I2NSF Working Group                                        J. Kim, Ed.
Internet-Draft                                           J. Jeong, Ed.
Intended status: Standards Track                Sungkyunkwan University
Expires: August 6, 2021                                         J. Park
                                                                   ETRI
                                                               S. Hares
                                                                 Q. Lin
                                                                 Huawei
                                                       February 2, 2021

     I2NSF Network Security Function-Facing Interface YANG Data Model
               draft-ietf-i2nsf-nsf-facing-interface-dm-11

Abstract

   This document defines a YANG data model for configuring security
   policy rules on Network Security Functions (NSF) in the Interface to
   Network Security Functions (I2NSF) framework.  The YANG data model in
   this document corresponds to the information model for NSF-Facing
   Interface in the I2NSF framework.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).
   Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 6, 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  YANG Tree Diagram
     3.1.  General I2NSF Security Policy Rule
     3.2.  Event Clause
     3.3.  Condition Clause
     3.4.  Action Clause
   4.  YANG Data Model of NSF-Facing Interface
     4.1.  YANG Module of NSF-Facing Interface
   5.  XML Configuration Examples of Low-Level Security Policy Rules
     5.1.  Security Requirement 1: Block Social Networking Service
           (SNS) Access during Business Hours
     5.2.  Security Requirement 2: Block Malicious VoIP/VoLTE
           Packets Coming to a Company
     5.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood
           Attacks on a Company Web Server
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgments
   9.  Contributors
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020][RFC7950] data model for
   security policy rule configuration of Network Security Functions
   (NSF).  The YANG data model in this document is based on the
   information model in [I-D.ietf-i2nsf-capability-data-model] for the
   NSF-Facing Interface in the Interface to Network Security Functions
   (I2NSF) architecture [RFC8329].  The YANG data model in this document
   focuses on security policy configuration for generic network security
   functions (e.g., firewall, web filter, and Distributed-Denial-of-
   Service (DDoS) attack mitigator)
   [I-D.ietf-i2nsf-capability-data-model].  Security policy
   configuration for advanced network security functions, such as
   Intrusion Prevention System (IPS) and anti-virus, is out of the scope
   of this document [I-D.ietf-i2nsf-capability-data-model].
   This YANG data model uses an "Event-Condition-Action" (ECA) policy
   model that is used as the basis for the design of I2NSF Policy
   described in [RFC8329] and [I-D.ietf-i2nsf-capability-data-model].

   The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this
   document provides the configuration of the following features:

   o  A general security policy rule of a generic network security
      function.

   o  An event clause of a generic network security function.

   o  A condition clause of a generic network security function.

   o  An action clause of a generic network security function.

2.  Terminology

   This document uses the terminology described in [RFC8329].

   This document follows the guidelines of [RFC8407], uses the common
   YANG types defined in [RFC6991], and adopts the Network Management
   Datastore Architecture (NMDA).  The meaning of the symbols in tree
   diagrams is defined in [RFC8340].

3.  YANG Tree Diagram

   This section shows a YANG tree diagram of generic network security
   functions.  Advanced network security functions, such as Intrusion
   Prevention System (IPS), Distributed-Denial-of-Service (DDoS) attack
   mitigator, and anti-virus [I-D.ietf-i2nsf-capability-data-model],
   are out of the scope of this document and can be defined in the
   future.

3.1.  General I2NSF Security Policy Rule

   This section shows a YANG tree diagram for a general I2NSF security
   policy rule for generic network security functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        +--rw system-policy* [system-policy-name]
           +--rw system-policy-name     string
           +--rw priority-usage?        identityref
           +--rw resolution-strategy?   identityref
           +--rw default-action?        identityref
           +--rw rules* [rule-name]
           |  +--rw rule-name                  string
           |  +--rw rule-description?          string
           |  +--rw rule-priority?             uint8
           |  +--rw rule-enable?               boolean
           |  +--rw rule-session-aging-time?   uint16
           |  +--rw rule-long-connection
           |  |  +--rw enable?     boolean
           |  |  +--rw duration?   uint16
           |  +--rw time-intervals
           |  |  +--rw absolute-time-interval
           |  |  |  +--rw start-time?   start-time-type
           |  |  |  +--rw end-time?     end-time-type
           |  |  +--rw periodic-time-interval
           |  |     +--rw day
           |  |     |  +--rw every-day?       boolean
           |  |     |  +--rw specific-day*    day-type
           |  |     +--rw month
           |  |        +--rw every-month?     boolean
           |  |        +--rw specific-month*  month-type
           |  +--rw event-clause-container
           |  |  ...
           |  +--rw condition-clause-container
           |  |  ...
           |  +--rw action-clause-container
           |     ...
           +--rw rule-group
              +--rw groups* [group-name]
                 +--rw group-name     string
                 +--rw rule-range
                 |  +--rw start-rule?   string
                 |  +--rw end-rule?     string
                 +--rw enable?        boolean
                 +--rw description?   string

           Figure 1: YANG Tree Diagram for Network Security Policy

   The system policy provides for multiple system policies in one NSF,
   and each system policy is used by one virtual instance of the NSF/
   device.  The system policy includes system policy name, priority
   usage, resolution strategy, default action, and rules.

   A resolution strategy is used to decide how to resolve conflicts that
   occur between the actions of the same or different policy rules that
   are matched and contained in a particular NSF.  The resolution
   strategy is defined as First Matching Rule (FMR), Last Matching Rule
   (LMR), Prioritized Matching Rule (PMR) with Errors (PMRE), and
   Prioritized Matching Rule with No Errors (PMRN).  The resolution
   strategy can be extended according to specific vendor action
   features.  The resolution strategy is described in detail in
   [I-D.ietf-i2nsf-capability-data-model].

   A default action is used to execute an I2NSF policy rule when no rule
   matches a packet.  The default action is defined as pass, drop,
   reject, alert, and mirror.
   The default action can be extended
   according to specific vendor action features.  The default action is
   described in detail in [I-D.ietf-i2nsf-capability-data-model].

   The rules include rule name, rule description, rule priority, rule
   enable, time zone, event clause container, condition clause
   container, and action clause container.

3.2.  Event Clause

   This section shows a YANG tree diagram for an event clause for a
   general I2NSF security policy rule for generic network security
   functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        +--rw system-policy* [system-policy-name]
           ...
           +--rw rules* [rule-name]
           |  ...
           |  +--rw event-clause-container
           |  |  +--rw event-clause-description?   string
           |  |  +--rw event-clauses
           |  |     +--rw system-event*   identityref
           |  |     +--rw system-alarm*   identityref
           |  +--rw condition-clause-container
           |  |  ...
           |  +--rw action-clause-container
           |     ...
           +--rw rule-group
              ...

              Figure 2: YANG Tree Diagram for an Event Clause

   An event clause is any important occurrence at a specific time of a
   change in the system being managed, and/or in the environment of the
   system being managed.  An event clause is used to trigger the
   evaluation of the condition clause of the I2NSF Policy Rule.  The
   event clause is defined as a system event and system alarm
   [I-D.ietf-i2nsf-nsf-monitoring-data-model].  The event clause can be
   extended according to specific vendor event features.  The event
   clause is described in detail in
   [I-D.ietf-i2nsf-capability-data-model].

3.3.  Condition Clause

   This section shows a YANG tree diagram for a condition clause for a
   general I2NSF security policy rule for generic network security
   functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        ...
        +--rw rules* [rule-name]
        |  ...
        |  +--rw event-clause-container
        |  |  ...
        |  +--rw condition-clause-container
        |  |  +--rw condition-clause-description?   string
        |  |  +--rw packet-security-ipv4-condition
        |  |  |  +--rw ipv4-description?   string
        |  |  |  +--rw pkt-sec-ipv4-header-length
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-header-length*   uint8
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-header-length*
        |  |  |  |                [start-ipv4-header-length end-ipv4-header-length]
        |  |  |  |           +--rw start-ipv4-header-length   uint8
        |  |  |  |           +--rw end-ipv4-header-length     uint8
        |  |  |  +--rw pkt-sec-ipv4-tos*   identityref
        |  |  |  +--rw pkt-sec-ipv4-total-length
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-total-length*   uint16
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-total-length*
        |  |  |  |                [start-ipv4-total-length end-ipv4-total-length]
        |  |  |  |           +--rw start-ipv4-total-length   uint16
        |  |  |  |           +--rw end-ipv4-total-length     uint16
        |  |  |  +--rw pkt-sec-ipv4-id*               uint16
        |  |  |  +--rw pkt-sec-ipv4-fragment-flags*   identityref
        |  |  |  +--rw pkt-sec-ipv4-fragment-offset
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-fragment-offset*   uint16
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-fragment-offset*
        |  |  |  |                [start-ipv4-fragment-offset end-ipv4-fragment-offset]
        |  |  |  |           +--rw start-ipv4-fragment-offset   uint16
        |  |  |  |           +--rw end-ipv4-fragment-offset     uint16
        |  |  |  +--rw pkt-sec-ipv4-ttl
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-ttl*   uint8
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-ttl* [start-ipv4-ttl end-ipv4-ttl]
        |  |  |  |           +--rw start-ipv4-ttl   uint8
        |  |  |  |           +--rw end-ipv4-ttl     uint8
        |  |  |  +--rw pkt-sec-ipv4-protocol*   identityref
        |  |  |  +--rw pkt-sec-ipv4-src
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-address* [ipv4]
        |  |  |  |     |     +--rw ipv4             inet:ipv4-address
        |  |  |  |     |     +--rw (subnet)?
        |  |  |  |     |        +--:(prefix-length)
        |  |  |  |     |        |  +--rw prefix-length?   uint8
        |  |  |  |     |        +--:(netmask)
        |  |  |  |     |           +--rw netmask?         yang:dotted-quad
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-address*
        |  |  |  |                [start-ipv4-address end-ipv4-address]
        |  |  |  |           +--rw start-ipv4-address   inet:ipv4-address
        |  |  |  |           +--rw end-ipv4-address     inet:ipv4-address
        |  |  |  +--rw pkt-sec-ipv4-dest
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv4-address* [ipv4]
        |  |  |  |     |     +--rw ipv4             inet:ipv4-address
        |  |  |  |     |     +--rw (subnet)?
        |  |  |  |     |        +--:(prefix-length)
        |  |  |  |     |        |  +--rw prefix-length?   uint8
        |  |  |  |     |        +--:(netmask)
        |  |  |  |     |           +--rw netmask?         yang:dotted-quad
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv4-address*
        |  |  |  |                [start-ipv4-address end-ipv4-address]
        |  |  |  |           +--rw start-ipv4-address   inet:ipv4-address
        |  |  |  |           +--rw end-ipv4-address     inet:ipv4-address
        |  |  |  +--rw pkt-sec-ipv4-ipopts*    identityref
        |  |  |  +--rw pkt-sec-ipv4-same-ip?   boolean
        |  |  |  +--rw pkt-sec-ipv4-geo-ip*    string
        |  |  +--rw packet-security-ipv6-condition
        |  |  |  +--rw ipv6-description?             string
        |  |  |  +--rw pkt-sec-ipv6-traffic-class*   identityref
        |  |  |  +--rw pkt-sec-ipv6-flow-label
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv6-flow-label*   uint32
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv6-flow-label*
        |  |  |  |                [start-ipv6-flow-label end-ipv6-flow-label]
        |  |  |  |           +--rw start-ipv6-flow-label   uint32
        |  |  |  |           +--rw end-ipv6-flow-label     uint32
        |  |  |  +--rw pkt-sec-ipv6-payload-length
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv6-payload-length*   uint16
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv6-payload-length*
        |  |  |  |                [start-ipv6-payload-length end-ipv6-payload-length]
        |  |  |  |           +--rw start-ipv6-payload-length   uint16
        |  |  |  |           +--rw end-ipv6-payload-length     uint16
        |  |  |  +--rw pkt-sec-ipv6-next-header*   identityref
        |  |  |  +--rw pkt-sec-ipv6-hop-limit
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv6-hop-limit*   uint8
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv6-hop-limit*
        |  |  |  |                [start-ipv6-hop-limit end-ipv6-hop-limit]
        |  |  |  |           +--rw start-ipv6-hop-limit   uint8
        |  |  |  |           +--rw end-ipv6-hop-limit     uint8
        |  |  |  +--rw pkt-sec-ipv6-src
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw ipv6-address* [ipv6]
        |  |  |  |     |     +--rw ipv6             inet:ipv6-address
        |  |  |  |     |     +--rw prefix-length?   uint8
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-ipv6-address*
        |  |  |  |                [start-ipv6-address end-ipv6-address]
        |  |  |  |           +--rw start-ipv6-address   inet:ipv6-address
        |  |  |  |           +--rw end-ipv6-address     inet:ipv6-address
        |  |  |  +--rw pkt-sec-ipv6-dest
        |  |  |     +--rw (match-type)?
        |  |  |        +--:(exact-match)
        |  |  |        |  +--rw ipv6-address* [ipv6]
        |  |  |        |     +--rw ipv6             inet:ipv6-address
        |  |  |        |     +--rw prefix-length?   uint8
        |  |  |        +--:(range-match)
        |  |  |           +--rw range-ipv6-address*
        |  |  |                   [start-ipv6-address end-ipv6-address]
        |  |  |              +--rw start-ipv6-address   inet:ipv6-address
        |  |  |              +--rw end-ipv6-address     inet:ipv6-address
        |  |  +--rw packet-security-tcp-condition
        |  |  |  +--rw tcp-description?   string
        |  |  |  +--rw pkt-sec-tcp-src-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-tcp-dest-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-tcp-flags*   identityref
        |  |  +--rw packet-security-udp-condition
        |  |  |  +--rw udp-description?   string
        |  |  |  +--rw pkt-sec-udp-src-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-udp-dest-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-udp-total-length
        |  |  |     +--rw (match-type)?
        |  |  |        +--:(exact-match)
        |  |  |        |  +--rw udp-total-length*   uint32
        |  |  |        +--:(range-match)
        |  |  |           +--rw range-udp-total-length*
        |  |  |                   [start-udp-total-length end-udp-total-length]
        |  |  |              +--rw start-udp-total-length   uint32
        |  |  |              +--rw end-udp-total-length     uint32
        |  |  +--rw packet-security-sctp-condition
        |  |  |  +--rw sctp-description?   string
        |  |  |  +--rw pkt-sec-sctp-src-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-sctp-dest-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-sctp-verification-tag*   uint32
        |  |  |  +--rw pkt-sec-sctp-chunk-type*         uint8
        |  |  +--rw packet-security-dccp-condition
        |  |  |  +--rw dccp-description?   string
        |  |  |  +--rw pkt-sec-dccp-src-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-dccp-dest-port-num
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(exact-match)
        |  |  |  |     |  +--rw port-num*   inet:port-number
        |  |  |  |     +--:(range-match)
        |  |  |  |        +--rw range-port-num* [start-port-num end-port-num]
        |  |  |  |           +--rw start-port-num   inet:port-number
        |  |  |  |           +--rw end-port-num     inet:port-number
        |  |  |  +--rw pkt-sec-dccp-service-code*   uint32
        |  |  +--rw packet-security-icmp-condition
        |  |  |  +--rw icmp-description?             string
        |  |  |  +--rw pkt-sec-icmp-type-and-code*   identityref
        |  |  +--rw packet-security-url-category-condition
        |  |  |  +--rw url-category-description?   string
        |  |  |  +--rw pre-defined-category*       string
        |  |  |  +--rw user-defined-category*      string
        |  |  +--rw packet-security-voice-condition
        |  |  |  +--rw voice-description?       string
        |  |  |  +--rw pkt-sec-src-voice-id*    string
        |  |  |  +--rw pkt-sec-dest-voice-id*   string
        |  |  |  +--rw pkt-sec-user-agent*      string
        |  |  +--rw packet-security-ddos-condition
        |  |  |  +--rw ddos-description?           string
        |  |  |  +--rw pkt-sec-alert-packet-rate?   uint32
        |  |  |  +--rw pkt-sec-alert-flow-rate?     uint32
        |  |  |  +--rw pkt-sec-alert-byte-rate?     uint32
        |  |  +--rw packet-security-payload-condition
        |  |  |  +--rw packet-payload-description?   string
        |  |  |  +--rw pkt-payload-content*          string
        |  |  +--rw context-condition
        |  |     +--rw context-description?   string
        |  |     +--rw application-condition
        |  |     |  +--rw application-description?   string
        |  |     |  +--rw application-object*        string
        |  |     |  +--rw application-group*         string
        |  |     |  +--rw application-label*         string
        |  |     |  +--rw category
        |  |     |     +--rw application-category*
        |  |     |             [name application-subcategory]
        |  |     |        +--rw name                      string
        |  |     |        +--rw application-subcategory   string
        |  |     +--rw target-condition
        |  |     |  +--rw target-description?   string
        |  |     |  +--rw device-sec-context-cond
        |  |     |     +--rw target-device*   identityref
        |  |     +--rw users-condition
        |  |     |  +--rw users-description?   string
        |  |     |  +--rw user [user-name user-id]
        |  |     |  |  +--rw user-name*   string
        |  |     |  |  +--rw user-id*     uint32
        |  |     |  +--rw group [group-name group-id]
        |  |     |  |  +--rw group-name   string
        |  |     |  |  +--rw group-id     uint32
        |  |     |  +--rw security-group   string
        |  |     +--rw geography-context-condition
        |  |        +--rw geography-context-description?   string
        |  |        +--rw geography-location
        |  |           +--rw src-geography-location*    string
        |  |           +--rw dest-geography-location*   string
        |  +--rw action-clause-container
        |     ...
        +--rw rule-group
           ...
            Figure 3: YANG Tree Diagram for a Condition Clause

   A condition clause is defined as a set of attributes, features, and/
   or values that are to be compared with a set of known attributes,
   features, and/or values in order to determine whether or not the set
   of actions in that (imperative) I2NSF policy rule can be executed.
   A condition clause is classified as a condition of generic network
   security functions, advanced network security functions, or context.
   A condition clause of generic network security functions is defined
   as packet security IPv4 condition, packet security IPv6 condition,
   packet security TCP condition, and packet security ICMP condition.  A
   condition clause of advanced network security functions is defined
   as packet security URL category condition, packet security voice
   condition, packet security DDoS condition, or packet security payload
   condition.  A condition clause of context is defined as application
   condition, target condition, users condition, and geography
   condition.  Note that this document deals only with conditions of
   several advanced network security functions such as URL filter
   (i.e., web filter), VoIP/VoLTE security, and DDoS-attack mitigator.
   A condition clause of other advanced network security functions such
   as Intrusion Prevention System (IPS) and Data Loss Prevention (DLP)
   can be defined as an extension in the future.  A condition clause
   can be extended according to specific vendor condition features.  A
   condition clause is described in detail in
   [I-D.ietf-i2nsf-capability-data-model].

3.4.  Action Clause

   This section shows a YANG tree diagram for an action clause for a
   general I2NSF security policy rule for generic network security
   functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        ...
        +--rw rules* [rule-name]
        |  ...
        |  +--rw event-clause-container
        |  |  ...
        |  +--rw condition-clause-container
        |  |  ...
        |  +--rw action-clause-container
        |     +--rw action-clause-description?   string
        |     +--rw packet-action
        |     |  +--rw ingress-action?   identityref
        |     |  +--rw egress-action?    identityref
        |     |  +--rw log-action?       identityref
        |     +--rw flow-action
        |     |  +--rw ingress-action?   identityref
        |     |  +--rw egress-action?    identityref
        |     |  +--rw log-action?       identityref
        |     +--rw advanced-action
        |        +--rw content-security-control*    identityref
        |        +--rw attack-mitigation-control*   identityref
        +--rw rule-group
           ...

             Figure 4: YANG Tree Diagram for an Action Clause

   An action is used to control and monitor aspects of flow-based NSFs
   when the policy rule event and condition clauses are satisfied.  NSFs
   provide security services by executing various actions.  The action
   clause is defined as ingress action, egress action, or log action for
   packet action, flow action, and advanced action for additional
   inspection.  The packet action is an action for an individual packet
   such as an IP datagram.  The flow action is an action of a traffic
   flow such as the packets of a TCP session (e.g., an HTTP/HTTPS
   session).  The advanced action is an action of an advanced network
   security function (e.g., web filter and DDoS-attack mitigator) for
   either a packet or a traffic flow.  The action clause can be extended
   according to specific vendor action features.  The action clause is
   described in detail in [I-D.ietf-i2nsf-capability-data-model].

4.  YANG Data Model of NSF-Facing Interface

   The main objective of this data model is to provide both an
   information model and the corresponding YANG data model of I2NSF NSF-
   Facing Interface.  This interface can be used to deliver control and
   management messages between Security Controller and NSFs for the
   I2NSF low-level security policies.
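   As an added illustration of Sections 3.1, 3.3 and 3.4 (this script is
   not part of the draft or of any I2NSF implementation), the Python
   code below parses a constructed XML instance of the module and
   evaluates packets against it: exact-match versus range-match for
   IPv4 addresses and TCP ports, the FMR and LMR resolution strategies,
   and the default action when nothing matches.  The identity local
   names fmr, pass and drop, the packet summary dict, and all addresses
   and ports are assumptions made for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Namespace declared by the ietf-i2nsf-policy-rule-for-nsf module.
NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"

def q(tag):
    """Qualify a local node name with the module namespace for ElementTree."""
    return "{%s}%s" % (NS, tag)

def local(value):
    """Reduce an identityref such as 'nsfintf:drop' to its local name 'drop'."""
    return value.strip().split(":")[-1]

# Constructed instance data, not taken from the draft.  The identity values
# 'fmr', 'pass' and 'drop' are assumed local names for the resolution-strategy,
# default-action and ingress-action identities.
POLICY_XML = """<i2nsf-security-policy xmlns="%s"><system-policy>
  <system-policy-name>example-policy</system-policy-name>
  <resolution-strategy>nsfintf:fmr</resolution-strategy>
  <default-action>nsfintf:pass</default-action>
  <rules>
    <rule-name>allow-monitoring-hosts</rule-name><rule-enable>true</rule-enable>
    <condition-clause-container><packet-security-ipv4-condition>
      <pkt-sec-ipv4-src><range-ipv4-address>
        <start-ipv4-address>198.51.100.10</start-ipv4-address>
        <end-ipv4-address>198.51.100.20</end-ipv4-address>
      </range-ipv4-address></pkt-sec-ipv4-src>
    </packet-security-ipv4-condition></condition-clause-container>
    <action-clause-container><packet-action>
      <ingress-action>nsfintf:pass</ingress-action>
    </packet-action></action-clause-container>
  </rules>
  <rules>
    <rule-name>block-mgmt-ports</rule-name><rule-enable>true</rule-enable>
    <condition-clause-container>
      <packet-security-ipv4-condition><pkt-sec-ipv4-dest><ipv4-address>
        <ipv4>192.0.2.0</ipv4><prefix-length>24</prefix-length>
      </ipv4-address></pkt-sec-ipv4-dest></packet-security-ipv4-condition>
      <packet-security-tcp-condition><pkt-sec-tcp-dest-port-num><range-port-num>
        <start-port-num>8000</start-port-num><end-port-num>8100</end-port-num>
      </range-port-num></pkt-sec-tcp-dest-port-num></packet-security-tcp-condition>
    </condition-clause-container>
    <action-clause-container><packet-action>
      <ingress-action>nsfintf:drop</ingress-action>
    </packet-action></action-clause-container>
  </rules>
</system-policy></i2nsf-security-policy>""" % NS

def ipv4_matches(node, addr):
    """pkt-sec-ipv4-src/dest: absent node means no constraint on that field."""
    if node is None:
        return True
    ip = ipaddress.IPv4Address(addr)
    for e in node.findall(q("ipv4-address")):  # exact-match: ipv4 + subnet choice
        mask = e.findtext(q("prefix-length")) or e.findtext(q("netmask")) or "32"
        if ip in ipaddress.IPv4Network(e.findtext(q("ipv4")) + "/" + mask, strict=False):
            return True
    for r in node.findall(q("range-ipv4-address")):  # range-match: start..end
        if (ipaddress.IPv4Address(r.findtext(q("start-ipv4-address"))) <= ip
                <= ipaddress.IPv4Address(r.findtext(q("end-ipv4-address")))):
            return True
    return False

def port_matches(node, port):
    """pkt-sec-*-port-num: exact-match leaf-list port-num or range-port-num list."""
    if node is None:
        return True
    if any(int(p.text) == port for p in node.findall(q("port-num"))):
        return True
    return any(int(r.findtext(q("start-port-num"))) <= port <= int(r.findtext(q("end-port-num")))
               for r in node.findall(q("range-port-num")))

def rule_matches(rule, pkt):
    """pkt is a constructed packet summary: {'src', 'dst', 'sport', 'dport'}."""
    if rule.findtext(q("rule-enable"), "true") != "true":
        return False
    cond = rule.find(q("condition-clause-container"))
    v4 = None if cond is None else cond.find(q("packet-security-ipv4-condition"))
    tcp = None if cond is None else cond.find(q("packet-security-tcp-condition"))
    checks = [(v4, "pkt-sec-ipv4-src", ipv4_matches, pkt["src"]),
              (v4, "pkt-sec-ipv4-dest", ipv4_matches, pkt["dst"]),
              (tcp, "pkt-sec-tcp-src-port-num", port_matches, pkt["sport"]),
              (tcp, "pkt-sec-tcp-dest-port-num", port_matches, pkt["dport"])]
    return all(fn(None if parent is None else parent.find(q(tag)), value)
               for parent, tag, fn, value in checks)

def evaluate(policy_xml, pkt, strategy=None):
    """Return the ingress action for pkt: FMR/LMR resolve overlapping matches
    (PMRE/PMRN are not implemented); default-action applies when none match."""
    sp = ET.fromstring(policy_xml).find(q("system-policy"))
    strategy = strategy or local(sp.findtext(q("resolution-strategy"), "fmr"))
    matched = [r for r in sp.findall(q("rules")) if rule_matches(r, pkt)]
    if not matched:
        return local(sp.findtext(q("default-action"), "pass"))
    chosen = matched[0] if strategy == "fmr" else matched[-1]
    return local(chosen.findtext("%s/%s/%s" % (q("action-clause-container"),
                                               q("packet-action"), q("ingress-action"))))
```

   A packet from a monitoring host to a management port matches both
   rules, so the resolution strategy alone decides whether it is passed
   (FMR) or dropped (LMR).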
   This data model is designed to support the I2NSF framework that can
   be extended according to the security needs.  In other words, the
   model design is independent of the content and meaning of specific
   policies as well as the implementation approach.

   With the YANG data model of I2NSF NSF-Facing Interface, this document
   suggests use cases for security policy rules such as time-based
   firewall, web filter, VoIP/VoLTE security service, and DDoS-attack
   mitigation in Section 5.

4.1.  YANG Module of NSF-Facing Interface

   This section describes a YANG module of NSF-Facing Interface.  This
   YANG module imports from [RFC6991].  It makes references to [RFC0768]
   [RFC0791][RFC0792][RFC0793][RFC3261][RFC4443][RFC8200][RFC8329]
   [RFC8335][RFC8344][ISO-Country-Codes][IANA-Protocol-Numbers].

   <CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2021-02-02.yang"

   module ietf-i2nsf-policy-rule-for-nsf {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
     prefix
       nsfintf;

     import ietf-inet-types{
       prefix inet;
       reference "RFC 6991";
     }
     import ietf-yang-types{
       prefix yang;
       reference "RFC 6991";
     }

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        Editor: Jingyong Tim Kim

        Editor: Jaehoon Paul Jeong
        ";

     description
       "This module is a YANG module for Network Security Functions
        (NSF)-Facing Interface.

        Copyright (c) 2021 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).
        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision "2021-02-02"{
       description "The latest revision.";
       reference
         "RFC XXXX: I2NSF Network Security Function-Facing Interface
          YANG Data Model";
     }

     /*
      * Identities
      */

     identity priority-usage-type {
       description
         "Base identity for priority usage type.";
     }

     identity priority-by-order {
       base priority-usage-type;
       description
         "Identity for priority by order";
     }

     identity priority-by-number {
       base priority-usage-type;
       description
         "Identity for priority by number";
     }

     identity event {
       description
         "Base identity for policy events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
          Monitoring YANG Data Model - Event";
     }

     identity system-event {
       base event;
       description
         "Identity for system events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
          Monitoring YANG Data Model - System event";
     }

     identity system-alarm {
       base event;
       description
         "Identity for system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
          Monitoring YANG Data Model - System alarm";
     }

     identity access-violation {
       base system-event;
       description
         "Identity for access violation
          system events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
          Monitoring YANG Data Model - System event for access
          violation";
     }

     identity configuration-change {
       base system-event;
       description
         "Identity for configuration change
          system events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
          Monitoring YANG Data Model - System event for configuration
          change";
     }

     identity memory-alarm {
       base system-alarm;
       description
         "Identity for memory alarm
          system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
          Monitoring YANG Data Model - System alarm for memory";
     }

     identity cpu-alarm {
       base system-alarm;
       description
         "Identity for CPU alarm
          system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
          Monitoring YANG Data Model - System alarm for CPU";
     }

     identity disk-alarm {
       base system-alarm;
       description
         "Identity for disk alarm
          system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
          Monitoring YANG Data Model - System alarm for disk";
     }

     identity hardware-alarm {
       base system-alarm;
       description
         "Identity for hardware alarm
          system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
          Monitoring YANG Data Model - System alarm for hardware";
     }

     identity interface-alarm {
       base system-alarm;
       description
         "Identity for interface alarm
          system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
          Monitoring YANG Data Model - System alarm for interface";
     }

     identity type-of-service {
       description
         "Base identity for type of service of IPv4";
       reference
         "RFC 791: Internet Protocol - Type of Service";
     }

     identity traffic-class {
       description
         "Base identity for traffic-class of IPv6";
       reference
         "RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity normal {
       base type-of-service;
       base traffic-class;
       description
         "Identity for normal IPv4 TOS and IPv6 Traffic Class";
       reference
         "RFC 791: Internet Protocol - Type of Service
          RFC 8200: Internet Protocol, Version 6 (IPv6)
          Specification - Traffic Class";
     }

     identity minimize-cost {
       base type-of-service;
       base traffic-class;
       description
         "Identity for 'minimize monetary cost' IPv4
       TOS and IPv6 Traffic Class";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity maximize-reliability {
    base type-of-service;
    base traffic-class;
    description
      "Identity for 'maximize reliability' IPv4 TOS and
       IPv6 Traffic Class";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity maximize-throughput {
    base type-of-service;
    base traffic-class;
    description
      "Identity for 'maximize throughput' IPv4 TOS and
       IPv6 Traffic Class";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity minimize-delay {
    base type-of-service;
    base traffic-class;
    description
      "Identity for 'minimize delay' IPv4 TOS and
       IPv6 Traffic Class";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity maximize-security {
    base type-of-service;
    base traffic-class;
    description
      "Identity for 'maximize security' IPv4 TOS and
       IPv6 Traffic Class";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity fragmentation-flags-type {
    description
      "Base identity for fragmentation flags type";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity fragment {
    base fragmentation-flags-type;
    description
      "Identity for the 'More Fragments' (MF) flag";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity no-fragment {
    base fragmentation-flags-type;
    description
      "Identity for the 'Do not
       fragment' (DF) flag";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity reserved {
    base fragmentation-flags-type;
    description
      "Identity for the reserved flag bit";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity protocol {
    description
      "Base identity for the Protocol field of IPv4";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol";
  }

  identity next-header {
    description
      "Base identity for the Next Header field of IPv6";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity icmp {
    base protocol;
    base next-header;
    description
      "Identity for ICMP IPv4 protocol and
       IPv6 next header";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity igmp {
    base protocol;
    base next-header;
    description
      "Identity for IGMP IPv4 protocol and
       IPv6 next header";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity tcp {
    base protocol;
    base next-header;
    description
      "Identity for TCP IPv4 protocol and
       IPv6 next header";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity igrp {
    base protocol;
    base next-header;
    description
      "Identity for IGRP IPv4 protocol
       and IPv6 next header";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity udp {
    base protocol;
    base next-header;
    description
      "Identity for UDP IPv4 protocol
       and IPv6 next header";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity gre {
    base protocol;
    base next-header;
    description
      "Identity for GRE IPv4 protocol
       and IPv6 next header";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity esp {
    base protocol;
    base next-header;
    description
      "Identity for ESP IPv4 protocol
       and IPv6 next header";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ah {
    base protocol;
    base next-header;
    description
      "Identity for AH IPv4 protocol
       and IPv6 next header";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity mobile {
    base protocol;
    base next-header;
    description
      "Identity for MOBILE (IP Mobility) IPv4 protocol
       and IPv6 next header";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity tlsp {
    base protocol;
    base next-header;
    description
      "Identity for TLSP IPv4 protocol
       and IPv6 next header";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next
       Header";
  }

  identity skip {
    base protocol;
    base next-header;
    description
      "Identity for SKIP IPv4 protocol
       and IPv6 next header";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ipv6-icmp {
    base protocol;
    base next-header;
    description
      "Identity for ICMPv6 (IPv6-ICMP) next header";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 4443: Internet Control Message Protocol (ICMPv6)
       for the Internet Protocol Version 6 (IPv6) Specification
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity eigrp {
    base protocol;
    base next-header;
    description
      "Identity for EIGRP IPv4 protocol
       and IPv6 next header";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ospf {
    base protocol;
    base next-header;
    description
      "Identity for OSPF IPv4 protocol
       and IPv6 next header";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity l2tp {
    base protocol;
    base next-header;
    description
      "Identity for L2TP IPv4 protocol
       and IPv6 next header";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ipopts {
    description
      "Base identity for IP options";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity rr {
    base ipopts;
    description
      "Identity for 'Record Route' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity eol {
    base ipopts;
    description
      "Identity for 'End of Option List' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity nop {
    base ipopts;
    description
      "Identity for 'No Operation' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity ts {
    base ipopts;
    description
      "Identity for 'Timestamp' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity sec {
    base ipopts;
    description
      "Identity for 'Security' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity esec {
    base ipopts;
    description
      "Identity for 'Extended Security' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity lsrr {
    base ipopts;
    description
      "Identity for 'Loose Source and Record Route' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity ssrr {
    base ipopts;
    description
      "Identity for 'Strict Source and Record Route' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity satid {
    base ipopts;
    description
      "Identity for 'Stream Identifier' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity any {
    base ipopts;
    description
      "Identity for any IP option
       included in an IPv4 packet";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity tcp-flags {
    description
      "Base identity for TCP flags";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity cwr {
    base tcp-flags;
    description
      "Identity for 'Congestion Window Reduced' TCP flag,
       defined by the Explicit Congestion Notification
       extension to TCP";
    reference
      "RFC 793: Transmission Control
       Protocol - Flags
       RFC 3168: The Addition of Explicit Congestion
       Notification (ECN) to IP";
  }

  identity ecn {
    base tcp-flags;
    description
      "Identity for 'ECN-Echo' (ECE) TCP flag,
       defined by the Explicit Congestion Notification
       extension to TCP";
    reference
      "RFC 793: Transmission Control Protocol - Flags
       RFC 3168: The Addition of Explicit Congestion
       Notification (ECN) to IP";
  }

  identity urg {
    base tcp-flags;
    description
      "Identity for 'Urgent' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity ack {
    base tcp-flags;
    description
      "Identity for 'Acknowledgment' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity psh {
    base tcp-flags;
    description
      "Identity for 'Push' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity rst {
    base tcp-flags;
    description
      "Identity for 'Reset' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity syn {
    base tcp-flags;
    description
      "Identity for 'Synchronize' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity fin {
    base tcp-flags;
    description
      "Identity for 'Finish' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity icmp-type {
    description
      "Base identity for ICMP message types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity echo-reply {
    base icmp-type;
    description
      "Identity for 'Echo Reply' ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-unreachable {
    base icmp-type;
    description
      "Identity for 'Destination Unreachable'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect {
    base icmp-type;
    description
      "Identity for 'Redirect' ICMP message type";
    reference
      "RFC
       792: Internet Control Message Protocol";
  }

  identity echo {
    base icmp-type;
    description
      "Identity for 'Echo' ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity router-advertisement {
    base icmp-type;
    description
      "Identity for 'Router Advertisement'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity router-solicitation {
    base icmp-type;
    description
      "Identity for 'Router Solicitation'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity time-exceeded {
    base icmp-type;
    description
      "Identity for 'Time Exceeded' ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity parameter-problem {
    base icmp-type;
    description
      "Identity for 'Parameter Problem'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity timestamp {
    base icmp-type;
    description
      "Identity for 'Timestamp' ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity timestamp-reply {
    base icmp-type;
    description
      "Identity for 'Timestamp Reply'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity datagram-conversion-error {
    base icmp-type;
    description
      "Identity for 'Datagram Conversion Error'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity experimental-mobility-protocols {
    base icmp-type;
    description
      "Identity for 'Experimental Mobility Protocols'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity extended-echo-request {
    base icmp-type;
    description
      "Identity for 'Extended Echo Request'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity extended-echo-reply {
    base icmp-type;
    description
      "Identity for 'Extended Echo Reply'
       ICMP message type";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity net-unreachable {
    base icmp-type;
    description
      "Identity for net unreachable
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity host-unreachable {
    base icmp-type;
    description
      "Identity for host unreachable
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity protocol-unreachable {
    base icmp-type;
    description
      "Identity for protocol unreachable
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity port-unreachable {
    base icmp-type;
    description
      "Identity for port unreachable
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity fragment-set {
    base icmp-type;
    description
      "Identity for 'fragmentation needed and DF set'
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity source-route-failed {
    base icmp-type;
    description
      "Identity for source route failed
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-network-unknown {
    base icmp-type;
    description
      "Identity for destination network unknown
       in destination unreachable types";
    reference
      "RFC 792: Internet
       Control Message Protocol";
  }

  identity destination-host-unknown {
    base icmp-type;
    description
      "Identity for destination host unknown
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity source-host-isolated {
    base icmp-type;
    description
      "Identity for source host isolated
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity communication-prohibited-with-destination-network {
    base icmp-type;
    description
      "Identity for which communication with destination network
       is administratively prohibited in destination unreachable
       types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity communication-prohibited-with-destination-host {
    base icmp-type;
    description
      "Identity for which communication with destination host
       is administratively prohibited in destination unreachable
       types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-network-unreachable-for-tos {
    base icmp-type;
    description
      "Identity for destination network unreachable
       for type of service in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-host-unreachable-for-tos {
    base icmp-type;
    description
      "Identity for destination host unreachable
       for type of service in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity communication-prohibited {
    base icmp-type;
    description
      "Identity for communication administratively prohibited
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity host-precedence-violation {
    base icmp-type;
    description
      "Identity for host precedence violation
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity precedence-cutoff-in-effect {
    base icmp-type;
    description
      "Identity for precedence cutoff in effect
       in destination unreachable types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect-datagram-for-the-network {
    base icmp-type;
    description
      "Identity for redirect datagram for the network
       (or subnet) in redirect types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect-datagram-for-the-host {
    base icmp-type;
    description
      "Identity for redirect datagram for the host
       in redirect types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect-datagram-for-the-tos-and-network {
    base icmp-type;
    description
      "Identity for redirect datagram for the type of
       service and network in redirect types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect-datagram-for-the-tos-and-host {
    base icmp-type;
    description
      "Identity for redirect datagram for the type of
       service and host in redirect types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity normal-router-advertisement {
    base icmp-type;
    description
      "Identity for normal router advertisement
       in router advertisement types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity does-not-route-common-traffic {
    base icmp-type;
    description
      "Identity for does not route common traffic
       in router advertisement types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity time-to-live-exceeded-in-transit {
    base icmp-type;
    description
      "Identity for time to live exceeded in transit
       in time exceeded types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity fragment-reassembly-time-exceeded {
    base icmp-type;
    description
      "Identity for fragment reassembly time exceeded
       in time exceeded types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity pointer-indicates-the-error {
    base icmp-type;
    description
      "Identity for pointer indicates the error
       in parameter problem types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity missing-a-required-option {
    base icmp-type;
    description
      "Identity for missing a required option
       in parameter problem types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity bad-length {
    base icmp-type;
    description
      "Identity for bad length
       in parameter problem types";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity bad-spi {
    base icmp-type;
    description
      "Identity for bad SPI
       in security failures types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 2521: ICMP Security Failures Messages";
  }

  identity authentication-failed {
    base icmp-type;
    description
      "Identity for authentication failed
       in security failures types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 2521: ICMP Security Failures Messages";
  }

  identity decompression-failed {
    base icmp-type;
    description
      "Identity for decompression failed
       in security failures types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 2521: ICMP Security Failures Messages";
  }

  identity decryption-failed {
    base icmp-type;
    description
      "Identity for decryption failed
       in security failures types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 2521: ICMP Security Failures Messages";
  }

  identity need-authentication {
    base icmp-type;
    description
      "Identity for need authentication
       in security failures types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 2521: ICMP Security Failures Messages";
  }

  identity
need-authorization {
    base icmp-type;
    description
      "Identity for need authorization
       in security failures types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 2521: ICMP Security Failures Messages";
  }

  identity req-no-error {
    base icmp-type;
    description
      "Identity for request with no error
       in extended echo request types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity rep-no-error {
    base icmp-type;
    description
      "Identity for reply with no error
       in extended echo reply types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity malformed-query {
    base icmp-type;
    description
      "Identity for malformed query
       in extended echo reply types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity no-such-interface {
    base icmp-type;
    description
      "Identity for no such interface
       in extended echo reply types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity no-such-table-entry {
    base icmp-type;
    description
      "Identity for no such table entry
       in extended echo reply types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity multiple-interfaces-satisfy-query {
    base icmp-type;
    description
      "Identity for multiple interfaces satisfy query
       in extended echo reply types";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity target-device {
    description
      "Base identity for target devices";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model";
  }

  identity computer {
    base target-device;
    description
      "Identity for computer such as personal computer (PC)
       and server";
  }

  identity mobile-phone {
    base target-device;
    description
      "Identity for mobile phone such as smartphone and
       cellphone";
  }

  identity voip-volte-phone {
    base target-device;
    description
      "Identity for VoIP/VoLTE phone";
  }

  identity tablet {
    base target-device;
    description
      "Identity for tablet";
  }

  identity network-infrastructure-device {
    base target-device;
    description
      "Identity for network infrastructure devices
       such as switch, router, and access point";
  }

  identity iot {
    base target-device;
    description
      "Identity for IoT (Internet of Things) device";
  }

  identity vehicle {
    base target-device;
    description
      "Identity for vehicle that connects to and shares
       data through the Internet";
  }

  identity content-security-control {
    description
      "Base identity for content security control";
    reference
      "RFC 8329: Framework for Interface to
       Network Security Functions - Flow-Based
       NSF Capability Characterization
       draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model";
  }

  identity firewall {
    base content-security-control;
    description
      "Identity for firewall that monitors
       incoming and outgoing network traffic
       and permits or blocks data packets based
       on a set of security rules";
  }

  identity antivirus {
    base content-security-control;
    description
      "Identity for antivirus that prevents,
       scans, detects and deletes viruses
       from a computer";
  }

  identity ips {
    base content-security-control;
    description
      "Identity for IPS (Intrusion Prevention System)
       that prevents malicious activity within a
       network";
  }

  identity ids {
    base content-security-control;
    description
      "Identity for IDS (Intrusion Detection System)
       that detects malicious activity within a network";
  }

  identity url-filtering {
    base content-security-control;
    description
      "Identity for URL filtering that
       limits access by comparing the web traffic's URL
       with the URLs for web filtering in a database";
  }

  identity mail-filtering {
    base content-security-control;
    description
      "Identity for mail filtering that
       filters out a malicious email message by
       comparing its sender email address with the email
       addresses of malicious users in a database";
  }

  identity file-blocking {
    base content-security-control;
    description
      "Identity for file blocking that blocks the
       download or upload of malicious files with the
       information of suspicious files in a database";
  }

  identity pkt-capture {
    base content-security-control;
    description
      "Identity for packet capture that
       intercepts a packet that is crossing or moving
       over a specific network";
  }

  identity application-control {
    base content-security-control;
    description
      "Identity for application control that
       filters out the packets of malicious applications
       with the information of those applications in a
       database";
  }

  identity voip-volte {
    base content-security-control;
    description
      "Identity for VoIP/VoLTE security service that
       filters out the packets of malicious users
       with a blacklist of malicious users in a database";
  }

  identity attack-mitigation-control {
    description
      "Base identity for attack mitigation control";
    reference
      "RFC 8329: Framework for Interface to
       Network Security Functions - Flow-Based
       NSF Capability Characterization
       draft-ietf-i2nsf-capability-data-model-15:
       I2NSF
       Capability YANG Data Model";
  }

  identity syn-flood {
    base attack-mitigation-control;
    description
      "Identity for syn flood
       that mitigates the SYN flood attack";
  }

  identity udp-flood {
    base attack-mitigation-control;
    description
      "Identity for udp flood
       that mitigates the UDP flood attack";
  }

  identity icmp-flood {
    base attack-mitigation-control;
    description
      "Identity for icmp flood
       that mitigates the ICMP flood attack";
  }

  identity ip-frag-flood {
    base attack-mitigation-control;
    description
      "Identity for ip frag flood
       that mitigates the IP fragmentation flood attack";
  }

  identity http-and-https-flood {
    base attack-mitigation-control;
    description
      "Identity for http and https flood
       that mitigates the HTTP and HTTPS flood attack";
  }

  identity dns-flood {
    base attack-mitigation-control;
    description
      "Identity for dns flood
       that mitigates the DNS flood attack";
  }

  identity dns-amp-flood {
    base attack-mitigation-control;
    description
      "Identity for dns amp flood
       that mitigates the DNS amplification flood attack";
  }

  identity ntp-amp-flood {
    base attack-mitigation-control;
    description
      "Identity for ntp amp flood
       that mitigates the NTP amplification flood attack";
  }

  identity ssl-ddos {
    base attack-mitigation-control;
    description
      "Identity for ssl ddos
       that mitigates the SSL DDoS attack";
  }

  identity ip-sweep {
    base attack-mitigation-control;
    description
      "Identity for ip sweep
       that mitigates the IP sweep attack";
  }

  identity port-scanning {
    base attack-mitigation-control;
    description
      "Identity for port scanning
       that mitigates the port scanning attack";
  }

  identity ping-of-death {
    base attack-mitigation-control;
    description
      "Identity for ping-of-death
       that
       mitigates the ping-of-death attack";
  }

  identity teardrop {
    base attack-mitigation-control;
    description
      "Identity for teardrop
       that mitigates the teardrop attack";
  }

  identity oversized-icmp {
    base attack-mitigation-control;
    description
      "Identity for oversized icmp
       that mitigates the oversized ICMP attack";
  }

  identity tracert {
    base attack-mitigation-control;
    description
      "Identity for tracert
       that mitigates the tracert (traceroute) attack";
  }

  identity ingress-action {
    description
      "Base identity for ingress action";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Ingress Action";
  }

  identity egress-action {
    description
      "Base identity for egress action";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Egress Action";
  }

  identity default-action {
    description
      "Base identity for default action";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Default Action";
  }

  identity pass {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for pass";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Actions and
       Default Action";
  }

  identity drop {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for drop";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Actions and
       Default Action";
  }

  identity reject {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for reject";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Actions and
       Default Action";
  }

  identity alert {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for alert";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Actions and
       Default Action";
  }

  identity mirror {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for mirror";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Actions and
       Default Action";
  }

  identity log-action {
    description
      "Base identity for log action";
  }

  identity rule-log {
    base log-action;
    description
      "Identity for rule log";
  }

  identity session-log {
    base log-action;
    description
      "Identity for session log";
  }

  identity invoke-signaling {
    base egress-action;
    description
      "Identity for invoke signaling";
  }

  identity tunnel-encapsulation {
    base egress-action;
    description
      "Identity for tunnel encapsulation";
  }

  identity forwarding {
    base egress-action;
    description
      "Identity for forwarding";
  }

  identity redirection {
    base egress-action;
    description
      "Identity for redirection";
  }

  identity resolution-strategy {
    description
      "Base identity for resolution strategy";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Resolution Strategy";
  }

  identity fmr {
    base resolution-strategy;
    description
      "Identity for First Matching Rule (FMR)";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Resolution Strategy";
  }

  identity lmr {
    base resolution-strategy;
    description
      "Identity for Last Matching Rule (LMR)";
    reference
"draft-ietf-i2nsf-capability-data-model-15: 2189 I2NSF Capability YANG Data Model - Resolution Strategy"; 2190 } 2192 identity pmr { 2193 base resolution-strategy; 2194 description 2195 "Identity for Prioritized Matching Rule (PMR)"; 2196 reference 2197 "draft-ietf-i2nsf-capability-data-model-15: 2198 I2NSF Capability YANG Data Model - Resolution Strategy"; 2199 } 2201 identity pmre { 2202 base resolution-strategy; 2203 description 2204 "Identity for Prioritized Matching Rule 2205 with Errors (PMRE)"; 2206 reference 2207 "draft-ietf-i2nsf-capability-data-model-15: 2208 I2NSF Capability YANG Data Model - Resolution Strategy"; 2209 } 2211 identity pmrn { 2212 base resolution-strategy; 2213 description 2214 "Identity for Prioritized Matching Rule 2215 with No Errors (PMRN)"; 2216 reference 2217 "draft-ietf-i2nsf-capability-data-model-15: 2218 I2NSF Capability YANG Data Model - Resolution Strategy"; 2219 } 2221 /* 2222 * Typedefs 2223 */ 2225 typedef start-time-type { 2226 type union { 2227 type string { 2228 pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' 2229 + '(Z|[\+\-]\d{2}:\d{2})'; 2230 } 2232 type enumeration { 2233 enum right-away { 2234 description 2235 "Immediate rule execution 2236 in the system."; 2237 } 2238 } 2239 } 2241 description 2242 "Start time when the rules are applied."; 2243 } 2245 typedef end-time-type { 2246 type union { 2247 type string { 2248 pattern '\d{2}:\d{2}:\d{2}(\.\d+)?' 
2249 + '(Z|[\+\-]\d{2}:\d{2})'; 2250 } 2252 type enumeration { 2253 enum infinitely { 2254 description 2255 "Infinite rule execution 2256 in the system."; 2257 } 2258 } 2259 } 2260 description 2261 "End time when the rules are applied."; 2262 } 2264 typedef day-type { 2265 type enumeration { 2266 enum sunday { 2267 description 2268 "Sunday for periodic day"; 2269 } 2270 enum monday { 2271 description 2272 "Monday for periodic day"; 2273 } 2274 enum tuesday { 2275 description 2276 "Tuesday for periodic day"; 2277 } 2278 enum wednesday { 2279 description 2280 "Wednesday for periodic day"; 2281 } 2282 enum thursday { 2283 description 2284 "Thursday for periodic day"; 2285 } 2286 enum friday { 2287 description 2288 "Friday for periodic day"; 2289 } 2290 enum saturday { 2291 description 2292 "Saturday for periodic day"; 2293 } 2294 } 2295 description 2296 "This can be used for the rules to be applied 2297 according to periodic day"; 2298 } 2299 typedef month-type { 2300 type enumeration { 2301 enum january { 2302 description 2303 "January for periodic month"; 2304 } 2305 enum february { 2306 description 2307 "February for periodic month"; 2308 } 2309 enum march { 2310 description 2311 "March for periodic month"; 2312 } 2313 enum april { 2314 description 2315 "April for periodic month"; 2316 } 2317 enum may { 2318 description 2319 "May for periodic month"; 2320 } 2321 enum june { 2322 description 2323 "June for periodic month"; 2324 } 2325 enum july { 2326 description 2327 "July for periodic month"; 2328 } 2329 enum august { 2330 description 2331 "August for periodic month"; 2332 } 2333 enum september { 2334 description 2335 "September for periodic month"; 2336 } 2337 enum october { 2338 description 2339 "October for periodic month"; 2340 } 2341 enum november { 2342 description 2343 "November for periodic month"; 2344 } 2345 enum december { 2346 description 2347 "December for periodic month"; 2348 } 2349 } 2350 description 2351 "This can be used for the rules to be 
applied 2352 according to periodic month"; 2353 } 2355 /* 2356 * Groupings 2357 */ 2359 grouping ipv4 { 2360 list ipv4-address { 2361 key "ipv4"; 2362 description 2363 "The list of IPv4 addresses."; 2365 leaf ipv4 { 2366 type inet:ipv4-address; 2367 description 2368 "The value of IPv4 address."; 2369 } 2370 choice subnet { 2371 description 2372 "The subnet can be specified as a prefix length or 2373 netmask."; 2374 leaf prefix-length { 2375 type uint8 { 2376 range "0..32"; 2377 } 2378 description 2379 "The length of the subnet prefix."; 2380 } 2381 leaf netmask { 2382 type yang:dotted-quad; 2383 description 2384 "The subnet specified as a netmask."; 2385 } 2386 } 2387 } 2388 description 2389 "Grouping for an IPv4 address"; 2391 reference 2392 "RFC 791: Internet Protocol - IPv4 address 2393 RFC 8344: A YANG Data Model for IP Management"; 2394 } 2395 grouping ipv6 { 2396 list ipv6-address { 2397 key "ipv6"; 2398 description 2399 "The list of IPv6 addresses."; 2401 leaf ipv6 { 2402 type inet:ipv6-address; 2403 description 2404 "The value of IPv6 address."; 2405 } 2407 leaf prefix-length { 2408 type uint8 { 2409 range "0..128"; 2410 } 2411 description 2412 "The length of the subnet prefix."; 2413 } 2414 } 2415 description 2416 "Grouping for an IPv6 address"; 2418 reference 2419 "RFC 8200: Internet Protocol, Version 6 (IPv6) 2420 Specification - IPv6 address 2421 RFC 8344: A YANG Data Model for IP Management"; 2422 } 2424 grouping pkt-sec-ipv4 { 2425 choice match-type { 2426 description 2427 "There are two types of security policy IPv4 address 2428 matching - exact match and range match."; 2429 case exact-match { 2430 uses ipv4; 2431 description 2432 "Exact match for an IPv4 address."; 2433 } 2434 case range-match { 2435 list range-ipv4-address { 2436 key "start-ipv4-address end-ipv4-address"; 2437 leaf start-ipv4-address { 2438 type inet:ipv4-address; 2439 description 2440 "Starting IPv4 address for a range match."; 2441 } 2442 leaf end-ipv4-address { 2443 type 
inet:ipv4-address; 2444 description 2445 "Ending IPv4 address for a range match."; 2446 } 2447 description 2448 "Range match for an IPv4 address."; 2449 } 2450 } 2451 } 2452 description 2453 "Grouping for an IPv4 address."; 2455 reference 2456 "RFC 791: Internet Protocol - IPv4 address"; 2457 } 2459 grouping pkt-sec-ipv6 { 2460 choice match-type { 2461 description 2462 "There are two types of security policy IPv6 address 2463 matching - exact match and range match."; 2464 case exact-match { 2465 uses ipv6; 2466 description 2467 "Exact match for an IPv6 address."; 2468 } 2469 case range-match { 2470 list range-ipv6-address { 2471 key "start-ipv6-address end-ipv6-address"; 2472 leaf start-ipv6-address { 2473 type inet:ipv6-address; 2474 description 2475 "Starting IPv6 address for a range match."; 2476 } 2478 leaf end-ipv6-address { 2479 type inet:ipv6-address; 2480 description 2481 "Ending IPv6 address for a range match."; 2482 } 2483 description 2484 "Range match for an IPv6 address."; 2485 } 2486 } 2487 } 2488 description 2489 "Grouping for IPv6 address."; 2491 reference 2492 "RFC 8200: Internet Protocol, Version 6 (IPv6) 2493 Specification - IPv6 address"; 2494 } 2496 grouping pkt-sec-port-number { 2497 choice match-type { 2498 description 2499 "There are two types of security policy TCP/UDP port 2500 matching - exact match and range match."; 2501 case exact-match { 2502 leaf-list port-num { 2503 type inet:port-number; 2504 description 2505 "Exact match for a port number."; 2506 } 2507 } 2508 case range-match { 2509 list range-port-num { 2510 key "start-port-num end-port-num"; 2511 leaf start-port-num { 2512 type inet:port-number; 2513 description 2514 "Starting port number for a range match."; 2515 } 2516 leaf end-port-num { 2517 type inet:port-number; 2518 description 2519 "Ending port number for a range match."; 2520 } 2521 description 2522 "Range match for a port number."; 2523 } 2524 } 2525 } 2526 description 2527 "Grouping for port number."; 2529 reference 
2530 "RFC 793: Transmission Control Protocol - Port number 2531 RFC 768: User Datagram Protocol - Port Number"; 2532 } 2534 /* 2535 * Data nodes 2536 */ 2538 container i2nsf-security-policy { 2539 description 2540 "Container for security policy 2541 including a set of security rules according to certain logic, 2542 i.e., their similarity or mutual relations, etc. The network 2543 security policy can be applied to both the unidirectional 2544 and bidirectional traffic across the NSF. 2545 The I2NSF security policies use the Event-Condition-Action 2546 (ECA) policy model "; 2548 reference 2549 "RFC 8329: Framework for Interface to Network Security 2550 Functions - I2NSF Flow Security Policy Structure 2551 draft-ietf-i2nsf-capability-data-model-15: 2552 I2NSF Capability YANG Data Model - Design Principles and 2553 ECA Policy Model Overview"; 2555 list system-policy { 2556 key "system-policy-name"; 2557 description 2558 "The system-policy represents there could be multiple system 2559 policies in one NSF, and each system policy is used by 2560 one virtual instance of the NSF/device."; 2562 leaf system-policy-name { 2563 type string; 2564 description 2565 "The name of the policy. 
2566 This must be unique."; 2567 } 2569 leaf priority-usage { 2570 type identityref { 2571 base priority-usage-type; 2572 } 2573 default priority-by-order; 2574 description 2575 "Priority usage type for security policy rule: 2576 priority by order and priority by number"; 2577 } 2579 leaf resolution-strategy { 2580 type identityref { 2581 base resolution-strategy; 2582 } 2583 default fmr; 2584 description 2585 "The resolution strategies that can be used to 2586 specify how to resolve conflicts that occur between 2587 actions of the same or different policy rules that 2588 are matched and contained in this particular NSF"; 2590 reference 2591 "draft-ietf-i2nsf-capability-data-model-15: 2592 I2NSF Capability YANG Data Model - Resolution strategy"; 2593 } 2595 leaf default-action { 2596 type identityref { 2597 base default-action; 2598 } 2599 default alert; 2600 description 2601 "This default action can be used to specify a predefined 2602 action when no other alternative action was matched 2603 by the currently executing I2NSF Policy Rule. An analogy 2604 is the use of a default statement in a C switch statement."; 2606 reference 2607 "draft-ietf-i2nsf-capability-data-model-15: 2608 I2NSF Capability YANG Data Model - Default Action"; 2609 } 2611 list rules { 2612 key "rule-name"; 2613 description 2614 "This is a rule for network security functions."; 2616 leaf rule-name { 2617 type string; 2618 description 2619 "The name of the rule."; 2620 } 2622 leaf rule-description { 2623 type string; 2624 description 2625 "This description gives more information about 2626 rules."; 2627 } 2629 leaf rule-priority { 2630 type uint8 { 2631 range "1..255"; 2632 } 2633 description 2634 "The priority keyword comes with a mandatory 2635 numeric value which can range from 1 till 255. 2636 Note that a higher number means a higher priority"; 2637 } 2639 leaf rule-enable { 2640 type boolean; 2641 description 2642 "True is enable. 
2643 False is not enable."; 2644 } 2646 leaf session-aging-time { 2647 type uint16; 2648 units "second"; 2649 description 2650 "This is session aging time."; 2651 } 2653 container long-connection { 2654 description 2655 "This is long-connection"; 2657 leaf enable { 2658 type boolean; 2659 description 2660 "True is enable. 2661 False is not enable."; 2662 } 2664 leaf duration { 2665 type uint16; 2666 description 2667 "This is the duration of the long-connection."; 2668 } 2669 } 2671 container time-intervals { 2672 description 2673 "Time zone when the rules are applied"; 2674 container absolute-time-interval { 2675 description 2676 "Rule execution according to the absolute time. 2677 The absolute time interval means the exact time to 2678 start or end."; 2680 leaf start-time { 2681 type start-time-type; 2682 default right-away; 2683 description 2684 "Start time when the rules are applied"; 2685 } 2686 leaf end-time { 2687 type end-time-type; 2688 default infinitely; 2689 description 2690 "End time when the rules are applied"; 2691 } 2692 } 2694 container periodic-time-interval { 2695 description 2696 "Rule execution according to the periodic time. 
2697 The periodic time interval means the repeated time 2698 such as a day, week, or month."; 2700 container day { 2701 description 2702 "Rule execution according to day."; 2703 leaf every-day { 2704 type boolean; 2705 default true; 2706 description 2707 "Rule execution every day"; 2708 } 2710 leaf-list specific-day { 2711 when "../every-day = 'false'"; 2712 type day-type; 2713 description 2714 "Rule execution according 2715 to specific day"; 2716 } 2717 } 2719 container month { 2720 description 2721 "Rule execution according to month."; 2722 leaf every-month { 2723 type boolean; 2724 default true; 2725 description 2726 "Rule execution every day"; 2727 } 2728 leaf-list specific-month { 2729 when "../every-month = 'false'"; 2730 type month-type; 2731 description 2732 "Rule execution according 2733 to month day"; 2734 } 2735 } 2736 } 2737 } 2739 container event-clause-container { 2740 description 2741 "An event is defined as any important 2742 occurrence in time of a change in the system being 2743 managed, and/or in the environment of the system being 2744 managed. When used in the context of policy rules for 2745 a flow-based NSF, it is used to determine whether the 2746 Condition clause of the Policy Rule can be evaluated 2747 or not. 
Examples of an I2NSF event include time and 2748 user actions (e.g., logon, logoff, and actions that 2749 violate any ACL.)."; 2751 reference 2752 "RFC 8329: Framework for Interface to Network Security 2753 Functions - I2NSF Flow Security Policy Structure 2754 draft-ietf-i2nsf-capability-data-model-15: 2755 I2NSF Capability YANG Data Model - Design Principles and 2756 ECA Policy Model Overview 2757 draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF 2758 NSF Monitoring YANG Data Model - Alarms, Events, Logs, 2759 and Counters"; 2761 leaf event-clause-description { 2762 type string; 2763 description 2764 "Description for an event clause"; 2765 } 2767 container event-clauses { 2768 description 2769 "System Event Clause - either a system event or 2770 system alarm"; 2771 reference 2772 "RFC 8329: Framework for Interface to Network Security 2773 Functions - I2NSF Flow Security Policy Structure 2774 draft-ietf-i2nsf-capability-data-model-15: 2775 I2NSF Capability YANG Data Model - Design Principles and 2776 ECA Policy Model Overview 2777 draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF 2778 NSF Monitoring YANG Data Model - Alarms, Events, Logs, 2779 and Counters"; 2781 leaf-list system-event { 2782 type identityref { 2783 base system-event; 2784 } 2785 description 2786 "The security policy rule according to 2787 system events."; 2788 } 2790 leaf-list system-alarm { 2791 type identityref { 2792 base system-alarm; 2793 } 2794 description 2795 "The security policy rule according to 2796 system alarms."; 2797 } 2798 } 2799 } 2801 container condition-clause-container { 2802 description 2803 "A condition is defined as a set 2804 of attributes, features, and/or values that are to be 2805 compared with a set of known attributes, features, 2806 and/or values in order to determine whether or not the 2807 set of Actions in that (imperative) I2NSF Policy Rule 2808 can be executed or not. 
Examples of I2NSF Conditions 2809 include matching attributes of a packet or flow, and 2810 comparing the internal state of an NSF to a desired 2811 state."; 2812 reference 2813 "RFC 8329: Framework for Interface to Network Security 2814 Functions - I2NSF Flow Security Policy Structure 2815 draft-ietf-i2nsf-capability-data-model-15: 2816 I2NSF Capability YANG Data Model - Design Principles and 2817 ECA Policy Model Overview"; 2819 leaf condition-clause-description { 2820 type string; 2821 description 2822 "Description for a condition clause."; 2823 } 2824 container packet-security-ipv4-condition { 2825 description 2826 "The purpose of this container is to represent IPv4 2827 packet header information to determine if the set 2828 of policy actions in this ECA policy rule should be 2829 executed or not."; 2830 reference 2831 "RFC 791: Internet Protocol"; 2833 leaf ipv4-description { 2834 type string; 2835 description 2836 "ipv4 condition textual description."; 2837 } 2839 container pkt-sec-ipv4-header-length { 2840 choice match-type { 2841 description 2842 "Security policy IPv4 Header length match - 2843 exact match and range match."; 2844 case exact-match { 2845 leaf-list ipv4-header-length { 2846 type uint8 { 2847 range "5..15"; 2848 } 2849 description 2850 "Exact match for an IPv4 header length."; 2851 } 2852 } 2853 case range-match { 2854 list range-ipv4-header-length { 2855 key "start-ipv4-header-length 2856 end-ipv4-header-length"; 2857 leaf start-ipv4-header-length { 2858 type uint8 { 2859 range "5..15"; 2860 } 2861 description 2862 "Starting IPv4 header length for a range match."; 2863 } 2865 leaf end-ipv4-header-length { 2866 type uint8 { 2867 range "5..15"; 2868 } 2869 description 2870 "Ending IPv4 header length for a range match."; 2871 } 2872 description 2873 "Range match for an IPv4 header length."; 2874 } 2875 } 2876 } 2877 description 2878 "The security policy rule according to 2879 IPv4 header length."; 2880 reference 2881 "RFC 791: Internet Protocol 
- Header length"; 2882 } 2884 leaf-list pkt-sec-ipv4-tos { 2885 type identityref { 2886 base type-of-service; 2887 } 2888 description 2889 "The security policy rule according to 2890 IPv4 type of service."; 2891 reference 2892 "RFC 791: Internet Protocol - Type of service"; 2893 } 2895 container pkt-sec-ipv4-total-length { 2896 choice match-type { 2897 description 2898 "Security policy IPv4 total length matching 2899 - exact match and range match."; 2900 case exact-match { 2901 leaf-list ipv4-total-length { 2902 type uint16; 2903 description 2904 "Exact match for an IPv4 total length."; 2905 } 2906 } 2907 case range-match { 2908 list range-ipv4-total-length { 2909 key "start-ipv4-total-length end-ipv4-total-length"; 2910 leaf start-ipv4-total-length { 2911 type uint16; 2912 description 2913 "Starting IPv4 total length for a range match."; 2914 } 2915 leaf end-ipv4-total-length { 2916 type uint16; 2917 description 2918 "Ending IPv4 total length for a range match."; 2919 } 2920 description 2921 "Range match for an IPv4 total length."; 2922 } 2923 } 2924 } 2925 description 2926 "The security policy rule according to 2927 IPv4 total length."; 2928 reference 2929 "RFC 791: Internet Protocol - Total length"; 2930 } 2932 leaf-list pkt-sec-ipv4-id { 2933 type uint16; 2934 description 2935 "The security policy rule according to 2936 IPv4 identification."; 2937 reference 2938 "RFC 791: Internet Protocol - Identification"; 2939 } 2941 leaf-list pkt-sec-ipv4-fragment-flags { 2942 type identityref { 2943 base fragmentation-flags-type; 2944 } 2945 description 2946 "The security policy rule according to 2947 IPv4 fragment flags."; 2948 reference 2949 "RFC 791: Internet Protocol - Fragment flags"; 2950 } 2952 container pkt-sec-ipv4-fragment-offset { 2953 choice match-type { 2954 description 2955 "There are two types to configure a security 2956 policy for IPv4 fragment offset, such as exact match 2957 and range match."; 2958 case exact-match { 2959 leaf-list ipv4-fragment-offset { 
2960 type uint16 { 2961 range "0..16383"; 2962 } 2963 description 2964 "Exact match for an IPv4 fragment offset."; 2965 } 2966 } 2967 case range-match { 2968 list range-ipv4-fragment-offset { 2969 key "start-ipv4-fragment-offset 2970 end-ipv4-fragment-offset"; 2971 leaf start-ipv4-fragment-offset { 2972 type uint16 { 2973 range "0..16383"; 2974 } 2975 description 2976 "Starting IPv4 fragment offset for a range match."; 2977 } 2978 leaf end-ipv4-fragment-offset { 2979 type uint16 { 2980 range "0..16383"; 2981 } 2982 description 2983 "Ending IPv4 fragment offset for a range match."; 2984 } 2985 description 2986 "Range match for an IPv4 fragment offset."; 2987 } 2988 } 2989 } 2990 description 2991 "The security policy rule according to 2992 IPv4 fragment offset."; 2993 reference 2994 "RFC 791: Internet Protocol - Fragment offset"; 2995 } 2997 container pkt-sec-ipv4-ttl { 2998 choice match-type { 2999 description 3000 "There are two types to configure a security 3001 policy for IPv4 TTL, such as exact match 3002 and range match."; 3003 case exact-match { 3004 leaf-list ipv4-ttl { 3005 type uint8; 3006 description 3007 "Exact match for an IPv4 TTL."; 3008 } 3009 } 3010 case range-match { 3011 list range-ipv4-ttl { 3012 key "start-ipv4-ttl end-ipv4-ttl"; 3013 leaf start-ipv4-ttl { 3014 type uint8; 3015 description 3016 "Starting IPv4 TTL for a range match."; 3017 } 3018 leaf end-ipv4-ttl { 3019 type uint8; 3020 description 3021 "Ending IPv4 TTL for a range match."; 3022 } 3023 description 3024 "Range match for an IPv4 TTL."; 3025 } 3026 } 3027 } 3028 description 3029 "The security policy rule according to 3030 IPv4 time-to-live (TTL)."; 3031 reference 3032 "RFC 791: Internet Protocol - Time to live"; 3033 } 3035 leaf-list pkt-sec-ipv4-protocol { 3036 type identityref { 3037 base protocol; 3038 } 3039 description 3040 "The security policy rule according to 3041 IPv4 protocol."; 3042 reference 3043 "RFC 791: Internet Protocol - Protocol"; 3044 } 3046 container 
pkt-sec-ipv4-src { 3047 uses pkt-sec-ipv4; 3048 description 3049 "The security policy rule according to 3050 IPv4 source address."; 3051 reference 3052 "RFC 791: Internet Protocol - IPv4 Address"; 3053 } 3055 container pkt-sec-ipv4-dest { 3056 uses pkt-sec-ipv4; 3057 description 3058 "The security policy rule according to 3059 IPv4 destination address."; 3060 reference 3061 "RFC 791: Internet Protocol - IPv4 Address"; 3062 } 3063 leaf-list pkt-sec-ipv4-ipopts { 3064 type identityref { 3065 base ipopts; 3066 } 3067 description 3068 "The security policy rule according to 3069 IPv4 options."; 3070 reference 3071 "RFC 791: Internet Protocol - Options"; 3072 } 3074 leaf pkt-sec-ipv4-same-ip { 3075 type boolean; 3076 description 3077 "Match on packets with the same IPv4 source 3078 and IPv4 destination address."; 3079 } 3081 leaf-list pkt-sec-ipv4-geo-ip { 3082 type string; 3083 description 3084 "The geo-ip keyword enables you to match on 3085 source and destination IP addresses of network 3086 traffic and to see to which country it belongs."; 3087 reference 3088 "ISO 3166: Codes for the representation of 3089 names of countries and their subdivisions"; 3090 } 3091 } 3093 container packet-security-ipv6-condition { 3094 description 3095 "The purpose of this container is to represent 3096 IPv6 packet header information to determine 3097 if the set of policy actions in this ECA policy 3098 rule should be executed or not."; 3099 reference 3100 "RFC 8200: Internet Protocol, Version 6 (IPv6) 3101 Specification"; 3103 leaf ipv6-description { 3104 type string; 3105 description 3106 "This is description for ipv6 condition."; 3107 } 3109 leaf-list pkt-sec-ipv6-traffic-class { 3110 type identityref { 3111 base traffic-class; 3112 } 3113 description 3114 "The security policy rule according to 3115 IPv6 traffic class."; 3116 reference 3117 "RFC 8200: Internet Protocol, Version 6 (IPv6) 3118 Specification - Traffic class"; 3119 } 3121 container pkt-sec-ipv6-flow-label { 3122 choice 
match-type { 3123 description 3124 "There are two types to configure a security 3125 policy for IPv6 flow label, such as exact match 3126 and range match."; 3127 case exact-match { 3128 leaf-list ipv6-flow-label { 3129 type uint32 { 3130 range "0..1048575"; 3131 } 3132 description 3133 "Exact match for an IPv6 flow label."; 3134 } 3135 } 3136 case range-match { 3137 list range-ipv6-flow-label { 3138 key "start-ipv6-flow-label end-ipv6-flow-label"; 3139 leaf start-ipv6-flow-label { 3140 type uint32 { 3141 range "0..1048575"; 3142 } 3143 description 3144 "Starting IPv6 flow label for a range match."; 3145 } 3146 leaf end-ipv6-flow-label { 3147 type uint32 { 3148 range "0..1048575"; 3149 } 3150 description 3151 "Ending IPv6 flow label for a range match."; 3152 } 3153 description 3154 "Range match for an IPv6 flow label."; 3155 } 3156 } 3157 } 3158 description 3159 "The security policy rule according to 3160 IPv6 flow label."; 3161 reference 3162 "RFC 8200: Internet Protocol, Version 6 (IPv6) 3163 Specification - Flow label"; 3164 } 3166 container pkt-sec-ipv6-payload-length { 3167 choice match-type { 3168 description 3169 "There are two types to configure a security 3170 policy for IPv6 payload length, such as 3171 exact match and range match."; 3172 case exact-match { 3173 leaf-list ipv6-payload-length { 3174 type uint16; 3175 description 3176 "Exact match for an IPv6 payload length."; 3177 } 3178 } 3179 case range-match { 3180 list range-ipv6-payload-length { 3181 key "start-ipv6-payload-length 3182 end-ipv6-payload-length"; 3183 leaf start-ipv6-payload-length { 3184 type uint16; 3185 description 3186 "Starting IPv6 payload length for a range match."; 3187 } 3188 leaf end-ipv6-payload-length { 3189 type uint16; 3190 description 3191 "Ending IPv6 payload length for a range match."; 3192 } 3193 description 3194 "Range match for an IPv6 payload length."; 3195 } 3196 } 3197 } 3198 description 3199 "The security policy rule according to 3200 IPv6 payload length."; 3201 
reference 3202 "RFC 8200: Internet Protocol, Version 6 (IPv6) 3203 Specification - Payload length"; 3204 } 3205 leaf-list pkt-sec-ipv6-next-header { 3206 type identityref { 3207 base next-header; 3208 } 3209 description 3210 "The security policy rule according to 3211 IPv6 next header."; 3212 reference 3213 "RFC 8200: Internet Protocol, Version 6 (IPv6) 3214 Specification - Next header"; 3215 } 3217 container pkt-sec-ipv6-hop-limit { 3218 choice match-type { 3219 description 3220 "There are two types to configure a security 3221 policy for IPv6 hop limit, such as exact match 3222 and range match."; 3223 case exact-match { 3224 leaf-list ipv6-hop-limit { 3225 type uint8; 3226 description 3227 "Exact match for an IPv6 hop limit."; 3228 } 3229 } 3230 case range-match { 3231 list range-ipv6-hop-limit { 3232 key "start-ipv6-hop-limit end-ipv6-hop-limit"; 3233 leaf start-ipv6-hop-limit { 3234 type uint8; 3235 description 3236 "Start IPv6 hop limit for a range match."; 3237 } 3238 leaf end-ipv6-hop-limit { 3239 type uint8; 3240 description 3241 "End IPv6 hop limit for a range match."; 3242 } 3243 description 3244 "Range match for an IPv6 hop limit."; 3245 } 3246 } 3247 } 3248 description 3249 "The security policy rule according to 3250 IPv6 hop limit."; 3251 reference 3252 "RFC 8200: Internet Protocol, Version 6 (IPv6) 3253 Specification - Hop limit"; 3254 } 3256 container pkt-sec-ipv6-src { 3257 uses pkt-sec-ipv6; 3258 description 3259 "The security policy rule according to 3260 IPv6 source address."; 3261 reference 3262 "RFC 8200: Internet Protocol, Version 6 (IPv6) 3263 Specification - IPv6 address"; 3264 } 3266 container pkt-sec-ipv6-dest { 3267 uses pkt-sec-ipv6; 3268 description 3269 "The security policy rule according to 3270 IPv6 destination address."; 3271 reference 3272 "RFC 8200: Internet Protocol, Version 6 (IPv6) 3273 Specification - IPv6 address"; 3274 } 3276 } 3278 container packet-security-tcp-condition { 3279 description 3280 "The purpose of this 
container is to represent 3281 TCP packet header information to determine 3282 if the set of policy actions in this ECA policy 3283 rule should be executed or not."; 3284 reference 3285 "RFC 793: Transmission Control Protocol"; 3287 leaf tcp-description { 3288 type string; 3289 description 3290 "This is description for tcp condition."; 3291 } 3293 container pkt-sec-tcp-src-port-num { 3294 uses pkt-sec-port-number; 3295 description 3296 "The security policy rule according to 3297 tcp source port number."; 3298 reference 3299 "RFC 793: Transmission Control Protocol 3300 - Port number"; 3302 } 3304 container pkt-sec-tcp-dest-port-num { 3305 uses pkt-sec-port-number; 3306 description 3307 "The security policy rule according to 3308 tcp destination port number."; 3309 reference 3310 "RFC 793: Transmission Control Protocol 3311 - Port number"; 3312 } 3314 leaf-list pkt-sec-tcp-flags { 3315 type identityref { 3316 base tcp-flags; 3317 } 3318 description 3319 "The security policy rule according to 3320 tcp flags."; 3321 reference 3322 "RFC 793: Transmission Control Protocol 3323 - Flags"; 3324 } 3325 } 3327 container packet-security-udp-condition { 3328 description 3329 "The purpose of this container is to represent 3330 UDP packet header information to determine 3331 if the set of policy actions in this ECA policy 3332 rule should be executed or not."; 3333 reference 3334 "RFC 793: Transmission Control Protocol"; 3336 leaf udp-description { 3337 type string; 3338 description 3339 "This is description for udp condition."; 3340 } 3342 container pkt-sec-udp-src-port-num { 3343 uses pkt-sec-port-number; 3344 description 3345 "The security policy rule according to 3346 udp source port number."; 3347 reference 3348 "RFC 768: User Datagram Protocol 3349 - Total Length"; 3351 } 3353 container pkt-sec-udp-dest-port-num { 3354 uses pkt-sec-port-number; 3355 description 3356 "The security policy rule according to 3357 udp destination port number."; 3358 reference 3359 "RFC 768: User 
Datagram Protocol 3360 - Total Length"; 3361 } 3363 container pkt-sec-udp-total-length { 3364 choice match-type { 3365 description 3366 "There are two types to configure a security 3367 policy for udp sequence number, 3368 such as exact match and range match."; 3369 case exact-match { 3370 leaf-list udp-total-length { 3371 type uint32; 3372 description 3373 "Exact match for an udp-total-length."; 3374 } 3375 } 3376 case range-match { 3377 list range-udp-total-length { 3378 key "start-udp-total-length end-udp-total-length"; 3379 leaf start-udp-total-length { 3380 type uint32; 3381 description 3382 "Start udp total length for a range match."; 3383 } 3384 leaf end-udp-total-length { 3385 type uint32; 3386 description 3387 "End udp total length for a range match."; 3388 } 3389 description 3390 "Range match for a udp total length."; 3391 } 3392 } 3393 } 3394 description 3395 "The security policy rule according to 3396 udp total length."; 3397 reference 3398 "RFC 768: User Datagram Protocol 3399 - Total Length"; 3400 } 3401 } 3403 container packet-security-sctp-condition { 3404 description 3405 "The purpose of this container is to represent 3406 SCTP packet header information to determine 3407 if the set of policy actions in this ECA policy 3408 rule should be executed or not."; 3409 leaf sctp-description { 3410 type string; 3411 description 3412 "This is description for sctp condition."; 3413 } 3415 container pkt-sec-sctp-src-port-num { 3416 uses pkt-sec-port-number; 3417 description 3418 "The security policy rule according to 3419 sctp source port number."; 3420 reference 3421 "RFC 4960: Stream Control Transmission Protocol 3422 - Port number"; 3423 } 3425 container pkt-sec-sctp-dest-port-num { 3426 uses pkt-sec-port-number; 3427 description 3428 "The security policy rule according to 3429 sctp destination port number."; 3430 reference 3431 "RFC 4960: Stream Control Transmission Protocol 3432 - Total Length"; 3433 } 3435 leaf-list pkt-sec-sctp-verification-tag { 3436 
              type uint32;
              description
                "The security policy rule according to
                udp total length.";
              reference
                "RFC 4960: Stream Control Transmission Protocol
                - Verification Tag";
            }
            leaf-list pkt-sec-sctp-chunk-type {
              type uint8;
              description
                "The security policy rule according to
                sctp chunk type ID Value.";
              reference
                "RFC 4960: Stream Control Transmission Protocol
                - Chunk Type";
            }
          }

          container packet-security-dccp-condition {
            description
              "The purpose of this container is to represent
              DCCP packet header information to determine
              if the set of policy actions in this ECA policy
              rule should be executed or not.";
            leaf dccp-description {
              type string;
              description
                "This is description for dccp condition.";
            }

            container pkt-sec-dccp-src-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                dccp source port number.";
              reference
                "RFC 4340: Datagram Congestion Control Protocol (DCCP)
                - Port number";
            }

            container pkt-sec-dccp-dest-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                dccp destination port number.";
              reference
                "RFC 4340: Datagram Congestion Control Protocol (DCCP)
                - Port number";
            }

            leaf-list pkt-sec-dccp-service-code {
              type uint32;
              description
                "The security policy rule according to
                dccp service code.";
              reference
                "RFC 4340: Datagram Congestion Control Protocol (DCCP)
                - Service Codes
                RFC 5595: The Datagram Congestion Control Protocol (DCCP)
                Service Codes
                RFC 6335: Internet Assigned Numbers Authority (IANA)
                Procedures for the Management of the Service Name and
                Transport Protocol Port Number Registry - Service Code";
            }
          }

          container packet-security-icmp-condition {
            description
              "The purpose of this container is to represent
              ICMP packet header information to determine
              if the set of policy actions in this ECA policy
              rule should be executed or not.";
            reference
              "RFC 792: Internet Control Message Protocol
              RFC 8335: PROBE: A Utility for Probing Interfaces";

            leaf icmp-description {
              type string;
              description
                "This is description for icmp condition.";
            }

            leaf-list pkt-sec-icmp-type-and-code {
              type identityref {
                base icmp-type;
              }
              description
                "The security policy rule according to
                ICMP parameters.";
              reference
                "RFC 792: Internet Control Message Protocol
                RFC 8335: PROBE: A Utility for Probing Interfaces";
            }
          }

          container packet-security-url-category-condition {
            description
              "Condition for url category";
            leaf url-category-description {
              type string;
              description
                "This is description for the condition of a URL's
                category such as SNS sites, game sites, ecommerce
                sites, company sites, and university sites.";
            }

            leaf-list pre-defined-category {
              type string;
              description
                "This is pre-defined-category.";
            }
            leaf-list user-defined-category {
              type string;
              description
                "This is user-defined-category.";
            }
          }

          container packet-security-voice-condition {
            description
              "For the VoIP/VoLTE security system, a VoIP/
              VoLTE security system can monitor each
              VoIP/VoLTE flow and manage VoIP/VoLTE
              security rules controlled by a centralized
              server for VoIP/VoLTE security service
              (called VoIP IPS).  The VoIP/VoLTE security
              system controls each switch for the
              VoIP/VoLTE call flow management by
              manipulating the rules that can be added,
              deleted, or modified dynamically.";
            reference
              "RFC 3261: SIP: Session Initiation Protocol";

            leaf voice-description {
              type string;
              description
                "This is description for voice condition.";
            }

            leaf-list pkt-sec-src-voice-id {
              type string;
              description
                "The security policy rule according to
                a source voice ID for VoIP and VoLTE.";
            }

            leaf-list pkt-sec-dest-voice-id {
              type string;
              description
                "The security policy rule according to
                a destination voice ID for VoIP and VoLTE.";
            }

            leaf-list pkt-sec-user-agent {
              type string;
              description
                "The security policy rule according to
                a user agent for VoIP and VoLTE.";
            }
          }

          container packet-security-ddos-condition {
            description
              "Condition for DDoS attack.";

            leaf ddos-description {
              type string;
              description
                "This is description for ddos condition.";
            }

            leaf pkt-sec-alert-packet-rate {
              type uint32;
              units "pps";
              description
                "The alert rate of flood detection for
                packets per second (PPS) of an IP address.";
            }

            leaf pkt-sec-alert-flow-rate {
              type uint32;
              description
                "The alert rate of flood detection for
                flows per second of an IP address.";
            }

            leaf pkt-sec-alert-byte-rate {
              type uint32;
              units "BPS";
              description
                "The alert rate of flood detection for
                bytes per second of an IP address.";
            }
          }

          container packet-security-payload-condition {
            description
              "Condition for packet payload";
            leaf packet-payload-description {
              type string;
              description
                "This is description for payload condition.";
            }
            leaf-list pkt-payload-content {
              type string;
              description
                "This is a condition for packet payload content.";
            }
          }

          container context-condition {
            description
              "Condition for context";
            leaf context-description {
              type string;
              description
                "This is description for context condition.";
            }

            container application-condition {
              description
                "Condition for application";
              leaf application-description {
                type string;
                description
                  "This is description for application condition.";
              }
              leaf-list application-object {
                type string;
                description
                  "This is application object.";
              }
              leaf-list application-group {
                type string;
                description
                  "This is application group.";
              }
              leaf-list application-label {
                type string;
                description
                  "This is application label.";
              }
              container category {
                description
                  "This is application category";
                list application-category {
                  key "name application-subcategory";
                  description
                    "This is application category list";
                  leaf name {
                    type string;
                    description
                      "This is name for application category.";
                  }
                  leaf application-subcategory {
                    type string;
                    description
                      "This is application subcategory.";
                  }
                }
              }
            }

            container target-condition {
              description
                "Condition for target";
              leaf target-description {
                type string;
                description
                  "This is description for target condition.
                  Vendors can write instructions for the target
                  condition that the vendor made.";
              }

              container device-sec-context-cond {
                description
                  "The device attribute that can identify a device,
                  including the device type (i.e., router, switch,
                  pc, ios, or android) and the device's owner as
                  well.";

                leaf-list target-device {
                  type identityref {
                    base target-device;
                  }
                  description
                    "Leaf list for target devices";
                }
              }
            }

            container users-condition {
              description
                "Condition for users";
              leaf users-description {
                type string;
                description
                  "This is the description for users' condition.";
              }
              list user {
                description
                  "The user (or user group) information with which
                  network flow is associated: The user has many
                  attributes such as name, id, password, type,
                  authentication mode and so on.
                  id is often used in the security policy to
                  identify the user.
                  Besides, an NSF is aware of the IP address of the
                  user provided by a unified user management system
                  via network.  Based on name-address association,
                  an NSF is able to enforce the security functions
                  over the given user (or user group)";
                key "user-id";
                leaf user-id {
                  type uint32;
                  description
                    "The ID of the user.";
                }
                leaf user-name {
                  type string;
                  description
                    "The name of the user.";
                }
              }
              list group {
                description
                  "The user (or user group) information with which
                  network flow is associated: The user has many
                  attributes such as name, id, password, type,
                  authentication mode and so on.
                  id is often used in the security policy to
                  identify the user.
                  Besides, an NSF is aware of the IP address of the
                  user provided by a unified user management system
                  via network.  Based on name-address association,
                  an NSF is able to enforce the security functions
                  over the given user (or user group)";
                key "group-id";
                leaf group-id {
                  type uint32;
                  description
                    "The ID of the group.";
                }
                leaf group-name {
                  type string;
                  description
                    "The name of the group.";
                }
              }

              leaf security-group {
                type string;
                description
                  "security-group.";
              }
            }

            container geography-context-condition {
              description
                "Condition for generic context";
              leaf geography-context-description {
                type string;
                description
                  "This is description for generic context condition.
                  Vendors can write instructions for the generic
                  context condition that the vendor made.";
              }

              container geography-location {
                description
                  "The location which network traffic flow is associated
                  with.  The region can be the geographical location
                  such as country, province, and city,
                  as well as the logical network location such as
                  IP address, network section, and network domain.";

                leaf-list src-geography-location {
                  type string;
                  description
                    "The src-geography-location is a geographical
                    location mapped into an IP address.  It matches the
                    mapped IP address to the source IP address of the
                    traffic flow.";
                  reference
                    "ISO 3166: Codes for the representation of
                    names of countries and their subdivisions";
                }

                leaf-list dest-geography-location {
                  type string;
                  description
                    "The dest-geography-location is a geographical
                    location mapped into an IP address.  It matches the
                    mapped IP address to the destination IP address of
                    the traffic flow.";
                  reference
                    "ISO 3166: Codes for the representation of
                    names of countries and their subdivisions";
                }
              }
            }
          }
        }

        container action-clause-container {
          description
            "An action is used to control and monitor aspects of
            flow-based NSFs when the event and condition clauses
            are satisfied.  NSFs provide security functions by
            executing various Actions.  Examples of I2NSF Actions
            include providing intrusion detection and/or protection,
            web and flow filtering, and deep packet inspection
            for packets and flows.";
          reference
            "RFC 8329: Framework for Interface to Network Security
            Functions - I2NSF Flow Security Policy Structure
            draft-ietf-i2nsf-capability-data-model-15:
            I2NSF Capability YANG Data Model - Design Principles and
            ECA Policy Model Overview";

          leaf action-clause-description {
            type string;
            description
              "Description for an action clause.";
          }

          container packet-action {
            description
              "Action for packets";
            reference
              "RFC 8329: Framework for Interface to Network Security
              Functions - I2NSF Flow Security Policy Structure
              draft-ietf-i2nsf-capability-data-model-15:
              I2NSF Capability YANG Data Model - Design Principles and
              ECA Policy Model Overview";

            leaf ingress-action {
              type identityref {
                base ingress-action;
              }
              description
                "Action: pass, drop, reject, alert, and mirror.";
            }

            leaf egress-action {
              type identityref {
                base egress-action;
              }
              description
                "Egress action: pass, drop, reject, alert, mirror,
                invoke-signaling, tunnel-encapsulation,
                forwarding, and redirection.";
            }

            leaf log-action {
              type identityref {
                base log-action;
              }
              description
                "Log action: rule log and session log";
            }
          }

          container flow-action {
            description
              "Action for flows";
            reference
              "RFC 8329: Framework for Interface to Network Security
              Functions - I2NSF Flow Security Policy Structure
              draft-ietf-i2nsf-capability-data-model-15:
              I2NSF Capability YANG Data Model - Design Principles and
              ECA Policy Model Overview";

            leaf ingress-action {
              type identityref {
                base ingress-action;
              }
              description
                "Action: pass, drop, reject, alert, and mirror.";
            }

            leaf egress-action {
              type identityref {
                base egress-action;
              }
              description
                "Egress action: pass, drop, reject, alert, mirror,
                invoke-signaling, tunnel-encapsulation,
                forwarding, and redirection.";
            }

            leaf log-action {
              type identityref {
                base log-action;
              }
              description
                "Log action: rule log and session log";
            }
          }

          container advanced-action {
            description
              "If the packet needs to be additionally inspected,
              the packet is passed to advanced network
              security functions according to the profile.
              The profile means the types of NSFs where the packet
              will be forwarded in order to additionally
              inspect the packet.";
            reference
              "RFC 8329: Framework for Interface to Network Security
              Functions - Differences from ACL Data Models";

            leaf-list content-security-control {
              type identityref {
                base content-security-control;
              }
              description
                "Content-security-control is the NSFs that
                inspect the payload of the packet.
                The Profile is divided into content security
                control and attack-mitigation-control.
                Content security control: antivirus, ips, ids,
                url filtering, mail filtering, file blocking,
                file isolate, packet capture, application control,
                voip and volte.";
            }

            leaf-list attack-mitigation-control {
              type identityref {
                base attack-mitigation-control;
              }
              description
                "Attack-mitigation-control is the NSFs that weaken
                the attacks related to a denial of service
                and reconnaissance.
                The Profile is divided into content security
                control and attack-mitigation-control.
                Attack mitigation control: syn flood, udp flood,
                icmp flood, ip frag flood, ipv6 related, http flood,
                https flood, dns flood, dns amp flood, ssl ddos,
                ip sweep, port scanning, ping of death, teardrop,
                oversized icmp, tracert.";
            }
          }
        }
      }
      container rule-group {
        description
          "This is rule group";

        list groups {
          key "group-name";
          description
            "This is a group for rules";

          leaf group-name {
            type string;
            description
              "This is a group for rules";
          }

          container rule-range {
            description
              "This is a rule range.";

            leaf start-rule {
              type string;
              description
                "This is a start rule";
            }
            leaf end-rule {
              type string;
              description
                "This is an end rule";
            }
          }
          leaf enable {
            type boolean;
            description
              "This is enable.
              False is not enable.";
          }
          leaf description {
            type string;
            description
              "This is a description for rule-group";
          }
        }
      }
    }
  }
}
<CODE ENDS>

              Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface

5.  XML Configuration Examples of Low-Level Security Policy Rules

   This section shows XML configuration examples of low-level security
   policy rules that are delivered from the Security Controller to NSFs
   over the NSF-Facing Interface.
   For security requirements, we assume that the NSFs (i.e., General
   firewall, Time-based firewall, URL filter, VoIP/VoLTE filter, and
   http and https flood mitigation) described in the Configuration
   Examples section of [I-D.ietf-i2nsf-capability-data-model] are
   registered in the I2NSF framework.  With the registered NSFs, we
   show configuration examples for security policy rules of network
   security functions according to the following three security
   requirements: (i) Block Social Networking Service (SNS) access
   during business hours, (ii) Block malicious VoIP/VoLTE packets
   coming to the company, and (iii) Mitigate http and https flood
   attacks on the company web server.

5.1.  Security Requirement 1: Block Social Networking Service (SNS)
      Access during Business Hours

   This section shows a configuration example for blocking SNS access
   during business hours in IPv4 networks or IPv6 networks.

   (XML element tags of this figure are missing from the page; the
   element values that survive are:)

      sns_access
      block_sns_access_during_operation_time
      09:00:00Z
      18:00:00Z
      192.0.2.11
      192.0.2.90
      url-filtering

     Figure 6: Configuration XML for Time-based Firewall to Block SNS
              Access during Business Hours in IPv4 Networks

   (XML element tags of this figure are missing from the page; the
   element values that survive are:)

      sns_access
      block_sns_access_during_operation_time
      09:00:00Z
      18:00:00Z
      2001:DB8:0:1::11
      2001:DB8:0:1::90
      url-filtering

     Figure 7: Configuration XML for Time-based Firewall to Block SNS
              Access during Business Hours in IPv6 Networks

   (XML element tags of this figure are missing from the page; the
   element values that survive are:)

      sns_access
      block_sns_access_during_operation_time
      09:00:00Z
      18:00:00Z
      SNS_1
      SNS_2
      drop

   Figure 8: Configuration XML for Web Filter to Block SNS Access during
                              Business Hours

   Figure 6 (or Figure 7) and Figure 8 show the configuration XML
   documents for the time-based firewall and the web filter to block
   SNS access during business hours in IPv4 networks (or IPv6
   networks).  For this security requirement, two NSFs (i.e., a
   time-based firewall and a web filter) were used because one NSF
   cannot meet the security requirement.  The instances of the XML
   documents for the time-based firewall and the web filter are as
   follows.  Note that a detailed data model for the configuration of
   the advanced network security function (i.e., web filter) can be
   defined as an extension in the future.

   Time-based Firewall is as follows:

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_sns_access_during_operation_time.

   3.  The rule is operated during the business hours (i.e., from 9 a.m.
       to 6 p.m.).

   4.  The rule inspects a source IPv4 address (i.e., from 192.0.2.11 to
       192.0.2.90) to inspect the outgoing packets of employees.  For
       the case of IPv6 networks, the rule inspects a source IPv6
       address (i.e., from 2001:DB8:0:1::11 to 2001:DB8:0:1::90) to
       inspect the outgoing packets of employees.

   5.  If the outgoing packets match the rules above, the time-based
       firewall sends the packets to url filtering for additional
       inspection because the time-based firewall cannot inspect the
       contents of the packets for the SNS URL.

   Web Filter is as follows:

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_SNS_1_and_SNS_2.

   3.  The rule inspects the URL address to block the access packets to
       the SNS_1 or the SNS_2.

   4.  If the outgoing packets match the rules above, the packets are
       blocked.

5.2.  Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming
      to a Company

   This section shows a configuration example for blocking malicious
   VoIP/VoLTE packets coming to a company.

   (XML element tags of this figure are missing from the page; the
   element values that survive are:)

      voip_volte_inspection
      block_malicious_voice_id
      192.0.2.11
      192.0.2.90
      5060
      5061
      voip-volte

    Figure 9: Configuration XML for General Firewall to Block Malicious
                  VoIP/VoLTE Packets Coming to a Company

   (XML element tags of this figure are missing from the page; the
   element values that survive are:)

      voip_volte_inspection
      block_malicious_voice_id
      user1@voip.malicious.example.com
      user2@voip.malicious.example.com
      drop

   Figure 10: Configuration XML for VoIP/VoLTE Filter to Block Malicious
                  VoIP/VoLTE Packets Coming to a Company

   Figure 9 and Figure 10 show the configuration XML documents for the
   general firewall and the VoIP/VoLTE filter to block malicious
   VoIP/VoLTE packets coming to a company.  For this security
   requirement, two NSFs (i.e., a general firewall and a VoIP/VoLTE
   filter) were used because one NSF cannot meet the security
   requirement.  The instances of the XML documents for the general
   firewall and the VoIP/VoLTE filter are as follows.  Note that a
   detailed data model for the configuration of the advanced network
   security function (i.e., VoIP/VoLTE filter) can be described as an
   extension in the future.

   General Firewall is as follows:

   1.  The name of the system policy is voip_volte_inspection.

   2.  The name of the rule is block_malicious_voip_volte_packets.

   3.  The rule inspects a destination IPv4 address (i.e., from
       192.0.2.11 to 192.0.2.90) to inspect the packets coming into the
       company.

   4.  The rule inspects a port number (i.e., 5060 and 5061) to inspect
       VoIP/VoLTE packets.

   5.  If the incoming packets match the rules above, the general
       firewall sends the packets to the VoIP/VoLTE filter for
       additional inspection because the general firewall cannot
       inspect the contents of the VoIP/VoLTE packets.

   VoIP/VoLTE Filter is as follows:

   1.  The name of the system policy is malicious_voice_id.

   2.  The name of the rule is block_malicious_voice_id.

   3.  The rule inspects the voice id of the VoIP/VoLTE packets to block
       the malicious VoIP/VoLTE packets (i.e.,
       user1@voip.malicious.example.com and
       user2@voip.malicious.example.com).

   4.  If the incoming packets match the rules above, the packets are
       blocked.

5.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a
      Company Web Server

   This section shows a configuration example for mitigating http and
   https flood attacks on a company web server.

   (XML element tags of this figure are missing from the page; the
   element values that survive are:)

      flood_attack_mitigation
      mitigate_http_and_https_flood_attack
      192.0.2.11
      80
      443
      http-and-https-flood

    Figure 11: Configuration XML for General Firewall to Mitigate HTTP
           and HTTPS Flood Attacks on a Company Web Server

   (XML element tags of this figure are missing from the page; the
   element values that survive are:)

      flood_attack_mitigation
      mitigate_http_and_https_flood_attack
      100
      drop

     Figure 12: Configuration XML for HTTP and HTTPS Flood Attack
     Mitigation to Mitigate HTTP and HTTPS Flood Attacks on a Company
                               Web Server

   Figure 11 and Figure 12 show the configuration XML documents for the
   general firewall and the http and https flood attack mitigation to
   mitigate http and https flood attacks on a company web server.  For
   this security requirement, two NSFs (i.e., a general firewall and an
   http and https flood attack mitigation) were used because one NSF
   cannot meet the security requirement.
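   Each of the three requirements in this section follows the same two-
   stage pattern: a first-stage NSF matches packet-header fields and
   hands matching packets to an advanced NSF through the advanced-
   action profile, and that second NSF decides on content (URL
   category, source voice ID, or packet rate).  The following Python
   example is added here and is not part of the draft or of any I2NSF
   implementation; it encodes the six rules as plain data and evaluates
   constructed packets against them.  Keys that exist in Figure 5 keep
   its leaf names (pre-defined-category, pkt-sec-src-voice-id,
   pkt-sec-alert-packet-rate, content-security-control,
   attack-mitigation-control, ingress-action); the header-match keys
   time-window, src-range, dest-range and ports are hypothetical
   shorthand for the first-stage condition leaves defined earlier in
   the module, and the packet records and timestamps are constructed.

```python
"""Two-stage evaluation of the Section 5 rule pairs over constructed packets.

Added example, not part of the draft.  Figure 5 leaf names are kept where
they exist; time-window, src-range, dest-range and ports are hypothetical
shorthand for the first-stage condition leaves defined earlier in the module.
"""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta
from ipaddress import ip_address

# First-stage NSF rules (Figures 6, 9, 11): match header fields, then hand
# the packet to the advanced NSF named by the advanced-action profile.
FIRST_STAGE = {
    "sns_access": {
        "time-window": (time(9, 0), time(18, 0)),
        "src-range": ("192.0.2.11", "192.0.2.90"),
        "content-security-control": "url-filtering",
    },
    "voip_volte_inspection": {
        "dest-range": ("192.0.2.11", "192.0.2.90"),
        "ports": {5060, 5061},
        "content-security-control": "voip-volte",
    },
    "flood_attack_mitigation": {
        "dest-range": ("192.0.2.11", "192.0.2.11"),
        "ports": {80, 443},
        "attack-mitigation-control": "http-and-https-flood",
    },
}

# Second-stage NSF rules (Figures 8, 10, 12), keyed by the profile they serve.
SECOND_STAGE = {
    "url-filtering": {"pre-defined-category": {"SNS_1", "SNS_2"},
                      "ingress-action": "drop"},
    "voip-volte": {"pkt-sec-src-voice-id": {"user1@voip.malicious.example.com",
                                            "user2@voip.malicious.example.com"},
                   "ingress-action": "drop"},
    "http-and-https-flood": {"pkt-sec-alert-packet-rate": 100,  # pps
                             "ingress-action": "drop"},
}

BASE_DAY = datetime(2021, 2, 2)  # constructed date; only the clock time matters


def make_packet(src, dst, dport, clock="10:00:00", offset_ms=0, **content):
    """Build a constructed packet record timestamped on BASE_DAY."""
    h, m, s = (int(x) for x in clock.split(":"))
    ts = BASE_DAY.replace(hour=h, minute=m, second=s) + timedelta(milliseconds=offset_ms)
    return {"src": src, "dst": dst, "dport": dport, "ts": ts, **content}


def in_range(addr, rng):
    lo, hi = rng
    return ip_address(lo) <= ip_address(addr) <= ip_address(hi)


def header_match(rule, pkt):
    """True when every first-stage condition present in the rule holds."""
    if "time-window" in rule:
        start, end = rule["time-window"]
        if not start <= pkt["ts"].time() <= end:
            return False
    if "src-range" in rule and not in_range(pkt["src"], rule["src-range"]):
        return False
    if "dest-range" in rule and not in_range(pkt["dst"], rule["dest-range"]):
        return False
    if "ports" in rule and pkt["dport"] not in rule["ports"]:
        return False
    return True


class RateMeter:
    """Packets per trailing one-second window, per destination address."""

    def __init__(self, window=timedelta(seconds=1)):
        self.window = window
        self.seen = defaultdict(deque)

    def observe(self, key, ts):
        q = self.seen[key]
        q.append(ts)
        while ts - q[0] > self.window:   # drop timestamps older than the window
            q.popleft()
        return len(q)


def content_decision(profile, pkt, meter):
    """Second-stage verdict: the rule's ingress-action on a match, else pass."""
    rule = SECOND_STAGE[profile]
    if pkt.get("url_category") in rule.get("pre-defined-category", ()):
        return rule["ingress-action"]
    if pkt.get("voice_id") in rule.get("pkt-sec-src-voice-id", ()):
        return rule["ingress-action"]
    if "pkt-sec-alert-packet-rate" in rule:
        if meter.observe(pkt["dst"], pkt["ts"]) > rule["pkt-sec-alert-packet-rate"]:
            return rule["ingress-action"]
    return "pass"


def evaluate(pkt, meter):
    """Return (action, profile); profile is None when no first-stage rule matched."""
    for rule in FIRST_STAGE.values():
        if header_match(rule, pkt):
            profile = rule.get("content-security-control") or rule["attack-mitigation-control"]
            return content_decision(profile, pkt, meter), profile
    return "pass", None


def run_demo():
    meter = RateMeter()
    out = {
        "sns_business_hours": evaluate(make_packet("192.0.2.20", "203.0.113.5", 443,
                                                   url_category="SNS_1"), meter),
        "sns_after_hours": evaluate(make_packet("192.0.2.20", "203.0.113.5", 443,
                                                "20:00:00", url_category="SNS_1"), meter),
        "voip_malicious": evaluate(make_packet("198.51.100.7", "192.0.2.50", 5060,
                                               voice_id="user1@voip.malicious.example.com"), meter),
        "voip_benign": evaluate(make_packet("198.51.100.7", "192.0.2.50", 5060,
                                            voice_id="alice@example.com"), meter),
    }
    # 101 HTTPS packets to the web server within half a second: the 101st
    # pushes the trailing one-second count past the 100 pps alert rate.
    flood = [evaluate(make_packet("198.51.100.7", "192.0.2.11", 443, offset_ms=5 * i), meter)
             for i in range(101)]
    out["flood_100th"], out["flood_101st"] = flood[99], flood[100]
    return out
```

   Two points the prose alone does not make visible: the SNS rule
   matches nothing outside the 09:00-18:00 window, so an after-hours
   packet is passed without ever reaching the URL filter, and the flood
   rule is stateful, so the same packet shape is passed until the
   trailing one-second count exceeds pkt-sec-alert-packet-rate and
   dropped afterwards.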
   The instances of the XML documents for the general firewall and the
   http and https flood attack mitigation are as follows.  Note that a
   detailed data model for the configuration of the advanced network
   security function (i.e., http and https flood attack mitigation) can
   be defined as an extension in the future.

   General Firewall is as follows:

   1.  The name of the system policy is flood_attack_mitigation.

   2.  The name of the rule is mitigate_http_and_https_flood_attack.

   3.  The rule inspects a destination IPv4 address (i.e., 192.0.2.11)
       to inspect the access packets coming into the company web server.

   4.  The rule inspects a port number (i.e., 80 and 443) to inspect
       http and https packets.

   5.  If the packets match the rules above, the general firewall sends
       the packets to the http and https flood attack mitigation for
       additional inspection because the general firewall cannot
       control the amount of http and https packets.

   HTTP and HTTPS Flood Attack Mitigation is as follows:

   1.  The name of the system policy is
       http_and_https_flood_attack_mitigation.

   2.  The name of the rule is 100_per_second.

   3.  The rule controls the http and https packets according to the
       amount of incoming packets.

   4.  If the incoming packets match the rules above, the packets are
       blocked.

6.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

   URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
   Registrant Contact: The IESG.
   XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950][RFC8525].

   name: ietf-i2nsf-policy-rule-for-nsf
   namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
   prefix: nsfintf
   reference: RFC XXXX

7.  Security Considerations

   The YANG module specified in this document defines a data schema
   designed to be accessed through network management protocols such as
   NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer is
   the secure transport layer, and the required secure transport is
   Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS,
   and the required secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides a means of
   restricting access for specific NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   o  ietf-i2nsf-policy-rule-for-nsf: Writing to almost any element of
      this YANG module would directly impact the configuration of NSFs,
      e.g., completely turning off security monitoring and mitigation
      capabilities; altering the scope of this monitoring and
      mitigation; creating an overwhelming logging volume to overwhelm
      downstream analytics or storage capacity; creating logging
      patterns which are confusing; or rendering useless trained
      statistics or artificial intelligence models.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.
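   Both concerns above (unrestricted writes reconfiguring NSFs, and reads
   exposing policy content) are what the NACM rules of [RFC8341] are
   meant to scope per user group.  The following Python example is
   added here and is not NACM code from any NETCONF server; it is a
   simplified model of the RFC 8341 evaluation order (rule-lists in
   order, first matching rule wins, write-default deny and read-default
   and exec-default permit when nothing matches), restricted to
   module-name rules.  The group names, user names and the sample rule
   set are constructed; only the module name
   ietf-i2nsf-policy-rule-for-nsf comes from this document.

```python
"""NACM-style access check for the ietf-i2nsf-policy-rule-for-nsf module.

Added example, not part of the draft.  Models RFC 8341 rule-list evaluation
for module-name rules only; path and rpc-name rules are left out.
"""
from dataclasses import dataclass

MODULE = "ietf-i2nsf-policy-rule-for-nsf"
WRITE_OPS = {"create", "update", "delete"}


@dataclass
class Rule:
    module_name: str        # "*" matches every module
    access_operations: set  # subset of {create, read, update, delete, exec} or {"*"}
    action: str             # "permit" or "deny"


@dataclass
class RuleList:
    groups: set             # group names this rule-list applies to, or {"*"}
    rules: list


@dataclass
class Nacm:
    groups: dict            # group name -> set of user names
    rule_lists: list
    read_default: str = "permit"   # RFC 8341 defaults
    write_default: str = "deny"
    exec_default: str = "permit"

    def user_groups(self, user):
        return {g for g, members in self.groups.items() if user in members}

    def check(self, user, operation, module=MODULE):
        """Decide one request the way a NACM-enforcing server would."""
        mine = self.user_groups(user)
        for rl in self.rule_lists:              # rule-lists in configured order
            if "*" not in rl.groups and not (rl.groups & mine):
                continue
            for rule in rl.rules:               # first matching rule decides
                if rule.module_name not in ("*", module):
                    continue
                if "*" in rule.access_operations or operation in rule.access_operations:
                    return rule.action
        # No rule matched: fall back to the per-operation-class defaults.
        if operation in WRITE_OPS:
            return self.write_default
        if operation == "exec":
            return self.exec_default
        return self.read_default


def sample_policy():
    """Constructed policy: admins write, viewers read, nobody else reads."""
    return Nacm(
        groups={"nsf-admins": {"alice"}, "noc-viewers": {"bob"}},
        rule_lists=[
            RuleList({"nsf-admins"}, [Rule(MODULE, {"*"}, "permit")]),
            RuleList({"noc-viewers"}, [Rule(MODULE, {"read"}, "permit")]),
            # Every other user: policy content must not even be readable.
            RuleList({"*"}, [Rule(MODULE, {"read"}, "deny")]),
        ],
    )


def access_matrix(nacm, users, operations):
    """Tabulate decisions for a review of who can touch the policy module."""
    return {u: {op: nacm.check(u, op) for op in operations} for u in users}
```

   The explicit read-deny rule-list for "*" is what makes the second
   bullet enforceable: without it, a user outside both groups would
   fall through to read-default permit and could retrieve the policy
   tree with get-config.  The same fall-through leaves reads of other
   modules unaffected, because the rule is scoped by module-name.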
   These are the subtrees and data nodes and their
   sensitivity/vulnerability:

   o  ietf-i2nsf-policy-rule-for-nsf: An attacker may gather the
      security policy information of any target NSFs and misuse that
      security policy information for subsequent attacks.

   In this YANG data module, note that the identity information of users
   can be exchanged for security policy configuration based on a user's
   information.  This implies that, to improve network security, there
   is a tradeoff between a user's information privacy and network
   security.  For the container users-condition in this YANG data
   module, the identity information of users can be exchanged between
   the Security Controller and an NSF for security policy configuration
   based on users' information.  Thus, for this exchange of the identity
   information of users, there is a proportional relationship between
   the release level of a user's privacy information and the network
   security strength of an NSF.

8.  Acknowledgments

   This work was supported by Institute of Information & Communications
   Technology Planning & Evaluation (IITP) grant funded by the Korea
   MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based
   Security Intelligence Technology Development for the Customized
   Security Service Provisioning).  This work was supported in part by
   the IITP (2020-0-00395, Standard Development of Blockchain based
   Network Management Automation Technology).

9.  Contributors

   This document is made by the group effort of the I2NSF working group.
   Many people actively contributed to this document, such as Acee
   Lindem and Roman Danyliw.  The authors sincerely appreciate their
   contributions.

   The following are co-authors of this document:

   Patrick Lingga
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: patricklink@skku.edu

   Hyoungshick Kim
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: hyoung@skku.edu

   Daeyoung Hyun
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: dyhyun@skku.edu

   Dongjin Hong
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea

   EMail: dong.jin@skku.edu

   Liang Xia
   Huawei
   101 Software Avenue
   Nanjing, Jiangsu 210012
   China

   EMail: Frank.Xialiang@huawei.com

   Tae-Jin Ahn
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon, 305-811
   Republic of Korea

   EMail: taejin.ahn@kt.com

   Se-Hui Lee
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon, 305-811
   Republic of Korea

   EMail: sehuilee@kt.com

10.  References

10.1.  Normative References

   [I-D.ietf-i2nsf-capability-data-model]
              Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
              "I2NSF Capability YANG Data Model", draft-ietf-i2nsf-
              capability-data-model-15 (work in progress), January 2021.

   [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]
              Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
              Garcia, "Software-Defined Networking (SDN)-based IPsec
              Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-
              protection-12 (work in progress), October 2020.

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              DOI 10.17487/RFC0768, August 1980.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              DOI 10.17487/RFC0791, September 1981.

   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
              RFC 792, DOI 10.17487/RFC0792, September 1981.

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, DOI 10.17487/RFC0793, September 1981.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              DOI 10.17487/RFC3261, June 2002.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet
              Control Message Protocol (ICMPv6) for the Internet
              Protocol Version 6 (IPv6) Specification", STD 89,
              RFC 4443, DOI 10.17487/RFC4443, March 2006.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017.

   [RFC8335]  Bonica, R., Thomas, R., Linkova, J., Lenart, C., and M.
              Boucadair, "PROBE: A Utility for Probing Interfaces",
              RFC 8335, DOI 10.17487/RFC8335, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8344]  Bjorklund, M., "A YANG Data Model for IP Management",
              RFC 8344, DOI 10.17487/RFC8344, March 2018.

   [RFC8407]  Bierman, A., "Guidelines for Authors and Reviewers of
              Documents Containing YANG Data Models", BCP 216, RFC 8407,
              DOI 10.17487/RFC8407, October 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [RFC8525]  Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
              and R. Wilton, "YANG Library", RFC 8525,
              DOI 10.17487/RFC8525, March 2019.

10.2.  Informative References

   [I-D.ietf-i2nsf-nsf-monitoring-data-model]
              Jeong, J., Lingga, P., Hares, S., Xia, L., and H.
              Birkholz, "I2NSF NSF Monitoring YANG Data Model", draft-
              ietf-i2nsf-nsf-monitoring-data-model-04 (work in
              progress), September 2020.

   [IANA-Protocol-Numbers]
              "Assigned Internet Protocol Numbers", Available:
              https://www.iana.org/assignments/protocol-
              numbers/protocol-numbers.xhtml, January 2021.

   [ISO-Country-Codes]
              "Codes for the representation of names of countries and
              their subdivisions", ISO 3166, September 2018.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

Authors' Addresses

   Jinyong Tim Kim (editor)
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Jaehoon Paul Jeong (editor)
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon 34129
   Republic of Korea

   Phone: +82 42 860 6514
   EMail: pjs@etri.re.kr

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   EMail: linqiushi@huawei.com