Network Working Group                                           J. Jeong
Internet-Draft                                                    E. Kim
Intended status: Standards Track                 Sungkyunkwan University
Expires: April 5, 2018                                            T. Ahn
                                                           Korea Telecom
                                                                R. Kumar
                                                        Juniper Networks
                                                                S. Hares
                                                                  Huawei
                                                         October 2, 2017


           I2NSF Consumer-Facing Interface YANG Data Model
           draft-jeong-i2nsf-consumer-facing-interface-dm-04

Abstract

   This document describes a YANG data model for high-level security
   policies through the Consumer-Facing Interface between an Interface
   to Network Security Functions (I2NSF) User and Security Controller in
   an I2NSF system under a Network Functions Virtualization (NFV)
   environment.  The data model is required for enabling different users
   of a given I2NSF system to define, manage, and monitor security
   policies for specific flows within an administrative domain.

Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 5, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
   4.  Data Modeling for Consumer-Facing Interface
   5.  YANG Data Model for Consumer-Facing Interface
   6.  Security Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Changes from
                draft-jeong-i2nsf-consumer-facing-interface-dm-03
   Appendix B.  Use Case: Policy Instance Example for VoIP/VoLTE
                Security Services
   Appendix C.  Policy Instance YANG Example for VoIP/VoLTE
                Security Services
   Appendix D.  Example XML Output for VoIP Service

1.  Introduction

   This document provides a data model defined by YANG [RFC6020] for
   high-level security policies through the Consumer-Facing Interface
   between an Interface to Network Security Functions (I2NSF) User and
   Security Controller in an I2NSF system [i2nsf-framework] under a
   Network Functions Virtualization (NFV) environment.  The data model
   is required for enabling different users of a given I2NSF system to
   define, manage, and monitor security policies for specific flows
   within an administrative domain.  This document defines a YANG data
   model based on the information model of the I2NSF Consumer-Facing
   Interface [client-facing-inf-im].

   High-level security policies based on the YANG data model can be
   translated by Security Controller into low-level security policies
   that carry the details needed for security services at Network
   Security Functions (NSFs).  Thus, a data model for low-level security
   policies needs to provide details of how the required security
   services can be performed by the NSFs, e.g., rules explaining how to
   map managed objects onto lower-level protocol constructs.  Also,
   since conceptual models can be implemented in different ways,
   multiple data models can be derived from a single information model.

   The efficient and flexible provisioning of network functions by NFV
   leads to rapid advances in the network industry.  As practical
   applications, NSFs (e.g., firewall, intrusion detection system (IDS)/
   intrusion prevention system (IPS), and attack mitigation) can also be
   provided as virtual network functions (VNFs) in the NFV system.
   Through efficient virtualization technology, these VNFs might be
   automatically provisioned and dynamically migrated based on real-time
   security requirements.  This document presents a YANG data model to
   implement security functions based on NFV.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC3444].

3.  Terminology

   This document uses the terminology described in [i2nsf-terminology],
   [client-facing-inf-im], and [client-facing-inf-req].

4.  Data Modeling for Consumer-Facing Interface

   The main objective of this data model is to fully transform the
   information model [client-facing-inf-im] into a YANG data model that
   can be used for delivering control and management messages via the
   Consumer-Facing Interface between an I2NSF User and Security
   Controller for the I2NSF User's high-level security policies.

   The semantics of the data model must be aligned with the information
   model of the Consumer-Facing Interface.  The transformation of the
   information model was performed so that this YANG data model can
   facilitate the efficient delivery of the control or management
   messages.

   This data model is designed to support the I2NSF framework and can
   be extended according to security needs.  In other words, the model
   design is independent of the content and meaning of specific
   policies as well as of the implementation approach.  This document
   suggests a VoIP/VoLTE security service as a use case for policy rule
   generation.
   module: ietf-i2nsf-cf-interface
      +--rw ietf-i2nsf-cf-interface
         +--rw multi-tenancy
         |  +--rw policy-domain* [policy-domain-id]
         |  |  +--rw policy-domain-id           uint16
         |  |  +--rw name                       string
         |  |  +--rw address                    string
         |  |  +--rw contact                    string
         |  |  +--rw date                       yang:date-and-time
         |  |  +--rw authentication-method      string
         |  +--rw policy-tenant* [policy-tenant-id]
         |  |  +--rw policy-tenant-id           uint16
         |  |  +--rw name                       string
         |  |  +--rw date                       yang:date-and-time
         |  |  +--rw domain                     string
         |  +--rw policy-role* [policy-role-id]
         |  |  +--rw policy-role-id             uint16
         |  |  +--rw name                       string
         |  |  +--rw date                       yang:date-and-time
         |  |  +--rw access-profile             string
         |  +--rw policy-user* [policy-user-id]
         |  |  +--rw policy-user-id             uint16
         |  |  +--rw name                       string
         |  |  +--rw date                       yang:date-and-time
         |  |  +--rw password                   string
         |  |  +--rw email                      string
         |  |  +--rw scope-type?                string
         |  |  +--rw scope-reference?           string
         |  |  +--rw role                       string
         |  +--rw policy-mgmt-auth-method* [policy-mgnt-auth-method-id]
         |     +--rw policy-mgnt-auth-method-id uint16
         |     +--rw name                       string
         |     +--rw date                       yang:date-and-time
         |     +--rw authentication-method      string
         |     +--rw mutual-authentication      boolean
         |     +--rw token-server               string
         |     +--rw certificate-server         string
         |     +--rw single-sing-on-server      string
         +--rw policy-endpoint-groups
         |  +--rw meta-data-source* [meta-data-source-id]
         |  |  +--rw meta-data-source-id        uint16
         |  |  +--rw name                       string
         |  |  +--rw date                       yang:date-and-time
         |  |  +--rw tag-type?                  boolean
         |  |  +--rw tag-server-information?    string
         |  |  +--rw tag-application-protocol?  string
         |  |  +--rw tag-server-credential?     string
         |  +--rw user-group* [user-group-id]
         |  |  +--rw user-group-id              uint16
         |  |  +--rw name?                      string
         |  |  +--rw date?                      yang:date-and-time
         |  |  +--rw group-type?                string
         |  |  +--rw meta-data-server?          string
         |  |  +--rw group-member?              string
         |  |  +--rw risk-level?                uint16
         |  +--rw device-group* [device-group-id]
         |  |  +--rw device-group-id            uint16
         |  |  +--rw name?                      string
         |  |  +--rw date?                      yang:date-and-time
         |  |  +--rw group-type?                string
         |  |  +--rw meta-data-server?          string
         |  |  +--rw group-member?              string
         |  |  +--rw risk-level?                uint16
         |  +--rw application-group* [application-group-id]
         |  |  +--rw application-group-id       uint16
         |  |  +--rw name?                      string
         |  |  +--rw date?                      yang:date-and-time
         |  |  +--rw group-type?                string
         |  |  +--rw meta-data-server?          string
         |  |  +--rw group-member?              string
         |  |  +--rw risk-level?                uint16
         |  +--rw location-group* [location-group-id]
         |     +--rw location-group-id          uint16
         |     +--rw name?                      string
         |     +--rw date?                      yang:date-and-time
         |     +--rw group-type?                string
         |     +--rw meta-data-server?          string
         |     +--rw group-member?              string
         |     +--rw risk-level?                uint16
         +--rw threat-prevention
         |  +--rw threat-feed* [threat-feed-id]
         |  |  +--rw threat-feed-id             uint16
         |  |  +--rw name?                      string
         |  |  +--rw date?                      yang:date-and-time
         |  |  +--rw feed-type?                 enumeration
         |  |  +--rw feed-server?               string
         |  |  +--rw feed-priority?             uint16
         |  +--rw custom-list* [custom-list-id]
         |  |  +--rw custom-list-id             uint16
         |  |  +--rw name?                      string
         |  |  +--rw date?                      yang:date-and-time
         |  |  +--rw list-type?                 enumeration
         |  |  +--rw list-property?             enumeration
         |  |  +--rw list-content?              string
         |  +--rw malware-scan-group* [malware-scan-group-id]
         |  |  +--rw malware-scan-group-id      uint16
         |  |  +--rw name?                      string
         |  |  +--rw date?                      yang:date-and-time
         |  |  +--rw signature-server?          string
         |  |  +--rw file-types?                string
         |  |  +--rw malware-signatures?        string
         |  +--rw event-map-group* [event-map-group-id]
         |     +--rw event-map-group-id         uint16
         |     +--rw name?                      string
         |     +--rw date?                      yang:date-and-time
         |     +--rw security-events?           string
         |     +--rw threat-map?                string
         +--rw telemetry-data
         |  +--rw telemetry-data* [telemetry-data-id]
         |  |  +--rw telemetry-data-id          uint16
         |  |  +--rw name?                      string
         |  |  +--rw date?                      yang:date-and-time
         |  |  +--rw logs?                      boolean
         |  |  +--rw syslogs?                   boolean
         |  |  +--rw snmp?                      boolean
         |  |  +--rw sflow?                     boolean
         |  |  +--rw netflow?                   boolean
         |  |  +--rw interface-stats?           boolean
         |  +--rw telemetry-source* [telemetry-source-id]
         |  |  +--rw telemetry-source-id        uint16
         |  |  +--rw name?                      string
         |  |  +--rw date?                      yang:date-and-time
         |  |  +--rw source-type?               string
         |  |  +--rw nsf-access-parameters?     string
         |  |  +--rw nsf-access-credentials?    string
         |  |  +--rw collection-interval?       uint16
         |  |  +--rw collection-method?         enumeration
         |  |  +--rw heartbeat-interval?        uint16
         |  |  +--rw qos-marking?               uint8
         |  +--rw telemetry-destination* [telemetry-destination-id]
         |     +--rw telemetry-destination-id   uint16
         |     +--rw name?                      string
         |     +--rw date?                      yang:date-and-time
         |     +--rw collector-state?           string
         |     +--rw collector-access-parameters?   string
         |     +--rw collector-access-credentials?  string
         |     +--rw data-encoding?             string
         |     +--rw data-transport?            string
         +--rw security-policy-instance
            +--rw policy-rule* [policy-rule-id]
            |  +--rw policy-rule-id             uint16
            |  +--rw name?                      string
            |  +--rw date?                      yang:date-and-time
            |  +--rw source?                    -> /ietf-i2nsf-cf-interface
            |  |                                    /threat-prevention
            |  |                                    /threat-feed
            |  |                                    /threat-feed-id
            |  +--rw destination?               -> /ietf-i2nsf-cf-interface
            |  |                                    /policy-endpoint-groups
            |  |                                    /user-group/user-group-id
            |  +--rw exception?                 boolean
            |  +--rw exception-detail?          string
            +--rw action* [action-id]
            |  +--rw action-id                  uint16
            |  +--rw name?                      string
            |  +--rw date?                      yang:date-and-time
            |  +--rw primary-action?            string
            |  +--rw secondary-action?          string
            +--rw precedence* [precedence-id]
            |  +--rw precedence-id              uint16
            |  +--rw rule-exist?                boolean
            +--rw event* [event-id]
            |  +--rw event-id                   uint16
            |  +--rw security-event?            string
            |  +--rw threat-map?                string
            |  +--rw enable?                    boolean
            +--rw condition* [condition-id]
            |  +--rw condition-id               uint16
            |  +--rw condition-type             string
            |  +--rw service* [service-id]      uint16
            |  |  +--rw service-name            string
            |  |  +--rw service-type            string
            |  +--rw traffic* [traffic-id]
            |  |  +--rw traffic-threshold       uint16
            |  +--rw webfilter* [webfilter-id]
            |  |  +--rw webfilter-name          string
            |  |  +--rw webfilter-url           string
            |  +--rw firewall* [firewall-id]
            |     +--rw firewall-name           string
            |     +--rw firewall-type           string
            |     +--rw firewall-address        -> /ietf-i2nsf-cf-interface
            |                                       /threat-prevention
            |                                       /threat-feed
            |                                       /threat-feed-id
            +--rw policy-calendar* [policy-calendar-id]
            |  +--rw policy-calendar-id         uint16
            |  +--rw name?                      string
            |  +--rw date?                      yang:date-and-time
            |  +--rw enforcement-type?          string
            |  +--rw begin-time?                yang:date-and-time
            |  +--rw end-time?                  yang:date-and-time
            +--rw policy-instance* [policy-instance-id]
               +--rw policy-instance-id         string
               +--rw name?                      string
               +--rw date?                      yang:date-and-time
               +--rw rules?                     -> /ietf-i2nsf-cf-interface
               |                                    /security-policy-instance
               |                                    /policy-rule
               |                                    /policy-rule-id
               +--rw scheduling?                -> /ietf-i2nsf-cf-interface
               |                                    /security-policy-instance
               |                                    /policy-calendar
               |                                    /policy-calendar-id
               +--rw owner?                     string

          Figure 1: Generic Data Model for Consumer-Facing Interface

5.  YANG Data Model for Consumer-Facing Interface

   This section describes a YANG data model for the Consumer-Facing
   Interface, based on the information model of the Consumer-Facing
   Interface to the security controller [client-facing-inf-im].
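   Before the module itself, a small checker for the leafref relationships
   drawn in Figure 1 (policy-rule/source, policy-rule/destination,
   policy-instance/rules, policy-instance/scheduling) and for the value
   ranges the leaf descriptions state (risk-level 0..9, feed-priority
   0..5, a DSCP value in qos-marking, which as a 6-bit field is 0..63).
   This is an added example, not code from the draft or the I2NSF project;
   the nested-dict instance, `check_instance` and `damaged_sample` are
   assumptions made for illustration.

```python
"""Consistency checks for a Consumer-Facing Interface policy instance.
Added example, not code from the draft. An instance is held as nested dicts
(containers -> dicts, lists -> lists of dicts, leaves -> scalars); dangling
leafrefs and out-of-range values are reported. All names are assumptions."""
import copy
from typing import Any, Iterator

# Leafref edges drawn in Figure 1: referring leaf -> (referenced list, key leaf).
LEAFREFS = {
    ("security-policy-instance", "policy-rule", "source"):
        (("threat-prevention", "threat-feed"), "threat-feed-id"),
    ("security-policy-instance", "policy-rule", "destination"):
        (("policy-endpoint-groups", "user-group"), "user-group-id"),
    ("security-policy-instance", "policy-instance", "rules"):
        (("security-policy-instance", "policy-rule"), "policy-rule-id"),
    ("security-policy-instance", "policy-instance", "scheduling"):
        (("security-policy-instance", "policy-calendar"), "policy-calendar-id"),
}
# Closed ranges the leaf descriptions state: risk-level 0..9, feed-priority
# 0..5; qos-marking holds a DSCP value (6-bit field, so 0..63). Integer
# "*-id" leaves are uint16 in the module.
RANGES = {"risk-level": (0, 9), "feed-priority": (0, 5), "qos-marking": (0, 63)}
UINT16 = (0, 0xFFFF)


def _is_int(value: Any) -> bool:
    return isinstance(value, int) and not isinstance(value, bool)


def _entries(node: Any, path: tuple) -> list:
    """Follow a container path and return the list entries found at its end."""
    for name in path:
        node = node.get(name, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, list) else []


def _leaves(node: Any, path: tuple = ()) -> Iterator[tuple]:
    """Yield (path, value) for every scalar leaf below node."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _leaves(child, path + (key,))
    elif isinstance(node, list):
        for child in node:
            yield from _leaves(child, path)
    else:
        yield path, node


def check_instance(instance: dict) -> list:
    """Return human-readable violations; an empty list means consistent."""
    errors = []
    for ref_path, (target_path, key) in LEAFREFS.items():
        valid_keys = {entry.get(key) for entry in _entries(instance, target_path)}
        leaf = ref_path[-1]
        for entry in _entries(instance, ref_path[:-1]):
            if leaf in entry and entry[leaf] not in valid_keys:
                errors.append(f"{'/'.join(ref_path)}={entry[leaf]!r} matches no "
                              f"{key} in /{'/'.join(target_path)}")
    for path, value in _leaves(instance):
        name = path[-1]
        bounds = RANGES.get(name)
        if bounds is None and name.endswith("-id") and _is_int(value):
            bounds = UINT16
        if bounds is not None and _is_int(value) and not bounds[0] <= value <= bounds[1]:
            errors.append(f"{'/'.join(path)}={value} outside {bounds[0]}..{bounds[1]}")
    return errors


# Constructed sample instance (an assumption, not taken from the draft): two
# threat feeds, one user group, one rule tying them together, one calendar
# and one policy instance that references the rule and the calendar.
SAMPLE = {
    "threat-prevention": {"threat-feed": [
        {"threat-feed-id": 1, "name": "sip-scanner-addresses",
         "feed-type": "ip-address", "feed-priority": 5},
        {"threat-feed-id": 2, "name": "known-bad-urls",
         "feed-type": "url", "feed-priority": 3},
    ]},
    "policy-endpoint-groups": {"user-group": [
        {"user-group-id": 10, "name": "voip-subscribers", "risk-level": 4},
    ]},
    "security-policy-instance": {
        "policy-rule": [{"policy-rule-id": 100, "name": "block-sip-scanners",
                         "source": 1, "destination": 10, "exception": False}],
        "policy-calendar": [{"policy-calendar-id": 5, "name": "always",
                             "enforcement-type": "continuous"}],
        "policy-instance": [{"policy-instance-id": "voip-policy-1",
                             "rules": 100, "scheduling": 5, "owner": "tenant-a"}],
    },
}


def damaged_sample() -> dict:
    """Copy of SAMPLE with a dangling leafref and an out-of-range risk level."""
    bad = copy.deepcopy(SAMPLE)
    bad["security-policy-instance"]["policy-rule"][0]["source"] = 3   # no feed 3
    bad["policy-endpoint-groups"]["user-group"][0]["risk-level"] = 12  # beyond 9
    return bad


if __name__ == "__main__":
    for label, inst in (("sample", SAMPLE), ("damaged", damaged_sample())):
        print(label, check_instance(inst) or "consistent")
```

   The same walk can be pointed at an instance decoded from the JSON or
   XML a Security Controller receives, provided list entries are loaded
   as lists of dicts.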
<CODE BEGINS> file "ietf-i2nsf-cf-interface.yang"
module ietf-i2nsf-cf-interface {
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-cf-interface";
  prefix
    cf-interface;

  import ietf-inet-types{
    prefix inet;
  }
  import ietf-yang-types{
    prefix yang;
  }

  organization
    "IETF I2NSF (Interface to Network Security Functions)
     Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Adrian Farrel

     WG Chair: Linda Dunbar

     Editor: Jaehoon Paul Jeong
     ";

  description
    "This module defines a YANG data model for the consumer-facing
     interface to the security controller.";

  revision "2017-10-02"{
    description "Initial revision";
    reference
      "draft-kumar-i2nsf-client-facing-interface-im-02";
  }

  //Groupings
  container ietf-i2nsf-consumer-facing-interface {
    description
      "grouping container";
    container multi-tenancy {
      description
        "The descriptions of multi-tenancy.";

      list policy-domain {
        key "policy-domain-id";
        leaf policy-domain-id {
          type uint16;
          mandatory true;
          description
            "This represents the list of domains.";
        }
        description
          "This represents the list of policy domains.";
        leaf name {
          type string;
          mandatory true;
          description
            "Name of the organization or customer representing
             this domain.";
        }

        leaf address {
          type string;
          description
            "Address of an organization or customer.";
        }

        leaf contact {
          type string;
          mandatory true;
          description
            "Contact information of the organization
             or customer.";
        }

        leaf date {
          type yang:date-and-time;
          mandatory true;
          description
            "The date when this account was created
             or last modified.";
        }

        leaf authentication-method {
          type string;
          mandatory true;
          description
            "The description of authentication method;
             token-based, password, certificate,
             single-sign-on";
        }
      }

      list policy-tenant {
        key "policy-tenant-id";
        leaf policy-tenant-id {
          type uint16;
          mandatory true;
          description
            "The policy tenant id.";
        }
        description
          "This represents the list of tenants.";
        leaf name {
          type string;
          mandatory true;
          description
            "Name of the Department or Division within
             an organization.";
        }

        leaf date {
          type yang:date-and-time;
          mandatory true;
          description
            "Date this account was created or last modified.";
        }

        leaf domain {
          type string;
          mandatory true;
          description
            "This field identifies the domain to which this
             tenant belongs.  This should be a reference to a
             'Policy-Domain' object.";
        }
      }

      list policy-role {
        key "policy-role-id";
        leaf policy-role-id {
          type uint16;
          mandatory true;
          description
            "This defines a set of permissions assigned
             to a user in an organization that wants to manage
             its own Security Policies.";
        }
        description
          "This represents the list of policy roles.";
        leaf name {
          type string;
          mandatory true;
          description
            "This field identifies the name of the role.";
        }

        leaf date {
          type yang:date-and-time;
          mandatory true;
          description
            "Date this role was created or last modified.";
        }

        leaf access-profile {
          type string;
          mandatory true;
          description
            "This field identifies the access profile for the
             role.  The profile grants or denies access to policy
             objects.  Multiple access profiles can be
             concatenated together.";
        }
      }

      list policy-user {
        key "policy-user-id";
        leaf policy-user-id {
          type uint16;
          description
            "This represents the policy-user-id.";
        }
        description
          "This represents the list of policy users.";
        leaf name {
          type string;
          mandatory true;
          description
            "The name of a user.";
        }

        leaf date {
          type yang:date-and-time;
          mandatory true;
          description
            "Date this user was created or last modified";
        }

        leaf password {
          type string;
          mandatory true;
          description
            "User password for basic authentication";
        }

        leaf email {
          type string;
          mandatory true;
          description
            "The email account of a user";
        }

        leaf scope-type {
          type string;
          description
            "Identifies whether a user has domain-wide
             or tenant-wide privileges";
        }

        leaf scope-reference {
          type string;
          description
            "This references policy-domain or policy-tenant
             to identify the scope.";
        }

        leaf role {
          type string;
          mandatory true;
          description
            "This references policy-role to define specific
             permissions";
        }
      }

      list policy-mgmt-auth-method {
        key "policy-mgnt-auth-method-id";
        leaf policy-mgnt-auth-method-id {
          type uint16;
          description
            "This represents the authentication method id.";
        }
        description
          "The descriptions of policy management
           authentication methods.";
        leaf name {
          type string;
          mandatory true;
          description
            "Name of the authentication method";
        }
        leaf date {
          type yang:date-and-time;
          mandatory true;
          description
            "Date when the authentication method
             was created";
        }

        leaf authentication-method {
          type string;
          mandatory true;
          description
            "The description of authentication method;
             token-based, password, certificate,
             single-sign-on";
        }

        leaf mutual-authentication {
          type boolean;
          mandatory true;
          description
            "To identify whether the authentication
             is mutual";
        }

        leaf token-server {
          type string;
          mandatory true;
          description
            "The token-server information if the
             authentication method is token-based";
        }

        leaf certificate-server {
          type string;
          mandatory true;
          description
            "The certificate-server information if
             the authentication method is certificate-based";
        }

        leaf single-sing-on-server {
          type string;
          mandatory true;
          description
            "The single-sign-on-server information
             if the authentication method is
             single-sign-on-based";
        }
      }
    }

    container policy-endpoint-groups {
      description
        "A logical entity in their business
         environment, where a security policy
         is to be applied.";

      list meta-data-source {
        key "meta-data-source-id";
        leaf meta-data-source-id {
          type uint16;
          mandatory true;
          description
            "This represents the meta-data source id.";
        }
        description
          "This represents the meta-data source.";
        leaf name {
          type string;
          mandatory true;
          description
            "This identifies the name of the
             meta-data-source.";
        }
        leaf date {
          type yang:date-and-time;
          mandatory true;
          description
            "This identifies the date this object was
             created or last modified.";
        }

        leaf tag-type {
          type boolean;
          description
            "This identifies the group type; user group,
             app group or device group.";
        }

        leaf tag-server-information {
          type string;
          description
            "The description of authentication method;
             token-based, password, certificate,
             single-sign-on";
        }
        leaf tag-application-protocol {
          type string;
          description
            "This field identifies the protocol e.g. LDAP,
             Active Directory, or CMDB";
        }
        leaf tag-server-credential {
          type string;
          description
            "This field identifies the credential
             information needed to access the tag server";
        }
      }

      list user-group{
        key "user-group-id";
        leaf user-group-id {
          type uint16;
          mandatory true;
          description
            "This represents the user group id.";
        }
        description
          "This represents the user group.";
        leaf name {
          type string;
          description
            "This field identifies the name of user-group.";
        }

        leaf date {
          type yang:date-and-time;
          description
            "When this user-group was created or last modified.";
        }
        leaf group-type {
          type string;
          description
            "This describes the group type; User-tag,
             User-name or IP-address.";
        }

        leaf meta-data-server {
          type string;
          description
            "This references metadata source";
        }
        leaf group-member {
          type string;
          description
            "This describes the user-tag information";
        }

        leaf risk-level {
          type uint16;
          description
            "This represents the threat level; valid range
             may be 0 to 9.";
        }
      }

      list device-group{
        key "device-group-id";
        leaf device-group-id {
          type uint16;
          description
            "This represents a device group id.";
        }
        description
          "This represents a device group.";
        leaf name {
          type string;
          description
            "This field identifies the name of
             a device-group.";
        }
        leaf date {
          type yang:date-and-time;
          description
            "The date when this group was created or
             last modified.";
        }

        leaf group-type {
          type string;
          description
            "This describes the group type; device-tag,
             device-name or IP-address.";
        }

        leaf meta-data-server {
          type string;
          description
            "This references meta-data-source
             object.";
        }

        leaf group-member {
          type string;
          description
            "This describes the device-tag, device-name or
             IP-address information";
        }

        leaf risk-level {
          type uint16;
          description
            "This represents the threat level; valid range
             may be 0 to 9.";
        }
      }

      list application-group{
        key "application-group-id";
        leaf application-group-id {
          type uint16;
          description
            "This represents an application group id.";
        }
        description
          "This represents an application group.";
        leaf name {
          type string;
          description
            "This field identifies the name of
             an application group";
        }

        leaf date {
          type yang:date-and-time;
          description
            "The date when this group was created or
             last modified.";
        }

        leaf group-type {
          type string;
          description
            "This identifies the group type;
             application-tag, application-name or
             IP-address.";
        }
        leaf meta-data-server {
          type string;
          description
            "This references meta-data-source
             object.";
        }

        leaf group-member {
          type string;
          description
            "This describes the application-tag,
             application-name or IP-address information";
        }

        leaf risk-level {
          type uint16;
          description
            "This represents the threat level; valid range
             may be 0 to 9.";
        }
      }

      list location-group{
        key "location-group-id";
        leaf location-group-id {
          type uint16;
          description
            "This represents a location group id.";
        }
        description
          "This represents a location group.";
        leaf name {
          type string;
          description
            "This field identifies the name of
             a location group";
        }

        leaf date {
          type yang:date-and-time;
          description
            "The date when this group was created or
             last modified.";
        }

        leaf group-type {
          type string;
          description
            "This identifies the group type;
             location-tag, location-name or
             IP-address.";
        }

        leaf meta-data-server {
          type string;
          description
            "This references meta-data-source
             object.";
        }

        leaf group-member {
          type string;
          description
            "This describes the location-tag,
             location-name or IP-address information";
        }

        leaf risk-level {
          type uint16;
          description
            "This represents the threat level; valid range
             may be 0 to 9.";
        }
      }
    }

    container threat-prevention {
      description
        "This describes the list of threat-preventions.";

      list threat-feed {
        key "threat-feed-id";
        leaf threat-feed-id {
          type uint16;
          mandatory true;
          description
            "This represents the threat-feed-id.";
        }
        description
          "This represents the threat feed within the
           threat-prevention-list.";
        leaf name {
          type string;
          description
            "Name of the threat feed.";
        }

        leaf date {
          type yang:date-and-time;
          description
            "When the threat-feed was created.";
        }

        leaf feed-type {
          type enumeration {
            enum unknown {
              description
                "feed-type is unknown.";
            }
            enum ip-address {
              description
                "feed-type is IP address.";
            }
            enum url {
              description
                "feed-type is URL.";
            }
          }
          mandatory true;
          description
            "This determines whether the feed-type is IP address
             based or URL based.";
        }

        leaf feed-server {
          type string;
          description
            "This contains threat feed server information.";
        }

        leaf feed-priority {
          type uint16;
          description
            "This describes the priority of the threat from
             0 to 5, where 0 means the threat is minimum and
             5 means the maximum.";
        }
      }

      list custom-list {
        key "custom-list-id";
        leaf custom-list-id {
          type uint16;
          description
            "This describes the custom-list-id.";
        }
        description
          "This describes the threat-prevention custom list.";
        leaf name {
          type string;
          description
            "Name of the custom-list.";
        }

        leaf date {
          type yang:date-and-time;
          description
            "When the custom list was created.";
        }

        leaf list-type {
          type enumeration {
            enum unknown {
              description
                "list-type is unknown.";
            }
            enum ip-address {
              description
                "list-type is IP address.";
            }
            enum mac-address {
              description
                "list-type is MAC address.";
            }
            enum url {
              description
                "list-type is URL.";
            }
          }
          mandatory true;
          description
            "This determines whether the list-type is IP address
             based, MAC address based, or URL based.";
        }

        leaf list-property {
          type enumeration {
            enum unknown {
              description
                "list-property is unknown.";
            }
            enum blacklist {
              description
                "list-property is blacklist.";
            }
            enum whitelist {
              description
                "list-property is whitelist.";
            }
          }
          mandatory true;
          description
            "This determines whether the list is a blacklist
             or a whitelist.";
        }

        leaf list-content {
          type string;
          description
            "This describes the contents of the custom-list.";
        }
      }
      list malware-scan-group {
        key "malware-scan-group-id";
        leaf malware-scan-group-id {
          type uint16;
          mandatory true;
          description
            "This is the malware-scan-group-id.";
        }
        description
          "This represents the malware-scan-group.";
        leaf name {
          type string;
          description
            "Name of the malware-scan-group.";
        }

        leaf date {
          type yang:date-and-time;
          description
            "When the malware-scan-group was created.";
        }

        leaf signature-server {
          type string;
          description
            "This describes the signature server of the
             malware-scan-group.";
        }

        leaf file-types {
          type string;
          description
            "This contains a list of file types that need to
             be scanned for viruses.";
        }

        leaf malware-signatures {
          type string;
          description
            "This contains a list of malware signatures or hashes.";
        }
      }

      list event-map-group {
        key "event-map-group-id";
        leaf event-map-group-id {
          type uint16;
          mandatory true;
          description
            "This is the event-map-group-id.";
        }
        description
          "This represents the event map group.";

        leaf name {
          type string;
          description
            "Name of the event-map.";
        }

        leaf date {
          type yang:date-and-time;
          description
            "When the event-map was created.";
        }

        leaf security-events {
          type string;
          description
            "This contains a list of security events.";
        }

        leaf threat-map {
          type string;
          description
            "This contains a list of threat levels.";
        }
      }
    }

    container telemetry-data {
      description
        "Telemetry provides visibility into the network
         activities which can be tapped for further
         security analytics, e.g., detecting potential
         vulnerabilities, malicious activities, etc.";

      list telemetry-data {
        key "telemetry-data-id";
        leaf telemetry-data-id {
          type uint16;
          mandatory true;
          description
            "This is the ID of the telemetry-data object.";
        }
        description
          "This represents the telemetry-data object.";
        leaf name {
          type string;
          description
            "Name of the telemetry-data object.";
        }

        leaf date {
          type yang:date-and-time;
          description
            "This field states when the telemetry-data
             object was created.";
        }

        leaf logs {
          type boolean;
          description
            "This field identifies whether logs
             need to be collected.";
        }

        leaf syslogs {
          type boolean;
          description
            "This field identifies whether System logs
             need to be collected.";
        }
        leaf snmp {
          type boolean;
          description
            "This field identifies whether 'SNMP traps' and
             'SNMP alarms' need to be collected.";
        }

        leaf sflow {
          type boolean;
          description
            "This field identifies whether 'sFlow' data
             need to be collected.";
        }

        leaf netflow {
          type boolean;
          description
            "This field identifies whether 'NetFlow' data
             need to be collected.";
        }

        leaf interface-stats {
          type boolean;
          description
            "This field identifies whether 'Interface' data
             such as packet bytes and counts need to be
             collected.";
        }
      }

      list telemetry-source {
        key "telemetry-source-id";
        leaf telemetry-source-id {
          type uint16;
          mandatory true;
          description
            "This is the ID of the telemetry-source object.";
        }
        description
          "This represents the telemetry-source object.";
        leaf name {
          type string;
          description
            "This identifies the name of this object.";
        }

        leaf date {
          type yang:date-and-time;
          description
            "Date this object was created or last modified";
        }

        leaf source-type {
          type string;
          description
            "This should have one of the following types of
             NSF telemetry source: NETWORK-NSF,
             FIREWALL-NSF, IDS-NSF, IPS-NSF,
             PROXY-NSF, VPN-NSF, DNS, ACTIVE-DIRECTORY,
             IP Reputation Authority, Web Reputation
             Authority, Anti-Malware Sandbox, Honey Pot,
             DHCP, Other Third Party, ENDPOINT";
        }

        leaf nsf-access-parameters {
          type string;
          description
            "This field contains information such as
             IP address and protocol (UDP or TCP) port
             number of the NSF providing telemetry data.";
        }

        leaf nsf-access-credentials {
          type string;
          description
            "This field contains username and password
             to authenticate with the NSF.";
        }

        leaf collection-interval {
          type uint16;
          units milliseconds;
          default 5000;
          description
            "This field contains time in milliseconds
             between each data collection.  For example,
             a value of 5000 means data is streamed to the
             collector every 5 seconds.  A value of 0 means
             data streaming is event-based";
        }

        leaf collection-method {
          type enumeration {
            enum unknown {
              description
                "collection-method is unknown.";
            }
            enum push-based {
              description
                "collection-method is PUSH-based.";
            }
            enum pull-based {
              description
                "collection-method is PULL-based.";
            }
          }
          description
            "This field contains a method of collection,
             i.e., whether it is PUSH-based or PULL-based.";
        }

        leaf heartbeat-interval {
          type uint16;
          units seconds;
          description
            "Time in seconds at which the source sends a
             telemetry heartbeat.";
        }

        leaf qos-marking {
          type uint8;
          description
            "DSCP value must be contained in this field.";
        }
      }
      list telemetry-destination {
        key "telemetry-destination-id";
        leaf telemetry-destination-id {
          type uint16;
          description
            "This represents the telemetry-destination-id";
        }
        description
          "This object contains information related to
           telemetry destination.
The destination is 1328 usually a collector which is either a part of 1329 Security Controller or external system 1330 such as Security Information and Event 1331 Management (SIEM)."; 1333 leaf name { 1334 type string; 1335 description 1336 "This identifies the name of this object."; 1338 } 1340 leaf date { 1341 type yang:date-and-time; 1342 description 1343 "Date this object was created or last 1344 modified"; 1345 } 1347 leaf collector-state { 1348 type string; 1349 description 1350 "This describes collector state information."; 1351 } 1352 leaf collector-credentials { 1353 type string; 1354 description 1355 "iThis field contains the username and 1356 password for the collector."; 1357 } 1359 leaf collector-source { 1360 type string; 1361 description 1362 "This field contains information such as 1363 IP address and protocol (UDP or TCP) port 1364 number for the collector's destination."; 1365 } 1367 leaf data-encoding { 1368 type string; 1369 description 1370 "This field contains the telemetry data encoding 1371 in the form of schema."; 1372 } 1374 leaf data-transport { 1375 type string; 1376 description 1377 "This field contains streaming telemetry data 1378 protocols. This could be gRPC, protocol 1379 buffer over UDP, etc."; 1380 } 1381 } 1382 } 1384 container security-policy-instance { 1385 description 1386 "This object is a policy instance to have 1387 complete information such as where and when 1388 a policy need to be applied."; 1390 list policy-calendar { 1391 key "policy-calendar-id"; 1392 leaf policy-calendar-id { 1393 type uint16; 1394 description 1395 "this represents the policy-calendar-id."; 1396 } 1397 description 1398 "This object contains information related to 1399 scheduling a policy. 
The policy could be 1400 activated based on a time calendar or security 1401 event including threat level changes."; 1403 leaf name { 1404 type string; 1405 description 1406 "Name of the policy-calendar object."; 1407 } 1409 leaf date { 1410 type yang:date-and-time; 1411 description 1412 "The date when this object was created or 1413 last modified."; 1414 } 1416 leaf enforcement-type { 1417 type enumeration { 1418 enum unknown { 1419 description 1420 "enforcement-type is unknown."; 1421 } 1422 enum admin-enforced { 1423 description 1424 "enforcement-type is ADMIN-ENFORCED."; 1425 } 1426 enum time-enforced { 1427 description 1428 "enforcement-type is TIME-ENFORCED."; 1429 } 1430 enum event-enforced { 1431 description 1432 "enforcement-type is EVENT-ENFORCED."; 1433 } 1435 } 1436 description 1437 "This field identifies whether the policy 1438 enforcement is 'ADMIN-ENFORCED' or 1439 'TIME-ENFORCED', or 'EVENT-ENFORCED'."; 1440 } 1442 leaf time-information { 1443 type string; 1444 description 1445 "This field contains time calendar such as 1446 'BEGIN-TIME' and 'END-TIME' for one time 1447 enforcement or recurring time calendar for 1448 periodic enforcement."; 1449 } 1451 leaf event-map { 1452 type string; 1453 description 1454 "This field contains security events and 1455 threat map in order to determine when a 1456 policy need to be activated."; 1457 } 1458 } 1459 list policy-event { 1460 key "policy-event-id"; 1461 description 1462 "This represents the security event of a 1463 policy-rule."; 1464 leaf policy-event-id { 1465 type string; 1466 mandatory true; 1467 description 1468 "This represents the event-id."; 1469 } 1470 leaf security-event { 1471 type string; 1472 description 1473 "This references the security event in the 1474 threat-prevention ."; 1475 } 1476 leaf threat-map { 1477 type string; 1478 description 1479 "This references the threat-map in the 1480 threat-prevention."; 1481 } 1482 leaf enable { 1483 type boolean; 1484 description 1485 "This 
determines whether the condition 1486 matches the security event or not."; 1487 } 1488 } 1489 list condition { 1490 key "condition-id"; 1491 description 1492 "This represents the condition of a 1493 policy-rule."; 1494 leaf condition-id { 1495 type string; 1496 description 1497 "This represents the condition-id."; 1498 } 1499 leaf condition-type { 1500 type string; 1501 description 1502 "this is the type of the condition."; 1503 } 1504 list service { 1505 key "service-id"; 1506 description 1507 "this represents the list of services."; 1508 leaf service-id { 1509 type uint16; 1510 description 1511 "The id of the service."; 1512 } 1513 leaf name { 1514 type string; 1515 description 1516 "The action name."; 1517 } 1518 } 1519 list traffic { 1520 key "traffic-id"; 1521 description 1522 "this represents the network traffic."; 1523 leaf traffic-id { 1524 type uint16; 1525 description 1526 "The id of the traffic."; 1527 } 1528 leaf traffic-threshold { 1529 type uint16; 1530 description 1531 "The threshold for the traffic."; 1532 } 1533 list webfilter { 1534 key "webfilter-id"; 1535 description 1536 "this represents the webfilter-id."; 1537 leaf webfilter-id { 1538 type uint16; 1539 description 1540 "The id of the webfilter."; 1541 } 1542 leaf webfilter-name { 1543 type string; 1544 description 1545 "The name of the webfilter."; 1546 } 1547 leaf webfilter-url { 1548 type string; 1549 description 1550 "url of the web that action is going to 1551 be performed upon."; 1552 } 1553 list Firewall { 1554 key "firewall-id"; 1555 description 1556 "this represents the firewall-id."; 1557 leaf firewall-id { 1558 type uint16; 1559 description 1560 "The id of the firewall."; 1561 } 1562 leaf firewall-name { 1563 type string; 1564 description 1565 "The name of the firewall."; 1566 } 1567 leaf firewall-type { 1568 type string; 1569 description 1570 "the type of a firewall (blacklist/whitelist)"; 1571 } 1572 leaf firewall-address { 1573 type string; 1574 description 1575 "the address that 
action is going to 1576 be performed upon."; 1577 } 1578 } 1580 list policy-action { 1581 key "policy-action-id"; 1582 leaf policy-action-id { 1583 type string; 1584 mandatory true; 1585 description 1586 "this represents the policy-action-id."; 1587 } 1588 description 1589 "This object represents actions that a 1590 Security Admin wants to perform based on 1591 a certain traffic class."; 1592 leaf name { 1593 type string; 1594 description 1595 "The name of the policy-action object."; 1596 } 1598 leaf date { 1599 type yang:date-and-time; 1600 description 1601 "When the object was created or last 1602 modified."; 1603 } 1605 leaf primary-action { 1606 type string; 1607 description 1608 "This field identifies the action when a rule 1609 is matched by NSF. The action could be one of 1610 'PERMIT', 'DENY', 'RATE-LIMIT', 'TRAFFIC-CLASS', 1611 'AUTHENTICATE-SESSION', 'IPS, 'APP-FIREWALL', etc."; 1612 } 1614 leaf secondary-action { 1615 type string; 1616 description 1617 "This field identifies additional actions if 1618 a rule is matched. This could be one of 'LOG', 1619 'SYSLOG', 'SESSION-LOG', etc."; 1620 } 1621 } 1623 list policy-rule { 1624 key "policy-rule-id"; 1625 leaf policy-rule-id { 1626 type string; 1627 mandatory true; 1628 description 1629 "this represents the policy-rule-id"; 1630 } 1631 description 1632 "This object represents rules that a 1633 Security Admin want to define in order 1634 to express its business objectives in 1635 a Security Policy."; 1636 leaf name { 1637 type string; 1638 description 1639 "This field identifies the name of 1640 this object."; 1641 } 1643 leaf date { 1644 type yang:date-and-time; 1645 description 1646 "When the object was created or last 1647 modified."; 1648 } 1650 leaf source { 1651 type leafref { 1652 path "/ietf-i2nsf-consumer-facing-interface/ 1653 threat-prevention/threat-feed/threat-feed-id"; 1654 } 1655 description 1656 "This field identifies the source of 1657 the traffic. 
This could be reference to 1658 either 'Policy Endpoint Group' or 1659 'Threat-Feed' or 'Custom-List' if Security 1660 Admin wants to specify the source; otherwise, 1661 the default is to match all traffic."; 1662 } 1664 leaf destination { 1665 type leafref { 1666 path "/ietf-i2nsf-consumer-facing-interface/ 1667 policy-endpoint-groups/user-group/user-group-id"; 1668 } 1669 description 1670 "This field identifies the destination of 1671 the traffic. This could be reference to 1672 either 'Policy Endpoint Group' or 1673 'Threat-Feed' or 'Custom-List' if Security 1674 Admin wants to specify the destination; 1675 otherwise, the default is to match all 1676 traffic."; 1677 } 1679 leaf exception { 1680 type string; 1681 description 1682 "This field identifies the exception 1683 consideration when 'Source' and 1684 'Destination' are matched for a given 1685 communication. This should be reference 1686 to 'Policy Endpoint Group' object."; 1687 } 1689 leaf action { 1690 type string; 1691 description 1692 "This field identifies the action taken 1693 when 'Source' and 'Destination' are matched 1694 for a given communication."; 1695 } 1697 leaf precedence { 1698 type uint8; 1699 description 1700 "This field identifies the precedence 1701 assigned to this rule by Security Admin. 1702 This is helpful in conflict resolution 1703 when two or more rules match a given 1704 traffic class."; 1705 } 1706 } 1708 list policy-instance { 1709 key "policy-instance-id"; 1710 leaf policy-instance-id { 1711 type string; 1712 mandatory true; 1713 description 1714 "this represents the policy-instance-id"; 1715 } 1716 description 1717 "This object represents a mechanism to 1718 express a Security Policy by Security Admin 1719 to Security Controller via Consumer-Facing 1720 Interface. 
The policy would be enforced by 1721 an NSF."; 1722 leaf name { 1723 type string; 1724 description 1725 "This field identifies the name of this 1726 object."; 1727 } 1729 leaf date { 1730 type yang:date-and-time; 1731 description 1732 "Date this object was created or last 1733 modified."; 1734 } 1736 leaf-list rules { 1737 type leafref { 1738 path "/ietf-i2nsf-consumer-facing-interface/ 1739 security-policy-instance/policy-rule/policy-rule-id"; 1740 } 1741 description 1742 "This field contains a list of rules. 1743 If the rule does not have a user-defined 1744 precedence, then any conflict must be 1745 manually resolved."; 1746 } 1748 leaf scheduling-type { 1749 type enumeration { 1750 enum unknown { 1751 description 1752 "scheduling-type is unknown."; 1753 } 1754 enum time-calendar { 1755 description 1756 "scheduling-type is time-calendar."; 1757 } 1758 enum event-map { 1759 description 1760 "scheduling-type is event-map."; 1761 } 1762 } 1763 description 1764 "This field specifies when this policy 1765 should be scheduled. The policy could be 1766 scheduled based on time calendar or 1767 event-map."; 1768 } 1770 leaf scheduling-information { 1771 type leafref { 1772 path "/ietf-i2nsf-consumer-facing-interface 1773 /security-policy-instance/policy-calendar 1774 /policy-calendar-id"; 1775 } 1776 description 1777 "This field contains either the 'Calendar' 1778 or 'Event-map' based on 'Schedule type'."; 1779 } 1781 leaf owner { 1782 type string; 1783 description 1784 "This field defines the owner of this 1785 policy. Only the owner is authorized to 1786 modify the contents of the policy."; 1787 } 1788 } 1789 } 1790 } 1791 } 1792 1794 Figure 2: YANG for cf_interface 1796 6. Security Considerations 1798 The data model for the I2NSF Consumer-Facing Interface is derived 1799 from the I2NSF Consumer-Facing Interface Information Model 1800 [client-facing-inf-im], so the same security considerations with the 1801 information model should be included in this document. 
The data model needs to support a mechanism to protect the Consumer-Facing
Interface to the Security Controller.

7. Acknowledgements

This work was supported by the Institute for Information & communications
Technology Promotion (IITP) grant funded by the Korea government (MSIP)
(No. R-20160222-002755, Cloud based Security Intelligence Technology
Development for the Customized Security Service Provisioning).

This document has greatly benefited from inputs by Hyoungshick Kim,
Hoon Ko, Mahdi F. Dachmehchi, Seungjin Lee, Jinyong Tim Kim, and
Daeyoung Hyun.

8. References

8.1. Normative References

[RFC3444] Pras, A., "On the Difference between Information Models and
          Data Models", RFC 3444, January 2003.

8.2. Informative References

[i2nsf-framework] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and
          R. Kumar, "Framework for Interface to Network Security
          Functions", draft-ietf-i2nsf-framework-07 (work in progress),
          August 2017.

[client-facing-inf-req] Kumar, R., Lohiya, A., Qi, D., Bitar, N.,
          Palislamovic, S., and L. Xia, "Requirements for Client-Facing
          Interface to Security Controller",
          draft-ietf-i2nsf-client-facing-interface-req-03 (work in
          progress), July 2017.

[client-facing-inf-im] Kumar, R., Lohiya, A., Qi, D., Bitar, N.,
          Palislamovic, S., and L. Xia, "Information model for
          Client-Facing Interface to Security Controller",
          draft-kumar-i2nsf-client-facing-interface-im-03 (work in
          progress), July 2017.

[i2nsf-terminology] Hares, S., Strassner, J., Lopez, D., Xia, L., and
          H. Birkholz, "Interface to Network Security Functions (I2NSF)
          Terminology", draft-ietf-i2nsf-terminology-04 (work in
          progress), July 2017.

[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the
          Network Configuration Protocol (NETCONF)", RFC 6020,
          October 2010.

Appendix A. Changes from draft-jeong-i2nsf-consumer-facing-interface-dm-03

The following changes have been made from
draft-jeong-i2nsf-consumer-facing-interface-dm-03:

o Sections 4 and 5 have been revised to produce a data tree model
  and a YANG data model according to the information model suggested
  in the draft about the I2NSF Consumer-Facing Interface Information
  Model [client-facing-inf-im] and the Event-Condition-Action (ECA)
  based policy generation suggested in the I2NSF Framework
  [i2nsf-framework].

o The description of the use case scenario for the VoIP/VoLTE security
  service has been added in Appendix B.

o The data tree model in Appendix B and the YANG data model in
  Appendix C have also been modified for ECA-based policy
  generation.

o An example XML output has been added in Appendix D for the VoIP
  service policy.

o Editorial errors have been corrected.

Appendix B. Use Case: Policy Instance Example for VoIP/VoLTE Security
            Services

A common scenario for VoIP/VoLTE policy enforcement is that a
malicious call is made to a benign user of a telecommunication
company. For example, imagine a case where a company "A" employs a
hacker with the malicious intent of compromising a user's phone with
malware. The company "A" is located in a foreign country (for example,
in Africa) and uses the user's hacked phone to call the company. The
hacked user is unaware of the company "A" and so complains about the
international call to the company "B", which is the user's
telecommunications company. The company "A" charges the company "B"
for the international call. The company "B" cannot charge the user for
the call and has no choice but to pay the company "A". The following
shows the example data tree model for the VoIP/VoLTE services.
Multi-tenancy, endpoint groups, threat prevention, and telemetry data
components are general parts of the tree model, so we can just modify
the policy instance in order to generate and enforce high-level
policies. The policy-calendar can act as a scheduler to set the start
and end time to block calls that use suspicious IDs, or calls from
other countries.

module ietf-i2nsf-cf-interface-policy-instance
  +--rw security-policy-instance
     +--rw policy-rule* [policy-rule-id]
     |  +--rw policy-rule-id      uint16
     |  +--rw name?               string
     |  +--rw date?               yang:date-and-time
     |  +--rw source?             -> /ietf-i2nsf-cf-interface
     |  |                            /threat-prevention
     |  |                            /threat-feed
     |  |                            /threat-feed-id
     |  +--rw destination?        -> /ietf-i2nsf-cf-interface
     |  |                            /policy-endpoint-groups
     |  |                            /user-group
     |  |                            /user-group-id
     |  +--rw exception?          boolean
     |  +--rw exception-detail?   string
     +--rw action* [action-id]
     |  +--rw action-id           uint16
     |  +--rw name?               string
     |  +--rw date?               yang:date-and-time
     |  +--rw primary-action?     string
     |  +--rw secondary-action?   string
     +--rw precedence* [precedence-id]
     |  +--rw precedence-id       uint16
     |  +--rw rule-exist?         boolean
     +--rw event* [event-id]
     |  +--rw event-id            uint16
     |  +--rw security-event?     string
     |  +--rw threat-map?         string
     |  +--rw enable?             boolean
     +--rw condition* [condition-id]
     |  +--rw condition-id        uint16
     |  +--rw service* [service-id]
     |     +--rw service-id       uint16
     |     +--rw service-name     string
     |     +--rw service-type     string
     |
     +--rw policy-calendar* [policy-calendar-id]
     |  +--rw policy-calendar-id  uint16
     |  +--rw name?               string
     |  +--rw date?               yang:date-and-time
     |  +--rw enforcement-type?   string
     |  +--rw begin-time?         yang:date-and-time
     |  +--rw end-time?           yang:date-and-time
     +--rw policy-instance* [policy-instance-id]
        +--rw policy-instance-id  string
        +--rw name?               string
        +--rw date?               yang:date-and-time
        +--rw rules?              -> /ietf-i2nsf-cf-interface
        |                            /security-policy-instance
        |                            /policy-rule
        |                            /policy-rule-id
        +--rw scheduling?         -> /ietf-i2nsf-cf-interface
        |                            /security-policy-instance
        |                            /policy-calendar
        |                            /policy-calendar-id
        +--rw owner?              string

Figure 3: Policy Instance Example for VoIP/VoLTE Security Services

Appendix C. Policy Instance YANG Example for VoIP/VoLTE Security
            Services

The following YANG data model is a policy instance for VoIP/VoLTE
security services. The policy-calendar can act as a scheduler to set
the start time and end time to block malicious calls that use
suspicious IDs or come from other countries.

file "ietf-i2nsf-cf-interface-voip.yang"

module ietf-i2nsf-cf-interface-voip {
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-cf-interface-voip";
  prefix
    cf-interface;

  import ietf-inet-types {
    prefix inet;
  }
  import ietf-yang-types {
    prefix yang;
  }

  organization
    "IETF I2NSF (Interface to Network Security Functions)
     Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Adrian Farrel

     WG Chair: Linda Dunbar

     Editor: Jaehoon Paul Jeong
    ";

  description
    "This module defines a YANG data model for the consumer-facing
     interface to the security controller.";

  revision "2017-10-02" {
    description "The first version";
    reference
      "draft-kumar-i2nsf-client-facing-interface-im-03";
  }

  //Groupings
  container security-policy-instance {
    description
      "This describes the policy instances.";

    list policy-rule {
      key "policy-rule-id";
      description
        "This represents the policy-rule of a
         policy instance.";

      leaf policy-rule-id {
        type uint16;
        description
          "Policy rule id.";
      }

      leaf name {
        type string;
        description
          "Name of the policy-rule.";
      }

      leaf date {
        type yang:date-and-time;
        description
          "The date when the rule was created.";
      }

      leaf source {
        type leafref {
          path "/ietf-i2nsf-consumer-facing-interface/"
             + "threat-prevention/threat-feed/threat-feed-id";
        }
        description
          "This references either an end-point-group,
           a threat-feed, or a custom-list.";
      }

      leaf destination {
        type leafref {
          path "/ietf-i2nsf-consumer-facing-interface/"
             + "policy-endpoint-groups/user-group/user-group-id";
        }
        description
          "This references either an end-point-group,
           a threat-feed, or a custom-list.";
      }

      leaf exception {
        type boolean;
        description
          "This describes whether an exception has
           occurred or not.";
      }

      leaf exception-detail {
        type string;
        description
          "This includes detailed information about the
           source and destination of an exception.";
      }
    }
    list action {
      key "action-id";
      description
        "This represents the action of a policy-rule.";
      leaf action-id {
        type string;
        mandatory true;
        description
          "This represents the action-id of a policy-rule.";
      }
      leaf name {
        type string;
        description
          "The action name.";
      }
      leaf date {
        type yang:date-and-time;
        description
          "When the action was taken.";
      }

      leaf primary-action {
        type string;
        description
          "This includes actions such as drop, forward,
           mirror, advanced action, etc.";
      }

      leaf secondary-action {
        type string;
        description
          "This includes optional actions such as
           logging, system logging and session logging.";
      }
    }
    list precedence {
      key "precedence-id";
      description
        "This describes whether there is a preceding
         rule that causes problems.";
      leaf precedence-id {
        type string;
        mandatory true;
        description
          "This represents the precedence-id of
           a policy-rule.";
      }
      leaf rule-exist {
        type boolean;
        description
          "This determines whether a preceding rule exists.";
      }
    }
    list event {
      key "event-id";
      description
        "This represents the security event of a
         policy-rule.";
      leaf event-id {
        type string;
        mandatory true;
        description
          "This represents the event-id.";
      }
      leaf security-event {
        type string;
        description
          "This references the security event in the
           threat-prevention.";
      }
      leaf threat-map {
        type string;
        description
          "This references the threat-map in the
           threat-prevention.";
      }
      leaf enable {
        type boolean;
        description
          "This determines whether the condition
           matches the security event or not.";
      }
    }
    list condition {
      key "condition-id";
      description
        "This represents the condition of a
         policy-rule.";
      leaf condition-id {
        type string;
        description
          "This represents the condition-id.";
      }
      list service {
        key "service-id";
        description
          "This represents the list of services.";
        leaf service-id {
          type uint16;
          description
            "The id of the service.";
        }
        leaf name {
          type string;
          description
            "The service name.";
        }
      }
      list caller {
        key "caller-id";
        description
          "This represents the list of callers.";
        leaf caller-id {
          type uint16;
          description
            "The id of the caller.";
        }
        leaf caller-id-ip {
          type inet:ipv4-address;
          description
            "The IP address of the caller.";
        }
        leaf caller-country {
          type string;
          description
            "This determines the country of the caller.";
        }
        leaf caller-city {
          type string;
          description
            "This determines the city of the caller.";
        }
      }

      list callee {
        key "callee-id";
        description
          "This represents the list of callees.";
        leaf callee-id {
          type uint16;
          description
            "The id of the callee.";
        }
        leaf callee-id-ip {
          type inet:ipv4-address;
          description
            "The callee's IP address.";
        }
        leaf callee-country {
          type string;
          description
            "This determines the country of the callee.";
        }
        leaf callee-city {
          type string;
          description
            "This determines the city of the callee.";
        }
      }
    }
    list policy-calendar {
      key "policy-calendar-id";
      description
        "This represents the policy calendar list.";
      leaf policy-calendar-id {
        type uint16;
        description
          "The id of the policy calendar.";
      }
      leaf name {
        type string;
        description
          "The name of the policy-calendar.";
      }
      leaf date {
        type yang:date-and-time;
        description
          "The date when this calendar was
           created or last modified.";
      }
      leaf enforcement-type {
        type string;
        description
          "Whether the policy enforcement is
           admin-enforced, time-enforced, or
           event-enforced.";
      }
      leaf begin-time {
        type yang:date-and-time;
        description
          "The starting time for blocking
           suspicious calls.";
      }
      leaf end-time {
        type yang:date-and-time;
        description
          "The time when blocking ends.";
      }
    }
  }
}

Figure 4: Policy Instance YANG Example for VoIP Security Services

Appendix D. Example XML Output for VoIP Service

In this section, we present an example XML output for the VoIP service.
Here, we drop calls coming from an IP address in South Africa that is
classified as malicious.
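As an added example (not part of the draft), the following Python script encodes this VoIP policy instance as a plain dict shaped after the Figure 3 tree and checks the constraints the model states: uint16 ids, inet:ipv4-address caller and callee addresses, the policy-calendar enforcement-type enumeration, the rules and scheduling leafrefs, the overnight 22:00 to 08:00 blocking window, and the Figure 2 rule that a conflict between rules without a user-defined precedence must be resolved manually. The dict layout, the HH:MM time-of-day format, the per-rule action and precedence leaves and every sample value are assumptions made for this example.

```python
"""Added example, not the draft's code: a VoIP/VoLTE policy instance shaped after
the Figure 3 tree (dict layout, HH:MM times, per-rule action/precedence assumed)."""
import ipaddress
from datetime import time

# enforcement-type enumeration of the policy-calendar (Figure 2)
ENFORCEMENT_TYPES = {"unknown", "admin-enforced", "time-enforced", "event-enforced"}

def _is_uint16(value):  # YANG uint16; bool is excluded on purpose
    return isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= 65535

def _parse_hhmm(text):  # Appendix D writes begin-time/end-time as 'HH:MM'
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))

def in_blocking_window(calendar, at_hhmm):
    """True when a time of day lies inside a time-enforced calendar; a window
    such as 22:00 -> 08:00 wraps past midnight and is handled."""
    if calendar.get("enforcement-type") != "time-enforced":
        return False
    begin, end = _parse_hhmm(calendar["begin-time"]), _parse_hhmm(calendar["end-time"])
    at = _parse_hhmm(at_hhmm)
    if begin <= end:                  # window inside one day
        return begin <= at < end
    return at >= begin or at < end    # window crosses midnight

def validate_instance(doc):
    """Return the list of violations; an empty list means the instance is acceptable."""
    problems, rule_ids, calendar_ids = [], set(), set()
    for rule in doc.get("policy-rule", []):
        rid = rule.get("policy-rule-id")
        if not _is_uint16(rid):
            problems.append("policy-rule-id must be uint16: %r" % (rid,))
        rule_ids.add(rid)
        prec = rule.get("precedence")
        if prec is not None and not 0 <= prec <= 255:   # uint8 in Figure 2
            problems.append("precedence out of uint8 range in rule %r" % (rid,))
    for cond in doc.get("condition", []):
        for party in ("caller", "callee"):
            for entry in cond.get(party, []):
                addr = entry.get(party + "-id-ip")
                try:
                    ipaddress.IPv4Address(addr)          # inet:ipv4-address
                except (ValueError, TypeError):
                    problems.append("%s-id-ip is not IPv4: %r" % (party, addr))
    for cal in doc.get("policy-calendar", []):
        cid, etype = cal.get("policy-calendar-id"), cal.get("enforcement-type")
        calendar_ids.add(cid)
        if etype not in ENFORCEMENT_TYPES:
            problems.append("bad enforcement-type %r in calendar %r" % (etype, cid))
        elif etype == "time-enforced" and not (cal.get("begin-time") and cal.get("end-time")):
            problems.append("time-enforced calendar %r needs begin-time and end-time" % (cid,))
    for inst in doc.get("policy-instance", []):
        # leafrefs: rules -> policy-rule-id, scheduling -> policy-calendar-id
        for ref in inst.get("rules", []):
            if ref not in rule_ids:
                problems.append("rules leafref %r does not resolve" % (ref,))
        sched = inst.get("scheduling")
        if sched is not None and sched not in calendar_ids:
            problems.append("scheduling leafref %r does not resolve" % (sched,))
    return problems

def unresolved_conflicts(doc):
    """Pairs of rules matching the same source/destination with different actions
    that precedence cannot order; Figure 2 says these must be resolved manually."""
    rules, pending = doc.get("policy-rule", []), []
    for i, first in enumerate(rules):
        for second in rules[i + 1:]:
            same_traffic = ((first.get("source"), first.get("destination"))
                            == (second.get("source"), second.get("destination")))
            if not same_traffic or first.get("action") == second.get("action"):
                continue
            p1, p2 = first.get("precedence"), second.get("precedence")
            if p1 is None or p2 is None or p1 == p2:
                pending.append((first["policy-rule-id"], second["policy-rule-id"]))
    return pending

# Constructed instance carrying the values shown in Appendix D.
VOIP_POLICY = {
    "policy-instance": [{"policy-instance-id": "voip-policy-example",
                         "rules": [1], "scheduling": 1}],
    "policy-rule": [{"policy-rule-id": 1, "name": "rule_example_1", "source": 1,
                     "destination": 1, "exception": False, "action": "01",
                     "precedence": 10}],   # source/destination resolve in other trees
    "action": [{"action-id": "01", "primary-action": "drop", "secondary-action": "log"}],
    "event": [{"event-id": "01", "security-event": "voip-call", "threat-map": "high",
               "enable": True}],
    "condition": [{"condition-id": "01", "service": [{"service-id": 1, "name": "voip"}],
                   "caller": [{"caller-id": 1, "caller-id-ip": "105.176.0.0",
                               "caller-country": "South-Africa"}],
                   "callee": [{"callee-id": 1, "callee-id-ip": "192.168.171.35",
                               "callee-country": "South-Korea"}]}],
    "policy-calendar": [{"policy-calendar-id": 1, "enforcement-type": "time-enforced",
                         "begin-time": "22:00", "end-time": "08:00"}],
}

if __name__ == "__main__":
    print("violations:", validate_instance(VOIP_POLICY))
    print("needs manual conflict resolution:", unresolved_conflicts(VOIP_POLICY))
    print("23:30 blocked:", in_blocking_window(VOIP_POLICY["policy-calendar"][0], "23:30"))
```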
[XML markup of this figure was lost in extraction; only the element values survive, in document order: voip-policy-example, rule_example_1, false, 01, 01, voip-call, high, true, voip, 105.176.0.0, South-Africa, 192.168.171.35, South-Korea, drop, log, 01, 22:00, 08:00, time-enforced]

Figure 5: An Example XML Output for VoIP Service

Authors' Addresses

Jaehoon Paul Jeong
Department of Software
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea

Phone: +82 31 299 4957
Fax:   +82 31 290 7996
EMail: pauljeong@skku.edu
URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

Eunsoo Kim
Department of Electrical and Computer Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea

Phone: +82 31 299 4104
EMail: eskim86@skku.edu
URI:   http://seclab.skku.edu/people/eunsoo-kim/

Tae-Jin Ahn
Korea Telecom
70 Yuseong-Ro, Yuseong-Gu
Daejeon 305-811
Republic of Korea

Phone: +82 42 870 8409
EMail: taejin.ahn@kt.com

Rakesh Kumar
Juniper Networks
1133 Innovation Way
Sunnyvale, CA 94089
USA

Phone:
EMail: rkkumar@juniper.net

Susan Hares
Huawei
7453 Hickory Hill
Saline, MI 48176
USA

Phone: +1-734-604-0332
EMail: shares@ndzh.com