-description {
                type string;
                description
                  "This is the description for the target condition.
                   Vendors can write instructions for the target
                   condition that the vendor made.";
              }

              container device-sec-context-cond {
                description
                  "The device attribute that can identify a device,
                   including the device type (e.g., router, switch,
                   pc, ios, or android) and the device's owner as
                   well.";

                leaf-list target-device {
                  type identityref {
                    base target-device;
                  }
                  description
                    "Leaf list for target devices.";
                }
              }
            }

            container users-condition {
              description
                "Condition for users";
              leaf users-description {
                type string;
                description
                  "This is the description for the user condition.
                   Vendors can write instructions for the user
                   condition that the vendor made.";
              }
              container user {
                description
                  "The user (or user group) information with which
                   a network flow is associated. The user has many
                   attributes such as name, id, password, type,
                   authentication mode and so on. Name/id is often
                   used in the security policy to identify the user.
                   Besides, the NSF is aware of the IP address of the
                   user provided by a unified user management system
                   via the network. Based on the name-address
                   association, the NSF is able to enforce the
                   security functions over the given user (or user
                   group).";

                choice user-name {
                  description
                    "The name of the user.";

                  case tenant {
                    description
                      "Tenant information.";

                    leaf tenant {
                      type uint8;
                      description
                        "User's tenant information.";
                    }
                  }

                  case vn-id {
                    description
                      "VN-ID information.";

                    leaf vn-id {
                      type uint8;
                      description
                        "User's VN-ID information.";
                    }
                  }
                }
              }

              container group {
                description
                  "The user group information with which
                   a network flow is associated. The user has many
                   attributes such as name, id, password, type,
                   authentication mode and so on.
                   Name/id is often
                   used in the security policy to identify the user.
                   Besides, the NSF is aware of the IP address of the
                   user provided by a unified user management system
                   via the network. Based on the name-address
                   association, the NSF is able to enforce the
                   security functions over the given user (or user
                   group).";

                choice group-name {
                  description
                    "The name of the group.";

                  case tenant {
                    description
                      "Tenant information.";

                    leaf tenant {
                      type uint8;
                      description
                        "Group's tenant information.";
                    }
                  }

                  case vn-id {
                    description
                      "VN-ID information.";

                    leaf vn-id {
                      type uint8;
                      description
                        "Group's VN-ID information.";
                    }
                  }
                }
              }

              leaf security-group {
                type string;
                description
                  "The security group.";
              }
            }

            container gen-context-condition {
              description
                "Condition for generic context";
              leaf gen-context-description {
                type string;
                description
                  "This is the description for the generic context
                   condition. Vendors can write instructions for the
                   generic context condition that the vendor made.";
              }
              container geographic-location {
                description
                  "The location with which network traffic is
                   associated. The region can be a geographic
                   location such as country, province, and city,
                   as well as a logical network location such as
                   IP address, network section, and network domain.";

                leaf-list src-geographic-location {
                  type uint32;
                  description
                    "This is mapped to an IP address. The source
                     region is obtained from the IP address stored
                     in the database.";
                }
                leaf-list dest-geographic-location {
                  type uint32;
                  description
                    "This is mapped to an IP address. The destination
                     region is obtained from the IP address stored
                     in the database.";
                }
              }
            }
          }
        }

        container action-clause-container {
          description
            "An action is used to control and monitor aspects of
             flow-based NSFs when the event and condition clauses
             are satisfied. NSFs provide security functions by
             executing various actions. Examples of I2NSF actions
             include providing intrusion detection and/or protection,
             web and flow filtering, and deep packet inspection
             for packets and flows.";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - I2NSF Flow Security Policy Structure
             draft-ietf-i2nsf-capability-05: Information Model
             of NSFs Capabilities - Design Principles and ECA Policy
             Model Overview";

          leaf action-clause-description {
            type string;
            description
              "Description for an action clause.";
          }

          container packet-action {
            description
              "Action for packets";
            reference
              "RFC 8329: Framework for Interface to Network Security
               Functions - I2NSF Flow Security Policy Structure
               draft-ietf-i2nsf-capability-05: Information Model
               of NSFs Capabilities - Design Principles and ECA
               Policy Model Overview";

            leaf ingress-action {
              type identityref {
                base ingress-action;
              }
              description
                "Ingress action: pass, drop, reject, alert, and mirror.";
            }

            leaf egress-action {
              type identityref {
                base egress-action;
              }
              description
                "Egress action: pass, drop, reject, alert, mirror,
                 invoke-signaling, tunnel-encapsulation,
                 forwarding, and redirection.";
            }

            leaf log-action {
              type identityref {
                base log-action;
              }
              description
                "Log action: rule log and session log.";
            }

          }

          container advanced-action {
            description
              "If the packet needs additional inspection,
               it is passed to advanced network
               security functions according to the profile.";
            reference
              "RFC 8329: Framework for Interface to Network Security
               Functions - Differences from ACL Data Models";

            leaf-list content-security-control {
              type identityref {
                base content-security-control;
              }
              description
                "The profile is divided into content security
                 control and attack mitigation control.
                 Content security control: antivirus, ips, ids,
                 url filtering, mail filtering, file blocking,
                 file isolate, packet capture, application control,
                 voip and volte.";
            }

            leaf-list attack-mitigation-control {
              type identityref {
                base attack-mitigation-control;
              }
              description
                "The profile is divided into content security
                 control and attack mitigation control.
                 Attack mitigation control: syn flood, udp flood,
                 icmp flood, ip frag flood, ipv6 related, http flood,
                 https flood, dns flood, dns amp flood, ssl ddos,
                 ip sweep, port scanning, ping of death, teardrop,
                 oversized icmp, tracert.";
            }
          }
        }
      }
      container rule-group {
        description
          "This is a rule group.";

        list groups {
          key "group-name";
          description
            "This is a group of rules.";

          leaf group-name {
            type string;
            description
              "This is the name of the rule group.";
          }

          container rule-range {
            description
              "This is a rule range.";

            leaf start-rule {
              type string;
              description
                "This is the start rule.";
            }
            leaf end-rule {
              type string;
              description
                "This is the end rule.";
            }
          }
          leaf enable {
            type boolean;
            description
              "Whether the rule group is enabled;
               false disables it.";
          }
          leaf description {
            type string;
            description
              "This is a description for the rule group.";
          }
        }
      }
    }
  }

  leaf i2nsf-ipsec {
    type identityref {
      base i2nsf-ipsec;
    }
    description
      "Internet Key Exchange for NSFs
       in the I2NSF framework";

    reference
      "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
       - i2nsf-ipsec";
  }
}

<CODE ENDS>

   Figure 6: YANG Data Module of I2NSF NSF-Facing-Interface

6. IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950]:

      name: ietf-i2nsf-policy-rule-for-nsf
      namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
      prefix: nsfintf
      reference: RFC XXXX

7. Security Considerations

   The YANG module specified in this document defines a data schema
   designed to be accessed through network management protocols such as
   NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is
   the secure transport layer, and the required secure transport is
   Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS,
   and the required secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides a means of
   restricting access to specific NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default). These data nodes may be considered sensitive or vulnerable
   in some network environments. Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.
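   The "proper protection" is an access-control rule set, so the following
   added example (not part of this draft, and not code from the I2NSF
   project) shows one: a NACM configuration in the ietf-netconf-acm data
   model of [RFC8341] that lets one group manage the module, lets a second
   group only read it, and hides it from every other user, while leaving
   unrelated modules at the RFC 8341 defaults. The configuration is checked
   offline by a small Python model of NACM's decision procedure (rule-lists
   in order, first matching rule wins, per-operation-class defaults
   otherwise) that understands only module-name and access-operations
   rules. The user names alice, bob and mallory, the group names
   nsf-admins and soc-analysts, and the rule names are assumptions of the
   example.

```python
# Added example, not part of the draft: a NACM (RFC 8341) configuration that
# confines the ietf-i2nsf-policy-rule-for-nsf module to two groups, checked
# offline with a reduced model of NACM's decision procedure (module-name and
# access-operations rules only; no path, rpc-name or notification-name rules).
# Users, groups and rule names are constructed for this example.
import xml.etree.ElementTree as ET

NACM_NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
I2NSF_MODULE = "ietf-i2nsf-policy-rule-for-nsf"

# Rule-lists apply in document order and the first matching rule wins, so the
# catch-all deny for every other group ("*") has to come last. read-default
# stays at the RFC 8341 default (permit), which is why the explicit deny on
# this module is needed: its content shows what traffic is and is not inspected.
NACM_CONFIG = f"""
<nacm xmlns="{NACM_NS}">
  <enable-nacm>true</enable-nacm>
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>permit</exec-default>
  <groups>
    <group><name>nsf-admins</name><user-name>alice</user-name></group>
    <group><name>soc-analysts</name><user-name>bob</user-name></group>
  </groups>
  <rule-list><name>nsf-policy-admins</name><group>nsf-admins</group>
    <rule><name>manage-policy</name><module-name>{I2NSF_MODULE}</module-name>
      <access-operations>create read update delete</access-operations>
      <action>permit</action></rule></rule-list>
  <rule-list><name>nsf-policy-analysts</name><group>soc-analysts</group>
    <rule><name>review-policy</name><module-name>{I2NSF_MODULE}</module-name>
      <access-operations>read</access-operations>
      <action>permit</action></rule></rule-list>
  <rule-list><name>nsf-policy-others</name><group>*</group>
    <rule><name>hide-policy</name><module-name>{I2NSF_MODULE}</module-name>
      <access-operations>read</access-operations>
      <action>deny</action></rule></rule-list>
</nacm>
"""


def _q(tag):
    return f"{{{NACM_NS}}}{tag}"


def load_nacm(xml_text):
    """Parse the parts of ietf-netconf-acm that the decision model needs."""
    root = ET.fromstring(xml_text.strip())
    user_groups = {}
    for grp in root.find(_q("groups")).findall(_q("group")):
        for user in grp.findall(_q("user-name")):
            user_groups.setdefault(user.text, set()).add(grp.findtext(_q("name")))
    rule_lists = []
    for rl in root.findall(_q("rule-list")):
        rules = [{"module": r.findtext(_q("module-name"), default="*"),
                  "ops": set(r.findtext(_q("access-operations"), default="*").split()),
                  "action": r.findtext(_q("action"))}
                 for r in rl.findall(_q("rule"))]
        rule_lists.append({"groups": {g.text for g in rl.findall(_q("group"))},
                           "rules": rules})
    return {
        "enabled": root.findtext(_q("enable-nacm"), default="true") == "true",
        "user_groups": user_groups,
        "rule_lists": rule_lists,
        "defaults": {"read": root.findtext(_q("read-default"), default="permit"),
                     "write": root.findtext(_q("write-default"), default="deny"),
                     "exec": root.findtext(_q("exec-default"), default="permit")},
    }


def decide(nacm, user, operation, module):
    """'permit' or 'deny' for one (user, operation, module) request."""
    if not nacm["enabled"]:
        return "permit"
    groups = nacm["user_groups"].get(user, set())
    for rl in nacm["rule_lists"]:
        if "*" not in rl["groups"] and not (rl["groups"] & groups):
            continue  # this rule-list is not for the user's groups
        for rule in rl["rules"]:
            if rule["module"] in ("*", module) and (
                    "*" in rule["ops"] or operation in rule["ops"]):
                return rule["action"]  # first matching rule decides
    # Nothing matched: fall back to the default for the operation's class.
    op_class = {"read": "read", "exec": "exec"}.get(operation, "write")
    return nacm["defaults"][op_class]


def check_policy_access(xml_text=NACM_CONFIG):
    """Decisions for constructed requests against the policy module."""
    nacm = load_nacm(xml_text)
    requests = [
        ("alice", "update", I2NSF_MODULE),       # operator changes a rule
        ("bob", "read", I2NSF_MODULE),           # analyst reviews the policy
        ("bob", "update", I2NSF_MODULE),         # analyst tries to change it
        ("mallory", "read", I2NSF_MODULE),       # anyone else tries to gather it
        ("mallory", "read", "ietf-interfaces"),  # unrelated module stays readable
        ("mallory", "delete", I2NSF_MODULE),     # anyone else tries to remove rules
    ]
    return {req: decide(nacm, *req) for req in requests}
```

   The point to check on a real server is the order of the rule-lists:
   because the first matching rule wins, moving the "*" rule-list above
   the analysts' rule-list would silently deny the analysts' reads too.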
   These are the subtrees and data nodes and their
   sensitivity/vulnerability:

   o  ietf-i2nsf-policy-rule-for-nsf: An attacker who can modify this
      subtree can install incorrect security policy on any target NSF,
      for example by deleting or disabling the rules that block an
      attack.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments. It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes. These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   o  ietf-i2nsf-policy-rule-for-nsf: An attacker who can read this
      subtree can gather the security policy of any target NSF and use
      it to plan subsequent attacks, for example by choosing traffic
      that no rule inspects.

8. References

8.1. Normative References

   [RFC1394]  Robinson, P., "Relationship of Telex Answerback Codes to
              Internet Domains", RFC 1394, DOI 10.17487/RFC1394,
              January 1993.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              DOI 10.17487/RFC3261, June 2002.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC768]   Postel, J., "User Datagram Protocol", RFC 768, August
              1980.

   [RFC790]   Postel, J., "Assigned Numbers", RFC 790, September 1981.

   [RFC791]   Postel, J., "Internet Protocol", RFC 791, September 1981.

   [RFC792]   Postel, J., "Internet Control Message Protocol", RFC 792,
              September 1981.

   [RFC793]   Postel, J., "Transmission Control Protocol", RFC 793,
              September 1981.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8431]  Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
              S., and N. Bahadur, "A YANG Data Model for the Routing
              Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
              September 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

8.2. Informative References

   [draft-dong-i2nsf-asf-config]
              Pan, W. and L. Xia, "Configuration of Advanced Security
              Functions with I2NSF Security Controller", draft-dong-
              i2nsf-asf-config-01 (work in progress), October 2018.

   [draft-ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities", draft-ietf-
              i2nsf-capability-05 (work in progress), April 2019.

   [draft-ietf-i2nsf-capability-data-model]
              Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
              "I2NSF Capability YANG Data Model", draft-ietf-i2nsf-
              capability-data-model-05 (work in progress), July 2019.

   [draft-ietf-i2nsf-sdn-ipsec-flow-protection]
              Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
              Garcia, "Software-Defined Networking (SDN)-based IPsec
              Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-
              protection-05 (work in progress), July 2019.

   [draft-ietf-supa-generic-policy-info-model]
              Strassner, J., Halpern, J., and S. Meer, "Generic Policy
              Information Model for Simplified Use of Policy
              Abstractions (SUPA)", draft-ietf-supa-generic-policy-info-
              model-03 (work in progress), May 2017.

Appendix A. Configuration Examples

   This section shows configuration examples of the
   "ietf-i2nsf-policy-rule-for-nsf" module for security policy rules of
   network security devices. For the security requirements, we assume
   that the NSFs (i.e., general firewall, time based firewall, URL
   filter, VoIP/VoLTE filter, and HTTP and HTTPS flood mitigation)
   described in Appendix A, Configuration Examples, of
   [draft-ietf-i2nsf-capability-data-model] are registered in the I2NSF
   framework.
   With the registered NSFs, we show configuration examples for security
   policy rules of network security functions according to the following
   three security requirements: (i) block SNS access during business
   hours, (ii) block malicious VoIP/VoLTE packets coming to the company,
   and (iii) mitigate HTTP and HTTPS flood attacks on the company web
   server.

A.1. Security Requirement 1: Block SNS Access during Business Hours

   This section shows a configuration example for blocking SNS access
   during business hours.

   [Figure 7 residue: the XML markup did not survive extraction. The
   element values that remain, in document order, are: sns_access,
   block_sns_access_during_operation_time, 09:00:00Z, 18:00:00Z,
   221.159.112.1, 221.159.112.90, url-filtering.]

   Figure 7: Configuration XML for Time based Firewall to Block SNS
   Access during Business Hours

   [Figure 8 residue: the XML markup did not survive extraction. The
   element values that remain, in document order, are: sns_access,
   block_sns_access_during_operation_time, facebook, instagram, drop.]

   Figure 8: Configuration XML for Web Filter to Block SNS Access during
   Business Hours

   Figure 7 and Figure 8 show the configuration XML documents for the
   time based firewall and the web filter that block SNS access during
   business hours. Two NSFs (a time based firewall and a web filter) are
   used because neither NSF alone can meet the requirement: the time
   based firewall can match the time and the source address but cannot
   inspect URLs, so it hands the selected traffic to the web filter.
   The instances of the XML documents for the time based firewall and
   the web filter are as follows. Note that a detailed data model for
   the configuration of the advanced network security function (i.e.,
   the web filter) is described in [draft-dong-i2nsf-asf-config].

   Time based Firewall

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_sns_access_during_operation_time.

   3.  The rule is in effect during business hours (i.e., from 9 a.m.
       to 6 p.m., given as 09:00:00Z and 18:00:00Z in the figure).

   4.  The rule inspects the source IPv4 address (i.e., from
       221.159.112.1 to 221.159.112.90) to select the outgoing packets
       of employees.

   5.  If the outgoing packets match the conditions above, the time
       based firewall sends the packets to url filtering for additional
       inspection, because the time based firewall cannot inspect the
       contents of the packets for the SNS URL.

   Web Filter

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_sns_access_during_operation_time,
       the same rule name as in the time based firewall policy.

   3.  The rule inspects the URL to detect access to facebook or
       instagram.

   4.  If the outgoing packets match the conditions above, the packets
       are dropped.

A.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming
     to the Company

   This section shows a configuration example for blocking malicious
   VoIP/VoLTE packets coming to the company.

   [Figure 9 residue: the XML markup did not survive extraction. The
   element values that remain, in document order, are:
   voip_volte_inspection, block_malicious_voice_id, 221.159.112.1,
   221.159.112.90, 5060, 5061, voip-volte.]

   Figure 9: Configuration XML for General Firewall to Block Malicious
   VoIP/VoLTE Packets Coming to the Company

   [Figure 10 residue: the XML markup did not survive extraction. The
   element values that remain, in document order, are:
   voip_volte_inspection, block_malicious_voice_id,
   11111@voip.black.com, 22222@voip.black.com, drop.]

   Figure 10: Configuration XML for VoIP/VoLTE Filter to Block Malicious
   VoIP/VoLTE Packets Coming to the Company

   Figure 9 and Figure 10 show the configuration XML documents for the
   general firewall and the VoIP/VoLTE filter that block malicious
   VoIP/VoLTE packets coming to the company. Two NSFs (a general
   firewall and a VoIP/VoLTE filter) are used because neither NSF alone
   can meet the requirement: the general firewall can match addresses
   and ports but cannot inspect the contents of the VoIP/VoLTE packets,
   so it hands the selected traffic to the VoIP/VoLTE filter. The
   instances of the XML documents for the general firewall and the
   VoIP/VoLTE filter are as follows. Note that a detailed data model for
   the configuration of the advanced network security function (i.e.,
   the VoIP/VoLTE filter) is described in [draft-dong-i2nsf-asf-config].

   General Firewall

   1.  The name of the system policy is voip_volte_inspection.

   2.  The name of the rule is block_malicious_voice_id.

   3.  The rule inspects the destination IPv4 address (i.e., from
       221.159.112.1 to 221.159.112.90) to select the packets coming
       into the company.

   4.  The rule inspects the port number (i.e., 5060 and 5061, the SIP
       ports) to select VoIP/VoLTE packets.

   5.  If the incoming packets match the conditions above, the general
       firewall sends the packets to the VoIP/VoLTE filter for
       additional inspection, because the general firewall cannot
       inspect the contents of the VoIP/VoLTE packets.

   VoIP/VoLTE Filter

   1.  The name of the system policy is voip_volte_inspection, the same
       policy name as in the general firewall.

   2.  The name of the rule is block_malicious_voice_id.

   3.  The rule inspects the voice ID of the VoIP/VoLTE packets to
       detect the malicious callers (i.e., 11111@voip.black.com and
       22222@voip.black.com).

   4.  If the incoming packets match the conditions above, the packets
       are dropped.

A.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a
     Company Web Server

   This section shows a configuration example for mitigating HTTP and
   HTTPS flood attacks on a company web server.
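   The three requirements share one shape: a front NSF matches header or
   time conditions and hands the packet to an advanced NSF that matches
   content or rate. The following added example (not part of this draft
   and not code from the I2NSF project) encodes the rules of Figures 7 to
   12 as plain data, using the exact-match and range-match forms of the
   module's match-type choice, and runs constructed packets through the
   two-NSF chains of A.1, A.2 and this section. Two semantics are
   assumptions of the example rather than statements of the draft: all
   conditions of a rule are ANDed while the entries of one exact-match
   leaf-list or range list are ORed, and an observed packet rate at or
   above pkt-sec-alert-rate matches the ddos condition. The packets,
   the outside address 198.51.100.7 and the reading of the port
   conditions as destination ports are also assumptions.

```python
# Added example, not part of the draft: the Appendix A policies as data, run
# against constructed packets. Values come from Figures 7 to 12; the AND/OR
# matching semantics and the alert-rate reading are assumptions (see lead-in).
import ipaddress
from datetime import time

U32_MAX = 2**32 - 1


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def match_value(spec, value):
    """Mirror the module's match-type choice: exact-match is a leaf-list of
    accepted values, range-match is a list of inclusive (start, end) pairs."""
    if "exact" in spec:
        return value in spec["exact"]
    return any(start <= value <= end for start, end in spec["range"])


def rule_matches(rule, packet):
    """Every condition of the rule must match; a missing field never matches."""
    for field, spec in rule["conditions"].items():
        if field not in packet:
            return False
        value = ip_int(packet[field]) if field.endswith("_ipv4") else packet[field]
        if not match_value(spec, value):
            return False
    return True


COMPANY = {"range": [(ip_int("221.159.112.1"), ip_int("221.159.112.90"))]}

# One ordered rule list per NSF, keyed by the name the advanced action uses.
NSF_POLICIES = {
    "time-based-firewall": [
        {"name": "block_sns_access_during_operation_time",
         "conditions": {"time": {"range": [(time(9, 0), time(18, 0))]},
                        "src_ipv4": COMPANY},
         "action": {"advanced": "url-filtering"}}],
    "url-filtering": [
        {"name": "block_sns_access_during_operation_time",
         "conditions": {"url_category": {"exact": {"facebook", "instagram"}}},
         "action": {"ingress": "drop"}}],
    "general-firewall": [
        {"name": "block_malicious_voice_id",
         "conditions": {"dst_ipv4": COMPANY, "dst_port": {"exact": {5060, 5061}}},
         "action": {"advanced": "voip-volte"}},
        {"name": "mitigate_http_and_https_flood_attack",
         "conditions": {"dst_ipv4": {"exact": {ip_int("221.159.112.95")}},
                        "dst_port": {"exact": {80, 443}}},
         "action": {"advanced": "http-and-https-flood"}}],
    "voip-volte": [
        {"name": "block_malicious_voice_id",
         "conditions": {"src_voice_id": {"exact": {"11111@voip.black.com",
                                                   "22222@voip.black.com"}}},
         "action": {"ingress": "drop"}}],
    "http-and-https-flood": [
        {"name": "mitigate_http_and_https_flood_attack",
         # pkt-sec-alert-rate 100, expressed as a range match on the observed rate
         "conditions": {"rate": {"range": [(100, U32_MAX)]}},
         "action": {"ingress": "drop"}}],
}


def first_match(nsf, packet):
    """(rule name, action) of the first matching rule of an NSF, or None."""
    for rule in NSF_POLICIES[nsf]:
        if rule_matches(rule, packet):
            return rule["name"], rule["action"]
    return None


def decide(front_nsf, packet):
    """Two-NSF chain of A.1 to A.3: the front NSF passes the packet or hands it
    to the advanced NSF named in its action, which then drops or passes it."""
    hit = first_match(front_nsf, packet)
    if hit is None:
        return "pass"
    action = hit[1]
    if "advanced" in action:
        adv = first_match(action["advanced"], packet)
        return adv[1]["ingress"] if adv else "pass"
    return action["ingress"]


# Constructed packets, not captured traffic; 198.51.100.7 is a documentation
# address standing in for an outside host.
OUTSIDE = "198.51.100.7"
PACKETS = {
    "employee_sns_business_hours": ("time-based-firewall", {
        "time": time(10, 30), "src_ipv4": "221.159.112.10", "url_category": "facebook"}),
    "employee_sns_after_hours": ("time-based-firewall", {
        "time": time(20, 0), "src_ipv4": "221.159.112.10", "url_category": "facebook"}),
    "employee_news_business_hours": ("time-based-firewall", {
        "time": time(10, 30), "src_ipv4": "221.159.112.10", "url_category": "news"}),
    "sip_from_blocked_caller": ("general-firewall", {
        "src_ipv4": OUTSIDE, "dst_ipv4": "221.159.112.20", "dst_port": 5060,
        "src_voice_id": "11111@voip.black.com"}),
    "sip_from_other_caller": ("general-firewall", {
        "src_ipv4": OUTSIDE, "dst_ipv4": "221.159.112.20", "dst_port": 5060,
        "src_voice_id": "user@voip.example.com"}),
    "https_flood_250_per_second": ("general-firewall", {
        "src_ipv4": OUTSIDE, "dst_ipv4": "221.159.112.95", "dst_port": 443, "rate": 250}),
    "https_50_per_second": ("general-firewall", {
        "src_ipv4": OUTSIDE, "dst_ipv4": "221.159.112.95", "dst_port": 443, "rate": 50}),
    "ssh_to_web_server": ("general-firewall", {
        "src_ipv4": OUTSIDE, "dst_ipv4": "221.159.112.95", "dst_port": 22}),
}


def demo():
    """Decision of the applicable NSF chain for each constructed packet."""
    return {name: decide(nsf, pkt) for name, (nsf, pkt) in PACKETS.items()}
```

   Note what the chain does not cover: a packet to the web server on
   port 22 never reaches the flood mitigation, and an employee packet
   after 18:00:00Z never reaches the URL filter, which is exactly the
   kind of gap an attacker who can read the policy (see Section 7) would
   look for.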
   [Figure 11 residue: the XML markup did not survive extraction. The
   element values that remain, in document order, are:
   flood_attack_mitigation, mitigate_http_and_https_flood_attack,
   221.159.112.95, 80, 443, http-and-https-flood.]

   Figure 11: Configuration XML for General Firewall to Mitigate HTTP
   and HTTPS Flood Attacks on a Company Web Server

   [Figure 12 residue: the XML markup did not survive extraction. The
   element values that remain, in document order, are:
   flood_attack_mitigation, mitigate_http_and_https_flood_attack, 100,
   drop.]

   Figure 12: Configuration XML for HTTP and HTTPS Flood Attack
   Mitigation to Mitigate HTTP and HTTPS Flood Attacks on a Company Web
   Server

   Figure 11 and Figure 12 show the configuration XML documents for the
   general firewall and the HTTP and HTTPS flood attack mitigation that
   mitigate HTTP and HTTPS flood attacks on a company web server. Two
   NSFs (a general firewall and an HTTP and HTTPS flood attack
   mitigation) are used because neither NSF alone can meet the
   requirement: the general firewall can select the web server traffic
   but cannot control the rate of HTTP and HTTPS packets, so it hands
   that traffic to the flood attack mitigation. The instances of the
   XML documents for the general firewall and the HTTP and HTTPS flood
   attack mitigation are as follows. Note that a detailed data model for
   the configuration of the advanced network security function (i.e.,
   the HTTP and HTTPS flood attack mitigation) is described in
   [draft-dong-i2nsf-asf-config].

   General Firewall

   1.  The name of the system policy is flood_attack_mitigation.

   2.  The name of the rule is mitigate_http_and_https_flood_attack.

   3.  The rule inspects the destination IPv4 address (i.e.,
       221.159.112.95) to select the packets coming into the company
       web server.

   4.  The rule inspects the port number (i.e., 80 and 443) to select
       HTTP and HTTPS packets.

   5.  If the packets match the conditions above, the general firewall
       sends the packets to the HTTP and HTTPS flood attack mitigation
       for additional inspection, because the general firewall cannot
       control the amount of HTTP and HTTPS packets.

   HTTP and HTTPS Flood Attack Mitigation

   1.  The name of the system policy is flood_attack_mitigation, the
       same policy name as in the general firewall.

   2.  The name of the rule is mitigate_http_and_https_flood_attack.

   3.  The rule fires when the rate of incoming HTTP and HTTPS packets
       reaches the configured alert rate (100 per second in the
       figure).

   4.  If the incoming packets match the conditions above, the packets
       are dropped.

Appendix B. Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-06

   The following changes are made from draft-ietf-i2nsf-nsf-facing-
   interface-dm-06:

   o  The version is revised according to the review comments from Acee
      Lindem, the YANG doctor reviewer.

Appendix C. Acknowledgments

   This work was supported by an Institute of Information &
   Communications Technology Planning & Evaluation (IITP) grant funded
   by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755,
   Cloud based Security Intelligence Technology Development for the
   Customized Security Service Provisioning).

Appendix D. Contributors

   This document is made by the group effort of the I2NSF working group.
   Many people actively contributed to this document.
   The following are considered co-authors:

   o  Hyoungshick Kim (Sungkyunkwan University)

   o  Daeyoung Hyun (Sungkyunkwan University)

   o  Dongjin Hong (Sungkyunkwan University)

   o  Liang Xia (Huawei)

   o  Tae-Jin Ahn (Korea Telecom)

   o  Se-Hui Lee (Korea Telecom)

Authors' Addresses

   Jinyong Tim Kim
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Jaehoon Paul Jeong
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax: +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI: http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon 34129
   Republic of Korea

   Phone: +82 42 860 6514
   EMail: pjs@etri.re.kr

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   EMail: linqiushi@huawei.com