I2NSF Working Group                                               J. Kim
Internet-Draft                                                  J. Jeong
Intended status: Standards Track                 Sungkyunkwan University
Expires: May 7, 2020                                             J. Park
                                                                    ETRI
                                                                S. Hares
                                                                  Q. Lin
                                                                  Huawei
                                                        November 4, 2019


     I2NSF Network Security Function-Facing Interface YANG Data Model
              draft-ietf-i2nsf-nsf-facing-interface-dm-08

Abstract

   This document defines a YANG data model for configuring security
   policy rules on Network Security Functions (NSF) in the Interface to
   Network Security Functions (I2NSF) framework.  The YANG data model in
   this document corresponds to the information model for NSF-Facing
   Interface in the I2NSF framework.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 7, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  YANG Tree Diagram
     4.1.  General I2NSF Security Policy Rule
     4.2.  Event Clause
     4.3.  Condition Clause
     4.4.  Action Clause
     4.5.  I2NSF Internet Key Exchange
   5.  YANG Data Module
     5.1.  I2NSF NSF-Facing Interface YANG Data Module
   6.  XML Configuration Examples of Low-Level Security Policy Rules
     6.1.  Security Requirement 1: Block SNS Access during Business
           Hours
     6.2.  Security Requirement 2: Block Malicious VoIP/VoLTE Packets
           Coming to a Company
     6.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood
           Attacks on a Company Web Server
   7.  Security Considerations
   8.  IANA Considerations
   9.  Acknowledgments
   10. Contributors
   11. References
     11.1.  Normative References
     11.2.  Informative References
   Appendix A.  Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-07
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020][RFC7950] data model for
   security policy rule configuration of Network Security Functions
   (NSF).  The YANG data model corresponds to the information model
   [draft-ietf-i2nsf-capability] for the NSF-Facing Interface in the
   Interface to Network Security Functions (I2NSF) framework.  The YANG
   data model in this document focuses on security policy configuration
   for generic network security functions.  Note that security policy
   configuration for advanced network security functions is defined in
   [draft-dong-i2nsf-asf-config].

   This YANG data model uses the "Event-Condition-Action" (ECA) policy
   model that is the basis for the design of I2NSF Policy described in
   [RFC8329] and [draft-ietf-i2nsf-capability].

   The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this
   document provides the following features:

   o  Configuration of general security policy rules for generic network
      security functions.

   o  Configuration of the event clause for generic network security
      functions.

   o  Configuration of the condition clause for generic network security
      functions.

   o  Configuration of the action clause for generic network security
      functions.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119][RFC8174].

3.  Terminology

   This document uses the terminology described in
   [draft-ietf-i2nsf-capability][RFC8431]
   [draft-ietf-supa-generic-policy-info-model].
   In particular, the following terms are from
   [draft-ietf-supa-generic-policy-info-model]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is
   defined in [RFC8340].

4.  YANG Tree Diagram

   This section shows a YANG tree diagram of generic network security
   functions.  Note that a detailed data model for the configuration of
   the advanced network security functions is described in
   [draft-dong-i2nsf-asf-config].  The section describes the following
   subjects:

   o  General I2NSF security policy rule of the generic network security
      function.

   o  An event clause of the generic network security function.

   o  A condition clause of the generic network security function.

   o  An action clause of the generic network security function.

4.1.  General I2NSF Security Policy Rule

   This section shows the YANG tree diagram for general I2NSF security
   policy rules.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  +--rw system-policy* [system-policy-name]
     |     +--rw system-policy-name          string
     |     +--rw priority-usage?             identityref
     |     +--rw resolution-strategy?        identityref
     |     +--rw default-action?             identityref
     |     +--rw rules* [rule-name]
     |     |  +--rw rule-name                   string
     |     |  +--rw rule-description?           string
     |     |  +--rw rule-priority?              uint8
     |     |  +--rw rule-enable?                boolean
     |     |  +--rw rule-session-aging-time?    uint16
     |     |  +--rw rule-long-connection
     |     |  |  +--rw enable?     boolean
     |     |  |  +--rw duration?   uint16
     |     |  +--rw time-intervals
     |     |  |  +--rw absolute-time-interval
     |     |  |  |  +--rw start-time?   start-time-type
     |     |  |  |  +--rw end-time?     end-time-type
     |     |  |  +--rw periodic-time-interval
     |     |  |     +--rw day
     |     |  |     |  +--rw every-day?        boolean
     |     |  |     |  +--rw specific-day*     day-type
     |     |  |     +--rw month
     |     |  |        +--rw every-month?      boolean
     |     |  |        +--rw specific-month*   month-type
     |     |  +--rw event-clause-container
     |     |  |     ...
     |     |  +--rw condition-clause-container
     |     |  |     ...
     |     |  +--rw action-clause-container
     |     |        ...
     |     +--rw rule-group
     |        +--rw groups* [group-name]
     |           +--rw group-name     string
     |           +--rw rule-range
     |           |  +--rw start-rule?   string
     |           |  +--rw end-rule?     string
     |           +--rw enable?        boolean
     |           +--rw description?   string
     +--rw i2nsf-ipsec?   identityref

          Figure 1: YANG Tree Diagram for Network Security Policy

   This YANG tree diagram shows the general I2NSF security policy rule
   for generic network security functions.

   The system policy provides for multiple system policies in one NSF,
   and each system policy is used by one virtual instance of the NSF/
   device.  The system policy includes system policy name, priority
   usage, resolution strategy, default action, and rules.

   A resolution strategy is used to decide how to resolve conflicts that
   occur between the actions of the same or different policy rules that
   are matched and contained in a particular NSF.  The resolution
   strategy is defined as First Matching Rule (FMR), Last Matching Rule
   (LMR), Prioritized Matching Rule (PMR) with Errors (PMRE), and
   Prioritized Matching Rule with No Errors (PMRN).  The resolution
   strategy can be extended according to specific vendor action
   features.  The resolution strategy is described in detail in
   [draft-ietf-i2nsf-capability].
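   As an added illustration (not code from this draft or the I2NSF
   project), the Python below evaluates a system policy's rules against a
   packet and applies the four resolution strategies named above, with
   the policy's default action used when no rule matches; it goes beyond
   this paragraph by modelling the rule conditions with the exact-match /
   range-match choice that the condition clause tree in Section 4.3
   defines.  Assumptions not stated on this page: a larger rule-priority
   wins, PMRE treats equal priorities among matching rules as an error,
   and PMRN breaks such ties in rule order; the rules and packets are
   constructed sample data.

```python
"""Added example: I2NSF-style rule matching and conflict resolution.

Rules are dicts shaped after the tree diagram.  Each condition leaf is
either {"exact-match": [...]} or {"range-match": [{"start", "end"}]},
mirroring the (match-type) choice.  Not code from the draft.
"""
import ipaddress
from typing import Any, Dict, List

# Condition leaf names from the tree diagram -> keys of our packet dict.
FIELD_OF = {
    "pkt-sec-ipv4-src": "src",
    "pkt-sec-ipv4-dest": "dst",
    "pkt-sec-ipv4-ttl": "ttl",
    "pkt-sec-tcp-src-port-num": "sport",
    "pkt-sec-tcp-dest-port-num": "dport",
}

# Constructed system policy: three rules, two of which share a priority
# (assumption: a larger rule-priority is the higher priority).
RULES: List[Dict[str, Any]] = [
    {"rule-name": "allow-web", "rule-priority": 10, "rule-enable": True,
     "condition": {"pkt-sec-tcp-dest-port-num": {"exact-match": [80, 443]}},
     "ingress-action": "pass"},
    {"rule-name": "drop-low-ttl", "rule-priority": 20, "rule-enable": True,
     "condition": {"pkt-sec-ipv4-ttl": {"range-match": [{"start": 0, "end": 5}]}},
     "ingress-action": "drop"},
    {"rule-name": "block-guest-net", "rule-priority": 20, "rule-enable": True,
     "condition": {"pkt-sec-ipv4-src": {"exact-match": [
         {"ipv4": "192.0.2.0", "prefix-length": 24}]}},
     "ingress-action": "drop"},
]

# Constructed packets using documentation-range addresses.
PKT_GUEST_LOW_TTL = {"src": "192.0.2.7", "dst": "203.0.113.1", "ttl": 3,
                     "sport": 50000, "dport": 443}
PKT_WEB = {"src": "198.51.100.9", "dst": "203.0.113.1", "ttl": 64,
           "sport": 50001, "dport": 80}
PKT_SSH = {"src": "198.51.100.9", "dst": "203.0.113.1", "ttl": 64,
           "sport": 50002, "dport": 22}


def _ordinal(value: Any) -> int:
    """Integers compare as-is; dotted-quad strings compare as IPv4 integers."""
    return int(ipaddress.ip_address(value)) if isinstance(value, str) else value


def field_matches(spec: Dict[str, Any], value: Any) -> bool:
    """Apply one (match-type) choice to a single packet field value."""
    if value is None:
        return False
    if "exact-match" in spec:
        for allowed in spec["exact-match"]:
            if isinstance(allowed, dict):  # ipv4-address entry with a subnet
                net = ipaddress.ip_network(
                    f"{allowed['ipv4']}/{allowed.get('prefix-length', 32)}",
                    strict=False)
                if ipaddress.ip_address(value) in net:
                    return True
            elif allowed == value:
                return True
        return False
    if "range-match" in spec:  # inclusive [start, end] intervals
        v = _ordinal(value)
        return any(_ordinal(r["start"]) <= v <= _ordinal(r["end"])
                   for r in spec["range-match"])
    return False  # no case of the choice configured: nothing matches


def rule_matches(rule: Dict[str, Any], pkt: Dict[str, Any]) -> bool:
    """A disabled rule never matches; otherwise every configured field must."""
    if not rule.get("rule-enable", True):
        return False
    return all(field_matches(spec, pkt.get(FIELD_OF[leaf]))
               for leaf, spec in rule["condition"].items())


class ResolutionError(Exception):
    """PMRE: two or more matching rules carry the same priority."""


def resolve(rules, pkt, strategy: str, default_action: str = "drop") -> str:
    """Pick the action for pkt under one resolution strategy."""
    matched = [r for r in rules if rule_matches(r, pkt)]
    if not matched:
        return default_action          # default-action of the system policy
    if strategy == "fmr":              # First Matching Rule
        return matched[0]["ingress-action"]
    if strategy == "lmr":              # Last Matching Rule
        return matched[-1]["ingress-action"]
    if strategy in ("pmre", "pmrn"):   # Prioritized Matching Rule
        top = max(r["rule-priority"] for r in matched)
        winners = [r for r in matched if r["rule-priority"] == top]
        if strategy == "pmre" and len(winners) > 1:
            raise ResolutionError(
                "same priority: " + ", ".join(r["rule-name"] for r in winners))
        return winners[0]["ingress-action"]  # PMRN: earlier rule wins the tie
    raise ValueError(f"unknown resolution strategy {strategy!r}")


def pmre_or_error(rules, pkt) -> str:
    """PMRE with its conflict surfaced as the value 'error'."""
    try:
        return resolve(rules, pkt, "pmre")
    except ResolutionError:
        return "error"


if __name__ == "__main__":
    for name, pkt in [("guest/low-ttl", PKT_GUEST_LOW_TTL),
                      ("web", PKT_WEB), ("ssh", PKT_SSH)]:
        print(name, {s: resolve(RULES, pkt, s) for s in ("fmr", "lmr", "pmrn")},
              "pmre:", pmre_or_error(RULES, pkt))
```

   The first packet matches all three rules, so the chosen action
   differs by strategy (pass under FMR, drop under LMR and PMRN, an
   error under PMRE); the SSH packet matches nothing and receives the
   default action.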
   A default action is used to execute the I2NSF policy rule when no
   rule matches a packet.  The default action is defined as pass, drop,
   reject, alert, and mirror.  The default action can be extended
   according to specific vendor action features.  The default action is
   described in detail in [draft-ietf-i2nsf-capability].

   The rules include rule name, rule description, rule priority, rule
   enable, time zone, event clause container, condition clause
   container, and action clause container.

4.2.  Event Clause

   This section shows the YANG tree diagram for an event clause for
   I2NSF security policy rules.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  +--rw system-policy* [system-policy-name]
     |     ...
     |     +--rw rules* [rule-name]
     |     |  ...
     |     |  +--rw event-clause-container
     |     |  |  +--rw event-clause-description?   string
     |     |  |  +--rw event-clauses
     |     |  |     +--rw system-event*   identityref
     |     |  |     +--rw system-alarm*   identityref
     |     |  +--rw condition-clause-container
     |     |  |     ...
     |     |  +--rw action-clause-container
     |     |        ...
     |     +--rw rule-group
     |        ...
     +--rw i2nsf-ipsec?   identityref

             Figure 2: YANG Tree Diagram for an Event Clause

   This YANG tree diagram shows an event clause of an I2NSF security
   policy rule for generic network security functions.  An event clause
   is any important occurrence at a specific time of a change in the
   system being managed, and/or in the environment of the system being
   managed.  An event clause is used to trigger the evaluation of the
   condition clause of the I2NSF Policy Rule.  The event clause is
   defined as a system event and system alarm.  The event clause can be
   extended according to specific vendor event features.  The event
   clause is described in detail in [draft-ietf-i2nsf-capability].

4.3.  Condition Clause

   This section shows the YANG tree diagram for a condition clause of
   I2NSF security policy rules.
   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  ...
     |     +--rw rules* [rule-name]
     |     |  ...
     |     |  +--rw event-clause-container
     |     |  |     ...
     |     |  +--rw condition-clause-container
     |     |  |  +--rw condition-clause-description?   string
     |     |  |  +--rw packet-security-ipv4-condition
     |     |  |  |  +--rw ipv4-description?   string
     |     |  |  |  +--rw pkt-sec-ipv4-header-length
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-header-length*   uint8
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-header-length*
     |     |  |  |  |               [start-ipv4-header-length end-ipv4-header-length]
     |     |  |  |  |           +--rw start-ipv4-header-length   uint8
     |     |  |  |  |           +--rw end-ipv4-header-length     uint8
     |     |  |  |  +--rw pkt-sec-ipv4-tos*   identityref
     |     |  |  |  +--rw pkt-sec-ipv4-total-length
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-total-length*   uint16
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-total-length*
     |     |  |  |  |               [start-ipv4-total-length end-ipv4-total-length]
     |     |  |  |  |           +--rw start-ipv4-total-length   uint16
     |     |  |  |  |           +--rw end-ipv4-total-length     uint16
     |     |  |  |  +--rw pkt-sec-ipv4-id*   uint16
     |     |  |  |  +--rw pkt-sec-ipv4-fragment-flags*   identityref
     |     |  |  |  +--rw pkt-sec-ipv4-fragment-offset
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-fragment-offset*   uint16
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-fragment-offset*
     |     |  |  |  |               [start-ipv4-fragment-offset end-ipv4-fragment-offset]
     |     |  |  |  |           +--rw start-ipv4-fragment-offset   uint16
     |     |  |  |  |           +--rw end-ipv4-fragment-offset     uint16
     |     |  |  |  +--rw pkt-sec-ipv4-ttl
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-ttl*   uint8
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-ttl*
     |     |  |  |  |               [start-ipv4-ttl end-ipv4-ttl]
     |     |  |  |  |           +--rw start-ipv4-ttl   uint8
     |     |  |  |  |           +--rw end-ipv4-ttl     uint8
     |     |  |  |  +--rw pkt-sec-ipv4-protocol*   identityref
     |     |  |  |  +--rw pkt-sec-ipv4-src
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-address* [ipv4]
     |     |  |  |  |     |     +--rw ipv4             inet:ipv4-address
     |     |  |  |  |     |     +--rw (subnet)?
     |     |  |  |  |     |        +--:(prefix-length)
     |     |  |  |  |     |        |  +--rw prefix-length?   uint8
     |     |  |  |  |     |        +--:(netmask)
     |     |  |  |  |     |           +--rw netmask?         yang:dotted-quad
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-address*
     |     |  |  |  |               [start-ipv4-address end-ipv4-address]
     |     |  |  |  |           +--rw start-ipv4-address   inet:ipv4-address
     |     |  |  |  |           +--rw end-ipv4-address     inet:ipv4-address
     |     |  |  |  +--rw pkt-sec-ipv4-dest
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv4-address* [ipv4]
     |     |  |  |  |     |     +--rw ipv4             inet:ipv4-address
     |     |  |  |  |     |     +--rw (subnet)?
     |     |  |  |  |     |        +--:(prefix-length)
     |     |  |  |  |     |        |  +--rw prefix-length?   uint8
     |     |  |  |  |     |        +--:(netmask)
     |     |  |  |  |     |           +--rw netmask?         yang:dotted-quad
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv4-address*
     |     |  |  |  |               [start-ipv4-address end-ipv4-address]
     |     |  |  |  |           +--rw start-ipv4-address   inet:ipv4-address
     |     |  |  |  |           +--rw end-ipv4-address     inet:ipv4-address
     |     |  |  |  +--rw pkt-sec-ipv4-ipopts*   identityref
     |     |  |  |  +--rw pkt-sec-ipv4-sameip?   boolean
     |     |  |  |  +--rw pkt-sec-ipv4-geoip*    string
     |     |  |  +--rw packet-security-ipv6-condition
     |     |  |  |  +--rw ipv6-description?   string
     |     |  |  |  +--rw pkt-sec-ipv6-traffic-class*   identityref
     |     |  |  |  +--rw pkt-sec-ipv6-flow-label
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv6-flow-label*   uint32
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv6-flow-label*
     |     |  |  |  |               [start-ipv6-flow-label end-ipv6-flow-label]
     |     |  |  |  |           +--rw start-ipv6-flow-label   uint32
     |     |  |  |  |           +--rw end-ipv6-flow-label     uint32
     |     |  |  |  +--rw pkt-sec-ipv6-payload-length
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv6-payload-length*   uint16
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv6-payload-length*
     |     |  |  |  |               [start-ipv6-payload-length end-ipv6-payload-length]
     |     |  |  |  |           +--rw start-ipv6-payload-length   uint16
     |     |  |  |  |           +--rw end-ipv6-payload-length     uint16
     |     |  |  |  +--rw pkt-sec-ipv6-next-header*   identityref
     |     |  |  |  +--rw pkt-sec-ipv6-hop-limit
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv6-hop-limit*   uint8
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv6-hop-limit*
     |     |  |  |  |               [start-ipv6-hop-limit end-ipv6-hop-limit]
     |     |  |  |  |           +--rw start-ipv6-hop-limit   uint8
     |     |  |  |  |           +--rw end-ipv6-hop-limit     uint8
     |     |  |  |  +--rw pkt-sec-ipv6-src
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw ipv6-address* [ipv6]
     |     |  |  |  |     |     +--rw ipv6             inet:ipv6-address
     |     |  |  |  |     |     +--rw prefix-length?   uint8
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-ipv6-address*
     |     |  |  |  |               [start-ipv6-address end-ipv6-address]
     |     |  |  |  |           +--rw start-ipv6-address   inet:ipv6-address
     |     |  |  |  |           +--rw end-ipv6-address     inet:ipv6-address
     |     |  |  |  +--rw pkt-sec-ipv6-dest
     |     |  |  |     +--rw (match-type)?
     |     |  |  |        +--:(exact-match)
     |     |  |  |        |  +--rw ipv6-address* [ipv6]
     |     |  |  |        |     +--rw ipv6             inet:ipv6-address
     |     |  |  |        |     +--rw prefix-length?   uint8
     |     |  |  |        +--:(range-match)
     |     |  |  |           +--rw range-ipv6-address*
     |     |  |  |                  [start-ipv6-address end-ipv6-address]
     |     |  |  |              +--rw start-ipv6-address   inet:ipv6-address
     |     |  |  |              +--rw end-ipv6-address     inet:ipv6-address
     |     |  |  +--rw packet-security-tcp-condition
     |     |  |  |  +--rw tcp-description?   string
     |     |  |  |  +--rw pkt-sec-tcp-src-port-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw port-num*   inet:port-number
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-port-num*
     |     |  |  |  |               [start-port-num end-port-num]
     |     |  |  |  |           +--rw start-port-num   inet:port-number
     |     |  |  |  |           +--rw end-port-num     inet:port-number
     |     |  |  |  +--rw pkt-sec-tcp-dest-port-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw port-num*   inet:port-number
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-port-num*
     |     |  |  |  |               [start-port-num end-port-num]
     |     |  |  |  |           +--rw start-port-num   inet:port-number
     |     |  |  |  |           +--rw end-port-num     inet:port-number
     |     |  |  |  +--rw pkt-sec-tcp-seq-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw tcp-seq-num*   uint32
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-tcp-seq-num*
     |     |  |  |  |               [start-tcp-seq-num end-tcp-seq-num]
     |     |  |  |  |           +--rw start-tcp-seq-num   uint32
     |     |  |  |  |           +--rw end-tcp-seq-num     uint32
     |     |  |  |  +--rw pkt-sec-tcp-ack-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw tcp-ack-num*   uint32
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-tcp-ack-num*
     |     |  |  |  |               [start-tcp-ack-num end-tcp-ack-num]
     |     |  |  |  |           +--rw start-tcp-ack-num   uint32
     |     |  |  |  |           +--rw end-tcp-ack-num     uint32
     |     |  |  |  +--rw pkt-sec-tcp-window-size
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw tcp-window-size*   uint16
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-tcp-window-size*
     |     |  |  |  |               [start-tcp-window-size end-tcp-window-size]
     |     |  |  |  |           +--rw start-tcp-window-size   uint16
     |     |  |  |  |           +--rw end-tcp-window-size     uint16
     |     |  |  |  +--rw pkt-sec-tcp-flags*   identityref
     |     |  |  +--rw packet-security-udp-condition
     |     |  |  |  +--rw udp-description?   string
     |     |  |  |  +--rw pkt-sec-udp-src-port-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw port-num*   inet:port-number
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-port-num*
     |     |  |  |  |               [start-port-num end-port-num]
     |     |  |  |  |           +--rw start-port-num   inet:port-number
     |     |  |  |  |           +--rw end-port-num     inet:port-number
     |     |  |  |  +--rw pkt-sec-udp-dest-port-num
     |     |  |  |  |  +--rw (match-type)?
     |     |  |  |  |     +--:(exact-match)
     |     |  |  |  |     |  +--rw port-num*   inet:port-number
     |     |  |  |  |     +--:(range-match)
     |     |  |  |  |        +--rw range-port-num*
     |     |  |  |  |               [start-port-num end-port-num]
     |     |  |  |  |           +--rw start-port-num   inet:port-number
     |     |  |  |  |           +--rw end-port-num     inet:port-number
     |     |  |  |  +--rw pkt-sec-udp-total-length
     |     |  |  |     +--rw (match-type)?
     |     |  |  |        +--:(exact-match)
     |     |  |  |        |  +--rw udp-total-length*   uint32
     |     |  |  |        +--:(range-match)
     |     |  |  |           +--rw range-udp-total-length*
     |     |  |  |                  [start-udp-total-length end-udp-total-length]
     |     |  |  |              +--rw start-udp-total-length   uint32
     |     |  |  |              +--rw end-udp-total-length     uint32
     |     |  |  +--rw packet-security-icmp-condition
     |     |  |  |  +--rw icmp-description?   string
     |     |  |  |  +--rw pkt-sec-icmp-type-and-code*   identityref
     |     |  |  +--rw packet-security-url-category-condition
     |     |  |  |  +--rw url-category-description?   string
     |     |  |  |  +--rw pre-defined-category*       string
     |     |  |  |  +--rw user-defined-category*      string
     |     |  |  +--rw packet-security-voice-condition
     |     |  |  |  +--rw voice-description?       string
     |     |  |  |  +--rw pkt-sec-src-voice-id*    string
     |     |  |  |  +--rw pkt-sec-dest-voice-id*   string
     |     |  |  |  +--rw pkt-sec-user-agent*      string
     |     |  |  +--rw packet-security-ddos-condition
     |     |  |  |  +--rw ddos-description?    string
     |     |  |  |  +--rw pkt-sec-alert-rate?  uint32
     |     |  |  +--rw packet-security-payload-condition
     |     |  |  |  +--rw packet-payload-description?   string
     |     |  |  |  +--rw pkt-payload-content*          string
     |     |  |  +--rw context-condition
     |     |  |     +--rw context-description?   string
     |     |  |     +--rw application-condition
     |     |  |     |  +--rw application-description?   string
     |     |  |     |  +--rw application-object*        string
     |     |  |     |  +--rw application-group*         string
     |     |  |     |  +--rw application-label*         string
     |     |  |     |  +--rw category
     |     |  |     |     +--rw application-category*
     |     |  |     |            [name application-subcategory]
     |     |  |     |        +--rw name                      string
     |     |  |     |        +--rw application-subcategory   string
     |     |  |     +--rw target-condition
     |     |  |     |  +--rw target-description?   string
     |     |  |     |  +--rw device-sec-context-cond
     |     |  |     |     +--rw target-device*   identityref
     |     |  |     +--rw users-condition
     |     |  |     |  +--rw users-description?   string
     |     |  |     |  +--rw user
     |     |  |     |  |  +--rw (user-name)?
     |     |  |     |  |     +--:(tenant)
     |     |  |     |  |     |  +--rw tenant   uint8
     |     |  |     |  |     +--:(vn-id)
     |     |  |     |  |        +--rw vn-id    uint8
     |     |  |     |  +--rw group
     |     |  |     |  |  +--rw (group-name)?
     |     |  |     |  |     +--:(tenant)
     |     |  |     |  |     |  +--rw tenant   uint8
     |     |  |     |  |     +--:(vn-id)
     |     |  |     |  |        +--rw vn-id    uint8
     |     |  |     |  +--rw security-group   string
     |     |  |     +--rw gen-context-condition
     |     |  |        +--rw gen-context-description?   string
     |     |  |        +--rw geographic-location
     |     |  |           +--rw src-geographic-location*    uint32
     |     |  |           +--rw dest-geographic-location*   uint32
     |     |  +--rw action-clause-container
     |     |        ...
     |     +--rw rule-group
     |        ...
     +--rw i2nsf-ipsec?   identityref

           Figure 3: YANG Tree Diagram for a Condition Clause

   This YANG tree diagram shows a condition clause for an I2NSF security
   policy rule for generic network security functions.  A condition
   clause is defined as a set of attributes, features, and/or values
   that are to be compared with a set of known attributes, features,
   and/or values in order to determine whether or not the set of actions
   in that (imperative) I2NSF policy rule can be executed.  A condition
   clause is classified as a condition of generic network security
   functions, advanced network security functions, or context.  A
   condition clause of generic network security functions is defined as
   packet security IPv4 condition, packet security IPv6 condition,
   packet security TCP condition, and packet security ICMP condition.  A
   condition clause of advanced network security functions is defined as
   packet security URL category condition, packet security voice
   condition, packet security DDoS condition, or packet security payload
   condition.  A condition clause of context is defined as ACL number
   condition, application condition, target condition, user condition,
   and geography condition.  Note that this document deals only with
   simple conditions of advanced network security functions.  The
   condition clauses of advanced network security functions are
   described in detail in [draft-dong-i2nsf-asf-config].  A condition
   clause can be extended according to specific vendor condition
   features.  A condition clause is described in detail in
   [draft-ietf-i2nsf-capability].

4.4.  Action Clause

   This section shows the YANG tree diagram for an action clause of an
   I2NSF security policy rule.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  ...
     |     +--rw rules* [rule-name]
     |     |  ...
     |     |  +--rw event-clause-container
     |     |  |     ...
     |     |  +--rw condition-clause-container
     |     |  |     ...
     |     |  +--rw action-clause-container
     |     |     +--rw action-clause-description?   string
     |     |     +--rw packet-action
     |     |     |  +--rw ingress-action?   identityref
     |     |     |  +--rw egress-action?    identityref
     |     |     |  +--rw log-action?       identityref
     |     |     +--rw advanced-action
     |     |        +--rw content-security-control*    identityref
     |     |        +--rw attack-mitigation-control*   identityref
     |     +--rw rule-group
     |        ...
     +--rw i2nsf-ipsec?   identityref

             Figure 4: YANG Tree Diagram for an Action Clause

   This YANG tree diagram shows an action clause of an I2NSF security
   policy rule for generic network security functions.  An action is
   used to control and monitor aspects of flow-based NSFs when the
   policy rule event and condition clauses are satisfied.  NSFs provide
   security services by executing various actions.  The action clause is
   defined as ingress action, egress action, or log action for packet
   action, and advanced action for additional inspection.  The action
   clause can be extended according to specific vendor action features.
   The action clause is described in detail in
   [draft-ietf-i2nsf-capability].

4.5.  I2NSF Internet Key Exchange

   This section shows the YANG tree diagram for an I2NSF IPsec.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
     |  ...
     |     +--rw rules* [rule-name]
     |     |  ...
     |     |  +--rw event-clause-container
     |     |  |     ...
     |     |  +--rw condition-clause-container
     |     |  |     ...
     |     |  +--rw action-clause-container
     |     |        ...
     |     +--rw rule-group
     |        ...
     +--rw i2nsf-ipsec?   identityref

         Figure 5: YANG Tree Diagram for I2NSF Internet Key Exchange

   This YANG tree diagram shows an I2NSF IPsec specification for an
   Internet Key Exchange (IKE).
   An I2NSF IPsec specification is used to define a method required to
   manage IPsec parameters for creating IPsec Security Associations
   (SAs) between two NSFs through either the IKEv2 protocol or the
   Security Controller [draft-ietf-i2nsf-sdn-ipsec-flow-protection].
   I2NSF IPsec considers two cases, the IKE case (i.e., IPsec through
   IKE) and the IKE-less case (i.e., IPsec not through IKE, but through
   a Security Controller).  Refer to
   [draft-ietf-i2nsf-sdn-ipsec-flow-protection] for the detailed
   description of the I2NSF IPsec.

5.  YANG Data Module

5.1.  I2NSF NSF-Facing Interface YANG Data Module

   This section contains a YANG data module for configuration of
   security policy rules on network security functions.

   <CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2019-11-04.yang"

   module ietf-i2nsf-policy-rule-for-nsf {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
     prefix
       nsfintf;

     import ietf-inet-types{
       prefix inet;
       reference "RFC 6991";
     }
     import ietf-yang-types{
       prefix yang;
       reference "RFC 6991";
     }
     import ietf-key-chain{
       prefix key-chain;
       reference "RFC 8177";
     }

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Linda Dunbar

        WG Chair: Yoav Nir

        Editor: Jingyong Tim Kim

        Editor: Jaehoon Paul Jeong

        Editor: Susan Hares
       ";

     description
       "This module defines a YANG data module for the Network Security
        Functions (NSF) facing interface.

        Copyright (c) 2019 IETF Trust and the persons
        identified as authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision "2019-11-04"{
       description "The latest revision.";
       reference
         "RFC XXXX: I2NSF Network Security Function-Facing Interface
          YANG Data Model";
     }

     /*
      * Identities
      */

     identity priority-usage-type {
       description
         "Base identity for priority usage type.";
     }

     identity priority-by-order {
       base priority-usage-type;
       description
         "Identity for priority by order";
     }

     identity priority-by-number {
       base priority-usage-type;
       description
         "Identity for priority by number";
     }

     identity event {
       description
         "Base identity for policy events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-02
          - Event";
     }

     identity system-event {
       base event;
       description
         "Identity for system events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-02
          - System event";
     }

     identity system-alarm {
       base event;
       description
         "Identity for system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-02
          - System alarm";
     }

     identity access-violation {
       base system-event;
       description
         "Identity for access violation
          system events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-02
          - System event";
     }

     identity configuration-change {
       base system-event;
       description
         "Identity for configuration change
          system events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-02
          - System event";
     }

     identity memory-alarm {
       base system-alarm;
       description
         "Identity for memory alarm
          system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-02
          - System alarm";
     }

     identity cpu-alarm {
       base system-alarm;
       description
         "Identity for CPU alarm
          system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-02
          - System alarm";
     }

     identity disk-alarm {
       base system-alarm;
       description
         "Identity for disk alarm
          system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-02
          - System alarm";
     }

     identity hardware-alarm {
       base system-alarm;
       description
         "Identity for hardware alarm
          system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-02
          - System alarm";
     }

     identity interface-alarm {
       base system-alarm;
       description
         "Identity for interface alarm
          system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-02
          - System alarm";
     }

     identity type-of-service {
       description
         "Base identity for type of service of IPv4";
       reference
         "RFC 791: Internet Protocol - Type of Service";
     }

     identity traffic-class {
       description
         "Base identity for traffic-class of IPv6";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity normal {
       base type-of-service;
       base traffic-class;
       description
         "Identity for normal IPv4 TOS and IPv6 Traffic Class";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity minimize-cost {
       base type-of-service;
       base traffic-class;
       description
         "Identity for 'minimize monetary cost' IPv4 TOS and
          IPv6 Traffic Class";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity maximize-reliability {
       base type-of-service;
       base traffic-class;
       description
         "Identity for 'maximize reliability' IPv4 TOS and
          IPv6 Traffic Class";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity maximize-throughput {
       base type-of-service;
       base traffic-class;
       description
         "Identity for 'maximize throughput' IPv4 TOS and
          IPv6 Traffic Class";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity minimize-delay {
       base type-of-service;
       base traffic-class;
       description
         "Identity for 'minimize delay' IPv4 TOS and
          IPv6 Traffic Class";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity maximize-security {
       base type-of-service;
       base traffic-class;
       description
         "Identity for 'maximize security' IPv4 TOS and
          IPv6 Traffic Class";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity fragmentation-flags-type {
       description
         "Base identity for fragmentation flags type";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity fragment {
       base fragmentation-flags-type;
       description
         "Identity for 'More fragment' flag";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity no-fragment {
       base fragmentation-flags-type;
       description
         "Identity for 'Do not fragment' flag";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }
     identity reserved {
       base fragmentation-flags-type;
description 961 "Identity for reserved flags"; 962 reference 963 "RFC 791: Internet Protocol - Fragmentation Flags"; 964 } 966 identity protocol { 967 description 968 "Base identity for protocol of IPv4"; 969 reference 970 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 971 On-line Database 972 RFC 791: Internet Protocol - Protocol"; 973 } 975 identity next-header { 976 description 977 "Base identity for IPv6 next header"; 978 reference 979 "RFC 8200: Internet Protocol, Version 6 (IPv6) 980 Specification - Next Header"; 981 } 983 identity icmp { 984 base protocol; 985 base next-header; 986 description 987 "Identity for ICMP IPv4 protocol and 988 IPv6 nett header"; 989 reference 990 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 991 On-line Database 992 RFC 791: Internet Protocol - Protocol 993 RFC 8200: Internet Protocol, Version 6 (IPv6) 994 Specification - Next Header"; 995 } 997 identity igmp { 998 base protocol; 999 base next-header; 1000 description 1001 "Identity for IGMP IPv4 protocol and 1002 IPv6 next header"; 1003 reference 1004 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 1005 On-line Database 1007 RFC 791: Internet Protocol - Protocol 1008 RFC 8200: Internet Protocol, Version 6 (IPv6) 1009 Specification - Next Header"; 1010 } 1012 identity tcp { 1013 base protocol; 1014 base next-header; 1015 description 1016 "Identity for TCP protocol"; 1017 reference 1018 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 1019 On-line Database 1020 RFC 791: Internet Protocol - Protocol 1021 RFC 8200: Internet Protocol, Version 6 (IPv6) 1022 Specification - Next Header"; 1023 } 1025 identity igrp { 1026 base protocol; 1027 base next-header; 1028 description 1029 "Identity for IGRP IPv4 protocol 1030 and IPv6 next header"; 1031 reference 1032 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 1033 On-line Database 1034 RFC 791: Internet Protocol - Protocol 1035 RFC 8200: Internet Protocol, Version 6 (IPv6) 1036 Specification - Next 
Header"; 1037 } 1039 identity udp { 1040 base protocol; 1041 base next-header; 1042 description 1043 "Identity for UDP IPv4 protocol 1044 and IPv6 next header"; 1045 reference 1046 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 1047 On-line Database 1048 RFC 791: Internet Protocol - Protocol 1049 RFC 8200: Internet Protocol, Version 6 (IPv6) 1050 Specification - Next Header"; 1051 } 1053 identity gre { 1054 base protocol; 1055 base next-header; 1056 description 1057 "Identity for GRE IPv4 protocol 1058 and IPv6 next header"; 1059 reference 1060 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 1061 On-line Database 1062 RFC 791: Internet Protocol - Protocol 1063 RFC 8200: Internet Protocol, Version 6 (IPv6) 1064 Specification - Next Header"; 1065 } 1067 identity esp { 1068 base protocol; 1069 base next-header; 1070 description 1071 "Identity for ESP IPv4 protocol 1072 and IPv6 next header"; 1073 reference 1074 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 1075 On-line Database 1076 RFC 791: Internet Protocol - Protocol 1077 RFC 8200: Internet Protocol, Version 6 (IPv6) 1078 Specification - Next Header"; 1079 } 1081 identity ah { 1082 base protocol; 1083 base next-header; 1084 description 1085 "Identity for AH IPv4 protocol 1086 and IPv6 next header"; 1087 reference 1088 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 1089 On-line Database 1090 RFC 791: Internet Protocol - Protocol 1091 RFC 8200: Internet Protocol, Version 6 (IPv6) 1092 Specification - Next Header"; 1093 } 1095 identity mobile { 1096 base protocol; 1097 base next-header; 1098 description 1099 "Identity for mobile IPv4 protocol 1100 and IPv6 next header"; 1101 reference 1102 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 1103 On-line Database 1104 RFC 791: Internet Protocol - Protocol 1105 RFC 8200: Internet Protocol, Version 6 (IPv6) 1106 Specification - Next Header"; 1107 } 1109 identity tlsp { 1110 base protocol; 1111 base next-header; 1112 description 
1113 "Identity for TLSP IPv4 protocol 1114 and IPv6 next header"; 1115 reference 1116 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 1117 On-line Database 1118 RFC 791: Internet Protocol - Protocol 1119 RFC 8200: Internet Protocol, Version 6 (IPv6) 1120 Specification - Next Header"; 1121 } 1123 identity skip { 1124 base protocol; 1125 base next-header; 1126 description 1127 "Identity for skip IPv4 protocol 1128 and IPv6 next header"; 1129 reference 1130 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 1131 On-line Database 1132 RFC 791: Internet Protocol - Protocol 1133 RFC 8200: Internet Protocol, Version 6 (IPv6) 1134 Specification - Next Header"; 1135 } 1137 identity ipv6-icmp { 1138 base protocol; 1139 base next-header; 1140 description 1141 "Identity for IPv6 ICMP next header"; 1142 reference 1143 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 1144 On-line Database 1145 RFC 4443: Internet Control Message Protocol (ICMPv6) 1146 for the Internet Protocol Version 6 (IPv6) Specification 1147 RFC 8200: Internet Protocol, Version 6 (IPv6) 1148 Specification - Next Header"; 1149 } 1150 identity eigrp { 1151 base protocol; 1152 base next-header; 1153 description 1154 "Identity for EIGRP IPv4 protocol 1155 and IPv6 next header"; 1156 reference 1157 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 1158 On-line Database 1159 RFC 791: Internet Protocol - Protocol 1160 RFC 8200: Internet Protocol, Version 6 (IPv6) 1161 Specification - Next Header"; 1162 } 1164 identity ospf { 1165 base protocol; 1166 base next-header; 1167 description 1168 "Identity for OSPF IPv4 protocol 1169 and IPv6 next header"; 1170 reference 1171 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 1172 On-line Database 1173 RFC 791: Internet Protocol - Protocol 1174 RFC 8200: Internet Protocol, Version 6 (IPv6) 1175 Specification - Next Header"; 1176 } 1178 identity l2tp { 1179 base protocol; 1180 base next-header; 1181 description 1182 "Identity for L2TP IPv4 
protocol 1183 and IPv6 next header"; 1184 reference 1185 "RFC 3232: Assigned Numbers: RFC 1700 is Replaced by an 1186 On-line Database 1187 RFC 791: Internet Protocol - Protocol 1188 RFC 8200: Internet Protocol, Version 6 (IPv6) 1189 Specification - Next Header"; 1190 } 1192 identity ipopts { 1193 description 1194 "Base identity for IP options"; 1195 reference 1196 "RFC 791: Internet Protocol - Options"; 1198 } 1200 identity rr { 1201 base ipopts; 1202 description 1203 "Identity for 'Record Route' IP Option"; 1204 reference 1205 "RFC 791: Internet Protocol - Options"; 1206 } 1208 identity eol { 1209 base ipopts; 1210 description 1211 "Identity for 'End of List' IP Option"; 1212 reference 1213 "RFC 791: Internet Protocol - Options"; 1214 } 1216 identity nop { 1217 base ipopts; 1218 description 1219 "Identity for 'No Operation' IP Option"; 1220 reference 1221 "RFC 791: Internet Protocol - Options"; 1222 } 1224 identity ts { 1225 base ipopts; 1226 description 1227 "Identity for 'Timestamp' IP Option"; 1228 reference 1229 "RFC 791: Internet Protocol - Options"; 1230 } 1232 identity sec { 1233 base ipopts; 1234 description 1235 "Identity for 'IP security' IP Option"; 1236 reference 1237 "RFC 791: Internet Protocol - Options"; 1238 } 1240 identity esec { 1241 base ipopts; 1242 description 1243 "Identity for 'IP extended security' IP Option"; 1244 reference 1245 "RFC 791: Internet Protocol - Options"; 1247 } 1249 identity lsrr { 1250 base ipopts; 1251 description 1252 "Identity for 'Loose Source Routing' IP Option"; 1253 reference 1254 "RFC 791: Internet Protocol - Options"; 1255 } 1257 identity ssrr { 1258 base ipopts; 1259 description 1260 "Identity for 'Strict Source Routing' IP Option"; 1261 reference 1262 "RFC 791: Internet Protocol - Options"; 1263 } 1265 identity satid { 1266 base ipopts; 1267 description 1268 "Identity for 'Stream Identifier' IP Option"; 1269 reference 1270 "RFC 791: Internet Protocol - Options"; 1271 } 1273 identity any { 1274 base ipopts; 1275 
description 1276 "Identity for 'any IP options 1277 included in IPv4 packet"; 1278 reference 1279 "RFC 791: Internet Protocol - Options"; 1280 } 1282 identity tcp-flags { 1283 description 1284 "Base identity for TCP flags"; 1285 reference 1286 "RFC 793: Transmission Control Protocol - Flags"; 1287 } 1289 identity cwr { 1290 base tcp-flags; 1291 description 1292 "Identity for 'Congestion Window Reduced' TCP flag"; 1293 reference 1294 "RFC 793: Transmission Control Protocol - Flags"; 1296 } 1298 identity ecn { 1299 base tcp-flags; 1300 description 1301 "Identity for 'Explicit Congestion Notification' 1302 TCP flag"; 1303 reference 1304 "RFC 793: Transmission Control Protocol - Flags"; 1305 } 1307 identity urg { 1308 base tcp-flags; 1309 description 1310 "Identity for 'Urgent' TCP flag"; 1311 reference 1312 "RFC 793: Transmission Control Protocol - Flags"; 1313 } 1315 identity ack { 1316 base tcp-flags; 1317 description 1318 "Identity for 'acknowledgement' TCP flag"; 1319 reference 1320 "RFC 793: Transmission Control Protocol - Flags"; 1321 } 1323 identity psh { 1324 base tcp-flags; 1325 description 1326 "Identity for 'Push' TCP flag"; 1327 reference 1328 "RFC 793: Transmission Control Protocol - Flags"; 1329 } 1331 identity rst { 1332 base tcp-flags; 1333 description 1334 "Identity for 'Reset' TCP flag"; 1335 reference 1336 "RFC 793: Transmission Control Protocol - Flags"; 1337 } 1339 identity syn { 1340 base tcp-flags; 1341 description 1342 "Identity for 'Synchronize' TCP flag"; 1343 reference 1344 "RFC 793: Transmission Control Protocol - Flags"; 1345 } 1347 identity fin { 1348 base tcp-flags; 1349 description 1350 "Identity for 'Finish' TCP flag"; 1351 reference 1352 "RFC 793: Transmission Control Protocol - Flags"; 1353 } 1355 identity icmp-type { 1356 description 1357 "Base identity for ICMP Message types"; 1358 reference 1359 "RFC 792: Internet Control Message Protocol"; 1360 } 1362 identity echo-reply { 1363 base icmp-type; 1364 description 1365 "Identity for 
'Echo Reply' ICMP message type"; 1366 reference 1367 "RFC 792: Internet Control Message Protocol"; 1368 } 1370 identity destination-unreachable { 1371 base icmp-type; 1372 description 1373 "Identity for 'Destination Unreachable' 1374 ICMP message type"; 1375 reference 1376 "RFC 792: Internet Control Message Protocol"; 1377 } 1379 identity redirect { 1380 base icmp-type; 1381 description 1382 "Identity for 'Redirect' ICMP message type"; 1383 reference 1384 "RFC 792: Internet Control Message Protocol"; 1385 } 1387 identity echo { 1388 base icmp-type; 1389 description 1390 "Identity for 'Echo' ICMP message type"; 1392 reference 1393 "RFC 792: Internet Control Message Protocol"; 1394 } 1396 identity router-advertisement { 1397 base icmp-type; 1398 description 1399 "Identity for 'Router Advertisement' 1400 ICMP message type"; 1401 reference 1402 "RFC 792: Internet Control Message Protocol"; 1403 } 1405 identity router-solicitation { 1406 base icmp-type; 1407 description 1408 "Identity for 'Router Solicitation' 1409 ICMP message type"; 1410 reference 1411 "RFC 792: Internet Control Message Protocol"; 1412 } 1414 identity time-exceeded { 1415 base icmp-type; 1416 description 1417 "Identity for 'Time exceeded' ICMP message type"; 1418 reference 1419 "RFC 792: Internet Control Message Protocol"; 1420 } 1422 identity parameter-problem { 1423 base icmp-type; 1424 description 1425 "Identity for 'Parameter Problem' 1426 ICMP message type"; 1427 reference 1428 "RFC 792: Internet Control Message Protocol"; 1429 } 1431 identity timestamp { 1432 base icmp-type; 1433 description 1434 "Identity for 'Timestamp' ICMP message type"; 1435 reference 1436 "RFC 792: Internet Control Message Protocol"; 1437 } 1439 identity timestamp-reply { 1440 base icmp-type; 1441 description 1442 "Identity for 'Timestamp Reply' 1443 ICMP message type"; 1444 reference 1445 "RFC 792: Internet Control Message Protocol"; 1446 } 1448 identity datagram-conversion-error { 1449 base icmp-type; 1450 description 
1451 "Identity for 'Datagram Conversion Error' 1452 ICMP message type"; 1453 reference 1454 "RFC 792: Internet Control Message Protocol"; 1455 } 1457 identity experimental-mobility-protocols { 1458 base icmp-type; 1459 description 1460 "Identity for 'Experimental Mobility Protocols' 1461 ICMP message type"; 1462 reference 1463 "RFC 792: Internet Control Message Protocol"; 1464 } 1466 identity extended-echo-request { 1467 base icmp-type; 1468 description 1469 "Identity for 'Extended Echo Request' 1470 ICMP message type"; 1471 reference 1472 "RFC 792: Internet Control Message Protocol 1473 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1474 } 1476 identity extended-echo-reply { 1477 base icmp-type; 1478 description 1479 "Identity for 'Extended Echo Reply' 1480 ICMP message type"; 1481 reference 1482 "RFC 792: Internet Control Message Protocol 1483 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1484 } 1486 identity net-unreachable { 1487 base icmp-type; 1488 description 1489 "Identity for net unreachable 1490 in destination unreachable types"; 1491 reference 1492 "RFC 792: Internet Control Message Protocol"; 1493 } 1495 identity host-unreachable { 1496 base icmp-type; 1497 description 1498 "Identity for host unreachable 1499 in destination unreachable types"; 1500 reference 1501 "RFC 792: Internet Control Message Protocol"; 1502 } 1504 identity protocol-unreachable { 1505 base icmp-type; 1506 description 1507 "Identity for protocol unreachable 1508 in destination unreachable types"; 1509 reference 1510 "RFC 792: Internet Control Message Protocol"; 1511 } 1513 identity port-unreachable { 1514 base icmp-type; 1515 description 1516 "Identity for port unreachable 1517 in destination unreachable types"; 1518 reference 1519 "RFC 792: Internet Control Message Protocol"; 1520 } 1522 identity fragment-set { 1523 base icmp-type; 1524 description 1525 "Identity for fragmentation set 1526 in destination unreachable types"; 1527 reference 1528 "RFC 792: Internet Control 
Message Protocol"; 1529 } 1531 identity source-route-failed { 1532 base icmp-type; 1533 description 1534 "Identity for source route failed 1535 in destination unreachable types"; 1537 reference 1538 "RFC 792: Internet Control Message Protocol"; 1539 } 1541 identity destination-network-unknown { 1542 base icmp-type; 1543 description 1544 "Identity for destination network unknown 1545 in destination unreachable types"; 1546 reference 1547 "RFC 792: Internet Control Message Protocol"; 1548 } 1550 identity destination-host-unknown { 1551 base icmp-type; 1552 description 1553 "Identity for destination host unknown 1554 in destination unreachable types"; 1555 reference 1556 "RFC 792: Internet Control Message Protocol"; 1557 } 1559 identity source-host-isolated { 1560 base icmp-type; 1561 description 1562 "Identity for source host isolated 1563 in destination unreachable types"; 1564 reference 1565 "RFC 792: Internet Control Message Protocol"; 1566 } 1568 identity communication-prohibited-with-destination-network { 1569 base icmp-type; 1570 description 1571 "Identity for which communication with destination network 1572 is administratively prohibited in destination unreachable 1573 types"; 1574 reference 1575 "RFC 792: Internet Control Message Protocol"; 1576 } 1578 identity communication-prohibited-with-destination-host { 1579 base icmp-type; 1580 description 1581 "Identity for which communication with destination host 1582 is administratively prohibited in destination unreachable 1583 types"; 1584 reference 1585 "RFC 792: Internet Control Message Protocol"; 1586 } 1588 identity destination-network-unreachable-for-tos { 1589 base icmp-type; 1590 description 1591 "Identity for destination network unreachable 1592 for type of service in destination unreachable types"; 1593 reference 1594 "RFC 792: Internet Control Message Protocol"; 1595 } 1597 identity destination-host-unreachable-for-tos { 1598 base icmp-type; 1599 description 1600 "Identity for destination host 
unreachable 1601 for type of service in destination unreachable types"; 1602 reference 1603 "RFC 792: Internet Control Message Protocol"; 1604 } 1606 identity communication-prohibited { 1607 base icmp-type; 1608 description 1609 "Identity for communication administratively prohibited 1610 in destination unreachable types"; 1611 reference 1612 "RFC 792: Internet Control Message Protocol"; 1613 } 1615 identity host-precedence-violation { 1616 base icmp-type; 1617 description 1618 "Identity for host precedence violation 1619 in destination unreachable types"; 1620 reference 1621 "RFC 792: Internet Control Message Protocol"; 1622 } 1624 identity precedence-cutoff-in-effect { 1625 base icmp-type; 1626 description 1627 "Identity for precedence cutoff in effect 1628 in destination unreachable types"; 1629 reference 1630 "RFC 792: Internet Control Message Protocol"; 1631 } 1632 identity redirect-datagram-for-the-network { 1633 base icmp-type; 1634 description 1635 "Identity for redirect datagram for the network 1636 (or subnet) in redirect types"; 1637 reference 1638 "RFC 792: Internet Control Message Protocol"; 1639 } 1641 identity redirect-datagram-for-the-host { 1642 base icmp-type; 1643 description 1644 "Identity for redirect datagram for the host 1645 in redirect types"; 1646 reference 1647 "RFC 792: Internet Control Message Protocol"; 1648 } 1650 identity redirect-datagram-for-the-tos-and-network { 1651 base icmp-type; 1652 description 1653 "Identity for redirect datagram for the type of 1654 service and network in redirect types"; 1655 reference 1656 "RFC 792: Internet Control Message Protocol"; 1657 } 1659 identity redirect-datagram-for-the-tos-and-host { 1660 base icmp-type; 1661 description 1662 "Identity for redirect datagram for the type of 1663 service and host in redirect types"; 1664 reference 1665 "RFC 792: Internet Control Message Protocol"; 1666 } 1668 identity normal-router-advertisement { 1669 base icmp-type; 1670 description 1671 "Identity for normal 
router advertisement 1672 in router advertisement types"; 1673 reference 1674 "RFC 792: Internet Control Message Protocol"; 1675 } 1677 identity does-not-route-common-traffic { 1678 base icmp-type; 1679 description 1680 "Identity for does not route common traffic 1681 in router advertisement types"; 1682 reference 1683 "RFC 792: Internet Control Message Protocol"; 1684 } 1686 identity time-to-live-exceeded-in-transit { 1687 base icmp-type; 1688 description 1689 "Identity for time to live exceeded in transit 1690 in time exceeded types"; 1691 reference 1692 "RFC 792: Internet Control Message Protocol"; 1693 } 1695 identity fragment-reassembly-time-exceeded { 1696 base icmp-type; 1697 description 1698 "Identity for fragment reassembly time exceeded 1699 in time exceeded types"; 1700 reference 1701 "RFC 792: Internet Control Message Protocol"; 1702 } 1704 identity pointer-indicates-the-error { 1705 base icmp-type; 1706 description 1707 "Identity for pointer indicates the error 1708 in parameter problem types"; 1709 reference 1710 "RFC 792: Internet Control Message Protocol"; 1711 } 1713 identity missing-a-required-option { 1714 base icmp-type; 1715 description 1716 "Identity for missing a required option 1717 in parameter problem types"; 1718 reference 1719 "RFC 792: Internet Control Message Protocol"; 1720 } 1722 identity bad-length { 1723 base icmp-type; 1724 description 1725 "Identity for bad length 1726 in parameter problem types"; 1727 reference 1728 "RFC 792: Internet Control Message Protocol"; 1729 } 1731 identity bad-spi { 1732 base icmp-type; 1733 description 1734 "Identity for bad spi"; 1735 reference 1736 "RFC 792: Internet Control Message Protocol"; 1737 } 1739 identity authentication-failed { 1740 base icmp-type; 1741 description 1742 "Identity for authentication failed"; 1743 reference 1744 "RFC 792: Internet Control Message Protocol"; 1745 } 1747 identity decompression-failed { 1748 base icmp-type; 1749 description 1750 "Identity for decompression 
failed"; 1751 reference 1752 "RFC 792: Internet Control Message Protocol"; 1753 } 1755 identity decryption-failed { 1756 base icmp-type; 1757 description 1758 "Identity for decryption failed"; 1759 reference 1760 "RFC 792: Internet Control Message Protocol"; 1761 } 1763 identity need-authentication { 1764 base icmp-type; 1765 description 1766 "Identity for need authentication"; 1767 reference 1768 "RFC 792: Internet Control Message Protocol"; 1769 } 1771 identity need-authorization { 1772 base icmp-type; 1773 description 1774 "Identity for need authorization"; 1775 reference 1776 "RFC 792: Internet Control Message Protocol"; 1777 } 1779 identity req-no-error { 1780 base icmp-type; 1781 description 1782 "Identity for request with no error 1783 in extended echo request types"; 1784 reference 1785 "RFC 792: Internet Control Message Protocol 1786 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1787 } 1789 identity rep-no-error { 1790 base icmp-type; 1791 description 1792 "Identity for reply with no error 1793 in extended echo reply types"; 1794 reference 1795 "RFC 792: Internet Control Message Protocol 1796 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1797 } 1799 identity malformed-query { 1800 base icmp-type; 1801 description 1802 "Identity for malformed query 1803 in extended echo reply types"; 1804 reference 1805 "RFC 792: Internet Control Message Protocol 1806 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1807 } 1809 identity no-such-interface { 1810 base icmp-type; 1811 description 1812 "Identity for no such interface 1813 in extended echo reply types"; 1814 reference 1815 "RFC 792: Internet Control Message Protocol 1816 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1817 } 1819 identity no-such-table-entry { 1820 base icmp-type; 1821 description 1822 "Identity for no such table entry 1823 in extended echo reply types"; 1825 reference 1826 "RFC 792: Internet Control Message Protocol 1827 RFC 8335: PROBE: A Utility for Probing Interfaces"; 
1828 } 1830 identity multiple-interfaces-satisfy-query { 1831 base icmp-type; 1832 description 1833 "Identity for multiple interfaces satisfy query 1834 in extended echo reply types"; 1835 reference 1836 "RFC 792: Internet Control Message Protocol 1837 RFC 8335: PROBE: A Utility for Probing Interfaces"; 1838 } 1840 identity target-device { 1841 description 1842 "Base identity for target devices"; 1843 reference 1844 "draft-ietf-i2nsf-capability-05: Information Model 1845 of NSFs Capabilities"; 1846 } 1848 identity pc { 1849 base target-device; 1850 description 1851 "Identity for pc"; 1852 } 1854 identity mobile-phone { 1855 base target-device; 1856 description 1857 "Identity for mobile-phone"; 1858 } 1860 identity voip-volte-phone { 1861 base target-device; 1862 description 1863 "Identity for voip-volte-phone"; 1864 } 1866 identity tablet { 1867 base target-device; 1868 description 1869 "Identity for tablet"; 1870 } 1872 identity iot { 1873 base target-device; 1874 description 1875 "Identity for IoT"; 1876 } 1878 identity vehicle { 1879 base target-device; 1880 description 1881 "Identity for vehicle"; 1882 } 1884 identity content-security-control { 1885 description 1886 "Base identity for content security control"; 1887 reference 1888 "RFC 8329: Framework for Interface to 1889 Network Security Functions - Differences 1890 from ACL Data Models 1891 draft-ietf-i2nsf-capability-05: Information Model 1892 of NSFs Capabilities"; 1893 } 1895 identity antivirus { 1896 base content-security-control; 1897 description 1898 "Identity for antivirus"; 1899 } 1901 identity ips { 1902 base content-security-control; 1903 description 1904 "Identity for ips"; 1905 } 1907 identity ids { 1908 base content-security-control; 1909 description 1910 "Identity for ids"; 1911 } 1913 identity url-filtering { 1914 base content-security-control; 1915 description 1916 "Identity for url filtering"; 1917 } 1919 identity mail-filtering { 1920 base content-security-control; 1921 description 1922 
"Identity for mail filtering"; 1923 } 1925 identity file-blocking { 1926 base content-security-control; 1927 description 1928 "Identity for file blocking"; 1929 } 1931 identity file-isolate { 1932 base content-security-control; 1933 description 1934 "Identity for file isolate"; 1935 } 1937 identity pkt-capture { 1938 base content-security-control; 1939 description 1940 "Identity for packet capture"; 1941 } 1943 identity application-control { 1944 base content-security-control; 1945 description 1946 "Identity for application control"; 1947 } 1949 identity voip-volte { 1950 base content-security-control; 1951 description 1952 "Identity for voip and volte"; 1953 } 1955 identity attack-mitigation-control { 1956 description 1957 "Base identity for attack mitigation control"; 1958 reference 1959 "RFC 8329: Framework for Interface to 1960 Network Security Functions - Differences 1961 from ACL Data Models 1962 draft-ietf-i2nsf-capability-05: Information Model 1963 of NSFs Capabilities"; 1964 } 1966 identity syn-flood { 1967 base attack-mitigation-control; 1968 description 1969 "Identity for syn flood"; 1970 } 1972 identity udp-flood { 1973 base attack-mitigation-control; 1974 description 1975 "Identity for udp flood"; 1976 } 1978 identity icmp-flood { 1979 base attack-mitigation-control; 1980 description 1981 "Identity for icmp flood"; 1982 } 1984 identity ip-frag-flood { 1985 base attack-mitigation-control; 1986 description 1987 "Identity for ip frag flood"; 1988 } 1990 identity ipv6-related { 1991 base attack-mitigation-control; 1992 description 1993 "Identity for ipv6 related"; 1994 } 1996 identity http-and-https-flood { 1997 base attack-mitigation-control; 1998 description 1999 "Identity for http and https flood"; 2000 } 2002 identity dns-flood { 2003 base attack-mitigation-control; 2004 description 2005 "Identity for dns flood"; 2006 } 2008 identity dns-amp-flood { 2009 base attack-mitigation-control; 2010 description 2011 "Identity for dns amp flood"; 2012 } 2014 
  identity ssl-ddos {
    base attack-mitigation-control;
    description
      "Identity for ssl ddos";
  }

  identity ip-sweep {
    base attack-mitigation-control;
    description
      "Identity for ip sweep";
  }

  identity port-scanning {
    base attack-mitigation-control;
    description
      "Identity for port scanning";
  }

  identity ping-of-death {
    base attack-mitigation-control;
    description
      "Identity for ping of death";
  }

  identity teardrop {
    base attack-mitigation-control;
    description
      "Identity for teardrop";
  }

  identity oversized-icmp {
    base attack-mitigation-control;
    description
      "Identity for oversized icmp";
  }

  identity tracert {
    base attack-mitigation-control;
    description
      "Identity for tracert";
  }

  identity ingress-action {
    description
      "Base identity for ingress action";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Ingress Action";
  }

  identity egress-action {
    description
      "Base identity for egress action";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Egress action";
  }

  identity default-action {
    description
      "Base identity for default action";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Default action";
  }

  identity pass {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for pass";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Actions and
       default action";
  }

  identity drop {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for drop";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Actions and
       default action";
  }

  identity reject {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for reject";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Actions and
       default action";
  }

  identity alert {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for alert";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Actions and
       default action";
  }

  identity mirror {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for mirror";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Actions and
       default action";
  }

  identity log-action {
    description
      "Base identity for log action";
  }

  identity rule-log {
    base log-action;
    description
      "Identity for rule log";
  }

  identity session-log {
    base log-action;
    description
      "Identity for session log";
  }

  identity invoke-signaling {
    base egress-action;
    description
      "Identity for invoke signaling";
  }

  identity tunnel-encapsulation {
    base egress-action;
    description
      "Identity for tunnel encapsulation";
  }

  identity forwarding {
    base egress-action;
    description
      "Identity for forwarding";
  }

  identity redirection {
    base egress-action;
    description
      "Identity for redirection";
  }

  identity resolution-strategy {
    description
      "Base identity for resolution strategy";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity fmr {
    base resolution-strategy;
    description
      "Identity for First Matching Rule (FMR)";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity lmr {
    base resolution-strategy;
    description
      "Identity for Last Matching Rule (LMR)";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity pmr {
    base resolution-strategy;
    description
      "Identity for Prioritized Matching Rule (PMR)";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity pmre {
    base resolution-strategy;
    description
      "Identity for Prioritized Matching Rule
       with Errors (PMRE)";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity pmrn {
    base resolution-strategy;
    description
      "Identity for Prioritized Matching Rule
       with No Errors (PMRN)";
    reference
      "draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Resolution Strategy";
  }

  identity i2nsf-ipsec {
    description
      "Internet Key Exchange for NSFs
       in the I2NSF framework";
    reference
      "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
       - i2nsf-ipsec";
  }

  identity ike {
    base i2nsf-ipsec;
    description
      "IKE case: IPsec with IKE in the NSF";
    reference
      "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
       - ike";
  }

  identity ikeless {
    base i2nsf-ipsec;
    description
      "IKEless case: IPsec without IKEv2 in the NSF";
    reference
      "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04
       - ikeless";
  }

  /*
   * Typedefs
   */

  typedef day-type {
    type enumeration {
      enum sunday {
        description
          "Sunday for periodic day";
      }
      enum monday {
        description
          "Monday for periodic day";
      }
      enum tuesday {
        description
          "Tuesday for periodic day";
      }
      enum wednesday {
        description
          "Wednesday for periodic day";
      }
      enum thursday {
        description
          "Thursday for periodic day";
      }
      enum friday {
        description
          "Friday for periodic day";
      }
      enum saturday {
        description
          "Saturday for periodic day";
      }
    }
    description
      "This can be used for the rules to be applied
       according to periodic day";
  }

  typedef month-type {
    type enumeration {
      enum january {
        description
          "January for periodic month";
      }
      enum february {
        description
          "February for periodic month";
      }
      enum march {
        description
          "March for periodic month";
      }
      enum april {
        description
          "April for periodic month";
      }
      enum may {
        description
          "May for periodic month";
      }
      enum june {
        description
          "June for periodic month";
      }
      enum july {
        description
          "July for periodic month";
      }
      enum august {
        description
          "August for periodic month";
      }
      enum september {
        description
          "September for periodic month";
      }
      enum october {
        description
          "October for periodic month";
      }
      enum november {
        description
          "November for periodic month";
      }
      enum december {
        description
          "December for periodic month";
      }
    }
    description
      "This can be used for the rules to be applied
       according to periodic month";
  }

  /*
   * Groupings
   */

  grouping ipv4 {
    list ipv4-address {
      key "ipv4";
      description
        "The list of IPv4 addresses.";

      leaf ipv4 {
        type inet:ipv4-address;
        description
          "The value of IPv4 address.";
      }
      choice subnet {
        description
          "The subnet can be specified as a prefix length or
           netmask.";
        leaf prefix-length {
          type uint8 {
            range "0..32";
          }
          description
            "The length of the subnet prefix.";
        }
        leaf netmask {
          type yang:dotted-quad;
          description
            "The subnet specified as a netmask.";
        }
      }
    }
    description
      "Grouping for an IPv4 address";
    reference
      "RFC 791: Internet Protocol - IPv4 address
       RFC 8344: A YANG Data Model for IP Management";
  }

  grouping ipv6 {
    list ipv6-address {
      key "ipv6";
      description
        "The list of IPv6 addresses.";

      leaf ipv6 {
        type inet:ipv6-address;
        description
          "The value of IPv6 address.";
      }
      leaf prefix-length {
        type uint8 {
          range "0..128";
        }
        description
          "The length of the subnet prefix.";
      }
    }
    description
      "Grouping for an IPv6 address";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - IPv6 address
       RFC 8344: A YANG Data Model for IP Management";
  }

  grouping pkt-sec-ipv4 {
    choice match-type {
      description
        "There are two types of security policy IPv4 address
         matching - exact match and range match.";
      case exact-match {
        uses ipv4;
        description
          "Exact match for an IPv4 address.";
      }
      case range-match {
        list range-ipv4-address {
          key "start-ipv4-address end-ipv4-address";
          leaf start-ipv4-address {
            type inet:ipv4-address;
            description
              "Starting IPv4 address for a range match.";
          }
          leaf end-ipv4-address {
            type inet:ipv4-address;
            description
              "Ending IPv4 address for a range match.";
          }
          description
            "Range match for an IPv4 address.";
        }
      }
    }
    description
      "Grouping for an IPv4 address.";
    reference
      "RFC 791: Internet Protocol - IPv4 address";
  }

  grouping pkt-sec-ipv6 {
    choice match-type {
      description
        "There are two types of security policy IPv6 address
         matching - exact match and range match.";
      case exact-match {
        uses ipv6;
        description
          "Exact match for an IPv6 address.";
      }
      case range-match {
        list range-ipv6-address {
          key "start-ipv6-address end-ipv6-address";
          leaf start-ipv6-address {
            type inet:ipv6-address;
            description
              "Starting IPv6 address for a range match.";
          }
          leaf end-ipv6-address {
            type inet:ipv6-address;
            description
              "Ending IPv6 address for a range match.";
          }
          description
            "Range match for an IPv6 address.";
        }
      }
    }
    description
      "Grouping for an IPv6 address.";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - IPv6 address";
  }

  grouping pkt-sec-port-number {
    choice match-type {
      description
        "There are two types of security policy TCP/UDP port
         matching - exact match and range match.";
      case exact-match {
        leaf-list port-num {
          type inet:port-number;
          description
            "Exact match for a port number.";
        }
      }
      case range-match {
        list range-port-num {
          key "start-port-num end-port-num";
          leaf start-port-num {
            type inet:port-number;
            description
              "Starting port number for a range match.";
          }
          leaf end-port-num {
            type inet:port-number;
            description
              "Ending port number for a range match.";
          }
          description
            "Range match for a port number.";
        }
      }
    }
    description
      "Grouping for port number.";
    reference
      "RFC 793: Transmission Control Protocol - Port number
       RFC 768: User Datagram Protocol - Port Number";
  }

  /*
   * Data nodes
   */

  container i2nsf-security-policy {
    description
      "Container for security policy
       including a set of security rules according to certain logic,
       i.e., their similarity or mutual relations, etc. The network
       security policy can be applied to both the unidirectional
       and bidirectional traffic across the NSF.
       The I2NSF security policies use the Event-Condition-Action
       (ECA) policy model.";
    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - I2NSF Flow Security Policy Structure
       draft-ietf-i2nsf-capability-05: Information Model
       of NSFs Capabilities - Design Principles and ECA Policy Model
       Overview";

    list system-policy {
      key "system-policy-name";
      description
        "The system-policy represents that there can be multiple
         system policies in one NSF, and each system policy is used
         by one virtual instance of the NSF/device.";

      leaf system-policy-name {
        type string;
        description
          "The name of the policy.
           This must be unique.";
      }

      leaf priority-usage {
        type identityref {
          base priority-usage-type;
        }
        default priority-by-order;
        description
          "Priority usage type for security policy rule:
           priority by order and priority by number";
      }

      leaf resolution-strategy {
        type identityref {
          base resolution-strategy;
        }
        default fmr;
        description
          "The resolution strategies that can be used to
           specify how to resolve conflicts that occur between
           actions of the same or different policy rules that
           are matched and contained in this particular NSF";
        reference
          "draft-ietf-i2nsf-capability-05: Information Model
           of NSFs Capabilities - Resolution strategy";
      }

      leaf default-action {
        type identityref {
          base default-action;
        }
        default alert;
        description
          "This default action can be used to specify a predefined
           action when no other alternative action was matched
           by the currently executing I2NSF Policy Rule. An analogy
           is the use of a default statement in a C switch statement.";
        reference
          "draft-ietf-i2nsf-capability-05: Information Model
           of NSFs Capabilities - Default action";
      }

      list rules {
        key "rule-name";
        description
          "This is a rule for network security functions.";

        leaf rule-name {
          type string;
          description
            "The name of the rule.";
        }

        leaf rule-description {
          type string;
          description
            "This description gives more information about
             the rule.";
        }

        leaf rule-priority {
          type uint8 {
            range "1..255";
          }
          description
            "The priority keyword comes with a mandatory
             numeric value which can range from 1 to 255.";
        }

        leaf rule-enable {
          type boolean;
          description
            "True is enable.
             False is not enable.";
        }

        leaf session-aging-time {
          type uint16;
          description
            "This is the session aging time.";
        }

        container long-connection {
          description
            "This is the long-connection setting.";

          leaf enable {
            type boolean;
            description
              "True is enable.
               False is not enable.";
          }

          leaf duration {
            type uint16;
            description
              "This is the duration of the long-connection.";
          }
        }

        container time-intervals {
          description
            "Time intervals when the rules are applied";
          container absolute-time-interval {
            description
              "Rule execution according to the absolute time.
               The absolute time interval means the exact time to
               start or end.";

            container start-time {
              uses "key-chain:lifetime";
              description
                "Start time when the rules are applied";
              reference
                "RFC 8177: YANG Data Model for Key Chains
                 - lifetime";
            }
            container end-time {
              uses "key-chain:lifetime";
              description
                "End time when the rules are applied";
              reference
                "RFC 8177: YANG Data Model for Key Chains
                 - lifetime";
            }
          }

          container periodic-time-interval {
            description
              "Rule execution according to the periodic time.
               The periodic time interval means the repeated time
               such as a day, week, or month.";

            container day {
              description
                "Rule execution according to day.";
              leaf every-day {
                type boolean;
                default true;
                description
                  "Rule execution every day";
              }

              leaf-list specific-day {
                when "../every-day = 'false'";
                type day-type;
                description
                  "Rule execution according
                   to specific day";
              }
            }

            container month {
              description
                "Rule execution according to month.";
              leaf every-month {
                type boolean;
                default true;
                description
                  "Rule execution every month";
              }

              leaf-list specific-month {
                when "../every-month = 'false'";
                type month-type;
                description
                  "Rule execution according
                   to specific month";
              }
            }
          }
        }

        container event-clause-container {
          description
            "An event is defined as any important
             occurrence in time of a change in the system being
             managed, and/or in the environment of the system being
             managed. When used in the context of policy rules for
             a flow-based NSF, it is used to determine whether the
             Condition clause of the Policy Rule can be evaluated
             or not. Examples of an I2NSF event include time and
             user actions (e.g., logon, logoff, and actions that
             violate any ACL).";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - I2NSF Flow Security Policy Structure
             draft-ietf-i2nsf-capability-05: Information Model
             of NSFs Capabilities - Design Principles and ECA
             Policy Model Overview
             draft-ietf-i2nsf-nsf-monitoring-data-model-02: I2NSF
             NSF Monitoring YANG Data Model - Alarms, Events, Logs,
             and Counters";

          leaf event-clause-description {
            type string;
            description
              "Description for an event clause";
          }

          container event-clauses {
            description
              "System Event Clause - either a system event or
               system alarm";
            reference
              "RFC 8329: Framework for Interface to Network Security
               Functions - I2NSF Flow Security Policy Structure
               draft-ietf-i2nsf-capability-05: Information Model
               of NSFs Capabilities - Design Principles and ECA Policy
               Model Overview
               draft-ietf-i2nsf-nsf-monitoring-data-model-02: I2NSF
               NSF Monitoring YANG Data Model - Alarms, Events, Logs,
               and Counters";

            leaf-list system-event {
              type identityref {
                base system-event;
              }
              description
                "The security policy rule according to
                 system events.";
            }

            leaf-list system-alarm {
              type identityref {
                base system-alarm;
              }
              description
                "The security policy rule according to
                 system alarms.";
            }
          }
        }

        container condition-clause-container {
          description
            "A condition is defined as a set
             of attributes, features, and/or values that are to be
             compared with a set of known attributes, features,
             and/or values in order to determine whether or not the
             set of Actions in that (imperative) I2NSF Policy Rule
             can be executed or not. Examples of I2NSF Conditions
             include matching attributes of a packet or flow, and
             comparing the internal state of an NSF to a desired
             state.";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - I2NSF Flow Security Policy Structure
             draft-ietf-i2nsf-capability-05: Information Model
             of NSFs Capabilities - Design Principles and ECA Policy
             Model Overview";

          leaf condition-clause-description {
            type string;
            description
              "Description for a condition clause.";
          }

          container packet-security-ipv4-condition {
            description
              "The purpose of this container is to represent IPv4
               packet header information to determine if the set
               of policy actions in this ECA policy rule should be
               executed or not.";
            reference
              "RFC 791: Internet Protocol";

            leaf ipv4-description {
              type string;
              description
                "Textual description of the IPv4 condition.";
            }

            container pkt-sec-ipv4-header-length {
              choice match-type {
                description
                  "Security policy IPv4 header length match -
                   exact match and range match.";
                case exact-match {
                  leaf-list ipv4-header-length {
                    type uint8 {
                      range "5..15";
                    }
                    description
                      "Exact match for an IPv4 header length.";
                  }
                }
                case range-match {
                  list range-ipv4-header-length {
                    key "start-ipv4-header-length
                         end-ipv4-header-length";
                    leaf start-ipv4-header-length {
                      type uint8 {
                        range "5..15";
                      }
                      description
                        "Starting IPv4 header length for a range match.";
                    }

                    leaf end-ipv4-header-length {
                      type uint8 {
                        range "5..15";
                      }
                      description
                        "Ending IPv4 header length for a range match.";
                    }
                    description
                      "Range match for an IPv4 header length.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv4 header length.";
              reference
                "RFC 791: Internet Protocol - Header length";
            }

            leaf-list pkt-sec-ipv4-tos {
              type identityref {
                base type-of-service;
              }
              description
                "The security policy rule according to
                 IPv4 type of service.";
              reference
                "RFC 791: Internet Protocol - Type of service";
            }

            container pkt-sec-ipv4-total-length {
              choice match-type {
                description
                  "Security policy IPv4 total length matching
                   - exact match and range match.";
                case exact-match {
                  leaf-list ipv4-total-length {
                    type uint16;
                    description
                      "Exact match for an IPv4 total length.";
                  }
                }
                case range-match {
                  list range-ipv4-total-length {
                    key "start-ipv4-total-length end-ipv4-total-length";
                    leaf start-ipv4-total-length {
                      type uint16;
                      description
                        "Starting IPv4 total length for a range match.";
                    }
                    leaf end-ipv4-total-length {
                      type uint16;
                      description
                        "Ending IPv4 total length for a range match.";
                    }
                    description
                      "Range match for an IPv4 total length.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv4 total length.";
              reference
                "RFC 791: Internet Protocol - Total length";
            }

            leaf-list pkt-sec-ipv4-id {
              type uint16;
              description
                "The security policy rule according to
                 IPv4 identification.";
              reference
                "RFC 791: Internet Protocol - Identification";
            }

            leaf-list pkt-sec-ipv4-fragment-flags {
              type identityref {
                base fragmentation-flags-type;
              }
              description
                "The security policy rule according to
                 IPv4 fragment flags.";
              reference
                "RFC 791: Internet Protocol - Fragment flags";
            }

            container pkt-sec-ipv4-fragment-offset {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for IPv4 fragment offset, such as exact match
                   and range match.";
                case exact-match {
                  leaf-list ipv4-fragment-offset {
                    type uint16 {
                      range "0..16383";
                    }
                    description
                      "Exact match for an IPv4 fragment offset.";
                  }
                }
                case range-match {
                  list range-ipv4-fragment-offset {
                    key "start-ipv4-fragment-offset
                         end-ipv4-fragment-offset";
                    leaf start-ipv4-fragment-offset {
                      type uint16 {
                        range "0..16383";
                      }
                      description
                        "Starting IPv4 fragment offset for a range match.";
                    }
                    leaf end-ipv4-fragment-offset {
                      type uint16 {
                        range "0..16383";
                      }
                      description
                        "Ending IPv4 fragment offset for a range match.";
                    }
                    description
                      "Range match for an IPv4 fragment offset.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv4 fragment offset.";
              reference
                "RFC 791: Internet Protocol - Fragment offset";
            }

            container pkt-sec-ipv4-ttl {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for IPv4 TTL, such as exact match
                   and range match.";
                case exact-match {
                  leaf-list ipv4-ttl {
                    type uint8;
                    description
                      "Exact match for an IPv4 TTL.";
                  }
                }
                case range-match {
                  list range-ipv4-ttl {
                    key "start-ipv4-ttl end-ipv4-ttl";
                    leaf start-ipv4-ttl {
                      type uint8;
                      description
                        "Starting IPv4 TTL for a range match.";
                    }
                    leaf end-ipv4-ttl {
                      type uint8;
                      description
                        "Ending IPv4 TTL for a range match.";
                    }
                    description
                      "Range match for an IPv4 TTL.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv4 time-to-live (TTL).";
              reference
                "RFC 791: Internet Protocol - Time to live";
            }

            leaf-list pkt-sec-ipv4-protocol {
              type identityref {
                base protocol;
              }
              description
                "The security policy rule according to
                 IPv4 protocol.";
              reference
                "RFC 791: Internet Protocol - Protocol";
            }

            container pkt-sec-ipv4-src {
              uses pkt-sec-ipv4;
              description
                "The security policy rule according to
                 IPv4 source address.";
              reference
                "RFC 791: Internet Protocol - IPv4 Address";
            }

            container pkt-sec-ipv4-dest {
              uses pkt-sec-ipv4;
              description
                "The security policy rule according to
                 IPv4 destination address.";
              reference
                "RFC 791: Internet Protocol - IPv4 Address";
            }

            leaf-list pkt-sec-ipv4-ipopts {
              type identityref {
                base ipopts;
              }
              description
                "The security policy rule according to
                 IPv4 options.";
              reference
                "RFC 791: Internet Protocol - Options";
            }

            leaf pkt-sec-ipv4-same-ip {
              type boolean;
              description
                "Match on packets with the same IPv4 source
                 and IPv4 destination address.";
            }

            leaf-list pkt-sec-ipv4-geo-ip {
              type string;
              description
                "The geo-ip keyword enables matching on the
                 source, destination, or source and destination
                 IP addresses of network traffic by the country
                 to which they belong. For this, Suricata
                 uses the GeoIP API with the MaxMind database format.";
            }
          }

          container packet-security-ipv6-condition {
            description
              "The purpose of this container is to represent
               IPv6 packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 8200: Internet Protocol, Version 6 (IPv6)
               Specification";

            leaf ipv6-description {
              type string;
              description
                "Textual description of the IPv6 condition.";
            }

            leaf-list pkt-sec-ipv6-traffic-class {
              type identityref {
                base traffic-class;
              }
              description
                "The security policy rule according to
                 IPv6 traffic class.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - Traffic class";
            }

            container pkt-sec-ipv6-flow-label {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for IPv6 flow label, such as exact match
                   and range match.";
                case exact-match {
                  leaf-list ipv6-flow-label {
                    type uint32 {
                      range "0..1048575";
                    }
                    description
                      "Exact match for an IPv6 flow label.";
                  }
                }
                case range-match {
                  list range-ipv6-flow-label {
                    key "start-ipv6-flow-label end-ipv6-flow-label";
                    leaf start-ipv6-flow-label {
                      type uint32 {
                        range "0..1048575";
                      }
                      description
                        "Starting IPv6 flow label for a range match.";
                    }
                    leaf end-ipv6-flow-label {
                      type uint32 {
                        range "0..1048575";
                      }
                      description
                        "Ending IPv6 flow label for a range match.";
                    }
                    description
                      "Range match for an IPv6 flow label.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv6 flow label.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - Flow label";
            }

            container pkt-sec-ipv6-payload-length {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for IPv6 payload length, such as
                   exact match and range match.";
                case exact-match {
                  leaf-list ipv6-payload-length {
                    type uint16;
                    description
                      "Exact match for an IPv6 payload length.";
                  }
                }
                case range-match {
                  list range-ipv6-payload-length {
                    key "start-ipv6-payload-length
                         end-ipv6-payload-length";
                    leaf start-ipv6-payload-length {
                      type uint16;
                      description
                        "Starting IPv6 payload length for a range match.";
                    }
                    leaf end-ipv6-payload-length {
                      type uint16;
                      description
                        "Ending IPv6 payload length for a range match.";
                    }
                    description
                      "Range match for an IPv6 payload length.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv6 payload length.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - Payload length";
            }

            leaf-list pkt-sec-ipv6-next-header {
              type identityref {
                base next-header;
              }
              description
                "The security policy rule according to
                 IPv6 next header.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - Next header";
            }

            container pkt-sec-ipv6-hop-limit {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for IPv6 hop limit, such as exact match
                   and range match.";
                case exact-match {
                  leaf-list ipv6-hop-limit {
                    type uint8;
                    description
                      "Exact match for an IPv6 hop limit.";
                  }
                }
                case range-match {
                  list range-ipv6-hop-limit {
                    key "start-ipv6-hop-limit end-ipv6-hop-limit";
                    leaf start-ipv6-hop-limit {
                      type uint8;
                      description
                        "Start IPv6 hop limit for a range match.";
                    }
                    leaf end-ipv6-hop-limit {
                      type uint8;
                      description
                        "End IPv6 hop limit for a range match.";
                    }
                    description
                      "Range match for an IPv6 hop limit.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv6 hop limit.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - Hop limit";
            }

            container pkt-sec-ipv6-src {
              uses pkt-sec-ipv6;
              description
                "The security policy rule according to
                 IPv6 source address.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - IPv6 address";
            }

            container pkt-sec-ipv6-dest {
              uses pkt-sec-ipv6;
              description
                "The security policy rule according to
                 IPv6 destination address.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - IPv6 address";
            }
          }

          container packet-security-tcp-condition {
            description
              "The purpose of this container is to represent
               TCP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 793: Transmission Control Protocol";

            leaf tcp-description {
              type string;
              description
                "Textual description of the TCP condition.";
            }

            container pkt-sec-tcp-src-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 TCP source port number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Port number";
            }

            container pkt-sec-tcp-dest-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 TCP destination port number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Port number";
            }

            container pkt-sec-tcp-seq-num {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for TCP sequence number,
                   such as exact match and range match.";
                case exact-match {
                  leaf-list tcp-seq-num {
                    type uint32;
                    description
                      "Exact match for a TCP sequence number.";
                  }
                }
                case range-match {
                  list range-tcp-seq-num {
                    key "start-tcp-seq-num end-tcp-seq-num";
                    leaf start-tcp-seq-num {
                      type uint32;
                      description
                        "Start TCP sequence number for a range match.";
                    }
                    leaf end-tcp-seq-num {
                      type uint32;
                      description
                        "End TCP sequence number for a range match.";
                    }
                    description
                      "Range match for a TCP sequence number.";
                  }
                }
              }
              description
                "The security policy rule according to
                 TCP sequence number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Sequence number";
            }

            container pkt-sec-tcp-ack-num {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for TCP acknowledgement number,
                   such as exact match and range match.";
                case exact-match {
                  leaf-list tcp-ack-num {
                    type uint32;
                    description
                      "Exact match for a TCP acknowledgement number.";
                  }
                }
                case range-match {
                  list range-tcp-ack-num {
                    key "start-tcp-ack-num end-tcp-ack-num";
                    leaf start-tcp-ack-num {
                      type uint32;
                      description
                        "Start TCP acknowledgement number
                         for a range match.";
                    }
                    leaf end-tcp-ack-num {
                      type uint32;
                      description
                        "End TCP acknowledgement number
                         for a range match.";
                    }
                    description
                      "Range match for a TCP acknowledgement number.";
                  }
                }
              }
              description
                "The security policy rule according to
                 TCP acknowledgement number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Acknowledgement number";
            }

            container pkt-sec-tcp-window-size {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for TCP window size,
                   such as exact match and range match.";
                case exact-match {
                  leaf-list tcp-window-size {
                    type uint16;
                    description
                      "Exact match for a TCP window size.";
                  }
                }
                case range-match {
                  list range-tcp-window-size {
                    key "start-tcp-window-size end-tcp-window-size";
                    leaf start-tcp-window-size {
                      type uint16;
                      description
                        "Start TCP window size for a range match.";
                    }
                    leaf end-tcp-window-size {
                      type uint16;
                      description
                        "End TCP window size for a range match.";
                    }
                    description
                      "Range match for a TCP window size.";
                  }
                }
              }
              description
                "The security policy rule according to
                 TCP window size.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Window size";
            }

            leaf-list pkt-sec-tcp-flags {
              type identityref {
                base tcp-flags;
              }
              description
                "The security policy rule according to
                 TCP flags.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Flags";
            }
          }

          container packet-security-udp-condition {
            description
              "The purpose of this container is to represent
               UDP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 768: User Datagram Protocol";

            leaf udp-description {
              type string;
              description
                "Textual description of the UDP condition.";
            }

            container pkt-sec-udp-src-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 UDP source port number.";
              reference
                "RFC 768: User Datagram Protocol
                 - Port number";
            }

            container pkt-sec-udp-dest-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 UDP destination port number.";
              reference
                "RFC 768: User Datagram Protocol
                 - Port number";
            }

            container pkt-sec-udp-total-length {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for UDP total length,
                   such as exact match and range match.";
                case exact-match {
                  leaf-list udp-total-length {
                    type uint16;
                    description
                      "Exact match for a UDP total length.";
                  }
                }
                case range-match {
                  list range-udp-total-length {
                    key "start-udp-total-length end-udp-total-length";
                    leaf start-udp-total-length {
                      type uint16;
                      description
                        "Start UDP total length for a range match.";
                    }
                    leaf end-udp-total-length {
                      type uint16;
                      description
                        "End UDP total length for a range match.";
                    }
                    description
                      "Range match for a UDP total length.";
                  }
                }
              }
              description
                "The security policy rule according to
                 UDP total length. The UDP length field is
                 16 bits wide, so uint16 is used here.";
              reference
                "RFC 768: User Datagram Protocol
                 - Length";
            }
          }

          container packet-security-icmp-condition {
            description
              "The purpose of this container is to represent
               ICMP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 792: Internet Control Message Protocol
               RFC 8335: PROBE: A Utility for Probing Interfaces";

            leaf icmp-description {
              type string;
              description
                "Textual description of the ICMP condition.";
            }

            leaf-list pkt-sec-icmp-type-and-code {
              type identityref {
                base icmp-type;
              }
              description
                "The security policy rule according to
                 ICMP parameters.";
              reference
                "RFC 792: Internet Control Message Protocol
                 RFC 8335: PROBE: A Utility for Probing Interfaces";
            }
          }

          container packet-security-url-category-condition {
            description
              "Condition for URL category";
            leaf url-category-description {
              type string;
              description
                "Textual description of the URL category condition.
                 Vendors can write instructions for the context
                 condition that the vendor defined.";
            }

            leaf-list pre-defined-category {
              type string;
              description
                "This is a pre-defined category.";
            }
            leaf-list user-defined-category {
              type string;
              description
                "This is a user-defined category.";
            }
          }

          container packet-security-voice-condition {
            description
              "For the VoIP/VoLTE security system, a VoIP/
               VoLTE security system can monitor each
               VoIP/VoLTE flow and manage VoIP/VoLTE
               security rules controlled by a centralized
               server for VoIP/VoLTE security service
               (called VoIP IPS). The VoIP/VoLTE security
               system controls each switch for the
               VoIP/VoLTE call flow management by
               manipulating the rules that can be added,
               deleted, or modified dynamically.";
            reference
              "RFC 3261: SIP: Session Initiation Protocol";

            leaf voice-description {
              type string;
              description
                "Textual description of the voice condition.";
            }

            leaf-list pkt-sec-src-voice-id {
              type string;
              description
                "The security policy rule according to
                 a source voice ID for VoIP and VoLTE.";
            }

            leaf-list pkt-sec-dest-voice-id {
              type string;
              description
                "The security policy rule according to
                 a destination voice ID for VoIP and VoLTE.";
            }

            leaf-list pkt-sec-user-agent {
              type string;
              description
                "The security policy rule according to
                 a user agent for VoIP and VoLTE.";
            }
          }

          container packet-security-ddos-condition {
            description
              "Condition for DDoS attack.";

            leaf ddos-description {
              type string;
              description
                "Textual description of the DDoS condition.";
            }

            leaf pkt-sec-alert-rate {
              type uint32;
              description
                "The alert rate of flood detection for
                 the same packets.";
            }
          }

          container packet-security-payload-condition {
            description
              "Condition for packet
payload"; 3650 leaf packet-payload-description { 3651 type string; 3652 description 3653 "This is description for payload condition. 3654 Vendors can write instructions for payload condition 3655 that vendor made"; 3656 } 3657 leaf-list pkt-payload-content { 3658 type string; 3659 description 3660 "The content keyword is very important in 3661 signatures. Between the quotation marks you 3662 can write on what you would like the 3663 signature to match."; 3664 } 3665 } 3667 container context-condition { 3668 description 3669 "Condition for context"; 3670 leaf context-description { 3671 type string; 3672 description 3673 "This is description for context condition. 3674 Vendors can write instructions for context condition 3675 that vendor made"; 3676 } 3678 container application-condition { 3679 description 3680 "Condition for application"; 3681 leaf application-description { 3682 type string; 3683 description 3684 "This is description for application condition."; 3685 } 3686 leaf-list application-object { 3687 type string; 3688 description 3689 "This is application object."; 3691 } 3692 leaf-list application-group { 3693 type string; 3694 description 3695 "This is application group."; 3696 } 3697 leaf-list application-label { 3698 type string; 3699 description 3700 "This is application label."; 3701 } 3702 container category { 3703 description 3704 "This is application category"; 3705 list application-category { 3706 key "name application-subcategory"; 3707 description 3708 "This is application category list"; 3709 leaf name { 3710 type string; 3711 description 3712 "This is name for application category."; 3713 } 3714 leaf application-subcategory { 3715 type string; 3716 description 3717 "This is application subcategory."; 3718 } 3719 } 3720 } 3721 } 3723 container target-condition { 3724 description 3725 "Condition for target"; 3726 leaf target-description { 3727 type string; 3728 description 3729 "This is description for target condition. 
3730 Vendors can write instructions for target condition 3731 that vendor made"; 3732 } 3734 container device-sec-context-cond { 3735 description 3736 "The device attribute that can identify a device, 3737 including the device type (i.e., router, switch, 3738 pc, ios, or android) and the device's owner as 3739 well."; 3741 leaf-list target-device { 3742 type identityref { 3743 base target-device; 3744 } 3745 description 3746 "Leaf list for target devices"; 3747 } 3748 } 3749 } 3751 container users-condition { 3752 description 3753 "Condition for users"; 3754 leaf users-description { 3755 type string; 3756 description 3757 "This is description for user condition. 3758 Vendors can write instructions for user condition 3759 that vendor made"; 3760 } 3761 container user{ 3762 description 3763 "The user (or user group) information with which 3764 network flow is associated: The user has many 3765 attributes such as name, id, password, type, 3766 authentication mode and so on. Name/id is often 3767 used in the security policy to identify the user. 3768 Besides, NSF is aware of the IP address of the 3769 user provided by a unified user management system 3770 via network. Based on name-address association, 3771 NSF is able to enforce the security functions 3772 over the given user (or user group)"; 3774 choice user-name { 3775 description 3776 "The name of the user."; 3778 case tenant { 3779 description 3780 "Tenant information."; 3782 leaf tenant { 3783 type uint8; 3784 description 3785 "User's tenant information."; 3786 } 3788 } 3790 case vn-id { 3791 description 3792 "VN-ID information."; 3794 leaf vn-id { 3795 type uint8; 3796 description 3797 "User's VN-ID information."; 3798 } 3799 } 3800 } 3801 } 3803 container group { 3804 description 3805 "The user (or user group) information with which 3806 network flow is associated: The user has many 3807 attributes such as name, id, password, type, 3808 authentication mode and so on. 
Name/id is often 3809 used in the security policy to identify the user. 3810 Besides, NSF is aware of the IP address of the 3811 user provided by a unified user management system 3812 via network. Based on name-address association, 3813 NSF is able to enforce the security functions 3814 over the given user (or user group)"; 3816 choice group-name { 3817 description 3818 "The name of the user."; 3820 case tenant { 3821 description 3822 "Tenant information."; 3824 leaf tenant { 3825 type uint8; 3826 description 3827 "User's tenant information."; 3828 } 3829 } 3831 case vn-id { 3832 description 3833 "VN-ID information."; 3835 leaf vn-id { 3836 type uint8; 3837 description 3838 "User's VN-ID information."; 3839 } 3840 } 3841 } 3842 } 3844 leaf security-group { 3845 type string; 3846 description 3847 "security-group."; 3848 } 3849 } 3851 container gen-context-condition { 3852 description 3853 "Condition for generic context"; 3854 leaf gen-context-description { 3855 type string; 3856 description 3857 "This is description for generic context condition. 3858 Vendors can write instructions for generic context 3859 condition that vendor made"; 3860 } 3862 container geographic-location { 3863 description 3864 "The location where network traffic is associated 3865 with. The region can be the geographic location 3866 such as country, province, and city, 3867 as well as the logical network location such as 3868 IP address, network section, and network domain."; 3870 leaf-list src-geographic-location { 3871 type uint32; 3872 description 3873 "This is mapped to ip address. We can acquire 3874 source region through ip address stored in the 3875 database."; 3876 } 3877 leaf-list dest-geographic-location { 3878 type uint32; 3879 description 3880 "This is mapped to ip address. 
We can acquire 3881 destination region through ip address stored 3882 in the database."; 3883 } 3885 } 3886 } 3887 } 3888 } 3890 container action-clause-container { 3891 description 3892 "An action is used to control and monitor aspects of 3893 flow-based NSFs when the event and condition clauses 3894 are satisfied. NSFs provide security functions by 3895 executing various Actions. Examples of I2NSF Actions 3896 include providing intrusion detection and/or protection, 3897 web and flow filtering, and deep packet inspection 3898 for packets and flows."; 3899 reference 3900 "RFC 8329: Framework for Interface to Network Security 3901 Functions - I2NSF Flow Security Policy Structure 3902 draft-ietf-i2nsf-capability-05: Information Model 3903 of NSFs Capabilities - Design Principles and ECA Policy 3904 Model Overview"; 3906 leaf action-clause-description { 3907 type string; 3908 description 3909 "Description for an action clause."; 3910 } 3912 container packet-action { 3913 description 3914 "Action for packets"; 3915 reference 3916 "RFC 8329: Framework for Interface to Network Security 3917 Functions - I2NSF Flow Security Policy Structure 3918 draft-ietf-i2nsf-capability-05: Information Model 3919 of NSFs Capabilities - Design Principles and ECA 3920 Policy Model Overview"; 3922 leaf ingress-action { 3923 type identityref { 3924 base ingress-action; 3925 } 3926 description 3927 "Action: pass, drop, reject, alert, and mirror."; 3928 } 3930 leaf egress-action { 3931 type identityref { 3932 base egress-action; 3933 } 3934 description 3935 "Egress action: pass, drop, reject, alert, mirror, 3936 invoke-signaling, tunnel-encapsulation, 3937 forwarding, and redirection."; 3938 } 3940 leaf log-action { 3941 type identityref { 3942 base log-action; 3943 } 3944 description 3945 "Log action: rule log and session log"; 3946 } 3948 } 3950 container advanced-action { 3951 description 3952 "If the packet need be additionally inspected, 3953 the packet are passed to advanced network 
3954 security functions according to the profile."; 3955 reference 3956 "RFC 8329: Framework for Interface to Network Security 3957 Functions - Differences from ACL Data Models"; 3959 leaf-list content-security-control { 3960 type identityref { 3961 base content-security-control; 3962 } 3963 description 3964 "The Profile is divided into content security 3965 control and attack-mitigation-control. 3966 Content security control: antivirus, ips, ids, 3967 url filtering, mail filtering, file blocking, 3968 file isolate, packet capture, application control, 3969 voip and volte."; 3970 } 3972 leaf-list attack-mitigation-control { 3973 type identityref { 3974 base attack-mitigation-control; 3975 } 3976 description 3977 "The Profile is divided into content security 3978 control and attack-mitigation-control. 3980 Attack mitigation control: syn flood, udp flood, 3981 icmp flood, ip frag flood, ipv6 related, http flood, 3982 https flood, dns flood, dns amp flood, ssl ddos, 3983 ip sweep, port scanning, ping of death, teardrop, 3984 oversized icmp, tracert."; 3985 } 3986 } 3987 } 3988 } 3989 container rule-group { 3990 description 3991 "This is rule group"; 3993 list groups { 3994 key "group-name"; 3995 description 3996 "This is a group for rules"; 3998 leaf group-name { 3999 type string; 4000 description 4001 "This is a group for rules"; 4002 } 4004 container rule-range { 4005 description 4006 "This is a rule range."; 4008 leaf start-rule { 4009 type string; 4010 description 4011 "This is a start rule"; 4012 } 4013 leaf end-rule { 4014 type string; 4015 description 4016 "This is a end rule"; 4017 } 4018 } 4019 leaf enable { 4020 type boolean; 4021 description 4022 "This is enable 4023 False is not enable."; 4024 } 4025 leaf description { 4026 type string; 4027 description 4028 "This is a desription for rule-group"; 4029 } 4030 } 4031 } 4032 } 4033 } 4035 leaf i2nsf-ipsec { 4036 type identityref { 4037 base i2nsf-ipsec; 4038 } 4039 description 4040 "Internet Key Exchnage for 
NSFs 4041 in the I2NSF framework"; 4043 reference 4044 "draft-ietf-i2nsf-sdn-ipsec-flow-protection-04 4045 - i2nsf-ipsec"; 4046 } 4047 } 4049 4051 Figure 6: YANG Data Module of I2NSF NSF-Facing-Interface 4053 6. XML Configuration Examples of Low-Level Security Policy Rules 4055 This section shows XML configuration examples of low-level security 4056 policy rules that are delivered from the Security Controller to NSFs 4057 over the NSF-Facing Interface. For security requirements, we assume 4058 that the NSFs (i.e., General firewall, Time-based firewall, URL 4059 filter, VoIP/VoLTE filter, and http and https flood mitigation ) 4060 described in Appendix A. Configuration Examples of 4061 [draft-ietf-i2nsf-capability-data-model] are registered in I2NSF 4062 framework. With the registed NSFs, we show configuration examples 4063 for security policy rules of network security functions according to 4064 the following three security requirements: (i) Block SNS access 4065 during business hours, (ii) Block malicious VoIP/VoLTE packets coming 4066 to the company, and (iii) Mitigate http and https flood attacks on 4067 company web server. 4069 6.1. Security Requirement 1: Block SNS Access during Business Hours 4071 This section shows a configuration example for blocking SNS access 4072 during business hours. 
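   Before the XML documents, an added Python sketch (written for this
   page; it is not the draft's code and no I2NSF library stands behind
   it) that makes the module's ECA semantics concrete: the match-type
   choice with its exact-match leaf-list and range-match list, the
   absolute time window and source-address range used in Figure 7, the
   port exact-match of Figure 9, and the hand-off from a packet-level
   rule to an advanced-action profile.  Class and function names are
   mine; inclusive ranges and reading the Figure 9 ports as destination
   ports are assumptions.

```python
# Added example for this page, not from the draft or any I2NSF code: a
# small evaluator for ECA rules shaped like ietf-i2nsf-policy-rule-for-nsf.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

UTC = timezone.utc

@dataclass(frozen=True)
class RangeMatch:
    """Range-match list entry; the YANG key does not force start <= end."""
    start: int
    end: int

    def __post_init__(self) -> None:
        # Reject an empty range at load time instead of silently matching nothing.
        if self.start > self.end:
            raise ValueError(f"range-match start {self.start} > end {self.end}")

@dataclass
class MatchType:
    """The 'match-type' choice: exact-match leaf-list or range-match list (ints)."""
    exact: List[int] = field(default_factory=list)
    ranges: List[RangeMatch] = field(default_factory=list)

    def matches(self, value: int) -> bool:
        # Ranges are taken as inclusive at both ends (an assumption).
        return value in self.exact or any(r.start <= value <= r.end for r in self.ranges)

def ipv4_range(first: str, last: str) -> RangeMatch:
    """Range-match over dotted-quad bounds, as in Figures 7 and 9."""
    return RangeMatch(int(IPv4Address(first)), int(IPv4Address(last)))

@dataclass
class Rule:
    """Subset of one 'rules' entry: time window, packet conditions, actions."""
    name: str
    time_start: Optional[datetime] = None   # absolute window, as in Figure 7
    time_end: Optional[datetime] = None
    src_ipv4: Optional[MatchType] = None
    dest_ipv4: Optional[MatchType] = None
    dest_port: Optional[MatchType] = None
    ingress_action: Optional[str] = None    # pass, drop, reject, alert, mirror
    advanced_action: Optional[str] = None   # profile name, e.g. url-filtering

def evaluate(rule: Rule, src: str, dst: str, dst_port: int,
             ts: datetime) -> Optional[Tuple[str, str]]:
    """('advanced', profile) / ('ingress', action) on a full match, else None."""
    # Every configured condition must hold (AND); absent ones are wildcards.
    if rule.time_start is not None and ts < rule.time_start:
        return None
    if rule.time_end is not None and ts > rule.time_end:
        return None
    checks = ((rule.src_ipv4, int(IPv4Address(src))),
              (rule.dest_ipv4, int(IPv4Address(dst))),
              (rule.dest_port, dst_port))
    if any(cond is not None and not cond.matches(value) for cond, value in checks):
        return None
    if rule.advanced_action:
        # The firewall cannot inspect content itself: hand off to the profile.
        return ("advanced", rule.advanced_action)
    if rule.ingress_action:
        return ("ingress", rule.ingress_action)
    return None

# Rule from Figure 7 (time-based firewall, Security Requirement 1).
SNS_RULE = Rule(
    name="block_sns_access_during_operation_time",
    time_start=datetime(2019, 8, 1, 9, 0, tzinfo=UTC),
    time_end=datetime(2019, 12, 31, 18, 0, tzinfo=UTC),
    src_ipv4=MatchType(ranges=[ipv4_range("221.159.112.1", "221.159.112.90")]),
    advanced_action="url-filtering",
)

# Rule from Figure 9 (general firewall, Security Requirement 2). Reading
# 5060/5061 as destination ports is an assumption; the text just says "port".
VOIP_RULE = Rule(
    name="block_malicious_voice_id",
    dest_ipv4=MatchType(ranges=[ipv4_range("221.159.112.1", "221.159.112.90")]),
    dest_port=MatchType(exact=[5060, 5061]),
    advanced_action="voip-volte",
)

def run_examples() -> dict:
    """Constructed packets (203.0.113.x, 198.51.100.x are documentation ranges)."""
    now = datetime(2019, 9, 10, 12, 0, tzinfo=UTC)
    early = datetime(2019, 7, 31, 12, 0, tzinfo=UTC)
    return {
        "sns_hit": evaluate(SNS_RULE, "221.159.112.50", "203.0.113.10", 443, now),
        "sns_wrong_src": evaluate(SNS_RULE, "221.159.112.100", "203.0.113.10", 443, now),
        "sns_early": evaluate(SNS_RULE, "221.159.112.50", "203.0.113.10", 443, early),
        "sip_hit": evaluate(VOIP_RULE, "198.51.100.7", "221.159.112.20", 5060, now),
        "sip_wrong_port": evaluate(VOIP_RULE, "198.51.100.7", "221.159.112.20", 5062, now),
    }
```

   The evaluator reads the two date-times of Figure 7 literally as one
   window from 1 August 09:00 to 31 December 18:00; the daily 9 a.m. to
   6 p.m. reading given in the prose would need a recurring condition
   rather than a single start/end pair.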
   [XML document of Figure 7: the element tags were lost in extraction.
   The leaf values, in document order, are sns_access,
   block_sns_access_during_operation_time, 2019-08-01T09:00:00Z,
   2019-12-31T18:00:00Z, 221.159.112.1, 221.159.112.90 and
   url-filtering.]

      Figure 7: Configuration XML for Time-based Firewall to Block SNS
                        Access during Business Hours

   [XML document of Figure 8: the element tags were lost in extraction.
   The leaf values, in document order, are sns_access,
   block_sns_access_during_operation_time, facebook, instagram and
   drop.]

     Figure 8: Configuration XML for Web Filter to Block SNS Access during
                                Business Hours

   Figure 7 and Figure 8 show the configuration XML documents for the
   time-based firewall and the web filter that block SNS access during
   business hours.  Two NSFs (i.e., a time-based firewall and a web
   filter) are used for this security requirement because one NSF alone
   cannot meet it.  The instances of the XML documents for the time-
   based firewall and the web filter are described below.  Note that a
   detailed data model for the configuration of the advanced network
   security function (i.e., the web filter) is described in
   [draft-dong-i2nsf-asf-config].

   The time-based firewall is configured as follows:

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_sns_access_during_operation_time.

   3.  The rule is operated during the business hours (i.e., from 9 a.m.
       to 6 p.m.).

   4.  The rule inspects the source IPv4 address (i.e., from 221.159.112.1
       to 221.159.112.90) to inspect the outgoing packets of employees.

   5.  If the outgoing packets match the rules above, the time-based
       firewall sends the packets to url filtering for additional
       inspection because the time-based firewall cannot inspect the
       contents of the packets for the SNS URL.

   The web filter is configured as follows:

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_facebook_and_instagram.

   3.  The rule inspects the URL address to block the access packets to
       facebook or instagram.

   4.  If the outgoing packets match the rules above, the packets are
       blocked.

6.2.  Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming
      to a Company

   This section shows a configuration example for blocking malicious
   VoIP/VoLTE packets coming to a company.

   [XML document of Figure 9: the element tags were lost in extraction.
   The leaf values, in document order, are voip_volte_inspection,
   block_malicious_voice_id, 221.159.112.1, 221.159.112.90, 5060, 5061
   and voip-volte.]

     Figure 9: Configuration XML for General Firewall to Block Malicious
                   VoIP/VoLTE Packets Coming to a Company

   [XML document of Figure 10: the element tags were lost in extraction.
   The leaf values, in document order, are voip_volte_inspection,
   block_malicious_voice_id, 11111@voip.black.com, 22222@voip.black.com
   and drop.]

    Figure 10: Configuration XML for VoIP/VoLTE Filter to Block Malicious
                   VoIP/VoLTE Packets Coming to a Company

   Figure 9 and Figure 10 show the configuration XML documents for the
   general firewall and the VoIP/VoLTE filter that block malicious
   VoIP/VoLTE packets coming to a company.  Two NSFs (i.e., a general
   firewall and a VoIP/VoLTE filter) are used for this security
   requirement because one NSF alone cannot meet it.  The instances of
   the XML documents for the general firewall and the VoIP/VoLTE filter
   are described below.  Note that a detailed data model for the
   configuration of the advanced network security function (i.e., the
   VoIP/VoLTE filter) is described in [draft-dong-i2nsf-asf-config].

   The general firewall is configured as follows:

   1.  The name of the system policy is voip_volte_inspection.

   2.  The name of the rule is block_malicious_voip_volte_packets.

   3.  The rule inspects the destination IPv4 address (i.e., from
       221.159.112.1 to 221.159.112.90) to inspect the packets coming
       into the company.

   4.  The rule inspects the port number (i.e., 5060 and 5061) to inspect
       VoIP/VoLTE packets.

   5.  If the incoming packets match the rules above, the general
       firewall sends the packets to the VoIP/VoLTE filter for
       additional inspection because the general firewall cannot inspect
       the contents of the VoIP/VoLTE packets.

   The VoIP/VoLTE filter is configured as follows:

   1.  The name of the system policy is malicious_voice_id.

   2.  The name of the rule is block_malicious_voice_id.

   3.  The rule inspects the voice id of the VoIP/VoLTE packets to block
       the malicious VoIP/VoLTE packets (i.e., 11111@voip.black.com and
       22222@voip.black.com).

   4.  If the incoming packets match the rules above, the packets are
       blocked.

6.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a
      Company Web Server

   This section shows a configuration example for mitigating HTTP and
   HTTPS flood attacks on a company web server.
   [XML document of Figure 11: the element tags were lost in extraction.
   The leaf values, in document order, are flood_attack_mitigation,
   mitigate_http_and_https_flood_attack, 221.159.112.95, 80, 443 and
   http-and-https-flood.]

     Figure 11: Configuration XML for General Firewall to Mitigate HTTP
               and HTTPS Flood Attacks on a Company Web Server

   [XML document of Figure 12: the element tags were lost in extraction.
   The leaf values, in document order, are flood_attack_mitigation,
   mitigate_http_and_https_flood_attack, 100 and drop.]

      Figure 12: Configuration XML for HTTP and HTTPS Flood Attack
     Mitigation to Mitigate HTTP and HTTPS Flood Attacks on a Company Web
                                    Server

   Figure 11 and Figure 12 show the configuration XML documents for the
   general firewall and the HTTP and HTTPS flood attack mitigation that
   mitigate HTTP and HTTPS flood attacks on a company web server.  Two
   NSFs (i.e., a general firewall and an HTTP and HTTPS flood attack
   mitigation function) are used for this security requirement because
   one NSF alone cannot meet it.  The instances of the XML documents for
   the general firewall and the HTTP and HTTPS flood attack mitigation
   are described below.  Note that a detailed data model for the
   configuration of the advanced network security function (i.e., HTTP
   and HTTPS flood attack mitigation) is described in
   [draft-dong-i2nsf-asf-config].

   The general firewall is configured as follows:

   1.  The name of the system policy is flood_attack_mitigation.

   2.  The name of the rule is mitigate_http_and_https_flood_attack.

   3.  The rule inspects the destination IPv4 address (i.e.,
       221.159.112.95) to inspect the access packets coming into the
       company web server.

   4.  The rule inspects the port number (i.e., 80 and 443) to inspect
       HTTP and HTTPS packets.

   5.  If the packets match the rules above, the general firewall sends
       the packets to the HTTP and HTTPS flood attack mitigation for
       additional inspection because the general firewall cannot control
       the amount of HTTP and HTTPS packets.

   The HTTP and HTTPS flood attack mitigation is configured as follows:

   1.  The name of the system policy is
       http_and_https_flood_attack_mitigation.

   2.  The name of the rule is 100_per_second.

   3.  The rule controls the HTTP and HTTPS packets according to the
       amount of incoming packets.

   4.  If the incoming packets match the rules above, the packets are
       blocked.

7.  Security Considerations

   The YANG module specified in this document defines a data schema
   designed to be accessed through network management protocols such as
   NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer is
   the secure transport layer, and the required secure transport is
   Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS,
   and the required secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides a means of
   restricting access for specific NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   o  ietf-i2nsf-policy-rule-for-nsf: An attacker may provide incorrect
      policy information to any target NSF by illegally modifying this
      subtree.
   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   o  ietf-i2nsf-policy-rule-for-nsf: An attacker may gather the
      security policy information of any target NSF and misuse that
      information for subsequent attacks.

8.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

   URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf

   Registrant Contact: The IESG.

   XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950].

   name: ietf-i2nsf-policy-rule-for-nsf

   namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf

   prefix: nsfintf

   reference: RFC XXXX

9.  Acknowledgments

   This work was supported by the Institute of Information &
   Communications Technology Planning & Evaluation (IITP) grant funded
   by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755,
   Cloud based Security Intelligence Technology Development for the
   Customized Security Service Provisioning).

10.  Contributors

   This document is the result of a group effort of the I2NSF working
   group.  Many people actively contributed to this document.  The
   following are considered co-authors:

   o  Hyoungshick Kim (Sungkyunkwan University)

   o  Daeyoung Hyun (Sungkyunkwan University)

   o  Dongjin Hong (Sungkyunkwan University)

   o  Liang Xia (Huawei)

   o  Tae-Jin Ahn (Korea Telecom)

   o  Se-Hui Lee (Korea Telecom)

11.  References

11.1.  Normative References

   [RFC1394]  Robinson, P., "Relationship of Telex Answerback Codes to
              Internet Domains", RFC 1394, DOI 10.17487/RFC1394, January
              1993.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3232]  Reynolds, J., "Assigned Numbers: RFC 1700 is Replaced by
              an On-line Database", RFC 3232, January 2002.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              DOI 10.17487/RFC3261, June 2002.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC768]   Postel, J., "User Datagram Protocol", RFC 768, August
              1980.

   [RFC791]   Postel, J., "Internet Protocol", RFC 791, September 1981.

   [RFC792]   Postel, J., "Internet Control Message Protocol", RFC 792,
              September 1981.

   [RFC793]   Postel, J., "Transmission Control Protocol", RFC 793,
              September 1981.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.
   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8177]  Lindem, A., Ed., Qu, Y., Yeung, D., Chen, I., and J.
              Zhang, "YANG Data Model for Key Chains", RFC 8177,
              DOI 10.17487/RFC8177, June 2017.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8431]  Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
              S., and N. Bahadur, "A YANG Data Model for the Routing
              Information Base (RIB)", RFC 8431, DOI 10.17487/RFC8431,
              September 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

11.2.  Informative References

   [draft-dong-i2nsf-asf-config]
              Pan, W. and L. Xia, "Configuration of Advanced Security
              Functions with I2NSF Security Controller", draft-dong-
              i2nsf-asf-config-01 (work in progress), October 2018.

   [draft-ietf-i2nsf-capability]
              Xia, L., Strassner, J., Basile, C., and D. Lopez,
              "Information Model of NSFs Capabilities", draft-ietf-
              i2nsf-capability-05 (work in progress), April 2019.

   [draft-ietf-i2nsf-capability-data-model]
              Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
              "I2NSF Capability YANG Data Model", draft-ietf-i2nsf-
              capability-data-model-05 (work in progress), July 2019.

   [draft-ietf-i2nsf-sdn-ipsec-flow-protection]
              Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
              Garcia, "Software-Defined Networking (SDN)-based IPsec
              Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-
              protection-07 (work in progress), August 2019.

   [draft-ietf-supa-generic-policy-info-model]
              Strassner, J., Halpern, J., and S. Meer, "Generic Policy
              Information Model for Simplified Use of Policy
              Abstractions (SUPA)", draft-ietf-supa-generic-policy-info-
              model-03 (work in progress), May 2017.

Appendix A.  Changes from draft-ietf-i2nsf-nsf-facing-interface-dm-07

   The following changes are made from draft-ietf-i2nsf-nsf-facing-
   interface-dm-07:

   o  The version is revised according to the comments from Acee Lindem,
      who reviewed it as a YANG doctor.

Authors' Addresses

   Jinyong Tim Kim
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Jaehoon Paul Jeong
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon 34129
   Republic of Korea

   Phone: +82 42 860 6514
   EMail: pjs@etri.re.kr

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   EMail: linqiushi@huawei.com