idnits 2.17.1

draft-ietf-i2nsf-nsf-facing-interface-dm-12.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 9 instances of too long lines in the document, the longest one
     being 9 characters in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 266 has weird spacing: '...-length  uin...'

  == Line 276 has weird spacing: '...-length  uin...'

  == Line 287 has weird spacing: '...-offset  uin...'

  == Line 296 has weird spacing: '...pv4-ttl  uin...'

  == Line 312 has weird spacing: '...address  inet:...'

  == (22 more instances...)

  -- The document date (March 8, 2021) is 1144 days in the past.  Is this
     intentional?
  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'I-D.ietf-i2nsf-sdn-ipsec-flow-protection' is defined
     on line 4572, but no explicit reference was found in the text

  == Unused Reference: 'RFC8335' is defined on line 4641, but no explicit
     reference was found in the text

  == Outdated reference: A later version (-32) exists of
     draft-ietf-i2nsf-capability-data-model-15

  == Outdated reference: A later version (-14) exists of
     draft-ietf-i2nsf-sdn-ipsec-flow-protection-12

  ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293)

  == Outdated reference: A later version (-20) exists of
     draft-ietf-i2nsf-nsf-monitoring-data-model-04

     Summary: 2 errors (**), 0 flaws (~~), 12 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

I2NSF Working Group                                            J. Kim, Ed.
Internet-Draft                                               J. Jeong, Ed.
Intended status: Standards Track                   Sungkyunkwan University
Expires: September 9, 2021                                         J. Park
                                                                      ETRI
                                                                  S. Hares
                                                                    Q. Lin
                                                                    Huawei
                                                             March 8, 2021

     I2NSF Network Security Function-Facing Interface YANG Data Model
               draft-ietf-i2nsf-nsf-facing-interface-dm-12

Abstract

   This document defines a YANG data model for configuring security
   policy rules on Network Security Functions (NSF) in the Interface to
   Network Security Functions (I2NSF) framework.  The YANG data model in
   this document corresponds to the information model for NSF-Facing
   Interface in the I2NSF framework.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 9, 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  YANG Tree Diagram
     3.1.  General I2NSF Security Policy Rule
     3.2.  Event Clause
     3.3.  Condition Clause
     3.4.  Action Clause
   4.  YANG Data Model of NSF-Facing Interface
     4.1.  YANG Module of NSF-Facing Interface
   5.  XML Configuration Examples of Low-Level Security Policy Rules
     5.1.  Security Requirement 1: Block Social Networking Service
           (SNS) Access during Business Hours
     5.2.  Security Requirement 2: Block Malicious VoIP/VoLTE
           Packets Coming to a Company
     5.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood
           Attacks on a Company Web Server
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgments
   9.  Contributors
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020][RFC7950] data model for
   security policy rule configuration of Network Security Functions
   (NSF).  The YANG data model in this document is based on the
   information model in [I-D.ietf-i2nsf-capability-data-model] for the
   NSF-Facing Interface in the Interface to Network Security Functions
   (I2NSF) architecture [RFC8329].  The YANG data model in this document
   focuses on security policy configuration for generic network security
   functions (e.g., firewall, web filter, and Distributed-Denial-of-
   Service (DDoS) attack mitigator)
   [I-D.ietf-i2nsf-capability-data-model].  Security policy
   configuration for advanced network security functions, such as
   Intrusion Prevention System (IPS) and anti-virus, is out of the
   scope of this document [I-D.ietf-i2nsf-capability-data-model].
   This YANG data model uses an "Event-Condition-Action" (ECA) policy
   model that is used as the basis for the design of I2NSF Policy
   described in [RFC8329] and [I-D.ietf-i2nsf-capability-data-model].

   The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this
   document provides the configuration of the following features.

   o  A general security policy rule of a generic network security
      function.

   o  An event clause of a generic network security function.

   o  A condition clause of a generic network security function.

   o  An action clause of a generic network security function.

2.  Terminology

   This document uses the terminology described in [RFC8329].

   This document follows the guidelines of [RFC8407], uses the common
   YANG types defined in [RFC6991], and adopts the Network Management
   Datastore Architecture (NMDA).  The meaning of the symbols in tree
   diagrams is defined in [RFC8340].

3.  YANG Tree Diagram

   This section shows a YANG tree diagram of generic network security
   functions.  Advanced network security functions, such as Intrusion
   Prevention System (IPS), Distributed-Denial-of-Service (DDoS) attack
   mitigator, and anti-virus, are out of the scope of this document and
   can be defined in the future [I-D.ietf-i2nsf-capability-data-model].

3.1.  General I2NSF Security Policy Rule

   This section shows a YANG tree diagram for a general I2NSF security
   policy rule for generic network security functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        +--rw system-policy* [system-policy-name]
           +--rw system-policy-name      string
           +--rw priority-usage?         identityref
           +--rw resolution-strategy?    identityref
           +--rw default-action?         identityref
           +--rw rules* [rule-name]
           |  +--rw rule-name                   string
           |  +--rw rule-description?           string
           |  +--rw rule-priority?              uint8
           |  +--rw rule-enable?                boolean
           |  +--rw rule-session-aging-time?    uint16
           |  +--rw rule-long-connection
           |  |  +--rw enable?     boolean
           |  |  +--rw duration?   uint16
           |  +--rw time-intervals
           |  |  +--rw absolute-time-interval
           |  |  |  +--rw start-time?   start-time-type
           |  |  |  +--rw end-time?     end-time-type
           |  |  +--rw periodic-time-interval
           |  |     +--rw day
           |  |     |  +--rw every-day?      boolean
           |  |     |  +--rw specific-day*   day-type
           |  |     +--rw month
           |  |        +--rw every-month?      boolean
           |  |        +--rw specific-month*   month-type
           |  +--rw event-clause-container
           |  |  ...
           |  +--rw condition-clause-container
           |  |  ...
           |  +--rw action-clause-container
           |     ...
           +--rw rule-group
              +--rw groups* [group-name]
                 +--rw group-name     string
                 +--rw rule-range
                 |  +--rw start-rule?   string
                 |  +--rw end-rule?     string
                 +--rw enable?        boolean
                 +--rw description?   string

             Figure 1: YANG Tree Diagram for Network Security Policy

   The system policy container allows multiple system policies in one
   NSF, and each system policy is used by one virtual instance of the
   NSF/device.  A system policy includes a system policy name, priority
   usage, resolution strategy, default action, and rules.

   A resolution strategy is used to decide how to resolve conflicts that
   occur between the actions of the same or different policy rules that
   are matched and contained in a particular NSF.  The resolution
   strategy is defined as First Matching Rule (FMR), Last Matching Rule
   (LMR), Prioritized Matching Rule (PMR) with Errors (PMRE), and
   Prioritized Matching Rule with No Errors (PMRN).  The resolution
   strategy can be extended according to specific vendor action
   features.  The resolution strategy is described in detail in
   [I-D.ietf-i2nsf-capability-data-model].

   A default action is the action an NSF executes for a packet when no
   I2NSF policy rule matches it.  The default action is defined as pass,
   drop, reject, alert, and mirror.  The default action can be extended
   according to specific vendor action features.  The default action is
   described in detail in [I-D.ietf-i2nsf-capability-data-model].

   The rules include rule name, rule description, rule priority, rule
   enable, time zone, event clause container, condition clause
   container, and action clause container.

3.2.  Event Clause

   This section shows a YANG tree diagram for an event clause for a
   general I2NSF security policy rule for generic network security
   functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        +--rw system-policy* [system-policy-name]
           ...
           +--rw rules* [rule-name]
           |  ...
           |  +--rw event-clause-container
           |  |  +--rw event-clause-description?   string
           |  |  +--rw event-clauses
           |  |     +--rw system-event*   identityref
           |  |     +--rw system-alarm*   identityref
           |  +--rw condition-clause-container
           |  |  ...
           |  +--rw action-clause-container
           |     ...
           +--rw rule-group
              ...

               Figure 2: YANG Tree Diagram for an Event Clause

   An event clause describes any important occurrence, at a specific
   time, of a change in the system being managed and/or in the
   environment of the system being managed.  An event clause is used to
   trigger the evaluation of the condition clause of the I2NSF Policy
   Rule.  The event clause is defined as a system event and system alarm
   [I-D.ietf-i2nsf-nsf-monitoring-data-model].  The event clause can be
   extended according to specific vendor event features.  The event
   clause is described in detail in
   [I-D.ietf-i2nsf-capability-data-model].

3.3.  Condition Clause

   This section shows a YANG tree diagram for a condition clause for a
   general I2NSF security policy rule for generic network security
   functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        ...
        +--rw rules* [rule-name]
        |  ...
        |  +--rw event-clause-container
        |  |  ...
255 | +--rw condition-clause-container 256 | | +--rw condition-clause-description? string 257 | | +--rw packet-security-ipv4-condition 258 | | | +--rw ipv4-description? string 259 | | | +--rw pkt-sec-ipv4-header-length 260 | | | | +--rw (match-type)? 261 | | | | +--:(exact-match) 262 | | | | | +--rw ipv4-header-length* uint8 263 | | | | +--:(range-match) 264 | | | | +--rw range-ipv4-header-length* 265 [start-ipv4-header-length end-ipv4-header-length] 266 | | | | +--rw start-ipv4-header-length uint8 267 | | | | +--rw end-ipv4-header-length uint8 268 | | | +--rw pkt-sec-ipv4-tos* identityref 269 | | | +--rw pkt-sec-ipv4-total-length 270 | | | | +--rw (match-type)? 271 | | | | +--:(exact-match) 272 | | | | | +--rw ipv4-total-length* uint16 273 | | | | +--:(range-match) 274 | | | | +--rw range-ipv4-total-length* 275 [start-ipv4-total-length end-ipv4-total-length] 276 | | | | +--rw start-ipv4-total-length uint16 277 | | | | +--rw end-ipv4-total-length uint16 278 | | | +--rw pkt-sec-ipv4-id* uint16 279 | | | +--rw pkt-sec-ipv4-fragment-flags* identityref 280 | | | +--rw pkt-sec-ipv4-fragment-offset 281 | | | | +--rw (match-type)? 282 | | | | +--:(exact-match) 283 | | | | | +--rw ipv4-fragment-offset* uint16 284 | | | | +--:(range-match) 285 | | | | +--rw range-ipv4-fragment-offset* 286 [start-ipv4-fragment-offset end-ipv4-fragment-offset] 287 | | | | +--rw start-ipv4-fragment-offset uint16 288 | | | | +--rw end-ipv4-fragment-offset uint16 289 | | | +--rw pkt-sec-ipv4-ttl 290 | | | | +--rw (match-type)? 291 | | | | +--:(exact-match) 292 | | | | | +--rw ipv4-ttl* uint8 293 | | | | +--:(range-match) 294 | | | | +--rw range-ipv4-ttl* 295 [start-ipv4-ttl end-ipv4-ttl] 296 | | | | +--rw start-ipv4-ttl uint8 297 | | | | +--rw end-ipv4-ttl uint8 298 | | | +--rw pkt-sec-ipv4-protocol* identityref 299 | | | +--rw pkt-sec-ipv4-src 300 | | | | +--rw (match-type)? 
301 | | | | +--:(exact-match) 302 | | | | | +--rw ipv4-address* [ipv4] 303 | | | | | +--rw ipv4 inet:ipv4-address 304 | | | | | +--rw (subnet)? 305 | | | | | +--:(prefix-length) 306 | | | | | | +--rw prefix-length? uint8 307 | | | | | +--:(netmask) 308 | | | | | +--rw netmask? yang:dotted-quad 309 | | | | +--:(range-match) 310 | | | | +--rw range-ipv4-address* 311 [start-ipv4-address end-ipv4-address] 312 | | | | +--rw start-ipv4-address inet:ipv4-address 313 | | | | +--rw end-ipv4-address inet:ipv4-address 314 | | | +--rw pkt-sec-ipv4-dest 315 | | | | +--rw (match-type)? 316 | | | | +--:(exact-match) 317 | | | | | +--rw ipv4-address* [ipv4] 318 | | | | | +--rw ipv4 inet:ipv4-address 319 | | | | | +--rw (subnet)? 320 | | | | | +--:(prefix-length) 321 | | | | | | +--rw prefix-length? uint8 322 | | | | | +--:(netmask) 323 | | | | | +--rw netmask? yang:dotted-quad 324 | | | | +--:(range-match) 325 | | | | +--rw range-ipv4-address* 326 [start-ipv4-address end-ipv4-address] 327 | | | | +--rw start-ipv4-address inet:ipv4-address 328 | | | | +--rw end-ipv4-address inet:ipv4-address 329 | | | +--rw pkt-sec-ipv4-ipopts* identityref 330 | | | +--rw pkt-sec-ipv4-same-ip? boolean 331 | | | +--rw pkt-sec-ipv4-geo-ip* string 332 | | +--rw packet-security-ipv6-condition 333 | | | +--rw ipv6-description? string 334 | | | +--rw pkt-sec-ipv6-traffic-class* identityref 335 | | | +--rw pkt-sec-ipv6-flow-label 336 | | | | +--rw (match-type)? 337 | | | | +--:(exact-match) 338 | | | | | +--rw ipv6-flow-label* uint32 339 | | | | +--:(range-match) 340 | | | | +--rw range-ipv6-flow-label* 341 [start-ipv6-flow-label end-ipv6-flow-label] 342 | | | | +--rw start-ipv6-flow-label uint32 343 | | | | +--rw end-ipv6-flow-label uint32 344 | | | +--rw pkt-sec-ipv6-payload-length 345 | | | | +--rw (match-type)? 
346 | | | | +--:(exact-match) 347 | | | | | +--rw ipv6-payload-length* uint16 348 | | | | +--:(range-match) 349 | | | | +--rw range-ipv6-payload-length* 350 [start-ipv6-payload-length end-ipv6-payload-length] 351 | | | | +--rw start-ipv6-payload-length uint16 352 | | | | +--rw end-ipv6-payload-length uint16 353 | | | +--rw pkt-sec-ipv6-next-header* identityref 354 | | | +--rw pkt-sec-ipv6-hop-limit 355 | | | | +--rw (match-type)? 356 | | | | +--:(exact-match) 357 | | | | | +--rw ipv6-hop-limit* uint8 358 | | | | +--:(range-match) 359 | | | | +--rw range-ipv6-hop-limit* 360 [start-ipv6-hop-limit end-ipv6-hop-limit] 361 | | | | +--rw start-ipv6-hop-limit uint8 362 | | | | +--rw end-ipv6-hop-limit uint8 363 | | | +--rw pkt-sec-ipv6-src 364 | | | | +--rw (match-type)? 365 | | | | +--:(exact-match) 366 | | | | | +--rw ipv6-address* [ipv6] 367 | | | | | +--rw ipv6 inet:ipv6-address 368 | | | | | +--rw prefix-length? uint8 369 | | | | +--:(range-match) 370 | | | | +--rw range-ipv6-address* 371 [start-ipv6-address end-ipv6-address] 372 | | | | +--rw start-ipv6-address inet:ipv6-address 373 | | | | +--rw end-ipv6-address inet:ipv6-address 374 | | | +--rw pkt-sec-ipv6-dest 375 | | | +--rw (match-type)? 376 | | | +--:(exact-match) 377 | | | | +--rw ipv6-address* [ipv6] 378 | | | | +--rw ipv6 inet:ipv6-address 379 | | | | +--rw prefix-length? uint8 380 | | | +--:(range-match) 381 | | | +--rw range-ipv6-address* 382 [start-ipv6-address end-ipv6-address] 383 | | | +--rw start-ipv6-address inet:ipv6-address 384 | | | +--rw end-ipv6-address inet:ipv6-address 385 | | +--rw packet-security-tcp-condition 386 | | | +--rw tcp-description? string 387 | | | +--rw pkt-sec-tcp-src-port-num 388 | | | | +--rw (match-type)? 
389 | | | | +--:(exact-match) 390 | | | | | +--rw port-num* inet:port-number 391 | | | | +--:(range-match) 392 | | | | +--rw range-port-num* 393 [start-port-num end-port-num] 394 | | | | +--rw start-port-num inet:port-number 395 | | | | +--rw end-port-num inet:port-number 396 | | | +--rw pkt-sec-tcp-dest-port-num 397 | | | | +--rw (match-type)? 398 | | | | +--:(exact-match) 399 | | | | | +--rw port-num* inet:port-number 400 | | | | +--:(range-match) 401 | | | | +--rw range-port-num* 402 [start-port-num end-port-num] 403 | | | | +--rw start-port-num inet:port-number 404 | | | | +--rw end-port-num inet:port-number 405 | | | +--rw pkt-sec-tcp-flags* identityref 406 | | +--rw packet-security-udp-condition 407 | | | +--rw udp-description? string 408 | | | +--rw pkt-sec-udp-src-port-num 409 | | | | +--rw (match-type)? 410 | | | | +--:(exact-match) 411 | | | | | +--rw port-num* inet:port-number 412 | | | | +--:(range-match) 413 | | | | +--rw range-port-num* 414 [start-port-num end-port-num] 415 | | | | +--rw start-port-num inet:port-number 416 | | | | +--rw end-port-num inet:port-number 417 | | | +--rw pkt-sec-udp-dest-port-num 418 | | | | +--rw (match-type)? 419 | | | | +--:(exact-match) 420 | | | | | +--rw port-num* inet:port-number 421 | | | | +--:(range-match) 422 | | | | +--rw range-port-num* 423 [start-port-num end-port-num] 424 | | | | +--rw start-port-num inet:port-number 425 | | | | +--rw end-port-num inet:port-number 426 | | | +--rw pkt-sec-udp-total-length 427 | | | +--rw (match-type)? 428 | | | +--:(exact-match) 429 | | | | +--rw udp-total-length* uint32 430 | | | +--:(range-match) 431 | | | +--rw range-udp-total-length* 432 [start-udp-total-length end-udp-total-length] 433 | | | +--rw start-udp-total-length uint32 434 | | | +--rw end-udp-total-length uint32 435 | | +--rw packet-security-sctp-condition 436 | | | +--rw sctp-description? string 437 | | | +--rw pkt-sec-sctp-src-port-num 438 | | | | +--rw (match-type)? 
439 | | | | +--:(exact-match) 440 | | | | | +--rw port-num* inet:port-number 441 | | | | +--:(range-match) 442 | | | | +--rw range-port-num* 443 [start-port-num end-port-num] 444 | | | | +--rw start-port-num inet:port-number 445 | | | | +--rw end-port-num inet:port-number 446 | | | +--rw pkt-sec-sctp-dest-port-num 447 | | | | +--rw (match-type)? 448 | | | | +--:(exact-match) 449 | | | | | +--rw port-num* inet:port-number 450 | | | | +--:(range-match) 451 | | | | +--rw range-port-num* 452 [start-port-num end-port-num] 453 | | | | +--rw start-port-num inet:port-number 454 | | | | +--rw end-port-num inet:port-number 455 | | | +--rw pkt-sec-sctp-verification-tag* uint32 456 | | | +--rw pkt-sec-sctp-chunk-type* uint8 457 | | +--rw packet-security-dccp-condition 458 | | | +--dccp-description? string 459 | | | +--rw pkt-sec-dccp-src-port-num 460 | | | | +--rw (match-type)? 461 | | | | +--:(exact-match) 462 | | | | | +--rw port-num* inet:port-number 463 | | | | +--:(range-match) 464 | | | | +--rw range-port-num* 465 [start-port-num end-port-num] 466 | | | | +--rw start-port-num inet:port-number 467 | | | | +--rw end-port-num inet:port-number 468 | | | +--rw pkt-sec-dccp-dest-port-num 469 | | | | +--rw (match-type)? 470 | | | | +--:(exact-match) 471 | | | | | +--rw port-num* inet:port-number 472 | | | | +--:(range-match) 473 | | | | +--rw range-port-num* 475 [start-port-num end-port-num] 476 | | | | +--rw start-port-num inet:port-number 477 | | | | +--rw end-port-num inet:port-number 478 | | | +--rw pkt-sec-dccp-service-code* uint32 479 | | +--rw packet-security-icmp-condition 480 | | | +--rw icmp-description? string 481 | | | +--rw pkt-sec-icmp-type-and-code* identityref 482 | | +--rw packet-security-url-category-condition 483 | | | +--rw url-category-description? string 484 | | | +--rw pre-defined-category* string 485 | | | +--rw user-defined-category* string 486 | | +--rw packet-security-voice-condition 487 | | | +--rw voice-description? 
string 488 | | | +--rw pkt-sec-src-voice-id* string 489 | | | +--rw pkt-sec-dest-voice-id* string 490 | | | +--rw pkt-sec-user-agent* string 491 | | +--rw packet-security-ddos-condition 492 | | | +--rw ddos-description? string 493 | | | +--rw pkt-sec-alert-packet-rate? uint32 494 | | | +--rw pkt-sec-alert-flow-rate? uint32 495 | | | +--rw pkt-sec-alert-byte-rate? uint32 496 | | +--rw packet-security-payload-condition 497 | | | +--rw packet-payload-description? string 498 | | | +--rw pkt-payload-content* string 499 | | +--rw context-condition 500 | | +--rw context-description? string 501 | | +--rw application-condition 502 | | | +--rw application-description? string 503 | | | +--rw application-object* string 504 | | | +--rw application-group* string 505 | | | +--rw application-label* string 506 | | | +--rw category 507 | | | +--rw application-category* 508 [name application-subcategory] 509 | | | +--rw name string 510 | | | +--rw application-subcategory string 511 | | +--rw target-condition 512 | | | +--rw target-description? string 513 | | | +--rw device-sec-context-cond 514 | | | +--rw target-device* identityref 515 | | +--rw users-condition 516 | | | +--rw users-description? string 517 | | | +--rw user [user-name user-id] 518 | | | +--rw user-name* string 519 | | | +--rw user-id* uint32 520 | | | +--rw group [group-name group-id] 521 | | | +--rw group-name string 522 | | | +--rw group-id uint32 523 | | | +--rw security-group string 524 | | +--rw geography-context-condition 525 | | +--rw geography-context-description? string 526 | | +--rw geography-location 527 | | +--rw src-geography-location* string 528 | | +--rw dest-geography-location* string 529 | +--rw action-clause-container 530 | ... 531 +--rw rule-group 532 ... 
             Figure 3: YANG Tree Diagram for a Condition Clause

   A condition clause is defined as a set of attributes, features, and/
   or values that are to be compared with a set of known attributes,
   features, and/or values in order to determine whether or not the set
   of actions in that (imperative) I2NSF policy rule can be executed.
   A condition clause is classified as a condition of generic network
   security functions, advanced network security functions, or context.
   A condition clause of generic network security functions is defined
   as packet security IPv4 condition, packet security IPv6 condition,
   packet security tcp condition, and packet security icmp condition.
   A condition clause of advanced network security functions is defined
   as packet security url category condition, packet security voice
   condition, packet security DDoS condition, or packet security payload
   condition.  A condition clause of context is defined as application
   condition, target condition, users condition, and geography
   condition.  Note that this document deals only with conditions of
   several advanced network security functions such as url filter
   (i.e., web filter), VoIP/VoLTE security, and DDoS-attack mitigator.
   A condition clause of other advanced network security functions such
   as Intrusion Prevention System (IPS) and Data Loss Prevention (DLP)
   can be defined as an extension in the future.  A condition clause can
   be extended according to specific vendor condition features.  A
   condition clause is described in detail in
   [I-D.ietf-i2nsf-capability-data-model].

3.4.  Action Clause

   This section shows a YANG tree diagram for an action clause for a
   general I2NSF security policy rule for generic network security
   functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy
        ...
        +--rw rules* [rule-name]
        |  ...
        |  +--rw event-clause-container
        |  |  ...
        |  +--rw condition-clause-container
        |  |  ...
        |  +--rw action-clause-container
        |     +--rw action-clause-description?   string
        |     +--rw packet-action
        |     |  +--rw ingress-action?   identityref
        |     |  +--rw egress-action?    identityref
        |     |  +--rw log-action?       identityref
        |     +--rw flow-action
        |     |  +--rw ingress-action?   identityref
        |     |  +--rw egress-action?    identityref
        |     |  +--rw log-action?       identityref
        |     +--rw advanced-action
        |        +--rw content-security-control*    identityref
        |        +--rw attack-mitigation-control*   identityref
        +--rw rule-group
           ...

               Figure 4: YANG Tree Diagram for an Action Clause

   An action is used to control and monitor aspects of flow-based NSFs
   when the policy rule event and condition clauses are satisfied.  NSFs
   provide security services by executing various actions.  The action
   clause is defined as a packet action and a flow action, each
   consisting of an ingress action, an egress action, or a log action,
   and an advanced action for additional inspection.  The packet action
   is an action for an individual packet such as an IP datagram.  The
   flow action is an action of a traffic flow such as the packets of a
   TCP session (e.g., an HTTP/HTTPS session).  The advanced action is an
   action of an advanced network security function (e.g., web filter
   and DDoS-attack mitigator) for either a packet or a traffic flow.
   The action clause can be extended according to specific vendor action
   features.  The action clause is described in detail in
   [I-D.ietf-i2nsf-capability-data-model].

4.  YANG Data Model of NSF-Facing Interface

   The main objective of this data model is to provide both an
   information model and the corresponding YANG data model of I2NSF NSF-
   Facing Interface.  This interface can be used to deliver control and
   management messages between Security Controller and NSFs for the
   I2NSF low-level security policies.
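   The following is an added example and is not part of this draft or
   of the ietf-i2nsf-policy-rule-for-nsf module.  It shows, in Python,
   how the leaves of Figure 1 (rule-priority, rule-enable,
   resolution-strategy, default-action) interact with the condition
   clause of Figure 3 (exact-match versus range-match on
   pkt-sec-ipv4-dest and pkt-sec-tcp-dest-port-num) and the packet-action
   leaves of Figure 4 when an NSF evaluates a packet.  The rules and
   packets are constructed for illustration.  Assumptions not stated by
   the draft: the identity names are lowercased ("fmr", "lmr", "pass",
   "drop", "log"); a single "pmr" strategy stands in for PMRE/PMRN and
   does not model their error handling; and a higher rule-priority value
   wins under PMR.

```python
"""Added example: ECA rule evaluation over a subset of the NSF-Facing
Interface data model (not code from the draft)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, List, Optional


@dataclass
class Rule:
    """Subset of a 'rules' list entry: rule-name, rule-priority,
    rule-enable, a condition clause (predicates over a packet dict) and
    the packet-action ingress-action / log-action identities."""
    name: str
    priority: int
    enable: bool = True
    conditions: List[Callable[[dict], bool]] = field(default_factory=list)
    ingress_action: str = "pass"   # assumed identity name
    log_action: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        # A condition clause is the conjunction of its populated sub-conditions.
        return all(cond(pkt) for cond in self.conditions)


# Condition helpers mirroring the (match-type) choice of Figure 3.
def ipv4_dest_exact(prefix: str) -> Callable[[dict], bool]:
    """exact-match on pkt-sec-ipv4-dest with a prefix-length subnet."""
    net = IPv4Network(prefix)
    return lambda pkt: IPv4Address(pkt["dst"]) in net


def ipv4_dest_range(start: str, end: str) -> Callable[[dict], bool]:
    """range-match: start-ipv4-address .. end-ipv4-address, inclusive."""
    lo, hi = IPv4Address(start), IPv4Address(end)
    return lambda pkt: lo <= IPv4Address(pkt["dst"]) <= hi


def tcp_dest_port(*ports: int) -> Callable[[dict], bool]:
    """exact-match on pkt-sec-tcp-dest-port-num (a list of port-num)."""
    return lambda pkt: pkt.get("proto") == "tcp" and pkt.get("dport") in ports


def evaluate(rules: List[Rule], pkt: dict, resolution_strategy: str,
             default_action: str) -> Dict[str, Optional[str]]:
    """Select the action for pkt under the system-policy settings.

    resolution_strategy: 'fmr' (first matching rule), 'lmr' (last
    matching rule) or 'pmr' (highest rule-priority among matches; assumed
    simplification of PMRE/PMRN).  default_action is used when no enabled
    rule matches.  Rules with rule-enable = false are never consulted.
    """
    matched = [r for r in rules if r.enable and r.matches(pkt)]
    if not matched:
        return {"rule": None, "action": default_action, "log": None}
    if resolution_strategy == "fmr":
        chosen = matched[0]
    elif resolution_strategy == "lmr":
        chosen = matched[-1]
    elif resolution_strategy == "pmr":
        chosen = max(matched, key=lambda r: r.priority)
    else:
        raise ValueError(f"unknown resolution strategy {resolution_strategy!r}")
    return {"rule": chosen.name, "action": chosen.ingress_action,
            "log": chosen.log_action}


# Constructed sample policy: an allow rule for web ports into a subnet,
# a broader drop rule for the same subnet, and a disabled catch-all that
# must be ignored even though it carries the highest priority.
SAMPLE_RULES = [
    Rule("allow-web", priority=10,
         conditions=[ipv4_dest_exact("192.0.2.0/24"), tcp_dest_port(80, 443)],
         ingress_action="pass", log_action="log"),
    Rule("drop-subnet", priority=50,
         conditions=[ipv4_dest_range("192.0.2.0", "192.0.2.255")],
         ingress_action="drop"),
    Rule("disabled-pass-all", priority=99, enable=False,
         ingress_action="pass"),
]

if __name__ == "__main__":
    pkt = {"dst": "192.0.2.10", "proto": "tcp", "dport": 443}
    for strategy in ("fmr", "lmr", "pmr"):
        print(strategy, evaluate(SAMPLE_RULES, pkt, strategy, "drop"))
```

   The same packet yields "pass" under FMR and "drop" under LMR or PMR,
   which is exactly the kind of conflict the resolution-strategy leaf
   exists to settle; a controller that pushes overlapping rules without
   also pinning the strategy leaves the outcome to the NSF's default.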
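   As a second added example (again not code from the draft or the
   module), the Python below builds an XML instance of one system-policy
   entry that follows the element hierarchy of Figures 1, 3 and 4, using
   the namespace and prefix the module declares, and flattens it back to
   leaf paths so a generated configuration can be checked against the
   tree diagram before it is sent to an NSF.  The policy and rule names,
   addresses and ports are constructed; the identity values ("fmr",
   "pass", "drop", "log") are assumed names, since the identities for
   those leaves are not shown in this section.

```python
"""Added example: encoding a rule as an XML instance of the
ietf-i2nsf-policy-rule-for-nsf tree (not code from the draft)."""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Namespace and prefix as declared in the module header of Section 4.1.
NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"
ET.register_namespace("nsfintf", NS)


def _sub(parent: ET.Element, tag: str, text: Optional[str] = None) -> ET.Element:
    """Create a namespaced child element, optionally with leaf text."""
    el = ET.SubElement(parent, f"{{{NS}}}{tag}")
    if text is not None:
        el.text = text
    return el


def build_block_rule_policy(policy_name: str, rule_name: str,
                            dest_start: str, dest_end: str,
                            ports: List[int]) -> ET.Element:
    """Return <i2nsf-security-policy> holding one system-policy with one
    rule: range-match on pkt-sec-ipv4-dest, exact-match on
    pkt-sec-tcp-dest-port-num, and packet-action ingress-action = drop."""
    root = ET.Element(f"{{{NS}}}i2nsf-security-policy")
    sp = _sub(root, "system-policy")
    _sub(sp, "system-policy-name", policy_name)
    _sub(sp, "resolution-strategy", "fmr")   # assumed identity name
    _sub(sp, "default-action", "pass")       # assumed identity name

    rule = _sub(sp, "rules")
    _sub(rule, "rule-name", rule_name)
    _sub(rule, "rule-enable", "true")

    cond = _sub(rule, "condition-clause-container")
    ipv4 = _sub(cond, "packet-security-ipv4-condition")
    dest = _sub(ipv4, "pkt-sec-ipv4-dest")
    rng = _sub(dest, "range-ipv4-address")   # (match-type) = range-match
    _sub(rng, "start-ipv4-address", dest_start)
    _sub(rng, "end-ipv4-address", dest_end)
    tcp = _sub(cond, "packet-security-tcp-condition")
    dport = _sub(tcp, "pkt-sec-tcp-dest-port-num")
    for p in ports:                          # (match-type) = exact-match
        _sub(dport, "port-num", str(p))

    act = _sub(rule, "action-clause-container")
    pkt_act = _sub(act, "packet-action")
    _sub(pkt_act, "ingress-action", "drop")  # assumed identity name
    _sub(pkt_act, "log-action", "log")       # assumed identity name
    return root


def leaf_paths(root: ET.Element) -> List[Tuple[str, str]]:
    """Flatten an instance to (slash-path, text) pairs for its leaves,
    with namespaces stripped, for comparison against the tree diagram."""
    out: List[Tuple[str, str]] = []

    def walk(el: ET.Element, path: str) -> None:
        here = f"{path}/{el.tag.split('}', 1)[1]}"
        kids = list(el)
        if not kids:
            out.append((here, (el.text or "").strip()))
        for k in kids:
            walk(k, here)

    walk(root, "")
    return out


def to_xml(root: ET.Element) -> str:
    """Serialize with the registered nsfintf prefix."""
    return ET.tostring(root, encoding="unicode")


def parse_instance(xml_text: str) -> ET.Element:
    """Parse an instance back, e.g. one received from a controller."""
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    doc = build_block_rule_policy("sp1", "block-web-to-dmz",
                                  "192.0.2.1", "192.0.2.254", [80, 443])
    print(to_xml(doc))
    for path, value in leaf_paths(doc):
        print(path, "=", value)
```

   Flattening to leaf paths is a cheap pre-flight check: a path that
   does not exist in the tree diagram (for instance a port-num placed
   directly under packet-security-tcp-condition) would be rejected by a
   schema-aware NETCONF server, and catching it on the controller side
   avoids a half-applied policy on the NSF.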
615 This data model is designed to support the I2NSF framework that can 616 be extended according to the security needs. In other words, the 617 model design is independent of the content and meaning of specific 618 policies as well as the implementation approach. 620 With the YANG data model of I2NSF NSF-Facing Interface, this document 621 suggests use cases for security policy rules such as time-based 622 firewall, web filter, VoIP/VoLTE security service, and DDoS-attack 623 mitigation in Section 5. 625 4.1. YANG Module of NSF-Facing Interface 627 This section describes a YANG module of NSF-Facing Interface. This 628 YANG module imports from [RFC6991]. It makes references to [RFC0768] 629 [RFC0791][RFC0792][RFC0793][RFC3261][RFC4443][RFC8200][RFC8329][RFC83 630 35][RFC8344][ISO-Country-Codes][IANA-Protocol-Numbers]. 632 file "ietf-i2nsf-policy-rule-for-nsf@2021-03-08.yang" 633 module ietf-i2nsf-policy-rule-for-nsf { 634 yang-version 1.1; 635 namespace 636 "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"; 637 prefix 638 nsfintf; 640 import ietf-inet-types{ 641 prefix inet; 642 reference "RFC 6991"; 643 } 644 import ietf-yang-types{ 645 prefix yang; 646 reference "RFC 6991"; 647 } 649 organization 650 "IETF I2NSF (Interface to Network Security Functions) 651 Working Group"; 653 contact 654 "WG Web: 655 WG List: 657 Editor: Jingyong Tim Kim 658 660 Editor: Jaehoon Paul Jeong 661 "; 663 description 664 "This module is a YANG module for Network Security Functions 665 (NSF)-Facing Interface. 667 Copyright (c) 2021 IETF Trust and the persons identified as 668 authors of the code. All rights reserved. 670 Redistribution and use in source and binary forms, with or 671 without modification, is permitted pursuant to, and subject to 672 the license terms contained in, the Simplified BSD License set 673 forth in Section 4.c of the IETF Trust's Legal Provisions 674 Relating to IETF Documents 675 (https://trustee.ietf.org/license-info). 
   This version of this YANG module is part of RFC XXXX
   (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
   for full legal notices.";

  revision "2021-03-08" {
    description
      "The latest revision.";
    reference
      "RFC XXXX: I2NSF Network Security Function-Facing Interface
       YANG Data Model";
  }

  /*
   * Identities
   */

  identity priority-usage-type {
    description
      "Base identity for priority usage type.";
  }

  identity priority-by-order {
    base priority-usage-type;
    description
      "Identity for priority by order.";
  }

  identity priority-by-number {
    base priority-usage-type;
    description
      "Identity for priority by number.";
  }

  identity event {
    description
      "Base identity for policy events.";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - Event";
  }

  identity system-event {
    base event;
    description
      "Identity for system events.";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System event";
  }

  identity system-alarm {
    base event;
    description
      "Identity for system alarms.";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System alarm";
  }

  identity access-violation {
    base system-event;
    description
      "Identity for access violation system events.";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System event for access
       violation";
  }

  identity configuration-change {
    base system-event;
    description
      "Identity for configuration change system events.";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System event for configuration
       change";
  }

  identity memory-alarm {
    base system-alarm;
    description
      "Identity for memory system alarms.";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System alarm for memory";
  }

  identity cpu-alarm {
    base system-alarm;
    description
      "Identity for CPU system alarms.";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System alarm for CPU";
  }

  identity disk-alarm {
    base system-alarm;
    description
      "Identity for disk system alarms.";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System alarm for disk";
  }

  identity hardware-alarm {
    base system-alarm;
    description
      "Identity for hardware system alarms.";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System alarm for hardware";
  }

  identity interface-alarm {
    base system-alarm;
    description
      "Identity for interface system alarms.";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF NSF
       Monitoring YANG Data Model - System alarm for interface";
  }

  identity type-of-service {
    description
      "Base identity for the IPv4 Type of Service (TOS) field.
       Note that RFC 2474 redefines this octet as the
       Differentiated Services (DS) field, so an NSF matching
       on these values must interpret the octet per its own
       policy.";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 1349: Type of Service in the Internet Protocol Suite
       RFC 2474: Definition of the Differentiated Services Field
       (DS Field) in the IPv4 and IPv6 Headers";
  }

  identity traffic-class {
    description
      "Base identity for the IPv6 Traffic Class field.";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity normal {
    base type-of-service;
    base traffic-class;
    description
      "Identity for normal service IPv4 TOS and IPv6 Traffic
       Class.";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity minimize-cost {
    base type-of-service;
    base traffic-class;
    description
      "Identity for 'minimize monetary cost' IPv4 TOS and
       IPv6 Traffic Class.";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 1349: Type of Service in the Internet Protocol Suite
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity maximize-reliability {
    base type-of-service;
    base traffic-class;
    description
      "Identity for 'maximize reliability' IPv4 TOS and
       IPv6 Traffic Class.";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity maximize-throughput {
    base type-of-service;
    base traffic-class;
    description
      "Identity for 'maximize throughput' IPv4 TOS and
       IPv6 Traffic Class.";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity minimize-delay {
    base type-of-service;
    base traffic-class;
    description
      "Identity for 'minimize delay' IPv4 TOS and
       IPv6 Traffic Class.";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity maximize-security {
    base type-of-service;
    base traffic-class;
    description
      "Identity for 'maximize security' IPv4 TOS and
       IPv6 Traffic Class.";
    reference
      "RFC 791: Internet Protocol - Type of Service
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Traffic Class";
  }

  identity fragmentation-flags-type {
    description
      "Base identity for the IPv4 fragmentation flags.";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity fragment {
    base fragmentation-flags-type;
    description
      "Identity for the 'More Fragments' (MF) flag.";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity no-fragment {
    base fragmentation-flags-type;
    description
      "Identity for the 'Don't Fragment' (DF) flag.";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity reserved {
    base fragmentation-flags-type;
    description
      "Identity for the reserved flag bit, which must be zero.";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity protocol {
    description
      "Base identity for the IPv4 Protocol field.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol";
  }

  identity next-header {
    description
      "Base identity for the IPv6 Next Header field.";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity icmp {
    base protocol;
    base next-header;
    description
      "Identity for ICMP (protocol number 1) as IPv4 protocol
       and IPv6 next header.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity igmp {
    base protocol;
    base next-header;
    description
      "Identity for IGMP (protocol number 2) as IPv4 protocol
       and IPv6 next header.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity tcp {
    base protocol;
    base next-header;
    description
      "Identity for TCP (protocol number 6) as IPv4 protocol
       and IPv6 next header.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity igrp {
    base protocol;
    base next-header;
    description
      "Identity for IGRP (protocol number 9, registered by IANA
       as IGP) as IPv4 protocol and IPv6 next header.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity udp {
    base protocol;
    base next-header;
    description
      "Identity for UDP (protocol number 17) as IPv4 protocol
       and IPv6 next header.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity gre {
    base protocol;
    base next-header;
    description
      "Identity for GRE (protocol number 47) as IPv4 protocol
       and IPv6 next header.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity esp {
    base protocol;
    base next-header;
    description
      "Identity for ESP (protocol number 50) as IPv4 protocol
       and IPv6 next header.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ah {
    base protocol;
    base next-header;
    description
      "Identity for AH (protocol number 51) as IPv4 protocol
       and IPv6 next header.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity mobile {
    base protocol;
    base next-header;
    description
      "Identity for IP Mobility (MOBILE, protocol number 55) as
       IPv4 protocol and IPv6 next header.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity tlsp {
    base protocol;
    base next-header;
    description
      "Identity for TLSP (protocol number 56) as IPv4 protocol
       and IPv6 next header.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity skip {
    base protocol;
    base next-header;
    description
      "Identity for SKIP (protocol number 57) as IPv4 protocol
       and IPv6 next header.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ipv6-icmp {
    base protocol;
    base next-header;
    description
      "Identity for ICMPv6 (protocol number 58) as IPv6 next
       header.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 4443: Internet Control Message Protocol (ICMPv6)
       for the Internet Protocol Version 6 (IPv6) Specification
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity eigrp {
    base protocol;
    base next-header;
    description
      "Identity for EIGRP (protocol number 88) as IPv4 protocol
       and IPv6 next header.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ospf {
    base protocol;
    base next-header;
    description
      "Identity for OSPF (protocol number 89) as IPv4 protocol
       and IPv6 next header.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity l2tp {
    base protocol;
    base next-header;
    description
      "Identity for L2TP (protocol number 115) as IPv4 protocol
       and IPv6 next header.";
    reference
      "IANA: Assigned Internet Protocol Numbers
       RFC 791: Internet Protocol - Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - Next Header";
  }

  identity ipopts {
    description
      "Base identity for IPv4 options.";
    reference
      "IANA: IP Option Numbers
       RFC 791: Internet Protocol - Options";
  }
  identity rr {
    base ipopts;
    description
      "Identity for the 'Record Route' IP option (type 7).";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity eol {
    base ipopts;
    description
      "Identity for the 'End of Option List' IP option
       (type 0).";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity nop {
    base ipopts;
    description
      "Identity for the 'No Operation' IP option (type 1).";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity ts {
    base ipopts;
    description
      "Identity for the 'Internet Timestamp' IP option
       (type 68).";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity sec {
    base ipopts;
    description
      "Identity for the 'Security' IP option (type 130).";
    reference
      "RFC 791: Internet Protocol - Options
       RFC 1108: U.S. Department of Defense Security Options
       for the Internet Protocol";
  }

  identity esec {
    base ipopts;
    description
      "Identity for the 'Extended Security' IP option
       (type 133).";
    reference
      "RFC 1108: U.S. Department of Defense Security Options
       for the Internet Protocol";
  }

  identity lsrr {
    base ipopts;
    description
      "Identity for the 'Loose Source and Record Route' IP
       option (type 131).";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity ssrr {
    base ipopts;
    description
      "Identity for the 'Strict Source and Record Route' IP
       option (type 137).";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity satid {
    base ipopts;
    description
      "Identity for the 'Stream Identifier' IP option
       (type 136).";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity any {
    base ipopts;
    description
      "Identity matching any IP option present in an IPv4
       packet.";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity tcp-flags {
    description
      "Base identity for TCP flags.";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity cwr {
    base tcp-flags;
    description
      "Identity for the 'Congestion Window Reduced' (CWR) TCP
       flag.";
    reference
      "RFC 3168: The Addition of Explicit Congestion
       Notification (ECN) to IP";
  }

  identity ecn {
    base tcp-flags;
    description
      "Identity for the 'ECN-Echo' (ECE) TCP flag.";
    reference
      "RFC 3168: The Addition of Explicit Congestion
       Notification (ECN) to IP";
  }

  identity urg {
    base tcp-flags;
    description
      "Identity for the 'Urgent' (URG) TCP flag.";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity ack {
    base tcp-flags;
    description
      "Identity for the 'Acknowledgment' (ACK) TCP flag.";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity psh {
    base tcp-flags;
    description
      "Identity for the 'Push' (PSH) TCP flag.";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity rst {
    base tcp-flags;
    description
      "Identity for the 'Reset' (RST) TCP flag.";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity syn {
    base tcp-flags;
    description
      "Identity for the 'Synchronize' (SYN) TCP flag.";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity fin {
    base tcp-flags;
    description
      "Identity for the 'Finish' (FIN) TCP flag.";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity icmp-type {
    description
      "Base identity for ICMP message types and codes.";
    reference
      "IANA: ICMP Parameters
       RFC 792: Internet Control Message Protocol";
  }

  identity echo-reply {
    base icmp-type;
    description
      "Identity for the 'Echo Reply' ICMP message (type 0).";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-unreachable {
    base icmp-type;
    description
      "Identity for the 'Destination Unreachable' ICMP message
       (type 3).";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect {
    base icmp-type;
    description
      "Identity for the 'Redirect' ICMP message (type 5).";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity echo {
    base icmp-type;
    description
      "Identity for the 'Echo' ICMP message (type 8).";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity router-advertisement {
    base icmp-type;
    description
      "Identity for the 'Router Advertisement' ICMP message
       (type 9).";
    reference
      "RFC 1256: ICMP Router Discovery Messages";
  }

  identity router-solicitation {
    base icmp-type;
    description
      "Identity for the 'Router Solicitation' ICMP message
       (type 10).";
    reference
      "RFC 1256: ICMP Router Discovery Messages";
  }

  identity time-exceeded {
    base icmp-type;
    description
      "Identity for the 'Time Exceeded' ICMP message
       (type 11).";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity parameter-problem {
    base icmp-type;
    description
      "Identity for the 'Parameter Problem' ICMP message
       (type 12).";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity timestamp {
    base icmp-type;
    description
      "Identity for the 'Timestamp' ICMP message (type 13).";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity timestamp-reply {
    base icmp-type;
    description
      "Identity for the 'Timestamp Reply' ICMP message
       (type 14).";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity datagram-conversion-error {
    base icmp-type;
    description
      "Identity for the 'Datagram Conversion Error' ICMP
       message (type 31).";
    reference
      "RFC 1475: TP/IX: The Next Internet";
  }

  identity experimental-mobility-protocols {
    base icmp-type;
    description
      "Identity for the 'Experimental Mobility Protocols' ICMP
       message (type 41).";
    reference
      "RFC 4065: Instructions for Seamoby and Experimental
       Mobility Protocol IANA Allocations";
  }

  identity
 extended-echo-request {
    base icmp-type;
    description
      "Identity for the 'Extended Echo Request' ICMP message
       (type 42).";
    reference
      "RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity extended-echo-reply {
    base icmp-type;
    description
      "Identity for the 'Extended Echo Reply' ICMP message
       (type 43).";
    reference
      "RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity net-unreachable {
    base icmp-type;
    description
      "Identity for 'Net Unreachable' (code 0) of the ICMP
       Destination Unreachable message.";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity host-unreachable {
    base icmp-type;
    description
      "Identity for 'Host Unreachable' (code 1) of the ICMP
       Destination Unreachable message.";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity protocol-unreachable {
    base icmp-type;
    description
      "Identity for 'Protocol Unreachable' (code 2) of the ICMP
       Destination Unreachable message.";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity port-unreachable {
    base icmp-type;
    description
      "Identity for 'Port Unreachable' (code 3) of the ICMP
       Destination Unreachable message.";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity fragment-set {
    base icmp-type;
    description
      "Identity for 'Fragmentation Needed and Don't Fragment
       was Set' (code 4) of the ICMP Destination Unreachable
       message.";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity source-route-failed {
    base icmp-type;
    description
      "Identity for 'Source Route Failed' (code 5) of the ICMP
       Destination Unreachable message.";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity destination-network-unknown {
    base icmp-type;
    description
      "Identity for 'Destination Network Unknown' (code 6) of
       the ICMP Destination Unreachable message.";
    reference
      "RFC 1122: Requirements for Internet Hosts -
       Communication Layers";
  }

  identity destination-host-unknown {
    base icmp-type;
    description
      "Identity for 'Destination Host Unknown' (code 7) of the
       ICMP Destination Unreachable message.";
    reference
      "RFC 1122: Requirements for Internet Hosts -
       Communication Layers";
  }

  identity source-host-isolated {
    base icmp-type;
    description
      "Identity for 'Source Host Isolated' (code 8) of the ICMP
       Destination Unreachable message.";
    reference
      "RFC 1122: Requirements for Internet Hosts -
       Communication Layers";
  }

  identity communication-prohibited-with-destination-network {
    base icmp-type;
    description
      "Identity for 'Communication with Destination Network is
       Administratively Prohibited' (code 9) of the ICMP
       Destination Unreachable message.";
    reference
      "RFC 1122: Requirements for Internet Hosts -
       Communication Layers";
  }

  identity communication-prohibited-with-destination-host {
    base icmp-type;
    description
      "Identity for 'Communication with Destination Host is
       Administratively Prohibited' (code 10) of the ICMP
       Destination Unreachable message.";
    reference
      "RFC 1122: Requirements for Internet Hosts -
       Communication Layers";
  }

  identity destination-network-unreachable-for-tos {
    base icmp-type;
    description
      "Identity for 'Destination Network Unreachable for Type
       of Service' (code 11) of the ICMP Destination
       Unreachable message.";
    reference
      "RFC 1122: Requirements for Internet Hosts -
       Communication Layers";
  }

  identity destination-host-unreachable-for-tos {
    base icmp-type;
    description
      "Identity for 'Destination Host Unreachable for Type of
       Service' (code 12) of the ICMP Destination Unreachable
       message.";
    reference
      "RFC 1122: Requirements for Internet Hosts -
       Communication Layers";
  }

  identity communication-prohibited {
    base icmp-type;
    description
      "Identity for 'Communication Administratively Prohibited'
       (code 13) of the ICMP Destination Unreachable message.";
    reference
      "RFC 1812: Requirements for IP Version 4 Routers";
  }

  identity host-precedence-violation {
    base icmp-type;
    description
      "Identity for 'Host Precedence Violation' (code 14) of
       the ICMP Destination Unreachable message.";
    reference
      "RFC 1812: Requirements for IP Version 4 Routers";
  }

  identity precedence-cutoff-in-effect {
    base icmp-type;
    description
      "Identity for 'Precedence Cutoff in Effect' (code 15) of
       the ICMP Destination Unreachable message.";
    reference
      "RFC 1812: Requirements for IP Version 4 Routers";
  }

  identity redirect-datagram-for-the-network {
    base icmp-type;
    description
      "Identity for 'Redirect Datagram for the Network (or
       subnet)' (code 0) of the ICMP Redirect message.";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect-datagram-for-the-host {
    base icmp-type;
    description
      "Identity for 'Redirect Datagram for the Host' (code 1)
       of the ICMP Redirect message.";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect-datagram-for-the-tos-and-network {
    base icmp-type;
    description
      "Identity for 'Redirect Datagram for the Type of Service
       and Network' (code 2) of the ICMP Redirect message.";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity redirect-datagram-for-the-tos-and-host {
    base icmp-type;
    description
      "Identity for 'Redirect Datagram for the Type of Service
       and Host' (code 3) of the ICMP Redirect message.";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity normal-router-advertisement {
    base icmp-type;
    description
      "Identity for 'Normal Router Advertisement' (code 0) of
       the ICMP Router Advertisement message.";
    reference
      "RFC 1256: ICMP Router Discovery Messages";
  }

  identity does-not-route-common-traffic {
    base icmp-type;
    description
      "Identity for 'Does Not Route Common Traffic' (code 16)
       of the ICMP Router Advertisement message.";
    reference
      "RFC 2002: IP Mobility Support";
  }

  identity
 time-to-live-exceeded-in-transit {
    base icmp-type;
    description
      "Identity for 'Time to Live Exceeded in Transit' (code 0)
       of the ICMP Time Exceeded message.";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity fragment-reassembly-time-exceeded {
    base icmp-type;
    description
      "Identity for 'Fragment Reassembly Time Exceeded'
       (code 1) of the ICMP Time Exceeded message.";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity pointer-indicates-the-error {
    base icmp-type;
    description
      "Identity for 'Pointer Indicates the Error' (code 0) of
       the ICMP Parameter Problem message.";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity missing-a-required-option {
    base icmp-type;
    description
      "Identity for 'Missing a Required Option' (code 1) of the
       ICMP Parameter Problem message.";
    reference
      "RFC 1108: U.S. Department of Defense Security Options
       for the Internet Protocol";
  }

  identity bad-length {
    base icmp-type;
    description
      "Identity for 'Bad Length' (code 2) of the ICMP Parameter
       Problem message.";
    reference
      "RFC 792: Internet Control Message Protocol";
  }

  identity bad-spi {
    base icmp-type;
    description
      "Identity for 'Bad SPI' (code 0) of the ICMP Photuris
       message (type 40).";
    reference
      "RFC 2521: ICMP Security Failures Messages";
  }

  identity authentication-failed {
    base icmp-type;
    description
      "Identity for 'Authentication Failed' (code 1) of the
       ICMP Photuris message (type 40).";
    reference
      "RFC 2521: ICMP Security Failures Messages";
  }

  identity decompression-failed {
    base icmp-type;
    description
      "Identity for 'Decompression Failed' (code 2) of the ICMP
       Photuris message (type 40).";
    reference
      "RFC 2521: ICMP Security Failures Messages";
  }

  identity decryption-failed {
    base icmp-type;
    description
      "Identity for 'Decryption Failed' (code 3) of the ICMP
       Photuris message (type 40).";
    reference
      "RFC 2521: ICMP Security Failures Messages";
  }

  identity need-authentication {
    base icmp-type;
    description
      "Identity for 'Need Authentication' (code 4) of the ICMP
       Photuris message (type 40).";
    reference
      "RFC 2521: ICMP Security Failures Messages";
  }

  identity need-authorization {
    base icmp-type;
    description
      "Identity for 'Need Authorization' (code 5) of the ICMP
       Photuris message (type 40).";
    reference
      "RFC 2521: ICMP Security Failures Messages";
  }

  identity req-no-error {
    base icmp-type;
    description
      "Identity for 'No Error' (code 0) of the ICMP Extended
       Echo Request message.";
    reference
      "RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity rep-no-error {
    base icmp-type;
    description
      "Identity for 'No Error' (code 0) of the ICMP Extended
       Echo Reply message.";
    reference
      "RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity malformed-query {
    base icmp-type;
    description
      "Identity for 'Malformed Query' (code 1) of the ICMP
       Extended Echo Reply message.";
    reference
      "RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity no-such-interface {
    base icmp-type;
    description
      "Identity for 'No Such Interface' (code 2) of the ICMP
       Extended Echo Reply message.";
    reference
      "RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity no-such-table-entry {
    base icmp-type;
    description
      "Identity for 'No Such Table Entry' (code 3) of the ICMP
       Extended Echo Reply message.";
    reference
      "RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity multiple-interfaces-satisfy-query {
    base icmp-type;
    description
      "Identity for 'Multiple Interfaces Satisfy Query'
       (code 4) of the ICMP Extended Echo Reply message.";
    reference
      "RFC 8335: PROBE: A Utility for Probing Interfaces";
  }

  identity target-device {
    description
      "Base identity for target devices.";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model";
  }

  identity computer {
    base target-device;
    description
      "Identity for computers such as personal computers (PCs)
       and servers.";
  }

  identity mobile-phone {
    base target-device;
    description
      "Identity for mobile phones such as smartphones and
       cellphones.";
  }

  identity voip-volte-phone {
    base target-device;
    description
      "Identity for VoIP/VoLTE phones.";
  }

  identity tablet {
    base target-device;
    description
      "Identity for tablets.";
  }

  identity network-infrastructure-device {
    base target-device;
    description
      "Identity for network infrastructure devices such as
       switches, routers, and access points.";
  }

  identity iot {
    base target-device;
    description
      "Identity for IoT (Internet of Things) devices.";
  }

  identity vehicle {
    base target-device;
    description
      "Identity for vehicles that connect to and share data
       through the Internet.";
  }

  identity content-security-control {
    description
      "Base identity for content security control.";
    reference
      "RFC 8329: Framework for Interface to
       Network Security Functions - Flow-Based
       NSF Capability Characterization
       draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model";
  }

  identity firewall {
    base content-security-control;
    description
      "Identity for a firewall, which monitors incoming and
       outgoing network traffic and permits or blocks packets
       based on a set of security rules.";
  }

  identity antivirus {
    base content-security-control;
    description
      "Identity for antivirus, which prevents, scans, detects,
       and deletes viruses from a computer.";
  }

  identity ips {
    base content-security-control;
    description
      "Identity for IPS
       (Intrusion Prevention System), which prevents malicious
       activity within a network.";
  }

  identity ids {
    base content-security-control;
    description
      "Identity for IDS (Intrusion Detection System), which
       detects malicious activity within a network.";
  }

  identity url-filtering {
    base content-security-control;
    description
      "Identity for URL filtering, which limits access by
       comparing the URL of web traffic with the URLs in a web
       filtering database.";
  }

  identity mail-filtering {
    base content-security-control;
    description
      "Identity for mail filtering, which filters out malicious
       email messages by comparing the sender address with the
       email addresses of malicious users in a database.";
  }

  identity file-blocking {
    base content-security-control;
    description
      "Identity for file blocking, which blocks the download or
       upload of malicious files using information about
       suspicious files in a database.";
  }

  identity pkt-capture {
    base content-security-control;
    description
      "Identity for packet capture, which intercepts packets
       crossing a specific network.";
  }

  identity application-control {
    base content-security-control;
    description
      "Identity for application control, which filters out the
       packets of malicious applications using information
       about those applications in a database.";
  }

  identity voip-volte {
    base content-security-control;
    description
      "Identity for the VoIP/VoLTE security service, which
       filters out the packets of malicious users using a block
       list of malicious users in a database.";
  }

  identity attack-mitigation-control {
    description
      "Base identity for attack mitigation control.";
    reference
      "RFC 8329: Framework for Interface to
       Network Security Functions - Flow-Based
       NSF Capability Characterization
       draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model";
  }

  identity syn-flood {
    base attack-mitigation-control;
    description
      "Identity for mitigation of SYN flood attacks.";
  }

  identity udp-flood {
    base attack-mitigation-control;
    description
      "Identity for mitigation of UDP flood attacks.";
  }

  identity icmp-flood {
    base attack-mitigation-control;
    description
      "Identity for mitigation of ICMP flood attacks.";
  }

  identity ip-frag-flood {
    base attack-mitigation-control;
    description
      "Identity for mitigation of IP fragmentation flood
       attacks.";
  }

  identity http-and-https-flood {
    base attack-mitigation-control;
    description
      "Identity for mitigation of HTTP and HTTPS flood
       attacks.";
  }

  identity dns-flood {
    base attack-mitigation-control;
    description
      "Identity for mitigation of DNS flood attacks.";
  }

  identity dns-amp-flood {
    base attack-mitigation-control;
    description
      "Identity for mitigation of DNS amplification flood
       attacks.";
  }

  identity ntp-amp-flood {
    base attack-mitigation-control;
    description
      "Identity for mitigation of NTP amplification flood
       attacks.";
  }

  identity ssl-ddos {
    base attack-mitigation-control;
    description
      "Identity for mitigation of SSL/TLS DDoS attacks.";
  }

  identity ip-sweep {
    base attack-mitigation-control;
    description
      "Identity for mitigation of IP sweep (host discovery)
       attacks.";
  }

  identity port-scanning {
    base attack-mitigation-control;
    description
      "Identity for mitigation of port scanning attacks.";
  }

  identity ping-of-death {
    base attack-mitigation-control;
    description
      "Identity for mitigation of ping-of-death attacks.";
  }

  identity teardrop {
    base attack-mitigation-control;
    description
      "Identity for mitigation of teardrop attacks.";
  }

  identity oversized-icmp {
    base attack-mitigation-control;
    description
      "Identity for mitigation of oversized ICMP attacks.";
  }

  identity tracert {
    base attack-mitigation-control;
    description
      "Identity for mitigation of tracert (traceroute) probing
       attacks.";
  }

  identity ingress-action {
    description
      "Base identity for ingress action.";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Ingress Action";
  }

  identity egress-action {
    description
      "Base identity for egress action.";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Egress Action";
  }

  identity default-action {
    description
      "Base identity for default action.";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Default Action";
  }

  identity pass {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for pass: the packet is allowed through.";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Actions and
       Default Action";
  }

  identity drop {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for drop: the packet is discarded silently,
       without notifying the sender.";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Actions and
       Default Action";
  }

  identity reject {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "Identity for reject: the packet is discarded and the
       sender is notified (e.g., by an ICMP error or TCP RST).";
    reference
"draft-ietf-i2nsf-capability-data-model-15: 2093 I2NSF Capability YANG Data Model - Actions and 2094 Default Action"; 2095 } 2097 identity alert { 2098 base ingress-action; 2099 base egress-action; 2100 base default-action; 2101 description 2102 "Identity for alert"; 2103 reference 2104 "draft-ietf-i2nsf-capability-data-model-15: 2105 I2NSF Capability YANG Data Model - Actions and 2106 Default Action"; 2107 } 2109 identity mirror { 2110 base ingress-action; 2111 base egress-action; 2112 base default-action; 2113 description 2114 "Identity for mirror"; 2115 reference 2116 "draft-ietf-i2nsf-capability-data-model-15: 2117 I2NSF Capability YANG Data Model - Actions and 2118 Default Action"; 2119 } 2121 identity log-action { 2122 description 2123 "Base identity for log action"; 2124 } 2126 identity rule-log { 2127 base log-action; 2128 description 2129 "Identity for rule log"; 2130 } 2132 identity session-log { 2133 base log-action; 2134 description 2135 "Identity for session log"; 2136 } 2138 identity invoke-signaling { 2139 base egress-action; 2140 description 2141 "Identity for invoke signaling"; 2142 } 2144 identity tunnel-encapsulation { 2145 base egress-action; 2146 description 2147 "Identity for tunnel encapsulation"; 2148 } 2149 identity forwarding { 2150 base egress-action; 2151 description 2152 "Identity for forwarding"; 2153 } 2155 identity redirection { 2156 base egress-action; 2157 description 2158 "Identity for redirection"; 2160 } 2162 identity resolution-strategy { 2163 description 2164 "Base identity for resolution strategy"; 2165 reference 2166 "draft-ietf-i2nsf-capability-data-model-15: 2167 I2NSF Capability YANG Data Model - Resolution Strategy"; 2168 } 2170 identity fmr { 2171 base resolution-strategy; 2172 description 2173 "Identity for First Matching Rule (FMR)"; 2174 reference 2175 "draft-ietf-i2nsf-capability-data-model-15: 2176 I2NSF Capability YANG Data Model - Resolution Strategy"; 2177 } 2179 identity lmr { 2180 base resolution-strategy; 
    description
      "Identity for Last Matching Rule (LMR)";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Resolution Strategy";
  }

  identity pmr {
    base resolution-strategy;
    description
      "Identity for Prioritized Matching Rule (PMR)";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Resolution Strategy";
  }

  identity pmre {
    base resolution-strategy;
    description
      "Identity for Prioritized Matching Rule
       with Errors (PMRE)";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Resolution Strategy";
  }

  identity pmrn {
    base resolution-strategy;
    description
      "Identity for Prioritized Matching Rule
       with No Errors (PMRN)";
    reference
      "draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Resolution Strategy";
  }

  /*
   * Typedefs
   */

  typedef start-time-type {
    type union {
      type string {
        pattern '\d{2}:\d{2}:\d{2}(\.\d+)?'
              + '(Z|[\+\-]\d{2}:\d{2})';
      }

      type enumeration {
        enum right-away {
          description
            "Immediate rule execution
             in the system.";
        }
      }
    }

    description
      "Start time when the rules are applied.";
  }

  typedef end-time-type {
    type union {
      type string {
        pattern '\d{2}:\d{2}:\d{2}(\.\d+)?'
              + '(Z|[\+\-]\d{2}:\d{2})';
      }

      type enumeration {
        enum infinitely {
          description
            "Infinite rule execution
             in the system.";
        }
      }
    }
    description
      "End time when the rules are applied.";
  }

  typedef day-type {
    type enumeration {
      enum sunday {
        description
          "Sunday for periodic day";
      }
      enum monday {
        description
          "Monday for periodic day";
      }
      enum tuesday {
        description
          "Tuesday for periodic day";
      }
      enum wednesday {
        description
          "Wednesday for periodic day";
      }
      enum thursday {
        description
          "Thursday for periodic day";
      }
      enum friday {
        description
          "Friday for periodic day";
      }
      enum saturday {
        description
          "Saturday for periodic day";
      }
    }
    description
      "This can be used for the rules to be applied
       according to periodic day";
  }

  typedef month-type {
    type enumeration {
      enum january {
        description
          "January for periodic month";
      }
      enum february {
        description
          "February for periodic month";
      }
      enum march {
        description
          "March for periodic month";
      }
      enum april {
        description
          "April for periodic month";
      }
      enum may {
        description
          "May for periodic month";
      }
      enum june {
        description
          "June for periodic month";
      }
      enum july {
        description
          "July for periodic month";
      }
      enum august {
        description
          "August for periodic month";
      }
      enum september {
        description
          "September for periodic month";
      }
      enum october {
        description
          "October for periodic month";
      }
      enum november {
        description
          "November for periodic month";
      }
      enum december {
        description
          "December for periodic month";
      }
    }
    description
      "This can be used for the rules to be
       applied according to periodic month";
  }

  /*
   * Groupings
   */

  grouping ipv4 {
    list ipv4-address {
      key "ipv4";
      description
        "The list of IPv4 addresses.";

      leaf ipv4 {
        type inet:ipv4-address;
        description
          "The value of IPv4 address.";
      }
      choice subnet {
        description
          "The subnet can be specified as a prefix length or
           netmask.";
        leaf prefix-length {
          type uint8 {
            range "0..32";
          }
          description
            "The length of the subnet prefix.";
        }
        leaf netmask {
          type yang:dotted-quad;
          description
            "The subnet specified as a netmask.";
        }
      }
    }
    description
      "Grouping for an IPv4 address";

    reference
      "RFC 791: Internet Protocol - IPv4 address
       RFC 8344: A YANG Data Model for IP Management";
  }

  grouping ipv6 {
    list ipv6-address {
      key "ipv6";
      description
        "The list of IPv6 addresses.";

      leaf ipv6 {
        type inet:ipv6-address;
        description
          "The value of IPv6 address.";
      }

      leaf prefix-length {
        type uint8 {
          range "0..128";
        }
        description
          "The length of the subnet prefix.";
      }
    }
    description
      "Grouping for an IPv6 address";

    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - IPv6 address
       RFC 8344: A YANG Data Model for IP Management";
  }

  grouping pkt-sec-ipv4 {
    choice match-type {
      description
        "There are two types of security policy IPv4 address
         matching - exact match and range match.";
      case exact-match {
        uses ipv4;
        description
          "Exact match for an IPv4 address.";
      }
      case range-match {
        list range-ipv4-address {
          key "start-ipv4-address end-ipv4-address";
          leaf start-ipv4-address {
            type inet:ipv4-address;
            description
              "Starting IPv4 address for a range match.";
          }

          leaf end-ipv4-address {
            type
              inet:ipv4-address;
            description
              "Ending IPv4 address for a range match.";
          }
          description
            "Range match for an IPv4 address.";
        }
      }
    }
    description
      "Grouping for an IPv4 address.";

    reference
      "RFC 791: Internet Protocol - IPv4 address";
  }

  grouping pkt-sec-ipv6 {
    choice match-type {
      description
        "There are two types of security policy IPv6 address
         matching - exact match and range match.";
      case exact-match {
        uses ipv6;
        description
          "Exact match for an IPv6 address.";
      }
      case range-match {
        list range-ipv6-address {
          key "start-ipv6-address end-ipv6-address";
          leaf start-ipv6-address {
            type inet:ipv6-address;
            description
              "Starting IPv6 address for a range match.";
          }

          leaf end-ipv6-address {
            type inet:ipv6-address;
            description
              "Ending IPv6 address for a range match.";
          }
          description
            "Range match for an IPv6 address.";
        }
      }
    }
    description
      "Grouping for an IPv6 address.";

    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       Specification - IPv6 address";
  }

  grouping pkt-sec-port-number {
    choice match-type {
      description
        "There are two types of security policy TCP/UDP port
         matching - exact match and range match.";
      case exact-match {
        leaf-list port-num {
          type inet:port-number;
          description
            "Exact match for a port number.";
        }
      }
      case range-match {
        list range-port-num {
          key "start-port-num end-port-num";
          leaf start-port-num {
            type inet:port-number;
            description
              "Starting port number for a range match.";
          }
          leaf end-port-num {
            type inet:port-number;
            description
              "Ending port number for a range match.";
          }
          description
            "Range match for a port number.";
        }
      }
    }
    description
      "Grouping for port number.";

    reference
      "RFC 793: Transmission Control Protocol - Port number
       RFC 768: User Datagram Protocol - Port Number";
  }

  /*
   * Data nodes
   */

  container i2nsf-security-policy {
    description
      "Container for security policy
       including a set of security rules according to certain logic,
       i.e., their similarity or mutual relations, etc. The network
       security policy can be applied to both the unidirectional
       and bidirectional traffic across the NSF.
       The I2NSF security policies use the Event-Condition-Action
       (ECA) policy model.";

    reference
      "RFC 8329: Framework for Interface to Network Security
       Functions - I2NSF Flow Security Policy Structure
       draft-ietf-i2nsf-capability-data-model-15:
       I2NSF Capability YANG Data Model - Design Principles and
       ECA Policy Model Overview";

    list system-policy {
      key "system-policy-name";
      description
        "The system-policy list represents that there can be
         multiple system policies in one NSF, and each system
         policy is used by one virtual instance of the NSF/device.";

      leaf system-policy-name {
        type string;
        description
          "The name of the policy.
           This must be unique.";
      }

      leaf priority-usage {
        type identityref {
          base priority-usage-type;
        }
        default priority-by-order;
        description
          "Priority usage type for security policy rule:
           priority by order and priority by number";
      }

      leaf resolution-strategy {
        type identityref {
          base resolution-strategy;
        }
        default fmr;
        description
          "The resolution strategies that can be used to
           specify how to resolve conflicts that occur between
           actions of the same or different policy rules that
           are matched and contained in this particular NSF";

        reference
          "draft-ietf-i2nsf-capability-data-model-15:
           I2NSF Capability YANG Data Model - Resolution strategy";
      }

      leaf default-action {
        type identityref {
          base default-action;
        }
        default alert;
        description
          "This default action can be used to specify a predefined
           action when no other alternative action was matched
           by the currently executing I2NSF Policy Rule. An analogy
           is the use of a default statement in a C switch statement.";

        reference
          "draft-ietf-i2nsf-capability-data-model-15:
           I2NSF Capability YANG Data Model - Default Action";
      }

      list rules {
        key "rule-name";
        description
          "This is a rule for network security functions.";

        leaf rule-name {
          type string;
          description
            "The name of the rule.";
        }

        leaf rule-description {
          type string;
          description
            "This description gives more information about
             rules.";
        }

        leaf rule-priority {
          type uint8 {
            range "1..255";
          }
          description
            "The priority keyword comes with a mandatory
             numeric value which can range from 1 to 255.
             Note that a higher number means a higher priority";
        }

        leaf rule-enable {
          type boolean;
          description
            "True is enable.
             False is not enable.";
        }

        leaf session-aging-time {
          type uint16;
          units "second";
          description
            "This is session aging time.";
        }

        container long-connection {
          description
            "This is long-connection";

          leaf enable {
            type boolean;
            description
              "True is enable.
               False is not enable.";
          }

          leaf duration {
            type uint16;
            description
              "This is the duration of the long-connection.";
          }
        }

        container time-intervals {
          description
            "Time intervals when the rules are applied";
          container absolute-time-interval {
            description
              "Rule execution according to the absolute time.
               The absolute time interval means the exact time to
               start or end.";

            leaf start-time {
              type start-time-type;
              default right-away;
              description
                "Start time when the rules are applied";
            }
            leaf end-time {
              type end-time-type;
              default infinitely;
              description
                "End time when the rules are applied";
            }
          }

          container periodic-time-interval {
            description
              "Rule execution according to the periodic time.
               The periodic time interval means the repeated time
               such as a day, week, or month.";

            container day {
              description
                "Rule execution according to day.";
              leaf every-day {
                type boolean;
                default true;
                description
                  "Rule execution every day";
              }

              leaf-list specific-day {
                when "../every-day = 'false'";
                type day-type;
                description
                  "Rule execution according
                   to specific day";
              }
            }

            container month {
              description
                "Rule execution according to month.";
              leaf every-month {
                type boolean;
                default true;
                description
                  "Rule execution every month";
              }

              leaf-list specific-month {
                when "../every-month = 'false'";
                type month-type;
                description
                  "Rule execution according
                   to specific month";
              }
            }
          }
        }

        container event-clause-container {
          description
            "An event is defined as any important
             occurrence in time of a change in the system being
             managed, and/or in the environment of the system being
             managed. When used in the context of policy rules for
             a flow-based NSF, it is used to determine whether the
             Condition clause of the Policy Rule can be evaluated
             or not.
             Examples of an I2NSF event include time and
             user actions (e.g., logon, logoff, and actions that
             violate any ACL).";

          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - I2NSF Flow Security Policy Structure
             draft-ietf-i2nsf-capability-data-model-15:
             I2NSF Capability YANG Data Model - Design Principles and
             ECA Policy Model Overview
             draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF
             NSF Monitoring YANG Data Model - Alarms, Events, Logs,
             and Counters";

          leaf event-clause-description {
            type string;
            description
              "Description for an event clause";
          }

          container event-clauses {
            description
              "System Event Clause - either a system event or
               system alarm";
            reference
              "RFC 8329: Framework for Interface to Network Security
               Functions - I2NSF Flow Security Policy Structure
               draft-ietf-i2nsf-capability-data-model-15:
               I2NSF Capability YANG Data Model - Design Principles and
               ECA Policy Model Overview
               draft-ietf-i2nsf-nsf-monitoring-data-model-04: I2NSF
               NSF Monitoring YANG Data Model - Alarms, Events, Logs,
               and Counters";

            leaf-list system-event {
              type identityref {
                base system-event;
              }
              description
                "The security policy rule according to
                 system events.";
            }

            leaf-list system-alarm {
              type identityref {
                base system-alarm;
              }
              description
                "The security policy rule according to
                 system alarms.";
            }
          }
        }

        container condition-clause-container {
          description
            "A condition is defined as a set
             of attributes, features, and/or values that are to be
             compared with a set of known attributes, features,
             and/or values in order to determine whether or not the
             set of Actions in that (imperative) I2NSF Policy Rule
             can be executed.
             Examples of I2NSF Conditions
             include matching attributes of a packet or flow, and
             comparing the internal state of an NSF to a desired
             state.";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - I2NSF Flow Security Policy Structure
             draft-ietf-i2nsf-capability-data-model-15:
             I2NSF Capability YANG Data Model - Design Principles and
             ECA Policy Model Overview";

          leaf condition-clause-description {
            type string;
            description
              "Description for a condition clause.";
          }

          container packet-security-ipv4-condition {
            description
              "The purpose of this container is to represent IPv4
               packet header information to determine if the set
               of policy actions in this ECA policy rule should be
               executed or not.";
            reference
              "RFC 791: Internet Protocol";

            leaf ipv4-description {
              type string;
              description
                "ipv4 condition textual description.";
            }

            container pkt-sec-ipv4-header-length {
              choice match-type {
                description
                  "Security policy IPv4 Header length match -
                   exact match and range match.";
                case exact-match {
                  leaf-list ipv4-header-length {
                    type uint8 {
                      range "5..15";
                    }
                    description
                      "Exact match for an IPv4 header length.";
                  }
                }
                case range-match {
                  list range-ipv4-header-length {
                    key "start-ipv4-header-length
                         end-ipv4-header-length";
                    leaf start-ipv4-header-length {
                      type uint8 {
                        range "5..15";
                      }
                      description
                        "Starting IPv4 header length for a range match.";
                    }

                    leaf end-ipv4-header-length {
                      type uint8 {
                        range "5..15";
                      }
                      description
                        "Ending IPv4 header length for a range match.";
                    }
                    description
                      "Range match for an IPv4 header length.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv4 header length.";
              reference
                "RFC 791: Internet Protocol
                 - Header length";
            }

            leaf-list pkt-sec-ipv4-tos {
              type identityref {
                base type-of-service;
              }
              description
                "The security policy rule according to
                 IPv4 type of service.";
              reference
                "RFC 791: Internet Protocol - Type of service";
            }

            container pkt-sec-ipv4-total-length {
              choice match-type {
                description
                  "Security policy IPv4 total length matching
                   - exact match and range match.";
                case exact-match {
                  leaf-list ipv4-total-length {
                    type uint16;
                    description
                      "Exact match for an IPv4 total length.";
                  }
                }
                case range-match {
                  list range-ipv4-total-length {
                    key "start-ipv4-total-length end-ipv4-total-length";
                    leaf start-ipv4-total-length {
                      type uint16;
                      description
                        "Starting IPv4 total length for a range match.";
                    }
                    leaf end-ipv4-total-length {
                      type uint16;
                      description
                        "Ending IPv4 total length for a range match.";
                    }
                    description
                      "Range match for an IPv4 total length.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv4 total length.";
              reference
                "RFC 791: Internet Protocol - Total length";
            }

            leaf-list pkt-sec-ipv4-id {
              type uint16;
              description
                "The security policy rule according to
                 IPv4 identification.";
              reference
                "RFC 791: Internet Protocol - Identification";
            }

            leaf-list pkt-sec-ipv4-fragment-flags {
              type identityref {
                base fragmentation-flags-type;
              }
              description
                "The security policy rule according to
                 IPv4 fragment flags.";
              reference
                "RFC 791: Internet Protocol - Fragment flags";
            }

            container pkt-sec-ipv4-fragment-offset {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for IPv4 fragment offset, such as exact match
                   and range match.";
                case exact-match {
                  leaf-list ipv4-fragment-offset {
                    type uint16 {
                      range "0..16383";
                    }
                    description
                      "Exact match for an IPv4 fragment offset.";
                  }
                }
                case range-match {
                  list range-ipv4-fragment-offset {
                    key "start-ipv4-fragment-offset
                         end-ipv4-fragment-offset";
                    leaf start-ipv4-fragment-offset {
                      type uint16 {
                        range "0..16383";
                      }
                      description
                        "Starting IPv4 fragment offset for a range match.";
                    }
                    leaf end-ipv4-fragment-offset {
                      type uint16 {
                        range "0..16383";
                      }
                      description
                        "Ending IPv4 fragment offset for a range match.";
                    }
                    description
                      "Range match for an IPv4 fragment offset.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv4 fragment offset.";
              reference
                "RFC 791: Internet Protocol - Fragment offset";
            }

            container pkt-sec-ipv4-ttl {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for IPv4 TTL, such as exact match
                   and range match.";
                case exact-match {
                  leaf-list ipv4-ttl {
                    type uint8;
                    description
                      "Exact match for an IPv4 TTL.";
                  }
                }
                case range-match {
                  list range-ipv4-ttl {
                    key "start-ipv4-ttl end-ipv4-ttl";
                    leaf start-ipv4-ttl {
                      type uint8;
                      description
                        "Starting IPv4 TTL for a range match.";
                    }
                    leaf end-ipv4-ttl {
                      type uint8;
                      description
                        "Ending IPv4 TTL for a range match.";
                    }
                    description
                      "Range match for an IPv4 TTL.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv4 time-to-live (TTL).";
              reference
                "RFC 791: Internet Protocol - Time to live";
            }

            leaf-list pkt-sec-ipv4-protocol {
              type identityref {
                base protocol;
              }
              description
                "The security policy rule according to
                 IPv4 protocol.";
              reference
                "RFC 791: Internet Protocol - Protocol";
            }

            container
                      pkt-sec-ipv4-src {
              uses pkt-sec-ipv4;
              description
                "The security policy rule according to
                 IPv4 source address.";
              reference
                "RFC 791: Internet Protocol - IPv4 Address";
            }

            container pkt-sec-ipv4-dest {
              uses pkt-sec-ipv4;
              description
                "The security policy rule according to
                 IPv4 destination address.";
              reference
                "RFC 791: Internet Protocol - IPv4 Address";
            }

            leaf-list pkt-sec-ipv4-ipopts {
              type identityref {
                base ipopts;
              }
              description
                "The security policy rule according to
                 IPv4 options.";
              reference
                "RFC 791: Internet Protocol - Options";
            }

            leaf pkt-sec-ipv4-same-ip {
              type boolean;
              description
                "Match on packets with the same IPv4 source
                 and IPv4 destination address.";
            }

            leaf-list pkt-sec-ipv4-geo-ip {
              type string;
              description
                "The geo-ip keyword enables you to match on
                 source and destination IP addresses of network
                 traffic and to see to which country it belongs.";
              reference
                "ISO 3166: Codes for the representation of
                 names of countries and their subdivisions";
            }
          }

          container packet-security-ipv6-condition {
            description
              "The purpose of this container is to represent
               IPv6 packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 8200: Internet Protocol, Version 6 (IPv6)
               Specification";

            leaf ipv6-description {
              type string;
              description
                "This is the description of the IPv6 condition.";
            }

            leaf-list pkt-sec-ipv6-traffic-class {
              type identityref {
                base traffic-class;
              }
              description
                "The security policy rule according to
                 IPv6 traffic class.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - Traffic class";
            }

            container pkt-sec-ipv6-flow-label {
              choice
                     match-type {
                description
                  "There are two types to configure a security
                   policy for IPv6 flow label, such as exact match
                   and range match.";
                case exact-match {
                  leaf-list ipv6-flow-label {
                    type uint32 {
                      range "0..1048575";
                    }
                    description
                      "Exact match for an IPv6 flow label.";
                  }
                }
                case range-match {
                  list range-ipv6-flow-label {
                    key "start-ipv6-flow-label end-ipv6-flow-label";
                    leaf start-ipv6-flow-label {
                      type uint32 {
                        range "0..1048575";
                      }
                      description
                        "Starting IPv6 flow label for a range match.";
                    }
                    leaf end-ipv6-flow-label {
                      type uint32 {
                        range "0..1048575";
                      }
                      description
                        "Ending IPv6 flow label for a range match.";
                    }
                    description
                      "Range match for an IPv6 flow label.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv6 flow label.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - Flow label";
            }

            container pkt-sec-ipv6-payload-length {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for IPv6 payload length, such as
                   exact match and range match.";
                case exact-match {
                  leaf-list ipv6-payload-length {
                    type uint16;
                    description
                      "Exact match for an IPv6 payload length.";
                  }
                }
                case range-match {
                  list range-ipv6-payload-length {
                    key "start-ipv6-payload-length
                         end-ipv6-payload-length";
                    leaf start-ipv6-payload-length {
                      type uint16;
                      description
                        "Starting IPv6 payload length for a range match.";
                    }
                    leaf end-ipv6-payload-length {
                      type uint16;
                      description
                        "Ending IPv6 payload length for a range match.";
                    }
                    description
                      "Range match for an IPv6 payload length.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv6 payload length.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - Payload length";
            }

            leaf-list pkt-sec-ipv6-next-header {
              type identityref {
                base next-header;
              }
              description
                "The security policy rule according to
                 IPv6 next header.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - Next header";
            }

            container pkt-sec-ipv6-hop-limit {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for IPv6 hop limit, such as exact match
                   and range match.";
                case exact-match {
                  leaf-list ipv6-hop-limit {
                    type uint8;
                    description
                      "Exact match for an IPv6 hop limit.";
                  }
                }
                case range-match {
                  list range-ipv6-hop-limit {
                    key "start-ipv6-hop-limit end-ipv6-hop-limit";
                    leaf start-ipv6-hop-limit {
                      type uint8;
                      description
                        "Starting IPv6 hop limit for a range match.";
                    }
                    leaf end-ipv6-hop-limit {
                      type uint8;
                      description
                        "Ending IPv6 hop limit for a range match.";
                    }
                    description
                      "Range match for an IPv6 hop limit.";
                  }
                }
              }
              description
                "The security policy rule according to
                 IPv6 hop limit.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - Hop limit";
            }

            container pkt-sec-ipv6-src {
              uses pkt-sec-ipv6;
              description
                "The security policy rule according to
                 IPv6 source address.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - IPv6 address";
            }

            container pkt-sec-ipv6-dest {
              uses pkt-sec-ipv6;
              description
                "The security policy rule according to
                 IPv6 destination address.";
              reference
                "RFC 8200: Internet Protocol, Version 6 (IPv6)
                 Specification - IPv6 address";
            }
          }

          container packet-security-tcp-condition {
            description
              "The purpose of this
               container is to represent
               TCP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 793: Transmission Control Protocol";

            leaf tcp-description {
              type string;
              description
                "This is the description of the TCP condition.";
            }

            container pkt-sec-tcp-src-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 tcp source port number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Port number";
            }

            container pkt-sec-tcp-dest-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 tcp destination port number.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Port number";
            }

            leaf-list pkt-sec-tcp-flags {
              type identityref {
                base tcp-flags;
              }
              description
                "The security policy rule according to
                 tcp flags.";
              reference
                "RFC 793: Transmission Control Protocol
                 - Flags";
            }
          }

          container packet-security-udp-condition {
            description
              "The purpose of this container is to represent
               UDP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            reference
              "RFC 768: User Datagram Protocol";

            leaf udp-description {
              type string;
              description
                "This is the description of the UDP condition.";
            }

            container pkt-sec-udp-src-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 udp source port number.";
              reference
                "RFC 768: User Datagram Protocol
                 - Port number";
            }

            container pkt-sec-udp-dest-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 udp destination port number.";
              reference
                "RFC 768: User
                 Datagram Protocol
                 - Port number";
            }

            container pkt-sec-udp-total-length {
              choice match-type {
                description
                  "There are two types to configure a security
                   policy for udp total length,
                   such as exact match and range match.";
                case exact-match {
                  leaf-list udp-total-length {
                    // The UDP Length header field is 16 bits wide
                    // (RFC 768), so uint16 covers its full range.
                    type uint16;
                    description
                      "Exact match for a udp total length.";
                  }
                }
                case range-match {
                  list range-udp-total-length {
                    key "start-udp-total-length end-udp-total-length";
                    leaf start-udp-total-length {
                      type uint16;
                      description
                        "Starting udp total length for a range match.";
                    }
                    leaf end-udp-total-length {
                      type uint16;
                      description
                        "Ending udp total length for a range match.";
                    }
                    description
                      "Range match for a udp total length.";
                  }
                }
              }
              description
                "The security policy rule according to
                 udp total length.";
              reference
                "RFC 768: User Datagram Protocol
                 - Total Length";
            }
          }

          container packet-security-sctp-condition {
            description
              "The purpose of this container is to represent
               SCTP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            leaf sctp-description {
              type string;
              description
                "This is the description of the SCTP condition.";
            }

            container pkt-sec-sctp-src-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 sctp source port number.";
              reference
                "RFC 4960: Stream Control Transmission Protocol
                 - Port number";
            }

            container pkt-sec-sctp-dest-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 sctp destination port number.";
              reference
                "RFC 4960: Stream Control Transmission Protocol
                 - Port number";
            }

            leaf-list pkt-sec-sctp-verification-tag {
              type uint32;
              description
                "The security policy rule according to
                 sctp verification tag.";
              reference
                "RFC 4960: Stream Control Transmission Protocol
                 - Verification Tag";
            }

            leaf-list pkt-sec-sctp-chunk-type {
              type uint8;
              description
                "The security policy rule according to
                 sctp chunk type ID Value.";
              reference
                "RFC 4960: Stream Control Transmission Protocol
                 - Chunk Type";
            }
          }

          container packet-security-dccp-condition {
            description
              "The purpose of this container is to represent
               DCCP packet header information to determine
               if the set of policy actions in this ECA policy
               rule should be executed or not.";
            leaf dccp-description {
              type string;
              description
                "This is the description of the DCCP condition.";
            }

            container pkt-sec-dccp-src-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 dccp source port number.";
              reference
                "RFC 4340: Datagram Congestion Control Protocol (DCCP)
                 - Port number";
            }

            container pkt-sec-dccp-dest-port-num {
              uses pkt-sec-port-number;
              description
                "The security policy rule according to
                 dccp destination port number.";
              reference
                "RFC 4340: Datagram Congestion Control Protocol (DCCP)
                 - Port number";
            }

            leaf-list pkt-sec-dccp-service-code {
              type uint32;
              description
                "The security policy rule according to
                 dccp service code.";
              reference
                "RFC 4340: Datagram Congestion Control Protocol (DCCP)
                 - Service Codes
                 RFC 5595: The Datagram Congestion Control Protocol (DCCP)
                 Service Codes
                 RFC 6335: Internet Assigned Numbers Authority (IANA)
                 Procedures for the Management of the Service Name and
                 Transport Protocol Port Number Registry - Service Code";
            }
          }

          container packet-security-icmp-condition {
            description
              "The purpose of this container is
to represent 3511 ICMP packet header information to determine 3512 if the set of policy actions in this ECA policy 3513 rule should be executed or not."; 3514 reference 3515 "RFC 792: Internet Control Message Protocol 3516 RFC 8335: PROBE: A Utility for Probing Interfaces"; 3518 leaf icmp-description { 3519 type string; 3520 description 3521 "This is description for icmp condition."; 3522 } 3524 leaf-list pkt-sec-icmp-type-and-code { 3525 type identityref { 3526 base icmp-type; 3527 } 3528 description 3529 "The security policy rule according to 3530 ICMP parameters."; 3531 reference 3532 "RFC 792: Internet Control Message Protocol 3533 RFC 8335: PROBE: A Utility for Probing Interfaces"; 3534 } 3535 } 3537 container packet-security-url-category-condition { 3538 description 3539 "Condition for url category"; 3541 leaf url-category-description { 3542 type string; 3543 description 3544 "This is description for the condition of a URL's 3545 category such as SNS sites, game sites, ecommerce 3546 sites, company sites, and university sites."; 3547 } 3549 leaf-list pre-defined-category { 3550 type string; 3551 description 3552 "This is pre-defined-category."; 3553 } 3554 leaf-list user-defined-category { 3555 type string; 3556 description 3557 "This user-defined-category."; 3558 } 3559 } 3561 container packet-security-voice-condition { 3562 description 3563 "For the VoIP/VoLTE security system, a VoIP/ 3564 VoLTE security system can monitor each 3565 VoIP/VoLTE flow and manage VoIP/VoLTE 3566 security rules controlled by a centralized 3567 server for VoIP/VoLTE security service 3568 (called VoIP IPS). 
The VoIP/VoLTE security 3569 system controls each switch for the 3570 VoIP/VoLTE call flow management by 3571 manipulating the rules that can be added, 3572 deleted, or modified dynamically."; 3573 reference 3574 "RFC 3261: SIP: Session Initiation Protocol"; 3576 leaf voice-description { 3577 type string; 3578 description 3579 "This is description for voice condition."; 3580 } 3582 leaf-list pkt-sec-src-voice-id { 3583 type string; 3584 description 3585 "The security policy rule according to 3586 a source voice ID for VoIP and VoLTE."; 3587 } 3588 leaf-list pkt-sec-dest-voice-id { 3589 type string; 3590 description 3591 "The security policy rule according to 3592 a destination voice ID for VoIP and VoLTE."; 3593 } 3595 leaf-list pkt-sec-user-agent { 3596 type string; 3597 description 3598 "The security policy rule according to 3599 an user agent for VoIP and VoLTE."; 3600 } 3601 } 3603 container packet-security-ddos-condition { 3604 description 3605 "Condition for DDoS attack."; 3607 leaf ddos-description { 3608 type string; 3609 description 3610 "This is description for ddos condition."; 3611 } 3613 leaf pkt-sec-alert-packet-rate { 3614 type uint32; 3615 units "pps"; 3616 description 3617 "The alert rate of flood detection for 3618 packets per second (PPS) of an IP address."; 3619 } 3621 leaf pkt-sec-alert-flow-rate { 3622 type uint32; 3623 description 3624 "The alert rate of flood detection for 3625 flows per second of an IP address."; 3626 } 3628 leaf pkt-sec-alert-byte-rate { 3629 type uint32; 3630 units "BPS"; 3631 description 3632 "The alert rate of flood detection for 3633 bytes per second of an IP address."; 3634 } 3635 } 3636 container packet-security-payload-condition { 3637 description 3638 "Condition for packet payload"; 3639 leaf packet-payload-description { 3640 type string; 3641 description 3642 "This is description for payload condition."; 3643 } 3644 leaf-list pkt-payload-content { 3645 type string; 3646 description 3647 "This is a condition for 
packet payload content."; 3648 } 3649 } 3651 container context-condition { 3652 description 3653 "Condition for context"; 3654 leaf context-description { 3655 type string; 3656 description 3657 "This is description for context condition."; 3658 } 3660 container application-condition { 3661 description 3662 "Condition for application"; 3663 leaf application-description { 3664 type string; 3665 description 3666 "This is description for application condition."; 3667 } 3668 leaf-list application-object { 3669 type string; 3670 description 3671 "This is application object."; 3672 } 3673 leaf-list application-group { 3674 type string; 3675 description 3676 "This is application group."; 3677 } 3678 leaf-list application-label { 3679 type string; 3680 description 3681 "This is application label."; 3682 } 3683 container category { 3684 description 3685 "This is application category"; 3686 list application-category { 3687 key "name application-subcategory"; 3688 description 3689 "This is application category list"; 3691 leaf name { 3692 type string; 3693 description 3694 "This is name for application category."; 3695 } 3696 leaf application-subcategory { 3697 type string; 3698 description 3699 "This is application subcategory."; 3700 } 3701 } 3702 } 3703 } 3705 container target-condition { 3706 description 3707 "Condition for target"; 3708 leaf target-description { 3709 type string; 3710 description 3711 "This is description for target condition. 
3712 Vendors can write instructions for target condition 3713 that vendor made"; 3714 } 3716 container device-sec-context-cond { 3717 description 3718 "The device attribute that can identify a device, 3719 including the device type (i.e., router, switch, 3720 pc, ios, or android) and the device's owner as 3721 well."; 3723 leaf-list target-device { 3724 type identityref { 3725 base target-device; 3726 } 3727 description 3728 "Leaf list for target devices"; 3729 } 3730 } 3731 } 3732 container users-condition { 3733 description 3734 "Condition for users"; 3735 leaf users-description { 3736 type string; 3737 description 3738 "This is the description for users' condition."; 3739 } 3740 list user{ 3741 key "user-id"; 3742 description 3743 "The user (or user group) information with which 3744 network flow is associated: The user has many 3745 attributes such as name, id, password, type, 3746 authentication mode and so on. 3747 id is often used in the security policy to 3748 identify the user. 3749 Besides, an NSF is aware of the IP address of the 3750 user provided by a unified user management system 3751 via network. Based on name-address association, 3752 an NSF is able to enforce the security functions 3753 over the given user (or user group)"; 3755 leaf user-id { 3756 type uint32; 3757 description 3758 "The ID of the user."; 3759 } 3760 leaf user-name { 3761 type string; 3762 description 3763 "The name of the user."; 3764 } 3765 } 3766 list group { 3767 key "group-id"; 3768 description 3769 "The user (or user group) information with which 3770 network flow is associated: The user has many 3771 attributes such as name, id, password, type, 3772 authentication mode and so on. 3773 id is often used in the security policy to 3774 identify the user. 3775 Besides, an NSF is aware of the IP address of the 3776 user provided by a unified user management system 3777 via network. 
Based on name-address association, 3778 an NSF is able to enforce the security functions 3779 over the given user (or user group)"; 3781 leaf group-id { 3782 type uint32; 3783 description 3784 "The ID of the group."; 3785 } 3786 leaf group-name { 3787 type string; 3788 description 3789 "The name of the group."; 3790 } 3791 } 3793 leaf security-group { 3794 type string; 3795 description 3796 "security-group."; 3797 } 3798 } 3800 container geography-context-condition { 3801 description 3802 "Condition for generic context"; 3803 leaf geography-context-description { 3804 type string; 3805 description 3806 "This is description for generic context condition. 3807 Vendors can write instructions for generic context 3808 condition that vendor made"; 3809 } 3811 container geography-location { 3812 description 3813 "The location which network traffic flow is associated 3814 with. The region can be the geographical location 3815 such as country, province, and city, 3816 as well as the logical network location such as 3817 IP address, network section, and network domain."; 3819 leaf-list src-geography-location { 3820 type string; 3821 description 3822 "The src-geography-location is a geographical 3823 location mapped into an IP address. It matches the 3824 mapped IP address to the source IP address of the 3825 traffic flow."; 3826 reference 3827 "ISO 3166: Codes for the representation of 3828 names of countries and their subdivisions"; 3830 } 3832 leaf-list dest-geography-location { 3833 type string; 3834 description 3835 "The dest-geography-location is a geographical 3836 location mapped into an IP address. 
It matches the 3837 mapped IP address to the destination IP address of 3838 the traffic flow."; 3839 reference 3840 "ISO 3166: Codes for the representation of 3841 names of countries and their subdivisions"; 3842 } 3843 } 3844 } 3845 } 3846 } 3848 container action-clause-container { 3849 description 3850 "An action is used to control and monitor aspects of 3851 flow-based NSFs when the event and condition clauses 3852 are satisfied. NSFs provide security functions by 3853 executing various Actions. Examples of I2NSF Actions 3854 include providing intrusion detection and/or protection, 3855 web and flow filtering, and deep packet inspection 3856 for packets and flows."; 3857 reference 3858 "RFC 8329: Framework for Interface to Network Security 3859 Functions - I2NSF Flow Security Policy Structure 3860 draft-ietf-i2nsf-capability-data-model-15: 3861 I2NSF Capability YANG Data Model - Design Principles and 3862 ECA Policy Model Overview"; 3864 leaf action-clause-description { 3865 type string; 3866 description 3867 "Description for an action clause."; 3868 } 3870 container packet-action { 3871 description 3872 "Action for packets"; 3873 reference 3874 "RFC 8329: Framework for Interface to Network Security 3875 Functions - I2NSF Flow Security Policy Structure 3876 draft-ietf-i2nsf-capability-data-model-15: 3877 I2NSF Capability YANG Data Model - Design Principles and 3878 ECA Policy Model Overview"; 3880 leaf ingress-action { 3881 type identityref { 3882 base ingress-action; 3883 } 3884 description 3885 "Action: pass, drop, reject, alert, and mirror."; 3886 } 3888 leaf egress-action { 3889 type identityref { 3890 base egress-action; 3891 } 3892 description 3893 "Egress action: pass, drop, reject, alert, mirror, 3894 invoke-signaling, tunnel-encapsulation, 3895 forwarding, and redirection."; 3896 } 3898 leaf log-action { 3899 type identityref { 3900 base log-action; 3901 } 3902 description 3903 "Log action: rule log and session log"; 3904 } 3906 } 3908 container 
flow-action { 3909 description 3910 "Action for flows"; 3911 reference 3912 "RFC 8329: Framework for Interface to Network Security 3913 Functions - I2NSF Flow Security Policy Structure 3914 draft-ietf-i2nsf-capability-data-model-15: 3915 I2NSF Capability YANG Data Model - Design Principles and 3916 ECA Policy Model Overview"; 3918 leaf ingress-action { 3919 type identityref { 3920 base ingress-action; 3921 } 3922 description 3923 "Action: pass, drop, reject, alert, and mirror."; 3924 } 3925 leaf egress-action { 3926 type identityref { 3927 base egress-action; 3928 } 3929 description 3930 "Egress action: pass, drop, reject, alert, mirror, 3931 invoke-signaling, tunnel-encapsulation, 3932 forwarding, and redirection."; 3933 } 3935 leaf log-action { 3936 type identityref { 3937 base log-action; 3938 } 3939 description 3940 "Log action: rule log and session log"; 3941 } 3943 } 3945 container advanced-action { 3946 description 3947 "If the packet needs to be additionally inspected, 3948 the packet is passed to advanced network 3949 security functions according to the profile. 3950 The profile means the types of NSFs where the packet 3951 will be forwarded in order to additionally 3952 inspect the packet."; 3953 reference 3954 "RFC 8329: Framework for Interface to Network Security 3955 Functions - Differences from ACL Data Models"; 3957 leaf-list content-security-control { 3958 type identityref { 3959 base content-security-control; 3960 } 3961 description 3962 "Content-security-control is the NSFs that 3963 inspect the payload of the packet. 3964 The Profile is divided into content security 3965 control and attack-mitigation-control. 
3966 Content security control: antivirus, ips, ids, 3967 url filtering, mail filtering, file blocking, 3968 file isolate, packet capture, application control, 3969 voip and volte."; 3970 } 3972 leaf-list attack-mitigation-control { 3973 type identityref { 3974 base attack-mitigation-control; 3975 } 3976 description 3977 "Attack-mitigation-control is the NSFs that weaken 3978 the attacks related to a denial of service 3979 and reconnaissance. 3980 The Profile is divided into content security 3981 control and attack-mitigation-control. 3982 Attack mitigation control: syn flood, udp flood, 3983 icmp flood, ip frag flood, ipv6 related, http flood, 3984 https flood, dns flood, dns amp flood, ssl ddos, 3985 ip sweep, port scanning, ping of death, teardrop, 3986 oversized icmp, tracert."; 3987 } 3988 } 3989 } 3990 } 3991 container rule-group { 3992 description 3993 "This is rule group"; 3995 list groups { 3996 key "group-name"; 3997 description 3998 "This is a group for rules"; 4000 leaf group-name { 4001 type string; 4002 description 4003 "This is a group for rules"; 4004 } 4006 container rule-range { 4007 description 4008 "This is a rule range."; 4010 leaf start-rule { 4011 type string; 4012 description 4013 "This is a start rule"; 4014 } 4015 leaf end-rule { 4016 type string; 4017 description 4018 "This is a end rule"; 4019 } 4020 } 4021 leaf enable { 4022 type boolean; 4023 description 4024 "This is enable 4025 False is not enable."; 4026 } 4027 leaf description { 4028 type string; 4029 description 4030 "This is a description for rule-group"; 4031 } 4032 } 4033 } 4034 } 4035 } 4036 } 4037 4039 Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface 4041 5. XML Configuration Examples of Low-Level Security Policy Rules 4043 This section shows XML configuration examples of low-level security 4044 policy rules that are delivered from the Security Controller to NSFs 4045 over the NSF-Facing Interface. 
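One condition in Figure 5 that an NSF cannot evaluate from the policy alone is the geography-context-condition: its leaf-lists carry ISO 3166 codes, and the NSF has to map those codes to address space itself before it can compare them with a packet's source and destination. The Python below is an added example, not code from this draft or from any I2NSF implementation. It assumes a constructed prefix table (GEO_FEED, built from the RFC 5737 and RFC 3849 documentation prefixes, not real geolocation data) and represents a condition instance as a dict keyed by the draft's own leaf-list names src-geography-location and dest-geography-location.

```python
"""Evaluating geography-context-condition (Figure 5) against a packet.

Added example; not part of the I2NSF draft. GEO_FEED is a constructed
ISO 3166 code -> prefix table for illustration only.
"""
import ipaddress

# Constructed mapping of ISO 3166-1 alpha-2 codes to address prefixes
# (documentation ranges from RFC 5737 / RFC 3849; not real geolocation data).
GEO_FEED = {
    "KR": ["192.0.2.0/25", "2001:db8:0:1::/64"],
    "US": ["192.0.2.128/25", "198.51.100.0/24"],
    "CN": ["203.0.113.0/24", "2001:db8:0:2::/64"],
}


def build_geo_index(feed):
    """Flatten the feed into (network, country) pairs, most specific prefix
    first, so that a longer prefix wins when prefixes overlap."""
    index = []
    for country, prefixes in feed.items():
        for prefix in prefixes:
            index.append((ipaddress.ip_network(prefix), country.upper()))
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def country_of(ip, index):
    """Return the ISO 3166 code covering ip, or None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, country in index:
        if addr.version == net.version and addr in net:
            return country
    return None


def geography_condition_matches(condition, src_ip, dst_ip, index):
    """Evaluate one geography-context-condition instance.

    condition mirrors the draft's node names:
      {"src-geography-location": [codes], "dest-geography-location": [codes]}
    An absent or empty leaf-list places no constraint on that side.
    An address that resolves to no country never matches a listed code,
    so the result for unmapped space is always "does not match" and the
    operator must decide whether the surrounding rule treats that as
    permit or deny (the model itself does not say)."""
    src_codes = [c.upper() for c in condition.get("src-geography-location", [])]
    dst_codes = [c.upper() for c in condition.get("dest-geography-location", [])]
    if src_codes and country_of(src_ip, index) not in src_codes:
        return False
    if dst_codes and country_of(dst_ip, index) not in dst_codes:
        return False
    return True


if __name__ == "__main__":
    idx = build_geo_index(GEO_FEED)
    cond = {"src-geography-location": ["CN"], "dest-geography-location": ["KR"]}
    print(geography_condition_matches(cond, "203.0.113.7", "192.0.2.11", idx))
```

The reference to ISO 3166 in the module fixes only the vocabulary of the codes; the code-to-prefix table, its freshness, and the handling of addresses it does not cover are all left to the NSF, and an attacker who knows the table is stale can pick source addresses that fall outside it.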
For security requirements, we assume 4046 that the NSFs (i.e., General firewall, Time-based firewall, URL 4047 filter, VoIP/VoLTE filter, and http and https flood mitigation ) 4048 described in Section Configuration Examples of 4049 [I-D.ietf-i2nsf-capability-data-model] are registered in the I2NSF 4050 framework. With the registered NSFs, we show configuration examples 4051 for security policy rules of network security functions according to 4052 the following three security requirements: (i) Block Social 4053 Networking Service (SNS) access during business hours, (ii) Block 4054 malicious VoIP/VoLTE packets coming to the company, and (iii) 4055 Mitigate http and https flood attacks on company web server. 4057 5.1. Security Requirement 1: Block Social Networking Service (SNS) 4058 Access during Business Hours 4060 This section shows a configuration example for blocking SNS access 4061 during business hours in IPv4 networks or IPv6 networks. 4063 4065 4066 sns_access 4067 4068 block_sns_access_during_operation_time 4069 4070 4071 09:00:00Z 4072 18:00:00Z 4073 4074 4075 4076 4077 4078 4079 192.0.2.11 4080 192.0.2.90 4081 4082 4083 4084 4085 4086 4087 url-filtering 4088 4089 4090 4091 4092 4094 Figure 6: Configuration XML for Time-based Firewall to Block SNS 4095 Access during Business Hours in IPv4 Networks 4097 4099 4100 sns_access 4101 4102 block_sns_access_during_operation_time 4103 4104 4105 09:00:00Z 4106 18:00:00Z 4107 4108 4109 4110 4111 4112 4113 2001:DB8:0:1::11 4114 2001:DB8:0:1::90 4115 4116 4117 4118 4119 4120 4121 url-filtering 4122 4123 4124 4125 4126 4128 Figure 7: Configuration XML for Time-based Firewall to Block SNS 4129 Access during Business Hours in IPv6 Networks 4131 4133 4134 sns_access 4135 4136 block_sns_access_during_operation_time 4137 4138 4139 09:00:00Z 4140 18:00:00Z 4141 4142 4143 4144 4145 SNS_1 4146 SNS_2 4147 4148 4149 4150 4151 drop 4152 4153 4154 4155 4156 4158 Figure 8: Configuration XML for Web Filter to Block SNS Access during 
4159 Business Hours 4161 Figure 6 (or Figure 7) and Figure 8 show the configuration XML 4162 documents for the time-based firewall and the web filter to block SNS access 4163 during business hours in IPv4 networks (or IPv6 networks). For this 4164 security requirement, two NSFs (i.e., a time-based firewall and a web 4165 filter) are used because one NSF alone cannot meet it: the firewall can match 4166 time and addresses but cannot inspect URLs. The instances of XML documents for the time-based 4167 firewall and the web filter are as follows. Note that a detailed data 4168 model for the configuration of the advanced network security function 4169 (i.e., web filter) can be defined as an extension in the future. 4171 Time-based Firewall is as follows: 4173 1. The name of the system policy is sns_access. 4175 2. The name of the rule is block_sns_access_during_operation_time. 4177 3. The rule is operated during the business hours (i.e., from 9 a.m. 4178 to 6 p.m.). The figures express this window as 09:00:00Z to 18:00:00Z, i.e., in UTC, so a deployment must convert its local business hours before configuring the rule. 4180 4. The rule inspects the source IPv4 address (i.e., from 192.0.2.11 to 4181 192.0.2.90) to inspect the outgoing packets of employees. For 4182 IPv6 networks, the rule inspects the source IPv6 4183 address (i.e., from 2001:DB8:0:1::11 to 2001:DB8:0:1::90) instead. 4186 5. If the outgoing packets match the rule above, the time-based 4187 firewall sends the packets to url filtering for additional 4188 inspection because the time-based firewall cannot inspect the 4189 contents of the packets for the SNS URL. 4191 Web Filter is as follows: 4193 1. The name of the system policy is sns_access. 4195 2. The name of the rule is block_sns_access_during_operation_time, and it carries the same business-hours condition as the firewall rule (Figure 8). 4197 3. The rule inspects the URL to block the access packets to 4198 SNS_1 or SNS_2. 4200 4. If the outgoing packets match the rule above, the packets are 4201 dropped. 4203 5.2.
Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming 4204 to a Company 4206 This section shows a configuration example for blocking malicious 4207 VoIP/VoLTE packets coming to a company. 4209 4211 4212 voip_volte_inspection 4213 4214 block_malicious_voice_id 4215 4216 4217 4218 4219 192.0.2.11 4220 192.0.2.90 4221 4222 4223 4224 4225 4226 5060 4227 5061 4228 4229 4230 4231 4232 4233 voip-volte 4234 4235 4236 4237 4238 4240 Figure 9: Configuration XML for General Firewall to Block Malicious 4241 VoIP/VoLTE Packets Coming to a Company 4243 4245 4246 voip_volte_inspection 4247 4248 block_malicious_voice_id 4249 4250 4251 user1@voip.malicious.example.com 4252 user2@voip.malicious.example.com 4253 4254 4255 4256 4257 drop 4258 4259 4260 4261 4262 4264 Figure 10: Configuration XML for VoIP/VoLTE Filter to Block Malicious 4265 VoIP/VoLTE Packets Coming to a Company 4267 Figure 9 and Figure 10 show the configuration XML documents for 4268 the general firewall and the VoIP/VoLTE filter to block malicious VoIP/VoLTE 4269 packets coming to a company. For this security requirement, two NSFs 4270 (i.e., a general firewall and a VoIP/VoLTE filter) are used because 4271 one NSF alone cannot meet it. The instances of XML 4272 documents for the general firewall and the VoIP/VoLTE filter are as 4273 follows. Note that a detailed data model for the configuration of the 4274 advanced network security function (i.e., VoIP/VoLTE filter) can be 4275 defined as an extension in the future. 4277 General Firewall is as follows: 4279 1. The name of the system policy is voip_volte_inspection. 4281 2. The name of the rule is block_malicious_voice_id. 4283 3. The rule inspects the destination IPv4 address (i.e., from 4284 192.0.2.11 to 192.0.2.90) to inspect the packets coming into the 4285 company. 4287 4. The rule inspects the port number (i.e., 5060 and 5061, the default 4288 SIP and SIP-over-TLS ports of RFC 3261) to select VoIP/VoLTE signaling packets. 4290 5.
If the incoming packets match the rule above, the general 4291 firewall sends the packets to the VoIP/VoLTE filter for additional 4292 inspection because the general firewall cannot inspect the contents 4293 of the VoIP/VoLTE packets. 4295 VoIP/VoLTE Filter is as follows: 4297 1. The name of the system policy is voip_volte_inspection. 4299 2. The name of the rule is block_malicious_voice_id. 4301 3. The rule inspects the voice ID of the VoIP/VoLTE packets to block 4302 the malicious VoIP/VoLTE packets (i.e., those carrying 4303 user1@voip.malicious.example.com or 4304 user2@voip.malicious.example.com). 4306 4. If the incoming packets match the rule above, the packets are 4307 dropped. 4309 5.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a 4310 Company Web Server 4312 This section shows a configuration example for mitigating http and 4313 https flood attacks on a company web server. 4315 4317 4318 flood_attack_mitigation 4319 4320 mitigate_http_and_https_flood_attack 4321 4322 4323 4324 4325 192.0.2.11 4326 4327 4328 4329 4330 4331 80 4332 443 4333 4334 4335 4336 4337 4338 http-and-https-flood 4339 4340 4341 4342 4343 4344 4346 Figure 11: Configuration XML for General Firewall to Mitigate HTTP 4347 and HTTPS Flood Attacks on a Company Web Server 4349 4351 4352 flood_attack_mitigation 4353 4354 mitigate_http_and_https_flood_attack 4355 4356 4357 100 4358 4359 4360 4361 4362 drop 4363 4364 4365 4366 4367 4369 Figure 12: Configuration XML for HTTP and HTTPS Flood Attack 4370 Mitigation to Mitigate HTTP and HTTPS Flood Attacks on a Company Web 4371 Server 4373 Figure 11 and Figure 12 show the configuration XML documents for 4374 the general firewall and the http and https flood attack mitigation to 4375 mitigate http and https flood attacks on a company web server. For 4376 this security requirement, two NSFs (i.e., a general firewall and an 4377 http and https flood attack mitigation) are used because one NSF alone 4378 cannot meet it.
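The two rules of Figures 11 and 12 only work as a chain: the firewall classifies but cannot count, and the mitigator counts only what the firewall forwards. The Python below is an added example, not code from this draft or from any I2NSF implementation, that runs that chain over constructed packet records. Its assumptions are marked in the code: the firewall's packet condition is reduced to the two keys "dest-ip" and "dest-ports" (the draft's packet-security condition nodes for addresses and ports are outside this excerpt); the "100" in Figure 12 is read as pkt-sec-alert-packet-rate, i.e., 100 pps; rates are measured per source address over fixed one-second windows; and the action fires only when an alert rate is exceeded. The function names and the traffic are the example's own.

```python
"""Two-NSF enforcement chain for Security Requirement 3 (Figures 11 and 12).

Added example; not code from the I2NSF draft or any I2NSF implementation.
Assumptions are marked in comments; packet records are constructed.
"""
from collections import defaultdict

# General firewall rule (Figure 11): classify only, then hand off.
FIREWALL_RULE = {
    "rule-name": "mitigate_http_and_https_flood_attack",
    "dest-ip": "192.0.2.11",     # assumed key standing in for the address condition
    "dest-ports": {80, 443},     # assumed key standing in for the port condition
    "advanced-action": {"attack-mitigation-control": ["http-and-https-flood"]},
}

# Flood-mitigation NSF rule (Figure 12), using the draft's node names;
# the "100" of Figure 12 is assumed to be the packet rate, in pps.
MITIGATION_RULE = {
    "rule-name": "mitigate_http_and_https_flood_attack",
    "packet-security-ddos-condition": {"pkt-sec-alert-packet-rate": 100},
    "packet-action": {"ingress-action": "drop"},
}


def firewall_forward(rule, packet):
    """Return the attack-mitigation profile this packet is handed to, or None.

    A stateless match on address and port cannot count packets, which is
    why the draft needs a second NSF to evaluate the rate condition."""
    if packet["dst"] != rule["dest-ip"] or packet["dport"] not in rule["dest-ports"]:
        return None
    profiles = rule["advanced-action"].get("attack-mitigation-control", [])
    return profiles[0] if profiles else None


def mitigate(rule, packets):
    """Evaluate packet-security-ddos-condition per source address and per
    fixed one-second window (assumption). Returns {src: ingress-action} for
    every source whose packets/s, flows/s or bytes/s exceeded a configured
    alert rate; a source exactly at the rate is not hit (strict comparison)."""
    cond = rule["packet-security-ddos-condition"]
    action = rule["packet-action"]["ingress-action"]
    window = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": set()})
    for p in packets:
        w = window[(p["src"], int(p["ts"]))]   # bucket = (source, whole second)
        w["packets"] += 1
        w["bytes"] += p.get("len", 0)
        w["flows"].add((p["dst"], p["dport"], p.get("sport")))
    measures = {
        "pkt-sec-alert-packet-rate": lambda w: w["packets"],
        "pkt-sec-alert-flow-rate": lambda w: len(w["flows"]),
        "pkt-sec-alert-byte-rate": lambda w: w["bytes"],
    }
    verdict = {}
    for (src, _sec), w in window.items():
        if any(leaf in cond and measure(w) > cond[leaf]
               for leaf, measure in measures.items()):
            verdict[src] = action
    return verdict


def run_chain(packets):
    """Firewall first; the mitigation NSF sees only what was forwarded."""
    forwarded = [p for p in packets
                 if firewall_forward(FIREWALL_RULE, p) == "http-and-https-flood"]
    return mitigate(MITIGATION_RULE, forwarded)


def sample_traffic():
    """Constructed packets: a 300 pps HTTP flood, a 20 pps normal HTTPS
    client, and 500 pps of SSH that the firewall must not forward."""
    pk = []
    pk += [{"src": "198.51.100.9", "dst": "192.0.2.11", "dport": 80, "ts": i / 300}
           for i in range(300)]
    pk += [{"src": "203.0.113.5", "dst": "192.0.2.11", "dport": 443, "ts": i / 20}
           for i in range(20)]
    pk += [{"src": "203.0.113.7", "dst": "192.0.2.11", "dport": 22, "ts": i / 500}
           for i in range(500)]
    return pk


if __name__ == "__main__":
    print(run_chain(sample_traffic()))   # {'198.51.100.9': 'drop'}
```

Two choices the figures leave to the implementer are visible here: the measurement window (fixed one-second buckets; a sliding window would also catch a burst that straddles a second boundary) and whether a source exactly at the alert rate is acted on (not here). The 500 pps SSH traffic never reaches the mitigator because Figure 11 forwards only packets to ports 80 and 443, so a flood against another port needs its own rule pair.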
The instances of XML documents 4379 for the general firewall and the http and https flood attack mitigation 4380 are as follows. Note that a detailed data model for the configuration 4381 of the advanced network security function (i.e., http and https flood 4382 attack mitigation) can be defined as an extension in the future. 4384 General Firewall is as follows: 4386 1. The name of the system policy is flood_attack_mitigation. 4388 2. The name of the rule is mitigate_http_and_https_flood_attack. 4390 3. The rule inspects the destination IPv4 address (i.e., 192.0.2.11) 4391 to inspect the access packets coming into the company web server. 4393 4. The rule inspects the port number (i.e., 80 and 443) to select 4394 http and https packets. 4396 5. If the packets match the rule above, the general firewall sends 4397 the packets to the http and https flood attack mitigation for 4398 additional inspection because the general firewall cannot 4399 measure or limit the rate of http and https packets. 4401 HTTP and HTTPS Flood Attack Mitigation is as follows: 4403 1. The name of the system policy is 4404 flood_attack_mitigation (Figure 12). 4406 2. The name of the rule is mitigate_http_and_https_flood_attack. 4408 3. The rule controls the http and https packets according to the 4409 rate of incoming packets: its DDoS condition sets a flood detection alert rate of 100 (Figure 12). 4411 4. If the incoming packets exceed that alert rate, the packets are 4412 dropped. 4414 6. IANA Considerations 4416 This document requests IANA to register the following URI in the 4417 "IETF XML Registry" [RFC3688]: 4419 URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf 4420 Registrant Contact: The IESG. 4421 XML: N/A; the requested URI is an XML namespace. 4423 This document requests IANA to register the following YANG module in 4424 the "YANG Module Names" registry [RFC7950][RFC8525]. 4426 name: ietf-i2nsf-policy-rule-for-nsf 4427 namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf 4428 prefix: nsfintf 4429 reference: RFC XXXX 4431 7.
Security Considerations 4433 The YANG module specified in this document defines a data schema 4434 designed to be accessed through network management protocols such as 4435 NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is 4436 the secure transport layer, and the required secure transport is 4437 Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, 4438 and the required secure transport is TLS [RFC8446]. 4440 The NETCONF access control model [RFC8341] provides a means of 4441 restricting access for particular NETCONF or RESTCONF users to a 4442 preconfigured subset of all available NETCONF or RESTCONF protocol 4443 operations and content. 4445 There are a number of data nodes defined in this YANG module that are 4446 writable/creatable/deletable (i.e., config true, which is the 4447 default). These data nodes may be considered sensitive or vulnerable 4448 in some network environments. Write operations (e.g., edit-config) 4449 to these data nodes without proper protection can have a negative 4450 effect on network operations. These are the subtrees and data nodes 4451 and their sensitivity/vulnerability: 4453 o ietf-i2nsf-policy-rule-for-nsf: Writing to almost any element of 4454 this YANG module directly changes the configuration of 4455 NSFs, e.g., completely turning off security monitoring and 4456 mitigation capabilities (an ingress-action of pass, or a rule-group with enable set to false); altering the scope of this monitoring and 4457 mitigation (the address ranges, ports, URL categories, or DDoS alert rates in the condition clauses); creating an overwhelming logging volume that swamps 4458 downstream analytics or storage capacity; creating logging 4459 patterns which are confusing; or rendering useless trained 4460 statistics or artificial intelligence models. 4462 Some of the readable data nodes in this YANG module may be considered 4463 sensitive or vulnerable in some network environments. It is thus 4464 important to control read access (e.g., via get, get-config, or 4465 notification) to these data nodes.
These are the subtrees and data 4466 nodes and their sensitivity/vulnerability: 4468 o ietf-i2nsf-policy-rule-for-nsf: An attacker who can read the 4469 security policy of a target NSF learns which traffic it inspects, which thresholds (e.g., the DDoS alert rates) trigger mitigation, and which users, devices, applications, or regions it targets, and 4470 can shape subsequent attacks to stay outside those rules. 4472 In this YANG data module, note that the identity information of users 4473 is exchanged for security policy configuration based on that 4474 information. This implies that improving network security involves 4475 a tradeoff between users' privacy and network 4476 security. For the container users-condition in this YANG data module, 4477 the identity information of users (user-id, user-name, group-id, and group-name, and likewise the voice IDs and user agents of the packet-security-voice-condition) is exchanged between the Security 4478 Controller and an NSF for security policy configuration based on 4479 users' information. Thus, for this exchange of the identity 4480 information of users, there is a proportional relationship between 4481 the amount of a user's private information that is released and the network 4482 security strength of an NSF; such policies should carry only the identity attributes the NSF needs and be protected by the access control described above. 4484 8. Acknowledgments 4486 This work was supported by the Institute of Information & Communications 4487 Technology Planning & Evaluation (IITP) grant funded by the Korea 4488 MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based 4489 Security Intelligence Technology Development for the Customized 4490 Security Service Provisioning). This work was supported in part by 4491 the IITP (2020-0-00395, Standard Development of Blockchain based 4492 Network Management Automation Technology). 4494 9. Contributors 4496 This document is the result of a group effort of the I2NSF working group. 4497 Many people actively contributed to this document, such as Acee 4498 Lindem and Roman Danyliw. The authors sincerely appreciate their 4499 contributions.
4501 The following are co-authors of this document: 4503 Patrick Lingga 4504 Department of Computer Science and Engineering 4505 Sungkyunkwan University 4506 2066 Seo-ro Jangan-gu 4507 Suwon, Gyeonggi-do 16419 4508 Republic of Korea 4510 EMail: patricklink@skku.edu 4512 Hyoungshick Kim 4513 Department of Computer Science and Engineering 4514 Sungkyunkwan University 4515 2066 Seo-ro Jangan-gu 4516 Suwon, Gyeonggi-do 16419 4517 Republic of Korea 4519 EMail: hyoung@skku.edu 4521 Daeyoung Hyun 4522 Department of Computer Science and Engineering 4523 Sungkyunkwan University 4524 2066 Seo-ro Jangan-gu 4525 Suwon, Gyeonggi-do 16419 4526 Republic of Korea 4528 EMail: dyhyun@skku.edu 4530 Dongjin Hong 4531 Department of Electronic, Electrical and Computer Engineering 4532 Sungkyunkwan University 4533 2066 Seo-ro Jangan-gu 4534 Suwon, Gyeonggi-do 16419 4535 Republic of Korea 4537 EMail: dong.jin@skku.edu 4539 Liang Xia 4540 Huawei 4541 101 Software Avenue 4542 Nanjing, Jiangsu 210012 4543 China 4545 EMail: Frank.Xialiang@huawei.com 4547 Tae-Jin Ahn 4548 Korea Telecom 4549 70 Yuseong-Ro, Yuseong-Gu 4550 Daejeon, 305-811 4551 Republic of Korea 4553 EMail: taejin.ahn@kt.com 4555 Se-Hui Lee 4556 Korea Telecom 4557 70 Yuseong-Ro, Yuseong-Gu 4558 Daejeon, 305-811 4559 Republic of Korea 4561 EMail: sehuilee@kt.com 4563 10. References 4565 10.1. Normative References 4567 [I-D.ietf-i2nsf-capability-data-model] 4568 Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin, 4569 "I2NSF Capability YANG Data Model", draft-ietf-i2nsf- 4570 capability-data-model-15 (work in progress), January 2021. 4572 [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] 4573 Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- 4574 Garcia, "Software-Defined Networking (SDN)-based IPsec 4575 Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow- 4576 protection-12 (work in progress), October 2020. 4578 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 4579 DOI 10.17487/RFC0768, August 1980, 4580 . 
4582 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, 4583 DOI 10.17487/RFC0791, September 1981, 4584 . 4586 [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, 4587 RFC 792, DOI 10.17487/RFC0792, September 1981, 4588 . 4590 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 4591 RFC 793, DOI 10.17487/RFC0793, September 1981, 4592 . 4594 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 4595 A., Peterson, J., Sparks, R., Handley, M., and E. 4596 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 4597 DOI 10.17487/RFC3261, June 2002, 4598 . 4600 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 4601 DOI 10.17487/RFC3688, January 2004, 4602 . 4604 [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet 4605 Control Message Protocol (ICMPv6) for the Internet 4606 Protocol Version 6 (IPv6) Specification", STD 89, 4607 RFC 4443, DOI 10.17487/RFC4443, March 2006, 4608 . 4610 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 4611 the Network Configuration Protocol (NETCONF)", RFC 6020, 4612 DOI 10.17487/RFC6020, October 2010, 4613 . 4615 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 4616 and A. Bierman, Ed., "Network Configuration Protocol 4617 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 4618 . 4620 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure 4621 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, 4622 . 4624 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", 4625 RFC 6991, DOI 10.17487/RFC6991, July 2013, 4626 . 4628 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 4629 RFC 7950, DOI 10.17487/RFC7950, August 2016, 4630 . 4632 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF 4633 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, 4634 . 4636 [RFC8200] Deering, S. and R. 
Hinden, "Internet Protocol, Version 6 4637 (IPv6) Specification", STD 86, RFC 8200, 4638 DOI 10.17487/RFC8200, July 2017, 4639 . 4641 [RFC8335] Bonica, R., Thomas, R., Linkova, J., Lenart, C., and M. 4642 Boucadair, "PROBE: A Utility for Probing Interfaces", 4643 RFC 8335, DOI 10.17487/RFC8335, February 2018, 4644 . 4646 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", 4647 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 4648 . 4650 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration 4651 Access Control Model", STD 91, RFC 8341, 4652 DOI 10.17487/RFC8341, March 2018, 4653 . 4655 [RFC8344] Bjorklund, M., "A YANG Data Model for IP Management", 4656 RFC 8344, DOI 10.17487/RFC8344, March 2018, 4657 . 4659 [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of 4660 Documents Containing YANG Data Models", BCP 216, RFC 8407, 4661 DOI 10.17487/RFC8407, October 2018, 4662 . 4664 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 4665 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 4666 . 4668 [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., 4669 and R. Wilton, "YANG Library", RFC 8525, 4670 DOI 10.17487/RFC8525, March 2019, 4671 . 4673 10.2. Informative References 4675 [I-D.ietf-i2nsf-nsf-monitoring-data-model] 4676 Jeong, J., Lingga, P., Hares, S., Xia, L., and H. 4677 Birkholz, "I2NSF NSF Monitoring YANG Data Model", draft- 4678 ietf-i2nsf-nsf-monitoring-data-model-04 (work in 4679 progress), September 2020. 4681 [IANA-Protocol-Numbers] 4682 "Assigned Internet Protocol Numbers", Available: 4683 https://www.iana.org/assignments/protocol- 4684 numbers/protocol-numbers.xhtml, January 2021. 4686 [ISO-Country-Codes] 4687 "Codes for the representation of names of countries and 4688 their subdivisions", ISO 3166, September 2018. 4690 [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. 
4691 Kumar, "Framework for Interface to Network Security 4692 Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, 4693 . 4695 Authors' Addresses 4697 Jinyong (Tim) Kim (editor) 4698 Department of Electronic, Electrical and Computer Engineering 4699 Sungkyunkwan University 4700 2066 Seobu-Ro, Jangan-Gu 4701 Suwon, Gyeonggi-Do 16419 4702 Republic of Korea 4704 Phone: +82 10 8273 0930 4705 EMail: timkim@skku.edu 4707 Jaehoon (Paul) Jeong (editor) 4708 Department of Computer Science and Engineering 4709 Sungkyunkwan University 4710 2066 Seobu-Ro, Jangan-Gu 4711 Suwon, Gyeonggi-Do 16419 4712 Republic of Korea 4714 Phone: +82 31 299 4957 4715 Fax: +82 31 290 7996 4716 EMail: pauljeong@skku.edu 4717 URI: http://iotlab.skku.edu/people-jaehoon-jeong.php 4718 Jung-Soo Park 4719 Electronics and Telecommunications Research Institute 4720 218 Gajeong-Ro, Yuseong-Gu 4721 Daejeon 34129 4722 Republic of Korea 4724 Phone: +82 42 860 6514 4725 EMail: pjs@etri.re.kr 4727 Susan Hares 4728 Huawei 4729 7453 Hickory Hill 4730 Saline, MI 48176 4731 USA 4733 Phone: +1-734-604-0332 4734 EMail: shares@ndzh.com 4736 Qiushi Lin 4737 Huawei 4738 Huawei Industrial Base 4739 Shenzhen, Guangdong 518129 4740 China 4742 EMail: linqiushi@huawei.com