I2NSF Working Group                                           J. Kim, Ed.
Internet-Draft                                              J. Jeong, Ed.
Intended status: Standards Track                  Sungkyunkwan University
Expires: 19 March 2022                                            J. Park
                                                                     ETRI
                                                                 S. Hares
                                                                   Q. Lin
                                                                   Huawei
                                                        15 September 2021

     I2NSF Network Security Function-Facing Interface YANG Data Model
               draft-ietf-i2nsf-nsf-facing-interface-dm-14

Abstract

   This document defines a YANG data model for configuring security policy rules on Network Security Functions (NSF) in the Interface to Network Security Functions (I2NSF) framework.  The YANG data model in this document corresponds to the information model for the NSF-Facing Interface in the I2NSF framework.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 19 March 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  YANG Tree Diagram
     3.1.  General I2NSF Security Policy Rule
     3.2.  Event Clause
     3.3.  Condition Clause
     3.4.  Action Clause
   4.  YANG Data Model of NSF-Facing Interface
     4.1.  YANG Module of NSF-Facing Interface
   5.  XML Configuration Examples of Low-Level Security Policy Rules
     5.1.  Security Requirement 1: Block Social Networking Service (SNS) Access during Business Hours
     5.2.  Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming to a Company
     5.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a Company Web Server
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgments
   9.  Contributors
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020][RFC7950] data model for security policy rule configuration of Network Security Functions (NSF).  The YANG data model in this document is based on the information and data model in [I-D.ietf-i2nsf-capability-data-model] for the NSF-Facing Interface in the Interface to Network Security Functions (I2NSF) architecture [RFC8329].  The YANG data model in this document focuses on security policy configuration for the NSFs discussed in [I-D.ietf-i2nsf-capability-data-model], i.e., generic NSF.

   This YANG data model uses an "Event-Condition-Action" (ECA) policy model that is used as the basis for the design of I2NSF Policy described in [RFC8329] and [I-D.ietf-i2nsf-capability-data-model].

   The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this document provides the configuration of the following features:

   *  A security policy rule of a network security function.

   *  An event clause of a generic network security function.

   *  A condition clause of a generic network security function.

   *  An action clause of a generic network security function.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

   This document uses the terminology described in [RFC8329].

   This document follows the guidelines of [RFC8407], uses the common YANG types defined in [RFC6991], and adopts the Network Management Datastore Architecture (NMDA).  The meaning of the symbols in tree diagrams is defined in [RFC8340].

3.  YANG Tree Diagram

   This section shows a YANG tree diagram of policy for network security functions [I-D.ietf-i2nsf-capability-data-model].

3.1.  General I2NSF Security Policy Rule

   This section shows a YANG tree diagram for a general I2NSF security policy rule for generic network security functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy* [system-policy-name]
        +--rw system-policy-name     string
        +--rw priority-usage?        identityref
        +--rw resolution-strategy?   identityref
        +--rw default-action?        identityref
        +--rw rules* [rule-name]
        |  +--rw rule-name             string
        |  +--rw rule-description?     string
        |  +--rw rule-priority?        uint8
        |  +--rw rule-enable?          boolean
        |  +--rw session-aging-time?   uint16
        |  +--rw long-connection
        |  |  +--rw enable?     boolean
        |  |  +--rw duration?   uint16
        |  +--rw event
        |  |  ...
        |  +--rw action
        |     ...
        +--rw rule-group
           +--rw groups* [group-name]
              +--rw group-name     string
              +--rw rule-range
              |  +--rw start-rule?   string
              |  +--rw end-rule?     string
              +--rw enable?        boolean
              +--rw description?   string

           Figure 1: YANG Tree Diagram for Network Security Policy

   The system policy provides for multiple system policies in one NSF, and each system policy is used by one virtual instance of the NSF/device.
   The system policy includes system policy name, priority usage, resolution strategy, default action, and rules.

   A resolution strategy is used to decide how to resolve conflicts that occur between the actions of the same or different policy rules that are matched and contained in a particular NSF.  The resolution strategy is defined as First Matching Rule (FMR), Last Matching Rule (LMR), Prioritized Matching Rule (PMR) with Errors (PMRE), and Prioritized Matching Rule with No Errors (PMRN).  The resolution strategy can be extended according to specific vendor action features.  The resolution strategy is described in detail in [I-D.ietf-i2nsf-capability-data-model].

   A default action is used to execute an I2NSF policy rule when no rule matches a packet.  The default action is defined as pass, drop, rate-limit, and mirror.  The default action can be extended according to specific vendor action features.  The default action is described in detail in [I-D.ietf-i2nsf-capability-data-model].

   The rules include rule name, rule description, rule priority, rule enable, event, condition, and action.

3.2.  Event Clause

   This section shows a YANG tree diagram for an event clause for a general I2NSF security policy rule for generic network security functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy* [system-policy-name]
        ...
        +--rw rules* [rule-name]
        |  ...
        |  +--rw event
        |  |  +--rw event-clause-description?   string
        |  |  +--rw time
        |  |  |  +--rw start-date-time?   yang:date-and-time
        |  |  |  +--rw end-date-time?     yang:date-and-time
        |  |  |  +--rw period
        |  |  |  |  +--rw start-time?   time
        |  |  |  |  +--rw end-time?     time
        |  |  |  |  +--rw day*          identityref
        |  |  |  |  +--rw date*         int32
        |  |  |  |  +--rw month*        string
        |  |  |  +--rw frequency?         enumeration
        |  |  +--rw event-clauses
        |  |     +--rw system-event*   identityref
        |  |     +--rw system-alarm*   identityref
        |  +--rw condition
        |  |  ...
        |  +--rw action
        |     ...
        +--rw rule-group
           ...

              Figure 2: YANG Tree Diagram for an Event Clause

   An event clause is any important occurrence at a specific time of a change in the system being managed, and/or in the environment of the system being managed.  An event clause is used to trigger the evaluation of the condition clause of the I2NSF Policy Rule.  The event clause is defined as a system event, system alarm [I-D.ietf-i2nsf-nsf-monitoring-data-model] and time.  The event clause can be extended according to specific vendor event features.  The event clause is described in detail in [I-D.ietf-i2nsf-capability-data-model].

3.3.  Condition Clause

   This section shows a YANG tree diagram for a condition clause for a general I2NSF security policy rule for generic network security functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy* [system-policy-name]
        ...
        +--rw rules* [rule-name]
        |  ...
        |  +--rw event
        |  |  ...
        |  +--rw condition
        |  |  +--rw condition-clause-description?   string
        |  |  +--rw ethernet
        |  |  |  +--rw ethernet-description?   string
        |  |  |  +--rw source-address*         yang:mac-address
        |  |  |  +--rw destination-address*    yang:mac-address
        |  |  |  +--rw ether-type*             uint16
        |  |  +--rw ipv4
        |  |  |  +--rw description?        string
        |  |  |  +--rw header-length* [start end]
        |  |  |  |  +--rw start    uint8
        |  |  |  |  +--rw end      uint8
        |  |  |  +--rw dscp*               inet:dscp
        |  |  |  +--rw total-length* [start end]
        |  |  |  |  +--rw start    uint16
        |  |  |  |  +--rw end      uint16
        |  |  |  +--rw identification*     uint16
        |  |  |  +--rw fragment-flags*     identityref
        |  |  |  +--rw fragment-offset* [start end]
        |  |  |  |  +--rw start    uint16
        |  |  |  |  +--rw end      uint16
        |  |  |  +--rw ttl* [start end]
        |  |  |  |  +--rw start    uint8
        |  |  |  |  +--rw end      uint8
        |  |  |  +--rw protocol*           uint8
        |  |  |  +--rw source-address
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(prefix)
        |  |  |  |     |  +--rw ipv4-prefix* [ipv4]
        |  |  |  |     |     +--rw ipv4             inet:ipv4-address-no-zone
        |  |  |  |     |     +--rw (subnet)?
        |  |  |  |     |        +--:(prefix-length)
        |  |  |  |     |        |  +--rw prefix-length?   uint8
        |  |  |  |     |        +--:(netmask)
        |  |  |  |     |           +--rw netmask?         yang:dotted-quad
        |  |  |  |     +--:(range)
        |  |  |  |        +--rw ipv4-range* [start end]
        |  |  |  |           +--rw start    inet:ipv4-address-no-zone
        |  |  |  |           +--rw end      inet:ipv4-address-no-zone
        |  |  |  +--rw destination-address
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(prefix)
        |  |  |  |     |  +--rw ipv4-prefix* [ipv4]
        |  |  |  |     |     +--rw ipv4             inet:ipv4-address-no-zone
        |  |  |  |     |     +--rw (subnet)?
        |  |  |  |     |        +--:(prefix-length)
        |  |  |  |     |        |  +--rw prefix-length?   uint8
        |  |  |  |     |        +--:(netmask)
        |  |  |  |     |           +--rw netmask?         yang:dotted-quad
        |  |  |  |     +--:(range)
        |  |  |  |        +--rw ipv4-range* [start end]
        |  |  |  |           +--rw start    inet:ipv4-address-no-zone
        |  |  |  |           +--rw end      inet:ipv4-address-no-zone
        |  |  |  +--rw ipopts*             identityref
        |  |  +--rw ipv6
        |  |  |  +--rw description?        string
        |  |  |  +--rw dscp*               inet:dscp
        |  |  |  +--rw flow-label* [start end]
        |  |  |  |  +--rw start    inet:ipv6-flow-label
        |  |  |  |  +--rw end      inet:ipv6-flow-label
        |  |  |  +--rw payload-length* [start end]
        |  |  |  |  +--rw start    uint16
        |  |  |  |  +--rw end      uint16
        |  |  |  +--rw next-header*        uint8
        |  |  |  +--rw hop-limit* [start end]
        |  |  |  |  +--rw start    uint8
        |  |  |  |  +--rw end      uint8
        |  |  |  +--rw source-address
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(prefix)
        |  |  |  |     |  +--rw ipv6-prefix* [ipv6]
        |  |  |  |     |     +--rw ipv6             inet:ipv6-address-no-zone
        |  |  |  |     |     +--rw prefix-length?   uint8
        |  |  |  |     +--:(range)
        |  |  |  |        +--rw ipv6-range* [start end]
        |  |  |  |           +--rw start    inet:ipv6-address-no-zone
        |  |  |  |           +--rw end      inet:ipv6-address-no-zone
        |  |  |  +--rw destination-address
        |  |  |     +--rw (match-type)?
        |  |  |        +--:(prefix)
        |  |  |        |  +--rw ipv6-prefix* [ipv6]
        |  |  |        |     +--rw ipv6             inet:ipv6-address-no-zone
        |  |  |        |     +--rw prefix-length?   uint8
        |  |  |        +--:(range)
        |  |  |           +--rw ipv6-range* [start end]
        |  |  |              +--rw start    inet:ipv6-address-no-zone
        |  |  |              +--rw end      inet:ipv6-address-no-zone
        |  |  +--rw tcp
        |  |  |  +--rw description?   string
        |  |  |  +--rw source-port-number* [start end]
        |  |  |  |  +--rw start    inet:port-number
        |  |  |  |  +--rw end      inet:port-number
        |  |  |  +--rw destination-port-number* [start end]
        |  |  |  |  +--rw start    inet:port-number
        |  |  |  |  +--rw end      inet:port-number
        |  |  |  +--rw flags*         identityref
        |  |  +--rw udp
        |  |  |  +--rw description?   string
        |  |  |  +--rw source-port-number
        |  |  |  |  +--rw start?   inet:port-number
        |  |  |  |  +--rw end?     inet:port-number
        |  |  |  +--rw destination-port-number
        |  |  |  |  +--rw start?   inet:port-number
        |  |  |  |  +--rw end?     inet:port-number
        |  |  |  +--rw total-length* [start end]
        |  |  |     +--rw start    uint32
        |  |  |     +--rw end      uint32
        |  |  +--rw sctp
        |  |  |  +--rw description?        string
        |  |  |  +--rw source-port-number
        |  |  |  |  +--rw start?   inet:port-number
        |  |  |  |  +--rw end?     inet:port-number
        |  |  |  +--rw destination-port-number
        |  |  |  |  +--rw start?   inet:port-number
        |  |  |  |  +--rw end?     inet:port-number
        |  |  |  +--rw verification-tag*   uint32
        |  |  |  +--rw chunk-type*         uint8
        |  |  +--rw dccp
        |  |  |  +--rw description?    string
        |  |  |  +--rw source-port-number
        |  |  |  |  +--rw start?   inet:port-number
        |  |  |  |  +--rw end?     inet:port-number
        |  |  |  +--rw destination-port-number
        |  |  |  |  +--rw start?   inet:port-number
        |  |  |  |  +--rw end?     inet:port-number
        |  |  |  +--rw service-code*   uint32
        |  |  +--rw icmp* [version]
        |  |  |  +--rw description?   string
        |  |  |  +--rw version        enumeration
        |  |  |  +--rw type*          uint8
        |  |  |  +--rw code*          uint8
        |  |  +--rw url-category
        |  |  |  +--rw description?             string
        |  |  |  +--rw pre-defined-category*    string
        |  |  |  +--rw user-defined-category*   string
        |  |  +--rw voice
        |  |  |  +--rw description?            string
        |  |  |  +--rw source-voice-id*        string
        |  |  |  +--rw destination-voice-id*   string
        |  |  |  +--rw user-agent*             string
        |  |  +--rw ddos
        |  |  |  +--rw description?         string
        |  |  |  +--rw alert-packet-rate?   uint32
        |  |  |  +--rw alert-flow-rate?     uint32
        |  |  |  +--rw alert-byte-rate?     uint32
        |  |  +--rw anti-virus
        |  |  |  +--rw profile*           string
        |  |  |  +--rw exception-files*   string
        |  |  +--rw payload
        |  |  |  +--rw packet-payload-description?   string
        |  |  |  +--rw payload-content*              string
        |  |  +--rw context
        |  |     +--rw context-description?   string
        |  |     +--rw application
        |  |     |  +--rw description?   string
        |  |     |  +--rw object*        string
        |  |     |  +--rw group*         string
        |  |     |  +--rw label*         string
        |  |     |  +--rw category
        |  |     |     +--rw application-category* [name subcategory]
        |  |     |        +--rw name           string
        |  |     |        +--rw subcategory    string
        |  |     +--rw target
        |  |     |  +--rw description?   string
        |  |     |  +--rw device*        identityref
        |  |     +--rw users
        |  |     |  +--rw users-description?   string
        |  |     |  +--rw user* [user-id]
        |  |     |  |  +--rw user-id      uint32
        |  |     |  |  +--rw user-name?   string
        |  |     |  +--rw group* [group-id]
        |  |     |  |  +--rw group-id      uint32
        |  |     |  |  +--rw group-name?   string
        |  |     |  +--rw security-group?      string
        |  |     +--rw geography-location
        |  |        +--rw description?   string
        |  |        +--rw source*        string
        |  |        +--rw destination*   string
        |  +--rw action
        |     ...
        +--rw rule-group
           ...

            Figure 3: YANG Tree Diagram for a Condition Clause

   A condition clause is defined as a set of attributes, features, and/or values that are to be compared with a set of known attributes, features, and/or values in order to determine whether or not the set of actions in that (imperative) I2NSF policy rule can be executed.  A condition clause is classified as a condition of generic network security functions, advanced network security functions, or context.  A condition clause of generic network security functions is defined as IPv4 condition, IPv6 condition, TCP condition, UDP condition, SCTP condition, DCCP condition, and ICMP (ICMPv4 and ICMPv6) condition.

   Note that the data model in this document does not focus only on IP addresses, but on all the fields of the IPv4 and IPv6 headers.  The IPv4 and IPv6 headers are similar but have some different fields.  It is therefore better to handle the IPv4 and IPv6 headers separately, so that the differing fields can be used to handle IPv4 and IPv6 packets.

   A condition clause of advanced network security functions is defined as url category condition, voice condition, DDoS condition, or payload condition.  A condition clause of context is defined as application condition, target condition, users condition, and geography condition.
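   As an added illustration (not code from the draft or the I2NSF project), the following Python evaluates constructed packets against a constructed policy instance shaped after the tree diagrams above.  It implements the IPv4 source/destination-address (match-type) choice with its prefix (prefix-length or netmask) and range cases, the [start end] range lists used for ttl and TCP port numbers, the TCP flags list, rule-enable, the FMR, LMR and PMR resolution strategies of Section 3.1, and the default-action fallback when no rule matches.  The dict encoding of the instance data (the draft's own examples in Section 5 use XML), the short strategy names fmr/lmr/pmr, the convention that a larger rule-priority wins under PMR, and the packet field names are this example's assumptions.

```python
"""Evaluate packets against an I2NSF security policy (added example)."""
import ipaddress

# Constructed policy instance.  Node names follow the tree diagrams in
# Section 3; the dict layout and the short strategy names are assumptions
# (the draft's own examples in Section 5 are XML).
POLICY = {
    "system-policy-name": "guest-segment-policy",
    "resolution-strategy": "fmr",   # fmr | lmr | pmr
    "default-action": "pass",
    "rules": [
        {   # drop TCP SYNs to port 22 from the guest /24 while TTL <= 64
            "rule-name": "block-ssh-from-guest", "rule-priority": 10,
            "rule-enable": True,
            "condition": {
                "ipv4": {"source-address": {"ipv4-prefix": [
                             {"ipv4": "192.0.2.0", "prefix-length": 24}]},
                         "ttl": [{"start": 1, "end": 64}]},
                "tcp": {"destination-port-number": [{"start": 22, "end": 22}],
                        "flags": ["syn"]}},
            "action": {"packet-action": {"ingress-action": "drop",
                                         "log-action": "log"}}},
        {   # allow well-known ports from a small address range
            "rule-name": "allow-low-ports-from-guest-hosts", "rule-priority": 20,
            "rule-enable": True,
            "condition": {
                "ipv4": {"source-address": {"ipv4-range": [
                             {"start": "192.0.2.10", "end": "192.0.2.20"}]}},
                "tcp": {"destination-port-number": [{"start": 1, "end": 1023}]}},
            "action": {"packet-action": {"ingress-action": "pass"}}},
        {   # rule-enable false: must never be considered
            "rule-name": "disabled-catch-all", "rule-priority": 255,
            "rule-enable": False, "condition": {},
            "action": {"packet-action": {"ingress-action": "drop"}}},
    ],
}

# Constructed packets (already-decoded header fields).
PKT_SSH_SYN = {"src": "192.0.2.15", "dst": "198.51.100.5", "ttl": 64,
               "protocol": 6, "sport": 40000, "dport": 22, "flags": {"syn"}}
PKT_SSH_HIGH_TTL = dict(PKT_SSH_SYN, ttl=128)
PKT_SSH_OUTSIDE_RANGE = dict(PKT_SSH_SYN, src="192.0.2.100")
PKT_UNKNOWN_SRC = dict(PKT_SSH_SYN, src="203.0.113.1")


def _in_ranges(value, ranges):
    """[start end] list: an empty list leaves the field unconstrained."""
    return not ranges or any(r["start"] <= value <= r["end"] for r in ranges)


def _match_ipv4_address(addr, spec):
    """(match-type) choice: prefix (prefix-length or netmask) or range."""
    if not spec:
        return True
    ip = ipaddress.IPv4Address(addr)
    for p in spec.get("ipv4-prefix", []):
        mask = p["netmask"] if "netmask" in p else p.get("prefix-length", 32)
        if ip in ipaddress.IPv4Network((p["ipv4"], mask), strict=False):
            return True
    return any(ipaddress.IPv4Address(r["start"]) <= ip
               <= ipaddress.IPv4Address(r["end"])
               for r in spec.get("ipv4-range", []))


def condition_matches(cond, pkt):
    """Every sub-condition present must hold (ipv4 and tcp handled here)."""
    ipv4, tcp = cond.get("ipv4"), cond.get("tcp")
    if ipv4 is not None and not (
            _match_ipv4_address(pkt["src"], ipv4.get("source-address"))
            and _match_ipv4_address(pkt["dst"], ipv4.get("destination-address"))
            and _in_ranges(pkt["ttl"], ipv4.get("ttl", []))):
        return False
    if tcp is not None and not (
            pkt["protocol"] == 6
            and _in_ranges(pkt["sport"], tcp.get("source-port-number", []))
            and _in_ranges(pkt["dport"], tcp.get("destination-port-number", []))
            and set(tcp.get("flags", [])) <= pkt["flags"]):  # all listed flags set
        return False
    return True


def evaluate(policy, pkt, strategy=None):
    """Return (ingress-action, rule-name); rule-name is None for default-action."""
    matched = [r for r in policy["rules"]
               if r.get("rule-enable", True)
               and condition_matches(r.get("condition", {}), pkt)]
    if not matched:
        return policy["default-action"], None
    strategy = strategy or policy["resolution-strategy"]
    if strategy == "fmr":      # First Matching Rule
        rule = matched[0]
    elif strategy == "lmr":    # Last Matching Rule
        rule = matched[-1]
    elif strategy == "pmr":    # Prioritized Matching Rule (assumption: larger wins)
        rule = max(matched, key=lambda r: r["rule-priority"])
    else:
        raise ValueError(f"unknown resolution strategy {strategy!r}")
    return rule["action"]["packet-action"]["ingress-action"], rule["rule-name"]


if __name__ == "__main__":
    for s in ("fmr", "lmr", "pmr"):
        print(s, evaluate(POLICY, PKT_SSH_SYN, s), evaluate(POLICY, PKT_UNKNOWN_SRC, s))
```

   Running the block shows the point of Section 3.1's resolution strategy: the same SYN to port 22 from 192.0.2.15 matches both enabled rules, so it is dropped under FMR but passed under LMR and PMR, while a packet from an address no rule covers falls through to default-action.  When reviewing a policy, the resolution strategy and default action therefore deserve the same scrutiny as the individual rules.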
   Note that this document deals only with conditions of several advanced network security functions such as url filter (i.e., web filter), VoIP/VoLTE security, and DDoS-attack mitigator.  A condition clause of other advanced network security functions such as Intrusion Prevention System (IPS) and Data Loss Prevention (DLP) can be defined as an extension in the future.  A condition clause can be extended according to specific vendor condition features.  A condition clause is described in detail in [I-D.ietf-i2nsf-capability-data-model].

3.4.  Action Clause

   This section shows a YANG tree diagram for an action clause for a general I2NSF security policy rule for generic network security functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy* [system-policy-name]
        ...
        +--rw rules* [rule-name]
        |  ...
        |  +--rw event
        |  |  ...
        |  +--rw condition
        |  |  ...
        |  +--rw action
        |     +--rw action-clause-description?   string
        |     +--rw packet-action
        |     |  +--rw ingress-action?   identityref
        |     |  +--rw egress-action?    identityref
        |     |  +--rw log-action?       identityref
        |     +--rw flow-action
        |     |  +--rw ingress-action?   identityref
        |     |  +--rw egress-action?    identityref
        |     |  +--rw log-action?       identityref
        |     +--rw advanced-action
        |        +--rw content-security-control*    identityref
        |        +--rw attack-mitigation-control*   identityref
        +--rw rule-group
           ...

              Figure 4: YANG Tree Diagram for an Action Clause

   An action is used to control and monitor aspects of flow-based NSFs when the policy rule event and condition clauses are satisfied.  NSFs provide security services by executing various actions.  The action clause is defined as ingress action, egress action, or log action for packet action, flow action, and advanced action for additional inspection.
   The packet action is an action for an individual packet such as an IP datagram, as a stateless process that uses the packet's header and payload.  The flow action is an action on a traffic flow such as the packets of a TCP session (e.g., an HTTP/HTTPS session), as a stateful process that uses the traffic flow information such as 5-tuple information, packet counts, and byte counts.  The advanced action is an action for an advanced security service (e.g., url filter, DDoS-attack mitigator, and VoIP/VoLTE filter) for either a packet or a traffic flow according to the intention of such an advanced security service.  The action clause can be extended according to specific vendor action features.  The action clause is described in detail in [I-D.ietf-i2nsf-capability-data-model].

4.  YANG Data Model of NSF-Facing Interface

   The main objective of this data model is to provide both an information model and the corresponding YANG data model of the I2NSF NSF-Facing Interface.  This interface can be used to deliver control and management messages between the Security Controller and NSFs for the I2NSF low-level security policies.

   This data model is designed to support the I2NSF framework and can be extended according to the security needs.  In other words, the model design is independent of the content and meaning of specific policies as well as the implementation approach.

   With the YANG data model of the I2NSF NSF-Facing Interface, this document suggests use cases for security policy rules such as time-based firewall, web filter, VoIP/VoLTE security service, and DDoS-attack mitigation in Section 5.

4.1.  YANG Module of NSF-Facing Interface

   This section describes a YANG module of the NSF-Facing Interface.  This document provides identities in the data model for the configuration of an NSF.
   Each identity has the same meaning as the corresponding identity in [I-D.ietf-i2nsf-consumer-facing-interface-dm].  This YANG module imports from [RFC6991].  It makes references to [RFC0768] [RFC0791] [RFC0792] [RFC0793] [RFC2474] [RFC3261] [RFC4340] [RFC4443] [RFC4960] [RFC5595] [RFC6335] [RFC8200] [RFC8329] [RFC8335] [RFC8344] [IEEE-802.3] [ISO-Country-Codes] [IANA-Protocol-Numbers] [IANA-ICMP-Parameters] [I-D.ietf-i2nsf-capability-data-model] [I-D.ietf-i2nsf-nsf-monitoring-data-model].

<CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2021-09-15.yang"
module ietf-i2nsf-policy-rule-for-nsf {
  yang-version 1.1;
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
  prefix
    nsfintf;

  import ietf-inet-types{
    prefix inet;
    reference
      "Section 4 of RFC 6991";
  }
  import ietf-yang-types {
    prefix yang;
    reference
      "Section 3 of RFC 6991";
  }

  organization
    "IETF I2NSF (Interface to Network Security Functions)
     Working Group";

  contact
    "WG Web:
     WG List:

     Editor: Jinyong Tim Kim

     Editor: Jaehoon Paul Jeong
     ";

  description
    "This module is a YANG module for Network Security Functions
     (NSF)-Facing Interface.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
     'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
     'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
     document are to be interpreted as described in BCP 14
     (RFC 2119) (RFC 8174) when, and only when, they appear
     in all capitals, as shown here.

     Copyright (c) 2021 IETF Trust and the persons identified as
     authors of the code. All rights reserved.
     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Simplified BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX
     (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
     for full legal notices.";

  revision "2021-09-15"{
    description "The latest revision.";
    reference
      "RFC XXXX: I2NSF Network Security Function-Facing Interface
       YANG Data Model";
  }

  /*
   * Identities
   */

  identity priority-usage {
    description
      "Base identity for priority usage type.";
  }

  identity priority-by-order {
    base priority-usage;
    description
      "Identity for priority by order";
  }

  identity priority-by-number {
    base priority-usage;
    description
      "Identity for priority by number";
  }

  identity event {
    description
      "Base identity for policy events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
       Monitoring YANG Data Model - Event";
  }

  identity system-event {
    base event;
    description
      "Identity for system events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
       Monitoring YANG Data Model - System event";
  }

  identity system-alarm {
    base event;
    description
      "Identity for system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
       Monitoring YANG Data Model - System alarm";
  }

  identity access-violation {
    base system-event;
    description
      "Identity for access violation
       system events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
       Monitoring YANG Data Model - System event for access
       violation";
  }

  identity configuration-change {
    base system-event;
    description
      "Identity for configuration change
       system events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
       Monitoring YANG Data Model - System event for configuration
       change";
  }

  identity memory-alarm {
    base system-alarm;
    description
      "Identity for memory alarm
       system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
       Monitoring YANG Data Model - System alarm for memory";
  }

  identity cpu-alarm {
    base system-alarm;
    description
      "Identity for CPU alarm
       system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
       Monitoring YANG Data Model - System alarm for CPU";
  }

  identity disk-alarm {
    base system-alarm;
    description
      "Identity for disk alarm
       system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
       Monitoring YANG Data Model - System alarm for disk";
  }

  identity hardware-alarm {
    base system-alarm;
    description
      "Identity for hardware alarm
       system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
       Monitoring YANG Data Model - System alarm for hardware";
  }

  identity interface-alarm {
    base system-alarm;
    description
      "Identity for interface alarm
       system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
       Monitoring YANG Data Model - System alarm for interface";
  }

  identity fragmentation-flags {
    description
      "Base identity for fragmentation flags type";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity fragment {
    base fragmentation-flags;
    description
      "Identity for 'More fragment' flag";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity no-fragment {
    base fragmentation-flags;
    description
      "Identity for 'Do not fragment' flag";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity reserved {
    base fragmentation-flags;
    description
      "Identity for reserved flags";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity ipopts {
    description
      "Base identity for IP options";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity rr {
    base ipopts;
    description
      "Identity for 'Record Route' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity eol {
    base ipopts;
    description
      "Identity for 'End of List' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity nop {
    base ipopts;
    description
      "Identity for 'No Operation' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity ts {
    base ipopts;
    description
      "Identity for 'Timestamp' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity sec {
    base ipopts;
    description
      "Identity for 'IP security' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity esec {
    base ipopts;
    description
      "Identity for 'IP extended security' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity lsrr {
    base ipopts;
    description
      "Identity for 'Loose Source Routing' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity ssrr {
    base ipopts;
    description
      "Identity for 'Strict Source Routing' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity satid {
    base ipopts;
    description
      "Identity for 'Stream Identifier' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity any {
    base ipopts;
    description
      "Identity for 'any IP options included in IPv4 packet'";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity tcp-flags {
    description
      "Base identity for TCP flags";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity cwr {
    base tcp-flags;
    description
      "Identity for 'Congestion Window Reduced' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity ecn {
    base tcp-flags;
    description
      "Identity for 'Explicit Congestion Notification'
       TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity urg {
    base tcp-flags;
    description
      "Identity for 'Urgent' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity ack {
    base tcp-flags;
    description
      "Identity for 'Acknowledgement' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity psh {
    base tcp-flags;
    description
      "Identity for 'Push' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity rst {
    base tcp-flags;
    description
      "Identity for 'Reset' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity syn {
    base tcp-flags;
    description
      "Identity for 'Synchronize' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity fin {
    base tcp-flags;
    description
      "Identity for 'Finish' TCP flag";
    reference
      "RFC 793: Transmission Control Protocol - Flags";
  }

  identity target-device {
    description
      "Base identity for target devices";
    reference
      "draft-ietf-i2nsf-capability-data-model-17:
       I2NSF Capability YANG Data Model";
  }

  identity computer {
    base target-device;
    description
      "Identity for computer such as personal computer (PC)
       and server";
  }

  identity mobile-phone {
base target-device; 937 description 938 "Identity for mobile-phone such as smartphone and 939 cellphone"; 940 } 942 identity voip-volte-phone { 943 base target-device; 944 description 945 "Identity for voip-volte-phone"; 946 } 948 identity tablet { 949 base target-device; 950 description 951 "Identity for tablet"; 952 } 954 identity network-infrastructure-device { 955 base target-device; 956 description 957 "Identity for network infrastructure devices 958 such as switch, router, and access point"; 959 } 961 identity iot-device { 962 base target-device; 963 description 964 "Identity for IoT (Internet of Things) devices"; 965 } 967 identity ot { 968 base target-device; 969 description 970 "Identity for Operational Technology"; 971 } 973 identity vehicle { 974 base target-device; 975 description 976 "Identity for vehicle that connects to and shares 977 data through the Internet"; 978 } 980 identity advanced-nsf { 981 description 982 "Base identity for advanced Network Security Function (NSF) 983 capability. 
This can be used for advanced NSFs such as 984 Anti-DDoS Attack, IPS, URL-Filtering, Antivirus, 985 and VoIP/VoLTE Filter."; 986 reference 987 "draft-ietf-i2nsf-capability-data-model-17: 988 I2NSF Capability YANG Data Model"; 989 } 991 identity content-security-control { 992 base advanced-nsf; 993 description 994 "Base identity for content security control"; 995 reference 996 "draft-ietf-i2nsf-capability-data-model-17: 997 I2NSF Capability YANG Data Model"; 998 } 1000 identity ips { 1001 base content-security-control; 1002 description 1003 "Identity for IPS (Intrusion Prevention System) 1004 that prevents malicious activity within a network"; 1005 } 1007 identity url-filtering { 1008 base content-security-control; 1009 description 1010 "Identity for url filtering that limits access by comparing the 1011 web traffic's URL with the URLs for web filtering in a 1012 database"; 1013 } 1015 identity anti-virus { 1016 base content-security-control; 1017 description 1018 "Identity for antivirus to protect the network by detecting and 1019 removing viruses or malwares."; 1020 } 1022 identity voip-volte-filter { 1023 base content-security-control; 1024 description 1025 "Identity for VoIP/VoLTE security service that filters out the 1026 packets or flows of malicious users with a deny list of 1027 malicious users in a database"; 1028 } 1030 identity attack-mitigation-control { 1031 base advanced-nsf; 1032 description 1033 "Base identity for attack mitigation control"; 1034 reference 1035 "draft-ietf-i2nsf-capability-data-model-17: 1036 I2NSF Capability YANG Data Model"; 1037 } 1039 identity anti-ddos { 1040 base attack-mitigation-control; 1041 description 1042 "Identity for advanced NSF Anti-DDoS or DDoS Mitigator 1043 capability."; 1044 } 1046 identity action { 1047 description 1048 "Base identity for action"; 1049 } 1051 identity ingress-action { 1052 base action; 1053 description 1054 "Base identity for ingress action"; 1055 reference 1056 
"draft-ietf-i2nsf-capability-data-model-17: 1057 I2NSF Capability YANG Data Model - Ingress Action"; 1058 } 1060 identity egress-action { 1061 base action; 1062 description 1063 "Base identity for egress action"; 1064 reference 1065 "draft-ietf-i2nsf-capability-data-model-17: 1066 I2NSF Capability YANG Data Model - Egress Action"; 1067 } 1069 identity default-action { 1070 base action; 1071 description 1072 "Base identity for default action"; 1074 reference 1075 "draft-ietf-i2nsf-capability-data-model-17: 1076 I2NSF Capability YANG Data Model - Default Action"; 1077 } 1079 identity pass { 1080 base ingress-action; 1081 base egress-action; 1082 base default-action; 1083 description 1084 "Identity for pass"; 1085 reference 1086 "draft-ietf-i2nsf-capability-data-model-17: 1087 I2NSF Capability YANG Data Model - Actions and 1088 Default Action"; 1089 } 1091 identity drop { 1092 base ingress-action; 1093 base egress-action; 1094 base default-action; 1095 description 1096 "Identity for drop"; 1097 reference 1098 "draft-ietf-i2nsf-capability-data-model-17: 1099 I2NSF Capability YANG Data Model - Actions and 1100 Default Action"; 1101 } 1103 identity mirror { 1104 base ingress-action; 1105 base egress-action; 1106 base default-action; 1107 description 1108 "Identity for mirror"; 1109 reference 1110 "draft-ietf-i2nsf-capability-data-model-17: 1111 I2NSF Capability YANG Data Model - Actions and 1112 Default Action"; 1113 } 1115 identity rate-limit { 1116 base ingress-action; 1117 base egress-action; 1118 base default-action; 1119 description 1120 "Identity for rate limiting action"; 1121 reference 1122 "draft-ietf-i2nsf-capability-data-model-17: 1123 I2NSF Capability YANG Data Model - Actions and 1124 Default Action"; 1125 } 1127 identity log-action { 1128 base action; 1129 description 1130 "Base identity for log action"; 1131 } 1133 identity rule-log { 1134 base log-action; 1135 description 1136 "Identity for rule log"; 1137 } 1139 identity session-log { 1140 base 
log-action; 1141 description 1142 "Identity for session log"; 1143 } 1145 identity invoke-signaling { 1146 base egress-action; 1147 description 1148 "Identity for invoke signaling"; 1149 } 1151 identity tunnel-encapsulation { 1152 base egress-action; 1153 description 1154 "Identity for tunnel encapsulation"; 1155 } 1157 identity forwarding { 1158 base egress-action; 1159 description 1160 "Identity for forwarding"; 1161 } 1163 identity transformation { 1164 base egress-action; 1165 description 1166 "Identity for transformation"; 1167 } 1169 identity redirection { 1170 base egress-action; 1171 description 1172 "Identity for redirection"; 1173 } 1175 identity resolution-strategy { 1176 description 1177 "Base identity for resolution strategy"; 1178 reference 1179 "draft-ietf-i2nsf-capability-data-model-17: 1180 I2NSF Capability YANG Data Model - Resolution Strategy"; 1181 } 1183 identity fmr { 1184 base resolution-strategy; 1185 description 1186 "Identity for First Matching Rule (FMR)"; 1187 reference 1188 "draft-ietf-i2nsf-capability-data-model-17: 1189 I2NSF Capability YANG Data Model - Resolution Strategy"; 1190 } 1192 identity lmr { 1193 base resolution-strategy; 1194 description 1195 "Identity for Last Matching Rule (LMR)"; 1196 reference 1197 "draft-ietf-i2nsf-capability-data-model-17: 1198 I2NSF Capability YANG Data Model - Resolution Strategy"; 1199 } 1201 identity pmr { 1202 base resolution-strategy; 1203 description 1204 "Identity for Prioritized Matching Rule (PMR)"; 1205 reference 1206 "draft-ietf-i2nsf-capability-data-model-17: 1207 I2NSF Capability YANG Data Model - Resolution Strategy"; 1208 } 1210 identity pmre { 1211 base resolution-strategy; 1212 description 1213 "Identity for Prioritized Matching Rule 1214 with Errors (PMRE)"; 1215 reference 1216 "draft-ietf-i2nsf-capability-data-model-17: 1217 I2NSF Capability YANG Data Model - Resolution Strategy"; 1219 } 1221 identity pmrn { 1222 base resolution-strategy; 1223 description 1224 "Identity for 
Prioritized Matching Rule 1225 with No Errors (PMRN)"; 1226 reference 1227 "draft-ietf-i2nsf-capability-data-model-17: 1228 I2NSF Capability YANG Data Model - Resolution Strategy"; 1229 } 1231 identity day { 1232 description 1233 "This represents the base for days."; 1234 } 1236 identity monday { 1237 base day; 1238 description 1239 "This represents Monday."; 1240 } 1242 identity tuesday { 1243 base day; 1244 description 1245 "This represents Tuesday."; 1246 } 1248 identity wednesday { 1249 base day; 1250 description 1251 "This represents Wednesday."; 1252 } 1254 identity thursday { 1255 base day; 1256 description 1257 "This represents Thursday."; 1258 } 1260 identity friday { 1261 base day; 1262 description 1263 "This represents Friday."; 1264 } 1266 identity saturday { 1267 base day; 1268 description 1269 "This represents Saturday."; 1270 } 1272 identity sunday { 1273 base day; 1274 description 1275 "This represents Sunday."; 1276 } 1278 /* 1279 * Typedefs 1280 */ 1282 typedef time { 1283 type string { 1284 pattern '(0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](\.\d+)?' 
1285 + '(Z|[\+\-]((1[0-3]|0[0-9]):([0-5][0-9])|14:00))?'; 1286 } 1287 description 1288 "The time type represents an instance of time of zero-duration 1289 that recurs every day."; 1290 } 1292 /* 1293 * Groupings 1294 */ 1296 grouping ipv4-prefix { 1297 description 1298 "The list of IPv4 addresses."; 1299 leaf ipv4 { 1300 type inet:ipv4-address-no-zone; 1301 description 1302 "The value of IPv4 address."; 1303 } 1304 choice subnet { 1305 description 1306 "The subnet can be specified as a prefix length or 1307 netmask."; 1308 leaf prefix-length { 1309 type uint8 { 1310 range "0..32"; 1311 } 1312 description 1313 "The length of the subnet prefix."; 1314 } 1315 leaf netmask { 1316 type yang:dotted-quad; 1317 description 1318 "The subnet specified as a netmask."; 1319 } 1320 } 1321 reference 1322 "RFC 791: Internet Protocol - IPv4 address 1323 RFC 8344: A YANG Data Model for IP Management"; 1324 } 1326 grouping ipv6-prefix { 1327 description 1328 "The list of IPv6 addresses."; 1329 leaf ipv6 { 1330 type inet:ipv6-address-no-zone; 1331 description 1332 "The value of IPv6 address."; 1333 } 1334 leaf prefix-length { 1335 type uint8 { 1336 range "0..128"; 1337 } 1338 description 1339 "The length of the subnet prefix."; 1340 } 1341 reference 1342 "RFC 8200: Internet Protocol, Version 6 (IPv6) 1343 Specification - IPv6 address 1344 RFC 8344: A YANG Data Model for IP Management"; 1345 } 1347 grouping ipv4-range { 1348 description 1349 "Range match for the IPv4 addresses. If only one value is 1350 needed, then set both start and end to the same value. 
1351 The end IPv4 address MUST be equal or greater than the 1352 start IPv4 address."; 1353 leaf start { 1354 type inet:ipv4-address-no-zone; 1355 description 1356 "Starting IPv4 address for a range match."; 1357 } 1358 leaf end { 1359 type inet:ipv4-address-no-zone; 1360 description 1361 "Ending IPv4 address for a range match."; 1362 } 1363 reference 1364 "RFC 791: Internet Protocol - IPv4 address"; 1365 } 1367 grouping ipv6-range { 1368 description 1369 "Range match for the IPv6 addresses. If only one value is 1370 needed, then set both start and end to the same value. 1371 The end IPv6 address number MUST be equal to or greater than 1372 the start IPv6 address."; 1373 leaf start { 1374 type inet:ipv6-address-no-zone; 1375 description 1376 "Starting IPv6 address for a range match."; 1377 } 1379 leaf end { 1380 type inet:ipv6-address-no-zone; 1381 description 1382 "Ending IPv6 address for a range match."; 1383 } 1384 reference 1385 "RFC 8200: Internet Protocol, Version 6 (IPv6) 1386 Specification - IPv6 address"; 1387 } 1389 grouping ipv4-address { 1390 description 1391 "Grouping for IPv4 address. IPv4 address can be in the form of 1392 prefix or range."; 1393 choice match-type { 1394 description 1395 "Choose between Prefix or Range"; 1396 case prefix { 1397 list ipv4-prefix { 1398 key "ipv4"; 1399 uses ipv4-prefix; 1400 description 1401 "The list of IPv4 addresses specified with an 1402 IPv4 address and a prefix-length or 1403 a netmask."; 1404 } 1405 } 1406 case range { 1407 list ipv4-range { 1408 key "start end"; 1409 uses ipv4-range; 1410 description 1411 "The list of IPv4 address specified with a 1412 start IPv4 address and an end IPv4 address. 1413 If only one value is needed, then set both 1414 start and end to the same value."; 1415 } 1416 } 1417 } 1418 } 1420 grouping ipv6-address { 1421 description 1422 "Grouping for IPv6 address. 
IPv6 address can be in the form of 1423 prefix or range."; 1424 choice match-type { 1425 description 1426 "Choose between Prefix or Range"; 1427 case prefix { 1428 list ipv6-prefix { 1429 key "ipv6"; 1430 uses ipv6-prefix; 1431 description 1432 "The list of IPv6 addresses specified with an 1433 IPv6 address and a prefix-length."; 1434 } 1435 } 1436 case range { 1437 list ipv6-range { 1438 key "start end"; 1439 uses ipv6-range; 1440 description 1441 "The list of IPv6 address specified with a 1442 start IPv6 address and an end IPv6 address. 1443 If only one value is needed, then set both 1444 start and end to the same value."; 1445 } 1446 } 1447 } 1448 } 1450 grouping port-range { 1451 leaf start { 1452 type inet:port-number; 1453 description 1454 "Starting port number for a range match."; 1455 } 1456 leaf end { 1457 type inet:port-number; 1458 must '. >= ../start' { 1459 error-message 1460 "The end port number MUST be equal to or greater than the 1461 start port number."; 1462 } 1463 description 1464 "Ending port number for a range match."; 1465 } 1466 description 1467 "Range match for the port numbers. If only one value is needed, 1468 then set both start and end to the same value."; 1469 reference 1470 "RFC 793: Transmission Control Protocol - Port number 1471 RFC 768: User Datagram Protocol - Port Number 1472 RFC 4960: Stream Control Transmission Protocol - Port number 1473 RFC 4340: Datagram Congestion Control Protocol (DCCP) 1474 - Port number"; 1475 } 1477 /* 1478 * Data nodes 1479 */ 1481 list i2nsf-security-policy { 1483 key "system-policy-name"; 1485 description 1486 "Container for security policy 1487 including a set of security rules according to certain logic, 1488 i.e., their similarity or mutual relations, etc. The network 1489 security policy can be applied to both the unidirectional 1490 and bidirectional traffic across the NSF. 
1491 The I2NSF security policies use the Event-Condition-Action 1492 (ECA) policy model "; 1494 reference 1495 "RFC 8329: Framework for Interface to Network Security 1496 Functions - I2NSF Flow Security Policy Structure 1497 draft-ietf-i2nsf-capability-data-model-17: 1498 I2NSF Capability YANG Data Model - Design Principles and 1499 ECA Policy Model Overview"; 1501 leaf system-policy-name { 1502 type string; 1503 description 1504 "The name of the policy. 1505 This must be unique."; 1506 } 1507 leaf priority-usage { 1508 type identityref { 1509 base priority-usage; 1510 } 1511 default priority-by-order; 1512 description 1513 "Priority usage type for security policy rule: 1514 priority by order and priority by number"; 1515 } 1517 leaf resolution-strategy { 1518 type identityref { 1519 base resolution-strategy; 1520 } 1521 default fmr; 1522 description 1523 "The resolution strategies that can be used to 1524 specify how to resolve conflicts that occur between 1525 actions of the same or different policy rules that 1526 are matched and contained in this particular NSF"; 1528 reference 1529 "draft-ietf-i2nsf-capability-data-model-17: 1530 I2NSF Capability YANG Data Model - Resolution strategy"; 1531 } 1533 leaf default-action { 1534 type identityref { 1535 base default-action; 1536 } 1537 default mirror; 1538 description 1539 "This default action can be used to specify a predefined 1540 action when no other alternative action was matched 1541 by the currently executing I2NSF Policy Rule. 
           An analogy
           is the use of a default statement in a C switch statement.";
        reference
          "draft-ietf-i2nsf-capability-data-model-17:
           I2NSF Capability YANG Data Model - Default Action";
      }

      list rules {
        key "rule-name";
        description
          "This is a rule for network security functions.";

        leaf rule-name {
          type string;
          description
            "The name of the rule.";
        }

        leaf rule-description {
          type string;
          description
            "This description gives more information about
             the rule.";
        }

        leaf rule-priority {
          type uint8 {
            range "1..255";
          }
          description
            "The priority of the rule, a numeric value from 1 to 255.
             Note that a higher number means a higher priority.";
        }

        leaf rule-enable {
          type boolean;
          description
            "True enables the rule; false disables it.";
        }

        leaf session-aging-time {
          type uint16;
          units "second";
          description
            "The session aging time in seconds.";
        }

        container long-connection {
          description
            "A container for long connection. A long connection is a
             connection that is maintained after the socket connection
             is established, regardless of whether it is used for data
             traffic or not.";

          leaf enable {
            type boolean;
            description
              "True enables long connection; false disables it.";
          }
          leaf duration {
            type uint16;
            units "second";
            description
              "The duration of the long connection in seconds.";
          }
        }

        container event {
          description
            "An event is defined as any important
             occurrence in time of a change in the system being
             managed, and/or in the environment of the system being
             managed. When used in the context of policy rules for
             a flow-based NSF, it is used to determine whether the
             Condition clause of the Policy Rule can be evaluated
             or not.
Examples of an I2NSF event include time and 1620 user actions (e.g., logon, logoff, and actions that 1621 violate any ACL.)."; 1623 reference 1624 "RFC 8329: Framework for Interface to Network Security 1625 Functions - I2NSF Flow Security Policy Structure 1626 draft-ietf-i2nsf-capability-data-model-17: 1627 I2NSF Capability YANG Data Model - Design Principles and 1628 ECA Policy Model Overview 1629 draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF 1630 NSF Monitoring YANG Data Model - Alarms, Events, Logs, 1631 and Counters"; 1633 leaf event-clause-description { 1634 type string; 1635 description 1636 "Description for an event clause"; 1637 } 1639 container time { 1640 description 1641 "Time to determine when the policy should be applied"; 1642 leaf start-date-time { 1643 type yang:date-and-time; 1644 description 1645 "This is the start date and time for a security policy 1646 rule."; 1647 } 1649 leaf end-date-time { 1650 type yang:date-and-time; 1651 description 1652 "This is the end date and time for a policy rule. The 1653 policy rule will stop working after the specified 1654 end-date-time."; 1655 } 1657 container period { 1658 when 1659 "../frequency!='only-once'"; 1660 description 1661 "This represents the repetition time. In the case 1662 where the frequency is weekly, the days can be set."; 1663 leaf start-time { 1664 type time; 1665 description 1666 "This is a period's start time for an event."; 1667 } 1668 leaf end-time { 1669 type time; 1670 description 1671 "This is a period's end time for an event."; 1672 } 1673 leaf-list day { 1674 when 1675 "../../frequency='weekly'"; 1676 type identityref{ 1677 base day; 1678 } 1679 min-elements 1; 1680 description 1681 "This represents the repeated day of every week 1682 (e.g., Monday and Tuesday). 
                 More than one day can be specified.";
            }
            leaf-list date {
              when "../../frequency='monthly'";
              type int32 {
                range "1..31";
              }
              min-elements 1;
              description
                "This represents the repeated date of every month.
                 More than one date can be specified.";
            }
            leaf-list month {
              when "../../frequency='yearly'";
              type string {
                pattern '\d{2}-\d{2}';
              }
              min-elements 1;
              description
                "This represents the repeated date and month of every
                 year. More than one can be specified. The pattern
                 used here is month and day (MM-DD).";
            }
          }

          leaf frequency {
            type enumeration {
              enum only-once {
                description
                  "This represents that the rule is immediately
                   enforced only once and not repeated. The policy
                   will continuously be active from the
                   start-date-time to the end-date-time.";
              }
              enum daily {
                description
                  "This represents that the rule is enforced on a
                   daily basis. The policy will be repeated
                   daily until the end-date-time.";
              }
              enum weekly {
                description
                  "This represents that the rule is enforced on a
                   weekly basis. The policy will be repeated weekly
                   until the end-date-time. The repeated days can be
                   specified.";
              }
              enum monthly {
                description
                  "This represents that the rule is enforced on a
                   monthly basis. The policy will be repeated monthly
                   until the end-date-time.";
              }
              enum yearly {
                description
                  "This represents that the rule is enforced on
                   a yearly basis.
The policy will be repeated 1743 yearly until the end-date."; 1744 } 1745 } 1746 default only-once; 1747 description 1748 "This represents how frequently the rule 1749 should be enforced."; 1750 } 1751 } 1753 container event-clauses { 1754 description 1755 "System Event Clause - either a system event or 1756 system alarm"; 1757 reference 1758 "RFC 8329: Framework for Interface to Network Security 1759 Functions - I2NSF Flow Security Policy Structure 1760 draft-ietf-i2nsf-capability-data-model-17: 1761 I2NSF Capability YANG Data Model - Design Principles and 1762 ECA Policy Model Overview 1763 draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF 1764 NSF Monitoring YANG Data Model - Alarms, Events, Logs, 1765 and Counters"; 1767 leaf-list system-event { 1768 type identityref { 1769 base system-event; 1770 } 1771 description 1772 "The security policy rule according to 1773 system events."; 1774 } 1776 leaf-list system-alarm { 1777 type identityref { 1778 base system-alarm; 1779 } 1780 description 1781 "The security policy rule according to 1782 system alarms."; 1783 } 1784 } 1785 } 1787 container condition { 1788 description 1789 "A condition is defined as a set 1790 of attributes, features, and/or values that are to be 1791 compared with a set of known attributes, features, 1792 and/or values in order to determine whether or not the 1793 set of Actions in that (imperative) I2NSF Policy Rule 1794 can be executed or not. 
             Examples of I2NSF Conditions
             include matching attributes of a packet or flow, and
             comparing the internal state of an NSF to a desired
             state.";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - I2NSF Flow Security Policy Structure
             draft-ietf-i2nsf-capability-data-model-17:
             I2NSF Capability YANG Data Model - Design Principles and
             ECA Policy Model Overview";

          leaf condition-clause-description {
            type string;
            description
              "Description for a condition clause.";
          }

          container ethernet {
            description
              "The purpose of this container is to represent layer 2
               packet header information to determine whether the set
               of policy actions in this ECA policy rule should be
               executed or not.";
            reference
              "IEEE 802.3: IEEE Standard for Ethernet";

            leaf ethernet-description {
              type string;
              description
                "The MAC condition description.";
            }

            leaf-list source-address {
              type yang:mac-address;
              description
                "The condition for source Media Access Control (MAC)
                 Address of a Layer 2 packet. Multiple source MAC
                 Addresses can be given in a single rule.";
              reference
                "IEEE 802.3: IEEE Standard for Ethernet";
            }

            leaf-list destination-address {
              type yang:mac-address;
              description
                "The condition for destination Media Access Control
                 (MAC) Address of a Layer 2 packet. Multiple
                 destination MAC Addresses can be given in a
                 single rule.";
              reference
                "IEEE 802.3: IEEE Standard for Ethernet";
            }

            leaf-list ether-type {
              type uint16;
              description
                "The condition for matching the 2-octet IEEE 802.3
                 Length/Type field.
Can be specified with decimal or 1852 hexadecimal from 0 through 65535 (0xFFFF) 1854 A value from 0 through 1500 (0x05DC) specifies the 1855 number of MAC client data octets contained in the 1856 subsequent MAC Client Data Field of the basic frame 1858 A value greater than or equal to 1536 (0x0600) 1859 specifies that the Length/Type field indicates 1860 Ethertype of the MAC client protocol"; 1861 reference 1862 "IEEE 802.3: IEEE Standard for Ethernet"; 1863 } 1864 } 1866 container ipv4 { 1867 description 1868 "The purpose of this container is to represent IPv4 1869 packet header information to determine if the set 1870 of policy actions in this ECA policy rule should be 1871 executed or not."; 1872 reference 1873 "RFC 791: Internet Protocol"; 1875 leaf description { 1876 type string; 1877 description 1878 "ipv4 condition textual description."; 1879 } 1881 list header-length { 1882 key "start end"; 1883 leaf start{ 1884 type uint8 { 1885 range "5..15"; 1886 } 1887 description 1888 "Starting IPv4 header length for a range match."; 1889 } 1891 leaf end { 1892 type uint8 { 1893 range "5..15"; 1894 } 1895 must '. >= ../start' { 1896 error-message 1897 "The end header length MUST be equal to or greater 1898 than the start header length."; 1899 } 1900 description 1901 "Ending IPv4 header length for a range match."; 1902 } 1903 description 1904 "The security policy rule according to 1905 IPv4 header length. 
If only one value is needed, then 1906 set both start and end to the same value."; 1907 reference 1908 "RFC 791: Internet Protocol - Header length"; 1909 } 1911 leaf-list dscp { 1912 type inet:dscp; 1913 description 1914 "The security policy rule according to 1915 IPv4 type of service for DSCP."; 1916 reference 1917 "RFC 791: Internet Protocol - Type of service 1918 RFC 2474: Definition of the Differentiated 1919 Services Field (DS Field) in the IPv4 and 1920 IPv6 Headers."; 1921 } 1923 list total-length { 1924 key "start end"; 1925 leaf start { 1926 type uint16; 1927 description 1928 "Starting IPv4 total length for a range match."; 1929 } 1930 leaf end { 1931 type uint16; 1932 must '. >= ../start' { 1933 error-message 1934 "The end total length MUST be equal to or greater 1935 than the start total length."; 1936 } 1937 description 1938 "Ending IPv4 total length for a range match."; 1939 } 1940 description 1941 "The security policy rule according to 1942 IPv4 total length. If only one value is needed, then 1943 set both start and end to the same value."; 1944 reference 1945 "RFC 791: Internet Protocol - Total length"; 1946 } 1948 leaf-list identification { 1949 type uint16; 1950 description 1951 "The security policy rule according to 1952 IPv4 identification."; 1953 reference 1954 "RFC 791: Internet Protocol - Identification"; 1955 } 1957 leaf-list fragment-flags { 1958 type identityref { 1959 base fragmentation-flags; 1960 } 1961 description 1962 "The security policy rule according to 1963 IPv4 fragment flags."; 1964 reference 1965 "RFC 791: Internet Protocol - Fragment flags"; 1966 } 1968 list fragment-offset { 1969 key "start end"; 1970 leaf start { 1971 type uint16 { 1972 range "0..16383"; 1973 } 1974 description 1975 "Starting IPv4 fragment offset for a range match."; 1976 } 1977 leaf end { 1978 type uint16 { 1979 range "0..16383"; 1980 } 1981 must '. 
>= ../start' { 1982 error-message 1983 "The end fragment offset MUST be equal or greater 1984 than the start fragment offset."; 1985 } 1986 description 1987 "Ending IPv4 fragment offset for a range match."; 1989 } 1990 description 1991 "The security policy rule according to 1992 IPv4 fragment offset."; 1993 reference 1994 "RFC 791: Internet Protocol - Fragment offset"; 1995 } 1997 list ttl { 1998 key "start end"; 1999 leaf start { 2000 type uint8; 2001 description 2002 "Starting IPv4 TTL for a range match."; 2003 } 2004 leaf end { 2005 type uint8; 2006 must '. >= ../start' { 2007 error-message 2008 "The end TTL MUST be equal or greater than 2009 the start TTL."; 2010 } 2011 description 2012 "Ending IPv4 TTL for a range match."; 2013 } 2014 description 2015 "The security policy rule according to 2016 IPv4 time-to-live (TTL). If only one value is needed, 2017 then set both start and end to the same value."; 2018 reference 2019 "RFC 791: Internet Protocol - Time to live"; 2020 } 2022 leaf-list protocol { 2023 type uint8; 2024 description 2025 "The security policy rule according to 2026 IPv4 protocol header field."; 2027 reference 2028 "RFC 791: Internet Protocol - Protocol 2029 IANA: Assigned Internet Protocol Numbers"; 2030 } 2032 container source-address { 2033 uses ipv4-address; 2034 description 2035 "The security policy rule according to 2036 IPv4 source address."; 2038 reference 2039 "RFC 791: Internet Protocol - IPv4 Address"; 2040 } 2042 container destination-address { 2043 uses ipv4-address; 2044 description 2045 "The security policy rule according to 2046 IPv4 destination address."; 2047 reference 2048 "RFC 791: Internet Protocol - IPv4 Address"; 2049 } 2051 leaf-list ipopts { 2052 type identityref { 2053 base ipopts; 2054 } 2055 description 2056 "The security policy rule according to 2057 IPv4 options."; 2058 reference 2059 "RFC 791: Internet Protocol - Options"; 2060 } 2061 } 2063 container ipv6 { 2064 description 2065 "The purpose of this container is to 
represent IPv6 packet header information to determine
             if the set of policy actions in this ECA policy
             rule should be executed or not.";
          reference
            "RFC 8200: Internet Protocol, Version 6 (IPv6)
             Specification";

          leaf description {
            type string;
            description
              "Description of the ipv6 condition.";
          }

          leaf-list dscp {
            type inet:dscp;
            description
              "The security policy rule according to
               IPv6 traffic class for DSCP.";
            reference
              "RFC 8200: Internet Protocol, Version 6 (IPv6)
               Specification - Traffic class
               RFC 2474: Definition of the Differentiated
               Services Field (DS Field) in the IPv4 and
               IPv6 Headers.";
          }

          list flow-label {
            key "start end";
            leaf start {
              type inet:ipv6-flow-label;
              description
                "Starting IPv6 flow label for a range match.";
            }
            leaf end {
              type inet:ipv6-flow-label;
              must '. >= ../start' {
                error-message
                  "The end flow label MUST be greater than or
                   equal to the start flow label.";
              }
              description
                "Ending IPv6 flow label for a range match.";
            }
            description
              "The security policy rule according to
               IPv6 flow label.  If only one value is needed,
               then set both start and end to the same value.";
            reference
              "RFC 8200: Internet Protocol, Version 6 (IPv6)
               Specification - Flow label";
          }

          list payload-length {
            key "start end";
            leaf start {
              type uint16;
              description
                "Starting IPv6 payload length for a range match.";
            }
            leaf end {
              type uint16;
              must '. >= ../start' {
                error-message
                  "The end payload length MUST be greater than or
                   equal to the start payload length.";
              }
              description
                "Ending IPv6 payload length for a range match.";
            }
            description
              "The security policy rule according to
               IPv6 payload length.  If only one value is needed,
               then set both start and end to the same value.";
            reference
              "RFC 8200: Internet Protocol, Version 6 (IPv6)
               Specification - Payload length";
          }

          leaf-list next-header {
            type uint8;
            description
              "The security policy rule according to
               IPv6 next header.";
            reference
              "RFC 8200: Internet Protocol, Version 6 (IPv6)
               Specification - Next header
               IANA: Assigned Internet Protocol Numbers";
          }

          list hop-limit {
            key "start end";
            leaf start {
              type uint8;
              description
                "Starting IPv6 hop limit for a range match.";
            }
            leaf end {
              type uint8;
              must '. >= ../start' {
                error-message
                  "The end hop limit MUST be greater than or
                   equal to the start hop limit.";
              }
              description
                "Ending IPv6 hop limit for a range match.";
            }
            description
              "The security policy rule according to
               IPv6 hop limit.  If only one value is needed,
               then set both start and end to the same value.";
            reference
              "RFC 8200: Internet Protocol, Version 6 (IPv6)
               Specification - Hop limit";
          }

          container source-address {
            uses ipv6-address;
            description
              "The security policy rule according to
               IPv6 source address.";
            reference
              "RFC 8200: Internet Protocol, Version 6 (IPv6)
               Specification - IPv6 address";
          }

          container destination-address {
            uses ipv6-address;
            description
              "The security policy rule according to
               IPv6 destination address.";
            reference
              "RFC 8200: Internet Protocol, Version 6 (IPv6)
               Specification - IPv6 address";
          }
        }

        container tcp {
          description
            "The purpose of this container is to represent
             TCP packet header information to determine
             if the set of policy actions in this ECA policy
             rule should be executed or not.";
          reference
            "RFC 793: Transmission Control Protocol";

          leaf description {
            type string;
            description
              "Description of the tcp condition.";
          }

          list source-port-number {
            key "start end";
            uses port-range;
            description
              "The security policy rule according to
               tcp source port number.";
            reference
              "RFC 793: Transmission Control Protocol
               - Port number";
          }

          list destination-port-number {
            key "start end";
            uses port-range;
            description
              "The security policy rule according to
               tcp destination port number.";
            reference
              "RFC 793: Transmission Control Protocol
               - Port number";
          }

          leaf-list flags {
            type identityref {
              base tcp-flags;
            }
            description
              "The security policy rule according to
               tcp flags.";
            reference
              "RFC 793: Transmission Control Protocol
               - Flags";
          }
        }

        container udp {
          description
            "The purpose of this container is to represent
             UDP packet header information to determine
             if the set of policy actions in this ECA policy
             rule should be executed or not.";
          reference
            "RFC 768: User Datagram Protocol";

          leaf description {
            type string;
            description
              "Description of the udp condition.";
          }

          container source-port-number {
            uses port-range;
            description
              "The security policy rule according to
               udp source port number.";
            reference
              "RFC 768: User Datagram Protocol - Port Number";
          }

          container destination-port-number {
            uses port-range;
            description
              "The security policy rule according to
               udp destination port number.";
            reference
              "RFC 768: User Datagram Protocol - Port Number";
          }

          list total-length {
            key "start end";
            leaf start {
              type uint16;
              description
                "Starting udp total length for a range match.
                 The UDP Length field is 16 bits wide.";
            }
            leaf end {
              type uint16;
              must '. >= ../start' {
                error-message
                  "The end total length MUST be greater than or
                   equal to the start total length.";
              }
              description
                "Ending udp total length for a range match.";
            }
            description
              "The security policy rule according to
               udp total length.  If only one value is needed,
               then set both start and end to the same value.";
            reference
              "RFC 768: User Datagram Protocol - Length";
          }
        }

        container sctp {
          description
            "The purpose of this container is to represent
             SCTP packet header information to determine
             if the set of policy actions in this ECA policy
             rule should be executed or not.";
          reference
            "RFC 4960: Stream Control Transmission Protocol";

          leaf description {
            type string;
            description
              "Description of the sctp condition.";
          }

          container source-port-number {
            uses port-range;
            description
              "The security policy rule according to
               sctp source port number.";
            reference
              "RFC 4960: Stream Control Transmission Protocol
               - Port number";
          }

          container destination-port-number {
            uses port-range;
            description
              "The security policy rule according to
               sctp destination port number.";
            reference
              "RFC 4960: Stream Control Transmission Protocol
               - Port number";
          }

          leaf-list verification-tag {
            type uint32;
            description
              "The security policy rule according to
               sctp verification tag.";
            reference
              "RFC 4960: Stream Control Transmission Protocol
               - Verification Tag";
          }

          leaf-list chunk-type {
            type uint8;
            description
              "The security policy rule according to
               sctp chunk type ID value.";
            reference
              "RFC 4960: Stream Control Transmission Protocol
               - Chunk Type";
          }
        }

        container dccp {
          description
            "The purpose of this container is to represent
             DCCP packet header information to determine
             if the set of policy actions in this ECA policy
             rule should be executed or
             not.";
          reference
            "RFC 4340: Datagram Congestion Control Protocol (DCCP)";

          leaf description {
            type string;
            description
              "Description of the dccp condition.";
          }

          container source-port-number {
            uses port-range;
            description
              "The security policy rule according to
               dccp source port number.";
            reference
              "RFC 4340: Datagram Congestion Control Protocol (DCCP)
               - Port number";
          }

          container destination-port-number {
            uses port-range;
            description
              "The security policy rule according to
               dccp destination port number.";
            reference
              "RFC 4340: Datagram Congestion Control Protocol (DCCP)
               - Port number";
          }

          leaf-list service-code {
            type uint32;
            description
              "The security policy rule according to
               dccp service code.";
            reference
              "RFC 4340: Datagram Congestion Control Protocol (DCCP)
               - Service Codes
               RFC 5595: The Datagram Congestion Control Protocol
               (DCCP) Service Codes
               RFC 6335: Internet Assigned Numbers Authority (IANA)
               Procedures for the Management of the Service
               Name and Transport Protocol Port Number
               Registry - Service Code";
          }
        }

        list icmp {
          key "version";
          description
            "The purpose of this list is to represent
             ICMP packet header information to determine
             if the set of policy actions in this ECA policy
             rule should be executed or not.";
          reference
            "RFC 792: Internet Control Message Protocol
             RFC 8335: PROBE: A Utility for Probing Interfaces";

          leaf description {
            type string;
            description
              "Description of the icmp condition.";
          }

          leaf version {
            type enumeration {
              enum icmpv4 {
                value "1";
                description
                  "The ICMPv4 Protocol as defined in RFC 792";
              }
              enum icmpv6 {
                value "2";
                description
                  "The ICMPv6 Protocol as defined in RFC 4443";
              }
            }
            description
              "The ICMP version to be matched.  This value
               determines how the type and code values are
               interpreted.";
            reference
              "RFC 792: Internet Control Message Protocol
               RFC 4443: Internet Control Message Protocol (ICMPv6)
               for the Internet Protocol Version 6 (IPv6)
               Specification";
          }

          leaf-list type {
            type uint8;
            description
              "The security policy rule according to
               ICMPv4 or ICMPv6 type header field.

               The value of this leaf-list is interpreted
               according to the value of the leaf version.

               If the version value is icmpv4, the type follows
               the IANA ICMP Parameters.

               If the version value is icmpv6, the type follows
               the IANA ICMPv6 Parameters.";
            reference
              "RFC 792: Internet Control Message Protocol
               RFC 4443: Internet Control Message Protocol (ICMPv6)
               for the Internet Protocol Version 6 (IPv6)
               Specification
               RFC 8335: PROBE: A Utility for Probing Interfaces
               IANA: Internet Control Message Protocol (ICMP)
               Parameters
               IANA: Internet Control Message Protocol version 6
               (ICMPv6) Parameters";
          }

          leaf-list code {
            type uint8;
            description
              "The security policy rule according to
               ICMPv4 or ICMPv6 code header field.

               The value of this leaf-list is interpreted
               according to the value of the leaf version.

               If the version value is icmpv4, the code follows
               the IANA ICMP Parameters.

               If the version value is icmpv6, the code follows
               the IANA ICMPv6 Parameters.";
            reference
              "RFC 792: Internet Control Message Protocol
               RFC 4443: Internet Control Message Protocol (ICMPv6)
               for the Internet Protocol Version 6 (IPv6)
               Specification
               RFC 8335: PROBE: A Utility for Probing Interfaces
               IANA: Internet Control Message Protocol (ICMP)
               Parameters
               IANA: Internet Control Message Protocol version 6
               (ICMPv6) Parameters";
          }
        }

        container url-category {
          description
            "Condition for URL category";
          leaf description {
            type string;
            description
              "Description of the condition on a URL's
               category such as SNS sites, game sites, ecommerce
               sites, company sites, and university sites.";
          }
          leaf-list pre-defined-category {
            type string;
            description
              "A pre-defined URL category.";
          }
          leaf-list user-defined-category {
            type string;
            description
              "A user-defined URL category.";
          }
        }

        container voice {
          description
            "A VoIP/VoLTE security system can monitor each
             VoIP/VoLTE flow and manage VoIP/VoLTE security
             rules controlled by a centralized server for the
             VoIP/VoLTE security service (called VoIP IPS).
             The VoIP/VoLTE security system controls each
             switch for VoIP/VoLTE call flow management by
             manipulating the rules, which can be added,
             deleted, or modified dynamically.";
          reference
            "RFC 3261: SIP: Session Initiation Protocol";

          leaf description {
            type string;
            description
              "Description of the voice condition.";
          }

          leaf-list source-voice-id {
            type string;
            description
              "The security policy rule according to
               a source voice ID for VoIP and VoLTE.";
          }

          leaf-list destination-voice-id {
            type string;
            description
              "The security policy rule according to
               a destination voice ID for VoIP and VoLTE.";
          }

          leaf-list user-agent {
            type string;
            description
              "The security policy rule according to
               a user agent for VoIP and VoLTE.";
          }
        }

        container ddos {
          description
            "Condition for DDoS attack.";

          leaf description {
            type string;
            description
              "Description of the ddos condition.";
          }

          leaf alert-packet-rate {
            type uint32;
            units "pps";
            description
              "The alert rate of flood detection in
               packets per second (pps) for an IP address.";
          }

          leaf alert-flow-rate {
            type uint32;
            description
              "The alert rate of flood detection in
               flows per second for an IP address.";
          }

          leaf alert-byte-rate {
            type uint32;
            units "Bps";
            description
              "The alert rate of flood detection in
               bytes per second (Bps) for an IP address.";
          }
        }

        container anti-virus {
          description
            "Condition for antivirus";

          leaf-list profile {
            type string;
            description
              "The security profile for antivirus.  The profile
               selects what is scanned for viruses and can be
               updated to improve detection.";
          }

          leaf-list exception-files {
            type string;
            description
              "The type or name of the files to be excluded by the
               anti-virus.  This can be used to keep known
               harmless files.";
          }
        }

        container payload {
          description
            "Condition for packet payload";
          leaf packet-payload-description {
            type string;
            description
              "Description of the payload condition.";
          }
          leaf-list payload-content {
            type string;
            description
              "A condition on the packet payload content.";
          }
        }

        container context {
          description
            "Condition for context";
          leaf context-description {
            type string;
            description
              "Description of the context condition.";
          }

          container application {
            description
              "Condition for application";
            leaf description {
              type string;
              description
                "Description of the application condition.";
            }
            leaf-list object {
              type string;
              description
                "An application object.";
            }
            leaf-list group {
              type string;
              description
                "An application group.";
            }
            leaf-list label {
              type string;
              description
                "An application label.";
            }
            container category {
              description
                "Application category";
              list application-category {
                key "name subcategory";
                description
                  "List of application categories";

                leaf name {
                  type string;
                  description
                    "The name of the application category.";
                }
                leaf subcategory {
                  type string;
                  description
                    "The application subcategory.";
                }
              }
            }
          }

          container target {
            description
              "Condition for target";
            leaf description {
              type string;
              description
                "Description of the target condition.
                 Vendors can write instructions for the target
                 condition that the vendor made.";
            }

            leaf-list device {
              type identityref {
                base target-device;
              }
              description
                "The device attribute that can identify a device,
                 including the device type (e.g., router, switch,
                 pc, ios, or android) and the device's owner as
                 well.";
            }
          }

          container users {
            description
              "Condition for users";
            leaf users-description {
              type string;
              description
                "Description of the users condition.";
            }
            list user {
              key "user-id";
              description
                "The user with which the traffic flow is associated
                 can be identified by either a user id or user name.
                 The user-to-IP address mapping is assumed to be
                 provided by the unified user management system via
                 the network.";
              leaf user-id {
                type uint32;
                description
                  "The ID of the user.";
              }
              leaf user-name {
                type string;
                description
                  "The name of the user.";
              }
            }
            list group {
              key "group-id";
              description
                "The user group with which the traffic flow is
                 associated can be identified by either a group id
                 or group name.  The group-to-IP address and
                 user-to-group mappings are assumed to be provided by
                 the unified user management system via the
                 network.";
              leaf group-id {
                type uint32;
                description
                  "The ID of the group.";
              }
              leaf group-name {
                type string;
                description
                  "The name of the group.";
              }
            }

            leaf security-group {
              type string;
              description
                "The name of the security group.";
            }
          }

          container geography-location {
            description
              "The location with which the network traffic flow is
               associated.  The region can be the geographical
               location such as country, province, and city,
               as well as the logical network location such as
               IP address, network section, and network domain.";

            leaf description {
              type string;
              description
                "Description of the geography location condition.
                 Vendors can write instructions for the geography
                 location condition that the vendor made.";
            }

            leaf-list source {
              type string;
              description
                "The src-geography-location is a geographical
                 location mapped into an IP address.  It matches the
                 mapped IP address to the source IP address of the
                 traffic flow.";
              reference
                "ISO 3166: Codes for the representation of
                 names of countries and their subdivisions";
            }

            leaf-list destination {
              type string;
              description
                "The dest-geography-location is a geographical
                 location mapped into an IP address.  It matches the
                 mapped IP address to the destination IP address of
                 the traffic flow.";
              reference
                "ISO 3166: Codes for the representation of
                 names of countries and their subdivisions";
            }
          }
        }
      }

      container action {
        description
          "An action is used to control and monitor aspects of
           flow-based NSFs when the event and condition clauses
           are satisfied.  NSFs provide security functions by
           executing various Actions.
           Examples of I2NSF Actions
           include providing intrusion detection and/or protection,
           web and flow filtering, and deep packet inspection
           for packets and flows.";
        reference
          "RFC 8329: Framework for Interface to Network Security
           Functions - I2NSF Flow Security Policy Structure
           draft-ietf-i2nsf-capability-data-model-17:
           I2NSF Capability YANG Data Model - Design Principles and
           ECA Policy Model Overview";

        leaf action-clause-description {
          type string;
          description
            "Description for an action clause.";
        }

        container packet-action {
          description
            "Action for packets";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - I2NSF Flow Security Policy Structure
             draft-ietf-i2nsf-capability-data-model-17:
             I2NSF Capability YANG Data Model - Design Principles and
             ECA Policy Model Overview";

          leaf ingress-action {
            type identityref {
              base ingress-action;
            }
            description
              "Ingress action: pass, drop, rate-limit, and
               mirror.";
          }

          leaf egress-action {
            type identityref {
              base egress-action;
            }
            description
              "Egress action: pass, drop, rate-limit, mirror,
               invoke-signaling, tunnel-encapsulation, forwarding,
               and redirection.";
          }

          leaf log-action {
            type identityref {
              base log-action;
            }
            description
              "Log action: rule log and session log";
          }
        }

        container flow-action {
          description
            "Action for flows";
          reference
            "RFC 8329: Framework for Interface to Network Security
             Functions - I2NSF Flow Security Policy Structure
             draft-ietf-i2nsf-capability-data-model-17:
             I2NSF Capability YANG Data Model - Design Principles and
             ECA Policy Model Overview";

          leaf ingress-action {
            type identityref {
              base ingress-action;
            }
            description
              "Ingress action: pass, drop, rate-limit, and
               mirror.";
          }

          leaf egress-action {
            type identityref {
              base egress-action;
            }
            description
              "Egress action: pass, drop, rate-limit, mirror,
               invoke-signaling, tunnel-encapsulation, forwarding,
               and redirection.";
          }

          leaf log-action {
            type identityref {
              base log-action;
            }
            description
              "Log action: rule log and session log";
          }
        }

        container advanced-action {
          description
            "If the packet needs to be additionally inspected,
             the packet is passed to advanced network
             security functions according to the profile.
             The profile means the types of NSFs to which the
             packet will be forwarded in order to additionally
             inspect the packet.
             The advanced action activates Service Function
             Chaining (SFC) for further inspection of a packet.";
          reference
            "draft-ietf-i2nsf-capability-data-model-17:
             I2NSF Capability YANG Data Model - YANG Tree
             Diagram";

          leaf-list content-security-control {
            type identityref {
              base content-security-control;
            }
            description
              "Content-security-control is the NSFs that
               inspect the payload of the packet.
               The profile for the types of NSFs for mitigation is
               divided into content security control and
               attack-mitigation-control.
               Content security control: ips, url filtering,
               anti-virus, and voip-volte-filter.  This can be
               extended according to the provided NSFs.";
            reference
              "draft-ietf-i2nsf-capability-data-model-17:
               I2NSF Capability YANG Data Model - YANG Tree Diagram";
          }

          leaf-list attack-mitigation-control {
            type identityref {
              base attack-mitigation-control;
            }
            description
              "Attack-mitigation-control is the NSFs that weaken
               the attacks related to denial of service
               and reconnaissance.
               The profile for the types of NSFs for mitigation is
               divided into content security control and
               attack-mitigation-control.
               Attack mitigation control: Anti-DDoS or DDoS
               mitigator.  This can be extended according to the
               provided NSFs such as mitigators for ip sweep,
               port scanning, ping of death, teardrop, oversized
               icmp, and tracert.";
            reference
              "draft-ietf-i2nsf-capability-data-model-17:
               I2NSF Capability YANG Data Model - YANG Tree Diagram";
          }
        }
      }
    }

    container rule-group {
      description
        "Rule groups";

      list groups {
        key "group-name";
        description
          "A group of rules";

        leaf group-name {
          type string;
          description
            "The name of the rule group.";
        }

        leaf-list rule-name {
          type leafref {
            path
              "../../../rules/rule-name";
          }
          description
            "The names of the rules to be grouped.";
        }

        leaf enable {
          type boolean;
          description
            "True is enabled, and False is not enabled.";
        }

        leaf description {
          type string;
          description
            "A description for the rule group.";
        }
      }
    }
  }
}

          Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface

5.  XML Configuration Examples of Low-Level Security Policy Rules

   This section shows XML configuration examples of low-level security
   policy rules that are delivered from the Security Controller to NSFs
   over the NSF-Facing Interface.  For the security requirements, we
   assume that the NSFs (i.e., General firewall, Time-based firewall,
   URL filter, VoIP/VoLTE filter, and http and https flood mitigation)
   described in [I-D.ietf-i2nsf-capability-data-model] are registered
   in the I2NSF framework.
   With the registered NSFs, we show configuration examples for security
   policy rules of network security functions according to the
   following three security requirements: (i) Block Social Networking
   Service (SNS) access during business hours, (ii) Block malicious
   VoIP/VoLTE packets coming to the company, and (iii) Mitigate http
   and https flood attacks on the company web server.

5.1.  Security Requirement 1: Block Social Networking Service (SNS)
      Access during Business Hours

   This section shows a configuration example for blocking SNS access
   during business hours in IPv4 networks or IPv6 networks.

   [Figure 6 XML omitted: the element tags did not survive extraction.
    The surviving values are the system policy name sns_access, the
    rule name block_sns_access_during_operation_time, the recurrence
    weekly, the source IPv4 address range 192.0.2.11 to 192.0.2.90, and
    the advanced action url-filtering.]

      Figure 6: Configuration XML for Time-based Firewall to Block SNS
                 Access during Business Hours in IPv4 Networks

   [Figure 7 XML omitted: the element tags did not survive extraction.
    The surviving values are the system policy name sns_access, the
    rule name block_sns_access_during_operation_time, the recurrence
    weekly, the source IPv6 address range 2001:DB8:0:1::11 to
    2001:DB8:0:1::90, and the advanced action url-filtering.]

      Figure 7: Configuration XML for Time-based Firewall to Block SNS
                 Access during Business Hours in IPv6 Networks

   [Figure 8 XML omitted: the element tags did not survive extraction.
    The surviving values are the system policy name sns_access, the
    rule name block_sns_access_during_operation_time, the URL
    categories SNS_1 and SNS_2, and the action drop.]

        Figure 8: Configuration XML for Web Filter to Block SNS Access
                           during Business Hours

   Figure 6 (or Figure 7) and Figure 8 show the configuration XML
   documents for the time-based firewall and the web filter to block
   SNS access during business hours in IPv4 networks (or IPv6
   networks).  For the security requirement, two NSFs (i.e., a
   time-based firewall and a web filter) were used because one NSF
   cannot meet the security requirement.
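   The time-based firewall stage of this requirement, written out as an
   executable check.  This is an added example, not code from the draft
   or from any I2NSF implementation.  The rule dictionary uses the node
   names that are visible in the module above under condition and
   action (ipv6/source-address taken as a start/end pair, which the
   ipv6-address grouping is assumed to provide, and
   advanced-action/content-security-control); the event keys (start,
   end, frequency, days, time-of-day) are this example's own
   representation of the time information, since the module's
   time-information nodes are not reproduced on this page, and the
   packet dictionaries are constructed.  The range helpers enforce the
   module's `must '. >= ../start'` rule and its convention that a single
   value is written with start equal to end, so the same code also
   serves the port ranges of Sections 5.2 and 5.3.

```python
"""Time-based firewall stage for Security Requirement 1 (added example)."""
from datetime import datetime, time
import ipaddress

SNS_RULE = {  # constructed from the Figure 7 walkthrough (IPv6 variant)
    "rule-name": "block_sns_access_during_operation_time",
    "event": {  # assumption: own representation of the time information
        "start": datetime(2021, 3, 11, 9, 0),
        "end": datetime(2021, 12, 31, 18, 0),
        "frequency": "weekly",
        "days": {0, 1, 2, 3, 4},  # Monday..Friday (datetime.weekday())
        "time-of-day": (time(9, 0), time(18, 0)),
    },
    "condition": {
        "ipv6": {  # assumption: ipv6-address grouping gives a start/end pair
            "source-address": {"start": "2001:DB8:0:1::11", "end": "2001:DB8:0:1::90"},
        },
    },
    "action": {"advanced-action": {"content-security-control": ["url-filtering"]}},
}


def check_range(rng, field):
    """Mirror the module's `must '. >= ../start'` constraint on a start/end pair."""
    if rng["end"] < rng["start"]:
        raise ValueError(f"The end {field} MUST be greater than or equal to the start {field}.")
    return rng


def in_ranges(value, ranges, field):
    """True if value falls inside any start..end entry of a range list."""
    return any(check_range(r, field)["start"] <= value <= r["end"] for r in ranges)


def in_address_range(addr, rng):
    """IPv4/IPv6 range match; an address of the other family never matches."""
    a = ipaddress.ip_address(addr)
    lo, hi = ipaddress.ip_address(rng["start"]), ipaddress.ip_address(rng["end"])
    if hi < lo:
        raise ValueError("The end address MUST be greater than or equal to the start address.")
    return lo.version == a.version and lo <= a <= hi


def in_time_window(now, event):
    """Absolute validity period, then weekly day-of-week recurrence, then business hours."""
    if not event["start"] <= now <= event["end"]:
        return False
    if event.get("frequency") == "weekly" and now.weekday() not in event["days"]:
        return False
    lo, hi = event["time-of-day"]
    return lo <= now.time() <= hi


def rule_matches(rule, pkt, now):
    """Absent clauses match everything; the module marks none of these nodes mandatory."""
    if "event" in rule and not in_time_window(now, rule["event"]):
        return False
    cond = rule["condition"]
    ipv6 = cond.get("ipv6", {})
    if "source-address" in ipv6 and not in_address_range(pkt["src"], ipv6["source-address"]):
        return False
    if "hop-limit" in ipv6 and not in_ranges(pkt.get("hop-limit", 0), ipv6["hop-limit"], "hop limit"):
        return False
    tcp = cond.get("tcp", {})
    if tcp:
        if pkt.get("proto") != "tcp":
            return False
        ports = tcp.get("destination-port-number", [])
        if ports and not in_ranges(pkt["dport"], ports, "port number"):
            return False
    return True


def apply_rule(rule, pkt, now):
    """Return the NSFs the packet is handed to for further inspection, or None if the rule does not fire."""
    if not rule_matches(rule, pkt, now):
        return None
    return rule["action"]["advanced-action"]["content-security-control"]


if __name__ == "__main__":
    pkt = {"src": "2001:db8:0:1::42", "dst": "2001:db8:1::80", "proto": "tcp", "dport": 443}
    print(apply_rule(SNS_RULE, pkt, datetime(2021, 6, 15, 10, 30)))  # Tuesday, business hours
    print(apply_rule(SNS_RULE, pkt, datetime(2021, 6, 19, 10, 30)))  # Saturday
```

   The timestamps above are naive local time.  A deployed NSF has to
   evaluate business-hours windows in a pinned time zone; otherwise a
   Security Controller in one zone and an NSF in another will disagree
   about when the operation time begins.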
   The instances of XML documents for the time-based firewall and the
   web filter are as follows.  Note that a detailed data model for the
   configuration of the advanced network security function (i.e., web
   filter) can be defined as an extension in future.

   Time-based Firewall is as follows:

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_sns_access_during_operation_time.

   3.  The rule is active from 2021-03-11 at 9 a.m. to 2021-12-31 at 6
       p.m.

   4.  The rule is operated weekly on every weekday (i.e., Monday,
       Tuesday, Wednesday, Thursday, and Friday) during business hours
       (i.e., from 9 a.m. to 6 p.m.).

   5.  The rule inspects the source IPv4 address (i.e., from 192.0.2.11
       to 192.0.2.90) to inspect the outgoing packets of employees.  For
       the case of IPv6 networks, the rule inspects the source IPv6
       address (i.e., from 2001:DB8:0:1::11 to 2001:DB8:0:1::90) to
       inspect the outgoing packets of employees.

   6.  If the outgoing packets match the rule above, the time-based
       firewall sends the packets to url filtering for additional
       inspection because the time-based firewall cannot inspect the
       contents of the packets for the SNS URL.

   Web Filter is as follows:

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_sns_access_during_operation_time
       (as in Figure 8).

   3.  The rule inspects the URL category to block the access packets
       to SNS_1 or SNS_2.

   4.  If the outgoing packets match the rule above, the packets are
       dropped.

5.2.  Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming
      to a Company

   This section shows a configuration example for blocking malicious
   VoIP/VoLTE packets coming to a company.
   [Figure 9 XML omitted: the element tags did not survive extraction.
    The surviving values are the system policy name
    voip_volte_inspection, the rule name block_malicious_voice_id, the
    destination IPv4 address range 192.0.2.11 to 192.0.2.90, the port
    range 5060 to 5061, and the advanced action voip-volte-filter.]

        Figure 9: Configuration XML for General Firewall to Block
              Malicious VoIP/VoLTE Packets Coming to a Company

   [Figure 10 XML omitted: the element tags did not survive extraction.
    The surviving values are the system policy name
    voip_volte_inspection, the rule name block_malicious_voice_id, the
    voice IDs user1@voip.malicious.example.com and
    user2@voip.malicious.example.com, and the action drop.]

       Figure 10: Configuration XML for VoIP/VoLTE Filter to Block
              Malicious VoIP/VoLTE Packets Coming to a Company

   Figure 9 and Figure 10 show the configuration XML documents for the
   general firewall and the VoIP/VoLTE filter to block malicious
   VoIP/VoLTE packets coming to a company.  For the security
   requirement, two NSFs (i.e., a general firewall and a VoIP/VoLTE
   filter) were used because one NSF cannot meet the security
   requirement.  The instances of XML documents for the general
   firewall and the VoIP/VoLTE filter are as follows.  Note that a
   detailed data model for the configuration of the advanced network
   security function (i.e., VoIP/VoLTE filter) can be described as an
   extension in future.

   General Firewall is as follows:

   1.  The name of the system policy is voip_volte_inspection.

   2.  The name of the rule is block_malicious_voice_id (as in
       Figure 9).

   3.  The rule inspects the destination IPv4 address (i.e., from
       192.0.2.11 to 192.0.2.90) to inspect the packets coming into the
       company.

   4.  The rule inspects the port number range 5060 to 5061 (the SIP
       and SIP-over-TLS ports) to select VoIP/VoLTE packets.

   5.  If the incoming packets match the rule above, the general
       firewall sends the packets to the VoIP/VoLTE filter for
       additional inspection because the general firewall cannot
       inspect the contents of the VoIP/VoLTE packets.
   VoIP/VoLTE Filter is as follows:

   1.  The name of the system policy is voip_volte_inspection (as in
       Figure 10).

   2.  The name of the rule is block_malicious_voice_id.

   3.  The rule inspects the voice id of the VoIP/VoLTE packets to block
       the malicious VoIP/VoLTE packets (i.e., those whose voice ID is
       user1@voip.malicious.example.com or
       user2@voip.malicious.example.com).

   4.  If the incoming packets match the rule above, the packets are
       dropped.

5.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a
      Company Web Server

   This section shows a configuration example for mitigating http and
   https flood attacks on a company web server.

   [Figure 11 XML omitted: the element tags did not survive extraction.
    The surviving values are the system policy name
    flood_attack_mitigation, the rule name
    mitigate_http_and_https_flood_attack, the destination IPv4 address
    range 192.0.2.11 to 192.0.2.11, the port ranges 80 to 80 and 443 to
    443, and the advanced action anti-ddos.]

       Figure 11: Configuration XML for General Firewall to Mitigate
            HTTP and HTTPS Flood Attacks on a Company Web Server

   [Figure 12 XML omitted: the element tags did not survive extraction.
    The surviving values are the system policy name
    flood_attack_mitigation, the rule name
    mitigate_http_and_https_flood_attack, the alert packet rate 1000,
    and the action drop.]

        Figure 12: Configuration XML for Anti-DDoS to Mitigate HTTP and
               HTTPS Flood Attacks on a Company Web Server

   Figure 11 and Figure 12 show the configuration XML documents for the
   general firewall and the http and https flood attack mitigation NSF
   to mitigate http and https flood attacks on a company web server.
   For the security requirement, two NSFs (i.e., a general firewall and
   an http and https flood attack mitigator) were used because one NSF
   cannot meet the security requirement.
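   Both stages of this requirement as an executable pipeline.  This is
   an added example, not code from the draft or from any I2NSF
   implementation.  The general firewall rule of Figure 11 hands only
   traffic to 192.0.2.11 on TCP port 80 or 443 to the anti-DDoS NSF, and
   the anti-DDoS rule of Figure 12 counts packets per destination
   address over a one-second sliding window and applies the
   packet-action ingress-action drop once the count passes
   alert-packet-rate (1000, units "pps" in the module).  The ipv4
   destination-address node is assumed to mirror the start/end form of
   the ipv6 container shown above; the packet dictionaries and the
   traffic mix are constructed for the example.

```python
"""Security Requirement 3 as a two-stage pipeline: general firewall, then anti-DDoS (added example)."""
from collections import defaultdict, deque
import ipaddress

FIREWALL_RULE = {  # values of Figure 11 as walked through above
    "rule-name": "mitigate_http_and_https_flood_attack",
    "condition": {
        # assumption: the ipv4 container mirrors the ipv6 start/end address form
        "ipv4": {"destination-address": {"start": "192.0.2.11", "end": "192.0.2.11"}},
        "tcp": {"destination-port-number": [{"start": 80, "end": 80},
                                            {"start": 443, "end": 443}]},
    },
    "action": {"advanced-action": {"attack-mitigation-control": ["anti-ddos"]}},
}

DDOS_RULE = {  # values of Figure 12
    "rule-name": "mitigate_http_and_https_flood_attack",
    "condition": {"ddos": {"alert-packet-rate": 1000}},  # units "pps" in the module
    "action": {"packet-action": {"ingress-action": "drop"}},
}


def firewall_forwards(rule, pkt):
    """General firewall stage: True if the packet is handed to the anti-ddos NSF."""
    cond = rule["condition"]
    rng = cond["ipv4"]["destination-address"]
    dst = ipaddress.ip_address(pkt["dst"])
    if not ipaddress.ip_address(rng["start"]) <= dst <= ipaddress.ip_address(rng["end"]):
        return False
    ports = cond["tcp"]["destination-port-number"]
    return any(r["start"] <= pkt["dport"] <= r["end"] for r in ports)


class FloodMitigator:
    """Anti-DDoS stage: per-destination packet counter over a sliding window."""

    def __init__(self, rule, window_seconds=1.0):
        self.threshold = rule["condition"]["ddos"]["alert-packet-rate"]
        self.action = rule["action"]["packet-action"]["ingress-action"]
        self.window = window_seconds
        self.history = defaultdict(deque)  # dst -> timestamps still inside the window

    def decide(self, pkt):
        q = self.history[pkt["dst"]]
        q.append(pkt["ts"])
        while q and pkt["ts"] - q[0] >= self.window:  # expire timestamps older than the window
            q.popleft()
        # the rate is exceeded once more than `threshold` packets arrived within one window
        return self.action if len(q) > self.threshold else "pass"


def run_pipeline(packets):
    """Feed packets through both NSFs in timestamp order; return dropped counts per destination."""
    mitigator = FloodMitigator(DDOS_RULE)
    dropped = defaultdict(int)
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        if not firewall_forwards(FIREWALL_RULE, pkt):
            continue  # not web-server traffic: never reaches the anti-DDoS NSF
        if mitigator.decide(pkt) == "drop":
            dropped[pkt["dst"]] += 1
    return dict(dropped)


def constructed_traffic():
    """Constructed sample: a 1500-packet HTTPS burst to the web server within 0.75 s,
    50 HTTPS packets to another host, and 30 SSH packets to the web server."""
    flood = [{"ts": i * 0.0005, "dst": "192.0.2.11", "dport": 443} for i in range(1500)]
    other = [{"ts": i * 0.01, "dst": "192.0.2.12", "dport": 443} for i in range(50)]
    ssh = [{"ts": i * 0.01, "dst": "192.0.2.11", "dport": 22} for i in range(30)]
    return flood + other + ssh


if __name__ == "__main__":
    print(run_pipeline(constructed_traffic()))  # {'192.0.2.11': 500}
```

   Counting per destination, which is what the ddos condition's "of an
   IP address" implies, drops legitimate clients together with the
   flood once the threshold is crossed.  An operational mitigator would
   also key on the source address, or on the alert-flow-rate leaf, so
   that it can shed the offending sources first.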
   The instances of XML documents for the general firewall and the http
   and https flood attack mitigation are as follows.  Note that a
   detailed data model for the configuration of the advanced network
   security function (i.e., http and https flood attack mitigation) can
   be defined as an extension in future.

   General Firewall is as follows:

   1.  The name of the system policy is flood_attack_mitigation.

   2.  The name of the rule is mitigate_http_and_https_flood_attack.

   3.  The rule inspects the destination IPv4 address (i.e., 192.0.2.11)
       to inspect the access packets coming into the company web
       server.

   4.  The rule inspects the port number (i.e., 80 and 443) to inspect
       http and https packets.

   5.  If the packets match the rule above, the general firewall sends
       the packets to the anti-DDoS NSF for additional inspection
       because the general firewall cannot rate-limit the http and
       https packets.

   Anti DDoS for HTTP and HTTPS Flood Attack Mitigation is as follows:

   1.  The name of the system policy is flood_attack_mitigation.

   2.  The name of the rule is mitigate_http_and_https_flood_attack.

   3.  The rule controls the http and https packets according to the
       rate of incoming packets (an alert packet rate of 1000 packets
       per second).

   4.  If the incoming packets exceed that rate, the packets are
       dropped.

6.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

   URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
   Registrant Contact: The IESG.
   XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950][RFC8525].

   name: ietf-i2nsf-policy-rule-for-nsf
   namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf
   prefix: nsfintf
   reference: RFC XXXX

7.  Security Considerations

   The YANG module specified in this document defines a data schema
   designed to be accessed through network management protocols such as
   NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer is
   the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC8446].

   The NETCONF access control model [RFC8341] provides a means of
   restricting access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   *  ietf-i2nsf-policy-rule-for-nsf: Writing to almost any element of
      this YANG module would directly affect the configuration of NSFs,
      e.g., completely turning off security monitoring and mitigation
      capabilities; altering the scope of this monitoring and
      mitigation; creating a logging volume that overwhelms downstream
      analytics or storage capacity; creating logging patterns which
      are confusing; or rendering useless trained statistics or
      artificial intelligence models.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.
nodes and their sensitivity/vulnerability:

   *  ietf-i2nsf-policy-rule-for-nsf: An attacker who can read this module may gather the security policy information of any target NSF and misuse that information for subsequent attacks.

Policy rules identifying specified users and user groups can be expressed with "rules/condition/context/users". As with other data in this YANG module, this user information is provided by the Security Controller to the NSFs and is protected via the transport and access control mechanisms described above.

8.  Acknowledgments

This work was supported by an Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning). This work was supported in part by the IITP (2020-0-00395, Standard Development of Blockchain based Network Management Automation Technology).

9.  Contributors

This document is the result of a group effort of the I2NSF working group. Many people actively contributed to this document, such as Acee Lindem and Roman Danyliw. The authors sincerely appreciate their contributions.
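As an added illustration of the NETCONF access control model [RFC8341] that the Security Considerations (Section 7) above rely on, and not part of this draft or of any NETCONF server implementation: a small Python evaluator for module-level NACM rules. It shows that with the RFC 8341 defaults (read-default "permit", write-default "deny") any authenticated NETCONF or RESTCONF user can read an NSF's security policy even though nobody but the controller can write it, and how a rule-list that permits only the Security Controller's group on ietf-i2nsf-policy-rule-for-nsf and explicitly denies everyone else closes that read exposure. The evaluator covers only module-name and access-operations matching (no path-, RPC- or notification-specific rules) and ignores the recovery session; the group names i2nsf-controller and operators and the rule-list names are constructed for the example.

```python
"""NETCONF Access Control Model (RFC 8341) decisions for the I2NSF module.

Added example, not part of the draft or of any NETCONF server. It evaluates
module-level NACM rules only (no path-, RPC- or notification-specific
rules) and ignores the recovery session. Group names are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Sequence

I2NSF_MODULE = "ietf-i2nsf-policy-rule-for-nsf"
WRITE_OPS = {"create", "update", "delete"}


@dataclass
class Rule:
    """One /nacm/rule-list/rule entry (module-name and access-operations)."""
    name: str
    module_name: str = "*"           # "*" matches every module
    access_operations: str = "*"     # e.g. "read", "create update delete", "*"
    action: str = "deny"             # "permit" or "deny"


@dataclass
class RuleList:
    """One /nacm/rule-list entry; applies to users in any listed group."""
    name: str
    groups: Sequence[str]            # group names, or "*" for all users
    rules: List[Rule]


@dataclass
class Nacm:
    """The /nacm container with the RFC 8341 default leaf values."""
    enable_nacm: bool = True
    read_default: str = "permit"
    write_default: str = "deny"
    exec_default: str = "permit"
    rule_lists: List[RuleList] = field(default_factory=list)


def decide(nacm: Nacm, user_groups: Sequence[str], operation: str,
           module: str) -> str:
    """Return "permit" or "deny" for `operation` on `module` by a user in
    `user_groups`: rule-lists and rules are tried in order, the first match
    wins, and the global defaults apply when nothing matches."""
    if not nacm.enable_nacm:
        return "permit"
    for rule_list in nacm.rule_lists:
        if "*" not in rule_list.groups and not (
                set(rule_list.groups) & set(user_groups)):
            continue
        for rule in rule_list.rules:
            if rule.module_name not in ("*", module):
                continue
            allowed_ops = rule.access_operations.split()
            if "*" not in allowed_ops and operation not in allowed_ops:
                continue
            return rule.action
    if operation == "read":
        return nacm.read_default
    if operation in WRITE_OPS:
        return nacm.write_default
    if operation == "exec":
        return nacm.exec_default
    raise ValueError(f"unknown NACM operation {operation!r}")


def default_nacm() -> Nacm:
    """NACM enabled but unconfigured: writes are denied, yet every
    authenticated user may read the NSF's security policy."""
    return Nacm()


def hardened_nacm() -> Nacm:
    """Only the Security Controller's group may read or write the I2NSF
    module; everyone else is explicitly denied every operation on it."""
    controller = RuleList(
        name="i2nsf-controller", groups=["i2nsf-controller"],
        rules=[Rule(name="manage-nsf-policy", module_name=I2NSF_MODULE,
                    access_operations="create read update delete",
                    action="permit")])
    others = RuleList(
        name="deny-nsf-policy-to-others", groups=["*"],
        rules=[Rule(name="no-access", module_name=I2NSF_MODULE,
                    access_operations="*", action="deny")])
    return Nacm(rule_lists=[controller, others])


if __name__ == "__main__":
    for label, nacm in (("default", default_nacm()),
                        ("hardened", hardened_nacm())):
        for groups in (["i2nsf-controller"], ["operators"]):
            for op in ("read", "update"):
                print(label, groups, op, decide(nacm, groups, op, I2NSF_MODULE))
```

Order matters: the deny-all rule-list for "*" must come after the controller's rule-list, because NACM stops at the first matching rule. The deny rule is scoped to the I2NSF module, so users outside the controller group keep the default read access to unrelated modules.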
The following are co-authors of this document:

Patrick Lingga, Department of Electrical and Computer Engineering, Sungkyunkwan University, 2066 Seo-ro, Jangan-gu, Suwon, Gyeonggi-do 16419, Republic of Korea. EMail: patricklink@skku.edu

Hyoungshick Kim, Department of Computer Science and Engineering, Sungkyunkwan University, 2066 Seo-ro, Jangan-gu, Suwon, Gyeonggi-do 16419, Republic of Korea. EMail: hyoung@skku.edu

Daeyoung Hyun, Department of Computer Science and Engineering, Sungkyunkwan University, 2066 Seo-ro, Jangan-gu, Suwon, Gyeonggi-do 16419, Republic of Korea. EMail: dyhyun@skku.edu

Dongjin Hong, Department of Electronic, Electrical and Computer Engineering, Sungkyunkwan University, 2066 Seo-ro, Jangan-gu, Suwon, Gyeonggi-do 16419, Republic of Korea. EMail: dong.jin@skku.edu

Liang Xia, Huawei, 101 Software Avenue, Nanjing, Jiangsu 210012, China. EMail: Frank.Xialiang@huawei.com

Tae-Jin Ahn, Korea Telecom, 70 Yuseong-Ro, Yuseong-Gu, Daejeon 305-811, Republic of Korea. EMail: taejin.ahn@kt.com

Se-Hui Lee, Korea Telecom, 70 Yuseong-Ro, Yuseong-Gu, Daejeon 305-811, Republic of Korea. EMail: sehuilee@kt.com

10.  References

10.1.  Normative References

[RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768, DOI 10.17487/RFC0768, August 1980.

[RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791, DOI 10.17487/RFC0791, September 1981.

[RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, DOI 10.17487/RFC0792, September 1981.

[RFC0793]  Postel, J., "Transmission Control Protocol", STD 7, RFC 793, DOI 10.17487/RFC0793, September 1981.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC2474]  Nichols, K., Blake, S., Baker, F., and D.
Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, DOI 10.17487/RFC2474, December 1998.

[RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002.

[RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004.

[RFC4340]  Kohler, E., Handley, M., and S. Floyd, "Datagram Congestion Control Protocol (DCCP)", RFC 4340, DOI 10.17487/RFC4340, March 2006.

[RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", STD 89, RFC 4443, DOI 10.17487/RFC4443, March 2006.

[RFC4960]  Stewart, R., Ed., "Stream Control Transmission Protocol", RFC 4960, DOI 10.17487/RFC4960, September 2007.

[RFC5595]  Fairhurst, G., "The Datagram Congestion Control Protocol (DCCP) Service Codes", RFC 5595, DOI 10.17487/RFC5595, September 2009.

[RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010.

[RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

[RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

[RFC6335]  Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S.
Cheshire, "Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry", BCP 165, RFC 6335, DOI 10.17487/RFC6335, August 2011.

[RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013.

[RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016.

[RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

[RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

[RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", STD 86, RFC 8200, DOI 10.17487/RFC8200, July 2017.

[RFC8335]  Bonica, R., Thomas, R., Linkova, J., Lenart, C., and M. Boucadair, "PROBE: A Utility for Probing Interfaces", RFC 8335, DOI 10.17487/RFC8335, February 2018.

[RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

[RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration Access Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, March 2018.

[RFC8344]  Bjorklund, M., "A YANG Data Model for IP Management", RFC 8344, DOI 10.17487/RFC8344, March 2018.

[RFC8407]  Bierman, A., "Guidelines for Authors and Reviewers of Documents Containing YANG Data Models", BCP 216, RFC 8407, DOI 10.17487/RFC8407, October 2018.

[RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

[RFC8525]  Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., and R.
Wilton, "YANG Library", RFC 8525, DOI 10.17487/RFC8525, March 2019.

[I-D.ietf-i2nsf-capability-data-model]  Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin, "I2NSF Capability YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-capability-data-model-17, 14 August 2021.

[I-D.ietf-i2nsf-nsf-monitoring-data-model]  Jeong, J., Lingga, P., Hares, S., Xia, L., and H. Birkholz, "I2NSF NSF Monitoring Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-nsf-monitoring-data-model-09, 24 August 2021.

10.2.  Informative References

[RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

[I-D.ietf-i2nsf-consumer-facing-interface-dm]  Jeong, J., Chung, C., Ahn, T., Kumar, R., and S. Hares, "I2NSF Consumer-Facing Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-consumer-facing-interface-dm-14, 21 August 2021.

[ISO-Country-Codes]  "Codes for the representation of names of countries and their subdivisions", ISO 3166, September 2018.

[IANA-Protocol-Numbers]  Internet Assigned Numbers Authority (IANA), "Assigned Internet Protocol Numbers", September 2020.

[IANA-ICMP-Parameters]  Internet Assigned Numbers Authority (IANA), "Internet Control Message Protocol (ICMP) Parameters", February 2021.

[IANA-ICMPv6-Parameters]  Internet Assigned Numbers Authority (IANA), "Internet Control Message Protocol version 6 (ICMPv6) Parameters", February 2021.

[IEEE-802.3]  Institute of Electrical and Electronics Engineers, "IEEE Standard for Ethernet", 2018.
Authors' Addresses

Jinyong (Tim) Kim (editor)
Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea
Phone: +82 10 8273 0930
Email: timkim@skku.edu

Jaehoon (Paul) Jeong (editor)
Department of Computer Science and Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea
Phone: +82 31 299 4957
Email: pauljeong@skku.edu
URI: http://iotlab.skku.edu/people-jaehoon-jeong.php

Jung-Soo Park
Electronics and Telecommunications Research Institute
218 Gajeong-Ro, Yuseong-Gu
Daejeon 34129
Republic of Korea
Phone: +82 42 860 6514
Email: pjs@etri.re.kr

Susan Hares
Huawei
7453 Hickory Hill
Saline, MI 48176
United States of America
Phone: +1-734-604-0332
Email: shares@ndzh.com

Qiushi Lin
Huawei
Huawei Industrial Base
Shenzhen, Guangdong 518129
China
Email: linqiushi@huawei.com