idnits 2.17.1

draft-jeong-i2nsf-consumer-facing-interface-dm-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** There are 9 instances of too long lines in the document, the longest one
     being 14 characters in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 174 has weird spacing: '...tion-id str...'

  == Line 187 has weird spacing: '...-method str...'

  == Line 194 has weird spacing: '...role-id uin...'

  == Line 197 has weird spacing: '...profile str...'

  == Line 208 has weird spacing: '...thod-id uin...'

  == (8 more instances...)

  == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119
     boilerplate text.

  -- The document date (November 14, 2017) is 2348 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Downref: Normative reference to an Informational RFC: RFC 3444

     Summary: 3 errors (**), 0 flaws (~~), 8 warnings (==), 1 comment (--).
     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                           J. Jeong
Internet-Draft                                                    E. Kim
Intended status: Standards Track                 Sungkyunkwan University
Expires: May 18, 2018                                             T. Ahn
                                                           Korea Telecom
                                                                R. Kumar
                                                        Juniper Networks
                                                                S. Hares
                                                                  Huawei
                                                       November 14, 2017

            I2NSF Consumer-Facing Interface YANG Data Model
           draft-jeong-i2nsf-consumer-facing-interface-dm-05

Abstract

   This document describes a YANG data model for the Consumer-Facing
   Interface between an Interface to Network Security Functions (I2NSF)
   User and Security Controller in an I2NSF system in a Network
   Functions Virtualization (NFV) environment.  The data model is
   required for enabling different users of a given I2NSF system to
   define, manage, and monitor security policies for specific flows
   within an administrative domain.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 18, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
   4.  Data Modeling for Consumer-Facing Interface
   5.  YANG Data Model for Consumer-Facing Interface
   6.  Security Considerations
   7.  Acknowledgements
   8.  Contributors
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Changes from draft-jeong-i2nsf-consumer-facing-interface-dm-04
   Appendix B.  Use Case: Policy Instance Example for VoIP/VoLTE Security
                Services
   Appendix C.  Policy Instance YANG Example for VoIP/VoLTE Security
                Services
   Appendix D.  Example XML output for VoIP service
   Authors' Addresses

1.  Introduction

   This document provides a YANG [RFC6020] data model that defines the
   required data for the Consumer-Facing Interface between an Interface
   to Network Security Functions (I2NSF) User and Security Controller in
   an I2NSF system [i2nsf-framework] in a Network Functions
   Virtualization (NFV) environment.  The data model is required for
   enabling different users of a given I2NSF system to define, manage
   and monitor security policies for specific flows within an
   administrative domain.  This document defines a YANG data model based
   on the information model of the I2NSF Consumer-Facing Interface
   [client-facing-inf-im].

   Data models are defined at a lower level of abstraction and provide
   many details.  They provide details about the implementation of a
   protocol's specification, e.g., rules that explain how to map managed
   objects onto lower-level protocol constructs.  Since conceptual
   models can be implemented in different ways, multiple data models can
   be derived from a single information model.

   The efficient and flexible provisioning of network functions by NFV
   leads to a rapid advance in the network industry.  As practical
   applications, network security functions (NSFs), such as firewall,
   intrusion detection system (IDS)/intrusion prevention system (IPS),
   and attack mitigation, can also be provided as virtual network
   functions (VNFs) in the NFV system.  With efficient virtualization
   technology, these VNFs can be automatically provisioned and
   dynamically migrated based on real-time security requirements.  This
   document presents a YANG data model to implement security functions
   based on NFV.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC3444].

3.  Terminology

   This document uses the terminology described in
   [i2nsf-terminology][client-facing-inf-im][client-facing-inf-req].

4.  Data Modeling for Consumer-Facing Interface

   The main objective of this data model is to fully transform the
   information model [client-facing-inf-im] into a YANG data model that
   can be used for delivering control and management messages via the
   Consumer-Facing Interface between an I2NSF User and Security
   Controller for the I2NSF User's high-level security policies.

   The semantics of the data model must be aligned with the information
   model of the Consumer-Facing Interface.  The transformation of the
   information model was performed so that this YANG data model can
   facilitate the efficient delivery of the control or management
   messages.

   This data model is designed to support the I2NSF framework, which can
   be extended according to the security needs.  In other words, the
   model design is independent of the content and meaning of specific
   policies as well as of the implementation approach.  This document
   suggests a VoIP/VoLTE security service as a use case for policy rule
   generation.

   module: ietf-i2nsf-cf-interface
      +--rw ietf-i2nsf-consumer-facing-interface
         +--rw policy
         |  +--rw rule* [rule-id]
         |  |  +--rw rule-id*            uint16
         |  |  +--rw name?               string
         |  |  +--rw date?               yang:date-and-time
         |  +--rw event* [event-id]
         |  |  +--rw event-id            string
         |  |  +--rw name?               string
         |  |  +--rw date?               yang:date-and-time
         |  |  +--rw event-type?         string
         |  |  +--rw time-information?
         |  |  |  +-- start-time         yang:date-and-time
         |  |  |  +-- end-time           yang:date-and-time
         |  |  +--rw event-map-group?    -> /ietf-i2nsf-consumer-facing-interface/
         |  |  |                             threat-feed/threat-feed/
         |  |  |                             threat-feed-id
         |  |  +--rw enable?             boolean
         |  +--rw condition* [condition-id]
         |  |  +--rw condition-id        string
         |  |  +--rw source?             -> /ietf-i2nsf-consumer-facing-interface/
         |  |  |                             threat-feed/threat-feed/
         |  |  |                             threat-feed-id
         |  |  +--rw destination?        -> /ietf-i2nsf-consumer-facing-interface/
         |  |  |                             threat-feed/threat-feed/
         |  |  |                             custom-list-id
         |  |  +--rw match?              boolean
         |  |  +--rw match-direction?    string
         |  |  +--rw exception?          string
         |  +--rw policy-action* [policy-action-id]
         |  |  +--rw policy-action-id    string
         |  |  +--rw name?               string
         |  |  +--rw date?               yang:date-and-time
         |  |  +--rw primary-action?     string
         |  |  +--rw secondary-action?   string
         |  |  +--rw owner?              string
         +--rw multi-tenancy
         |  +--rw policy-domain* [policy-domain-id]
         |  |  +--rw policy-domain-id*        uint16
         |  |  +--rw name                     string
         |  |  +--rw address?                 string
         |  |  +--rw contact                  string
         |  |  +--rw date                     yang:date-and-time
         |  |  +--rw authentication-method    string
         |  +--rw policy-tenant* [policy-tenant-id]
         |  |  +--rw policy-tenant-id*        uint16
         |  |  +--rw name                     string
         |  |  +--rw date                     yang:date-and-time
         |  |  +--rw domain                   string
         |  +--rw policy-role* [policy-role-id]
         |  |  +--rw policy-role-id           uint16
         |  |  +--rw name                     string
         |  |  +--rw date                     yang:date-and-time
         |  |  +--rw access-profile           string
         |  +--rw policy-user* [policy-user-id]
         |  |  +--rw policy-user-id           uint16
         |  |  +--rw name                     string
         |  |  +--rw date                     yang:date-and-time
         |  |  +--rw password                 string
         |  |  +--rw email                    string
         |  |  +--rw scope-type?              string
         |  |  +--rw scope-reference?         string
         |  |  +--rw role                     string
         |  +--rw policy-mgmt-auth-method* [policy-mgnt-auth-method-id]
         |     +--rw policy-mgnt-auth-method-id    uint16
         |     +--rw name                          string
         |     +--rw date                          yang:date-and-time
         |     +--rw authentication-method         string
         |     +--rw mutual-authentication         boolean
         |     +--rw token-server                  string
         |     +--rw certificate-server            string
         |     +--rw single-sing-on-server         string
         +--rw end-group
         |  +--rw meta-data-source* [meta-data-source-id]
         |  |  +--rw meta-data-source-id          uint16
         |  |  +--rw name                         string
         |  |  +--rw date                         yang:date-and-time
         |  |  +--rw tag-type?                    boolean
         |  |  +--rw tag-server-information?      string
         |  |  +--rw tag-application-protocol?    string
         |  |  +--rw tag-server-credential?       string
         |  +--rw user-group* [user-group-id]
         |  |  +--rw user-group-id          uint16
         |  |  +--rw name?                  string
         |  |  +--rw date?                  yang:date-and-time
         |  |  +--rw group-type?            string
         |  |  +--rw meta-data-server?      string
         |  |  +--rw group-member?          string
         |  |  +--rw risk-level?            uint16
         |  +--rw device-group* [device-group-id]
         |  |  +--rw device-group-id        uint16
         |  |  +--rw name?                  string
         |  |  +--rw date?                  yang:date-and-time
         |  |  +--rw group-type?            string
         |  |  +--rw meta-data-server?      string
         |  |  +--rw group-member?          string
         |  |  +--rw risk-level?            uint16
         |  +--rw application-group* [application-group-id]
         |  |  +--rw application-group-id   uint16
         |  |  +--rw name?                  string
         |  |  +--rw date?                  yang:date-and-time
         |  |  +--rw group-type?            string
         |  |  +--rw meta-data-server?      string
         |  |  +--rw group-member?          string
         |  |  +--rw risk-level?            uint16
         |  +--rw location-group* [location-group-id]
         |     +--rw location-group-id      uint16
         |     +--rw name?                  string
         |     +--rw date?                  yang:date-and-time
         |     +--rw group-type?            string
         |     +--rw meta-data-server?      string
         |     +--rw group-member?          string
         |     +--rw risk-level?            uint16
         +--rw threat-feed
         |  +--rw threat-feed* [threat-feed-id]
         |  |  +--rw threat-feed-id         uint16
         |  |  +--rw name?                  string
         |  |  +--rw date?                  yang:date-and-time
         |  |  +--rw feed-type              enumeration
         |  |  +--rw feed-server?           string
         |  |  +--rw feed-priority?         uint16
         |  +--rw custom-list* [custom-list-id]
         |  |  +--rw custom-list-id         uint16
         |  |  +--rw name?                  string
         |  |  +--rw date?                  yang:date-and-time
         |  |  +--rw list-type              enumeration
         |  |  +--rw list-property          enumeration
         |  |  +--rw list-content?          string
         |  +--rw malware-scan-group* [malware-scan-group-id]
         |  |  +--rw malware-scan-group-id  uint16
         |  |  +--rw name?                  string
         |  |  +--rw date?                  yang:date-and-time
         |  |  +--rw signature-server?      string
         |  |  +--rw file-types?            string
         |  |  +--rw malware-signatures?    string
         |  +--rw event-map-group* [event-map-group-id]
         |     +--rw event-map-group-id     uint16
         |     +--rw name?                  string
         |     +--rw date?                  yang:date-and-time
         |     +--rw security-events?       string
         |     +--rw threat-map?            string
         +--rw telemetry-data
            +--rw telemetry-data* [telemetry-data-id]
            |  +--rw telemetry-data-id      uint16
            |  +--rw name?                  string
            |  +--rw date?                  yang:date-and-time
            |  +--rw logs?                  boolean
            |  +--rw syslogs?               boolean
            |  +--rw snmp?                  boolean
            |  +--rw sflow?                 boolean
            |  +--rw netflow?               boolean
            |  +--rw interface-stats?       boolean
            +--rw telemetry-source* [telemetry-source-id]
            |  +--rw telemetry-source-id    uint16
            |  +--rw name?                  string
            |  +--rw date?                  yang:date-and-time
            |  +--rw source-type?           string
            |  +--rw nsf-access-parameters? string
            |  +--rw nsf-access-credentials? string
            |  +--rw collection-interval?   uint16
            |  +--rw collection-method?     enumeration
            |  +--rw heartbeat-interval?    uint16
            |  +--rw qos-marking?           uint8
            +--rw telemetry-destination* [telemetry-destination-id]
               +--rw telemetry-destination-id   uint16
               +--rw name?                  string
               +--rw date?                  yang:date-and-time
               +--rw collector-state?       string
               +--rw collector-credentials? string
               +--rw collector-source?      string
               +--rw data-encoding?         string
               +--rw data-transport?        string

              Figure 1: Generic Data Model for cf Interface

5.  YANG Data Model for Consumer-Facing Interface

   This section describes a YANG data model for the Consumer-Facing
   Interface, based on the information model of the Consumer-Facing
   Interface to the security controller [client-facing-inf-im].

   <CODE BEGINS> file "ietf-i2nsf-cf-interface.yang"

   module ietf-i2nsf-cf-interface {
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-cf-interface";
     prefix
       cf-interface;

     import ietf-yang-types{
       prefix yang;
     }

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Adrian Farrel

        WG Chair: Linda Dunbar

        Editor: Jaehoon Paul Jeong
       ";

     description
       "This module defines a YANG data model for the consumer-facing
        interface to the security controller.";

     revision "2017-11-14"{
       description "Fifth revision";
       reference
         "draft-kumar-i2nsf-client-facing-interface-im-04";
     }

     //Groupings
     container ietf-i2nsf-consumer-facing-interface {
       description
         "grouping Policy";
       container policy {
         description
           "This object is a policy instance to have
            complete information such as where and when
            a policy needs to be applied.";

         list rule {
           key "rule-id";
           leaf rule-id {
             type uint16;
             description
               "This is the ID for rules.";
           }
           description
             "This is a container for rules.";
           leaf name {
             type string;
             description
               "This field identifies the name of this object.";
           }

           leaf date {
             type yang:date-and-time;
             description
               "Date this object was created or last
                modified";
           }

           list event {
             key "event-id";
             description
               "This represents the security event of a
                policy-rule.";
             leaf event-id {
               type string;
               mandatory true;
               description
                 "This represents the event-id.";
             }
             leaf name {
               type string;
               description
                 "This field identifies the name of this object.";
             }
             leaf date {
               type yang:date-and-time;
               description
                 "Date this object was created or last
                  modified";
             }
             leaf event-type {
               type string;
               description
                 "This field identifies the event of
                  policy enforcement trigger type.";
             }
             list time-information {
               key "time-information-id";
               leaf time-information-id{
                 type string;
                 description
                   "this is a time information id.";
               }
               leaf start-time {
                 type yang:date-and-time;
                 description
                   "start time information.";
               }
               leaf end-time {
                 type yang:date-and-time;
                 description
                   "end time information.";
               }
               description
                 "This field contains a time calendar such as
                  BEGIN-TIME and END-TIME for one-time
                  enforcement or a recurring time calendar for
                  periodic enforcement.";
             }
             leaf event-map-group {
               type string;
               description
                 "This field contains security events or a threat
                  map in order to determine when a policy needs
                  to be activated.  This is a reference to
                  Event-Map-Group.";
             }
             leaf enable {
               type boolean;
               description
                 "This determines whether the condition
                  matches the security event or not.";
             }
           }
           list condition {
             key "condition-id";
             description
               "This represents the condition of a
                policy-rule.";
             leaf condition-id {
               type string;
               description
                 "This represents the condition-id.";
             }
             leaf source {
               type string;
               description
                 "This field identifies the source of
                  the traffic.  This could be a reference to
                  either 'Policy Endpoint Group' or
                  'Threat-Feed' or 'Custom-List' if the Security
                  Admin wants to specify the source; otherwise,
                  the default is to match all traffic.";
             }
             leaf destination {
               type string;
               description
                 "This field identifies the destination of
                  the traffic.  This could be a reference to
                  either 'Policy Endpoint Group' or
                  'Threat-Feed' or 'Custom-List' if the Security
                  Admin wants to specify the destination; otherwise,
                  the default is to match all traffic.";
             }
             leaf match {
               type boolean;
               description
                 "This field identifies the match criteria used to
                  evaluate whether the specified action needs to be
                  taken or not.  This could be either a Policy-
                  Endpoint-Group identifying an Application set or a
                  set of traffic rules.";
             }
             leaf match-direction {
               type enumeration{
                 enum one-direction{
                   value 0;
                   description
                     "one direction traffic.";
                 }
                 enum both-direction{
                   value 1;
                   description
                     "both direction traffic.";
                 }
               }
               description
                 "This field identifies whether the match criteria
                  are to be evaluated for both directions of the
                  traffic or only in one direction, with the default
                  of allowing the other direction for stateful match
                  conditions.  This is optional, and by default the
                  rule should apply in both directions.";
             }
             leaf exception {
               type string;
               description
                 "This field identifies the exception
                  consideration when a rule is evaluated for a
                  given communication.  This could be a reference to
                  a Policy-Endpoint-Group object or a set of traffic
                  matching criteria.";
             }
           }

           list policy-action {
             key "policy-action-id";
             leaf policy-action-id {
               type string;
               mandatory true;
               description
                 "this represents the policy-action-id.";
             }
             description
               "This object represents actions that a
                Security Admin wants to perform based on
                a certain traffic class.";
             leaf name {
               type string;
               description
                 "The name of the policy-action object.";
             }

             leaf date {
               type yang:date-and-time;
               description
                 "When the object was created or last
                  modified.";
             }

             leaf primary-action {
               type enumeration{
                 enum permit{
                   value 0;
                   description
                     "permit.";
                 }
                 enum deny{
                   value 1;
                   description
                     "deny.";
                 }
                 enum rate-limit{
                   value 2;
                   description
                     "rate-limit.";
                 }
                 enum traffic-class{
                   value 3;
                   description
                     "traffic-class.";
                 }
                 enum authenticate-session{
                   value 4;
                   description
                     "authenticate-session.";
                 }
                 enum ips{
                   value 5;
                   description
                     "ips.";
                 }
                 enum app-firewall{
                   value 6;
                   description
                     "app-firewall.";
                 }
               }
               description
                 "This field identifies the action when a rule
                  is matched by an NSF.  The action could be one of
                  'PERMIT', 'DENY', 'RATE-LIMIT', 'TRAFFIC-CLASS',
                  'AUTHENTICATE-SESSION', 'IPS', 'APP-FIREWALL', etc.";
             }

             leaf secondary-action {
               type enumeration{
                 enum log{
                   value 0;
                   description
                     "log.";
                 }
                 enum syslog{
                   value 1;
                   description
                     "syslog.";
                 }
                 enum session-log{
                   value 2;
                   description
                     "session-log.";
                 }
               }
               description
                 "This field identifies additional actions if
                  a rule is matched.  This could be one of 'LOG',
                  'SYSLOG', 'SESSION-LOG', etc.";
             }

             leaf owner {
               type string;
               description
                 "This field defines the owner of this
                  policy.  Only the owner is authorized to
                  modify the contents of the policy.";
             }
           }
         }
       }
       container multi-tenancy {
         description
           "The descriptions of multi-tenancy.";

         list policy-domain {
           key "policy-domain-id";
           leaf policy-domain-id {
             type uint16;
             description
               "This represents the list of domains.";
           }
           description
             "This represents the list of policy domains.";
           leaf name {
             type string;
             mandatory true;
             description
               "Name of the organization or customer representing
                this domain.";
           }

           leaf address {
             type string;
             description
               "Address of an organization or customer.";
           }

           leaf contact {
             type string;
             mandatory true;
             description
               "Contact information of the organization
                or customer.";
           }

           leaf date {
             type yang:date-and-time;
             mandatory true;
             description
               "The date when this account was created
                or last modified.";
           }

           leaf authentication-method {
             type string;
             mandatory true;
             description
               "The description of the authentication method:
                token-based, password, certificate,
                single-sign-on";
           }
         }

         list policy-tenant {
           key "policy-tenant-id";
           leaf policy-tenant-id {
             type uint16;
             description
               "The policy tenant id.";
           }
           description
             "This represents the list of tenants.";
           leaf name {
             type string;
             mandatory true;
             description
               "Name of the Department or Division within
                an organization.";
           }

           leaf date {
             type yang:date-and-time;
             mandatory true;
             description
               "Date this account was created or last modified.";
           }

           leaf domain {
             type string;
             mandatory true;
             description
               "This field identifies the domain to which this
                tenant belongs.
                This should be a reference to a
                'Policy-Domain' object.";
           }
         }

         list policy-role {
           key "policy-role-id";
           leaf policy-role-id {
             type uint16;
             mandatory true;
             description
               "This defines a set of permissions assigned
                to a user in an organization that wants to manage
                its own Security Policies.";
           }
           description
             "This represents the list of policy roles.";
           leaf name {
             type string;
             mandatory true;
             description
               "This field identifies the name of the role.";
           }

           leaf date {
             type yang:date-and-time;
             mandatory true;
             description
               "Date this role was created or last modified.";
           }

           leaf access-profile {
             type string;
             mandatory true;
             description
               "This field identifies the access profile for the
                role.  The profile grants or denies access to policy
                objects.  Multiple access profiles can be
                concatenated together.";
           }
         }

         list policy-user {
           key "policy-user-id";
           leaf policy-user-id {
             type uint16;
             description
               "This represents the policy-user-id.";
           }
           description
             "This represents the list of policy users.";
           leaf name {
             type string;
             mandatory true;
             description
               "The name of a user.";
           }

           leaf date {
             type yang:date-and-time;
             mandatory true;
             description
               "Date this user was created or last modified";
           }

           leaf password {
             type string;
             mandatory true;
             description
               "User password for basic authentication";
           }

           leaf email {
             type string;
             mandatory true;
             description
               "The email account of a user";
           }

           leaf scope-type {
             type string;
             description
               "Identifies whether a user has domain-wide
                or tenant-wide privileges";
           }

           leaf scope-reference {
             type string;
             description
               "This references policy-domain or policy-tenant
                to identify the scope.";
           }

           leaf role {
             type string;
             mandatory true;
             description
               "This references policy-role to define specific
                permissions";
           }
         }

         list policy-mgmt-auth-method {
           key "policy-mgnt-auth-method-id";
           leaf policy-mgnt-auth-method-id {
             type uint16;
             description
               "This represents the authentication method id.";
           }
           description
             "The descriptions of policy management
              authentication methods.";
           leaf name {
             type string;
             mandatory true;
             description
               "Name of the authentication method";
           }

           leaf date {
             type yang:date-and-time;
             mandatory true;
             description
               "Date when the authentication method
                was created";
           }

           leaf authentication-method {
             type string;
             mandatory true;
             description
               "The description of the authentication method:
                token-based, password, certificate,
                single-sign-on";
           }

           leaf mutual-authentication {
             type boolean;
             mandatory true;
             description
               "To identify whether the authentication
                is mutual";
           }

           leaf token-server {
             type string;
             mandatory true;
             description
               "The token-server information if the
                authentication method is token-based";
           }

           leaf certificate-server {
             type string;
             mandatory true;
             description
               "The certificate-server information if
                the authentication method is certificate-based";
           }

           leaf single-sing-on-server {
             type string;
             mandatory true;
             description
               "The single-sign-on-server information
                if the authentication method is
                single-sign-on-based";
           }
         }
       }

       container end-group {
         description
           "A logical entity in their business
            environment, where a security policy
            is to be applied.";

         list meta-data-source {
           key "meta-data-source-id";
           leaf meta-data-source-id {
             type uint16;
             mandatory true;
             description
               "This represents the meta-data source id.";
           }
           description
             "This represents the meta-data source.";
           leaf name {
             type string;
             mandatory true;
             description
               "This identifies the name of the
                meta-data-source.";
           }
           leaf date {
             type yang:date-and-time;
             mandatory true;
             description
               "This identifies the date this object was
                created or last modified.";
           }

           leaf tag-type {
             type boolean;
             description
               "This identifies the group type: user group,
                app group or device group.";
           }

           leaf tag-server-information {
             type string;
             description
               "The description of the authentication method:
                token-based, password, certificate,
                single-sign-on";
           }
           leaf tag-application-protocol {
             type string;
             description
               "This field identifies the protocol, e.g., LDAP,
                Active Directory, or CMDB";
           }
           leaf tag-server-credential {
             type string;
             description
               "This field identifies the credential
                information needed to access the tag server";
           }
         }

         list user-group{
           key "user-group-id";
           leaf user-group-id {
             type uint16;
             mandatory true;
             description
               "This represents the user group id.";
           }
           description
             "This represents the user group.";
           leaf name {
             type string;
             description
               "This field identifies the name of the user-group.";
           }

           leaf date {
             type yang:date-and-time;
             description
               "When this user-group was created or last modified.";
           }
           leaf group-type {
             type string;
             description
               "This describes the group type: User-tag,
                User-name or IP-address.";
           }

           leaf meta-data-server {
             type string;
             description
               "This references the metadata source";
           }

           leaf group-member {
             type string;
             description
               "This describes the user-tag information";
           }

           leaf risk-level {
             type uint16;
             description
               "This represents the threat level; the valid range
                may be 0 to 9.";
           }
         }

         list device-group{
           key "device-group-id";
           leaf device-group-id {
             type uint16;
             description
               "This represents a device group id.";
           }
           description
             "This represents a device group.";
           leaf name {
             type string;
             description
               "This field identifies the name of
                a device-group.";
           }
           leaf date {
             type yang:date-and-time;
             description
               "The date when this group was created or
                last modified.";
           }

           leaf group-type {
             type string;
             description
               "This describes the group type: device-tag,
                device-name or IP-address.";
           }

           leaf meta-data-server {
             type string;
             description
               "This references a meta-data-source
                object.";
           }

           leaf group-member {
             type string;
             description
               "This describes the device-tag, device-name or
                IP-address information";
           }

           leaf risk-level {
             type uint16;
             description
               "This represents the threat level; the valid range
                may be 0 to 9.";
           }
         }

         list application-group{
           key "application-group-id";
           leaf application-group-id {
             type uint16;
             description
               "This represents an application group id.";
           }
           description
             "This represents an application group.";
           leaf name {
             type string;
             description
               "This field identifies the name of
                an application group";
           }

           leaf date {
             type yang:date-and-time;
             description
               "The date when this group was created or
                last modified.";
           }

           leaf group-type {
             type string;
             description
               "This identifies the group type:
                application-tag, application-name or
                IP-address.";
           }

           leaf meta-data-server {
             type string;
             description
               "This references a meta-data-source
                object.";
           }

           leaf group-member {
             type string;
             description
               "This describes the application-tag,
                application-name or IP-address information";
           }

           leaf risk-level {
             type uint16;
             description
               "This represents the threat level; the valid range
                may be 0 to 9.";
           }
         }
         list location-group{
           key "location-group-id";
           leaf location-group-id {
             type uint16;
             description
               "This represents a location group id.";
           }
           description
             "This represents a location group.";
           leaf name {
             type string;
             description
               "This field identifies the name of
                a location group";
           }

           leaf date {
             type yang:date-and-time;
             description
               "The date when this group was created or
                last modified.";
           }

           leaf group-type {
             type string;
             description
               "This identifies the group type:
                location-tag, location-name or
                IP-address.";
           }

           leaf meta-data-server {
             type string;
             description
               "This references a meta-data-source
                object.";
           }

           leaf group-member {
             type string;
             description
               "This describes the location-tag,
                location-name or IP-address information";
           }

           leaf risk-level {
             type uint16;
             description
               "This represents the threat level; the valid range
                may be 0 to 9.";
           }
         }
       }

       container threat-feed {
         description
           "This describes the list of threat-feeds.";

         list threat-feed {
           key "threat-feed-id";
           leaf threat-feed-id {
             type uint16;
             mandatory true;
             description
               "This represents the threat-feed-id.";
           }
           description
             "This represents the threat feed within the
              threat-prevention-list.";
           leaf name {
             type string;
             description
               "Name of the threat feed.";
           }

           leaf date {
             type yang:date-and-time;
             description
               "When the threat-feed was created.";
           }

           leaf feed-type {
             type enumeration {
               enum unknown {
                 description
                   "feed-type is unknown.";
               }
               enum ip-address {
                 description
                   "feed-type is IP address.";
               }
               enum url {
                 description
                   "feed-type is URL.";
               }
             }
             mandatory true;
             description
               "This determines whether the feed-type is IP address
                based or URL based.";
           }

           leaf feed-server {
             type string;
             description
               "This contains threat feed server information.";
           }

           leaf feed-priority {
             type uint16;
             description
               "This describes the priority of the threat from
                0 to 5, where 0 means the threat is minimum and
                5 means the maximum.";
           }
         }

         list custom-list {
           key "custom-list-id";
           leaf custom-list-id {
             type uint16;
             description
               "This describes the custom-list-id.";
           }
           description
             "This describes the threat-prevention custom list.";
           leaf name {
             type string;
             description
               "Name of the custom-list.";
           }

           leaf date {
             type yang:date-and-time;
             description
               "When the custom list was created.";
           }

           leaf list-type {
             type enumeration {
               enum unknown {
                 description
                   "list-type is unknown.";
               }
               enum ip-address {
                 description
                   "list-type is IP address.";
               }
               enum mac-address {
                 description
                   "list-type is MAC address.";
               }
               enum url {
                 description
                   "list-type is URL.";
               }
             }
             mandatory true;
             description
               "This determines whether the list-type is IP address
                based, MAC address based, or URL based.";
           }

           leaf list-property {
             type enumeration {
               enum unknown {
                 description
                   "list-property is unknown.";
               }
               enum blacklist {
                 description
                   "list-property is blacklist.";
               }
               enum whitelist {
                 description
                   "list-property is whitelist.";
               }
             }
             mandatory true;
             description
               "This determines whether the list is a blacklist
                or a whitelist.";
           }

           leaf list-content {
             type string;
             description
               "This describes the contents of the custom-list.";
           }
         }
         list malware-scan-group {
           key "malware-scan-group-id";
           leaf malware-scan-group-id
{ 1297 type uint16; 1298 mandatory true; 1299 description 1300 "This is the malware-scan-group-id."; 1301 } 1302 description 1303 "This represents the malware-scan-group."; 1304 leaf name { 1305 type string; 1306 description 1307 "Name of the malware-scan-group."; 1308 } 1310 leaf date { 1311 type yang:date-and-time; 1312 description 1313 "when the malware-scan-group was created."; 1314 } 1316 leaf signature-server { 1317 type string; 1318 description 1319 "This describes the signature server of the 1320 malware-scan-group."; 1321 } 1323 leaf file-types { 1324 type string; 1325 description 1326 "This contains a list of file types needed to 1327 be scanned for the virus."; 1328 } 1330 leaf malware-signatures { 1331 type string; 1332 description 1333 "This contains a list of malware signatures or hash."; 1334 } 1335 } 1337 list event-map-group { 1338 key "event-map-group-id"; 1339 leaf event-map-group-id { 1340 type uint16; 1341 mandatory true; 1342 description 1343 "This is the event-map-group-id."; 1344 } 1345 description 1346 "This represents the event map group."; 1348 leaf name { 1349 type string; 1350 description 1351 "Name of the event-map."; 1352 } 1354 leaf date { 1355 type yang:date-and-time; 1356 description 1357 "when the event-map was created."; 1358 } 1360 leaf security-events { 1361 type string; 1362 description 1363 "This contains a list of security events."; 1364 } 1366 leaf threat-map { 1367 type string; 1368 description 1369 "This contains a list of threat levels."; 1370 } 1371 } 1372 } 1374 container telemetry-data { 1375 description 1376 "Telemetry provides visibility into the network 1377 activities which can be tapped for further 1378 security analytics, e.g., detecting potential 1379 vulnerabilities, malicious activities, etc."; 1381 list telemetry-data { 1382 key "telemetry-data-id"; 1383 leaf telemetry-data-id { 1384 type uint16; 1385 mandatory true; 1386 description 1387 "This is ID for telemetry-data-id."; 1388 } 1389 description 1390 
"This is ID for telemetry-data."; 1391 leaf name { 1392 type string; 1393 description 1394 "Name of the telemetry-data object."; 1395 } 1397 leaf date { 1398 type yang:date-and-time; 1399 description 1400 "This field states when the telemery-data 1401 object was created."; 1402 } 1404 leaf logs { 1405 type boolean; 1406 description 1407 "This field identifies whether logs 1408 need to be collected."; 1409 } 1411 leaf syslogs { 1412 type boolean; 1413 description 1414 "This field identifies whether System logs 1415 need to be collected."; 1416 } 1418 leaf snmp { 1419 type boolean; 1420 description 1421 "This field identifies whether 'SNMP traps' and 1422 'SNMP alarms' need to be collected."; 1423 } 1425 leaf sflow { 1426 type boolean; 1427 description 1428 "This field identifies whether 'sFlow' data 1429 need to be collected."; 1430 } 1432 leaf netflow { 1433 type boolean; 1434 description 1435 "This field identifies whether 'NetFlow' data 1436 need to be collected."; 1437 } 1438 leaf interface-stats { 1439 type boolean; 1440 description 1441 "This field identifies whether 'Interface' data 1442 such as packet bytes and counts need to be 1443 collected."; 1444 } 1445 } 1447 list telemetry-source { 1448 key "telemetry-source-id"; 1449 leaf telemetry-source-id { 1450 type uint16; 1451 mandatory true; 1452 description 1453 "This is ID for telemetry-source-id."; 1454 } 1455 description 1456 "This is ID for telemetry-source."; 1457 leaf name { 1458 type string; 1459 description 1460 "This identifies the name of this object."; 1461 } 1463 leaf date { 1464 type yang:date-and-time; 1465 description 1466 "Date this object was created or last modified"; 1467 } 1469 leaf source-type { 1470 type string; 1471 description 1472 "This should have one of the following type of 1473 the NSF telemetry source: NETWORK-NSF, 1474 FIREWALL-NSF, IDS-NSF, IPS-NSF, 1475 PROXY-NSF, VPN-NSF, DNS, ACTIVE-DIRECTORY, 1476 IP Reputation Authority, Web Reputation 1477 Authority, Anti-Malware Sandbox, 
Honey Pot, 1478 DHCP, Other Third Party, ENDPOINT"; 1479 } 1481 leaf nsf-access-parameters { 1482 type string; 1483 description 1484 "This field contains information such as 1485 IP address and protocol (UDP or TCP) port 1486 number of the NSF providing telemetry data."; 1487 } 1489 leaf nsf-access-credentials { 1490 type string; 1491 description 1492 "This field contains username and password 1493 to authenticate with the NSF."; 1494 } 1496 leaf collection-interval { 1497 type uint16; 1498 units seconds; 1499 default 5000; 1500 description 1501 "This field contains time in milliseconds 1502 between each data collection. For example, 1503 a value of 5000 means data is streamed to 1504 collector every 5 seconds. Value of 0 means 1505 data streaming is event-based"; 1506 } 1508 leaf collection-method { 1509 type enumeration { 1510 enum unknown { 1511 description 1512 "collection-method is unknown."; 1513 } 1514 enum push-based { 1515 description 1516 "collection-method is PUSH-based."; 1517 } 1518 enum pull-based { 1519 description 1520 "collection-method is PULL-based."; 1521 } 1522 } 1523 description 1524 "This field contains a method of collection, 1525 i.e., whether it is PUSH-based or PULL-based."; 1526 } 1528 leaf heartbeat-interval { 1529 type uint16; 1530 units seconds; 1531 description 1532 "time in seconds the source sends telemetry 1533 heartbeat."; 1535 } 1537 leaf qos-marking { 1538 type uint8; 1539 description 1540 "DSCP value must be contained in this field."; 1541 } 1542 } 1543 list telemetry-destination { 1544 key "telemetry-destination-id"; 1545 leaf telemetry-destination-id { 1546 type uint16; 1547 description 1548 "this represents the telemetry-destination-id"; 1549 } 1550 description 1551 "This object contains information related to 1552 telemetry destination. 
The destination is 1553 usually a collector which is either a part of 1554 Security Controller or external system 1555 such as Security Information and Event 1556 Management (SIEM)."; 1558 leaf name { 1559 type string; 1560 description 1561 "This identifies the name of this object."; 1562 } 1564 leaf date { 1565 type yang:date-and-time; 1566 description 1567 "Date this object was created or last 1568 modified"; 1569 } 1571 leaf collector-state { 1572 type string; 1573 description 1574 "This describes collector state information."; 1575 } 1576 leaf collector-credentials { 1577 type string; 1578 description 1579 "iThis field contains the username and 1580 password for the collector."; 1581 } 1582 leaf collector-source { 1583 type string; 1584 description 1585 "This field contains information such as 1586 IP address and protocol (UDP or TCP) port 1587 number for the collector's destination."; 1588 } 1590 leaf data-encoding { 1591 type string; 1592 description 1593 "This field contains the telemetry data encoding 1594 in the form of schema."; 1595 } 1597 leaf data-transport { 1598 type string; 1599 description 1600 "This field contains streaming telemetry data 1601 protocols. This could be gRPC, protocol 1602 buffer over UDP, etc."; 1603 } 1604 } 1605 } 1606 } 1607 } 1608 } 1609 } 1610 1612 Figure 2: YANG for cf_interface 1614 6. Security Considerations 1616 The data model for the I2NSF Consumer-Facing Interface is derived 1617 from the I2NSF Consumer-Facing Interface Information Model 1618 [client-facing-inf-im], so the same security considerations with the 1619 information model should be included in this document. The data 1620 model needs to support a mechanism to protect Consumer-Facing 1621 Interface to Security Controller. 1623 7. 
Acknowledgements 1625 This work was supported by Institute for Information & communications 1626 Technology Promotion (IITP) grant funded by the Korea government 1627 (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence 1628 Technology Development for the Customized Security Service 1629 Provisioning). 1631 8. Contributors 1633 I2NSF is a group effort. This document has greatly benefited from 1634 inputs by Mahdi F. Dachmehchi, Jinyong Tim Kim, and Daeyoung Hyun. 1635 I2NSF has a number of contributing authors. The following are 1636 considered co-authors: 1638 o Hyoungshick Kim (Sungkyunkwan University) 1640 o Seungjin Lee (Sungkyunkwan University) 1642 9. References 1644 9.1. Normative References 1646 [RFC3444] Pras, A., "On the Difference between Information Models 1647 and Data Models", RFC 3444, January 2003. 1649 9.2. Informative References 1651 [client-facing-inf-im] 1652 Kumar, R., Lohiya, A., Qi, D., Bitar, N., Palislamovic, 1653 S., and L. Xia, "Information model for Client-Facing 1654 Interface to Security Controller", draft-kumar-i2nsf- 1655 client-facing-interface-im-04 (work in progress), July 1656 2017. 1658 [client-facing-inf-req] 1659 Kumar, R., Lohiya, A., Qi, D., Bitar, N., Palislamovic, 1660 S., and L. Xia, "Requirements for Client-Facing Interface 1661 to Security Controller", draft-ietf-i2nsf-client-facing- 1662 interface-req-03 (work in progress), July 2017. 1664 [i2nsf-framework] 1665 Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. 1666 Kumar, "Framework for Interface to Network Security 1667 Functions", draft-ietf-i2nsf-framework-08 (work in 1668 progress), October 2017. 1670 [i2nsf-terminology] 1671 Hares, S., Strassner, J., Lopez, D., Birkholz, H., and L. 1672 Xia, "Information model for Client-Facing Interface to 1673 Security Controller", draft-ietf-i2nsf-terminology-04 1674 (work in progress), July 2017. 
   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

Appendix A. Changes from draft-jeong-i2nsf-consumer-facing-interface-dm-04

   The following changes have been made from
   draft-jeong-i2nsf-consumer-facing-interface-dm-04:

   o Sections 4 and 5 have been revised to produce a data tree model
     and a YANG data model according to the information model and
     Event-Condition-Action (ECA) based policy generation, as suggested
     in the most recent draft of the I2NSF Consumer-Facing Interface
     Information Model [client-facing-inf-im] and the I2NSF Framework
     [i2nsf-framework].

   o The data tree model in Appendix B and the YANG in Appendix C have
     also been modified for better adoption of ECA based policy
     generation.

   o The example XML output in Appendix D has been modified for the
     VoIP service policy based on the YANG in Appendix C.

   o Overall editorial errors have been corrected.

Appendix B. Use Case: Policy Instance Example for VoIP/VoLTE Security
            Services

   A common scenario for VoIP/VoLTE policy enforcement could be that a
   malicious call is made to a benign user of a telecommunication
   company. For example, imagine a case where a company "A" employs a
   hacker with the malicious intent of infecting a user's phone with
   malware. The company "A" is located in another country, such as one
   in Africa, and uses the user's hacked phone to call the company. The
   hacked user is unaware of the company "A", so complains about the
   international call to the company "B", which is the user's
   telecommunications company. The company "A" charges the company "B"
   for the international call. The company "B" cannot charge the user
   for the call, and has no choice but to pay the company "A". The
   following shows the example data tree model for the VoIP/VoLTE
   services.
   Multi-tenancy, endpoint groups, threat prevention, and telemetry data
   components are a general part of the tree model, so we can just
   modify the policy instance in order to generate and enforce
   high-level policies. The policy-calendar can act as a scheduler to
   set the start and end time to block calls which use suspicious IDs,
   or calls from other countries.

   module: ietf-i2nsf-cf-interface-voip
     +--rw ietf-i2nsf-consumer-facing-interface
        +--rw policy-voip
           +--rw rule-voip* [rule-voip-id]
           |  +--rw rule-voip-id          uint16
           |  +--rw name?                 string
           |  +--rw date?                 yang:date-and-time
           |  +--rw event* [event-id]
           |  |  +--rw event-id           string
           |  |  +--rw name?              string
           |  |  +--rw date?              yang:date-and-time
           |  |  +--rw event-type?        string
           |  |  +--rw time-information
           |  |  |  +--rw start-time?     yang:date-and-time
           |  |  |  +--rw end-time?       yang:date-and-time
           |  |  +--rw event-map-group?   -> /ietf-i2nsf-consumer-facing-interface/
           |  |  |                           threat-prevention/threat-feed/
           |  |  |                           threat-feed-id
           |  |  +--rw enable?            boolean
           |  +--rw condition* [condition-id]
           |  |  +--rw condition-id       string
           |  |  +--rw source-caller?     -> /ietf-i2nsf-consumer-facing-interface/
           |  |  |                           threat-prevention/custom-list/
           |  |  |                           custom-list-id
           |  |  +--rw destination-callee? -> /ietf-i2nsf-consumer-facing-interface/
           |  |  |                           end-group/user-group/
           |  |  |                           user-group-id
           |  |  +--rw match?             boolean
           |  |  +--rw match-direction?   enum
           |  |  +--rw exception?         string
           |  +--rw action* [action-id]
           |  |  +--rw action-id          string
           |  |  +--rw name?              string
           |  |  +--rw date?              yang:date-and-time
           |  |  +--rw primary-action?    enum
           |  |  +--rw secondary-action?  enum
           |  +--rw precedence?           uint8
           +--rw owner?                   string

     Figure 3: Policy Instance Example for VoIP/VoLTE Security Services

Appendix C. Policy Instance YANG Example for VoIP/VoLTE Security
            Services

   The following YANG data model is a policy instance for VoIP/VoLTE
   security services. The policy-calendar can act as a scheduler to set
   the start time and end time to block malicious calls which use
   suspicious IDs, or calls from other countries.

file "ietf-i2nsf-cf-interface-voip.yang"

module ietf-i2nsf-cf-interface-voip {
  // The listing in the draft begins at the container below; this
  // module header, with a placeholder namespace, wraps it so the
  // file is a complete YANG module.
  namespace "urn:example:ietf-i2nsf-cf-interface-voip";
  prefix cf-voip;
  import ietf-yang-types {
    prefix yang;
  }

  container ietf-i2nsf-consumer-facing-interface {
    description
      "grouping Policy-VoIP";
    container policy-voip {
      description
        "This object is a policy instance that holds
         complete information such as where and when
         a policy needs to be applied.";

      list rule-voip {
        key "rule-voip-id";
        leaf rule-voip-id {
          type uint16;
          mandatory true;
          description
            "This is the ID for rules.";
        }
        description
          "This is a container for rules.";
        leaf name {
          type string;
          description
            "This field identifies the name of this object.";
        }

        leaf date {
          type yang:date-and-time;
          description
            "Date this object was created or last
             modified.";
        }

        list event {
          key "event-id";
          description
            "This represents the security event of a
             policy-rule.";

          leaf event-id {
            type string;
            mandatory true;
            description
              "This represents the event-id.";
          }
          leaf name {
            type string;
            description
              "This field identifies the name of this object.";
          }
          leaf date {
            type yang:date-and-time;
            description
              "Date this object was created or last
               modified.";
          }
          leaf event-type {
            type string;
            description
              "This field identifies the event type.";
          }
          container time-information {
            leaf start-time {
              type yang:date-and-time;
              description
                "Start time information.";
            }
            leaf end-time {
              type yang:date-and-time;
              description
                "End time information.";
            }
            description
              "This field contains a time calendar such as
               BEGIN-TIME and END-TIME for one-time
               enforcement or a recurring time calendar for
               periodic enforcement.";
          }
          leaf event-map-group {
            type leafref {
              path "/ietf-i2nsf-consumer-facing-interface/"
                 + "threat-prevention/threat-feed/threat-feed-id";
            }
            description
              "This field contains security events or a threat
               map in order to determine when a policy needs
               to be activated. This is a reference to an
               Event-Map-Group.";
          }
          leaf enable {
            type boolean;
            description
              "This determines whether the condition
               matches the security event or not.
               There can be a negation rule, such that an
               action is applied when there is no event.";
          }
        }

        list condition {
          key "condition-id";
          description
            "This represents the condition of a
             policy-rule.";
          leaf condition-id {
            type string;
            description
              "This represents the condition-id.";
          }
          leaf source-caller {
            type leafref {
              path "/ietf-i2nsf-consumer-facing-interface/"
                 + "threat-prevention/custom-list/custom-list-id";
            }
            description
              "This field identifies the source of
               the traffic. This could be a reference to
               either 'Policy Endpoint Group', 'Threat-Feed'
               or 'Custom-List' if the Security Admin wants
               to specify the source; otherwise, the default
               is to match all traffic.";
          }
          leaf destination-callee {
            type leafref {
              path "/ietf-i2nsf-consumer-facing-interface/"
                 + "end-group/user-group/user-group-id";
            }
            description
              "This field identifies the destination of
               the traffic. This could be a reference to
               either 'Policy Endpoint Group', 'Threat-Feed'
               or 'Custom-List' if the Security Admin wants
               to specify the destination; otherwise, the
               default is to match all traffic.";
          }
          leaf match {
            type boolean;
            description
              "This field identifies the match criteria used to
               evaluate whether the specified action needs to be
               taken or not. This could be either a Policy-
               Endpoint-Group identifying an application set or
               a set of traffic rules.";
          }
          leaf match-direction {
            type string;
            description
              "This field identifies whether the match criteria
               are to be evaluated for both directions of the
               traffic or only in one direction, with the default
               of allowing the other direction for stateful match
               conditions. This is optional; by default a rule
               applies in both directions.";
          }
          leaf exception {
            type string;
            description
              "This field identifies the exception to be
               considered when a rule is evaluated for a
               given communication. This could be a reference
               to a Policy-Endpoint-Group object or a set of
               traffic matching criteria.";
          }
        }

        list action {
          key "action-id";
          leaf action-id {
            type string;
            mandatory true;
            description
              "This represents the policy-action-id.";
          }
          description
            "This object represents actions that a
             Security Admin wants to perform on
             a certain traffic class.";
          leaf name {
            type string;
            description
              "The name of the policy-action object.";
          }
          leaf date {
            type yang:date-and-time;
            description
              "When the object was created or last
               modified.";
          }

          leaf primary-action {
            type string;
            description
              "This field identifies the action taken when a
               rule is matched by the NSF. The action could be
               one of 'PERMIT', 'DENY', 'RATE-LIMIT',
               'TRAFFIC-CLASS', 'AUTHENTICATE-SESSION', 'IPS',
               'APP-FIREWALL', etc.";
          }

          leaf secondary-action {
            type string;
            description
              "This field identifies additional actions taken
               if a rule is matched. This could be one of
               'LOG', 'SYSLOG', 'SESSION-LOG', etc.";
          }
        }

        leaf precedence {
          type uint8;
          description
            "This field identifies the precedence
             assigned to this rule by the Security Admin.
             This is helpful in conflict resolution
             when two or more rules match a given
             traffic class.";
        }
      }

      list owner {
        key "owner-id";
        leaf owner-id {
          type string;
          mandatory true;
          description
            "This represents the owner-id.";
        }
        description
          "This field defines the owner of this policy.
           Only the owner is authorized to modify the
           contents of the policy.";

        leaf name {
          type string;
          description
            "The name of the owner.";
        }
        leaf date {
          type yang:date-and-time;
          description
            "When the object was created or last
             modified.";
        }
      }
    }
  }
}

     Figure 4: Policy Instance YANG Example for VoIP Security Services

Appendix D. Example XML output for VoIP service

   In this section, we present an XML example for the VoIP service.
   Here, we are going to drop calls coming from a country, with an IP
   address from South Africa, that is classified as malicious.
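   The policy instance of Appendix C and the values of the XML example
   can be exercised with a small checker. The following is an added
   example, not code from the draft: it resolves the policy's
   references (event-map-group, source-caller) against threat-prevention
   data, range-checks the uint8 precedence, and decides what an NSF
   should do with a call, including a start/end window that wraps past
   midnight. The prefix 105.176.0.0/16, the custom-list id 1 and the
   sample calls are constructed for this example.

```python
"""Check and evaluate a VoIP policy instance shaped like Appendix C / Figure 5.

Added example, not code from the draft.  The dicts below mirror the YANG leaf
names; the prefix 105.176.0.0/16, the custom-list id 1 and the call records
are constructed for this example.
"""
import ipaddress
from datetime import time

# Constructed threat-prevention data: one custom-list (an ip-address blacklist)
# and the event-map-group with id 19 referenced by the event in Figure 5.
THREAT_PREVENTION = {
    "custom-list": {
        1: {"name": "malicious-callers", "list-type": "ip-address",
            "list-property": "blacklist", "list-content": "105.176.0.0/16"},
    },
    "event-map-group": {19: {"name": "voip-events"}},
}

# Constructed policy-voip instance following Figure 4: DENY and LOG calls from
# the blacklisted callers between 22:00 and 08:00 (the window crosses midnight).
POLICY_VOIP = {
    "rule-voip-id": 1, "name": "voip-policy-example",
    "event": {"event-id": "1", "event-type": "malicious",
              "time-information": {"start-time": "22:00", "end-time": "08:00"},
              "event-map-group": 19, "enable": True},
    "condition": {"condition-id": "1", "source-caller": 1},
    "action": {"action-id": "1", "primary-action": "DENY",
               "secondary-action": "LOG"},
    "precedence": 10,
}


def validate(policy, tp):
    """Return the problems found: unresolved references and out-of-range values."""
    problems = []
    if policy["event"]["event-map-group"] not in tp["event-map-group"]:
        problems.append("event-map-group does not reference an existing group")
    src = policy["condition"].get("source-caller")
    if src is not None and src not in tp["custom-list"]:
        problems.append("source-caller does not reference an existing custom-list")
    elif src is not None and tp["custom-list"][src]["list-type"] != "ip-address":
        problems.append("source-caller must reference an ip-address custom-list")
    if not 0 <= policy["precedence"] <= 255:  # precedence is a uint8
        problems.append("precedence is outside the uint8 range")
    return problems


def in_window(now, start, end):
    """True when 'now' (HH:MM) lies in [start, end); handles windows that
    wrap past midnight, such as 22:00-08:00."""
    now, start, end = (time.fromisoformat(s) for s in (now, start, end))
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def evaluate_call(policy, tp, caller_ip, now):
    """Return the actions for a call from caller_ip at time 'now' (HH:MM),
    or [] when the rule does not match."""
    ev = policy["event"]
    if not ev["enable"]:
        return []
    ti = ev["time-information"]
    if not in_window(now, ti["start-time"], ti["end-time"]):
        return []
    clist = tp["custom-list"][policy["condition"]["source-caller"]]
    prefixes = [ipaddress.ip_network(p.strip())
                for p in clist["list-content"].split(",")]
    listed = any(ipaddress.ip_address(caller_ip) in p for p in prefixes)
    # A blacklist matches listed callers; a whitelist matches everyone else.
    matched = listed if clist["list-property"] == "blacklist" else not listed
    if not matched:
        return []
    act = policy["action"]
    return [act["primary-action"], act["secondary-action"]]


if __name__ == "__main__":
    print(validate(POLICY_VOIP, THREAT_PREVENTION))            # []
    print(evaluate_call(POLICY_VOIP, THREAT_PREVENTION,
                        "105.176.12.34", "23:30"))              # ['DENY', 'LOG']
```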
   [Figure 5 listing: the XML element tags did not survive extraction;
   only the element values remain, in document order: 01,
   voip-policy-example, 2017.10.25/20:30:32, 01, voip_call,
   2017.10.25/20:30:32, malicious, 22:00, 08:00, 19, True, 01,
   105.176.0.0, 192.168.171.35, default, 00, 01, action-voip,
   2017.10.25/20:30:32, DENY, LOG, none, 01, i2nsf-admin]

                Figure 5: An XML example for VoIP service

Authors' Addresses

   Jaehoon Paul Jeong
   Department of Software
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax: +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI: http://iotlab.skku.edu/people-jaehoon-jeong.php

   Eunsoo Kim
   Department of Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4104
   EMail: eskim86@skku.edu
   URI: http://seclab.skku.edu/people/eunsoo-kim/

   Tae-Jin Ahn
   Korea Telecom
   70 Yuseong-Ro, Yuseong-Gu
   Daejeon 305-811
   Republic of Korea

   Phone: +82 42 870 8409
   EMail: taejin.ahn@kt.com

   Rakesh Kumar
   Juniper Networks
   1133 Innovation Way
   Sunnyvale, CA 94089
   USA

   EMail: rkkumar@juniper.net

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com