Network Working Group                                          J. Jeong
Internet-Draft                                                   J. Kim
Intended status: Standards Track                                D. Hyun
Expires: April 8, 2017                          Sungkyunkwan University
                                                                J. Park
                                                                   ETRI
                                                                 T. Ahn
                                                          Korea Telecom
                                                        October 5, 2016

  YANG Data Model of Interface to Network Security Functions Capability
                                Interface
               draft-jeong-i2nsf-capability-interface-yang-03

Abstract

   This document defines a data model corresponding to the information
   model for the Interface to Network Security Functions (I2NSF)
   capability interface.  It describes a data model for three security
   capabilities (i.e., network security functions): network security
   control, content security control, and attack mitigation control, as
   defined in the information model for the I2NSF capability interface.

Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 8, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  Information Model Structure
   5.  YANG Model
   6.  Security Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Changes from
                draft-jeong-i2nsf-capability-interface-yang-02

1.  Introduction

   This document defines a YANG [RFC6020] data model for security
   services based on the information model of the Interface to Network
   Security Functions (I2NSF) capability interface.  It provides a
   specific information model and the corresponding data model for three
   security capabilities (i.e., network security functions): network
   security control, content security control, and attack mitigation
   control, as defined in [i2nsf-cap-interface-im].

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Terminology

   This document uses the terminology described in
   [i2nsf-cap-interface-im], [i2rs-rib-data-model], and
   [supa-policy-info-model].  In particular, the following terms are
   taken from [supa-policy-info-model]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams
   [i2rs-rib-data-model] is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      data (read-write) and "ro" means state data (read-only).

   o  Symbols after data node names: "?" means an optional node, and "*"
      denotes a "list" or a "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  Information Model Structure

   Figure 1 shows an overview of the structure tree for network security
   control, content security control, and attack mitigation control, as
   defined in [i2nsf-cap-interface-im].
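   The tree notation of Section 3.1 is regular enough to parse
   mechanically, and a parsed tree is enough to run basic checks on an
   instance of the policy model (leaf types, list keys, key uniqueness)
   and to cross-check the figure against the YANG module in Section 5.
   The following Python is an added illustration; it is not code from
   this draft or from the I2NSF working group.  It embeds a constructed
   excerpt of Figure 1 (a few nodes from policy, the IPv4 packet
   condition and the ingress action choice, with types written as YANG
   type names such as uint8) and a constructed instance laid out the way
   RFC 7951 JSON would be, with one well-formed rule and one rule that
   carries an out-of-range rule-id and a malformed IPv4 source address.
   The node and type names come from Figure 1; the Node class,
   parse_tree, validate, TYPE_CHECKS and the sample data are assumptions
   made for the example.

```python
import re

# Constructed excerpt of Figure 1 in the notation of Section 3.1 (sample input,
# not the full tree); each child sits three columns right of its parent.
SAMPLE_TREE = """\
module: ietf-i2nsf-capability-interface
  +--rw policy
     +--rw policy-name   string
     +--rw rule* [rule-id]
        +--rw rule-id     uint8
        +--rw condition
        |  +--rw packet-security-ipv4-condition* [pkt-sec-cond-ipv4-id]
        |     +--rw pkt-sec-cond-ipv4-id    uint8
        |     +--rw pkt-sec-cond-ipv4-src   inet:ipv4-address
        +--rw action
           +--rw (action-type)?
              +--:(ingress-action)
                 +--rw (ingress-action-type)?
                    +--:(permit)
                    |  +--rw permit   boolean
                    +--:(deny)
                       +--rw deny     boolean
"""

class Node:
    # kind: container|list|leaf|leaf-list|choice|case; optional: "?" suffix;
    # keys: names from "[k1 k2]"; type: the type column, if printed.
    def __init__(self, name, kind, optional, keys, type_):
        self.name, self.kind, self.optional, self.keys, self.type = name, kind, optional, keys, type_
        self.children = []

# After "+--": rw/ro (data node) or ":" (case), name, ?/* suffixes, [keys], type.
NODE_RE = re.compile(
    r'(rw|ro|:)\s*(\(?[\w:-]+\)?)([?*]*)(?:\s+\[([^\]]*)\])?(?:\s+(\S+))?\s*$')

def parse_tree(text):
    """Return the top-level nodes; nesting is taken from the column of '+'."""
    roots, stack = [], []  # stack: (column, node) of the open ancestors
    for line in text.splitlines():
        col = line.find('+--')
        if col < 0:
            continue       # "module:" header or blank line
        m = NODE_RE.match(line[col + 3:])
        if not m:
            raise ValueError('unrecognised tree line: %r' % line)
        flag, name, mods, keys, typ = m.groups()
        while stack and stack[-1][0] >= col:
            stack.pop()    # siblings and their subtrees are closed
        kind = ('case' if flag == ':' else 'choice' if name.startswith('(') else
                ('list' if keys is not None else 'leaf-list') if '*' in mods else
                'leaf' if typ else 'container')
        node = Node(name.strip('()'), kind, '?' in mods, (keys or '').split(), typ)
        (stack[-1][1].children if stack else roots).append(node)
        stack.append((col, node))
    return roots

IPV4_RE = re.compile(r'^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$')
TYPE_CHECKS = {  # value checks for the types the excerpt uses (a bool is not an int here)
    'string': lambda v: isinstance(v, str),
    'boolean': lambda v: isinstance(v, bool),
    'uint8': lambda v: type(v) is int and 0 <= v <= 255,
    'inet:ipv4-address': lambda v: isinstance(v, str) and IPV4_RE.match(v) is not None,
}

def validate(nodes, data, where='', errors=None):
    """Check leaf types, list keys and key uniqueness of a JSON-style instance.
    Leaf presence is not checked: the tree notation carries no 'mandatory'."""
    errors = [] if errors is None else errors
    for node in nodes:
        if node.kind in ('choice', 'case'):  # no data node of their own
            validate(node.children, data, where, errors)
            continue
        here = f'{where}/{node.name}'
        if node.name not in data:
            continue
        value = data[node.name]
        if node.kind == 'leaf':
            if not TYPE_CHECKS.get(node.type, lambda v: True)(value):
                errors.append(f'{here}: {value!r} is not a valid {node.type}')
        elif node.kind == 'container':
            validate(node.children, value, here, errors)
        elif node.kind == 'list':
            seen = set()
            for i, entry in enumerate(value):
                key = tuple(entry.get(k) for k in node.keys)
                if None in key or key in seen:
                    errors.append(f'{here}[{i}]: missing or duplicate key {key}')
                seen.add(key)
                validate(node.children, entry, f'{here}[{i}]', errors)
    return errors

# Constructed instance (laid out as RFC 7951 JSON would be): rule 1 is well
# formed; rule 2 has an out-of-range rule-id and a malformed IPv4 source address.
SAMPLE_INSTANCE = {"policy": {"policy-name": "lab-source-policy", "rule": [
    {"rule-id": 1, "action": {"deny": True}, "condition": {"packet-security-ipv4-condition": [
        {"pkt-sec-cond-ipv4-id": 1, "pkt-sec-cond-ipv4-src": "192.0.2.10"}]}},
    {"rule-id": 300, "action": {"permit": True}, "condition": {"packet-security-ipv4-condition": [
        {"pkt-sec-cond-ipv4-id": 1, "pkt-sec-cond-ipv4-src": "192.0.2.999"}]}}]}}
```

   Running validate(parse_tree(SAMPLE_TREE), SAMPLE_INSTANCE) reports two
   errors, one for the rule-id outside the uint8 range and one for the
   source address that is not an inet:ipv4-address.  Choice and case
   nodes have no data node of their own, so the checker descends through
   them with the same data; it does not enforce that only one case is
   present, and it cannot check mandatory leaves, because neither fact
   is carried by the tree notation.  Both come from the YANG module
   itself, so a deployment should validate instances with a YANG-aware
   tool such as pyang or yanglint against the module in Section 5, and
   use a parse of the figure only as a quick cross-check, for example
   that every list in the figure names its key.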
   module: ietf-i2nsf-capability-interface
     +--rw policy
        +--rw policy-name   string
        +--rw policy-id     string
        +--rw rule* [rule-id]
           +--rw rule-name   string
           +--rw rule-id     uint8
           +--rw event
           |  +--rw user-security-event* [usr-sec-event-id]
           |  |  +--rw usr-sec-event-id        uint8
           |  |  +--rw usr-sec-event-content   string
           |  |  +--rw usr-sec-event-format    uint8
           |  |  +--rw usr-sec-event-type      uint8
           |  +--rw device-security-event* [dev-sec-event-id]
           |  |  +--rw dev-sec-event-id              uint8
           |  |  +--rw dev-sec-event-content         string
           |  |  +--rw dev-sec-event-format          uint8
           |  |  +--rw dev-sec-event-type            uint8
           |  |  +--rw dev-sec-event-type-severity   uint8
           |  +--rw system-security-event* [sys-sec-event-id]
           |  |  +--rw sys-sec-event-id        uint8
           |  |  +--rw sys-sec-event-content   string
           |  |  +--rw sys-sec-event-format    uint8
           |  |  +--rw sys-sec-event-type      uint8
           |  +--rw time-security-event* [time-sec-event-id]
           |     +--rw time-sec-event-id             uint8
           |     +--rw time-sec-event-period-begin   yang:date-and-time
           |     +--rw time-sec-event-period-end     yang:date-and-time
           |     +--rw time-sec-event-time-zone      string
           +--rw condition
           |  +--rw packet-security-condition
           |  |  +--rw packet-security-mac-condition* [pkt-sec-cond-mac-id]
           |  |  |  +--rw pkt-sec-cond-mac-id           uint8
           |  |  |  +--rw pkt-sec-cond-mac-dest         yang:mac-address
           |  |  |  +--rw pkt-sec-cond-mac-src          yang:mac-address
           |  |  |  +--rw pkt-sec-cond-mac-8021q        string
           |  |  |  +--rw pkt-sec-cond-mac-ether-type   string
           |  |  |  +--rw pkt-sec-cond-mac-tci          string
           |  |  +--rw packet-security-ipv4-condition* [pkt-sec-cond-ipv4-id]
           |  |  |  +--rw pkt-sec-cond-ipv4-id         uint8
           |  |  |  +--rw pkt-sec-cond-ipv4-src        inet:ipv4-address
           |  |  |  +--rw pkt-sec-cond-ipv4-dest       inet:ipv4-address
           |  |  |  +--rw pkt-sec-cond-ipv4-protocol   string
           |  |  |  +--rw pkt-sec-cond-ipv4-dscp       string
           |  |  |  +--rw pkt-sec-cond-ipv4-ecn        string
           |  |  |  +--rw pkt-sec-cond-ipv4-length     string
           |  |  |  +--rw pkt-sec-cond-ipv4-ttl        string
           |  |  +--rw packet-security-ipv6-condition* [pkt-sec-cond-ipv6-id]
           |  |  |  +--rw pkt-sec-cond-ipv6-id               uint8
           |  |  |  +--rw pkt-sec-cond-ipv6-src              inet:ipv6-address
           |  |  |  +--rw pkt-sec-cond-ipv6-dest             inet:ipv6-address
           |  |  |  +--rw pkt-sec-cond-ipv6-dscp             string
           |  |  |  +--rw pkt-sec-cond-ipv6-ecn              string
           |  |  |  +--rw pkt-sec-cond-ipv6-flow-label       string
           |  |  |  +--rw pkt-sec-cond-ipv6-payload-length   string
           |  |  |  +--rw pkt-sec-cond-ipv6-next-header      string
           |  |  |  +--rw pkt-sec-cond-ipv6-hop-limit        string
           |  |  +--rw packet-security-tcp-condition* [pkt-sec-cond-tcp-id]
           |  |  |  +--rw pkt-sec-cond-tcp-id          uint8
           |  |  |  +--rw pkt-sec-cond-tcp-src-port    inet:port-number
           |  |  |  +--rw pkt-sec-cond-tcp-dest-port   inet:port-number
           |  |  |  +--rw pkt-sec-cond-tcp-seq-num     string
           |  |  |  +--rw pkt-sec-cond-tcp-flags       string
           |  |  +--rw packet-security-udp-condition* [pkt-sec-cond-udp-id]
           |  |     +--rw pkt-sec-cond-udp-id          uint8
           |  |     +--rw pkt-sec-cond-udp-src-port    inet:port-number
           |  |     +--rw pkt-sec-cond-udp-dest-port   inet:port-number
           |  |     +--rw pkt-sec-cond-udp-length      string
           |  +--rw packet-payload-security-condition* [pkt-payload-id]
           |  |  +--rw pkt-payload-id   uint8
           |  +--rw target-security-condition* [target-sec-cond-id]
           |  |  +--rw target-sec-cond-id   uint8
           |  |  +--rw service-sec-context-cond?
           |  |  |  +--rw name         string
           |  |  |  +--rw protocol
           |  |  |  |  +--rw TCP?      boolean
           |  |  |  |  +--rw UDP?      boolean
           |  |  |  |  +--rw ICMP?     boolean
           |  |  |  |  +--rw ICMPv6?   boolean
           |  |  |  |  +--rw IP?       boolean
           |  |  |  +--rw src-port?    inet:port-number
           |  |  |  +--rw dest-port?   inet:port-number
           |  |  +--rw application-sec-context-cond?
           |  |  |  +--rw name   string
           |  |  |  +--rw category
           |  |  |  |  +--rw business-system?   boolean
           |  |  |  |  +--rw entertainment?     boolean
           |  |  |  |  +--rw internet?          boolean
           |  |  |  |  +--rw network?           boolean
           |  |  |  |  +--rw general?           boolean
           |  |  |  +--rw subcategory
           |  |  |  |  +--rw finance?          boolean
           |  |  |  |  +--rw email?            boolean
           |  |  |  |  +--rw game?             boolean
           |  |  |  |  +--rw media-sharing?    boolean
           |  |  |  |  +--rw social-network?   boolean
           |  |  |  |  +--rw web-posting?      boolean
           |  |  |  +--rw data-transmission-model
           |  |  |  |  +--rw client-server?   boolean
           |  |  |  |  +--rw browser-based?   boolean
           |  |  |  |  +--rw networking?      boolean
           |  |  |  |  +--rw peer-to-peer?    boolean
           |  |  |  |  +--rw unassigned?      boolean
           |  |  |  +--rw risk-level
           |  |  |     +--rw exploitable?           boolean
           |  |  |     +--rw productivity-loss?     boolean
           |  |  |     +--rw evasive?               boolean
           |  |  |     +--rw data-loss?             boolean
           |  |  |     +--rw malware-vehicle?       boolean
           |  |  |     +--rw bandwidth-consuming?   boolean
           |  |  |     +--rw tunneling?             boolean
           |  |  +--rw device-sec-context-cond?
           |  |     +--rw pc?             boolean
           |  |     +--rw mobile-phone?   boolean
           |  |     +--rw tablet?         boolean
           |  |     +--rw voip-phone      boolean
           |  +--rw user-security-cond* [usr-sec-cond-id]
           |  |  +--rw usr-sec-cond-id   uint8
           |  |  +--rw user
           |  |  |  +--rw (user-name)?
           |  |  |     +--:(tenant)
           |  |  |     |  +--rw tenant   uint8
           |  |  |     +--:(vn-id)
           |  |  |        +--rw vn-id    uint8
           |  |  +--rw group
           |  |     +--rw (group-name)?
           |  |        +--:(tenant)
           |  |        |  +--rw tenant   uint8
           |  |        +--:(vn-id)
           |  |           +--rw vn-id    uint8
           |  +--rw security-context-condition* [sec-context-cond-id]
           |  |  +--rw sec-context-cond-id   uint8
           |  |  +--rw (state)?
           |  |     +--:(session-state)
           |  |     |  +--rw tcp-session-state
           |  |     |     +--rw new?           boolean
           |  |     |     +--rw established?   boolean
           |  |     |     +--rw related?       boolean
           |  |     |     +--rw invalid?       boolean
           |  |     |     +--rw untracked?     boolean
           |  |     +--:(session-aaa-state)
           |  |     |  +--rw session-sip-state
           |  |     |     +--rw auth-state?   boolean
           |  |     |     +--rw call-state?   boolean
           |  |     +--:(access-mode)
           |  |        +--rw access-mode   string
           |  +--rw generic-context-condition* [gen-context-cond-id]
           |     +--rw gen-context-cond-id   uint8
           |     +--rw geographic-location
           |        +--rw geographic-location-id*   uint8
           +--rw action
              +--rw (action-type)?
                 +--:(ingress-action)
                 |  +--rw (ingress-action-type)?
                 |     +--:(permit)
                 |     |  +--rw permit   boolean
                 |     +--:(deny)
                 |     |  +--rw deny     boolean
                 |     +--:(mirror)
                 |        +--rw mirror   boolean
                 +--:(egress-action)
                 |  +--rw (egress-action-type)?
                 |     +--:(invoke-signaling)
                 |     |  +--rw invoke-signaling       boolean
                 |     +--:(tunnel-encapsulation)
                 |     |  +--rw tunnel-encapsulation   boolean
                 |     +--:(forwarding)
                 |        +--rw forwarding             boolean
                 +--:(apply-profile-action)
                    +--rw (apply-profile-action-type)?
                       +--:(content-security-control)
                       |  +--rw (content-security-control-type)?
                       |     +--:(antivirus)
                       |     |  +--rw antivirus?             boolean
                       |     +--:(ips)
                       |     |  +--rw ips?                   boolean
                       |     +--:(url-filtering)
                       |     |  +--rw url-filtering?         boolean
                       |     +--:(file-blocking)
                       |     |  +--rw file-blocking?         boolean
                       |     +--:(data-filtering)
                       |     |  +--rw data-filtering?        boolean
                       |     +--:(application-control)
                       |     |  +--rw application-control?   boolean
                       |     +--:(voip-volte)
                       |        +--rw voip-volte-rule* [voip-volte-rule-id]
                       |           +--rw voip-volte-rule-id   uint8
                       |           +--rw event
                       |           |  +--rw called-voip    boolean
                       |           |  +--rw called-volte   boolean
                       |           +--rw condition
                       |           |  +--rw sip-header* [sip-header-uri]
                       |           |  |  +--rw sip-header-uri          string
                       |           |  |  +--rw sip-header-method       string
                       |           |  |  +--rw expire-time             yang:date-and-time
                       |           |  |  +--rw sip-header-user-agent   uint32
                       |           |  +--rw cell-region* [cell-id-region]
                       |           |     +--rw cell-id-region   uint32
                       |           +--rw action
                       |              +--rw (action-type)?
                       |                 +--:(ingress-action)
                       |                 |  +--rw (ingress-action-type)?
                       |                 |     +--:(permit)
                       |                 |     |  +--rw permit   boolean
                       |                 |     +--:(deny)
                       |                 |     |  +--rw deny     boolean
                       |                 |     +--:(mirror)
                       |                 |        +--rw mirror   boolean
                       |                 +--:(egress-action)
                       |                    +--rw (egress-action-type)?
                       |                       +--:(redirection)
                       |                          +--rw redirection?   boolean
                       +--:(attack-mitigation-control)
                          +--rw (attack-mitigation-control-type)?
                             +--:(ddos-attack)
                             |  +--rw (ddos-attack-type)?
                             |     +--:(network-layer-ddos-attack)
                             |     |  +--rw (network-layer-ddos-attack-type)?
                             |     |     +--:(syn-flood-attack)
                             |     |     |  +--rw syn-flood           boolean
                             |     |     +--:(udp-flood-attack)
                             |     |     |  +--rw udp-flood           boolean
                             |     |     +--:(icmp-flood-attack)
                             |     |     |  +--rw icmp-flood          boolean
                             |     |     +--:(ip-fragment-flood-attack)
                             |     |     |  +--rw ip-fragment-flood   boolean
                             |     |     +--:(ipv6-related-attacks)
                             |     |        +--rw ipv6-related        boolean
                             |     +--:(app-layer-ddos-attack)
                             |        +--rw (app-layer-ddos-attack-type)?
                             |           +--:(http-flood-attack)
                             |           |  +--rw http-flood      boolean
                             |           +--:(https-flood-attack)
                             |           |  +--rw https-flood     boolean
                             |           +--:(dns-flood-attack)
                             |           |  +--rw dns-flood       boolean
                             |           +--:(dns-amp-flood-attack)
                             |           |  +--rw dns-amp-flood   boolean
                             |           +--:(ssl-ddos-attack)
                             |              +--rw ssl-ddos        boolean
                             +--:(single-packet-attack)
                                +--rw (single-packet-attack-type)?
                                   +--:(scan-and-sniff-attack)
                                   |  +--rw (scan-and-sniff-attack-type)?
                                   |     +--:(ip-sweep-attack)
                                   |     |  +--rw ip-sweep        boolean
                                   |     +--:(port-scanning-attack)
                                   |        +--rw port-scanning   boolean
                                   +--:(malformed-packet-attack)
                                   |  +--rw (malformed-packet-attack-type)?
                                   |     +--:(ping-of-death-attack)
                                   |     |  +--rw ping-of-death   boolean
                                   |     +--:(teardrop-attack)
                                   |        +--rw teardrop        boolean
                                   +--:(special-packet-attack)
                                      +--rw (special-packet-attack-type)?
                                         +--:(oversized-icmp-attack)
                                         |  +--rw oversized-icmp   boolean
                                         +--:(tracert-attack)
                                            +--rw tracert          boolean

        Figure 1: Information Model of I2NSF Capability Interface

5.  YANG Model

   This section introduces a YANG model for the information model of
   network security functions, as defined in [i2nsf-cap-interface-im].

<CODE BEGINS> file "ietf-i2nsf-capability-interface@2016-10-05.yang"

module ietf-i2nsf-capability-interface {
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability-interface";
  prefix
    capability-interface;

  import ietf-inet-types {
    prefix inet;
  }
  import ietf-yang-types {
    prefix yang;
  }

  organization
    "IETF I2NSF (Interface to Network Security Functions)
     Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Adrian Farrel

     WG Chair: Linda Dunbar

     Editor: Jaehoon Paul Jeong
    ";

  description
    "This module defines a YANG data model for network security
     functions.";
  revision "2016-10-05" {
    description "Initial revision";
    reference
      "draft-xia-i2nsf-capability-interface-im-06";
  }

  //Groupings
  grouping policy {
    description
      "policy is a grouping
       including a set of security rules according to certain logic,
       i.e., their similarity or mutual relations, etc.  The network
       security policy is able to apply over both the unidirectional
       and bidirectional traffic across the NSF.";

    leaf policy-name {
      type string;
      mandatory true;
      description
        "The name of the policy.
         This must be unique.";
    }
    leaf policy-id {
      type string;
      mandatory true;
      description
        "The ID of the policy.
         This must be unique.";
    }

    list rule {
      key "rule-id";
      description
        "This is a rule for network security control.";

      leaf rule-name {
        type string;
        mandatory true;
        description
          "The name of the rule.
481 This must be unique."; 482 } 484 leaf rule-id { 485 type uint8; 486 mandatory true; 487 description 488 "The ID of the rule. 489 This is key for rule-list. 490 This must be unique."; 491 } 493 container event { 494 description 495 " An Event is defined as any important occurrence in time 496 of a change in the system being managed, and/or in the 497 environment of the system being managed. When used in 498 the context of policy rules for a flow-based NSF, it is 499 used to determine whether the Condition clause of the 500 Policy Rule can be evaluated or not. Examples of an 501 I2NSF Event include time and user actions (e.g., logon, 502 logoff, and actions that violate any ACL.)."; 503 list user-security-event { 504 key usr-sec-event-id; 505 description 506 "The purpose of this class is to represent Events that 507 are initiated by a user, such as logon and logoff 508 Events. Information in this Event may be used as part 509 of a test to determine if the Condition clause in 510 this ECA Policy Rule should be evaluated or not. 511 Examples include user identification data and the 512 type of connection used by the user."; 514 leaf usr-sec-event-id { 515 type uint8; 516 mandatory true; 517 description 518 "The ID of the usr-sec-event. 519 This is key for usr-sec-event-list. 520 This must be unique."; 521 } 523 leaf usr-sec-event-content { 524 type string; 525 mandatory true; 526 description 527 "This is a mandatory string that contains the content 528 of the UserSecurityEvent. The format of the content 529 is specified in the usrSecEventFormat class 530 attribute, and the type of Event is defined in the 531 usrSecEventType class attribute. 
               An example of the
               usrSecEventContent attribute is a string hrAdmin
               with the usrSecEventFormat set to 1 (GUID) and the
               usrSecEventType attribute set to 5 (new logon).";
          }

          leaf usr-sec-event-format {
            type uint8;
            mandatory true;
            description
              "This is a mandatory uint8 enumerated integer, which
               is used to specify the data type of the
               usrSecEventContent attribute.  The content is
               specified in the usrSecEventContent class attribute,
               and the type of Event is defined in the
               usrSecEventType class attribute.  An example of the
               usrSecEventContent attribute is string hrAdmin with
               the usrSecEventFormat attribute set to 1 (GUID) and
               the usrSecEventType attribute set to 5 (new logon).";
          }

          leaf usr-sec-event-type {
            type uint8;
            mandatory true;
            description
              "This is a mandatory uint8 enumerated integer, which
               is used to specify the type of Event that involves
               this user.  The content and format are specified in
               the usrSecEventContent and usrSecEventFormat class
               attributes, respectively.  An example of the
               usrSecEventContent attribute is string hrAdmin
               with the usrSecEventFormat attribute set to 1 (GUID)
               and the usrSecEventType attribute set to 5 (new
               logon).";
          }
        }

        list device-security-event {
          key dev-sec-event-id;
          description
            "The purpose of a DeviceSecurityEvent is to represent
             Events that provide information from the Device that
             are important to I2NSF Security.  Information in this
             Event may be used as part of a test to determine if
             the Condition clause in this ECA Policy Rule should be
             evaluated or not.  Examples include alarms and various
             device statistics (e.g., a type of threshold that was
             exceeded), which may signal the need for further
             action.";

          leaf dev-sec-event-id {
            type uint8;
            mandatory true;
            description
              "The ID of the dev-sec-event.
               This is key for dev-sec-event-list.
588 This must be unique."; 589 } 591 leaf dev-sec-event-content { 592 type string; 593 mandatory true; 594 description 595 "This is a mandatory string that contains the content 596 of the DeviceSecurityEvent. The format of the 597 content is specified in the devSecEventFormat class 598 attribute, and the type of Event is defined in the 599 devSecEventType class attribute. An example of the 600 devSecEventContent attribute is alarm with the 601 devSecEventFormat attribute set to 1 (GUID) and the 602 devSecEventType attribute set to 5 (new logon)."; 604 } 606 leaf dev-sec-event-format { 607 type uint8; 608 mandatory true; 609 description 610 "This is a mandatory uint 8 enumerated integer, which 611 is used to specify the data type of the 612 devSecEventContent attribute."; 613 } 615 leaf dev-sec-event-type { 616 type uint8; 617 mandatory true; 618 description 619 "This is a mandatory uint 8 enumerated integer, which 620 is used to specify the type of Event that was 621 generated by this device."; 622 } 624 leaf dev-sec-event-type-severity { 625 type uint8; 626 mandatory true; 627 description 628 "This is a mandatory uint 8 enumerated integer, which 629 is used to specify the perceived severity of the 630 Event generated by this Device."; 631 } 632 } 634 list system-security-event { 635 key sys-sec-event-id; 636 description 637 "The purpose of a SystemSecurityEvent is to represent 638 Events that are detected by the management system, 639 instead of Events that are generated by a user or a 640 device. Information in this Event may be used as part 641 of a test to determine if the Condition clause in 642 this ECA Policy Rule should be evaluated or not. 
             Examples include an event issued by an analytics
             system that warns against a particular pattern of
             unknown user accesses, or an Event issued by a
             management system that represents a set of correlated
             and/or filtered Events.";

          leaf sys-sec-event-id {
            type uint8;
            mandatory true;
            description
              "The ID of the sys-sec-event.
               This is key for sys-sec-event-list.
               This must be unique.";
          }

          leaf sys-sec-event-content {
            type string;
            mandatory true;
            description
              "This is a mandatory string that contains the content
               of the SystemSecurityEvent.  The format of the
               content is specified in the sysSecEventFormat class
               attribute, and the type of Event is defined in the
               sysSecEventType class attribute.  An example of the
               sysSecEventContent attribute is string sysadmin3
               with the sysSecEventFormat attribute set to 1 (GUID)
               and the sysSecEventType attribute set to 2 (audit
               log cleared).";
          }

          leaf sys-sec-event-format {
            type uint8;
            mandatory true;
            description
              "This is a mandatory uint8 enumerated integer, which
               is used to specify the data type of the
               sysSecEventContent attribute.";
          }

          leaf sys-sec-event-type {
            type uint8;
            mandatory true;
            description
              "This is a mandatory uint8 enumerated integer, which
               is used to specify the type of Event that involves
               this device.";
          }
        }

        list time-security-event {
          key time-sec-event-id;
          description
            "The purpose of a TimeSecurityEvent is to represent
             Events that are temporal in nature (e.g., the start or
             end of a period of time).  Time events signify an
             individual occurrence, or a time period, in which a
             significant event happened.  Information in the Event
             may be used as part of a test to determine if the
             Condition clause in this ECA Rule should be evaluated
             or not.
             Examples include issuing an Event at a specific time
             to indicate that a particular resource should not be
             accessed, or that different authentication and
             authorization mechanisms should now be used (e.g.,
             because it is now past regular business hours).";

          leaf time-sec-event-id {
            type uint8;
            mandatory true;
            description
              "The ID of the time-sec-event.
               This is key for time-sec-event-list.
               This must be unique.";
          }

          leaf time-sec-event-period-begin {
            type yang:date-and-time;
            mandatory true;
            description
              "This is a mandatory DateTime attribute, and
               represents the beginning of a time period.
               It has a value that has a date and/or a time
               component (as in the Java or Python libraries).";
          }

          leaf time-sec-event-period-end {
            type yang:date-and-time;
            mandatory true;
            description
              "This is a mandatory DateTime attribute, and
               represents the end of a time period.  It has
               a value that has a date and/or a time component
               (as in the Java or Python libraries).  If this is
               a single Event occurrence, and not a time period
               when the Event can occur, then the
               timeSecEventPeriodEnd attribute may be ignored.";
          }

          leaf time-sec-event-time-zone {
            type string;
            mandatory true;
            description
              "This is a mandatory string attribute, and defines the
               time zone that this Event occurred in, using the
               format specified in ISO 8601.";
          }
        }
      }

      container condition {
        description
          "TBD";
        container packet-security-condition {
          description
            "The purpose of this Class is to represent packet header
             information that can be used as part of a test to
             determine if the set of Policy Actions in this ECA
             Policy Rule should be executed or not.
             This class is
             abstract, and serves as the superclass of more detailed
             conditions that involve different types of packet
             formats.";

          list packet-security-mac-condition {
            key pkt-sec-cond-mac-id;
            description
              "The purpose of this Class is to represent MAC packet
               header information that can be used as part of a
               test to determine if the set of Policy Actions in
               this ECA Policy Rule should be executed or not.";

            leaf pkt-sec-cond-mac-id {
              type uint8;
              mandatory true;
              description
                "The ID of the pkt-sec-cond-mac.
                 This is key for pkt-sec-cond-mac-list.
                 This must be unique.";
            }

            leaf pkt-sec-cond-mac-dest {
              type yang:mac-address;
              mandatory true;
              description
                "This is a mandatory yang:mac-address attribute, and
                 defines the MAC destination address (6 octets
                 long).";
            }

            leaf pkt-sec-cond-mac-src {
              type yang:mac-address;
              mandatory true;
              description
                "This is a mandatory yang:mac-address attribute, and
                 defines the MAC source address (6 octets long).";
            }

            leaf pkt-sec-cond-mac-8021q {
              type string;
              mandatory true;
              description
                "This is an optional string attribute, and defines
                 the 802.1Q tag value (2 octets long).  This defines
                 VLAN membership and 802.1p priority values.";
            }

            leaf pkt-sec-cond-mac-ether-type {
              type string;
              mandatory true;
              description
                "This is a mandatory string attribute, and defines
                 the EtherType field (2 octets long).  Values up to
                 and including 1500 indicate the size of the payload
                 in octets; values of 1536 and above define which
                 protocol is encapsulated in the payload of the
                 frame.";
            }

            leaf pkt-sec-cond-mac-tci {
              type string;
              mandatory true;
              description
                "This is an optional string attribute, and defines
                 the Tag Control Information.
                 This consists of a 3
                 bit user priority field, a drop eligible indicator
                 (1 bit), and a VLAN identifier (12 bits).";
            }
          }

          list packet-security-ipv4-condition {
            key pkt-sec-cond-ipv4-id;
            description
              "The purpose of this Class is to represent IPv4 packet
               header information that can be used as part of a
               test to determine if the set of Policy Actions in
               this ECA Policy Rule should be executed or not.";

            leaf pkt-sec-cond-ipv4-id {
              type uint8;
              mandatory true;
              description
                "The ID of the pkt-sec-cond-ipv4.
                 This is key for pkt-sec-cond-ipv4-list.
                 This must be unique.";
            }

            leaf pkt-sec-cond-ipv4-src {
              type inet:ipv4-address;
              mandatory true;
              description
                "This is a mandatory inet:ipv4-address attribute,
                 and defines the IPv4 Source Address (32 bits).";
            }

            leaf pkt-sec-cond-ipv4-dest {
              type inet:ipv4-address;
              mandatory true;
              description
                "This is a mandatory inet:ipv4-address attribute,
                 and defines the IPv4 Destination Address
                 (32 bits).";
            }

            leaf pkt-sec-cond-ipv4-protocol {
              type string;
              mandatory true;
              description
                "This is a mandatory string attribute, and defines
                 the protocol used in the data portion of the IP
                 datagram (8 bits).";
            }

            leaf pkt-sec-cond-ipv4-dscp {
              type string;
              mandatory true;
              description
                "This is a mandatory string attribute, and defines
                 the Differentiated Services Code Point field
                 (6 bits).";
            }

            leaf pkt-sec-cond-ipv4-ecn {
              type string;
              mandatory true;
              description
                "This is an optional string attribute, and defines
                 the Explicit Congestion Notification field
                 (2 bits).";
            }

            leaf pkt-sec-cond-ipv4-length {
              type string;
              mandatory true;
              description
                "This is a mandatory string attribute, and defines
                 the total length of the packet (including header
                 and data) in bytes (16 bits).";
            }

            leaf pkt-sec-cond-ipv4-ttl {
              type string;
              mandatory true;
              description
                "This is a mandatory string attribute, and defines
                 the Time To Live in seconds (8 bits).";
            }
          }

          list packet-security-ipv6-condition {
            key pkt-sec-cond-ipv6-id;
            description
              "The purpose of this Class is to represent IPv6 packet
               header information that can be used as part of a
               test to determine if the set of Policy Actions in
               this ECA Policy Rule should be executed or not.";

            leaf pkt-sec-cond-ipv6-id {
              type uint8;
              mandatory true;
              description
                "The ID of the pkt-sec-cond-ipv6.
                 This is key for pkt-sec-cond-ipv6-list.
                 This must be unique.";
            }

            leaf pkt-sec-cond-ipv6-src {
              type inet:ipv6-address;
              mandatory true;
              description
                "This is a mandatory inet:ipv6-address attribute,
                 and defines the IPv6 Source Address (128 bits).";
            }

            leaf pkt-sec-cond-ipv6-dest {
              type inet:ipv6-address;
              mandatory true;
              description
                "This is a mandatory inet:ipv6-address attribute,
                 and defines the IPv6 Destination Address
                 (128 bits).";
            }

            leaf pkt-sec-cond-ipv6-dscp {
              type string;
              mandatory true;
              description
                "This is a mandatory string attribute, and defines
                 the Differentiated Services Code Point field
                 (6 bits).  It consists of the six most significant
                 bits of the Traffic Class field in the IPv6
                 header.";
            }

            leaf pkt-sec-cond-ipv6-ecn {
              type string;
              mandatory true;
              description
                "This is a mandatory string attribute, and defines
                 the Explicit Congestion Notification field (2 bits).
                 It consists of the two least significant bits of
                 the Traffic Class field in the IPv6 header.";
            }

            leaf pkt-sec-cond-ipv6-flow-label {
              type string;
              mandatory true;
              description
                "This is a mandatory string attribute, and defines
                 an IPv6 flow label.
This, in combination with the 967 Source and Destination Address fields, enables 968 efficient IPv6 flow classification by using only 969 the IPv6 main header fields (20 bits)."; 970 } 972 leaf pkt-sec-cond-ipv6-payload-length { 973 type string; 974 mandatory true; 975 description 976 "This is a mandatory string attribute, and defines 977 the total length of the packet (including the 978 fixed and any extension headers, and data) in 979 bytes (16 bits)."; 980 } 982 leaf pkt-sec-cond-ipv6-next-header { 983 type string; 984 mandatory true; 985 description 986 "This is a mandatory string attribute, and defines 987 the type of the next header (e.g., which extension 988 header to use) (8 bits)."; 989 } 991 leaf pkt-sec-cond-ipv6-hop-limit { 992 type string; 993 mandatory true; 994 description 995 "This is a mandatory string attribute, and defines 996 the maximum number of hops that this packet can 997 traverse (8 bits)."; 998 } 999 } 1001 list packet-security-tcp-condition { 1002 key pkt-sec-cond-tcp-id; 1003 description 1004 "The purpose of this Class is to represent packet 1005 TCP packet header information that can be used as 1006 part of a test to determine if the set of Policy 1007 Actions in this ECA Policy Rule should be executed 1008 or not."; 1010 leaf pkt-sec-cond-tcp-id { 1011 type uint8; 1012 mandatory true; 1013 description 1014 "The ID of the pkt-sec-cond-tcp. 1015 This is key for pkt-sec-cond-tcp-list. 
1016 This must be unique."; 1017 } 1019 leaf pkt-sec-cond-tcp-src-port { 1020 type inet:port-number; 1021 mandatory true; 1022 description 1023 "This is a mandatory port attribute, and defines 1024 the Source Port (16 bits)."; 1025 } 1027 leaf pkt-sec-cond-tcp-dest-port { 1028 type inet:port-number; 1029 mandatory true; 1030 description 1031 "This is a mandatory port attribute, and defines 1032 the Destination Port (16 bits)."; 1033 } 1035 leaf pkt-sec-cond-tcp-seq-num { 1036 type string; 1037 mandatory true; 1038 description 1039 "This is a mandatory string attribute, and defines 1040 the sequence number (32 bits)."; 1041 } 1043 leaf pkt-sec-cond-tcp-falgs { 1044 type string; 1045 mandatory true; 1046 description 1047 "This is a mandatory string attribute, and defines 1048 the nine Control bit flags (9 bits)."; 1049 } 1050 } 1052 list packet-security-udp-condition { 1053 key pkt-sec-cond-udp-id; 1054 description 1055 "The purpose of this Class is to represent packet UDP 1056 packet header information that can be used as part 1057 of a test to determine if the set of Policy Actions 1058 in this ECA Policy Rule should be executed or not."; 1060 leaf pkt-sec-cond-udp-id { 1061 type uint8; 1062 mandatory true; 1063 description 1064 "The ID of the pkt-sec-cond-udp. 1065 This is key for pkt-sec-cond-udp-list. 
1066 This must be unique."; 1067 } 1069 leaf pkt-sec-cond-udp-src-port { 1070 type inet:port-number; 1071 mandatory true; 1072 description 1073 "This is a mandatory port attribute, and defines 1074 the UDP Source Port (16 bits)."; 1075 } 1077 leaf pkt-sec-cond-udp-dest-port { 1078 type inet:port-number; 1079 mandatory true; 1080 description 1081 "This is a mandatory port attribute, and defines 1082 the UDP Destination Port (16 bits)."; 1083 } 1084 leaf pkt-sec-cond-udp-length { 1085 type string; 1086 mandatory true; 1087 description 1088 "This is a mandatory string attribute, and defines 1089 the length in bytes of the UDP header and data 1090 (16 bits)."; 1091 } 1092 } 1093 } 1094 list packet-payload-security-condition { 1095 key "pkt-payload-id"; 1096 description 1097 "The ID of the pkt-payload. 1098 This is key for pkt-payload-list. 1099 This must be unique."; 1100 leaf pkt-payload-id { 1101 type uint8; 1102 mandatory true; 1103 description 1104 "The ID of the packet payload. 1105 This must be unique."; 1106 } 1107 } 1108 list target-security-condition { 1109 key "target-sec-cond-id"; 1110 description 1111 "Under the circumstances of network, it mainly 1112 refers to the service, application, and device."; 1113 leaf target-sec-cond-id { 1114 type uint8; 1115 mandatory true; 1116 description 1117 "The ID of the target. 1118 This must be unique."; 1119 } 1120 container service-sec-context-cond{ 1121 description 1122 "A service is an application identified by a 1123 protocol type and port number, such as TCP, 1124 UDP, ICMP, and IP."; 1125 leaf name { 1126 type string; 1127 mandatory true; 1128 description 1129 "The name of the service. 1130 This must be unique."; 1131 } 1132 leaf id { 1133 type uint8; 1134 mandatory true; 1135 description 1136 "The ID of the service. 
1137 This must be unique."; 1138 } 1139 container protocol { 1140 description 1141 "Protocol types: 1142 TCP, UDP, ICMP, ICMPv6, IP, and etc."; 1143 leaf tcp { 1144 type boolean; 1145 mandatory true; 1146 description 1147 "TCP protocol type."; 1148 } 1149 leaf udp { 1150 type boolean; 1151 mandatory true; 1152 description 1153 "UDP protocol type."; 1154 } 1155 leaf icmp { 1156 type boolean; 1157 mandatory true; 1158 description 1159 "ICMP protocol type."; 1160 } 1161 leaf icmpv6 { 1162 type boolean; 1163 mandatory true; 1164 description 1165 "ICMPv6 protocol type."; 1166 } 1167 leaf ip { 1168 type boolean; 1169 mandatory true; 1170 description 1171 "IP protocol type."; 1172 } 1173 } 1174 leaf src-port{ 1175 type inet:port-number; 1176 description 1177 "It can be used for finding programs."; 1178 } 1179 leaf dest-port{ 1180 type inet:port-number; 1181 description 1182 "It can be used for finding programs."; 1183 } 1184 } 1185 container application-sec-context-cond { 1186 description 1187 "An application is a computer program for 1188 a specific task or purpose. It provides 1189 a finer granularity than service in matching 1190 traffic."; 1191 leaf name{ 1192 type string; 1193 mandatory true; 1194 description 1195 "The name of the application. 1196 This must be unique."; 1197 } 1198 leaf id{ 1199 type uint8; 1200 mandatory true; 1201 description 1202 "The ID of the application. 
1203 This must be unique."; 1204 } 1205 container category{ 1206 description 1207 "Category types: Business system, Entertainment, 1208 Interest, Network, General, and etc."; 1209 leaf business-system { 1210 type boolean; 1211 description 1212 "Business system category."; 1213 } 1214 leaf entertainment { 1215 type boolean; 1216 description 1217 "Entertainment category."; 1218 } 1219 leaf interest { 1220 type boolean; 1221 description 1222 "Interest category."; 1223 } 1224 leaf network { 1225 type boolean; 1226 description 1227 "Network category."; 1229 } 1230 leaf general { 1231 type boolean; 1232 description 1233 "General category."; 1234 } 1235 } 1236 container subcategory{ 1237 description 1238 "Subcategory types: Finance, Email, Game, 1239 Media sharing, Social network, Web posting, 1240 and etc."; 1241 leaf finance { 1242 type boolean; 1243 description 1244 "Finance subcategory."; 1245 } 1246 leaf email { 1247 type boolean; 1248 description 1249 "Email subcategory."; 1250 } 1251 leaf game { 1252 type boolean; 1253 description 1254 "Game subcategory."; 1255 } 1256 leaf media-sharing { 1257 type boolean; 1258 description 1259 "Media sharing subcategory."; 1260 } 1261 leaf social-network { 1262 type boolean; 1263 description 1264 "Social network subcategory."; 1265 } 1266 leaf web-posting { 1267 type boolean; 1268 description 1269 "Web posting subcategory."; 1270 } 1271 } 1272 container data-transmission-model{ 1273 description 1274 "Data transmission model types: Client-server, 1275 Browser-based, Networking, Peer-to-Peer, 1276 Unassigned, and etc."; 1278 leaf client-server { 1279 type boolean; 1280 description 1281 "client-server data transmission model."; 1282 } 1283 leaf browser-based { 1284 type boolean; 1285 description 1286 "Browser-based data transmission model."; 1287 } 1288 leaf networking { 1289 type boolean; 1290 description 1291 "Networking data transmission model."; 1292 } 1293 leaf peer-to-peer { 1294 type boolean; 1295 description 1296 
"Peer-to-Peer data transmission model."; 1297 } 1298 leaf unassigned { 1299 type boolean; 1300 description 1301 "Unassigned data transmission model."; 1302 } 1303 } 1304 container risk-level{ 1305 description 1306 "Risk level types: Exploitable, 1307 Productivity loss, Evasive, Data loss, 1308 Malware vehicle, Bandwidth consuming, 1309 Tunneling, and etc."; 1310 leaf exploitable { 1311 type boolean; 1312 description 1313 "Exploitable risk level."; 1314 } 1315 leaf productivity-loss { 1316 type boolean; 1317 description 1318 "Productivity loss risk level."; 1319 } 1320 leaf evasive { 1321 type boolean; 1322 description 1323 "Evasive risk level."; 1324 } 1325 leaf data-loss { 1326 type boolean; 1327 description 1328 "Data loss risk level."; 1329 } 1330 leaf malware-vehicle { 1331 type boolean; 1332 description 1333 "Malware vehicle risk level."; 1334 } 1335 leaf bandwidth-consuming { 1336 type boolean; 1337 description 1338 "Bandwidth consuming risk level."; 1339 } 1340 leaf tunneling { 1341 type boolean; 1342 description 1343 "Tunneling risk level."; 1344 } 1345 } 1346 } 1347 container device-sec-context-cond { 1348 description 1349 "The device attribute that can identify a device, 1350 including the device type (i.e., router, switch, 1351 pc, ios, or android) and the device's owner as 1352 well."; 1353 leaf pc { 1354 type boolean; 1355 description 1356 "If type of a device is PC."; 1357 } 1358 leaf mobile-phone { 1359 type boolean; 1360 description 1361 "If type of a device is mobile-phone."; 1362 } 1363 leaf tablet { 1364 type boolean; 1365 description 1366 "If type of a device is tablet."; 1367 } 1368 leaf voip-volte-phone { 1369 type boolean; 1370 description 1371 "If type of a device is voip-volte-phone."; 1372 } 1373 } 1375 } 1376 list user-security-cond { 1377 key "usr-sec-cond-id"; 1378 description 1379 "TBD"; 1380 leaf usr-sec-cond-id { 1381 type uint8; 1382 description 1383 "The ID of the user-sec-cond. 1384 This is key for user-sec-cond-list. 
1385 This must be unique."; 1386 } 1387 container user{ 1388 description 1389 "The user (or user group) information with which 1390 network flow is associated: The user has many 1391 attributes such as name, id, password, type, 1392 authentication mode and so on. Name/id is often 1393 used in the security policy to identify the user. 1394 Besides, NSF is aware of the IP address of the 1395 user provided by a unified user management system 1396 via network. Based on name-address association, 1397 NSF is able to enforce the security functions 1398 over the given user (or user group)"; 1399 choice user-name { 1400 description 1401 "The name of the user. 1402 This must be unique."; 1403 case tenant { 1404 description 1405 "Tenant information."; 1406 leaf tenant { 1407 type uint8; 1408 mandatory true; 1409 description 1410 "User's tenant information."; 1411 } 1412 } 1413 case vn-id { 1414 description 1415 "VN-ID information."; 1416 leaf vn-id { 1417 type uint8; 1418 mandatory true; 1419 description 1420 "User's VN-ID information."; 1421 } 1422 } 1424 } 1425 } 1426 container group { 1427 description 1428 "The user (or user group) information with which 1429 network flow is associated: The user has many 1430 attributes such as name, id, password, type, 1431 authentication mode and so on. Name/id is often 1432 used in the security policy to identify the user. 1433 Besides, NSF is aware of the IP address of the 1434 user provided by a unified user management system 1435 via network. Based on name-address association, 1436 NSF is able to enforce the security functions 1437 over the given user (or user group)"; 1438 choice group-name { 1439 description 1440 "The name of the user. 
1441 This must be unique."; 1442 case tenant { 1443 description 1444 "Tenant information."; 1445 leaf tenant { 1446 type uint8; 1447 mandatory true; 1448 description 1449 "User's tenant information."; 1450 } 1451 } 1452 case vn-id { 1453 description 1454 "VN-ID information."; 1455 leaf vn-id { 1456 type uint8; 1457 mandatory true; 1458 description 1459 "User's VN-ID information."; 1460 } 1461 } 1462 } 1463 } 1464 } 1465 list generic-context-condition { 1466 key "gen-context-cond-id"; 1467 description 1468 "TBD"; 1469 leaf gen-context-cond-id { 1470 type uint8; 1471 description 1472 "The ID of the gen-context-cond. 1473 This is key for gen-context-cond-list. 1474 This must be unique."; 1475 } 1476 container geographic-location { 1477 description 1478 "The location which network traffic is associated 1479 with. The region can be the geographic location 1480 such as country, province, and city as well as 1481 the logical network location such as IP address, 1482 network section, and network domain."; 1483 leaf-list geographic-location { 1484 type uint8; 1485 description 1486 "This is mapped to ip address. 
We can acquire 1487 region through ip address stored the database."; 1488 } 1489 } 1490 } 1491 } 1492 container action { 1493 description 1494 "TBD."; 1495 choice action-type { 1496 description 1497 "The flow-based NSFs realize the network security 1498 functions by executing various Actions, which at least 1499 includes ingress-action, egress-action, and 1500 advanced-action."; 1501 case ingress-action { 1502 description 1503 "The ingress actions consist of permit, deny, 1504 and mirror."; 1505 choice ingress-action-type { 1506 description 1507 "Ingress action type: permit, deny, and mirror."; 1508 case permit { 1509 description 1510 "Permit case."; 1511 leaf permit { 1512 type boolean; 1513 mandatory true; 1514 description 1515 "Packet flow is permitted."; 1516 } 1517 } 1518 case deny { 1519 description 1520 "Deny case."; 1521 leaf deny { 1522 type boolean; 1523 mandatory true; 1524 description 1525 "Packet flow is denied."; 1526 } 1527 } 1528 case mirror { 1529 description 1530 "Mirror case."; 1531 leaf mirror { 1532 type boolean; 1533 mandatory true; 1534 description 1535 "Packet flow is mirroried."; 1536 } 1537 } 1538 } 1539 } 1540 case egress-action { 1541 description 1542 "The egress actions consist of invoke-signaling, 1543 tunnel-encapsulation, and forwarding."; 1544 choice egress-action-type { 1545 description 1546 "Egress-action-type: invoke-signaling, 1547 tunnel-encapsulation, and forwarding."; 1548 case invoke-signaling { 1549 description 1550 "Invoke-signaling case."; 1551 leaf invoke-signaling { 1552 type boolean; 1553 mandatory true; 1554 description 1555 "TBD."; 1556 } 1557 } 1558 case tunnel-encapsulation { 1559 description 1560 "tunnel-encapsulation case."; 1561 leaf tunnel-encapsulation { 1562 type boolean; 1563 mandatory true; 1564 description 1565 "TBD."; 1566 } 1567 } 1568 case forwarding { 1569 description 1570 "forwarding case."; 1571 leaf forwarding { 1572 type boolean; 1573 mandatory true; 1574 description 1575 "TBD."; 1576 } 1577 } 1578 
} 1579 } 1580 case apply-profile-action { 1581 description 1582 "Applying a specific Functional Profile or signature 1583 - e.g., an IPS Profile, a signature file, an 1584 anti-virus file, or a URL filtering file. The 1585 functional profile or signature file corresponds to 1586 the security capability for the content security 1587 control and attack mitigation control which will be 1588 described afterwards. It is one of the key properties 1589 that determine the effectiveness of the NSF, and is 1590 mostly vendor specific today. One goal of I2NSF is 1591 to standardize the form and functional interface of 1592 those security capabilities while supporting vendor- 1593 specific implementations of each."; 1594 choice apply-profile-action-type { 1595 description 1596 "Advanced action types: Content Security Control 1597 and Attack Mitigation Control."; 1598 case content-security-control { 1599 description 1600 "Content security control is another category of 1601 security capabilities applied to application layer. 
1602 Through detecting the contents carried over the 1603 traffic in application layer, these capabilities 1604 can realize various security purposes, such as 1605 defending against intrusion, inspecting virus, 1606 filtering malicious URL or junk email, and blocking 1607 illegal web access or data retrieval."; 1608 choice content-security-control-type { 1609 description 1610 "Content Security types: Antivirus, IPS, 1611 url-filtering file-blocking, data-filtering, 1612 application-control, and voip-volte."; 1613 case antivirus { 1614 leaf antivirus { 1615 type boolean; 1616 description 1617 "Antivirus is computer software used to 1618 prevent, detect and remove malicious 1619 software."; 1620 } 1621 } 1622 case ips { 1623 leaf ips { 1624 type boolean; 1625 description 1626 "Intrusion prevention systems (IPS) are 1627 network security appliances that monitor 1628 network and/or system activities for 1629 malicious activities."; 1630 } 1631 } 1632 case url-filtering { 1633 leaf url-filtering { 1634 type boolean; 1635 description 1636 "URL filtering security service."; 1637 } 1638 } 1639 case file-blocking { 1640 leaf file-blocking { 1641 type boolean; 1642 description 1643 "File blocking security service."; 1644 } 1645 } 1646 case data-filtering { 1647 leaf data-filtering { 1648 type boolean; 1649 description 1650 "Data filtering security service."; 1651 } 1652 } 1653 case application-control { 1654 leaf application-control { 1655 type boolean; 1656 description 1657 "Application control security service."; 1658 } 1659 } 1660 case voip-volte { 1661 list voip-volte-rule { 1662 key "voip-volte-rule-id"; 1663 description 1664 "For the VoIP/VoLTE security system, a VoIP/ 1665 VoLTE security system can monitor each 1666 VoIP/VoLTE flow and manage VoIP/VoLTE 1667 security rules controlled by a centralized 1668 server for VoIP/VoLTE security service 1669 (called VoIP IPS). 
The VoIP/VoLTE security 1670 system controls each switch for the 1671 VoIP/VoLTE call flow management by 1672 manipulating the rules that can be added, 1673 deleted, or modified dynamically."; 1674 leaf voip-volte-rule-id { 1675 type uint8; 1676 mandatory true; 1677 description 1678 "The ID of the voip-volte-rule. 1679 This is the key for voip-volte-rule-list. 1680 This must be unique."; 1681 } 1682 container event { 1683 description 1684 "Event types: VoIP and VoLTE."; 1685 leaf called-voip { 1686 type boolean; 1687 mandatory true; 1688 description 1689 "If content-security-control-type is 1690 voip."; 1691 } 1692 leaf called-volte { 1693 type boolean; 1694 mandatory true; 1695 description 1696 "If content-security-control-type is 1697 volte."; 1698 } 1699 } 1700 container condition { 1701 description 1702 "TBD."; 1703 list sip-header { 1704 key "sip-header-uri"; 1705 description 1706 "TBD."; 1707 leaf sip-header-uri { 1708 type string; 1709 mandatory true; 1710 description 1711 "SIP header URI."; 1713 } 1714 leaf sip-header-method { 1715 type string; 1716 mandatory true; 1717 description 1718 "SIP header method."; 1719 } 1720 leaf sip-header-expire-time { 1721 type yang:date-and-time; 1722 mandatory true; 1723 description 1724 "SIP header expire time."; 1725 } 1726 leaf sip-header-user-agent { 1727 type uint32; 1728 mandatory true; 1729 description 1730 "SIP header user agent."; 1731 } 1732 } 1733 list cell-region { 1734 key "cell-id-region"; 1735 description 1736 "TBD."; 1737 leaf cell-id-region { 1738 type uint32; 1739 mandatory true; 1740 description 1741 "Cell region."; 1742 } 1743 } 1744 } 1745 container action { 1746 description 1747 "The flow-based NSFs realize the security 1748 functions by executing various Actions."; 1749 choice action-type { 1750 description 1751 "Action type: ingress action and 1752 egress action."; 1753 case ingress-action { 1754 description 1755 "The ingress actions consist of permit, 1756 deny, and mirror."; 1757 choice 
ingress-action-type { 1758 description 1759 "Ingress-action-type: permit, deny, 1760 and mirror."; 1762 case permit { 1763 description 1764 "Permit case."; 1765 leaf permit { 1766 type boolean; 1767 mandatory true; 1768 description 1769 "Packet flow is permitted."; 1770 } 1771 } 1772 case deny { 1773 description 1774 "Deny case."; 1775 leaf deny { 1776 type boolean; 1777 mandatory true; 1778 description 1779 "Packet flow is denied."; 1780 } 1781 } 1782 case mirror { 1783 description 1784 "Mirror case."; 1785 leaf mirror { 1786 type boolean; 1787 mandatory true; 1788 description 1789 "Packet flow is mirrored."; 1790 } 1791 } 1792 } 1793 } 1794 case egress-action { 1795 description 1796 "The engress actions consist of 1797 mirror and etc."; 1798 choice egress-action-type { 1799 description 1800 "Engress-action-type: redirection, 1801 and etc."; 1802 case redirection { 1803 description 1804 "Redirection case."; 1805 leaf redirection { 1806 type boolean; 1807 mandatory true; 1808 description "TBD."; 1809 } 1811 } 1812 } 1813 } 1814 } 1815 } 1816 } 1817 } 1818 } 1819 } 1820 case attack-mitigation-control { 1821 description 1822 "This category of security capabilities is 1823 specially used to detect and mitigate various 1824 types of network attacks."; 1825 choice attack-mitigation-control-type { 1826 description 1827 "Attack-mitigation types: DDoS-attack and 1828 Single-packet attack."; 1829 case ddos-attack { 1830 description 1831 "A distributed-denial-of-service (DDoS) is 1832 where the attack source is more than one, 1833 often thousands of unique IP addresses."; 1834 choice ddos-attack-type { 1835 description 1836 "DDoS-attack types: Network Layer DDoS Attacks 1837 and Application Layer DDoS Attacks."; 1838 case network-layer-ddos-attack { 1839 description 1840 "Network layer DDoS-attack."; 1841 choice network-layer-ddos-attack-type { 1842 description 1843 "Network layer DDoS attack types: 1844 Syn Flood Attack, UDP Flood Attack, 1845 ICMP Flood Attack, IP Fragment 
Flood, 1846 IPv6 Related Attacks, and etc"; 1847 case syn-flood-attack { 1848 description 1849 "If the network layer DDoS-attack is 1850 a syn flood attack."; 1851 leaf syn-flood { 1852 type boolean; 1853 mandatory true; 1854 description 1855 "Syn Flood Attack."; 1856 } 1857 } 1858 case udp-flood-attack { 1859 description 1860 "If the network layer DDoS-attack is 1861 a udp flood attack."; 1862 leaf udp-flood { 1863 type boolean; 1864 mandatory true; 1865 description 1866 "UDP Flood Attack."; 1867 } 1868 } 1869 case icmp-flood-attack { 1870 description 1871 "If the network layer DDoS-attack is 1872 an icmp flood attack."; 1873 leaf icmp-flood { 1874 type boolean; 1875 mandatory true; 1876 description 1877 "ICMP Flood Attack."; 1878 } 1879 } 1880 case ip-fragment-flood-attack { 1881 description 1882 "If the network layer DDoS-attack is 1883 an ip fragment flood attack."; 1884 leaf ip-fragment-flood { 1885 type boolean; 1886 mandatory true; 1887 description 1888 "IP Fragment Flood."; 1889 } 1890 } 1891 case ipv6-related-attacks { 1892 description 1893 "If the network layer DDoS-attack is 1894 ipv6 related attacks."; 1895 leaf ipv6-related { 1896 type boolean; 1897 mandatory true; 1898 description 1899 "IPv6 Related Attacks."; 1900 } 1901 } 1902 } 1903 } 1904 case app-layer-ddos-attack { 1905 description 1906 "Application layer DDoS-attack."; 1908 choice app-ddos-attack-type { 1909 description 1910 "Application layer DDoS-attack types: 1911 Http Flood Attack, Https Flood Attack, 1912 DNS Flood Attack, and 1913 DNS Amplification Flood Attack, 1914 SSL DDoS Attack, and etc."; 1915 case http-flood-attack { 1916 description 1917 "If the application layer DDoS-attack is 1918 a http flood attack."; 1919 leaf http-flood { 1920 type boolean; 1921 mandatory true; 1922 description 1923 "Http Flood Attack."; 1924 } 1925 } 1926 case https-flood-attack { 1927 description 1928 "If the application layer DDoS-attack is 1929 a https flood attack."; 1930 leaf https-flood { 1931 type 
boolean; 1932 mandatory true; 1933 description 1934 "Https Flood Attack."; 1935 } 1936 } 1937 case dns-flood-attack { 1938 description 1939 "If the application layer DDoS-attack is 1940 a dns flood attack."; 1941 leaf dns-flood { 1942 type boolean; 1943 mandatory true; 1944 description 1945 "DNS Flood Attack."; 1946 } 1947 } 1948 case dns-amp-flood-attack { 1949 description 1950 "If the application layer DDoS-attack is 1951 a dns amplification flood attack."; 1952 leaf dns-amp-flood { 1953 type boolean; 1954 mandatory true; 1955 description 1956 "DNS Amplification Flood Attack."; 1957 } 1958 } 1959 case ssl-ddos-attack { 1960 description 1961 "If the application layer DDoS-attack is 1962 an ssl DDoS attack."; 1963 leaf ssl-ddos { 1964 type boolean; 1965 mandatory true; 1966 description 1967 "SSL Flood Attack."; 1968 } 1969 } 1970 } 1971 } 1972 } 1973 } 1974 case single-packet-attack { 1975 description 1976 "Single Packet Attacks."; 1977 choice single-packet-attack-type { 1978 description 1979 "DDoS-attack types: Scanning Attack, 1980 Sniffing Attack, Malformed Packet Attack, 1981 Special Packet Attack, and etc."; 1982 case scan-and-sniff-attack { 1983 description 1984 "Scanning and Sniffing Attack."; 1985 choice scan-and-sniff-attack-type { 1986 description 1987 "Scanning and sniffing attack types: 1988 IP Sweep attack, Port Scanning, 1989 and etc."; 1990 case ip-sweep-attack { 1991 description 1992 "If the scanning and sniffing attack is 1993 an ip sweep attack."; 1994 leaf ip-sweep { 1995 type boolean; 1996 mandatory true; 1997 description 1998 "IP Sweep Attack."; 1999 } 2000 } 2001 case port-scanning-attack { 2002 description 2003 "If the scanning and sniffing attack is 2004 a port scanning attack."; 2005 leaf port-scanning { 2006 type boolean; 2007 mandatory true; 2008 description 2009 "Port Scanning Attack."; 2010 } 2011 } 2012 } 2013 } 2014 case malformed-packet-attack { 2015 description 2016 "Malformed Packet Attack."; 2017 choice 
malformed-packet-attack-type { 2018 description 2019 "Malformed packet attack types: 2020 Ping of Death Attack, Teardrop Attack, 2021 and etc."; 2022 case ping-of-death-attack { 2023 description 2024 "If the malformed packet attack is 2025 a ping of death attack."; 2026 leaf ping-of-death { 2027 type boolean; 2028 mandatory true; 2029 description 2030 "Ping of Death Attack."; 2031 } 2032 } 2033 case teardrop-attack { 2034 description 2035 "If the malformed packet attack is 2036 a teardrop attack."; 2037 leaf teardrop { 2038 type boolean; 2039 mandatory true; 2040 description 2041 "Teardrop Attack."; 2042 } 2043 } 2044 } 2045 } 2046 case special-packet-attack { 2047 description 2048 "special Packet Attack."; 2049 choice special-packet-attack-type { 2050 description 2051 "Special packet attack types: 2053 Oversized ICMP Attack, Tracert Attack, 2054 and etc."; 2055 case oversized-icmp-attack { 2056 description 2057 "If the special packet attack is 2058 an oversized icmp attack."; 2059 leaf oversized-icmp { 2060 type boolean; 2061 mandatory true; 2062 description 2063 "Oversize ICMP Attack."; 2064 } 2065 } 2066 case tracert-attack { 2067 description 2068 "If the special packet attack is 2069 a tracert attack."; 2070 leaf tracert { 2071 type boolean; 2072 mandatory true; 2073 description 2074 "Tracrt Attack."; 2075 } 2076 } 2077 } 2078 } 2079 } 2080 } 2081 } 2082 } 2083 } 2084 } 2085 } 2086 } 2087 } 2088 } 2089 } 2091 2093 Figure 2: Data Model of I2NSF Capability Interface 2095 6. Security Considerations 2097 This document introduces no additional security threats and SHOULD 2098 follow the security requirements as stated in [i2nsf-framework]. 2100 7. Acknowledgements 2102 This work was supported by Institute for Information & communications 2103 Technology Promotion (IITP) grant funded by the Korea government 2104 (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence 2105 Technology Development for the Customized Security Service 2106 Provisioning). 
   This document has greatly benefited from inputs by Hyoungshick Kim
   and Se-Hui Lee.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

8.2.  Informative References

   [i2nsf-cap-interface-im]
              Xia, L., Strassner, J., Li, K., Zhang, D., Lopez, E.,
              Bouthors, N., and L. Fang, "Information Model of
              Interface to Network Security Functions Capability
              Interface", draft-xia-i2nsf-capability-interface-im-06
              (work in progress), June 2016.

   [i2rs-rib-data-model]
              Wang, L., Ananthakrishnan, H., Chen, M., Dass, A.,
              Kini, S., and N. Bahadur, "A YANG Data Model for Routing
              Information Base (RIB)", draft-ietf-i2rs-rib-data-
              model-05 (work in progress), March 2016.

   [supa-policy-info-model]
              Strassner, J. and J. Halpern, "Generic Policy
              Information Model for Simplified Use of Policy
              Abstractions (SUPA)", draft-ietf-supa-generic-policy-
              info-model-00 (work in progress), June 2016.

   [i2nsf-framework]
              Lopez, E., Lopez, D., Dunbar, L., Strassner, J.,
              Zhuang, X., Parrott, J., Krishnan, R., and S. Durbha,
              "Framework for Interface to Network Security Functions",
              draft-ietf-i2nsf-framework-00 (work in progress),
              May 2016.

Appendix A.  Changes from draft-jeong-i2nsf-capability-interface-yang-02

   The following changes were made from
   draft-jeong-i2nsf-capability-interface-yang-02:

   o  This version reflects the information model for the NSF-facing
      interface in draft-xia-i2nsf-capability-interface-im-06.

   o  Event, condition, and action are updated according to the above
      latest information model.
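Appendix B.  Example: Checking and Evaluating a Rule Instance

   The following Python program is an added example; it is not part of
   the data model in Figure 2 and not code from the authors of this
   document.  For the IPv4 and TCP packet-security conditions and the
   ingress action of Figure 2 it encodes the constraints the model
   declares (every listed leaf is "mandatory true", list keys are uint8
   and unique, addresses are inet:ipv4-address, ports are
   inet:port-number, and at most one case of a choice may be present;
   the example additionally requires that one ingress action is
   selected), checks a constructed rule instance against them, and then
   evaluates the rule against a constructed packet header.  The rule
   dictionary layout, the packet field names, and the matching
   semantics (condition lists ANDed together, entries within one list
   ORed) are assumptions of this example, not something this document
   specifies.  Because the model marks every header leaf mandatory,
   even a simple "deny SSH from one host" rule has to pin the DSCP,
   ECN, total length, and TTL values as well; the example makes that
   visible, since a packet whose TTL differs by one no longer matches.

```python
"""Added example, not part of draft-jeong-i2nsf-capability-interface-yang.
Validates an ECA rule instance against the constraints declared by the
Figure 2 model and evaluates it against decoded packet headers.  Leaf
names are copied from the model; the rule layout, packet field names and
matching semantics are assumptions of this example."""
import ipaddress
from typing import Any, Dict, List, Mapping, Optional

# Every leaf below is 'mandatory true' in the model; the first one is the key.
MANDATORY: Dict[str, tuple] = {
    "packet-security-ipv4-condition": (
        "pkt-sec-cond-ipv4-id", "pkt-sec-cond-ipv4-src", "pkt-sec-cond-ipv4-dest",
        "pkt-sec-cond-ipv4-protocol", "pkt-sec-cond-ipv4-dscp",
        "pkt-sec-cond-ipv4-ecn", "pkt-sec-cond-ipv4-length", "pkt-sec-cond-ipv4-ttl"),
    "packet-security-tcp-condition": (
        "pkt-sec-cond-tcp-id", "pkt-sec-cond-tcp-src-port",
        "pkt-sec-cond-tcp-dest-port", "pkt-sec-cond-tcp-seq-num",
        "pkt-sec-cond-tcp-flags"),
}
ADDR_LEAVES = ("pkt-sec-cond-ipv4-src", "pkt-sec-cond-ipv4-dest")  # inet:ipv4-address
PORT_LEAVES = ("pkt-sec-cond-tcp-src-port", "pkt-sec-cond-tcp-dest-port")  # port-number
INGRESS_CASES = ("permit", "deny", "mirror")  # cases of choice ingress-action-type
# Condition leaf -> decoded packet field it is compared with (assumed naming).
FIELD_MAP = {
    "pkt-sec-cond-ipv4-src": "ip_src", "pkt-sec-cond-ipv4-dest": "ip_dst",
    "pkt-sec-cond-ipv4-protocol": "protocol", "pkt-sec-cond-ipv4-dscp": "dscp",
    "pkt-sec-cond-ipv4-ecn": "ecn", "pkt-sec-cond-ipv4-length": "length",
    "pkt-sec-cond-ipv4-ttl": "ttl", "pkt-sec-cond-tcp-src-port": "src_port",
    "pkt-sec-cond-tcp-dest-port": "dst_port", "pkt-sec-cond-tcp-seq-num": "seq",
    "pkt-sec-cond-tcp-flags": "flags",
}


def validate_rule(rule: Mapping[str, Any]) -> List[str]:
    """Return the constraint violations found in a rule instance ([] == valid)."""
    problems: List[str] = []
    for list_name, leaves in MANDATORY.items():
        seen_keys = set()
        for entry in rule.get(list_name, []):
            missing = [leaf for leaf in leaves if leaf not in entry]
            if missing:
                problems.append(f"{list_name}: missing mandatory leaves {missing}")
                continue
            key = entry[leaves[0]]                 # the list key is typed uint8
            if not isinstance(key, int) or not 0 <= key <= 255:
                problems.append(f"{list_name}: key {key!r} is not a uint8")
            if key in seen_keys:                   # list keys must be unique
                problems.append(f"{list_name}: duplicate key {key!r}")
            seen_keys.add(key)
            for leaf in ADDR_LEAVES:               # inet:ipv4-address leaves
                if leaf in entry:
                    try:
                        ipaddress.IPv4Address(entry[leaf])
                    except ValueError:
                        problems.append(f"{leaf}: {entry[leaf]!r} is not an IPv4 address")
            for leaf in PORT_LEAVES:               # inet:port-number leaves
                port = entry.get(leaf)
                if leaf in entry and (not isinstance(port, int) or not 0 <= port <= 65535):
                    problems.append(f"{leaf}: {port!r} is not a port number")
    # choice ingress-action-type: at most one case may be present, each case
    # carrying one mandatory boolean leaf; this example also requires a choice.
    action = rule.get("action", {}).get("ingress-action", {})
    chosen = [case for case in INGRESS_CASES if case in action]
    if len(chosen) != 1:
        problems.append(f"action: expected exactly one ingress case, found {chosen}")
    elif action[chosen[0]] is not True:
        problems.append(f"action: leaf {chosen[0]} must be true")
    return problems


def _entry_matches(entry: Mapping[str, Any], packet: Mapping[str, Any]) -> bool:
    """All leaves of one condition entry must equal the packet's fields.  The
    model types the numeric header fields as 'string', so compare as strings."""
    return all(str(entry[leaf]) == str(packet.get(field))
               for leaf, field in FIELD_MAP.items() if leaf in entry)


def evaluate_rule(rule: Mapping[str, Any], packet: Mapping[str, Any]) -> Optional[str]:
    """Return the selected ingress action when the packet satisfies the rule,
    else None.  Assumed semantics: condition lists are ANDed, entries ORed."""
    for list_name in MANDATORY:
        entries = rule.get(list_name, [])
        if entries and not any(_entry_matches(e, packet) for e in entries):
            return None
    action = rule["action"]["ingress-action"]
    return next(case for case in INGRESS_CASES if action.get(case) is True)


# Constructed instance: deny the TCP SYN from 192.0.2.10 to 198.51.100.5:22
# (RFC 5737 documentation addresses).  Because every header leaf is mandatory,
# the rule has to pin DSCP, ECN, total length and TTL as well.
DENY_SSH_SYN = {
    "packet-security-ipv4-condition": [{
        "pkt-sec-cond-ipv4-id": 1, "pkt-sec-cond-ipv4-src": "192.0.2.10",
        "pkt-sec-cond-ipv4-dest": "198.51.100.5", "pkt-sec-cond-ipv4-protocol": "6",
        "pkt-sec-cond-ipv4-dscp": "0", "pkt-sec-cond-ipv4-ecn": "0",
        "pkt-sec-cond-ipv4-length": "60", "pkt-sec-cond-ipv4-ttl": "64"}],
    "packet-security-tcp-condition": [{
        "pkt-sec-cond-tcp-id": 1, "pkt-sec-cond-tcp-src-port": 40000,
        "pkt-sec-cond-tcp-dest-port": 22, "pkt-sec-cond-tcp-seq-num": "0",
        "pkt-sec-cond-tcp-flags": "SYN"}],
    "action": {"ingress-action": {"deny": True}},
}
# Constructed instance breaking four constraints: key above 255, bad address,
# two missing mandatory TCP leaves, and two cases of one choice.
BROKEN_RULE = {
    "packet-security-ipv4-condition": [{
        **DENY_SSH_SYN["packet-security-ipv4-condition"][0],
        "pkt-sec-cond-ipv4-id": 300, "pkt-sec-cond-ipv4-src": "192.0.2.999"}],
    "packet-security-tcp-condition": [{
        "pkt-sec-cond-tcp-id": 1, "pkt-sec-cond-tcp-src-port": 40000,
        "pkt-sec-cond-tcp-dest-port": 22}],
    "action": {"ingress-action": {"permit": True, "deny": True}},
}
# Constructed decoded header of the packet the rule is meant to catch.
SSH_SYN = {"ip_src": "192.0.2.10", "ip_dst": "198.51.100.5", "protocol": 6,
           "dscp": 0, "ecn": 0, "length": 60, "ttl": 64, "src_port": 40000,
           "dst_port": 22, "seq": 0, "flags": "SYN"}

if __name__ == "__main__":
    print(validate_rule(DENY_SSH_SYN), evaluate_rule(DENY_SSH_SYN, SSH_SYN))
    print(evaluate_rule(DENY_SSH_SYN, dict(SSH_SYN, ttl=63)))
    print("\n".join(validate_rule(BROKEN_RULE)))
```

   Run directly, the program reports the valid rule as having no
   violations and selecting "deny" for the SYN, reports no action for
   the same packet with a TTL of 63, and lists the four violations of
   the broken rule.  The numeric header leaves are typed string in the
   model, which is why the constructed rule writes "6" for the protocol
   rather than 6 and why the matcher compares field values as strings.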
Authors' Addresses

   Jaehoon Paul Jeong
   Department of Software
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax: +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI: http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jin-Yong Kim
   Department of Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: wlsdyd0930@nate.com

   Dae-Young Hyun
   Department of Software
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 4776 5672
   EMail: guseodud1@naver.com

   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon 305-700
   Republic of Korea

   Phone: +82 42 860 6514
   EMail: pjs@etri.re.kr

   Tae-Jin Ahn
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon 305-811
   Republic of Korea

   Phone: +82 42 870 8409
   EMail: taejin.ahn@kt.com