idnits 2.17.1 draft-ietf-i2nsf-nsf-facing-interface-dm-16.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not match the current year
== Line 256 has weird spacing: '...w start uin...'
== Line 260 has weird spacing: '...w start uin...'
== Line 265 has weird spacing: '...w start uin...'
== Line 268 has weird spacing: '...w start uin...'
== Line 283 has weird spacing: '...w start ine...'
== (10 more instances...)
-- The document date (13 November 2021) is 896 days in the past. Is this intentional?

Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)
** Obsolete normative reference: RFC 4960 (Obsoleted by RFC 9260)
== Outdated reference: A later version (-28) exists of draft-ietf-tcpm-rfc793bis-25
-- Possible downref: Normative reference to a draft: ref. 'I-D.ietf-tcpm-rfc793bis'
== Outdated reference: A later version (-32) exists of draft-ietf-i2nsf-capability-data-model-21
== Outdated reference: A later version (-20) exists of draft-ietf-i2nsf-nsf-monitoring-data-model-11
== Outdated reference: A later version (-31) exists of draft-ietf-i2nsf-consumer-facing-interface-dm-15

Summary: 1 error (**), 0 flaws (~~), 11 warnings (==), 2 comments (--).

Run idnits with the --verbose option for more detailed information about the items above.
--------------------------------------------------------------------------------

I2NSF Working Group                                   J. Kim, Ed.
Internet-Draft                                        J. Jeong, Ed.
Intended status: Standards Track                      Sungkyunkwan University
Expires: 17 May 2022                                  J. Park
                                                      ETRI
                                                      S. Hares
                                                      Q. Lin
                                                      Huawei
                                                      13 November 2021

I2NSF Network Security Function-Facing Interface YANG Data Model
draft-ietf-i2nsf-nsf-facing-interface-dm-16

Abstract

This document defines a YANG data model for configuring security policy rules on Network Security Functions (NSF) in the Interface to Network Security Functions (I2NSF) framework. The YANG data model in this document corresponds to the information model for the NSF-Facing Interface in the I2NSF framework.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 17 May 2022.
Copyright Notice

Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
2. Terminology
3. YANG Tree Diagram
   3.1. General I2NSF Security Policy Rule
   3.2. Event Clause
   3.3. Condition Clause
   3.4. Action Clause
4. YANG Data Model of NSF-Facing Interface
   4.1. YANG Module of NSF-Facing Interface
5. XML Configuration Examples of Low-Level Security Policy Rules
   5.1. Security Requirement 1: Block Social Networking Service (SNS) Access during Business Hours
   5.2. Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming to a Company
   5.3. Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a Company Web Server
6. IANA Considerations
7. Security Considerations
8. Acknowledgments
9. Contributors
10. References
   10.1. Normative References
   10.2. Informative References
Authors' Addresses

1. Introduction

This document defines a YANG [RFC6020][RFC7950] data model for security policy rule configuration of Network Security Functions (NSF). The YANG data model in this document is based on the information and data model in [I-D.ietf-i2nsf-capability-data-model] for the NSF-Facing Interface in the Interface to Network Security Functions (I2NSF) architecture [RFC8329]. The YANG data model in this document focuses on security policy configuration for the NSFs discussed in [I-D.ietf-i2nsf-capability-data-model], i.e., generic NSF.

This YANG data model uses an "Event-Condition-Action" (ECA) policy model that is used as the basis for the design of I2NSF Policy described in [RFC8329] and [I-D.ietf-i2nsf-capability-data-model].

The "ietf-i2nsf-policy-rule-for-nsf" YANG module defined in this document provides the configuration of the following features.

* A security policy rule of a network security function.

* An event clause of a generic network security function.

* A condition clause of a generic network security function.

* An action clause of a generic network security function.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

This document uses the terminology described in [RFC8329].
This document follows the guidelines of [RFC8407], uses the common YANG types defined in [RFC6991], and adopts the Network Management Datastore Architecture (NMDA). The meaning of the symbols in tree diagrams is defined in [RFC8340].

3. YANG Tree Diagram

This section shows a YANG tree diagram of the policy for network security functions defined in [I-D.ietf-i2nsf-capability-data-model].

3.1. General I2NSF Security Policy Rule

This section shows a YANG tree diagram for a general I2NSF security policy rule for generic network security functions.

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy* [system-policy-name]
     +--rw system-policy-name      string
     +--rw priority-usage?         identityref
     +--rw resolution-strategy?    identityref
     +--rw default-action?         identityref
     +--rw rules* [rule-name]
     |  +--rw rule-name             string
     |  +--rw rule-description?     string
     |  +--rw rule-priority?        uint8
     |  +--rw rule-enable?          boolean
     |  +--rw session-aging-time?   uint16
     |  +--rw long-connection
     |  |  +--rw enable?     boolean
     |  |  +--rw duration?   uint16
     |  +--rw event
     |  |  ...
     |  +--rw action
     |     ...
     +--rw rule-group
        +--rw groups* [group-name]
           +--rw group-name     string
           +--rw rule-range
           |  +--rw start-rule?   string
           |  +--rw end-rule?     string
           +--rw enable?        boolean
           +--rw description?   string

Figure 1: YANG Tree Diagram for Network Security Policy

The system policy provides for multiple system policies in one NSF, and each system policy is used by one virtual instance of the NSF/device. The system policy includes system policy name, priority usage, resolution strategy, default action, and rules.

A resolution strategy is used to decide how to resolve conflicts that occur between the actions of the same or different policy rules that are matched and contained in a particular NSF. The resolution strategy is defined as First Matching Rule (FMR), Last Matching Rule (LMR), Prioritized Matching Rule (PMR) with Errors (PMRE), and Prioritized Matching Rule with No Errors (PMRN). The resolution strategy can be extended according to specific vendor action features. The resolution strategy is described in detail in [I-D.ietf-i2nsf-capability-data-model].

A default action is the action executed when no I2NSF policy rule matches a packet. The default action is defined as pass, drop, rate-limit, and mirror. The default action can be extended according to specific vendor action features. The default action is described in detail in [I-D.ietf-i2nsf-capability-data-model].

The rules include rule name, rule description, rule priority, rule enable, event, condition, and action.

3.2. Event Clause

This section shows a YANG tree diagram for an event clause for a general I2NSF security policy rule for generic network security functions.

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy* [system-policy-name]
     ...
     +--rw rules* [rule-name]
     |  ...
     |  +--rw event
     |  |  +--rw event-clause-description?   string
     |  |  +--rw time
     |  |  |  +--rw start-date-time?   yang:date-and-time
     |  |  |  +--rw end-date-time?     yang:date-and-time
     |  |  |  +--rw period
     |  |  |  |  +--rw start-time?   time
     |  |  |  |  +--rw end-time?     time
     |  |  |  |  +--rw day*          identityref
     |  |  |  |  +--rw date*         int32
     |  |  |  |  +--rw month*        string
     |  |  |  +--rw frequency?   enumeration
     |  |  +--rw event-clauses
     |  |     +--rw system-event*   identityref
     |  |     +--rw system-alarm*   identityref
     |  +--rw condition
     |  |  ...
     |  +--rw action
     |     ...
     +--rw rule-group
        ...

Figure 2: YANG Tree Diagram for an Event Clause

An event clause is any important occurrence at a specific time of a change in the system being managed, and/or in the environment of the system being managed. An event clause is used to trigger the evaluation of the condition clause of the I2NSF Policy Rule. The event clause is defined as a system event, a system alarm [I-D.ietf-i2nsf-nsf-monitoring-data-model], and time. The event clause can be extended according to specific vendor event features. The event clause is described in detail in [I-D.ietf-i2nsf-capability-data-model].

3.3. Condition Clause

This section shows a YANG tree diagram for a condition clause for a general I2NSF security policy rule for generic network security functions.

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy* [system-policy-name]
     ...
     +--rw rules* [rule-name]
     |  ...
     |  +--rw event
     |  |  ...
     |  +--rw condition
     |  |  +--rw condition-clause-description?   string
     |  |  +--rw ethernet
     |  |  |  +--rw ethernet-description?   string
     |  |  |  +--rw source-address*         yang:mac-address
     |  |  |  +--rw destination-address*    yang:mac-address
     |  |  |  +--rw ether-type*             uint16
     |  |  +--rw ipv4
     |  |  |  +--rw description?      string
     |  |  |  +--rw header-length* [start end]
     |  |  |  |  +--rw start    uint8
     |  |  |  |  +--rw end      uint8
     |  |  |  +--rw dscp*             inet:dscp
     |  |  |  +--rw total-length* [start end]
     |  |  |  |  +--rw start    uint16
     |  |  |  |  +--rw end      uint16
     |  |  |  +--rw identification*   uint16
     |  |  |  +--rw fragment-flags*   identityref
     |  |  |  +--rw fragment-offset* [start end]
     |  |  |  |  +--rw start    uint16
     |  |  |  |  +--rw end      uint16
     |  |  |  +--rw ttl* [start end]
     |  |  |  |  +--rw start    uint8
     |  |  |  |  +--rw end      uint8
     |  |  |  +--rw protocol*         uint8
     |  |  |  +--rw source-address
     |  |  |  |  +--rw (match-type)?
     |  |  |  |     +--:(prefix)
     |  |  |  |     |  +--rw ipv4-prefix* [ipv4]
     |  |  |  |     |     +--rw ipv4    inet:ipv4-address-no-zone
     |  |  |  |     |     +--rw (subnet)?
     |  |  |  |     |        +--:(prefix-length)
     |  |  |  |     |        |  +--rw prefix-length?   uint8
     |  |  |  |     |        +--:(netmask)
     |  |  |  |     |           +--rw netmask?         yang:dotted-quad
     |  |  |  |     +--:(range)
     |  |  |  |        +--rw ipv4-range* [start end]
     |  |  |  |           +--rw start    inet:ipv4-address-no-zone
     |  |  |  |           +--rw end      inet:ipv4-address-no-zone
     |  |  |  +--rw destination-address
     |  |  |  |  +--rw (match-type)?
     |  |  |  |     +--:(prefix)
     |  |  |  |     |  +--rw ipv4-prefix* [ipv4]
     |  |  |  |     |     +--rw ipv4    inet:ipv4-address-no-zone
     |  |  |  |     |     +--rw (subnet)?
     |  |  |  |     |        +--:(prefix-length)
     |  |  |  |     |        |  +--rw prefix-length?   uint8
     |  |  |  |     |        +--:(netmask)
     |  |  |  |     |           +--rw netmask?         yang:dotted-quad
     |  |  |  |     +--:(range)
     |  |  |  |        +--rw ipv4-range* [start end]
     |  |  |  |           +--rw start    inet:ipv4-address-no-zone
     |  |  |  |           +--rw end      inet:ipv4-address-no-zone
     |  |  |  +--rw ipopts*           identityref
     |  |  +--rw ipv6
     |  |  |  +--rw description?    string
     |  |  |  +--rw dscp*           inet:dscp
     |  |  |  +--rw flow-label* [start end]
     |  |  |  |  +--rw start    inet:ipv6-flow-label
     |  |  |  |  +--rw end      inet:ipv6-flow-label
     |  |  |  +--rw payload-length* [start end]
     |  |  |  |  +--rw start    uint16
     |  |  |  |  +--rw end      uint16
     |  |  |  +--rw next-header*    uint8
     |  |  |  +--rw hop-limit* [start end]
     |  |  |  |  +--rw start    uint8
     |  |  |  |  +--rw end      uint8
     |  |  |  +--rw source-address
     |  |  |  |  +--rw (match-type)?
     |  |  |  |     +--:(prefix)
     |  |  |  |     |  +--rw ipv6-prefix* [ipv6]
     |  |  |  |     |     +--rw ipv6             inet:ipv6-address-no-zone
     |  |  |  |     |     +--rw prefix-length?   uint8
     |  |  |  |     +--:(range)
     |  |  |  |        +--rw ipv6-range* [start end]
     |  |  |  |           +--rw start    inet:ipv6-address-no-zone
     |  |  |  |           +--rw end      inet:ipv6-address-no-zone
     |  |  |  +--rw destination-address
     |  |  |     +--rw (match-type)?
     |  |  |        +--:(prefix)
     |  |  |        |  +--rw ipv6-prefix* [ipv6]
     |  |  |        |     +--rw ipv6             inet:ipv6-address-no-zone
     |  |  |        |     +--rw prefix-length?   uint8
     |  |  |        +--:(range)
     |  |  |           +--rw ipv6-range* [start end]
     |  |  |              +--rw start    inet:ipv6-address-no-zone
     |  |  |              +--rw end      inet:ipv6-address-no-zone
     |  |  +--rw tcp
     |  |  |  +--rw description?   string
     |  |  |  +--rw source-port-number* [start end]
     |  |  |  |  +--rw start    inet:port-number
     |  |  |  |  +--rw end      inet:port-number
     |  |  |  +--rw destination-port-number* [start end]
     |  |  |  |  +--rw start    inet:port-number
     |  |  |  |  +--rw end      inet:port-number
     |  |  |  +--rw flags*         identityref
     |  |  +--rw udp
     |  |  |  +--rw description?   string
     |  |  |  +--rw source-port-number
     |  |  |  |  +--rw start?   inet:port-number
     |  |  |  |  +--rw end?     inet:port-number
     |  |  |  +--rw destination-port-number
     |  |  |  |  +--rw start?   inet:port-number
     |  |  |  |  +--rw end?     inet:port-number
     |  |  |  +--rw total-length* [start end]
     |  |  |     +--rw start    uint32
     |  |  |     +--rw end      uint32
     |  |  +--rw sctp
     |  |  |  +--rw description?   string
     |  |  |  +--rw source-port-number
     |  |  |  |  +--rw start?   inet:port-number
     |  |  |  |  +--rw end?     inet:port-number
     |  |  |  +--rw destination-port-number
     |  |  |  |  +--rw start?   inet:port-number
     |  |  |  |  +--rw end?     inet:port-number
     |  |  |  +--rw verification-tag*   uint32
     |  |  |  +--rw chunk-type*         uint8
     |  |  +--rw dccp
     |  |  |  +--rw description?   string
     |  |  |  +--rw source-port-number
     |  |  |  |  +--rw start?   inet:port-number
     |  |  |  |  +--rw end?     inet:port-number
     |  |  |  +--rw destination-port-number
     |  |  |  |  +--rw start?   inet:port-number
     |  |  |  |  +--rw end?     inet:port-number
     |  |  |  +--rw service-code*   uint32
     |  |  +--rw icmp* [version]
     |  |  |  +--rw description?   string
     |  |  |  +--rw version        enumeration
     |  |  |  +--rw type*          uint8
     |  |  |  +--rw code*          uint8
     |  |  +--rw url-category
     |  |  |  +--rw description?             string
     |  |  |  +--rw pre-defined-category*    string
     |  |  |  +--rw user-defined-category*   string
     |  |  +--rw voice
     |  |  |  +--rw description?            string
     |  |  |  +--rw source-voice-id*        string
     |  |  |  +--rw destination-voice-id*   string
     |  |  |  +--rw user-agent*             string
     |  |  +--rw ddos
     |  |  |  +--rw description?         string
     |  |  |  +--rw alert-packet-rate?   uint32
     |  |  |  +--rw alert-flow-rate?     uint32
     |  |  |  +--rw alert-byte-rate?     uint32
     |  |  +--rw anti-virus
     |  |  |  +--rw profile*           string
     |  |  |  +--rw exception-files*   string
     |  |  +--rw payload
     |  |  |  +--rw packet-payload-description?   string
     |  |  |  +--rw payload-content*              string
     |  |  +--rw context
     |  |     +--rw context-description?   string
     |  |     +--rw application
     |  |     |  +--rw description?   string
     |  |     |  +--rw object*        string
     |  |     |  +--rw group*         string
     |  |     |  +--rw label*         string
     |  |     |  +--rw category
     |  |     |     +--rw application-category* [name subcategory]
     |  |     |        +--rw name          string
     |  |     |        +--rw subcategory   string
     |  |     +--rw target
     |  |     |  +--rw description?   string
     |  |     |  +--rw device*        identityref
     |  |     +--rw users
     |  |     |  +--rw users-description?   string
     |  |     |  +--rw user* [user-id]
     |  |     |  |  +--rw user-id      uint32
     |  |     |  |  +--rw user-name?   string
     |  |     |  +--rw group* [group-id]
     |  |     |  |  +--rw group-id      uint32
     |  |     |  |  +--rw group-name?   string
     |  |     |  +--rw security-group?      string
     |  |     +--rw geography-location
     |  |        +--rw description?   string
     |  |        +--rw source*        string
     |  |        +--rw destination*   string
     |  +--rw action
     |     ...
     +--rw rule-group
        ...

Figure 3: YANG Tree Diagram for a Condition Clause

A condition clause is defined as a set of attributes, features, and/or values that are to be compared with a set of known attributes, features, and/or values in order to determine whether or not the set of actions in that (imperative) I2NSF policy rule can be executed. A condition clause is classified as a condition of generic network security functions, advanced network security functions, or context. A condition clause of generic network security functions is defined as IPv4 condition, IPv6 condition, TCP condition, UDP condition, SCTP condition, DCCP condition, and ICMP (ICMPv4 and ICMPv6) condition.

Note that the data model in this document does not focus only on IP addresses, but on all the fields of the IPv4 and IPv6 headers. The IPv4 and IPv6 headers are similar but differ in some fields. It is therefore better to handle the IPv4 and IPv6 headers separately, so that the differing fields can be used to handle IPv4 and IPv6 packets.

A condition clause of advanced network security functions is defined as URL category condition, voice condition, DDoS condition, or payload condition. A condition clause of context is defined as application condition, target condition, users condition, and geography condition.

Note that this document deals only with conditions of several advanced network security functions such as URL filter (i.e., web filter), VoIP/VoLTE security, and DDoS-attack mitigator. A condition clause of other advanced network security functions such as Intrusion Prevention System (IPS) and Data Loss Prevention (DLP) can be defined as an extension in the future. A condition clause can be extended according to specific vendor condition features. A condition clause is described in detail in [I-D.ietf-i2nsf-capability-data-model].

3.4. Action Clause

This section shows a YANG tree diagram for an action clause for a general I2NSF security policy rule for generic network security functions.

module: ietf-i2nsf-policy-rule-for-nsf
  +--rw i2nsf-security-policy* [system-policy-name]
     ...
     +--rw rules* [rule-name]
     |  ...
     |  +--rw event
     |  |  ...
     |  +--rw condition
     |  |  ...
     |  +--rw action
     |     +--rw action-clause-description?   string
     |     +--rw packet-action
     |     |  +--rw ingress-action?   identityref
     |     |  +--rw egress-action?    identityref
     |     |  +--rw log-action?       identityref
     |     +--rw flow-action
     |     |  +--rw ingress-action?   identityref
     |     |  +--rw egress-action?    identityref
     |     |  +--rw log-action?       identityref
     |     +--rw advanced-action
     |        +--rw content-security-control*    identityref
     |        +--rw attack-mitigation-control*   identityref
     +--rw rule-group
        ...

Figure 4: YANG Tree Diagram for an Action Clause

An action is used to control and monitor aspects of flow-based NSFs when the policy rule event and condition clauses are satisfied. NSFs provide security services by executing various actions. The action clause is defined as ingress action, egress action, or log action for packet action and flow action, plus advanced action for additional inspection. The packet action is an action for an individual packet such as an IP datagram, a stateless process that uses the packet's header and payload. The flow action is an action for a traffic flow such as the packets of a TCP session (e.g., an HTTP/HTTPS session), a stateful process that uses traffic flow information such as 5-tuple information, packet counts, and byte counts. The advanced action is an action for an advanced security service (e.g., URL filter, DDoS-attack mitigator, and VoIP/VoLTE filter) for either a packet or a traffic flow according to the intention of such an advanced security service. The action clause can be extended according to specific vendor action features. The action clause is described in detail in [I-D.ietf-i2nsf-capability-data-model].

4. YANG Data Model of NSF-Facing Interface

The main objective of this data model is to provide both an information model and the corresponding YANG data model of the I2NSF NSF-Facing Interface. This interface can be used to deliver control and management messages between the Security Controller and NSFs for I2NSF low-level security policies.

This data model is designed to support the I2NSF framework and can be extended according to security needs. In other words, the model design is independent of the content and meaning of specific policies as well as of the implementation approach.

With the YANG data model of the I2NSF NSF-Facing Interface, this document suggests use cases for security policy rules such as time-based firewall, web filter, VoIP/VoLTE security service, and DDoS-attack mitigation in Section 5.

4.1. YANG Module of NSF-Facing Interface

This section describes a YANG module of the NSF-Facing Interface. This document provides identities in the data model for the configuration of an NSF. Each identity has the same concept as the corresponding identity in [I-D.ietf-i2nsf-consumer-facing-interface-dm]. This YANG module imports from [RFC6991]. It makes references to [RFC0768] [RFC0791] [RFC0792] [RFC2474] [RFC3261] [RFC4340] [RFC4443] [RFC4960] [RFC5595] [RFC6335] [RFC8075] [RFC8200] [RFC8329] [RFC8335] [RFC8344] [IEEE-802.3] [ISO-Country-Codes] [IANA-Protocol-Numbers] [IANA-ICMP-Parameters] [IANA-ICMPv6-Parameters] [I-D.ietf-tcpm-rfc793bis] [I-D.ietf-i2nsf-capability-data-model] [I-D.ietf-i2nsf-nsf-monitoring-data-model].
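Before the module text itself, an added worked example (not part of the draft and not code from the I2NSF project) shows how an NSF could evaluate rules configured through this model: the event clause's time period (Section 3.2), the IPv4 destination-address choice between a prefix (with prefix-length or netmask) and an inclusive [start end] range together with TCP destination-port ranges (Section 3.3), the resolution strategies FMR, LMR, PMRE and PMRN and the default-action (Section 3.1), and the packet-action ingress-action that results (Section 3.4). Node names follow the tree diagrams; the packet representation, the semantics of an empty day list, a time window that crosses midnight, and PMRN falling back to the first match on a priority tie are assumptions made for this example, and the addresses are constructed documentation-range values.

```python
# Added example, not from the draft: a minimal Event-Condition-Action evaluator
# for the ietf-i2nsf-policy-rule-for-nsf structure.  Assumptions are marked.
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class Rule:
    rule_name: str
    rule_priority: int = 0
    rule_enable: bool = True
    # event/time/period: day* identityref, start-time?, end-time?
    # (assumed: empty day list and missing times mean "always"; window is inclusive)
    days: tuple = ()
    start_time: Optional[time] = None
    end_time: Optional[time] = None
    # condition/ipv4/destination-address: choice (match-type) prefix | range
    dst_prefix: Optional[IPv4Network] = None   # ipv4-prefix with prefix-length or netmask
    dst_range: Optional[tuple] = None          # ipv4-range [start end], inclusive
    # condition/tcp/destination-port-number* [start end], inclusive
    dst_ports: list = field(default_factory=list)
    # action/packet-action/ingress-action
    ingress_action: str = "pass"


@dataclass
class Policy:
    system_policy_name: str
    rules: list
    resolution_strategy: str = "fmr"   # fmr | lmr | pmre | pmrn
    default_action: str = "pass"       # pass | drop | rate-limit | mirror


WEEKDAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


def ipv4_prefix(ipv4: str, prefix_length=None, netmask=None) -> IPv4Network:
    """Build the (subnet) choice: either a prefix-length or a dotted-quad netmask."""
    suffix = prefix_length if prefix_length is not None else netmask
    return IPv4Network(f"{ipv4}/{suffix}" if suffix is not None else ipv4, strict=False)


def event_matches(rule: Rule, now: datetime) -> bool:
    """True when 'now' falls inside the rule's period (day list and time of day)."""
    if rule.days and WEEKDAYS[now.weekday()] not in rule.days:
        return False
    if rule.start_time is None or rule.end_time is None:
        return True
    t = now.time()
    if rule.start_time <= rule.end_time:
        return rule.start_time <= t <= rule.end_time
    return t >= rule.start_time or t <= rule.end_time   # assumed: window crossing midnight


def condition_matches(rule: Rule, pkt: dict) -> bool:
    """Every configured condition leaf must match; unconfigured leaves are wildcards."""
    dst = pkt["dst"]
    if rule.dst_prefix is not None and dst not in rule.dst_prefix:
        return False
    if rule.dst_range is not None and not (rule.dst_range[0] <= dst <= rule.dst_range[1]):
        return False
    if rule.dst_ports and not any(lo <= pkt.get("dst_port", -1) <= hi for lo, hi in rule.dst_ports):
        return False
    return True


def resolve(matched: list, strategy: str) -> Optional[Rule]:
    """Pick one rule out of those whose event and condition clauses matched."""
    if not matched:
        return None
    if strategy == "fmr":
        return matched[0]
    if strategy == "lmr":
        return matched[-1]
    if strategy in ("pmre", "pmrn"):
        top = max(r.rule_priority for r in matched)
        winners = [r for r in matched if r.rule_priority == top]
        if len(winners) > 1 and strategy == "pmre":
            raise ValueError("conflicting rules with equal priority: "
                             + ", ".join(r.rule_name for r in winners))
        return winners[0]   # pmrn: assumed to fall back to the first match on a tie
    raise ValueError(f"unknown resolution strategy {strategy!r}")


def evaluate(policy: Policy, pkt: dict, now: datetime) -> str:
    """Return the ingress-action of the resolved rule, or the default-action."""
    matched = [r for r in policy.rules
               if r.rule_enable and event_matches(r, now) and condition_matches(r, pkt)]
    rule = resolve(matched, policy.resolution_strategy)
    return rule.ingress_action if rule else policy.default_action


# Constructed sample policy (documentation addresses, not real hosts).
SAMPLE_POLICY = Policy(
    system_policy_name="example-policy", resolution_strategy="pmre", default_action="pass",
    rules=[
        Rule("block-web-business-hours", rule_priority=10,
             days=("monday", "tuesday", "wednesday", "thursday", "friday"),
             start_time=time(9, 0), end_time=time(18, 0),
             dst_prefix=ipv4_prefix("192.0.2.0", netmask="255.255.255.0"),
             dst_ports=[(80, 80), (443, 443)], ingress_action="drop"),
        Rule("mirror-range", rule_priority=5,
             dst_range=(IPv4Address("192.0.2.8"), IPv4Address("192.0.2.15")),
             ingress_action="mirror"),
    ])


def demo() -> tuple:
    """Evaluate constructed packets; returns the chosen actions in order."""
    web = {"dst": IPv4Address("192.0.2.10"), "dst_port": 443}
    ssh = {"dst": IPv4Address("198.51.100.1"), "dst_port": 22}
    monday_noon = datetime(2021, 11, 15, 12, 0)   # a Monday inside business hours
    sunday_noon = datetime(2021, 11, 14, 12, 0)
    return (evaluate(SAMPLE_POLICY, web, monday_noon),   # both rules match; priority 10 wins
            evaluate(SAMPLE_POLICY, web, sunday_noon),   # day list excludes Sunday
            evaluate(SAMPLE_POLICY, ssh, monday_noon))   # nothing matches: default-action


def conflict_demo() -> str:
    """Two matched rules with equal priority: PMRE reports the conflict, PMRN tolerates it."""
    tied = [Rule("a", rule_priority=1, ingress_action="drop"),
            Rule("b", rule_priority=1, ingress_action="pass")]
    try:
        resolve(tied, "pmre")
    except ValueError as err:
        return f"pmre: {err}; pmrn: {resolve(tied, 'pmrn').rule_name}"
    return "pmre: no conflict reported"


if __name__ == "__main__":
    print(demo())
    print(conflict_demo())
```

The point worth noting for a deployment is the PMRE/PMRN difference: with PMRE a priority tie between two matching rules is surfaced as an error at evaluation time, which is the safer choice when a rule set is assembled from several sources, whereas PMRN silently picks one of the tied rules and the effective action depends on rule order.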
<CODE BEGINS> file "ietf-i2nsf-policy-rule-for-nsf@2021-11-13.yang"
module ietf-i2nsf-policy-rule-for-nsf {
  yang-version 1.1;
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf";
  prefix
    nsfintf;

  import ietf-inet-types{
    prefix inet;
    reference
      "Section 4 of RFC 6991";
  }
  import ietf-yang-types {
    prefix yang;
    reference
      "Section 3 of RFC 6991";
  }

  organization
    "IETF I2NSF (Interface to Network Security Functions)
     Working Group";

  contact
    "WG Web:
     WG List:

     Editor: Jinyong Tim Kim

     Editor: Jaehoon Paul Jeong
     ";

  description
    "This module is a YANG module for Network Security Functions
     (NSF)-Facing Interface.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
     'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
     'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
     document are to be interpreted as described in BCP 14
     (RFC 2119) (RFC 8174) when, and only when, they appear
     in all capitals, as shown here.

     Copyright (c) 2021 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Simplified BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX
     (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
     for full legal notices.";

  revision "2021-11-13"{
    description "The latest revision.";
    reference
      "RFC XXXX: I2NSF Network Security Function-Facing Interface
       YANG Data Model";
  }

  /*
   * Identities
   */

  identity priority-usage {
    description
      "Base identity for priority usage type.";
  }

  identity priority-by-order {
    base priority-usage;
    description
      "Identity for priority by order";
  }

  identity priority-by-number {
    base priority-usage;
    description
      "Identity for priority by number";
  }

  identity event {
    description
      "Base identity for policy events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
       Monitoring YANG Data Model - Event";
  }

  identity system-event {
    base event;
    description
      "Identity for system events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
       Monitoring YANG Data Model - System event";
  }

  identity system-alarm {
    base event;
    description
      "Identity for system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
       Monitoring YANG Data Model - System alarm";
  }

  identity access-violation {
    base system-event;
    description
      "Identity for access violation
       system events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
       Monitoring YANG Data Model - System event for access
       violation";
  }

  identity configuration-change {
    base system-event;
    description
      "Identity for configuration change
       system events";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
       Monitoring YANG Data Model - System event for configuration
       change";
  }

  identity memory-alarm {
    base system-alarm;
    description
      "Identity for memory alarm
       system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
       Monitoring YANG Data Model - System alarm for memory";
  }

  identity cpu-alarm {
    base system-alarm;
    description
      "Identity for CPU alarm
       system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
       Monitoring YANG Data Model - System alarm for CPU";
  }

  identity disk-alarm {
    base system-alarm;
    description
      "Identity for disk alarm
       system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
       Monitoring YANG Data Model - System alarm for disk";
  }

  identity hardware-alarm {
    base system-alarm;
    description
      "Identity for hardware alarm
       system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
       Monitoring YANG Data Model - System alarm for hardware";
  }

  identity interface-alarm {
    base system-alarm;
    description
      "Identity for interface alarm
       system alarms";
    reference
      "draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF NSF
       Monitoring YANG Data Model - System alarm for interface";
  }

  identity fragmentation-flags {
    description
      "Base identity for fragmentation flags type";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity fragment {
    base fragmentation-flags;
    description
      "Identity for 'More fragment' flag";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity no-fragment {
    base fragmentation-flags;
    description
      "Identity for 'Do not fragment' flag";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity reserved {
    base fragmentation-flags;
    description
      "Identity for reserved flags";
    reference
      "RFC 791: Internet Protocol - Fragmentation Flags";
  }

  identity ipopts {
    description
      "Base identity for IP options";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity rr {
    base ipopts;
    description
      "Identity for 'Record Route' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity eol {
    base ipopts;
    description
      "Identity for 'End of List' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity nop {
    base ipopts;
    description
      "Identity for 'No Operation' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity ts {
    base ipopts;
    description
      "Identity for 'Timestamp' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity sec {
    base ipopts;
    description
      "Identity for 'IP security' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity esec {
    base ipopts;
    description
      "Identity for 'IP extended security' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity lsrr {
    base ipopts;
    description
      "Identity for 'Loose Source Routing' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity ssrr {
    base ipopts;
    description
      "Identity for 'Strict Source Routing' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity satid {
    base ipopts;
    description
      "Identity for 'Stream Identifier' IP Option";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity any {
    base ipopts;
    description
      "Identity for any IP options
       included in an IPv4 packet";
    reference
      "RFC 791: Internet Protocol - Options";
  }

  identity tcp-flags {
    description
      "Base identity for TCP flags";
    reference
      "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
       (TCP) Specification - TCP Header Flags
       RFC 3168: The Addition of Explicit Congestion Notification
       (ECN) to IP - ECN-Echo (ECE) Flag and Congestion Window
       Reduced (CWR) Flag
       draft-ietf-tcpm-accurate-ecn-15: More Accurate ECN Feedback
       in TCP - ECN-Echo (ECE) Flag and Congestion Window Reduced
       (CWR) Flag";
  }

  identity cwr {
    base tcp-flags;
    description
      "Identity for 'Congestion Window Reduced' TCP flag";
    reference
      "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
       (TCP) Specification - TCP Header Flags
       RFC 3168: The Addition of Explicit Congestion Notification
       (ECN) to IP - ECN-Echo (ECE) Flag and Congestion Window
       Reduced (CWR) Flag
       draft-ietf-tcpm-accurate-ecn-15: More Accurate ECN Feedback
       in TCP - ECN-Echo (ECE) Flag and Congestion Window Reduced
       (CWR) Flag";
  }

  identity ece {
    base tcp-flags;
    description
      "Identity for 'Explicit Congestion Notification-Echo'
       TCP flag";
    reference
      "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
       (TCP) Specification - TCP Header Flags
       RFC 3168: The Addition of Explicit Congestion Notification
       (ECN) to IP - ECN-Echo (ECE) Flag and Congestion Window
       Reduced (CWR) Flag
       draft-ietf-tcpm-accurate-ecn-15: More Accurate ECN Feedback
       in TCP - ECN-Echo (ECE) Flag and Congestion Window Reduced
       (CWR) Flag";
  }

  identity urg {
    base tcp-flags;
    description
      "Identity for 'Urgent' TCP flag";
    reference
      "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
       (TCP) Specification - Flags";
  }

  identity ack {
    base tcp-flags;
    description
      "Identity for 'Acknowledgement' TCP flag";
    reference
      "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
       (TCP) Specification - Flags";
  }

  identity psh {
    base tcp-flags;
    description
      "Identity for 'Push' TCP flag";
    reference
      "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
       (TCP) Specification - Flags";
  }

  identity rst {
    base tcp-flags;
    description
      "Identity for 'Reset' TCP flag";
    reference
      "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
       (TCP) Specification - Flags";
  }

  identity syn {
    base tcp-flags;
    description
      "Identity for 'Synchronize' TCP flag";
    reference
      "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
       (TCP) Specification - Flags";
  }

  identity fin {
    base tcp-flags;
    description
      "Identity for 'Finish' TCP flag";
    reference
      "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
       (TCP) Specification - Flags";
  }

  identity target-device {
    description
      "Base identity for target devices";
    reference
      "draft-ietf-i2nsf-capability-data-model-21:
       I2NSF Capability YANG Data Model";
  }

  identity computer {
    base target-device;
    description
      "Identity for computer such as personal computer (PC)
       and server";
  }

  identity mobile-phone {
    base target-device;
    description
      "Identity for mobile-phone such as smartphone and
       cellphone";
  }

  identity voip-volte-phone {
    base target-device;
    description
      "Identity for voip-volte-phone";
  }

  identity tablet {
    base target-device;
    description
      "Identity for tablet";
  }

  identity network-infrastructure-device {
    base target-device;
    description
      "Identity for network infrastructure devices
       such as switch, router, and access point";
  }

  identity iot-device {
    base target-device;
    description
      "Identity for IoT (Internet of Things) devices";
  }

  identity ot {
    base target-device;
    description
      "Identity for Operational Technology";
  }

  identity vehicle {
    base target-device;
    description
      "Identity for vehicle that connects to and shares
       data through the Internet";
  }

  identity advanced-nsf {
    description
      "Base identity for advanced Network Security Function (NSF)
       capability. This can be used for advanced NSFs such as
       Anti-DDoS Attack, IPS, URL-Filtering, Antivirus,
       and VoIP/VoLTE Filter.";
    reference
      "draft-ietf-i2nsf-capability-data-model-21:
       I2NSF Capability YANG Data Model";
  }

  identity content-security-control {
    base advanced-nsf;
    description
      "Base identity for content security control";
    reference
      "draft-ietf-i2nsf-capability-data-model-21:
       I2NSF Capability YANG Data Model";
  }

  identity ips {
    base content-security-control;
    description
      "Identity for IPS (Intrusion Prevention System)
       that prevents malicious activity within a network";
  }

  identity url-filtering {
    base content-security-control;
    description
      "Identity for URL filtering that limits access by comparing the
       web traffic's URL with the URLs for web filtering in a
       database";
  }

  identity anti-virus {
    base content-security-control;
    description
      "Identity for antivirus to protect the network by detecting and
       removing viruses or malware.";
  }

  identity voip-volte-filter {
    base content-security-control;
    description
      "Identity for VoIP/VoLTE security service that filters out the
       packets or flows of malicious users with a deny list of
       malicious users in a database";
  }

  identity attack-mitigation-control {
    base advanced-nsf;
    description
      "Base identity for attack mitigation control";
    reference
      "draft-ietf-i2nsf-capability-data-model-21:
       I2NSF Capability YANG Data Model";
  }

  identity anti-ddos {
    base attack-mitigation-control;
    description
      "Identity for advanced NSF Anti-DDoS or DDoS Mitigator
       capability.";
  }

  identity action {
    description
      "Base identity for action";
  }

  identity ingress-action {
    base action;
    description
      "Base identity for ingress action";
    reference
"draft-ietf-i2nsf-capability-data-model-21: 1089 I2NSF Capability YANG Data Model - Ingress Action"; 1090 } 1092 identity egress-action { 1093 base action; 1094 description 1095 "Base identity for egress action"; 1096 reference 1097 "draft-ietf-i2nsf-capability-data-model-21: 1098 I2NSF Capability YANG Data Model - Egress Action"; 1099 } 1101 identity default-action { 1102 base action; 1103 description 1104 "Base identity for default action"; 1105 reference 1106 "draft-ietf-i2nsf-capability-data-model-21: 1107 I2NSF Capability YANG Data Model - Default Action"; 1108 } 1110 identity pass { 1111 base ingress-action; 1112 base egress-action; 1113 base default-action; 1114 description 1115 "Identity for pass"; 1116 reference 1117 "draft-ietf-i2nsf-capability-data-model-21: 1118 I2NSF Capability YANG Data Model - Actions and 1119 Default Action"; 1120 } 1122 identity drop { 1123 base ingress-action; 1124 base egress-action; 1125 base default-action; 1126 description 1127 "Identity for drop"; 1128 reference 1129 "draft-ietf-i2nsf-capability-data-model-21: 1130 I2NSF Capability YANG Data Model - Actions and 1131 Default Action"; 1132 } 1134 identity mirror { 1135 base ingress-action; 1136 base egress-action; 1137 base default-action; 1138 description 1139 "Identity for mirror"; 1140 reference 1141 "draft-ietf-i2nsf-capability-data-model-21: 1142 I2NSF Capability YANG Data Model - Actions and 1143 Default Action"; 1144 } 1146 identity rate-limit { 1147 base ingress-action; 1148 base egress-action; 1149 base default-action; 1150 description 1151 "Identity for rate limiting action"; 1152 reference 1153 "draft-ietf-i2nsf-capability-data-model-21: 1154 I2NSF Capability YANG Data Model - Actions and 1155 Default Action"; 1156 } 1158 identity log-action { 1159 base action; 1160 description 1161 "Base identity for log action"; 1162 } 1164 identity rule-log { 1165 base log-action; 1166 description 1167 "Identity for rule log"; 1168 } 1170 identity session-log { 1171 base 
log-action; 1172 description 1173 "Identity for session log"; 1174 } 1176 identity invoke-signaling { 1177 base egress-action; 1178 description 1179 "Identity for invoke signaling. This action conveys 1180 information of the event triggering this action to a 1181 monitoring entity."; 1182 } 1184 identity tunnel-encapsulation { 1185 base egress-action; 1186 description 1187 "Identity for tunnel encapsulation. This action encapsulates 1188 the packet to be tunneled across the network to enable 1189 a secure connection."; 1190 } 1192 identity forwarding { 1193 base egress-action; 1194 description 1195 "Identity for forwarding. This action forwards the packet to 1196 another node in the network."; 1197 } 1199 identity transformation { 1200 base egress-action; 1201 description 1202 "Identity for transformation. This action transforms the 1203 packet by modifying its protocol header such as HTTP-to-CoAP 1204 translation."; 1205 reference 1206 "RFC 8075: Guidelines for Mapping Implementations: HTTP to the 1207 Constrained Application Protocol (CoAP) - Translation between 1208 HTTP and CoAP."; 1209 } 1211 identity redirection { 1212 base egress-action; 1213 description 1214 "Identity for redirection"; 1215 } 1217 identity resolution-strategy { 1218 description 1219 "Base identity for resolution strategy"; 1220 reference 1221 "draft-ietf-i2nsf-capability-data-model-21: 1222 I2NSF Capability YANG Data Model - Resolution Strategy"; 1223 } 1225 identity fmr { 1226 base resolution-strategy; 1227 description 1228 "Identity for First Matching Rule (FMR)"; 1229 reference 1230 "draft-ietf-i2nsf-capability-data-model-21: 1231 I2NSF Capability YANG Data Model - Resolution Strategy"; 1232 } 1234 identity lmr { 1235 base resolution-strategy; 1236 description 1237 "Identity for Last Matching Rule (LMR)"; 1238 reference 1239 "draft-ietf-i2nsf-capability-data-model-21: 1240 I2NSF Capability YANG Data Model - Resolution Strategy"; 1241 } 1243 identity pmr { 1244 base resolution-strategy; 
1245 description 1246 "Identity for Prioritized Matching Rule (PMR)"; 1247 reference 1248 "draft-ietf-i2nsf-capability-data-model-21: 1249 I2NSF Capability YANG Data Model - Resolution Strategy"; 1250 } 1252 identity pmre { 1253 base resolution-strategy; 1254 description 1255 "Identity for Prioritized Matching Rule 1256 with Errors (PMRE)"; 1257 reference 1258 "draft-ietf-i2nsf-capability-data-model-21: 1259 I2NSF Capability YANG Data Model - Resolution Strategy"; 1260 } 1262 identity pmrn { 1263 base resolution-strategy; 1264 description 1265 "Identity for Prioritized Matching Rule 1266 with No Errors (PMRN)"; 1267 reference 1268 "draft-ietf-i2nsf-capability-data-model-21: 1269 I2NSF Capability YANG Data Model - Resolution Strategy"; 1270 } 1272 identity day { 1273 description 1274 "This represents the base for days."; 1275 } 1277 identity monday { 1278 base day; 1279 description 1280 "This represents Monday."; 1281 } 1283 identity tuesday { 1284 base day; 1285 description 1286 "This represents Tuesday."; 1287 } 1289 identity wednesday { 1290 base day; 1291 description 1292 "This represents Wednesday."; 1293 } 1295 identity thursday { 1296 base day; 1297 description 1298 "This represents Thursday."; 1299 } 1301 identity friday { 1302 base day; 1303 description 1304 "This represents Friday."; 1305 } 1307 identity saturday { 1308 base day; 1309 description 1310 "This represents Saturday."; 1311 } 1313 identity sunday { 1314 base day; 1315 description 1316 "This represents Sunday."; 1317 } 1319 /* 1320 * Typedefs 1321 */ 1323 typedef time { 1324 type string { 1325 pattern '(0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](\.\d+)?' 
1326 + '(Z|[\+\-]((1[0-3]|0[0-9]):([0-5][0-9])|14:00))?'; 1327 } 1328 description 1329 "The time type represents an instance of time of zero-duration 1330 that recurs every day."; 1331 } 1333 /* 1334 * Groupings 1335 */ 1337 grouping ipv4-prefix { 1338 description 1339 "The list of IPv4 addresses."; 1340 leaf ipv4 { 1341 type inet:ipv4-address-no-zone; 1342 description 1343 "The value of IPv4 address."; 1344 } 1345 choice subnet { 1346 description 1347 "The subnet can be specified as a prefix length or 1348 netmask."; 1349 leaf prefix-length { 1350 type uint8 { 1351 range "0..32"; 1353 } 1354 description 1355 "The length of the subnet prefix."; 1356 } 1357 leaf netmask { 1358 type yang:dotted-quad; 1359 description 1360 "The subnet specified as a netmask."; 1361 } 1362 } 1363 reference 1364 "RFC 791: Internet Protocol - IPv4 address 1365 RFC 8344: A YANG Data Model for IP Management"; 1366 } 1368 grouping ipv6-prefix { 1369 description 1370 "The list of IPv6 addresses."; 1371 leaf ipv6 { 1372 type inet:ipv6-address-no-zone; 1373 description 1374 "The value of IPv6 address."; 1375 } 1376 leaf prefix-length { 1377 type uint8 { 1378 range "0..128"; 1379 } 1380 description 1381 "The length of the subnet prefix."; 1382 } 1383 reference 1384 "RFC 8200: Internet Protocol, Version 6 (IPv6) 1385 Specification - IPv6 address 1386 RFC 8344: A YANG Data Model for IP Management"; 1387 } 1389 grouping ipv4-range { 1390 description 1391 "Range match for the IPv4 addresses. If only one value is 1392 needed, then set both start and end to the same value. 
1393 The end IPv4 address MUST be equal or greater than the 1394 start IPv4 address."; 1395 leaf start { 1396 type inet:ipv4-address-no-zone; 1397 description 1398 "Starting IPv4 address for a range match."; 1399 } 1400 leaf end { 1401 type inet:ipv4-address-no-zone; 1402 description 1403 "Ending IPv4 address for a range match."; 1404 } 1405 reference 1406 "RFC 791: Internet Protocol - IPv4 address"; 1407 } 1409 grouping ipv6-range { 1410 description 1411 "Range match for the IPv6 addresses. If only one value is 1412 needed, then set both start and end to the same value. 1413 The end IPv6 address number MUST be equal to or greater than 1414 the start IPv6 address."; 1415 leaf start { 1416 type inet:ipv6-address-no-zone; 1417 description 1418 "Starting IPv6 address for a range match."; 1419 } 1421 leaf end { 1422 type inet:ipv6-address-no-zone; 1423 description 1424 "Ending IPv6 address for a range match."; 1425 } 1426 reference 1427 "RFC 8200: Internet Protocol, Version 6 (IPv6) 1428 Specification - IPv6 address"; 1429 } 1431 grouping ipv4-address { 1432 description 1433 "Grouping for IPv4 address. IPv4 address can be in the form of 1434 prefix or range."; 1435 choice match-type { 1436 description 1437 "Choose between Prefix or Range"; 1438 case prefix { 1439 list ipv4-prefix { 1440 key "ipv4"; 1441 uses ipv4-prefix; 1442 description 1443 "The list of IPv4 addresses specified with an 1444 IPv4 address and a prefix-length or 1445 a netmask."; 1446 } 1447 } 1448 case range { 1449 list ipv4-range { 1450 key "start end"; 1451 uses ipv4-range; 1452 description 1453 "The list of IPv4 address specified with a 1454 start IPv4 address and an end IPv4 address. 1455 If only one value is needed, then set both 1456 start and end to the same value."; 1457 } 1458 } 1459 } 1460 } 1462 grouping ipv6-address { 1463 description 1464 "Grouping for IPv6 address. 
IPv6 address can be in the form of 1465 prefix or range."; 1466 choice match-type { 1467 description 1468 "Choose between Prefix or Range"; 1469 case prefix { 1470 list ipv6-prefix { 1471 key "ipv6"; 1472 uses ipv6-prefix; 1473 description 1474 "The list of IPv6 addresses specified with an 1475 IPv6 address and a prefix-length."; 1476 } 1477 } 1478 case range { 1479 list ipv6-range { 1480 key "start end"; 1481 uses ipv6-range; 1482 description 1483 "The list of IPv6 address specified with a 1484 start IPv6 address and an end IPv6 address. 1485 If only one value is needed, then set both 1486 start and end to the same value."; 1487 } 1488 } 1489 } 1490 } 1492 grouping port-range { 1493 leaf start { 1494 type inet:port-number; 1495 description 1496 "Starting port number for a range match."; 1498 } 1499 leaf end { 1500 type inet:port-number; 1501 must '. >= ../start' { 1502 error-message 1503 "The end port number MUST be equal to or greater than the 1504 start port number."; 1505 } 1506 description 1507 "Ending port number for a range match."; 1508 } 1509 description 1510 "Range match for the port numbers. If only one value is needed, 1511 then set both start and end to the same value."; 1512 reference 1513 "draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol 1514 (TCP) Specification - Port Number 1515 RFC 768: User Datagram Protocol - Port Number 1516 RFC 4960: Stream Control Transmission Protocol - Port Number 1517 RFC 4340: Datagram Congestion Control Protocol (DCCP) 1518 - Port Number"; 1519 } 1521 /* 1522 * Data nodes 1523 */ 1525 list i2nsf-security-policy { 1527 key "system-policy-name"; 1529 description 1530 "Container for security policy 1531 including a set of security rules according to certain logic, 1532 i.e., their similarity or mutual relations, etc. The network 1533 security policy can be applied to both the unidirectional 1534 and bidirectional traffic across the NSF. 
1535 The I2NSF security policies use the Event-Condition-Action 1536 (ECA) policy model "; 1538 reference 1539 "RFC 8329: Framework for Interface to Network Security 1540 Functions - I2NSF Flow Security Policy Structure 1541 draft-ietf-i2nsf-capability-data-model-21: 1542 I2NSF Capability YANG Data Model - Design Principles and 1543 ECA Policy Model Overview"; 1545 leaf system-policy-name { 1546 type string; 1547 description 1548 "The name of the policy. 1549 This must be unique."; 1550 } 1552 leaf priority-usage { 1553 type identityref { 1554 base priority-usage; 1555 } 1556 default priority-by-order; 1557 description 1558 "Priority usage type for security policy rule: 1559 priority by order and priority by number"; 1560 } 1562 leaf resolution-strategy { 1563 type identityref { 1564 base resolution-strategy; 1565 } 1566 default fmr; 1567 description 1568 "The resolution strategies that can be used to 1569 specify how to resolve conflicts that occur between 1570 actions of the same or different policy rules that 1571 are matched and contained in this particular NSF"; 1573 reference 1574 "draft-ietf-i2nsf-capability-data-model-21: 1575 I2NSF Capability YANG Data Model - Resolution strategy"; 1576 } 1578 leaf default-action { 1579 type identityref { 1580 base default-action; 1581 } 1582 default mirror; 1583 description 1584 "This default action can be used to specify a predefined 1585 action when no other alternative action was matched 1586 by the currently executing I2NSF Policy Rule. 
An analogy 1587 is the use of a default statement in a C switch statement."; 1588 reference 1589 "draft-ietf-i2nsf-capability-data-model-21: 1590 I2NSF Capability YANG Data Model - Default Action"; 1591 } 1593 list rules { 1594 key "rule-name"; 1595 description 1596 "This is a rule for network security functions."; 1598 leaf rule-name { 1599 type string; 1600 description 1601 "The name of the rule."; 1602 } 1604 leaf rule-description { 1605 type string; 1606 description 1607 "This description gives more information about 1608 rules."; 1609 } 1611 leaf rule-priority { 1612 type uint8 { 1613 range "1..255"; 1614 } 1615 description 1616 "The priority keyword comes with a mandatory 1617 numeric value which can range from 1 up to 255. 1618 Note that a higher number means a higher priority"; 1619 } 1621 leaf rule-enable { 1622 type boolean; 1623 description 1624 "True is enable. 1625 False is not enable."; 1626 } 1628 leaf session-aging-time { 1629 type uint16; 1630 units "second"; 1631 description 1632 "This is session aging time."; 1633 } 1635 container long-connection { 1636 description 1637 "A container for long connection. A long connection is a 1638 connection that is maintained after the socket connection 1639 is established, regardless of whether it is used for data 1640 traffic or not."; 1642 leaf enable { 1643 type boolean; 1644 description 1645 "True is enabled. 1646 False is not enabled."; 1647 } 1649 leaf duration { 1650 type uint16; 1651 units "second"; 1652 description 1653 "This is the duration of the long-connection."; 1654 } 1655 } 1657 container event { 1658 description 1659 "An event is defined as any important 1660 occurrence in time of a change in the system being 1661 managed, and/or in the environment of the system being 1662 managed. When used in the context of policy rules for 1663 a flow-based NSF, it is used to determine whether the 1664 Condition clause of the Policy Rule can be evaluated 1665 or not. 
Examples of an I2NSF event include time and 1666 user actions (e.g., logon, logoff, and actions that 1667 violate any ACL.)."; 1669 reference 1670 "RFC 8329: Framework for Interface to Network Security 1671 Functions - I2NSF Flow Security Policy Structure 1672 draft-ietf-i2nsf-capability-data-model-21: 1673 I2NSF Capability YANG Data Model - Design Principles and 1674 ECA Policy Model Overview 1675 draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF 1676 NSF Monitoring YANG Data Model - Alarms, Events, Logs, 1677 and Counters"; 1679 leaf event-clause-description { 1680 type string; 1681 description 1682 "Description for an event clause"; 1683 } 1685 container time { 1686 description 1687 "Time to determine when the policy should be applied"; 1688 leaf start-date-time { 1689 type yang:date-and-time; 1690 description 1691 "This is the start date and time for a security policy 1692 rule."; 1693 } 1695 leaf end-date-time { 1696 type yang:date-and-time; 1697 description 1698 "This is the end date and time for a policy rule. The 1699 policy rule will stop working after the specified 1700 end-date-time."; 1701 } 1703 container period { 1704 when 1705 "../frequency!='only-once'"; 1706 description 1707 "This represents the repetition time. In the case 1708 where the frequency is weekly, the days can be set."; 1709 leaf start-time { 1710 type time; 1711 description 1712 "This is a period's start time for an event."; 1713 } 1714 leaf end-time { 1715 type time; 1716 description 1717 "This is a period's end time for an event."; 1718 } 1719 leaf-list day { 1720 when 1721 "../../frequency='weekly'"; 1722 type identityref{ 1723 base day; 1724 } 1725 min-elements 1; 1726 description 1727 "This represents the repeated day of every week 1728 (e.g., Monday and Tuesday). 
More than one day can 1729 be specified."; 1730 } 1731 leaf-list date { 1732 when 1733 "../../frequency='monthly'"; 1734 type int32{ 1735 range "1..31"; 1736 } 1737 min-elements 1; 1738 description 1739 "This represents the repeated date of every month. 1740 More than one date can be specified."; 1741 } 1742 leaf-list month { 1743 when 1744 "../../frequency='yearly'"; 1745 type string{ 1746 pattern '\d{2}-\d{2}'; 1747 } 1748 min-elements 1; 1749 description 1750 "This represents the repeated date and month of every 1751 year. More than one can be specified. A pattern 1752 used here is Month and Date (MM-DD)."; 1753 } 1754 } 1756 leaf frequency { 1757 type enumeration { 1758 enum only-once { 1759 description 1760 "This represents that the rule is immediately 1761 enforcedonly once and not repeated. The policy 1762 will continuously be active from the start-time 1763 to the end-time."; 1764 } 1765 enum daily { 1766 description 1767 "This represents that the rule is enforced on a 1768 daily basis. The policy will be repeated 1769 daily until the end-date."; 1770 } 1771 enum weekly { 1772 description 1773 "This represents that the rule is enforced on a 1774 weekly basis. The policy will be repeated weekly 1775 until the end-date. The repeated days can be 1776 specified."; 1777 } 1778 enum monthly { 1779 description 1780 "This represents that the rule is enforced on a 1781 monthly basis. The policy will be repeated monthly 1782 until the end-date."; 1783 } 1784 enum yearly { 1785 description 1786 "This represents that the rule is enforced on 1787 a yearly basis. 
The policy will be repeated 1788 yearly until the end-date."; 1789 } 1790 } 1791 default only-once; 1792 description 1793 "This represents how frequently the rule 1794 should be enforced."; 1795 } 1796 } 1798 container event-clauses { 1799 description 1800 "System Event Clause - either a system event or 1801 system alarm"; 1802 reference 1803 "RFC 8329: Framework for Interface to Network Security 1804 Functions - I2NSF Flow Security Policy Structure 1805 draft-ietf-i2nsf-capability-data-model-21: 1806 I2NSF Capability YANG Data Model - Design Principles and 1807 ECA Policy Model Overview 1808 draft-ietf-i2nsf-nsf-monitoring-data-model-11: I2NSF 1809 NSF Monitoring YANG Data Model - Alarms, Events, Logs, 1810 and Counters"; 1812 leaf-list system-event { 1813 type identityref { 1814 base system-event; 1815 } 1816 description 1817 "The security policy rule according to 1818 system events."; 1819 } 1821 leaf-list system-alarm { 1822 type identityref { 1823 base system-alarm; 1824 } 1825 description 1826 "The security policy rule according to 1827 system alarms."; 1828 } 1829 } 1830 } 1832 container condition { 1833 description 1834 "A condition is defined as a set 1835 of attributes, features, and/or values that are to be 1836 compared with a set of known attributes, features, 1837 and/or values in order to determine whether or not the 1838 set of Actions in that (imperative) I2NSF Policy Rule 1839 can be executed or not. 
Examples of I2NSF Conditions 1840 include matching attributes of a packet or flow, and 1841 comparing the internal state of an NSF to a desired 1842 state."; 1843 reference 1844 "RFC 8329: Framework for Interface to Network Security 1845 Functions - I2NSF Flow Security Policy Structure 1846 draft-ietf-i2nsf-capability-data-model-21: 1847 I2NSF Capability YANG Data Model - Design Principles and 1848 ECA Policy Model Overview"; 1850 leaf condition-clause-description { 1851 type string; 1852 description 1853 "Description for a condition clause."; 1854 } 1856 container ethernet { 1857 description 1858 "The purpose of this container is to represent layer 2 1859 packet header information to determine the set of policy 1860 actions in this ECA policy rule should be executed or 1861 not."; 1862 reference 1863 "IEEE 802.3: IEEE Standard for Ethernet"; 1865 leaf ethernet-description { 1866 type string; 1867 description 1868 "The MAC Condition description"; 1869 } 1871 leaf-list source-address { 1872 type yang:mac-address; 1873 description 1874 "The condition for source Media Access Control (MAC) 1875 Address of a Layer 2 packet. Multiple source MAC 1876 Addresses can be given in a single rule."; 1877 reference 1878 "IEEE 802.3: IEEE Standard for Ethernet"; 1879 } 1881 leaf-list destination-address { 1882 type yang:mac-address; 1883 description 1884 "The condition for destination Media Access Control 1885 (MAC) Address of a Layer 2 packet. Multiple 1886 destination MAC Addresses can be given in a 1887 single rule."; 1888 reference 1889 "IEEE 802.3: IEEE Standard for Ethernet"; 1890 } 1892 leaf-list ether-type { 1893 type uint16; 1894 description 1895 "The condition for matching the 2-octet of IEEE 802.3 1896 Length/Type field. 
Can be specified with decimal or 1897 hexadecimal from 0 through 65535 (0xFFFF) 1899 A value from 0 through 1500 (0x05DC) specifies the 1900 number of MAC client data octets contained in the 1901 subsequent MAC Client Data Field of the basic frame 1903 A value greater than or equal to 1536 (0x0600) 1904 specifies that the Length/Type field indicates 1905 Ethertype of the MAC client protocol"; 1906 reference 1907 "IEEE 802.3: IEEE Standard for Ethernet"; 1908 } 1909 } 1911 container ipv4 { 1912 description 1913 "The purpose of this container is to represent IPv4 1914 packet header information to determine if the set 1915 of policy actions in this ECA policy rule should be 1916 executed or not."; 1917 reference 1918 "RFC 791: Internet Protocol"; 1920 leaf description { 1921 type string; 1922 description 1923 "ipv4 condition textual description."; 1924 } 1926 list header-length { 1927 key "start end"; 1928 leaf start{ 1929 type uint8 { 1930 range "5..15"; 1931 } 1932 description 1933 "Starting IPv4 header length for a range match."; 1934 } 1936 leaf end { 1937 type uint8 { 1938 range "5..15"; 1939 } 1940 must '. >= ../start' { 1941 error-message 1942 "The end header length MUST be equal to or greater 1943 than the start header length."; 1944 } 1945 description 1946 "Ending IPv4 header length for a range match."; 1947 } 1948 description 1949 "The security policy rule according to 1950 IPv4 header length. 
If only one value is needed, then 1951 set both start and end to the same value."; 1952 reference 1953 "RFC 791: Internet Protocol - Header length"; 1954 } 1956 leaf-list dscp { 1957 type inet:dscp; 1958 description 1959 "The security policy rule according to 1960 IPv4 type of service for DSCP."; 1961 reference 1962 "RFC 791: Internet Protocol - Type of service 1963 RFC 2474: Definition of the Differentiated 1964 Services Field (DS Field) in the IPv4 and 1965 IPv6 Headers."; 1966 } 1968 list total-length { 1969 key "start end"; 1970 leaf start { 1971 type uint16; 1972 description 1973 "Starting IPv4 total length for a range match."; 1974 } 1975 leaf end { 1976 type uint16; 1977 must '. >= ../start' { 1978 error-message 1979 "The end total length MUST be equal to or greater 1980 than the start total length."; 1981 } 1982 description 1983 "Ending IPv4 total length for a range match."; 1984 } 1985 description 1986 "The security policy rule according to 1987 IPv4 total length. If only one value is needed, then 1988 set both start and end to the same value."; 1989 reference 1990 "RFC 791: Internet Protocol - Total length"; 1991 } 1993 leaf-list identification { 1994 type uint16; 1995 description 1996 "The security policy rule according to 1997 IPv4 identification."; 1998 reference 1999 "RFC 791: Internet Protocol - Identification"; 2000 } 2002 leaf-list fragment-flags { 2003 type identityref { 2004 base fragmentation-flags; 2005 } 2006 description 2007 "The security policy rule according to 2008 IPv4 fragment flags."; 2009 reference 2010 "RFC 791: Internet Protocol - Fragment flags"; 2011 } 2013 list fragment-offset { 2014 key "start end"; 2015 leaf start { 2016 type uint16 { 2017 range "0..16383"; 2018 } 2019 description 2020 "Starting IPv4 fragment offset for a range match."; 2021 } 2022 leaf end { 2023 type uint16 { 2024 range "0..16383"; 2025 } 2026 must '. 
                   must '. >= ../start' {
                     error-message
                       "The end fragment offset MUST be equal or greater
                        than the start fragment offset.";
                   }
                   description
                     "Ending IPv4 fragment offset for a range match.";
                 }
                 description
                   "The security policy rule according to
                    IPv4 fragment offset.";
                 reference
                   "RFC 791: Internet Protocol - Fragment offset";
               }

               list ttl {
                 key "start end";
                 leaf start {
                   type uint8;
                   description
                     "Starting IPv4 TTL for a range match.";
                 }
                 leaf end {
                   type uint8;
                   must '. >= ../start' {
                     error-message
                       "The end TTL MUST be equal or greater than
                        the start TTL.";
                   }
                   description
                     "Ending IPv4 TTL for a range match.";
                 }
                 description
                   "The security policy rule according to
                    IPv4 time-to-live (TTL). If only one value is needed,
                    then set both start and end to the same value.";
                 reference
                   "RFC 791: Internet Protocol - Time to live";
               }

               leaf-list protocol {
                 type uint8;
                 description
                   "The security policy rule according to
                    IPv4 protocol header field.";
                 reference
                   "RFC 791: Internet Protocol - Protocol
                    IANA: Assigned Internet Protocol Numbers";
               }

               container source-address {
                 uses ipv4-address;
                 description
                   "The security policy rule according to
                    IPv4 source address.";
                 reference
                   "RFC 791: Internet Protocol - IPv4 Address";
               }

               container destination-address {
                 uses ipv4-address;
                 description
                   "The security policy rule according to
                    IPv4 destination address.";
                 reference
                   "RFC 791: Internet Protocol - IPv4 Address";
               }

               leaf-list ipopts {
                 type identityref {
                   base ipopts;
                 }
                 description
                   "The security policy rule according to
                    IPv4 options.";
                 reference
                   "RFC 791: Internet Protocol - Options";
               }
             }

             container ipv6 {
               description
                 "The purpose of this container is to represent
                  IPv6 packet header information to determine
                  if the set of policy actions in this ECA policy
                  rule should be executed or not.";
               reference
                 "RFC 8200: Internet Protocol, Version 6 (IPv6)
                  Specification";

               leaf description {
                 type string;
                 description
                   "This is description for ipv6 condition.";
               }
               leaf-list dscp {
                 type inet:dscp;
                 description
                   "The security policy rule according to
                    IPv6 traffic class for DSCP.";
                 reference
                   "RFC 8200: Internet Protocol, Version 6 (IPv6)
                    Specification - Traffic class
                    RFC 2474: Definition of the Differentiated
                    Services Field (DS Field) in the IPv4 and
                    IPv6 Headers.";
               }

               list flow-label {
                 key "start end";
                 leaf start {
                   type inet:ipv6-flow-label;
                   description
                     "Starting IPv6 flow label for a range match.";
                 }
                 leaf end {
                   type inet:ipv6-flow-label;
                   must '. >= ../start' {
                     error-message
                       "The end flow label MUST be equal or greater than
                        the start flow label.";
                   }
                   description
                     "Ending IPv6 flow label for a range match.";
                 }
                 description
                   "The security policy rule according to
                    IPv6 flow label. If only one value is needed,
                    then set both start and end to the same value.";
                 reference
                   "RFC 8200: Internet Protocol, Version 6 (IPv6)
                    Specification - Flow label";
               }

               list payload-length {
                 key "start end";
                 leaf start {
                   type uint16;
                   description
                     "Starting IPv6 payload length for a range match.";
                 }
                 leaf end {
                   type uint16;
                   must '. >= ../start' {
                     error-message
                       "The end payload length MUST be equal or greater
                        than the start payload length.";
                   }
                   description
                     "Ending IPv6 payload length for a range match.";
                 }
                 description
                   "The security policy rule according to
                    IPv6 payload length. If only one value is needed,
                    then set both start and end to the same value.";
                 reference
                   "RFC 8200: Internet Protocol, Version 6 (IPv6)
                    Specification - Payload length";
               }

               leaf-list next-header {
                 type uint8;
                 description
                   "The security policy rule according to
                    IPv6 next header.";
                 reference
                   "RFC 8200: Internet Protocol, Version 6 (IPv6)
                    Specification - Next header
                    IANA: Assigned Internet Protocol Numbers";
               }

               list hop-limit {
                 key "start end";
                 leaf start {
                   type uint8;
                   description
                     "Start IPv6 hop limit for a range match.";
                 }
                 leaf end {
                   type uint8;
                   must '. >= ../start' {
                     error-message
                       "The end hop limit MUST be equal or greater than
                        the start hop limit.";
                   }
                   description
                     "End IPv6 hop limit for a range match.";
                 }
                 description
                   "The security policy rule according to
                    IPv6 hop limit. If only one value is needed,
                    then set both start and end to the same value.";
                 reference
                   "RFC 8200: Internet Protocol, Version 6 (IPv6)
                    Specification - Hop limit";
               }

               container source-address {
                 uses ipv6-address;
                 description
                   "The security policy rule according to
                    IPv6 source address.";
                 reference
                   "RFC 8200: Internet Protocol, Version 6 (IPv6)
                    Specification - IPv6 address";
               }

               container destination-address {
                 uses ipv6-address;
                 description
                   "The security policy rule according to
                    IPv6 destination address.";
                 reference
                   "RFC 8200: Internet Protocol, Version 6 (IPv6)
                    Specification - IPv6 address";
               }
             }

             container tcp {
               description
                 "The purpose of this container is to represent
                  TCP packet header information to determine
                  if the set of policy actions in this ECA policy
                  rule should be executed or not.";
               reference
                 "draft-ietf-tcpm-rfc793bis-25: Transmission Control
                  Protocol (TCP) Specification";

               leaf description {
                 type string;
                 description
                   "This is description for tcp condition.";
               }

               list source-port-number {
                 key "start end";
                 uses port-range;
                 description
                   "The security policy rule according to
                    tcp source port number.";
                 reference
                   "draft-ietf-tcpm-rfc793bis-25: Transmission Control
                    Protocol (TCP) Specification - Port Number";
               }

               list destination-port-number {
                 key "start end";
                 uses port-range;
                 description
                   "The security policy rule according to
                    tcp destination port number.";
                 reference
                   "draft-ietf-tcpm-rfc793bis-25: Transmission Control
                    Protocol (TCP) Specification - Port Number";
               }

               leaf-list flags {
                 type identityref {
                   base tcp-flags;
                 }
                 description
                   "The security policy rule according to
                    tcp flags.";
                 reference
                   "draft-ietf-tcpm-rfc793bis-25: Transmission Control
                    Protocol (TCP) Specification - Flags";
               }
             }

             container udp {
               description
                 "The purpose of this container is to represent
                  UDP packet header information to determine
                  if the set of policy actions in this ECA policy
                  rule should be executed or not.";
               reference
                 "RFC 768: User Datagram Protocol";

               leaf description {
                 type string;
                 description
                   "This is description for udp condition.";
               }

               container source-port-number {
                 uses port-range;
                 description
                   "The security policy rule according to
                    udp source port number.";
                 reference
                   "RFC 768: User Datagram Protocol - Port Number";
               }

               container destination-port-number {
                 uses port-range;
                 description
                   "The security policy rule according to
                    udp destination port number.";
                 reference
                   "RFC 768: User Datagram Protocol - Port Number";
               }

               list total-length {
                 key "start end";
                 leaf start {
                   type uint32;
                   description
                     "Start udp total length for a range match.";
                 }
                 leaf end {
                   type uint32;
                   must '. >= ../start' {
                     error-message
                       "The end total length MUST be equal or greater
                        than the start total length.";
                   }
                   description
                     "End udp total length for a range match.";
                 }
                 description
                   "The security policy rule according to
                    udp total length. If only one value is needed,
                    then set both start and end to the same value.";
                 reference
                   "RFC 768: User Datagram Protocol - Total Length";
               }
             }

             container sctp {
               description
                 "The purpose of this container is to represent
                  SCTP packet header information to determine
                  if the set of policy actions in this ECA policy
                  rule should be executed or not.";

               leaf description {
                 type string;
                 description
                   "This is description for sctp condition.";
               }

               container source-port-number {
                 uses port-range;
                 description
                   "The security policy rule according to
                    sctp source port number.";
                 reference
                   "RFC 4960: Stream Control Transmission Protocol
                    - Port number";
               }

               container destination-port-number {
                 uses port-range;
                 description
                   "The security policy rule according to
                    sctp destination port number.";
                 reference
                   "RFC 4960: Stream Control Transmission Protocol
                    - Port Number";
               }

               leaf-list verification-tag {
                 type uint32;
                 description
                   "The security policy rule according to
                    sctp verification tag.";
                 reference
                   "RFC 4960: Stream Control Transmission Protocol
                    - Verification Tag";
               }

               leaf-list chunk-type {
                 type uint8;
                 description
                   "The security policy rule according to
                    sctp chunk type ID Value.";
                 reference
                   "RFC 4960: Stream Control Transmission Protocol
                    - Chunk Type";
               }
             }
             container dccp {
               description
                 "The purpose of this container is to represent
                  DCCP packet header information to determine
                  if the set of policy actions in this ECA policy
                  rule should be executed or not.";
               leaf description {
                 type string;
                 description
                   "This is description for dccp condition.";
               }

               container source-port-number {
                 uses port-range;
                 description
                   "The security policy rule according to
                    dccp source port number.";
                 reference
                   "RFC 4340: Datagram Congestion Control Protocol (DCCP)
                    - Port number";
               }

               container destination-port-number {
                 uses port-range;
                 description
                   "The security policy rule according to
                    dccp destination port number.";
                 reference
                   "RFC 4340: Datagram Congestion Control Protocol (DCCP)
                    - Port number";
               }

               leaf-list service-code {
                 type uint32;
                 description
                   "The security policy rule according to
                    dccp service code.";
                 reference
                   "RFC 4340: Datagram Congestion Control Protocol (DCCP)
                    - Service Codes
                    RFC 5595: The Datagram Congestion Control Protocol
                    (DCCP) Service Codes
                    RFC 6335: Internet Assigned Numbers Authority (IANA)
                    Procedures for the Management of the Service
                    Name and Transport Protocol Port Number
                    Registry - Service Code";
               }
             }
             list icmp {
               key "version";
               description
                 "The purpose of this list is to represent
                  ICMP packet header information to determine
                  if the set of policy actions in this ECA policy
                  rule should be executed or not.";
               reference
                 "RFC 792: Internet Control Message Protocol
                  RFC 8335: PROBE: A Utility for Probing Interfaces";

               leaf description {
                 type string;
                 description
                   "This is description for icmp condition.";
               }

               leaf version {
                 type enumeration {
                   enum icmpv4 {
                     value "1";
                     description
                       "The ICMPv4 Protocol as defined in RFC 792";
                   }
                   enum icmpv6 {
                     value "2";
                     description
                       "The ICMPv6 Protocol as defined in RFC 4443";
                   }
                 }
                 description
                   "The ICMP version to be matched. This value
                    affects the type and code values.";
                 reference
                   "RFC 792: Internet Control Message Protocol
                    RFC 4443: Internet Control Message Protocol (ICMPv6)
                    for the Internet Protocol Version 6 (IPv6)
                    Specification";
               }

               leaf-list type {
                 type uint8;
                 description
                   "The security policy rule according to
                    ICMPv4 or ICMPv6 type header field.

                    The value of this leaf-list is affected by
                    the value of the leaf version.

                    If the version value is icmpv4, the type follows
                    the IANA ICMP Parameters.

                    If the version value is icmpv6, the type follows
                    the IANA ICMPv6 Parameters.";
                 reference
                   "RFC 792: Internet Control Message Protocol
                    RFC 4443: Internet Control Message Protocol (ICMPv6)
                    for the Internet Protocol Version 6 (IPv6)
                    Specification
                    RFC 8335: PROBE: A Utility for Probing Interfaces
                    IANA: Internet Control Message Protocol (ICMP)
                    Parameters
                    IANA: Internet Control Message Protocol version 6
                    (ICMPv6) Parameters";
               }

               leaf-list code {
                 type uint8;
                 description
                   "The security policy rule according to
                    ICMPv4 or ICMPv6 code header field.

                    The value of this leaf-list is affected by
                    the value of the leaf version.

                    If the version value is icmpv4, the code follows
                    the IANA ICMP parameters.

                    If the version value is icmpv6, the code follows
                    the IANA ICMPv6 parameters.";
                 reference
                   "RFC 792: Internet Control Message Protocol
                    RFC 4443: Internet Control Message Protocol (ICMPv6)
                    for the Internet Protocol Version 6 (IPv6)
                    Specification
                    RFC 8335: PROBE: A Utility for Probing Interfaces
                    IANA: Internet Control Message Protocol (ICMP)
                    Parameters
                    IANA: Internet Control Message Protocol version 6
                    (ICMPv6) Parameters";
               }
             }

             container url-category {
               description
                 "Condition for url category";
               leaf description {
                 type string;
                 description
                   "This is description for the condition of a URL's
                    category such as SNS sites, game sites, ecommerce
                    sites, company sites, and university sites.";
               }

               leaf-list pre-defined-category {
                 type string;
                 description
                   "This is pre-defined-category.";
               }
               leaf-list user-defined-category {
                 type string;
                 description
                   "This is user-defined-category.";
               }
             }

             container voice {
               description
                 "For the VoIP/VoLTE security system, a VoIP/
                  VoLTE security system can monitor each
                  VoIP/VoLTE flow and manage VoIP/VoLTE
                  security rules controlled by a centralized
                  server for VoIP/VoLTE security service
                  (called VoIP IPS). The VoIP/VoLTE security
                  system controls each switch for the
                  VoIP/VoLTE call flow management by
                  manipulating the rules that can be added,
                  deleted, or modified dynamically.";
               reference
                 "RFC 3261: SIP: Session Initiation Protocol";

               leaf description {
                 type string;
                 description
                   "This is description for voice condition.";
               }

               leaf-list source-voice-id {
                 type string;
                 description
                   "The security policy rule according to
                    a source voice ID for VoIP and VoLTE.";
               }

               leaf-list destination-voice-id {
                 type string;
                 description
                   "The security policy rule according to
                    a destination voice ID for VoIP and VoLTE.";
               }

               leaf-list user-agent {
                 type string;
                 description
                   "The security policy rule according to
                    a user agent for VoIP and VoLTE.";
               }
             }

             container ddos {
               description
                 "Condition for DDoS attack.";

               leaf description {
                 type string;
                 description
                   "This is description for ddos condition.";
               }

               leaf alert-packet-rate {
                 type uint32;
                 units "pps";
                 description
                   "The alert rate of flood detection for
                    packets per second (PPS) of an IP address.";
               }

               leaf alert-flow-rate {
                 type uint32;
                 description
                   "The alert rate of flood detection for
                    flows per second of an IP address.";
               }

               leaf alert-byte-rate {
                 type uint32;
                 units "BPS";
                 description
                   "The alert rate of flood detection for
                    bytes per second of an IP address.";
               }
             }
             container anti-virus {
               description
                 "Condition for antivirus";

               leaf-list profile {
                 type string;
                 description
                   "The security profile for antivirus. This is used to
                    update the security profile for improving the
                    security. The security profile is used to scan
                    the viruses.";
               }

               leaf-list exception-files {
                 type string;
                 description
                   "The type or name of the files to be excluded by the
                    anti-virus. This can be used to keep the known
                    harmless files.";
               }
             }

             container payload {
               description
                 "Condition for packet payload";
               leaf packet-payload-description {
                 type string;
                 description
                   "This is description for payload condition.";
               }
               leaf-list payload-content {
                 type string;
                 description
                   "This is a condition for packet payload content.";
               }
             }

             container context {
               description
                 "Condition for context";
               leaf context-description {
                 type string;
                 description
                   "This is description for context condition.";
               }

               container application {
                 description
                   "Condition for application";
                 leaf description {
                   type string;
                   description
                     "This is description for application condition.";
                 }
                 leaf-list object {
                   type string;
                   description
                     "This is application object.";
                 }
                 leaf-list group {
                   type string;
                   description
                     "This is application group.";
                 }
                 leaf-list label {
                   type string;
                   description
                     "This is application label.";
                 }
                 container category {
                   description
                     "This is application category";
                   list application-category {
                     key "name subcategory";
                     description
                       "This is application category list";

                     leaf name {
                       type string;
                       description
                         "This is name for application category.";
                     }
                     leaf subcategory {
                       type string;
                       description
                         "This is application subcategory.";
                     }
                   }
                 }
               }

               container target {
                 description
                   "Condition for target";
                 leaf description {
                   type string;
                   description
                     "This is description for target condition.
                      Vendors can write instructions for a target
                      condition that the vendor made.";
                 }

                 leaf-list device {
                   type identityref {
                     base target-device;
                   }
                   description
                     "The device attribute that can identify a device,
                      including the device type (i.e., router, switch,
                      pc, ios, or android) and the device's owner as
                      well.";
                 }
               }

               container users {
                 description
                   "Condition for users";
                 leaf users-description {
                   type string;
                   description
                     "This is the description for users' condition.";
                 }
                 list user {
                   key "user-id";
                   description
                     "The user with which the traffic flow is associated
                      can be identified by either a user id or user name.
                      The user-to-IP address mapping is assumed to be
                      provided by the unified user management system via
                      network.";
                   leaf user-id {
                     type uint32;
                     description
                       "The ID of the user.";
                   }
                   leaf user-name {
                     type string;
                     description
                       "The name of the user.";
                   }
                 }
                 list group {
                   key "group-id";
                   description
                     "The user group with which the traffic flow is
                      associated can be identified by either a group id
                      or group name. The group-to-IP address and
                      user-to-group mappings are assumed to be provided by
                      the unified user management system via network.";
                   leaf group-id {
                     type uint32;
                     description
                       "The ID of the group.";
                   }
                   leaf group-name {
                     type string;
                     description
                       "The name of the group.";
                   }
                 }

                 leaf security-group {
                   type string;
                   description
                     "security-group.";
                 }
               }

               container geography-location {
                 description
                   "The location which network traffic flow is associated
                    with. The region can be the geographical location
                    such as country, province, and city,
                    as well as the logical network location such as
                    IP address, network section, and network domain.";

                 leaf description {
                   type string;
                   description
                     "This is description for geography location
                      condition. Vendors can write instructions for a
                      geography location condition that the vendor made.";
                 }

                 leaf-list source {
                   type string;
                   description
                     "The src-geography-location is a geographical
                      location mapped into an IP address. It matches the
                      mapped IP address to the source IP address of the
                      traffic flow.";
                   reference
                     "ISO 3166: Codes for the representation of
                      names of countries and their subdivisions";
                 }

                 leaf-list destination {
                   type string;
                   description
                     "The dest-geography-location is a geographical
                      location mapped into an IP address. It matches the
                      mapped IP address to the destination IP address of
                      the traffic flow.";
                   reference
                     "ISO 3166: Codes for the representation of
                      names of countries and their subdivisions";
                 }
               }
             }
           }

           container action {
             description
               "An action is used to control and monitor aspects of
                flow-based NSFs when the event and condition clauses
                are satisfied. NSFs provide security functions by
                executing various Actions. Examples of I2NSF Actions
                include providing intrusion detection and/or protection,
                web and flow filtering, and deep packet inspection
                for packets and flows.";
             reference
               "RFC 8329: Framework for Interface to Network Security
                Functions - I2NSF Flow Security Policy Structure
                draft-ietf-i2nsf-capability-data-model-21:
                I2NSF Capability YANG Data Model - Design Principles and
                ECA Policy Model Overview";

             leaf action-clause-description {
               type string;
               description
                 "Description for an action clause.";
             }

             container packet-action {
               description
                 "Action for packets";
               reference
                 "RFC 8329: Framework for Interface to Network Security
                  Functions - I2NSF Flow Security Policy Structure
                  draft-ietf-i2nsf-capability-data-model-21:
                  I2NSF Capability YANG Data Model - Design Principles and
                  ECA Policy Model Overview";

               leaf ingress-action {
                 type identityref {
                   base ingress-action;
                 }
                 description
                   "Ingress Action: pass, drop, rate-limit, and
                    mirror.";
               }

               leaf egress-action {
                 type identityref {
                   base egress-action;
                 }
                 description
                   "Egress action: pass, drop, rate-limit, mirror,
                    invoke-signaling, tunnel-encapsulation, forwarding,
                    and redirection.";
               }

               leaf log-action {
                 type identityref {
                   base log-action;
                 }
                 description
                   "Log action: rule log and session log";
               }
             }

             container flow-action {
               description
                 "Action for flows";
               reference
                 "RFC 8329: Framework for Interface to Network Security
                  Functions - I2NSF Flow Security Policy Structure
                  draft-ietf-i2nsf-capability-data-model-21:
                  I2NSF Capability YANG Data Model - Design Principles and
                  ECA Policy Model Overview";

               leaf ingress-action {
                 type identityref {
                   base ingress-action;
                 }
                 description
                   "Ingress action: pass, drop, rate-limit, and mirror.";
               }

               leaf egress-action {
                 type identityref {
                   base egress-action;
                 }
                 description
                   "Egress action: pass, drop, rate-limit, mirror,
                    invoke-signaling, tunnel-encapsulation, forwarding,
                    and redirection.";
               }

               leaf log-action {
                 type identityref {
                   base log-action;
                 }
                 description
                   "Log action: rule log and session log";
               }
             }

             container advanced-action {
               description
                 "If the packet needs to be additionally inspected,
                  the packet is passed to advanced network
                  security functions according to the profile.
                  The profile means the types of NSFs where the packet
                  will be forwarded in order to additionally
                  inspect the packet.
                  The advanced action activates Service Function
                  Chaining (SFC) for further inspection of a packet.";
               reference
                 "draft-ietf-i2nsf-capability-data-model-21:
                  I2NSF Capability YANG Data Model - YANG Tree
                  Diagram";

               leaf-list content-security-control {
                 type identityref {
                   base content-security-control;
                 }
                 description
                   "Content-security-control is the NSFs that
                    inspect the payload of the packet.
                    The profile for the types of NSFs for mitigation is
                    divided into content security control and
                    attack-mitigation-control.
                    Content security control: ips, url filtering,
                    anti-virus, and voip-volte-filter. This can be
                    extended according to the provided NSFs.";
                 reference
                   "draft-ietf-i2nsf-capability-data-model-21:
                    I2NSF Capability YANG Data Model - YANG Tree Diagram";
               }

               leaf-list attack-mitigation-control {
                 type identityref {
                   base attack-mitigation-control;
                 }
                 description
                   "Attack-mitigation-control is the NSFs that weaken
                    the attacks related to a denial of service
                    and reconnaissance.
                    The profile for the types of NSFs for mitigation is
                    divided into content security control and
                    attack-mitigation-control.
                    Attack mitigation control: Anti-DDoS or DDoS
                    mitigator. This can be extended according to the
                    provided NSFs such as mitigators for ip sweep,
                    port scanning, ping of death, teardrop, oversized
                    icmp, and tracert.";
                 reference
                   "draft-ietf-i2nsf-capability-data-model-21:
                    I2NSF Capability YANG Data Model - YANG Tree Diagram";
               }
             }
           }
         }
         container rule-group {
           description
             "This is rule group";

           list groups {
             key "group-name";
             description
               "This is a group for rules";

             leaf group-name {
               type string;
               description
                 "This is a group for rules";
             }

             leaf-list rule-name {
               type leafref {
                 path
                   "../../../rules/rule-name";
               }
               description
                 "The names of the rules to be grouped.";
             }

             leaf enable {
               type boolean;
               description
                 "True is enabled, and False is not enabled.";
             }

             leaf description {
               type string;
               description
                 "This is a description for rule-group";
             }
           }
         }
       }
     }

          Figure 5: YANG Data Module of I2NSF NSF-Facing-Interface

5.  XML Configuration Examples of Low-Level Security Policy Rules

   This section shows XML configuration examples of low-level security
   policy rules that are delivered from the Security Controller to NSFs
   over the NSF-Facing Interface.  For security requirements, we assume
   that the NSFs (i.e., General firewall, Time-based firewall, URL
   filter, VoIP/VoLTE filter, and http and https flood mitigation)
   described in Appendix A of [I-D.ietf-i2nsf-capability-data-model] are
   registered with the I2NSF framework.
   With the registered NSFs, we show configuration examples for security
   policy rules of network security functions according to the following
   three security requirements: (i) Block Social Networking Service
   (SNS) access during business hours, (ii) Block malicious VoIP/VoLTE
   packets coming to the company, and (iii) Mitigate http and https
   flood attacks on the company web server.

5.1.  Security Requirement 1: Block Social Networking Service (SNS)
      Access during Business Hours

   This section shows a configuration example for blocking SNS access
   during business hours in IPv4 networks or IPv6 networks.

   [XML configuration; the element tags were lost in extraction and
   only these values survive: sns_access,
   block_sns_access_during_operation_time, weekly, 192.0.2.11,
   192.0.2.90, url-filtering]

      Figure 6: Configuration XML for Time-based Firewall to Block SNS
                Access during Business Hours in IPv4 Networks

   [XML configuration; the element tags were lost in extraction and
   only these values survive: sns_access,
   block_sns_access_during_operation_time, weekly, 2001:DB8:0:1::11,
   2001:DB8:0:1::90, url-filtering]

      Figure 7: Configuration XML for Time-based Firewall to Block SNS
                Access during Business Hours in IPv6 Networks

   [XML configuration; the element tags were lost in extraction and
   only these values survive: sns_access,
   block_sns_access_during_operation_time, SNS_1, SNS_2, drop]

        Figure 8: Configuration XML for Web Filter to Block SNS Access
                  during Business Hours

   Figure 6 (or Figure 7) and Figure 8 show the configuration XML
   documents for a time-based firewall and a web filter to block SNS
   access during business hours in IPv4 networks (or IPv6 networks).
   For this security requirement, two NSFs (i.e., a time-based firewall
   and a web filter) were used because one NSF cannot meet the security
   requirement.
   The instances of the XML documents for the time-based firewall and
   the web filter are as follows.  Note that a detailed data model for
   the configuration of the advanced network security function (i.e.,
   web filter) can be defined as an extension in the future.

   Time-based Firewall is as follows:

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_sns_access_during_operation_time.

   3.  The rule is started from 2021-03-11 at 9 a.m. to 2021-12-31 at 6
       p.m.

   4.  The rule is operated weekly every weekday (i.e., Monday, Tuesday,
       Wednesday, Thursday, and Friday) during the business hours (i.e.,
       from 9 a.m. to 6 p.m.).

   5.  The rule inspects a source IPv4 address (i.e., from 192.0.2.11 to
       192.0.2.90) to inspect the outgoing packets of employees.  For
       the case of IPv6 networks, the rule inspects a source IPv6
       address (i.e., from 2001:DB8:0:1::11 to 2001:DB8:0:1::90) to
       inspect the outgoing packets of employees.

   6.  If the outgoing packets match the rules above, the time-based
       firewall sends the packets to url filtering for additional
       inspection because the time-based firewall cannot inspect the
       contents of the packets for the SNS URL.

   Web Filter is as follows:

   1.  The name of the system policy is sns_access.

   2.  The name of the rule is block_SNS_1_and_SNS_2.

   3.  The rule inspects the URL address to block the access packets to
       SNS_1 or SNS_2.

   4.  If the outgoing packets match the rules above, the packets are
       blocked.

5.2.  Security Requirement 2: Block Malicious VoIP/VoLTE Packets Coming
      to a Company

   This section shows a configuration example for blocking malicious
   VoIP/VoLTE packets coming to a company.
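   The two-rule chain of Section 5.1 above, worked through as an added
   Python example that is not code from this draft or from any I2NSF
   implementation.  It models what an NSF does with such a rule once it
   has arrived over the NSF-Facing Interface: a config-time check of
   every start/end range against the module's `must '. >= ../start'`
   constraint (the same constraint the module attaches to TTL, hop
   limit, port number and address ranges, so the check generalizes
   beyond the source-address range used here), then an event/condition
   evaluation that hands matching packets to url-filtering, where the
   web-filter rule decides.  The dictionary keys are my shorthand for
   the module's nodes; the `time` block and its keys stand in for the
   event-clause leaves paraphrased in the list above and are assumed,
   as are the packet fields `src`, `dport` and `url-category`.  The two
   rules are constructed to mirror Figures 6 and 8.

```python
import ipaddress
from datetime import datetime, time

# Constructed rules mirroring Figures 6 and 8 (added example, not the draft's
# XML).  Dict keys are shorthand for the module's nodes; the "time" block and
# its key names stand in for the event-clause leaves and are assumed.
TIME_FIREWALL_RULE = {
    "rule-name": "block_sns_access_during_operation_time",
    "time": {
        "start": datetime(2021, 3, 11, 9, 0),
        "end": datetime(2021, 12, 31, 18, 0),
        "frequency": "weekly",
        "days": {0, 1, 2, 3, 4},              # Monday..Friday as datetime.weekday()
        "hours": (time(9, 0), time(18, 0)),  # business hours
    },
    "condition": {
        # ipv4/source-address range covering the employee hosts
        "source-address": ("192.0.2.11", "192.0.2.90"),
    },
    "action": {"advanced-action": {"content-security-control": ["url-filtering"]}},
}

WEB_FILTER_RULE = {
    "rule-name": "block_sns_access_during_operation_time",
    "condition": {"url-category": {"user-defined-category": ["SNS_1", "SNS_2"]}},
    "action": {"packet-action": {"ingress-action": "drop"}},
}


def range_error(start, end, what):
    """Every range 'end' leaf in the module carries must '. >= ../start', and a
    single value is written as start == end.  Returns the error text a NETCONF
    server would report for a bad range, or None when the range is valid."""
    if end < start:
        return f"The end {what} MUST be equal or greater than the start {what}."
    return None


def validate_rule(rule):
    """Config-time check of a rule's ranges; an empty list means the rule is valid."""
    errors = []
    cond = rule["condition"]
    if "source-address" in cond:
        s, e = (ipaddress.ip_address(x) for x in cond["source-address"])
        errors.append(range_error(int(s), int(e), "address"))
    for key in ("source-port-number", "destination-port-number"):
        for s, e in cond.get(key, []):
            errors.append(range_error(s, e, "port number"))
    return [m for m in errors if m]


def address_in_range(addr, start, end):
    """Inclusive address range match; an IPv4 range never matches IPv6 traffic."""
    a, s, e = (ipaddress.ip_address(x) for x in (addr, start, end))
    if not a.version == s.version == e.version:
        return False
    return int(s) <= int(a) <= int(e)


def time_matches(tspec, now):
    """Validity window, weekly day set and daily business hours must all hold."""
    if not tspec["start"] <= now <= tspec["end"]:
        return False
    if tspec["frequency"] == "weekly" and now.weekday() not in tspec["days"]:
        return False
    lo, hi = tspec["hours"]
    return lo <= now.time() <= hi


def evaluate(rule, packet, now=None):
    """Return the rule's action clause when event and condition match, else None."""
    tspec = rule.get("time")
    if tspec and not time_matches(tspec, now):
        return None
    cond = rule["condition"]
    if "source-address" in cond and not address_in_range(
            packet["src"], *cond["source-address"]):
        return None
    if "destination-port-number" in cond and not any(
            s <= packet.get("dport", -1) <= e for s, e in cond["destination-port-number"]):
        return None
    if "url-category" in cond and packet.get("url-category") not in (
            cond["url-category"]["user-defined-category"]):
        return None
    return rule["action"]


def apply_chain(packet, now):
    """Security requirement 1 as a chain: the time-based firewall runs first and,
    only when its advanced action names url-filtering, the web filter decides.
    'now' may be a datetime or an ISO 8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    action = evaluate(TIME_FIREWALL_RULE, packet, now)
    if action is None:
        return "pass"
    if "url-filtering" in action["advanced-action"]["content-security-control"]:
        decision = evaluate(WEB_FILTER_RULE, packet, now)
        if decision is not None:
            return decision["packet-action"]["ingress-action"]
    return "pass"
```

   A rule whose range is reversed is rejected by validate_rule() before
   it is installed, which is the behaviour the module's must statements
   require of a NETCONF server; a weekend or after-hours packet, or one
   from outside the employee range, is passed without ever reaching the
   web filter, and only an in-window employee packet classified as SNS_1
   or SNS_2 is dropped.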
   [XML configuration; the element tags were lost in extraction and
   only these values survive: voip_volte_inspection,
   block_malicious_voice_id, 192.0.2.11, 192.0.2.90, 5060, 5061,
   voip-volte-filter]

       Figure 9: Configuration XML for General Firewall to Block
            Malicious VoIP/VoLTE Packets Coming to a Company

   [XML configuration; the element tags were lost in extraction and
   only these values survive: voip_volte_inspection,
   block_malicious_voice_id, user1@voip.malicious.example.com,
   user2@voip.malicious.example.com, drop]

      Figure 10: Configuration XML for VoIP/VoLTE Filter to Block
            Malicious VoIP/VoLTE Packets Coming to a Company

   Figure 9 and Figure 10 show the configuration XML documents for a
   general firewall and a VoIP/VoLTE filter to block malicious VoIP/
   VoLTE packets coming to a company.  For this security requirement,
   two NSFs (i.e., a general firewall and a VoIP/VoLTE filter) were used
   because one NSF cannot meet the security requirement.  The instances
   of the XML documents for the general firewall and the VoIP/VoLTE
   filter are as follows.  Note that a detailed data model for the
   configuration of the advanced network security function (i.e., VoIP/
   VoLTE filter) can be described as an extension in the future.

   General Firewall is as follows:

   1.  The name of the system policy is voip_volte_inspection.

   2.  The name of the rule is block_malicious_voip_volte_packets.

   3.  The rule inspects a destination IPv4 address (i.e., from
       192.0.2.11 to 192.0.2.90) to inspect the packets coming into the
       company.

   4.  The rule inspects a port number (i.e., 5060 and 5061) to inspect
       VoIP/VoLTE packets.

   5.  If the incoming packets match the rules above, the general
       firewall sends the packets to the VoIP/VoLTE filter for
       additional inspection because the general firewall cannot inspect
       the contents of the VoIP/VoLTE packets.
   VoIP/VoLTE Filter is as follows:

   1.  The name of the system policy is malicious_voice_id.

   2.  The name of the rule is block_malicious_voice_id.

   3.  The rule inspects the voice id of the VoIP/VoLTE packets to block
       the malicious VoIP/VoLTE packets (i.e.,
       user1@voip.malicious.example.com and
       user2@voip.malicious.example.com).

   4.  If the incoming packets match the rules above, the packets are
       blocked.

5.3.  Security Requirement 3: Mitigate HTTP and HTTPS Flood Attacks on a
      Company Web Server

   This section shows a configuration example for mitigating http and
   https flood attacks on a company web server.

   [XML configuration; the element tags were lost in extraction and
   only these values survive: flood_attack_mitigation,
   mitigate_http_and_https_flood_attack, 192.0.2.11, 192.0.2.11, 80, 80,
   443, 443, anti-ddos]

      Figure 11: Configuration XML for General Firewall to Mitigate
          HTTP and HTTPS Flood Attacks on a Company Web Server

   [XML configuration; the element tags were lost in extraction and
   only these values survive: flood_attack_mitigation,
   mitigate_http_and_https_flood_attack, 1000, drop]

      Figure 12: Configuration XML for Anti-DDoS to Mitigate HTTP and
             HTTPS Flood Attacks on a Company Web Server

   Figure 11 and Figure 12 show the configuration XML documents for a
   general firewall and an http and https flood attack mitigation to
   mitigate http and https flood attacks on a company web server.  For
   this security requirement, two NSFs (i.e., a general firewall and an
   http and https flood attack mitigation) were used because one NSF
   cannot meet the security requirement.
The instances of XML documents 3416 for the general firewall and http and https flood attack mitigation 3417 are as follows: Note that a detailed data model for the configuration 3418 of the advanced network security function (i.e., http and https flood 3419 attack mitigation) can be defined as an extension in future. 3421 General Firewall is as follows: 3423 1. The name of the system policy is flood_attack_mitigation. 3425 2. The name of the rule is mitigate_http_and_https_flood_attack. 3427 3. The rule inspects a destination IPv4 address (i.e., 192.0.2.11) 3428 to inspect the access packets coming into the company web server. 3430 4. The rule inspects a port number (i.e., 80 and 443) to inspect 3431 http and https packet. 3433 5. If the packets match the rules above, the general firewall sends 3434 the packets to anti-DDoS for additional inspection because the 3435 general firewall can not control the amount of packets for http 3436 and https packets. 3438 Anti DDoS for HTTP and HTTPS Flood Attack Mitigation is as follows: 3440 1. The name of the system policy is flood_attack_mitigation. 3442 2. The name of the rule is mitigate_http_and_https_flood_attack. 3444 3. The rule controls the http and https packets according to the 3445 amount of incoming packets (1000 packets per second). 3447 4. If the incoming packets match the rules above, the packets are 3448 blocked. 3450 6. IANA Considerations 3452 This document requests IANA to register the following URI in the 3453 "IETF XML Registry" [RFC3688]: 3455 URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf 3456 Registrant Contact: The IESG. 3457 XML: N/A; the requested URI is an XML namespace. 3459 This document requests IANA to register the following YANG module in 3460 the "YANG Module Names" registry [RFC7950][RFC8525]: 3462 name: ietf-i2nsf-policy-rule-for-nsf 3463 namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf 3464 prefix: nsfintf 3465 reference: RFC XXXX 3467 7. 
7. Security Considerations

The YANG module specified in this document defines a data schema designed to be accessed through network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the required secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the required secure transport is TLS [RFC8446].

The NETCONF access control model [RFC8341] provides a means of restricting access for specific NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.

There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) to these data nodes without proper protection can have a negative effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability:

* ietf-i2nsf-policy-rule-for-nsf: Writing to almost any element of this YANG module would directly impact the configuration of NSFs, e.g., completely turning off security monitoring and mitigation capabilities; altering the scope of this monitoring and mitigation; creating an overwhelming logging volume that overwhelms downstream analytics or storage capacity; creating logging patterns which are confusing; or rendering useless trained statistics or artificial intelligence models.

Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes.
These are the subtrees and data nodes and their sensitivity/vulnerability:

* ietf-i2nsf-policy-rule-for-nsf: An attacker may gather the security policy information of any target NSFs and misuse that security policy information for subsequent attacks.

Policy rules identifying specified users and user groups can be specified with "rules/condition/context/users". As with other data in this YANG module, this user information is provided by the Security Controller to the NSFs and is protected via the transport and access control mechanisms described above.

8. Acknowledgments

This work was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning). This work was supported in part by the IITP (2020-0-00395, Standard Development of Blockchain based Network Management Automation Technology).

9. Contributors

This document is made by the group effort of the I2NSF working group. Many people actively contributed to this document, such as Acee Lindem and Roman Danyliw. The authors sincerely appreciate their contributions.
The following are co-authors of this document:

Patrick Lingga
Department of Electrical and Computer Engineering
Sungkyunkwan University
2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419
Republic of Korea
EMail: patricklink@skku.edu

Hyoungshick Kim
Department of Computer Science and Engineering
Sungkyunkwan University
2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419
Republic of Korea
EMail: hyoung@skku.edu

Daeyoung Hyun
Department of Computer Science and Engineering
Sungkyunkwan University
2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419
Republic of Korea
EMail: dyhyun@skku.edu

Dongjin Hong
Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University
2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419
Republic of Korea
EMail: dong.jin@skku.edu

Liang Xia
Huawei
101 Software Avenue
Nanjing, Jiangsu 210012
China
EMail: Frank.Xialiang@huawei.com

Tae-Jin Ahn
Korea Telecom
70 Yuseong-Ro, Yuseong-Gu
Daejeon, 305-811
Republic of Korea
EMail: taejin.ahn@kt.com

Se-Hui Lee
Korea Telecom
70 Yuseong-Ro, Yuseong-Gu
Daejeon, 305-811
Republic of Korea
EMail: sehuilee@kt.com

10. References

10.1. Normative References

[RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768, DOI 10.17487/RFC0768, August 1980.

[RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791, DOI 10.17487/RFC0791, September 1981.

[RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, DOI 10.17487/RFC0792, September 1981.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC2474]  Nichols, K., Blake, S., Baker, F., and D. Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, DOI 10.17487/RFC2474, December 1998.
[RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002.

[RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004.

[RFC4340]  Kohler, E., Handley, M., and S. Floyd, "Datagram Congestion Control Protocol (DCCP)", RFC 4340, DOI 10.17487/RFC4340, March 2006.

[RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", STD 89, RFC 4443, DOI 10.17487/RFC4443, March 2006.

[RFC4960]  Stewart, R., Ed., "Stream Control Transmission Protocol", RFC 4960, DOI 10.17487/RFC4960, September 2007.

[RFC5595]  Fairhurst, G., "The Datagram Congestion Control Protocol (DCCP) Service Codes", RFC 5595, DOI 10.17487/RFC5595, September 2009.

[RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010.

[RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

[RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

[RFC6335]  Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S. Cheshire, "Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry", BCP 165, RFC 6335, DOI 10.17487/RFC6335, August 2011.

[RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013.
[RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016.

[RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

[RFC8075]  Castellani, A., Loreto, S., Rahman, A., Fossati, T., and E. Dijk, "Guidelines for Mapping Implementations: HTTP to the Constrained Application Protocol (CoAP)", RFC 8075, DOI 10.17487/RFC8075, February 2017.

[RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

[RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", STD 86, RFC 8200, DOI 10.17487/RFC8200, July 2017.

[RFC8335]  Bonica, R., Thomas, R., Linkova, J., Lenart, C., and M. Boucadair, "PROBE: A Utility for Probing Interfaces", RFC 8335, DOI 10.17487/RFC8335, February 2018.

[RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

[RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration Access Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, March 2018.

[RFC8344]  Bjorklund, M., "A YANG Data Model for IP Management", RFC 8344, DOI 10.17487/RFC8344, March 2018.

[RFC8407]  Bierman, A., "Guidelines for Authors and Reviewers of Documents Containing YANG Data Models", BCP 216, RFC 8407, DOI 10.17487/RFC8407, October 2018.

[RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

[RFC8525]  Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., and R. Wilton, "YANG Library", RFC 8525, DOI 10.17487/RFC8525, March 2019.

[I-D.ietf-tcpm-rfc793bis]  Eddy, W. M., "Transmission Control Protocol (TCP) Specification", Work in Progress, Internet-Draft, draft-ietf-tcpm-rfc793bis-25, 7 September 2021.

[I-D.ietf-i2nsf-capability-data-model]  Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin, "I2NSF Capability YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-capability-data-model-21, 13 November 2021.

[I-D.ietf-i2nsf-nsf-monitoring-data-model]  Jeong, J., Lingga, P., Hares, S., Xia, L., and H. Birkholz, "I2NSF NSF Monitoring Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-nsf-monitoring-data-model-11, 15 October 2021.

10.2. Informative References

[RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

[I-D.ietf-i2nsf-consumer-facing-interface-dm]  Jeong, J., Chung, C., Ahn, T., Kumar, R., and S. Hares, "I2NSF Consumer-Facing Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-consumer-facing-interface-dm-15, 15 September 2021.

[ISO-Country-Codes]  "Codes for the representation of names of countries and their subdivisions", ISO 3166, September 2018.

[IANA-Protocol-Numbers]  Internet Assigned Numbers Authority (IANA), "Assigned Internet Protocol Numbers", September 2020.

[IANA-ICMP-Parameters]  Internet Assigned Numbers Authority (IANA), "Internet Control Message Protocol (ICMP) Parameters", February 2021.

[IANA-ICMPv6-Parameters]  Internet Assigned Numbers Authority (IANA), "Internet Control Message Protocol version 6 (ICMPv6) Parameters", February 2021.

[IEEE-802.3]  Institute of Electrical and Electronics Engineers, "IEEE Standard for Ethernet", 2018.
Authors' Addresses

Jinyong (Tim) Kim (editor)
Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon
Gyeonggi-Do
16419
Republic of Korea

Phone: +82 10 8273 0930
Email: timkim@skku.edu

Jaehoon (Paul) Jeong (editor)
Department of Computer Science and Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon
Gyeonggi-Do
16419
Republic of Korea

Phone: +82 31 299 4957
Email: pauljeong@skku.edu
URI: http://iotlab.skku.edu/people-jaehoon-jeong.php

Jung-Soo Park
Electronics and Telecommunications Research Institute
218 Gajeong-Ro, Yuseong-Gu
Daejeon
34129
Republic of Korea

Phone: +82 42 860 6514
Email: pjs@etri.re.kr

Susan Hares
Huawei
7453 Hickory Hill
Saline, MI 48176
United States of America

Phone: +1-734-604-0332
Email: shares@ndzh.com

Qiushi Lin
Huawei
Huawei Industrial Base
Shenzhen
Guangdong 518129
China

Email: linqiushi@huawei.com