I2NSF Working Group                                          J. Kim, Ed.
Internet-Draft                                             J. Jeong, Ed.
Intended status: Standards Track                 Sungkyunkwan University
Expires: 7 April 2022                                            J. Park
                                                                    ETRI
                                                                S. Hares
                                                                  Q. Lin
                                                                  Huawei
                                                          4 October 2021


      I2NSF Network Security Function-Facing Interface YANG Data Model
               draft-ietf-i2nsf-nsf-facing-interface-dm-15

Abstract

   This document defines a YANG data model for configuring security policy rules on Network Security Functions (NSF) in the Interface to Network Security Functions (I2NSF) framework. The YANG data model in this document corresponds to the information model for the NSF-Facing Interface in the I2NSF framework.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 7 April 2022.
Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  YANG Tree Diagram
     3.1.  General I2NSF Security Policy Rule
     3.2.  Event Clause
     3.3.  Condition Clause
     3.4.  Action Clause
   4.  YANG Data Model of NSF-Facing Interface
     4.1.  YANG Module of NSF-Facing Interface
   5.  XML Configuration Examples of Low-Level Security Policy Rules
     5.1.  Security Requirement 1: Block Social Networking Service (SNS) Access during Business Hours
     5.2.  Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming to a Company
     5.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a Company Web Server
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgments
   9.  Contributors
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020][RFC7950] data model for security policy rule configuration of Network Security Functions (NSF). The YANG data model in this document is based on the information and data model in [I-D.ietf-i2nsf-capability-data-model] for the NSF-Facing Interface in the Interface to Network Security Functions (I2NSF) architecture [RFC8329]. The YANG data model in this document focuses on security policy configuration for the NSFs discussed in [I-D.ietf-i2nsf-capability-data-model], i.e., generic NSF (.

   This YANG data model uses an "Event-Condition-Action" (ECA) policy model that is used as the basis for the design of I2NSF Policy described in [RFC8329] and [I-D.ietf-i2nsf-capability-data-model].

   The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this document provides the configuration of the following features.

   *  A security policy rule of a network security function.

   *  An event clause of a generic network security function.

   *  A condition clause of a generic network security function.

   *  An action clause of a generic network security function.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

   This document uses the terminology described in [RFC8329].
   This document follows the guidelines of [RFC8407], uses the common YANG types defined in [RFC6991], and adopts the Network Management Datastore Architecture (NMDA). The meaning of the symbols in tree diagrams is defined in [RFC8340].

3.  YANG Tree Diagram

   This section shows the YANG tree diagram of a security policy for network security functions; its structure follows the information model in [I-D.ietf-i2nsf-capability-data-model].

3.1.  General I2NSF Security Policy Rule

   This section shows a YANG tree diagram for a general I2NSF security policy rule for generic network security functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy* [system-policy-name]
        +--rw system-policy-name     string
        +--rw priority-usage?        identityref
        +--rw resolution-strategy?   identityref
        +--rw default-action?        identityref
        +--rw rules* [rule-name]
        |  +--rw rule-name             string
        |  +--rw rule-description?     string
        |  +--rw rule-priority?        uint8
        |  +--rw rule-enable?          boolean
        |  +--rw session-aging-time?   uint16
        |  +--rw long-connection
        |  |  +--rw enable?     boolean
        |  |  +--rw duration?   uint16
        |  +--rw event
        |  |  ...
        |  +--rw condition
        |  |  ...
        |  +--rw action
        |     ...
        +--rw rule-group
           +--rw groups* [group-name]
              +--rw group-name     string
              +--rw rule-range
              |  +--rw start-rule?   string
              |  +--rw end-rule?     string
              +--rw enable?        boolean
              +--rw description?   string

                Figure 1: YANG Tree Diagram for Network Security Policy

   An NSF can hold multiple system policies, and each system policy is used by one virtual instance of the NSF/device. A system policy consists of a system policy name, a priority usage, a resolution strategy, a default action, and rules.

   A resolution strategy decides how to resolve conflicts between the actions of the same or different policy rules that match in a particular NSF.
   The resolution strategy is defined as First Matching Rule (FMR), Last Matching Rule (LMR), Prioritized Matching Rule with Errors (PMRE), and Prioritized Matching Rule with No Errors (PMRN). It can be extended according to vendor-specific action features and is described in detail in [I-D.ietf-i2nsf-capability-data-model].

   A default action is the action an NSF applies to a packet when no rule matches it. The default action is defined as pass, drop, rate-limit, or mirror. It can be extended according to vendor-specific action features and is described in detail in [I-D.ietf-i2nsf-capability-data-model].

   The rules include rule name, rule description, rule priority, rule enable, event, condition, and action.

3.2.  Event Clause

   This section shows a YANG tree diagram for an event clause for a general I2NSF security policy rule for generic network security functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy* [system-policy-name]
        ...
        +--rw rules* [rule-name]
        |  ...
        |  +--rw event
        |  |  +--rw event-clause-description?   string
        |  |  +--rw time
        |  |  |  +--rw start-date-time?   yang:date-and-time
        |  |  |  +--rw end-date-time?     yang:date-and-time
        |  |  |  +--rw period
        |  |  |  |  +--rw start-time?   time
        |  |  |  |  +--rw end-time?     time
        |  |  |  |  +--rw day*          identityref
        |  |  |  |  +--rw date*         int32
        |  |  |  |  +--rw month*        string
        |  |  |  +--rw frequency?         enumeration
        |  |  +--rw event-clauses
        |  |     +--rw system-event*   identityref
        |  |     +--rw system-alarm*   identityref
        |  +--rw condition
        |  |  ...
        |  +--rw action
        |     ...
        +--rw rule-group
           ...
                  Figure 2: YANG Tree Diagram for an Event Clause

   An event is any important occurrence, at a specific time, of a change in the system being managed and/or in the environment of that system. An event clause triggers the evaluation of the condition clause of the I2NSF Policy Rule. The event clause is defined as a system event, a system alarm [I-D.ietf-i2nsf-nsf-monitoring-data-model], or a time. It can be extended according to vendor-specific event features and is described in detail in [I-D.ietf-i2nsf-capability-data-model].

3.3.  Condition Clause

   This section shows a YANG tree diagram for a condition clause for a general I2NSF security policy rule for generic network security functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy* [system-policy-name]
        ...
        +--rw rules* [rule-name]
        |  ...
        |  +--rw event
        |  |  ...
        |  +--rw condition
        |  |  +--rw condition-clause-description?   string
        |  |  +--rw ethernet
        |  |  |  +--rw ethernet-description?   string
        |  |  |  +--rw source-address*         yang:mac-address
        |  |  |  +--rw destination-address*    yang:mac-address
        |  |  |  +--rw ether-type*             uint16
        |  |  +--rw ipv4
        |  |  |  +--rw description?          string
        |  |  |  +--rw header-length* [start end]
        |  |  |  |  +--rw start    uint8
        |  |  |  |  +--rw end      uint8
        |  |  |  +--rw dscp*                 inet:dscp
        |  |  |  +--rw total-length* [start end]
        |  |  |  |  +--rw start    uint16
        |  |  |  |  +--rw end      uint16
        |  |  |  +--rw identification*       uint16
        |  |  |  +--rw fragment-flags*       identityref
        |  |  |  +--rw fragment-offset* [start end]
        |  |  |  |  +--rw start    uint16
        |  |  |  |  +--rw end      uint16
        |  |  |  +--rw ttl* [start end]
        |  |  |  |  +--rw start    uint8
        |  |  |  |  +--rw end      uint8
        |  |  |  +--rw protocol*             uint8
        |  |  |  +--rw source-address
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(prefix)
        |  |  |  |     |  +--rw ipv4-prefix* [ipv4]
        |  |  |  |     |     +--rw ipv4             inet:ipv4-address-no-zone
        |  |  |  |     |     +--rw (subnet)?
        |  |  |  |     |        +--:(prefix-length)
        |  |  |  |     |        |  +--rw prefix-length?   uint8
        |  |  |  |     |        +--:(netmask)
        |  |  |  |     |           +--rw netmask?         yang:dotted-quad
        |  |  |  |     +--:(range)
        |  |  |  |        +--rw ipv4-range* [start end]
        |  |  |  |           +--rw start    inet:ipv4-address-no-zone
        |  |  |  |           +--rw end      inet:ipv4-address-no-zone
        |  |  |  +--rw destination-address
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(prefix)
        |  |  |  |     |  +--rw ipv4-prefix* [ipv4]
        |  |  |  |     |     +--rw ipv4             inet:ipv4-address-no-zone
        |  |  |  |     |     +--rw (subnet)?
        |  |  |  |     |        +--:(prefix-length)
        |  |  |  |     |        |  +--rw prefix-length?   uint8
        |  |  |  |     |        +--:(netmask)
        |  |  |  |     |           +--rw netmask?         yang:dotted-quad
        |  |  |  |     +--:(range)
        |  |  |  |        +--rw ipv4-range* [start end]
        |  |  |  |           +--rw start    inet:ipv4-address-no-zone
        |  |  |  |           +--rw end      inet:ipv4-address-no-zone
        |  |  |  +--rw ipopts*               identityref
        |  |  +--rw ipv6
        |  |  |  +--rw description?       string
        |  |  |  +--rw dscp*              inet:dscp
        |  |  |  +--rw flow-label* [start end]
        |  |  |  |  +--rw start    inet:ipv6-flow-label
        |  |  |  |  +--rw end      inet:ipv6-flow-label
        |  |  |  +--rw payload-length* [start end]
        |  |  |  |  +--rw start    uint16
        |  |  |  |  +--rw end      uint16
        |  |  |  +--rw next-header*       uint8
        |  |  |  +--rw hop-limit* [start end]
        |  |  |  |  +--rw start    uint8
        |  |  |  |  +--rw end      uint8
        |  |  |  +--rw source-address
        |  |  |  |  +--rw (match-type)?
        |  |  |  |     +--:(prefix)
        |  |  |  |     |  +--rw ipv6-prefix* [ipv6]
        |  |  |  |     |     +--rw ipv6             inet:ipv6-address-no-zone
        |  |  |  |     |     +--rw prefix-length?   uint8
        |  |  |  |     +--:(range)
        |  |  |  |        +--rw ipv6-range* [start end]
        |  |  |  |           +--rw start    inet:ipv6-address-no-zone
        |  |  |  |           +--rw end      inet:ipv6-address-no-zone
        |  |  |  +--rw destination-address
        |  |  |     +--rw (match-type)?
        |  |  |        +--:(prefix)
        |  |  |        |  +--rw ipv6-prefix* [ipv6]
        |  |  |        |     +--rw ipv6             inet:ipv6-address-no-zone
        |  |  |        |     +--rw prefix-length?   uint8
        |  |  |        +--:(range)
        |  |  |           +--rw ipv6-range* [start end]
        |  |  |              +--rw start    inet:ipv6-address-no-zone
        |  |  |              +--rw end      inet:ipv6-address-no-zone
        |  |  +--rw tcp
        |  |  |  +--rw description?   string
        |  |  |  +--rw source-port-number* [start end]
        |  |  |  |  +--rw start    inet:port-number
        |  |  |  |  +--rw end      inet:port-number
        |  |  |  +--rw destination-port-number* [start end]
        |  |  |  |  +--rw start    inet:port-number
        |  |  |  |  +--rw end      inet:port-number
        |  |  |  +--rw flags*         identityref
        |  |  +--rw udp
        |  |  |  +--rw description?   string
        |  |  |  +--rw source-port-number
        |  |  |  |  +--rw start?   inet:port-number
        |  |  |  |  +--rw end?     inet:port-number
        |  |  |  +--rw destination-port-number
        |  |  |  |  +--rw start?   inet:port-number
        |  |  |  |  +--rw end?     inet:port-number
        |  |  |  +--rw total-length* [start end]
        |  |  |     +--rw start    uint32
        |  |  |     +--rw end      uint32
        |  |  +--rw sctp
        |  |  |  +--rw description?        string
        |  |  |  +--rw source-port-number
        |  |  |  |  +--rw start?   inet:port-number
        |  |  |  |  +--rw end?     inet:port-number
        |  |  |  +--rw destination-port-number
        |  |  |  |  +--rw start?   inet:port-number
        |  |  |  |  +--rw end?     inet:port-number
        |  |  |  +--rw verification-tag*   uint32
        |  |  |  +--rw chunk-type*         uint8
        |  |  +--rw dccp
        |  |  |  +--rw description?    string
        |  |  |  +--rw source-port-number
        |  |  |  |  +--rw start?   inet:port-number
        |  |  |  |  +--rw end?     inet:port-number
        |  |  |  +--rw destination-port-number
        |  |  |  |  +--rw start?   inet:port-number
        |  |  |  |  +--rw end?     inet:port-number
        |  |  |  +--rw service-code*   uint32
        |  |  +--rw icmp* [version]
        |  |  |  +--rw description?   string
        |  |  |  +--rw version        enumeration
        |  |  |  +--rw type*          uint8
        |  |  |  +--rw code*          uint8
        |  |  +--rw url-category
        |  |  |  +--rw description?             string
        |  |  |  +--rw pre-defined-category*    string
        |  |  |  +--rw user-defined-category*   string
        |  |  +--rw voice
        |  |  |  +--rw description?            string
        |  |  |  +--rw source-voice-id*        string
        |  |  |  +--rw destination-voice-id*   string
        |  |  |  +--rw user-agent*             string
        |  |  +--rw ddos
        |  |  |  +--rw description?         string
        |  |  |  +--rw alert-packet-rate?   uint32
        |  |  |  +--rw alert-flow-rate?     uint32
        |  |  |  +--rw alert-byte-rate?     uint32
        |  |  +--rw anti-virus
        |  |  |  +--rw profile*           string
        |  |  |  +--rw exception-files*   string
        |  |  +--rw payload
        |  |  |  +--rw packet-payload-description?   string
        |  |  |  +--rw payload-content*              string
        |  |  +--rw context
        |  |     +--rw context-description?   string
        |  |     +--rw application
        |  |     |  +--rw description?   string
        |  |     |  +--rw object*        string
        |  |     |  +--rw group*         string
        |  |     |  +--rw label*         string
        |  |     |  +--rw category
        |  |     |     +--rw application-category* [name subcategory]
        |  |     |        +--rw name          string
        |  |     |        +--rw subcategory   string
        |  |     +--rw target
        |  |     |  +--rw description?   string
        |  |     |  +--rw device*        identityref
        |  |     +--rw users
        |  |     |  +--rw users-description?   string
        |  |     |  +--rw user* [user-id]
        |  |     |  |  +--rw user-id      uint32
        |  |     |  |  +--rw user-name?   string
        |  |     |  +--rw group* [group-id]
        |  |     |  |  +--rw group-id      uint32
        |  |     |  |  +--rw group-name?   string
        |  |     |  +--rw security-group?      string
        |  |     +--rw geography-location
        |  |        +--rw description?   string
        |  |        +--rw source*        string
        |  |        +--rw destination*   string
        |  +--rw action
        |     ...
        +--rw rule-group
           ...

                Figure 3: YANG Tree Diagram for a Condition Clause

   A condition clause is defined as a set of attributes, features, and/or values that are compared with a set of known attributes, features, and/or values in order to determine whether or not the set of actions in that (imperative) I2NSF policy rule can be executed.
   A condition clause is classified as a condition of generic network security functions, a condition of advanced network security functions, or a condition of context. A condition clause of generic network security functions is defined as an IPv4, IPv6, TCP, UDP, SCTP, DCCP, or ICMP (ICMPv4 and ICMPv6) condition.

   Note that the data model in this document does not restrict itself to IP addresses; it covers all the fields of the IPv4 and IPv6 headers. The IPv4 and IPv6 headers are similar but have some different fields, so the model handles the two headers separately and the version-specific fields can be used to match IPv4 and IPv6 packets.

   A condition clause of advanced network security functions is defined as a URL category, voice, DDoS, or payload condition. A condition clause of context is defined as an application, target, users, or geography condition.

   Note that this document deals only with the conditions of a few advanced network security functions, such as URL filter (i.e., web filter), VoIP/VoLTE security, and DDoS-attack mitigator. Condition clauses of other advanced network security functions, such as Intrusion Prevention System (IPS) and Data Loss Prevention (DLP), can be defined as extensions in the future. A condition clause can be extended according to vendor-specific condition features and is described in detail in [I-D.ietf-i2nsf-capability-data-model].

3.4.  Action Clause

   This section shows a YANG tree diagram for an action clause for a general I2NSF security policy rule for generic network security functions.

   module: ietf-i2nsf-policy-rule-for-nsf
     +--rw i2nsf-security-policy* [system-policy-name]
        ...
        +--rw rules* [rule-name]
        |  ...
        |  +--rw event
        |  |  ...
        |  +--rw condition
        |  |  ...
        |  +--rw action
        |     +--rw action-clause-description?   string
        |     +--rw packet-action
        |     |  +--rw ingress-action?   identityref
        |     |  +--rw egress-action?    identityref
        |     |  +--rw log-action?       identityref
        |     +--rw flow-action
        |     |  +--rw ingress-action?   identityref
        |     |  +--rw egress-action?    identityref
        |     |  +--rw log-action?       identityref
        |     +--rw advanced-action
        |        +--rw content-security-control*    identityref
        |        +--rw attack-mitigation-control*   identityref
        +--rw rule-group
           ...

                 Figure 4: YANG Tree Diagram for an Action Clause

   An action is used to control and monitor aspects of flow-based NSFs when the event and condition clauses of the policy rule are satisfied. NSFs provide security services by executing various actions. The action clause consists of a packet action and a flow action, each of which has an ingress action, an egress action, and a log action, together with an advanced action for additional inspection. The packet action applies to an individual packet, such as an IP datagram, as a stateless process that uses the packet's header and payload. The flow action applies to a traffic flow, such as the packets of a TCP session (e.g., an HTTP/HTTPS session), as a stateful process that uses flow information such as the 5-tuple, packet counts, and byte counts. The advanced action invokes an advanced security service (e.g., URL filter, DDoS-attack mitigator, or VoIP/VoLTE filter) on either a packet or a traffic flow, according to the intention of that service. The action clause can be extended according to vendor-specific action features and is described in detail in [I-D.ietf-i2nsf-capability-data-model].

4.  YANG Data Model of NSF-Facing Interface

   The main objective of this data model is to provide both an information model and the corresponding YANG data model of the I2NSF NSF-Facing Interface.
   This interface can be used to deliver control and management messages between the Security Controller and NSFs for I2NSF low-level security policies.

   This data model is designed to support the I2NSF framework and can be extended according to security needs. In other words, the model design is independent of the content and meaning of specific policies as well as of the implementation approach.

   With the YANG data model of the I2NSF NSF-Facing Interface, this document suggests use cases for security policy rules, such as a time-based firewall, a web filter, a VoIP/VoLTE security service, and DDoS-attack mitigation, in Section 5.

4.1.  YANG Module of NSF-Facing Interface

   This section describes the YANG module of the NSF-Facing Interface. This document provides identities in the data model for the configuration of an NSF. Each identity has the same concept as the corresponding identity in [I-D.ietf-i2nsf-consumer-facing-interface-dm]. This YANG module imports from [RFC6991]. It makes references to [RFC0768] [RFC0791] [RFC0792] [RFC2474] [RFC3261] [RFC4340] [RFC4443] [RFC4960] [RFC5595] [RFC6335] [RFC8200] [RFC8329] [RFC8335] [RFC8344] [IEEE-802.3] [ISO-Country-Codes] [IANA-Protocol-Numbers] [IANA-ICMP-Parameters] [I-D.ietf-tcpm-rfc793bis] [I-D.ietf-i2nsf-capability-data-model] [I-D.ietf-i2nsf-nsf-monitoring-data-model].
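   Before the module itself, an added example (this editor's code, not code from the draft or from any I2NSF implementation) of how an NSF would evaluate the rule structure of Sections 3.1 to 3.4: a policy written as a Python dict whose keys mirror the tree diagrams (the time event of Figure 2, the IPv4/IPv6 address and TCP port/flag conditions of Figure 3, the packet ingress action of Figure 4, and the resolution strategy and default action of Figure 1), matched against a packet summary. The following are assumptions of this example, to be checked against [I-D.ietf-i2nsf-capability-data-model] before reuse: weekday identities are spelled monday..sunday in lower case; a larger rule-priority means a higher priority; FMR/LMR pick the first/last matching rule in configured order; PMRE picks the highest-priority match and raises on a tie, while PMRN breaks the tie by configured order. The sample policy and packet are constructed.

```python
import ipaddress
from datetime import datetime, time

WEEKDAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


def event_active(event, now):
    """Time part of the event clause (Figure 2); an absent leaf imposes no constraint."""
    t = event.get("time", {})
    p = t.get("period", {})
    checks = [
        "start-date-time" not in t or now >= datetime.fromisoformat(t["start-date-time"]),
        "end-date-time" not in t or now <= datetime.fromisoformat(t["end-date-time"]),
        "day" not in p or WEEKDAYS[now.weekday()] in p["day"],  # assumed day identity names
        "start-time" not in p or now.time() >= time.fromisoformat(p["start-time"]),
        "end-time" not in p or now.time() <= time.fromisoformat(p["end-time"]),
    ]
    return all(checks)


def address_matches(node, addr):
    """(match-type) choice of Figure 3: a list of prefixes/netmasks or a list of ranges."""
    if node is None:
        return True  # no address constraint in this rule
    ip = ipaddress.ip_address(addr)
    for e in node.get("ipv4-prefix", []) + node.get("ipv6-prefix", []):
        base = e.get("ipv4", e.get("ipv6"))
        mask = e.get("netmask", e.get("prefix-length", ip.max_prefixlen))  # host route if neither given
        if ip in ipaddress.ip_network(f"{base}/{mask}", strict=False):
            return True
    for r in node.get("ipv4-range", []) + node.get("ipv6-range", []):
        if ipaddress.ip_address(r["start"]) <= ip <= ipaddress.ip_address(r["end"]):
            return True
    return False


def in_ranges(ranges, value):
    """[start end] list entries; an empty list imposes no constraint."""
    return not ranges or any(r["start"] <= value <= r["end"] for r in ranges)


def condition_matches(cond, pkt):
    """IPv4/IPv6 and TCP parts of the condition clause (Figure 3)."""
    ipkey, other = ("ipv4", "ipv6") if pkt["version"] == 4 else ("ipv6", "ipv4")
    if other in cond:
        return False  # the rule targets the other IP version
    ipnode = cond.get(ipkey, {})
    if not (address_matches(ipnode.get("source-address"), pkt["src"])
            and address_matches(ipnode.get("destination-address"), pkt["dst"])):
        return False
    protos = ipnode.get("protocol", []) + ipnode.get("next-header", [])
    if protos and pkt["proto"] not in protos:
        return False
    tcp = cond.get("tcp")
    if tcp is None:
        return True
    return (pkt["proto"] == 6
            and in_ranges(tcp.get("source-port-number", []), pkt["sport"])
            and in_ranges(tcp.get("destination-port-number", []), pkt["dport"])
            and set(tcp.get("flags", [])) <= set(pkt.get("flags", [])))  # all listed flags set


def evaluate(policy, pkt, now):
    """Return (ingress action, rule name); `now` is a datetime or an ISO 8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    matched = [r for r in policy["rules"]
               if r.get("rule-enable", True)
               and event_active(r.get("event", {}), now)
               and condition_matches(r.get("condition", {}), pkt)]
    if not matched:
        return policy.get("default-action", "pass"), None
    strategy = policy.get("resolution-strategy", "fmr")
    if strategy == "fmr":
        rule = matched[0]
    elif strategy == "lmr":
        rule = matched[-1]
    else:  # pmre / pmrn: highest rule-priority wins (assumed: larger number = higher priority)
        top = max(r.get("rule-priority", 0) for r in matched)
        best = [r for r in matched if r.get("rule-priority", 0) == top]
        if strategy == "pmre" and len(best) > 1:
            raise ValueError("PMRE conflict: " + ", ".join(r["rule-name"] for r in best))
        rule = best[0]  # pmrn: tie broken by configured order
    return rule["action"]["packet-action"]["ingress-action"], rule["rule-name"]


# Constructed sample policy and packet (example data, not from the draft).
POLICY = {
    "resolution-strategy": "pmre", "default-action": "pass",
    "rules": [
        {"rule-name": "block-sns-business-hours", "rule-priority": 10,
         "event": {"time": {"period": {"start-time": "09:00:00", "end-time": "18:00:00",
                                       "day": ["monday", "tuesday", "wednesday", "thursday", "friday"]}}},
         "condition": {"ipv4": {"source-address": {"ipv4-prefix": [{"ipv4": "192.0.2.0", "prefix-length": 24}]},
                                "destination-address": {"ipv4-range": [{"start": "198.51.100.10", "end": "198.51.100.20"}]},
                                "protocol": [6]},
                       "tcp": {"destination-port-number": [{"start": 80, "end": 80}, {"start": 443, "end": 443}]}},
         "action": {"packet-action": {"ingress-action": "drop"}}},
        {"rule-name": "allow-syn-to-web", "rule-priority": 5,
         "condition": {"ipv4": {"destination-address": {"ipv4-prefix": [{"ipv4": "198.51.100.0", "netmask": "255.255.255.0"}]}},
                       "tcp": {"flags": ["syn"]}},
         "action": {"packet-action": {"ingress-action": "pass"}}},
    ],
}
PKT = {"version": 4, "src": "192.0.2.7", "dst": "198.51.100.15", "proto": 6, "sport": 40000, "dport": 443, "flags": ["syn"]}
```

   The two rules overlap for a SYN from 192.0.2.0/24 to a web server in 198.51.100.10-20 during business hours; under PMRE the higher rule-priority wins and the packet is dropped, on a Saturday only the second rule matches and the packet passes, and a packet matching neither gets the policy's default action. An overlap between two rules with equal rule-priority is exactly the situation PMRE is meant to surface, so the evaluator raises rather than picking one silently; a Security Controller pushing policies to a PMRE NSF should keep priorities unique across overlapping rules.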
   file "ietf-i2nsf-policy-rule-for-nsf@2021-10-04.yang"
   module ietf-i2nsf-policy-rule-for-nsf {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
     prefix
       nsfintf;

     import ietf-inet-types{
       prefix inet;
       reference
         "Section 4 of RFC 6991";
     }
     import ietf-yang-types {
       prefix yang;
       reference
         "Section 3 of RFC 6991";
     }

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        Editor: Jinyong Tim Kim

        Editor: Jaehoon Paul Jeong
       ";

     description
       "This module is a YANG module for Network Security Functions
        (NSF)-Facing Interface.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
        document are to be interpreted as described in BCP 14
        (RFC 2119) (RFC 8174) when, and only when, they appear
        in all capitals, as shown here.

        Copyright (c) 2021 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject to
        the license terms contained in, the Simplified BSD License set
        forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (https://trustee.ietf.org/license-info).
        This version of this YANG module is part of RFC XXXX
        (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
        for full legal notices.";

     revision "2021-10-04"{
       description "The latest revision.";
       reference
         "RFC XXXX: I2NSF Network Security Function-Facing Interface
          YANG Data Model";
     }

     /*
      * Identities
      */

     identity priority-usage {
       description
         "Base identity for priority usage type.";
     }

     identity priority-by-order {
       base priority-usage;
       description
         "Identity for priority by order";
     }

     identity priority-by-number {
       base priority-usage;
       description
         "Identity for priority by number";
     }

     identity event {
       description
         "Base identity for policy events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
          Monitoring YANG Data Model - Event";
     }

     identity system-event {
       base event;
       description
         "Identity for system events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
          Monitoring YANG Data Model - System event";
     }

     identity system-alarm {
       base event;
       description
         "Identity for system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
          Monitoring YANG Data Model - System alarm";
     }

     identity access-violation {
       base system-event;
       description
         "Identity for access violation
          system events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
          Monitoring YANG Data Model - System event for access
          violation";
     }

     identity configuration-change {
       base system-event;
       description
         "Identity for configuration change
          system events";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
          Monitoring YANG Data Model - System event for configuration
          change";
     }

     identity memory-alarm {
       base system-alarm;
       description
         "Identity for memory alarm
          system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
          Monitoring YANG Data Model - System alarm for memory";
     }

     identity cpu-alarm {
       base system-alarm;
       description
         "Identity for CPU alarm
          system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
          Monitoring YANG Data Model - System alarm for CPU";
     }

     identity disk-alarm {
       base system-alarm;
       description
         "Identity for disk alarm
          system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
          Monitoring YANG Data Model - System alarm for disk";
     }

     identity hardware-alarm {
       base system-alarm;
       description
         "Identity for hardware alarm
          system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
          Monitoring YANG Data Model - System alarm for hardware";
     }

     identity interface-alarm {
       base system-alarm;
       description
         "Identity for interface alarm
          system alarms";
       reference
         "draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF NSF
          Monitoring YANG Data Model - System alarm for interface";
     }

     identity fragmentation-flags {
       description
         "Base identity for fragmentation flags type";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity fragment {
       base fragmentation-flags;
       description
         "Identity for 'More fragment' flag";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity no-fragment {
       base fragmentation-flags;
       description
         "Identity for 'Do not fragment' flag";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity reserved {
       base fragmentation-flags;
       description
         "Identity for reserved flags";
       reference
         "RFC 791: Internet Protocol - Fragmentation Flags";
     }

     identity ipopts {
       description
         "Base identity for IP options";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity rr {
       base ipopts;
       description
         "Identity for 'Record Route' IP Option";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity eol {
       base ipopts;
       description
         "Identity for 'End of List' IP Option";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity nop {
       base ipopts;
       description
         "Identity for 'No Operation' IP Option";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity ts {
       base ipopts;
       description
         "Identity for 'Timestamp' IP Option";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity sec {
       base ipopts;
       description
         "Identity for 'IP security' IP Option";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity esec {
       base ipopts;
       description
         "Identity for 'IP extended security' IP Option";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity lsrr {
       base ipopts;
       description
         "Identity for 'Loose Source Routing' IP Option";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity ssrr {
       base ipopts;
       description
         "Identity for 'Strict Source Routing' IP Option";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity satid {
       base ipopts;
       description
         "Identity for 'Stream Identifier' IP Option";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity any {
       base ipopts;
       description
         "Identity for any IP options
          included in an IPv4 packet";
       reference
         "RFC 791: Internet Protocol - Options";
     }

     identity tcp-flags {
       description
         "Base identity for TCP flags";
       reference
         "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
          (TCP) Specification - TCP Header Flags
          RFC 3168: The Addition of Explicit Congestion Notification
          (ECN) to IP - ECN-Echo (ECE) Flag and Congestion Window
          Reduced (CWR) Flag
          draft-ietf-tcpm-accurate-ecn-15: More Accurate ECN Feedback
          in TCP - ECN-Echo (ECE) Flag and Congestion Window Reduced
          (CWR) Flag";
     }

     identity cwr {
       base tcp-flags;
       description
         "Identity for 'Congestion Window Reduced' TCP flag";
       reference
         "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
          (TCP) Specification - TCP Header Flags
          RFC 3168: The Addition of Explicit Congestion Notification
          (ECN) to IP - ECN-Echo (ECE) Flag and Congestion Window
          Reduced (CWR) Flag
          draft-ietf-tcpm-accurate-ecn-15: More Accurate ECN Feedback
          in TCP - ECN-Echo (ECE) Flag and Congestion Window Reduced
          (CWR) Flag";
     }

     identity ece {
       base tcp-flags;
       description
         "Identity for 'Explicit Congestion Notification-Echo'
          TCP flag";
       reference
         "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
          (TCP) Specification - TCP Header Flags
          RFC 3168: The Addition of Explicit Congestion Notification
          (ECN) to IP - ECN-Echo (ECE) Flag and Congestion Window
          Reduced (CWR) Flag
          draft-ietf-tcpm-accurate-ecn-15: More Accurate ECN Feedback
          in TCP - ECN-Echo (ECE) Flag and Congestion Window Reduced
          (CWR) Flag";
     }

     identity urg {
       base tcp-flags;
       description
         "Identity for 'Urgent' TCP flag";
       reference
         "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
          (TCP) Specification - Flags";
     }

     identity ack {
       base tcp-flags;
       description
         "Identity for 'Acknowledgement' TCP flag";
       reference
         "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
          (TCP) Specification - Flags";
     }

     identity psh {
       base tcp-flags;
       description
         "Identity for 'Push' TCP flag";
       reference
         "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
          (TCP) Specification - Flags";
     }

     identity rst {
       base tcp-flags;
       description
         "Identity for 'Reset' TCP flag";
       reference
         "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
          (TCP) Specification - Flags";
     }

     identity syn {
       base tcp-flags;
       description
         "Identity for 'Synchronize' TCP flag";
       reference
         "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
          (TCP) Specification - Flags";
     }

     identity fin {
       base tcp-flags;
       description
         "Identity for 'Finish' TCP flag";
       reference
         "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
          (TCP) Specification - Flags";
     }

     identity target-device {
       description
         "Base identity for target devices";
       reference
         "draft-ietf-i2nsf-capability-data-model-17:
          I2NSF Capability YANG Data Model";
     }

     identity computer {
       base target-device;
       description
         "Identity for computer such as personal computer (PC)
          and server";
     }

     identity mobile-phone {
       base target-device;
       description
         "Identity for mobile-phone such as smartphone and
          cellphone";
     }

     identity voip-volte-phone {
       base target-device;
       description
         "Identity for voip-volte-phone";
     }

     identity tablet {
       base target-device;
       description
         "Identity for tablet";
     }

     identity network-infrastructure-device {
       base target-device;
       description
         "Identity for network infrastructure devices
          such as switch, router, and access point";
     }

     identity iot-device {
       base target-device;
       description
         "Identity for IoT (Internet of Things) devices";
     }

     identity ot {
       base target-device;
       description
         "Identity for Operational Technology";
     }

     identity vehicle {
       base target-device;
       description
         "Identity for vehicle that connects to and shares
          data through the Internet";
     }

     identity advanced-nsf {
       description
         "Base identity for advanced Network Security Function (NSF)
          capability. This can be used for advanced NSFs such as
          Anti-DDoS Attack, IPS, URL-Filtering, Antivirus,
          and VoIP/VoLTE Filter.";
       reference
         "draft-ietf-i2nsf-capability-data-model-17:
          I2NSF Capability YANG Data Model";
     }

     identity content-security-control {
       base advanced-nsf;
       description
         "Base identity for content security control";
       reference
         "draft-ietf-i2nsf-capability-data-model-17:
          I2NSF Capability YANG Data Model";
     }

     identity ips {
       base content-security-control;
       description
         "Identity for IPS (Intrusion Prevention System)
          that prevents malicious activity within a network";
     }

     identity url-filtering {
       base content-security-control;
       description
         "Identity for URL filtering that limits access by comparing the
          web traffic's URL with the URLs for web filtering in a
          database";
     }

     identity anti-virus {
       base content-security-control;
       description
         "Identity for antivirus that protects the network by detecting
          and removing viruses or other malware.";
     }

     identity voip-volte-filter {
       base content-security-control;
       description
         "Identity for VoIP/VoLTE security service that filters out the
          packets or flows of malicious users with a deny list of
          malicious users in a database";
     }

     identity attack-mitigation-control {
       base advanced-nsf;
       description
         "Base identity for attack mitigation control";
       reference
         "draft-ietf-i2nsf-capability-data-model-17:
          I2NSF Capability YANG Data Model";
     }

     identity anti-ddos {
       base attack-mitigation-control;
       description
         "Identity for advanced NSF Anti-DDoS or DDoS Mitigator
          capability.";
     }

     identity action {
       description
         "Base identity for action";
     }

     identity ingress-action {
       base action;
       description
         "Base identity for ingress action";
       reference
"draft-ietf-i2nsf-capability-data-model-17: 1089 I2NSF Capability YANG Data Model - Ingress Action"; 1090 } 1092 identity egress-action { 1093 base action; 1094 description 1095 "Base identity for egress action"; 1096 reference 1097 "draft-ietf-i2nsf-capability-data-model-17: 1098 I2NSF Capability YANG Data Model - Egress Action"; 1099 } 1101 identity default-action { 1102 base action; 1103 description 1104 "Base identity for default action"; 1105 reference 1106 "draft-ietf-i2nsf-capability-data-model-17: 1107 I2NSF Capability YANG Data Model - Default Action"; 1108 } 1110 identity pass { 1111 base ingress-action; 1112 base egress-action; 1113 base default-action; 1114 description 1115 "Identity for pass"; 1116 reference 1117 "draft-ietf-i2nsf-capability-data-model-17: 1118 I2NSF Capability YANG Data Model - Actions and 1119 Default Action"; 1120 } 1122 identity drop { 1123 base ingress-action; 1124 base egress-action; 1125 base default-action; 1126 description 1127 "Identity for drop"; 1128 reference 1129 "draft-ietf-i2nsf-capability-data-model-17: 1130 I2NSF Capability YANG Data Model - Actions and 1131 Default Action"; 1132 } 1134 identity mirror { 1135 base ingress-action; 1136 base egress-action; 1137 base default-action; 1138 description 1139 "Identity for mirror"; 1140 reference 1141 "draft-ietf-i2nsf-capability-data-model-17: 1142 I2NSF Capability YANG Data Model - Actions and 1143 Default Action"; 1144 } 1146 identity rate-limit { 1147 base ingress-action; 1148 base egress-action; 1149 base default-action; 1150 description 1151 "Identity for rate limiting action"; 1152 reference 1153 "draft-ietf-i2nsf-capability-data-model-17: 1154 I2NSF Capability YANG Data Model - Actions and 1155 Default Action"; 1156 } 1158 identity log-action { 1159 base action; 1160 description 1161 "Base identity for log action"; 1162 } 1164 identity rule-log { 1165 base log-action; 1166 description 1167 "Identity for rule log"; 1168 } 1170 identity session-log { 1171 base 
log-action; 1172 description 1173 "Identity for session log"; 1174 } 1176 identity invoke-signaling { 1177 base egress-action; 1178 description 1179 "Identity for invoke signaling"; 1180 } 1182 identity tunnel-encapsulation { 1183 base egress-action; 1184 description 1185 "Identity for tunnel encapsulation"; 1186 } 1188 identity forwarding { 1189 base egress-action; 1190 description 1191 "Identity for forwarding"; 1192 } 1194 identity transformation { 1195 base egress-action; 1196 description 1197 "Identity for transformation"; 1198 } 1200 identity redirection { 1201 base egress-action; 1202 description 1203 "Identity for redirection"; 1204 } 1206 identity resolution-strategy { 1207 description 1208 "Base identity for resolution strategy"; 1209 reference 1210 "draft-ietf-i2nsf-capability-data-model-17: 1211 I2NSF Capability YANG Data Model - Resolution Strategy"; 1212 } 1214 identity fmr { 1215 base resolution-strategy; 1216 description 1217 "Identity for First Matching Rule (FMR)"; 1218 reference 1219 "draft-ietf-i2nsf-capability-data-model-17: 1220 I2NSF Capability YANG Data Model - Resolution Strategy"; 1221 } 1223 identity lmr { 1224 base resolution-strategy; 1225 description 1226 "Identity for Last Matching Rule (LMR)"; 1227 reference 1228 "draft-ietf-i2nsf-capability-data-model-17: 1229 I2NSF Capability YANG Data Model - Resolution Strategy"; 1230 } 1232 identity pmr { 1233 base resolution-strategy; 1234 description 1235 "Identity for Prioritized Matching Rule (PMR)"; 1236 reference 1237 "draft-ietf-i2nsf-capability-data-model-17: 1238 I2NSF Capability YANG Data Model - Resolution Strategy"; 1239 } 1241 identity pmre { 1242 base resolution-strategy; 1243 description 1244 "Identity for Prioritized Matching Rule 1245 with Errors (PMRE)"; 1246 reference 1247 "draft-ietf-i2nsf-capability-data-model-17: 1248 I2NSF Capability YANG Data Model - Resolution Strategy"; 1249 } 1251 identity pmrn { 1252 base resolution-strategy; 1253 description 1254 "Identity for 
Prioritized Matching Rule 1255 with No Errors (PMRN)"; 1257 reference 1258 "draft-ietf-i2nsf-capability-data-model-17: 1259 I2NSF Capability YANG Data Model - Resolution Strategy"; 1260 } 1262 identity day { 1263 description 1264 "This represents the base for days."; 1265 } 1267 identity monday { 1268 base day; 1269 description 1270 "This represents Monday."; 1271 } 1273 identity tuesday { 1274 base day; 1275 description 1276 "This represents Tuesday."; 1277 } 1279 identity wednesday { 1280 base day; 1281 description 1282 "This represents Wednesday."; 1283 } 1285 identity thursday { 1286 base day; 1287 description 1288 "This represents Thursday."; 1289 } 1291 identity friday { 1292 base day; 1293 description 1294 "This represents Friday."; 1295 } 1297 identity saturday { 1298 base day; 1299 description 1300 "This represents Saturday."; 1301 } 1303 identity sunday { 1304 base day; 1305 description 1306 "This represents Sunday."; 1307 } 1309 /* 1310 * Typedefs 1311 */ 1313 typedef time { 1314 type string { 1315 pattern '(0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](\.\d+)?' 
1316 + '(Z|[\+\-]((1[0-3]|0[0-9]):([0-5][0-9])|14:00))?'; 1317 } 1318 description 1319 "The time type represents an instance of time of zero-duration 1320 that recurs every day."; 1321 } 1323 /* 1324 * Groupings 1325 */ 1327 grouping ipv4-prefix { 1328 description 1329 "The list of IPv4 addresses."; 1330 leaf ipv4 { 1331 type inet:ipv4-address-no-zone; 1332 description 1333 "The value of IPv4 address."; 1334 } 1335 choice subnet { 1336 description 1337 "The subnet can be specified as a prefix length or 1338 netmask."; 1339 leaf prefix-length { 1340 type uint8 { 1341 range "0..32"; 1342 } 1343 description 1344 "The length of the subnet prefix."; 1345 } 1346 leaf netmask { 1347 type yang:dotted-quad; 1348 description 1349 "The subnet specified as a netmask."; 1350 } 1351 } 1352 reference 1353 "RFC 791: Internet Protocol - IPv4 address 1354 RFC 8344: A YANG Data Model for IP Management"; 1355 } 1357 grouping ipv6-prefix { 1358 description 1359 "The list of IPv6 addresses."; 1360 leaf ipv6 { 1361 type inet:ipv6-address-no-zone; 1362 description 1363 "The value of IPv6 address."; 1364 } 1365 leaf prefix-length { 1366 type uint8 { 1367 range "0..128"; 1368 } 1369 description 1370 "The length of the subnet prefix."; 1371 } 1372 reference 1373 "RFC 8200: Internet Protocol, Version 6 (IPv6) 1374 Specification - IPv6 address 1375 RFC 8344: A YANG Data Model for IP Management"; 1376 } 1378 grouping ipv4-range { 1379 description 1380 "Range match for the IPv4 addresses. If only one value is 1381 needed, then set both start and end to the same value. 
1382 The end IPv4 address MUST be equal or greater than the 1383 start IPv4 address."; 1384 leaf start { 1385 type inet:ipv4-address-no-zone; 1386 description 1387 "Starting IPv4 address for a range match."; 1388 } 1389 leaf end { 1390 type inet:ipv4-address-no-zone; 1391 description 1392 "Ending IPv4 address for a range match."; 1393 } 1394 reference 1395 "RFC 791: Internet Protocol - IPv4 address"; 1396 } 1398 grouping ipv6-range { 1399 description 1400 "Range match for the IPv6 addresses. If only one value is 1401 needed, then set both start and end to the same value. 1402 The end IPv6 address number MUST be equal to or greater than 1403 the start IPv6 address."; 1404 leaf start { 1405 type inet:ipv6-address-no-zone; 1406 description 1407 "Starting IPv6 address for a range match."; 1408 } 1410 leaf end { 1411 type inet:ipv6-address-no-zone; 1412 description 1413 "Ending IPv6 address for a range match."; 1414 } 1415 reference 1416 "RFC 8200: Internet Protocol, Version 6 (IPv6) 1417 Specification - IPv6 address"; 1418 } 1420 grouping ipv4-address { 1421 description 1422 "Grouping for IPv4 address. IPv4 address can be in the form of 1423 prefix or range."; 1424 choice match-type { 1425 description 1426 "Choose between Prefix or Range"; 1427 case prefix { 1428 list ipv4-prefix { 1429 key "ipv4"; 1430 uses ipv4-prefix; 1431 description 1432 "The list of IPv4 addresses specified with an 1433 IPv4 address and a prefix-length or 1434 a netmask."; 1435 } 1436 } 1437 case range { 1438 list ipv4-range { 1439 key "start end"; 1440 uses ipv4-range; 1441 description 1442 "The list of IPv4 address specified with a 1443 start IPv4 address and an end IPv4 address. 1444 If only one value is needed, then set both 1445 start and end to the same value."; 1446 } 1447 } 1448 } 1450 } 1452 grouping ipv6-address { 1453 description 1454 "Grouping for IPv6 address. 
IPv6 address can be in the form of 1455 prefix or range."; 1456 choice match-type { 1457 description 1458 "Choose between Prefix or Range"; 1459 case prefix { 1460 list ipv6-prefix { 1461 key "ipv6"; 1462 uses ipv6-prefix; 1463 description 1464 "The list of IPv6 addresses specified with an 1465 IPv6 address and a prefix-length."; 1466 } 1467 } 1468 case range { 1469 list ipv6-range { 1470 key "start end"; 1471 uses ipv6-range; 1472 description 1473 "The list of IPv6 address specified with a 1474 start IPv6 address and an end IPv6 address. 1475 If only one value is needed, then set both 1476 start and end to the same value."; 1477 } 1478 } 1479 } 1480 } 1482 grouping port-range { 1483 leaf start { 1484 type inet:port-number; 1485 description 1486 "Starting port number for a range match."; 1487 } 1488 leaf end { 1489 type inet:port-number; 1490 must '. >= ../start' { 1491 error-message 1492 "The end port number MUST be equal to or greater than the 1493 start port number."; 1494 } 1495 description 1496 "Ending port number for a range match."; 1497 } 1498 description 1499 "Range match for the port numbers. If only one value is needed, 1500 then set both start and end to the same value."; 1501 reference 1502 "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol 1503 (TCP) Specification - Port Number 1504 RFC 768: User Datagram Protocol - Port Number 1505 RFC 4960: Stream Control Transmission Protocol - Port Number 1506 RFC 4340: Datagram Congestion Control Protocol (DCCP) 1507 - Port Number"; 1508 } 1510 /* 1511 * Data nodes 1512 */ 1514 list i2nsf-security-policy { 1516 key "system-policy-name"; 1518 description 1519 "Container for security policy 1520 including a set of security rules according to certain logic, 1521 i.e., their similarity or mutual relations, etc. The network 1522 security policy can be applied to both the unidirectional 1523 and bidirectional traffic across the NSF. 
1524 The I2NSF security policies use the Event-Condition-Action 1525 (ECA) policy model "; 1527 reference 1528 "RFC 8329: Framework for Interface to Network Security 1529 Functions - I2NSF Flow Security Policy Structure 1530 draft-ietf-i2nsf-capability-data-model-17: 1531 I2NSF Capability YANG Data Model - Design Principles and 1532 ECA Policy Model Overview"; 1534 leaf system-policy-name { 1535 type string; 1536 description 1537 "The name of the policy. 1538 This must be unique."; 1539 } 1541 leaf priority-usage { 1542 type identityref { 1543 base priority-usage; 1544 } 1545 default priority-by-order; 1546 description 1547 "Priority usage type for security policy rule: 1548 priority by order and priority by number"; 1549 } 1551 leaf resolution-strategy { 1552 type identityref { 1553 base resolution-strategy; 1554 } 1555 default fmr; 1556 description 1557 "The resolution strategies that can be used to 1558 specify how to resolve conflicts that occur between 1559 actions of the same or different policy rules that 1560 are matched and contained in this particular NSF"; 1562 reference 1563 "draft-ietf-i2nsf-capability-data-model-17: 1564 I2NSF Capability YANG Data Model - Resolution strategy"; 1565 } 1567 leaf default-action { 1568 type identityref { 1569 base default-action; 1570 } 1571 default mirror; 1572 description 1573 "This default action can be used to specify a predefined 1574 action when no other alternative action was matched 1575 by the currently executing I2NSF Policy Rule. 
An analogy 1576 is the use of a default statement in a C switch statement."; 1577 reference 1578 "draft-ietf-i2nsf-capability-data-model-17: 1579 I2NSF Capability YANG Data Model - Default Action"; 1580 } 1582 list rules { 1583 key "rule-name"; 1584 description 1585 "This is a rule for network security functions."; 1587 leaf rule-name { 1588 type string; 1589 description 1590 "The name of the rule."; 1591 } 1593 leaf rule-description { 1594 type string; 1595 description 1596 "This description gives more information about 1597 rules."; 1598 } 1600 leaf rule-priority { 1601 type uint8 { 1602 range "1..255"; 1603 } 1604 description 1605 "The priority keyword comes with a mandatory 1606 numeric value which can range from 1 up to 255. 1607 Note that a higher number means a higher priority"; 1608 } 1610 leaf rule-enable { 1611 type boolean; 1612 description 1613 "True is enable. 1614 False is not enable."; 1615 } 1617 leaf session-aging-time { 1618 type uint16; 1619 units "second"; 1620 description 1621 "This is session aging time."; 1622 } 1624 container long-connection { 1625 description 1626 "A container for long connection. A long connection is a 1627 connection that is maintained after the socket connection 1628 is established, regardless of whether it is used for data 1629 traffic or not."; 1631 leaf enable { 1632 type boolean; 1633 description 1634 "True is enabled. 1635 False is not enabled."; 1636 } 1638 leaf duration { 1639 type uint16; 1640 units "second"; 1641 description 1642 "This is the duration of the long-connection."; 1643 } 1644 } 1646 container event { 1647 description 1648 "An event is defined as any important 1649 occurrence in time of a change in the system being 1650 managed, and/or in the environment of the system being 1651 managed. When used in the context of policy rules for 1652 a flow-based NSF, it is used to determine whether the 1653 Condition clause of the Policy Rule can be evaluated 1654 or not. 
Examples of an I2NSF event include time and 1655 user actions (e.g., logon, logoff, and actions that 1656 violate any ACL.)."; 1658 reference 1659 "RFC 8329: Framework for Interface to Network Security 1660 Functions - I2NSF Flow Security Policy Structure 1661 draft-ietf-i2nsf-capability-data-model-17: 1662 I2NSF Capability YANG Data Model - Design Principles and 1663 ECA Policy Model Overview 1664 draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF 1665 NSF Monitoring YANG Data Model - Alarms, Events, Logs, 1666 and Counters"; 1668 leaf event-clause-description { 1669 type string; 1670 description 1671 "Description for an event clause"; 1672 } 1674 container time { 1675 description 1676 "Time to determine when the policy should be applied"; 1677 leaf start-date-time { 1678 type yang:date-and-time; 1679 description 1680 "This is the start date and time for a security policy 1681 rule."; 1682 } 1684 leaf end-date-time { 1685 type yang:date-and-time; 1686 description 1687 "This is the end date and time for a policy rule. The 1688 policy rule will stop working after the specified 1689 end-date-time."; 1691 } 1693 container period { 1694 when 1695 "../frequency!='only-once'"; 1696 description 1697 "This represents the repetition time. In the case 1698 where the frequency is weekly, the days can be set."; 1699 leaf start-time { 1700 type time; 1701 description 1702 "This is a period's start time for an event."; 1703 } 1704 leaf end-time { 1705 type time; 1706 description 1707 "This is a period's end time for an event."; 1708 } 1709 leaf-list day { 1710 when 1711 "../../frequency='weekly'"; 1712 type identityref{ 1713 base day; 1714 } 1715 min-elements 1; 1716 description 1717 "This represents the repeated day of every week 1718 (e.g., Monday and Tuesday). 
More than one day can 1719 be specified."; 1720 } 1721 leaf-list date { 1722 when 1723 "../../frequency='monthly'"; 1724 type int32{ 1725 range "1..31"; 1726 } 1727 min-elements 1; 1728 description 1729 "This represents the repeated date of every month. 1730 More than one date can be specified."; 1731 } 1732 leaf-list month { 1733 when 1734 "../../frequency='yearly'"; 1735 type string{ 1736 pattern '\d{2}-\d{2}'; 1737 } 1738 min-elements 1; 1739 description 1740 "This represents the repeated date and month of every 1741 year. More than one can be specified. A pattern 1742 used here is Month and Date (MM-DD)."; 1743 } 1744 } 1746 leaf frequency { 1747 type enumeration { 1748 enum only-once { 1749 description 1750 "This represents that the rule is immediately 1751 enforcedonly once and not repeated. The policy 1752 will continuously be active from the start-time 1753 to the end-time."; 1754 } 1755 enum daily { 1756 description 1757 "This represents that the rule is enforced on a 1758 daily basis. The policy will be repeated 1759 daily until the end-date."; 1760 } 1761 enum weekly { 1762 description 1763 "This represents that the rule is enforced on a 1764 weekly basis. The policy will be repeated weekly 1765 until the end-date. The repeated days can be 1766 specified."; 1767 } 1768 enum monthly { 1769 description 1770 "This represents that the rule is enforced on a 1771 monthly basis. The policy will be repeated monthly 1772 until the end-date."; 1773 } 1774 enum yearly { 1775 description 1776 "This represents that the rule is enforced on 1777 a yearly basis. 
The policy will be repeated 1778 yearly until the end-date."; 1779 } 1780 } 1781 default only-once; 1782 description 1783 "This represents how frequently the rule 1784 should be enforced."; 1785 } 1786 } 1787 container event-clauses { 1788 description 1789 "System Event Clause - either a system event or 1790 system alarm"; 1791 reference 1792 "RFC 8329: Framework for Interface to Network Security 1793 Functions - I2NSF Flow Security Policy Structure 1794 draft-ietf-i2nsf-capability-data-model-17: 1795 I2NSF Capability YANG Data Model - Design Principles and 1796 ECA Policy Model Overview 1797 draft-ietf-i2nsf-nsf-monitoring-data-model-09: I2NSF 1798 NSF Monitoring YANG Data Model - Alarms, Events, Logs, 1799 and Counters"; 1801 leaf-list system-event { 1802 type identityref { 1803 base system-event; 1804 } 1805 description 1806 "The security policy rule according to 1807 system events."; 1808 } 1810 leaf-list system-alarm { 1811 type identityref { 1812 base system-alarm; 1813 } 1814 description 1815 "The security policy rule according to 1816 system alarms."; 1817 } 1818 } 1819 } 1821 container condition { 1822 description 1823 "A condition is defined as a set 1824 of attributes, features, and/or values that are to be 1825 compared with a set of known attributes, features, 1826 and/or values in order to determine whether or not the 1827 set of Actions in that (imperative) I2NSF Policy Rule 1828 can be executed or not. 
Examples of I2NSF Conditions 1829 include matching attributes of a packet or flow, and 1830 comparing the internal state of an NSF to a desired 1831 state."; 1832 reference 1833 "RFC 8329: Framework for Interface to Network Security 1834 Functions - I2NSF Flow Security Policy Structure 1835 draft-ietf-i2nsf-capability-data-model-17: 1836 I2NSF Capability YANG Data Model - Design Principles and 1837 ECA Policy Model Overview"; 1839 leaf condition-clause-description { 1840 type string; 1841 description 1842 "Description for a condition clause."; 1843 } 1845 container ethernet { 1846 description 1847 "The purpose of this container is to represent layer 2 1848 packet header information to determine the set of policy 1849 actions in this ECA policy rule should be executed or 1850 not."; 1851 reference 1852 "IEEE 802.3: IEEE Standard for Ethernet"; 1854 leaf ethernet-description { 1855 type string; 1856 description 1857 "The MAC Condition description"; 1858 } 1860 leaf-list source-address { 1861 type yang:mac-address; 1862 description 1863 "The condition for source Media Access Control (MAC) 1864 Address of a Layer 2 packet. Multiple source MAC 1865 Addresses can be given in a single rule."; 1866 reference 1867 "IEEE 802.3: IEEE Standard for Ethernet"; 1868 } 1870 leaf-list destination-address { 1871 type yang:mac-address; 1872 description 1873 "The condition for destination Media Access Control 1874 (MAC) Address of a Layer 2 packet. Multiple 1875 destination MAC Addresses can be given in a 1876 single rule."; 1877 reference 1878 "IEEE 802.3: IEEE Standard for Ethernet"; 1879 } 1881 leaf-list ether-type { 1882 type uint16; 1883 description 1884 "The condition for matching the 2-octet of IEEE 802.3 1885 Length/Type field. 
Can be specified with decimal or 1886 hexadecimal from 0 through 65535 (0xFFFF) 1888 A value from 0 through 1500 (0x05DC) specifies the 1889 number of MAC client data octets contained in the 1890 subsequent MAC Client Data Field of the basic frame 1892 A value greater than or equal to 1536 (0x0600) 1893 specifies that the Length/Type field indicates 1894 Ethertype of the MAC client protocol"; 1895 reference 1896 "IEEE 802.3: IEEE Standard for Ethernet"; 1897 } 1898 } 1900 container ipv4 { 1901 description 1902 "The purpose of this container is to represent IPv4 1903 packet header information to determine if the set 1904 of policy actions in this ECA policy rule should be 1905 executed or not."; 1906 reference 1907 "RFC 791: Internet Protocol"; 1909 leaf description { 1910 type string; 1911 description 1912 "ipv4 condition textual description."; 1913 } 1915 list header-length { 1916 key "start end"; 1917 leaf start{ 1918 type uint8 { 1919 range "5..15"; 1920 } 1921 description 1922 "Starting IPv4 header length for a range match."; 1923 } 1925 leaf end { 1926 type uint8 { 1927 range "5..15"; 1928 } 1929 must '. >= ../start' { 1930 error-message 1931 "The end header length MUST be equal to or greater 1932 than the start header length."; 1933 } 1934 description 1935 "Ending IPv4 header length for a range match."; 1936 } 1937 description 1938 "The security policy rule according to 1939 IPv4 header length. 
If only one value is needed, then 1940 set both start and end to the same value."; 1941 reference 1942 "RFC 791: Internet Protocol - Header length"; 1943 } 1945 leaf-list dscp { 1946 type inet:dscp; 1947 description 1948 "The security policy rule according to 1949 IPv4 type of service for DSCP."; 1950 reference 1951 "RFC 791: Internet Protocol - Type of service 1952 RFC 2474: Definition of the Differentiated 1953 Services Field (DS Field) in the IPv4 and 1954 IPv6 Headers."; 1955 } 1957 list total-length { 1958 key "start end"; 1959 leaf start { 1960 type uint16; 1961 description 1962 "Starting IPv4 total length for a range match."; 1963 } 1964 leaf end { 1965 type uint16; 1966 must '. >= ../start' { 1967 error-message 1968 "The end total length MUST be equal to or greater 1969 than the start total length."; 1970 } 1971 description 1972 "Ending IPv4 total length for a range match."; 1973 } 1974 description 1975 "The security policy rule according to 1976 IPv4 total length. If only one value is needed, then 1977 set both start and end to the same value."; 1978 reference 1979 "RFC 791: Internet Protocol - Total length"; 1980 } 1982 leaf-list identification { 1983 type uint16; 1984 description 1985 "The security policy rule according to 1986 IPv4 identification."; 1987 reference 1988 "RFC 791: Internet Protocol - Identification"; 1989 } 1991 leaf-list fragment-flags { 1992 type identityref { 1993 base fragmentation-flags; 1994 } 1995 description 1996 "The security policy rule according to 1997 IPv4 fragment flags."; 1998 reference 1999 "RFC 791: Internet Protocol - Fragment flags"; 2000 } 2002 list fragment-offset { 2003 key "start end"; 2004 leaf start { 2005 type uint16 { 2006 range "0..16383"; 2007 } 2008 description 2009 "Starting IPv4 fragment offset for a range match."; 2010 } 2011 leaf end { 2012 type uint16 { 2013 range "0..16383"; 2014 } 2015 must '. 
>= ../start' { 2016 error-message 2017 "The end fragment offset MUST be equal or greater 2018 than the start fragment offset."; 2019 } 2020 description 2021 "Ending IPv4 fragment offset for a range match."; 2022 } 2023 description 2024 "The security policy rule according to 2025 IPv4 fragment offset."; 2026 reference 2027 "RFC 791: Internet Protocol - Fragment offset"; 2028 } 2030 list ttl { 2031 key "start end"; 2032 leaf start { 2033 type uint8; 2034 description 2035 "Starting IPv4 TTL for a range match."; 2036 } 2037 leaf end { 2038 type uint8; 2039 must '. >= ../start' { 2040 error-message 2041 "The end TTL MUST be equal or greater than 2042 the start TTL."; 2043 } 2044 description 2045 "Ending IPv4 TTL for a range match."; 2046 } 2047 description 2048 "The security policy rule according to 2049 IPv4 time-to-live (TTL). If only one value is needed, 2050 then set both start and end to the same value."; 2051 reference 2052 "RFC 791: Internet Protocol - Time to live"; 2053 } 2055 leaf-list protocol { 2056 type uint8; 2057 description 2058 "The security policy rule according to 2059 IPv4 protocol header field."; 2060 reference 2061 "RFC 791: Internet Protocol - Protocol 2062 IANA: Assigned Internet Protocol Numbers"; 2063 } 2065 container source-address { 2066 uses ipv4-address; 2067 description 2068 "The security policy rule according to 2069 IPv4 source address."; 2070 reference 2071 "RFC 791: Internet Protocol - IPv4 Address"; 2072 } 2074 container destination-address { 2075 uses ipv4-address; 2076 description 2077 "The security policy rule according to 2078 IPv4 destination address."; 2079 reference 2080 "RFC 791: Internet Protocol - IPv4 Address"; 2081 } 2083 leaf-list ipopts { 2084 type identityref { 2085 base ipopts; 2086 } 2087 description 2088 "The security policy rule according to 2089 IPv4 options."; 2090 reference 2091 "RFC 791: Internet Protocol - Options"; 2092 } 2093 } 2095 container ipv6 { 2096 description 2097 "The purpose of this container is to 
represent 2098 IPv6 packet header information to determine 2099 if the set of policy actions in this ECA policy 2100 rule should be executed or not."; 2101 reference 2102 "RFC 8200: Internet Protocol, Version 6 (IPv6) 2103 Specification"; 2105 leaf description { 2106 type string; 2107 description 2108 "This is description for ipv6 condition."; 2109 } 2111 leaf-list dscp { 2112 type inet:dscp; 2113 description 2114 "The security policy rule according to 2115 IPv6 traffic class for DSCP."; 2116 reference 2117 "RFC 8200: Internet Protocol, Version 6 (IPv6) 2118 Specification - Traffic class 2119 RFC 2474: Definition of the Differentiated 2120 Services Field (DS Field) in the IPv4 and 2121 IPv6 Headers."; 2123 } 2125 list flow-label { 2126 key "start end"; 2127 leaf start { 2128 type inet:ipv6-flow-label; 2129 description 2130 "Starting IPv6 flow label for a range match."; 2131 } 2132 leaf end { 2133 type inet:ipv6-flow-label; 2134 must '. >= ../start' { 2135 error-message 2136 "The end flow label MUST be equal or greater than 2137 the start flow label."; 2138 } 2139 description 2140 "Ending IPv6 flow label for a range match."; 2141 } 2142 description 2143 "The security policy rule according to 2144 IPv6 flow label. If only one value is needed, 2145 then set both start and end to the same value."; 2146 reference 2147 "RFC 8200: Internet Protocol, Version 6 (IPv6) 2148 Specification - Flow label"; 2149 } 2151 list payload-length { 2152 key "start end"; 2153 leaf start { 2154 type uint16; 2155 description 2156 "Starting IPv6 payload length for a range match."; 2157 } 2158 leaf end { 2159 type uint16; 2160 must '. >= ../start' { 2161 error-message 2162 "The end payload length MUST be equal or greater 2163 than the start payload length."; 2164 } 2165 description 2166 "Ending IPv6 payload length for a range match."; 2167 } 2168 description 2169 "The security policy rule according to 2170 IPv6 payload length. 
If only one value is needed, 2171 then set both start and end to the same value."; 2172 reference 2173 "RFC 8200: Internet Protocol, Version 6 (IPv6) 2174 Specification - Payload length"; 2175 } 2177 leaf-list next-header { 2178 type uint8; 2179 description 2180 "The security policy rule according to 2181 IPv6 next header."; 2182 reference 2183 "RFC 8200: Internet Protocol, Version 6 (IPv6) 2184 Specification - Next header 2185 IANA: Assigned Internet Protocol Numbers"; 2186 } 2188 list hop-limit { 2189 key "start end"; 2190 leaf start { 2191 type uint8; 2192 description 2193 "Start IPv6 hop limit for a range match."; 2194 } 2195 leaf end { 2196 type uint8; 2197 must '. >= ../start' { 2198 error-message 2199 "The end hop limit MUST be equal or greater than 2200 the start hop limit."; 2201 } 2202 description 2203 "End IPv6 hop limit for a range match."; 2204 } 2205 description 2206 "The security policy rule according to 2207 IPv6 hop limit. If only one value is needed, 2208 then set both start and end to the same value."; 2209 reference 2210 "RFC 8200: Internet Protocol, Version 6 (IPv6) 2211 Specification - Hop limit"; 2212 } 2214 container source-address { 2215 uses ipv6-address; 2216 description 2217 "The security policy rule according to 2218 IPv6 source address."; 2220 reference 2221 "RFC 8200: Internet Protocol, Version 6 (IPv6) 2222 Specification - IPv6 address"; 2223 } 2225 container destination-address { 2226 uses ipv6-address; 2227 description 2228 "The security policy rule according to 2229 IPv6 destination address."; 2230 reference 2231 "RFC 8200: Internet Protocol, Version 6 (IPv6) 2232 Specification - IPv6 address"; 2233 } 2234 } 2236 container tcp { 2237 description 2238 "The purpose of this container is to represent 2239 TCP packet header information to determine 2240 if the set of policy actions in this ECA policy 2241 rule should be executed or not."; 2242 reference 2243 "draft-ietf-tcpm-rfc793bis-25: Transmission Control 2244 Protocol (TCP) 
Specification"; 2246 leaf description { 2247 type string; 2248 description 2249 "This is description for tcp condition."; 2250 } 2252 list source-port-number { 2253 key "start end"; 2254 uses port-range; 2255 description 2256 "The security policy rule according to 2257 tcp source port number."; 2258 reference 2259 "draft-ietf-tcpm-rfc793bis-25: Transmission Control 2260 Protocol (TCP) Specification - Port Number"; 2261 } 2263 list destination-port-number { 2264 key "start end"; 2265 uses port-range; 2266 description 2267 "The security policy rule according to 2268 tcp destination port number."; 2269 reference 2270 "draft-ietf-tcpm-rfc793bis-25: Transmission Control 2271 Protocol (TCP) Specification - Port Number"; 2272 } 2274 leaf-list flags { 2275 type identityref { 2276 base tcp-flags; 2277 } 2278 description 2279 "The security policy rule according to 2280 tcp flags."; 2281 reference 2282 "draft-ietf-tcpm-rfc793bis-25: Transmission Control 2283 Protocol (TCP) Specification - Flags"; 2284 } 2285 } 2287 container udp { 2288 description 2289 "The purpose of this container is to represent 2290 UDP packet header information to determine 2291 if the set of policy actions in this ECA policy 2292 rule should be executed or not."; 2293 reference 2294 "RFC 768: User Datagram Protocol"; 2296 leaf description { 2297 type string; 2298 description 2299 "This is description for udp condition."; 2300 } 2302 container source-port-number { 2303 uses port-range; 2304 description 2305 "The security policy rule according to 2306 udp source port number."; 2307 reference 2308 "RFC 768: User Datagram Protocol - Port Number"; 2309 } 2311 container destination-port-number { 2312 uses port-range; 2313 description 2314 "The security policy rule according to 2315 udp destination port number."; 2316 reference 2317 "RFC 768: User Datagram Protocol - Port Number"; 2318 } 2320 list total-length { 2321 key "start end"; 2322 leaf start { 2323 type uint32; 2324 description 2325 "Start udp total 
length for a range match."; 2326 } 2327 leaf end { 2328 type uint32; 2329 must '. >= ../start' { 2330 error-message 2331 "The end total length MUST be equal or greater than 2332 the start total length."; 2333 } 2334 description 2335 "Ending udp total length for a range match."; 2336 } 2337 description 2338 "The security policy rule according to 2339 udp total length. If only one value is needed, 2340 then set both start and end to the same value."; 2341 reference 2342 "RFC 768: User Datagram Protocol - Total Length"; 2343 } 2344 } 2346 container sctp { 2347 description 2348 "The purpose of this container is to represent 2349 SCTP packet header information to determine 2350 if the set of policy actions in this ECA policy 2351 rule should be executed or not."; 2352 leaf description { 2353 type string; 2354 description 2355 "This is the description for the sctp condition."; 2356 } 2358 container source-port-number { 2359 uses port-range; 2360 description 2361 "The security policy rule according to 2362 sctp source port number."; 2364 reference 2365 "RFC 4960: Stream Control Transmission Protocol 2366 - Port number"; 2367 } 2369 container destination-port-number { 2370 uses port-range; 2371 description 2372 "The security policy rule according to 2373 sctp destination port number."; 2374 reference 2375 "RFC 4960: Stream Control Transmission Protocol 2376 - Port Number"; 2377 } 2379 leaf-list verification-tag { 2380 type uint32; 2381 description 2382 "The security policy rule according to 2383 sctp verification tag."; 2384 reference 2385 "RFC 4960: Stream Control Transmission Protocol 2386 - Verification Tag"; 2387 } 2389 leaf-list chunk-type { 2390 type uint8; 2391 description 2392 "The security policy rule according to 2393 sctp chunk type ID Value."; 2394 reference 2395 "RFC 4960: Stream Control Transmission Protocol 2396 - Chunk Type"; 2397 } 2398 } 2400 container dccp { 2401 description 2402 "The purpose of this container is to represent 2403 DCCP packet header information to determine
2404 if the set of policy actions in this ECA policy 2405 rule should be executed or not."; 2406 leaf description { 2407 type string; 2408 description 2409 "This is the description for the dccp condition."; 2410 } 2411 container source-port-number { 2412 uses port-range; 2413 description 2414 "The security policy rule according to 2415 dccp source port number."; 2416 reference 2417 "RFC 4340: Datagram Congestion Control Protocol (DCCP) 2418 - Port number"; 2419 } 2421 container destination-port-number { 2422 uses port-range; 2423 description 2424 "The security policy rule according to 2425 dccp destination port number."; 2426 reference 2427 "RFC 4340: Datagram Congestion Control Protocol (DCCP) 2428 - Port number"; 2429 } 2431 leaf-list service-code { 2432 type uint32; 2433 description 2434 "The security policy rule according to 2435 dccp service code."; 2436 reference 2437 "RFC 4340: Datagram Congestion Control Protocol (DCCP) 2438 - Service Codes 2439 RFC 5595: The Datagram Congestion Control Protocol 2440 (DCCP) Service Codes 2441 RFC 6335: Internet Assigned Numbers Authority (IANA) 2442 Procedures for the Management of the Service 2443 Name and Transport Protocol Port Number 2444 Registry - Service Code"; 2445 } 2446 } 2448 list icmp { 2449 key "version"; 2450 description 2451 "The purpose of this list is to represent 2452 ICMP packet header information to determine 2453 if the set of policy actions in this ECA policy 2454 rule should be executed or not."; 2455 reference 2456 "RFC 792: Internet Control Message Protocol 2457 RFC 8335: PROBE: A Utility for Probing Interfaces"; 2459 leaf description { 2460 type string; 2461 description 2462 "This is the description for the icmp condition."; 2463 } 2465 leaf version { 2466 type enumeration { 2467 enum icmpv4 { 2468 value "1"; 2469 description 2470 "The ICMPv4 Protocol as defined in RFC 792"; 2471 } 2472 enum icmpv6 { 2473 value "2"; 2474 description 2475 "The ICMPv6 Protocol as defined in RFC 4443"; 2476 } 2477 } 2478
description 2479 "The ICMP version to be matched. This value 2480 determines which IANA registry the type and code 2481 values are taken from."; 2481 reference 2482 "RFC 792: Internet Control Message Protocol 2483 RFC 4443: Internet Control Message Protocol (ICMPv6) 2484 for the Internet Protocol Version 6 (IPv6) 2485 Specification"; 2486 } 2488 leaf-list type { 2489 type uint8; 2490 description 2491 "The security policy rule according to the 2492 ICMPv4 or ICMPv6 type header field. 2494 The meaning of this leaf-list depends on 2495 the value of the leaf version. 2497 If the version value is icmpv4, the type follows 2498 the IANA ICMP Parameters. 2500 If the version value is icmpv6, the type follows 2501 the IANA ICMPv6 Parameters."; 2502 reference 2503 "RFC 792: Internet Control Message Protocol 2504 RFC 4443: Internet Control Message Protocol (ICMPv6) 2505 for the Internet Protocol Version 6 (IPv6) 2506 Specification 2508 RFC 8335: PROBE: A Utility for Probing Interfaces 2509 IANA: Internet Control Message Protocol (ICMP) 2510 Parameters 2511 IANA: Internet Control Message Protocol version 6 2512 (ICMPv6) Parameters"; 2513 } 2515 leaf-list code { 2516 type uint8; 2517 description 2518 "The security policy rule according to the 2519 ICMPv4 or ICMPv6 code header field. 2521 The meaning of this leaf-list depends on 2522 the value of the leaf version. 2524 If the version value is icmpv4, the code follows 2525 the IANA ICMP parameters.
2527 If the version value is icmpv6, the code follows 2528 the IANA ICMPv6 parameters."; 2529 reference 2530 "RFC 792: Internet Control Message Protocol 2531 RFC 4443: Internet Control Message Protocol (ICMPv6) 2532 for the Internet Protocol Version 6 (IPv6) 2533 Specification 2534 RFC 8335: PROBE: A Utility for Probing Interfaces 2535 IANA: Internet Control Message Protocol (ICMP) 2536 Parameters 2537 IANA: Internet Control Message Protocol version 6 2538 (ICMPv6) Parameters"; 2539 } 2540 } 2542 container url-category { 2543 description 2544 "Condition for url category"; 2545 leaf description { 2546 type string; 2547 description 2548 "This is the description for the condition of a URL's 2549 category such as SNS sites, game sites, ecommerce 2550 sites, company sites, and university sites."; 2551 } 2553 leaf-list pre-defined-category { 2554 type string; 2555 description 2556 "A URL category pre-defined by the NSF vendor."; 2557 } 2558 leaf-list user-defined-category { 2559 type string; 2560 description 2561 "A URL category defined by the user."; 2562 } 2563 } 2565 container voice { 2566 description 2567 "For the VoIP/VoLTE security system, a VoIP/ 2568 VoLTE security system can monitor each 2569 VoIP/VoLTE flow and manage VoIP/VoLTE 2570 security rules controlled by a centralized 2571 server for VoIP/VoLTE security service 2572 (called VoIP IPS).
The VoIP/VoLTE security 2573 system controls each switch for the 2574 VoIP/VoLTE call flow management by 2575 manipulating the rules that can be added, 2576 deleted, or modified dynamically."; 2577 reference 2578 "RFC 3261: SIP: Session Initiation Protocol"; 2580 leaf description { 2581 type string; 2582 description 2583 "This is the description for the voice condition."; 2584 } 2586 leaf-list source-voice-id { 2587 type string; 2588 description 2589 "The security policy rule according to 2590 a source voice ID for VoIP and VoLTE."; 2591 } 2593 leaf-list destination-voice-id { 2594 type string; 2595 description 2596 "The security policy rule according to 2597 a destination voice ID for VoIP and VoLTE."; 2598 } 2600 leaf-list user-agent { 2601 type string; 2602 description 2603 "The security policy rule according to 2604 a user agent for VoIP and VoLTE."; 2605 } 2606 } 2608 container ddos { 2609 description 2610 "Condition for DDoS attack."; 2612 leaf description { 2613 type string; 2614 description 2615 "This is the description for the ddos condition."; 2616 } 2618 leaf alert-packet-rate { 2619 type uint32; 2620 units "pps"; 2621 description 2622 "The alert rate of flood detection for 2623 packets per second (PPS) of an IP address."; 2624 } 2626 leaf alert-flow-rate { 2627 type uint32; 2628 description 2629 "The alert rate of flood detection for 2630 flows per second of an IP address."; 2631 } 2633 leaf alert-byte-rate { 2634 type uint32; 2635 units "BPS"; 2636 description 2637 "The alert rate of flood detection for 2638 bytes per second (not bits per second) of an IP 2639 address."; 2639 } 2640 } 2642 container anti-virus { 2643 description 2644 "Condition for antivirus"; 2646 leaf-list profile { 2647 type string; 2648 description 2649 "The security profile for antivirus. This is used to 2650 update the security profile for improving the 2651 security.
The security profile is used to scan 2652 for viruses."; 2653 } 2655 leaf-list exception-files { 2656 type string; 2657 description 2658 "The type or name of the files to be excluded by the 2659 anti-virus. This can be used to keep the known 2660 harmless files."; 2661 } 2662 } 2664 container payload { 2665 description 2666 "Condition for packet payload"; 2667 leaf packet-payload-description { 2668 type string; 2669 description 2670 "This is the description for the payload condition."; 2671 } 2672 leaf-list payload-content { 2673 type string; 2674 description 2675 "The content that must appear in the packet payload 2676 for this condition to match."; 2676 } 2677 } 2679 container context { 2680 description 2681 "Condition for context"; 2682 leaf context-description { 2683 type string; 2684 description 2685 "This is the description for the context condition."; 2686 } 2688 container application { 2689 description 2690 "Condition for application"; 2691 leaf description { 2692 type string; 2693 description 2694 "This is the description for the application condition."; 2695 } 2696 leaf-list object { 2697 type string; 2698 description 2699 "The application object to be matched."; 2701 } 2702 leaf-list group { 2703 type string; 2704 description 2705 "The application group to be matched."; 2706 } 2707 leaf-list label { 2708 type string; 2709 description 2710 "The application label to be matched."; 2711 } 2712 container category { 2713 description 2714 "This is the application category"; 2715 list application-category { 2716 key "name subcategory"; 2717 description 2718 "This is the application category list"; 2720 leaf name { 2721 type string; 2722 description 2723 "This is the name of the application category."; 2724 } 2725 leaf subcategory { 2726 type string; 2727 description 2728 "This is the application subcategory."; 2729 } 2730 } 2731 } 2732 } 2734 container target { 2735 description 2736 "Condition for target"; 2737 leaf description { 2738 type string; 2739 description 2740 "This is the description for the target condition.
2741 Vendors can describe vendor-specific target 2742 conditions here."; 2743 } 2745 leaf-list device { 2746 type identityref { 2747 base target-device; 2748 } 2749 description 2750 "The device attribute that can identify a device, 2751 including the device type (e.g., router, switch, 2752 pc, ios, or android) and the device's owner as 2753 well."; 2754 } 2755 } 2757 container users { 2758 description 2759 "Condition for users"; 2760 leaf users-description { 2761 type string; 2762 description 2763 "This is the description for the users condition."; 2764 } 2765 list user { 2766 key "user-id"; 2767 description 2768 "The user with which the traffic flow is associated 2769 can be identified by either a user id or user name. 2770 The user-to-IP address mapping is assumed to be 2771 provided by the unified user management system via 2772 network."; 2773 leaf user-id { 2774 type uint32; 2775 description 2776 "The ID of the user."; 2777 } 2778 leaf user-name { 2779 type string; 2780 description 2781 "The name of the user."; 2782 } 2783 } 2784 list group { 2785 key "group-id"; 2786 description 2787 "The user group with which the traffic flow is 2788 associated can be identified by either a group id 2789 or group name. The group-to-IP address and 2790 user-to-group mappings are assumed to be provided by 2791 the unified user management system via network."; 2792 leaf group-id { 2793 type uint32; 2794 description 2795 "The ID of the group."; 2796 } 2797 leaf group-name { 2798 type string; 2799 description 2800 "The name of the group."; 2801 } 2802 } 2804 leaf security-group { 2805 type string; 2806 description 2807 "The security group with which the traffic flow 2808 is associated."; 2808 } 2809 } 2811 container geography-location { 2812 description 2813 "The location with which the network traffic flow is 2814 associated.
The region can be the geographical location 2815 such as country, province, and city, 2816 as well as the logical network location such as 2817 IP address, network section, and network domain."; 2819 leaf description { 2820 type string; 2821 description 2822 "This is the description for the geography-location 2823 condition. Vendors can describe vendor-specific 2824 location conditions here."; 2825 } 2827 leaf-list source { 2828 type string; 2829 description 2830 "The src-geography-location is a geographical 2831 location mapped into an IP address. It matches the 2832 mapped IP address to the source IP address of the 2833 traffic flow."; 2834 reference 2835 "ISO 3166: Codes for the representation of 2836 names of countries and their subdivisions"; 2837 } 2839 leaf-list destination { 2840 type string; 2841 description 2842 "The dest-geography-location is a geographical 2843 location mapped into an IP address. It matches the 2844 mapped IP address to the destination IP address of 2845 the traffic flow."; 2846 reference 2847 "ISO 3166: Codes for the representation of 2848 names of countries and their subdivisions"; 2849 } 2850 } 2851 } 2852 } 2854 container action { 2855 description 2856 "An action is used to control and monitor aspects of 2857 flow-based NSFs when the event and condition clauses 2858 are satisfied. NSFs provide security functions by 2859 executing various Actions.
Examples of I2NSF Actions 2860 include providing intrusion detection and/or protection, 2861 web and flow filtering, and deep packet inspection 2862 for packets and flows."; 2863 reference 2864 "RFC 8329: Framework for Interface to Network Security 2865 Functions - I2NSF Flow Security Policy Structure 2866 draft-ietf-i2nsf-capability-data-model-17: 2867 I2NSF Capability YANG Data Model - Design Principles and 2868 ECA Policy Model Overview"; 2870 leaf action-clause-description { 2871 type string; 2872 description 2873 "Description for an action clause."; 2874 } 2876 container packet-action { 2877 description 2878 "Action for packets"; 2879 reference 2880 "RFC 8329: Framework for Interface to Network Security 2881 Functions - I2NSF Flow Security Policy Structure 2882 draft-ietf-i2nsf-capability-data-model-17: 2883 I2NSF Capability YANG Data Model - Design Principles and 2884 ECA Policy Model Overview"; 2886 leaf ingress-action { 2887 type identityref { 2888 base ingress-action; 2889 } 2890 description 2891 "Ingress Action: pass, drop, rate-limit, and 2892 mirror."; 2894 } 2896 leaf egress-action { 2897 type identityref { 2898 base egress-action; 2899 } 2900 description 2901 "Egress action: pass, drop, rate-limit, mirror, 2902 invoke-signaling, tunnel-encapsulation, forwarding, 2903 and redirection."; 2904 } 2906 leaf log-action { 2907 type identityref { 2908 base log-action; 2909 } 2910 description 2911 "Log action: rule log and session log"; 2912 } 2914 } 2916 container flow-action { 2917 description 2918 "Action for flows"; 2919 reference 2920 "RFC 8329: Framework for Interface to Network Security 2921 Functions - I2NSF Flow Security Policy Structure 2922 draft-ietf-i2nsf-capability-data-model-17: 2923 I2NSF Capability YANG Data Model - Design Principles and 2924 ECA Policy Model Overview"; 2926 leaf ingress-action { 2927 type identityref { 2928 base ingress-action; 2929 } 2930 description 2931 "Action: pass, drop, rate-limit, and mirror."; 2932 } 2934 leaf 
egress-action { 2935 type identityref { 2936 base egress-action; 2937 } 2938 description 2939 "Egress action: pass, drop, rate-limit, mirror, 2940 invoke-signaling, tunnel-encapsulation, forwarding, 2941 and redirection."; 2943 } 2945 leaf log-action { 2946 type identityref { 2947 base log-action; 2948 } 2949 description 2950 "Log action: rule log and session log"; 2951 } 2952 } 2954 container advanced-action { 2955 description 2956 "If the packet needs to be additionally inspected, 2957 the packet is passed to advanced network 2958 security functions according to the profile. 2959 The profile means the types of NSFs where the packet 2960 will be forwarded in order to additionally 2961 inspect the packet. 2962 The advanced action activates Service Function 2963 Chaining (SFC) for further inspection of a packet."; 2964 reference 2965 "draft-ietf-i2nsf-capability-data-model-17: 2966 I2NSF Capability YANG Data Model - YANG Tree 2967 Diagram"; 2969 leaf-list content-security-control { 2970 type identityref { 2971 base content-security-control; 2972 } 2973 description 2974 "Content-security-control is the NSFs that 2975 inspect the payload of the packet. 2976 The profile for the types of NSFs for mitigation is 2977 divided into content security control and 2978 attack-mitigation-control. 2979 Content security control: ips, url filtering, 2980 anti-virus, and voip-volte-filter. This can be 2981 extended according to the provided NSFs."; 2982 reference 2983 "draft-ietf-i2nsf-capability-data-model-17: 2984 I2NSF Capability YANG Data Model - YANG Tree Diagram"; 2985 } 2987 leaf-list attack-mitigation-control { 2988 type identityref { 2989 base attack-mitigation-control; 2990 } 2991 description 2992 "Attack-mitigation-control is the NSFs that weaken 2993 the attacks related to a denial of service 2994 and reconnaissance. 2995 The profile for the types of NSFs for mitigation is 2996 divided into content security control and 2997 attack-mitigation-control.
2998 Attack mitigation control: Anti-DDoS or DDoS 2999 mitigator. This can be extended according to the 3000 provided NSFs such as mitigators for ip sweep, 3001 port scanning, ping of death, teardrop, oversized 3002 icmp, and tracert."; 3003 reference 3004 "draft-ietf-i2nsf-capability-data-model-17: 3005 I2NSF Capability YANG Data Model - YANG Tree Diagram"; 3006 } 3007 } 3008 } 3009 } 3010 container rule-group { 3011 description 3012 "This is the rule group"; 3014 list groups { 3015 key "group-name"; 3016 description 3017 "This is a group for rules"; 3019 leaf group-name { 3020 type string; 3021 description 3022 "This is the name of a group of rules"; 3023 } 3025 leaf-list rule-name { 3026 type leafref { 3027 path 3028 "../../../rules/rule-name"; 3029 } 3030 description 3031 "The names of the rules to be grouped."; 3032 } 3034 leaf enable { 3035 type boolean; 3036 description 3037 "True is enabled, and False is not enabled."; 3038 } 3039 leaf description { 3040 type string; 3041 description 3042 "This is a description for the rule-group"; 3043 } 3044 } 3045 } 3046 } 3047 } 3048 3050 Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface 3052 5. XML Configuration Examples of Low-Level Security Policy Rules 3054 This section shows XML configuration examples of low-level security 3055 policy rules that are delivered from the Security Controller to NSFs 3056 over the NSF-Facing Interface. For security requirements, we assume 3057 that the NSFs (i.e., General firewall, Time-based firewall, URL 3058 filter, VoIP/VoLTE filter, and HTTP and HTTPS flood mitigation) 3059 described in [I-D.ietf-i2nsf-capability-data-model] are registered 3060 in the I2NSF framework.
With the registered NSFs, we show 3061 configuration examples for security policy rules of network security 3062 functions according to the following three security requirements: (i) 3063 Block Social Networking Service (SNS) access during business hours, 3064 (ii) Block malicious VoIP/VoLTE packets coming to the company, and 3065 (iii) Mitigate http and https flood attacks on company web server. 3067 5.1. Security Requirement 1: Block Social Networking Service (SNS) 3068 Access during Business Hours 3070 This section shows a configuration example for blocking SNS access 3071 during business hours in IPv4 networks or IPv6 networks. 3073 3075 sns_access 3076 3077 block_sns_access_during_operation_time 3078 3079 3092 weekly 3093 3094 3095 3096 3097 3098 192.0.2.11 3099 192.0.2.90 3100 3101 3102 3103 3104 3105 3106 3107 url-filtering 3108 3109 3110 3111 3112 3114 Figure 6: Configuration XML for Time-based Firewall to Block SNS 3115 Access during Business Hours in IPv4 Networks 3117 3119 sns_access 3120 3121 block_sns_access_during_operation_time 3122 3123 3136 weekly 3137 3138 3139 3140 3141 3142 2001:DB8:0:1::11 3143 2001:DB8:0:1::90 3144 3145 3146 3147 3148 3149 3150 3151 url-filtering 3152 3153 3154 3155 3156 3158 Figure 7: Configuration XML for Time-based Firewall to Block SNS 3159 Access during Business Hours in IPv6 Networks 3161 3163 sns_access 3164 3165 block_sns_access_during_operation_time 3166 3167 3168 SNS_1 3169 SNS_2 3170 3171 3172 3173 3174 drop 3175 3176 3177 3178 3180 Figure 8: Configuration XML for Web Filter to Block SNS Access 3181 during Business Hours 3183 Figure 6 (or Figure 7) and Figure 8 show the configuration XML 3184 documents for time-based firewall and web filter to block SNS access 3185 during business hours in IPv4 networks (or IPv6 networks). For the 3186 security requirement, two NSFs (i.e., a time-based firewall and a web 3187 filter) were used because one NSF cannot meet the security 3188 requirement. 
The instances of XML documents for the time-based 3189 firewall and the web filter are explained below. Note that a detailed data 3190 model for the configuration of the advanced network security function 3191 (i.e., web filter) can be defined as an extension in future. 3193 Time-based Firewall is as follows: 3195 1. The name of the system policy is sns_access. 3197 2. The name of the rule is block_sns_access_during_operation_time. 3199 3. The rule is in effect from 2021-03-11 at 9 a.m. to 2021-12-31 at 6 3200 p.m. 3202 4. The rule is operated weekly every weekday (i.e., Monday, Tuesday, 3203 Wednesday, Thursday, and Friday) during the business hours (i.e., 3204 from 9 a.m. to 6 p.m.). 3206 5. The rule inspects a source IPv4 address (i.e., from 192.0.2.11 to 3207 192.0.2.90) to inspect the outgoing packets of employees. For 3208 the case of IPv6 networks, the rule inspects a source IPv6 3209 address (i.e., from 2001:DB8:0:1::11 to 2001:DB8:0:1::90) to 3210 inspect the outgoing packets of employees. 3212 6. If the outgoing packets match the rules above, the time-based 3213 firewall sends the packets to url filtering for additional 3214 inspection because the time-based firewall cannot inspect 3215 contents of the packets for the SNS URL. 3217 Web Filter is as follows: 3219 1. The name of the system policy is sns_access. 3221 2. The name of the rule is block_sns_access_during_operation_time, 3222 as shown in Figure 8. 3223 3. The rule inspects the URL to block the access packets to the 3224 SNS_1 or the SNS_2. 3226 4. If the outgoing packets match the rules above, the packets are 3227 blocked. 3229 5.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming 3230 to a Company 3232 This section shows a configuration example for blocking malicious 3233 VoIP/VoLTE packets coming to a company.
3235 3237 voip_volte_inspection 3238 3239 block_malicious_voice_id 3240 3241 3242 3243 3244 192.0.2.11 3245 192.0.2.90 3246 3247 3248 3249 3250 3251 5060 3252 5061 3253 3254 3255 3256 3257 3258 3259 voip-volte-filter 3260 3261 3262 3263 3264 3266 Figure 9: Configuration XML for General Firewall to Block 3267 Malicious VoIP/VoLTE Packets Coming to a Company 3269 3271 voip_volte_inspection 3272 3273 block_malicious_voice_id 3274 3275 3276 3277 user1@voip.malicious.example.com 3278 3279 3280 user2@voip.malicious.example.com 3281 3282 3283 3284 3285 3286 drop 3287 3288 3289 3290 3292 Figure 10: Configuration XML for VoIP/VoLTE Filter to Block 3293 Malicious VoIP/VoLTE Packets Coming to a Company 3295 Figure 9 and Figure 10 show the configuration XML documents for 3296 general firewall and VoIP/VoLTE filter to block malicious VoIP/VoLTE 3297 packets coming to a company. For the security requirement, two NSFs 3298 (i.e., a general firewall and a VoIP/VoLTE filter) were used because 3299 one NSF cannot meet the security requirement. The instances of XML 3300 documents for the general firewall and the VoIP/VoLTE filter are 3301 explained below. Note that a detailed data model for the configuration of the 3302 advanced network security function (i.e., VoIP/VoLTE filter) can be 3303 described as an extension in future. 3305 General Firewall is as follows: 3307 1. The name of the system policy is voip_volte_inspection. 3309 2. The name of the rule is block_malicious_voice_id, as shown in 3310 Figure 9. 3311 3. The rule inspects a destination IPv4 address (i.e., from 3312 192.0.2.11 to 192.0.2.90) to inspect the packets coming into the 3313 company. 3315 4. The rule inspects a port number range (i.e., from 5060 to 5061) 3316 to inspect VoIP/VoLTE packets. 3318 5. If the incoming packets match the rules above, the general 3319 firewall sends the packets to VoIP/VoLTE filter for additional 3320 inspection because the general firewall cannot inspect contents 3321 of the VoIP/VoLTE packets.
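The two-stage evaluation described in the five steps above (the general firewall matches the destination address range and the 5060-5061 port range, then hands the packet to the VoIP/VoLTE filter, which inspects the voice ID and drops the call) as an added Python example; this is not code from the draft. The range and leaf-list semantics follow the YANG module of Figure 5: a start/end list matches when the value falls in any of its ranges, end must be greater than or equal to start as the module's "must" statements require, a leaf-list matches when the value equals any listed entry, and an absent condition imposes no constraint. The packet dictionary keys (dst_ip, dst_port, sip_from), the first-match evaluation order and the default pass for unmatched packets are assumptions, since the draft does not specify them.

```python
"""Evaluate I2NSF NSF-Facing Interface ECA rules against packet headers.

Added example, not code from the draft. Matching semantics follow the YANG
module: a leaf-list matches when the header value equals any listed value, a
start/end list matches when the value falls in any range (start == end for
a single value; end >= start enforced like the module's 'must' statements),
and an absent condition imposes no constraint. Packet keys are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Range:
    """A start/end pair; mirrors must '. >= ../start' in the module."""
    start: Any
    end: Any

    def __post_init__(self) -> None:
        if self.end < self.start:
            raise ValueError(f"end {self.end} must be >= start {self.start}")

    def contains(self, value: Any) -> bool:
        return self.start <= value <= self.end


def range_is_valid(start: Any, end: Any) -> bool:
    """True when a start/end pair satisfies the module's 'must' constraint."""
    try:
        Range(start, end)
        return True
    except ValueError:
        return False


def addr_range(start: str, end: str) -> Range:
    """Address ranges compare numerically, never as strings."""
    return Range(ip_address(start), ip_address(end))


def match_ranges(value: Any, ranges: List[Range]) -> bool:
    """Empty list = no constraint; otherwise any range may match (OR)."""
    return not ranges or any(r.contains(value) for r in ranges)


def match_values(value: Any, values: List[Any]) -> bool:
    """leaf-list semantics: no entries = no constraint, else membership."""
    return not values or value in values


@dataclass
class Rule:
    name: str
    condition: Dict[str, List[Any]]             # header field -> Ranges or values
    ingress_action: Optional[str] = None        # packet-action/ingress-action
    forward_to: List[str] = field(default_factory=list)  # advanced-action NSFs


def matches(rule: Rule, packet: Dict[str, Any]) -> bool:
    """Every field in the condition must match (AND across fields)."""
    for fld, spec in rule.condition.items():
        value = packet.get(fld)
        if value is None:                       # header absent, e.g. no port
            return False
        if spec and isinstance(spec[0], Range):
            if not match_ranges(value, spec):
                return False
        elif not match_values(value, spec):
            return False
    return True


def evaluate(rules: List[Rule], packet: Dict[str, Any]) -> Tuple[str, List[str]]:
    """First-match evaluation; an unmatched packet is passed (assumed default)."""
    for rule in rules:
        if matches(rule, packet):
            return rule.ingress_action or "pass", list(rule.forward_to)
    return "pass", []


# Figure 9 (general firewall): destination 192.0.2.11-192.0.2.90 and port
# 5060-5061; matching packets are handed to the voip-volte-filter NSF.
FIREWALL = [Rule(
    name="block_malicious_voice_id",
    condition={"dst_ip": [addr_range("192.0.2.11", "192.0.2.90")],
               "dst_port": [Range(5060, 5061)]},
    forward_to=["voip-volte-filter"])]

# Figure 10 (VoIP/VoLTE filter): drop calls from the listed voice IDs.
VOIP_FILTER = [Rule(
    name="block_malicious_voice_id",
    condition={"sip_from": ["user1@voip.malicious.example.com",
                            "user2@voip.malicious.example.com"]},
    ingress_action="drop")]


def process(packet: Dict[str, Any]) -> str:
    """Run the firewall, then the NSF it chained to; return the final action."""
    action, nsfs = evaluate(FIREWALL, packet)
    if action == "drop" or "voip-volte-filter" not in nsfs:
        return action
    action, _ = evaluate(VOIP_FILTER, packet)
    return action


# Constructed sample packets (not from the draft); sip_from is the SIP From URI.
MALICIOUS = {"dst_ip": ip_address("192.0.2.20"), "dst_port": 5060,
             "sip_from": "user1@voip.malicious.example.com"}
LEGIT = {"dst_ip": ip_address("192.0.2.20"), "dst_port": 5061,
         "sip_from": "alice@voip.example.com"}
WEB = {"dst_ip": ip_address("192.0.2.20"), "dst_port": 443}
```

process(MALICIOUS) returns "drop" (chained, then dropped by the voice-ID match), process(LEGIT) returns "pass" (chained, no voice-ID match), and process(WEB) returns "pass" without ever reaching the filter. Note that the firewall rule of Figure 9 carries no ingress-action of its own, so an NSF that does not implement the advanced-action chaining would pass the matched SIP packets unchanged; a Range whose end is below its start is rejected at construction time, which is the same check the module's error-message text describes.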
3323 VoIP/VoLTE Filter is as follows: 3325 1. The name of the system policy is voip_volte_inspection, as shown 3326 in Figure 10. 3327 2. The name of the rule is block_malicious_voice_id. 3329 3. The rule inspects the voice id of the VoIP/VoLTE packets to block 3330 the malicious VoIP/VoLTE packets (i.e., 3331 user1@voip.malicious.example.com and 3332 user2@voip.malicious.example.com). 3334 4. If the incoming packets match the rules above, the packets are 3335 blocked. 3337 5.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a 3338 Company Web Server 3340 This section shows a configuration example for mitigating HTTP and 3341 HTTPS flood attacks on a company web server. 3343 3345 flood_attack_mitigation 3346 3347 mitigate_http_and_https_flood_attack 3348 3349 3350 3351 3352 192.0.2.11 3353 192.0.2.11 3354 3355 3356 3357 3358 3359 80 3360 80 3361 3362 3363 443 3364 443 3365 3366 3367 3368 3369 3370 3371 anti-ddos 3372 3373 3374 3375 3376 3378 Figure 11: Configuration XML for General Firewall to Mitigate 3379 HTTP and HTTPS Flood Attacks on a Company Web Server 3381 3383 flood_attack_mitigation 3384 3385 mitigate_http_and_https_flood_attack 3386 3387 3388 1000 3389 3390 3391 3392 3393 drop 3394 3395 3396 3397 3399 Figure 12: Configuration XML for Anti-DDoS to Mitigate HTTP and 3400 HTTPS Flood Attacks on a Company Web Server 3402 Figure 11 and Figure 12 show the configuration XML documents for 3403 the general firewall and the HTTP and HTTPS flood attack mitigation to 3404 mitigate HTTP and HTTPS flood attacks on a company web server. For 3405 the security requirement, two NSFs (i.e., a general firewall and an 3406 HTTP and HTTPS flood attack mitigation) were used because one NSF 3407 cannot meet the security requirement.
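How an anti-DDoS NSF might apply the ddos/alert-packet-rate condition of Figure 12 once the general firewall of Figure 11 has chained the web server's HTTP and HTTPS traffic to it, as an added Python example that is not part of the draft. The module states the threshold in packets per second of an IP address but does not say over what window the rate is measured or which address it is keyed on; a one-second sliding window per destination address is assumed here, the firewall condition is reduced to the destination address and the two single-value port ranges of Figure 11, and the traffic trace is constructed.

```python
"""Stateful evaluation of the ddos/alert-packet-rate condition (Figure 12).

Added example, not code from the draft. The general firewall of Figure 11
chains HTTP/HTTPS packets for 192.0.2.11 to the anti-DDoS NSF; Figure 12 sets
alert-packet-rate to 1000 pps with a drop action. The module does not say
how "packets per second of an IP address" is measured, so a per-destination
one-second sliding window is assumed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

WEB_SERVER = "192.0.2.11"     # Figure 11: destination range 192.0.2.11-192.0.2.11
WEB_PORTS = {80, 443}          # Figure 11: port ranges 80-80 and 443-443


class PacketRateMonitor:
    """Per-destination packet counter over a sliding time window."""

    def __init__(self, alert_packet_rate: int, window_s: float = 1.0) -> None:
        self.threshold = alert_packet_rate   # units "pps" in the module
        self.window = window_s
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)

    def observe(self, dst_ip: str, ts: float) -> str:
        """Record one packet; return 'drop' once the window exceeds the rate."""
        q = self._seen[dst_ip]
        q.append(ts)
        while ts - q[0] >= self.window:      # evict packets outside the window
            q.popleft()
        return "drop" if len(q) > self.threshold else "pass"


def reaches_anti_ddos(dst_ip: str, dst_port: int) -> bool:
    """The firewall condition: only web traffic for the server is chained."""
    return dst_ip == WEB_SERVER and dst_port in WEB_PORTS


def replay(monitor: PacketRateMonitor,
           packets: Iterable[Tuple[str, int, float]]) -> Dict[str, int]:
    """Feed (dst_ip, dst_port, timestamp) packets through both NSFs and
    return the number of packets dropped per destination address."""
    drops: Dict[str, int] = defaultdict(int)
    for dst_ip, dst_port, ts in packets:
        if not reaches_anti_ddos(dst_ip, dst_port):
            continue                         # firewall passes it untouched
        if monitor.observe(dst_ip, ts) == "drop":
            drops[dst_ip] += 1
    return dict(drops)


def constructed_trace() -> List[Tuple[str, int, float]]:
    """Constructed traffic (not from the draft): a 1500-packet HTTP flood on
    the web server inside half a second, 20 HTTPS requests spread over the
    same second, and SSH traffic to the server that the firewall never chains."""
    flood = [(WEB_SERVER, 80, i * 0.5 / 1500) for i in range(1500)]
    https = [(WEB_SERVER, 443, i * 0.05) for i in range(20)]
    ssh = [(WEB_SERVER, 22, i * 0.001) for i in range(5000)]
    return sorted(flood + https + ssh, key=lambda p: p[2])
```

With the threshold of 1000 pps, replay() drops 520 of the 1520 chained packets: the first 1000 in the window pass and everything after them is dropped, including the HTTPS requests that arrive while the window is full. That is the consequence of keying the condition on the destination address, which is all the module's ddos container expresses; a deployment that wants to spare legitimate clients of the flooded server needs a per-source counter or a source-address condition in front of it, neither of which this rule carries. The SSH packets are never counted because the firewall rule of Figure 11 only chains ports 80 and 443.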
The instances of XML documents 3408 for the general firewall and the HTTP and HTTPS flood attack mitigation 3409 are explained below. Note that a detailed data model for the configuration 3410 of the advanced network security function (i.e., HTTP and HTTPS flood 3411 attack mitigation) can be defined as an extension in future. 3413 General Firewall is as follows: 3415 1. The name of the system policy is flood_attack_mitigation. 3417 2. The name of the rule is mitigate_http_and_https_flood_attack. 3419 3. The rule inspects a destination IPv4 address (i.e., 192.0.2.11, 3420 given as a range whose start and end are equal) to inspect the 3421 access packets coming into the company web server. 3422 4. The rule inspects the destination port number (i.e., 80 and 443, 3423 given as two single-value ranges) to inspect HTTP and HTTPS packets. 3425 5. If the packets match the rules above, the general firewall sends 3426 the packets to anti-DDoS for additional inspection because the 3427 general firewall cannot rate-limit the HTTP and HTTPS traffic 3428 by itself. 3430 Anti DDoS for HTTP and HTTPS Flood Attack Mitigation is as follows: 3432 1. The name of the system policy is flood_attack_mitigation. 3434 2. The name of the rule is mitigate_http_and_https_flood_attack. 3436 3. The rule controls the HTTP and HTTPS packets according to the 3437 rate of incoming packets (alert-packet-rate of 1000 packets per 3438 second). 3439 4. If the incoming packets exceed the rate above, the packets are 3440 blocked. 3442 6. IANA Considerations 3444 This document requests IANA to register the following URI in the 3445 "IETF XML Registry" [RFC3688]: 3447 URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf 3448 Registrant Contact: The IESG. 3449 XML: N/A; the requested URI is an XML namespace. 3451 This document requests IANA to register the following YANG module in 3452 the "YANG Module Names" registry [RFC7950][RFC8525]. 3454 name: ietf-i2nsf-policy-rule-for-nsf 3455 namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf 3456 prefix: nsfintf 3457 reference: RFC XXXX 3459 7.
Security Considerations 3461 The YANG module specified in this document defines a data schema 3462 designed to be accessed through network management protocols such as 3463 NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is 3464 the secure transport layer, and the required secure transport is 3465 Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, 3466 and the required secure transport is TLS [RFC8446]. 3468 The NETCONF access control model [RFC8341] provides a means of 3469 restricting access to specific NETCONF or RESTCONF users to a 3470 preconfigured subset of all available NETCONF or RESTCONF protocol 3471 operations and content. 3473 There are a number of data nodes defined in this YANG module that are 3474 writable/creatable/deletable (i.e., config true, which is the 3475 default). These data nodes may be considered sensitive or vulnerable 3476 in some network environments. Write operations (e.g., edit-config) 3477 to these data nodes without proper protection can have a negative 3478 effect on network operations. These are the subtrees and data nodes 3479 and their sensitivity/vulnerability: 3481 * ietf-i2nsf-policy-rule-for-nsf: Writing to almost any element of 3482 this YANG module would directly affect the configuration of 3483 NSFs, e.g., completely turning off security monitoring and 3484 mitigation capabilities; altering the scope of this monitoring and 3485 mitigation; creating a logging volume large enough to overwhelm 3486 downstream analytics or storage capacity; creating logging 3487 patterns which are confusing; or rendering useless trained 3488 statistics or artificial intelligence models. 3490 Some of the readable data nodes in this YANG module may be considered 3491 sensitive or vulnerable in some network environments. It is thus 3492 important to control read access (e.g., via get, get-config, or 3493 notification) to these data nodes.
   The readable subtrees and data nodes and their sensitivity/
   vulnerability are:

   *  ietf-i2nsf-policy-rule-for-nsf: An attacker with read access may
      gather the security policy information of any target NSF and
      misuse that information for subsequent attacks.

   Policy rules identifying specific users and user groups can be
   specified with "rules/condition/context/users".  As with other data
   in this YANG module, this user information is provided by the
   Security Controller to the NSFs and is protected via the transport
   and access control mechanisms described above.

8.  Acknowledgments

   This work was supported by an Institute of Information &
   Communications Technology Planning & Evaluation (IITP) grant funded
   by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755,
   Cloud-based Security Intelligence Technology Development for the
   Customized Security Service Provisioning).  This work was supported
   in part by the IITP (2020-0-00395, Standard Development of
   Blockchain-based Network Management Automation Technology).

9.  Contributors

   This document is the result of the group effort of the I2NSF Working
   Group.  Many people actively contributed to this document, such as
   Acee Lindem and Roman Danyliw.  The authors sincerely appreciate
   their contributions.
   The following are co-authors of this document:

   Patrick Lingga
   Department of Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea
   EMail: patricklink@skku.edu

   Hyoungshick Kim
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea
   EMail: hyoung@skku.edu

   Daeyoung Hyun
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea
   EMail: dyhyun@skku.edu

   Dongjin Hong
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seo-ro Jangan-gu
   Suwon, Gyeonggi-do 16419
   Republic of Korea
   EMail: dong.jin@skku.edu

   Liang Xia
   Huawei
   101 Software Avenue
   Nanjing, Jiangsu 210012
   China
   EMail: Frank.Xialiang@huawei.com

   Tae-Jin Ahn
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon, 305-811
   Republic of Korea
   EMail: taejin.ahn@kt.com

   Se-Hui Lee
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon, 305-811
   Republic of Korea
   EMail: sehuilee@kt.com

10.  References

10.1.  Normative References

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              DOI 10.17487/RFC0768, August 1980.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              DOI 10.17487/RFC0791, September 1981.

   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
              RFC 792, DOI 10.17487/RFC0792, September 1981.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2474]  Nichols, K., Blake, S., Baker, F., and D. Black,
              "Definition of the Differentiated Services Field (DS
              Field) in the IPv4 and IPv6 Headers", RFC 2474,
              DOI 10.17487/RFC2474, December 1998.
   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              DOI 10.17487/RFC3261, June 2002.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4340]  Kohler, E., Handley, M., and S. Floyd, "Datagram
              Congestion Control Protocol (DCCP)", RFC 4340,
              DOI 10.17487/RFC4340, March 2006.

   [RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet
              Control Message Protocol (ICMPv6) for the Internet
              Protocol Version 6 (IPv6) Specification", STD 89,
              RFC 4443, DOI 10.17487/RFC4443, March 2006.

   [RFC4960]  Stewart, R., Ed., "Stream Control Transmission Protocol",
              RFC 4960, DOI 10.17487/RFC4960, September 2007.

   [RFC5595]  Fairhurst, G., "The Datagram Congestion Control Protocol
              (DCCP) Service Codes", RFC 5595, DOI 10.17487/RFC5595,
              September 2009.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6335]  Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S.
              Cheshire, "Internet Assigned Numbers Authority (IANA)
              Procedures for the Management of the Service Name and
              Transport Protocol Port Number Registry", BCP 165,
              RFC 6335, DOI 10.17487/RFC6335, August 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.
   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017.

   [RFC8335]  Bonica, R., Thomas, R., Linkova, J., Lenart, C., and M.
              Boucadair, "PROBE: A Utility for Probing Interfaces",
              RFC 8335, DOI 10.17487/RFC8335, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8344]  Bjorklund, M., "A YANG Data Model for IP Management",
              RFC 8344, DOI 10.17487/RFC8344, March 2018.

   [RFC8407]  Bierman, A., "Guidelines for Authors and Reviewers of
              Documents Containing YANG Data Models", BCP 216, RFC 8407,
              DOI 10.17487/RFC8407, October 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [RFC8525]  Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
              and R. Wilton, "YANG Library", RFC 8525,
              DOI 10.17487/RFC8525, March 2019.

   [I-D.ietf-tcpm-rfc793bis]
              Eddy, W. M., "Transmission Control Protocol (TCP)
              Specification", Work in Progress, Internet-Draft,
              draft-ietf-tcpm-rfc793bis-25, 7 September 2021.

   [I-D.ietf-i2nsf-capability-data-model]
              Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
              "I2NSF Capability YANG Data Model", Work in Progress,
              Internet-Draft, draft-ietf-i2nsf-capability-data-model-19,
              28 September 2021.

   [I-D.ietf-i2nsf-nsf-monitoring-data-model]
              Jeong, J., Lingga, P., Hares, S., Xia, L., and H.
              Birkholz, "I2NSF NSF Monitoring Interface YANG Data
              Model", Work in Progress, Internet-Draft,
              draft-ietf-i2nsf-nsf-monitoring-data-model-10,
              15 September 2021.

10.2.  Informative References

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [I-D.ietf-i2nsf-consumer-facing-interface-dm]
              Jeong, J., Chung, C., Ahn, T., Kumar, R., and S. Hares,
              "I2NSF Consumer-Facing Interface YANG Data Model", Work in
              Progress, Internet-Draft,
              draft-ietf-i2nsf-consumer-facing-interface-dm-15,
              15 September 2021.

   [ISO-Country-Codes]
              "Codes for the representation of names of countries and
              their subdivisions", ISO 3166, September 2018.

   [IANA-Protocol-Numbers]
              Internet Assigned Numbers Authority (IANA), "Assigned
              Internet Protocol Numbers", September 2020.

   [IANA-ICMP-Parameters]
              Internet Assigned Numbers Authority (IANA), "Internet
              Control Message Protocol (ICMP) Parameters", February
              2021.

   [IANA-ICMPv6-Parameters]
              Internet Assigned Numbers Authority (IANA), "Internet
              Control Message Protocol version 6 (ICMPv6) Parameters",
              February 2021.

   [IEEE-802.3]
              Institute of Electrical and Electronics Engineers, "IEEE
              Standard for Ethernet", 2018.
Authors' Addresses

   Jinyong (Tim) Kim (editor)
   Department of Electronic, Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon
   Gyeonggi-Do
   16419
   Republic of Korea

   Phone: +82 10 8273 0930
   Email: timkim@skku.edu

   Jaehoon (Paul) Jeong (editor)
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon
   Gyeonggi-Do
   16419
   Republic of Korea

   Phone: +82 31 299 4957
   Email: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon
   34129
   Republic of Korea

   Phone: +82 42 860 6514
   Email: pjs@etri.re.kr

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   United States of America

   Phone: +1-734-604-0332
   Email: shares@ndzh.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen
   Guangdong 518129
   China

   Email: linqiushi@huawei.com