Network Working Group                                             J. Kim
Internet-Draft                                                  J. Jeong
Intended status: Standards Track                 Sungkyunkwan University
Expires: September 13, 2017                                      J. Park
                                                                    ETRI
                                                                S. Hares
                                                                  L. Xia
                                                                  Huawei
                                                          March 12, 2017

     I2NSF Network Security Functions Facing Interface YANG Data Model
            draft-kim-i2nsf-nsf-facing-interface-data-model-01

Abstract

   This document defines a YANG data model corresponding to the
   information model for the Network Security Functions (NSF) facing
   interface in Interface to Network Security Functions (I2NSF).  It
   describes a data model for three security capabilities (i.e., network
   security functions), namely network security control, content
   security control, and attack mitigation control, as defined in the
   information model for the I2NSF NSF capabilities.

Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 13, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  Information Model Structure
   5.  YANG Model
   6.  Security Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Changes from
                draft-kim-i2nsf-nsf-facing-interface-data-model-00

1.  Introduction

   This document defines a YANG [RFC6020] data model for security
   services based on the information model for the Network Security
   Functions (NSF) facing interface in Interface to Network Security
   Functions (I2NSF).  It provides a specific information model and the
   corresponding data models for three security capabilities (i.e.,
   network security functions), namely network security control,
   content security control, and attack mitigation control, as defined
   in [i2nsf-cap-interface-im].  With these data models, the I2NSF
   controller can control the capabilities of NSFs.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Terminology

   This document uses the terminology described in
   [i2nsf-cap-interface-im], [i2rs-rib-data-model], and
   [supa-policy-info-model].  In particular, the following terms are
   from [supa-policy-info-model]:

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams
   [i2rs-rib-data-model] is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  Information Model Structure

   Figure 1 shows an overview of the structure tree of network security
   control, content security control, and attack mitigation control, as
   defined in [i2nsf-cap-interface-im].
   module: ietf-i2nsf-nsf-facing-interface
     +--rw cfg-network-security-control
     |  +--rw policy
     |     +--rw policy-name   string
     |     +--rw policy-id     string
     |     +--rw rules* [rule-id]
     |        +--rw rule-name         string
     |        +--rw rule-id           uint8
     |        +--rw rule-msg          string
     |        +--rw rule-rev          uint8
     |        +--rw rule-gid          uint8
     |        +--rw rule-class-type   string
     |        +--rw rule-reference    string
     |        +--rw rule-priority     uint8
     |        +--rw event
     |        |  +--rw user-security-event* [usr-sec-event-id]
     |        |  |  +--rw usr-sec-event-id        uint8
     |        |  |  +--rw usr-sec-event-content   string
     |        |  |  +--rw usr-sec-event-format    uint8
     |        |  |  +--rw usr-sec-event-type      uint8
     |        |  +--rw device-security-event* [dev-sec-event-id]
     |        |  |  +--rw dev-sec-event-id              uint8
     |        |  |  +--rw dev-sec-event-content         string
     |        |  |  +--rw dev-sec-event-format          uint8
     |        |  |  +--rw dev-sec-event-type            uint8
     |        |  |  +--rw dev-sec-event-type-severity   uint8
     |        |  +--rw system-security-event* [sys-sec-event-id]
     |        |  |  +--rw sys-sec-event-id        uint8
     |        |  |  +--rw sys-sec-event-content   string
     |        |  |  +--rw sys-sec-event-format    uint8
     |        |  |  +--rw sys-sec-event-type      uint8
     |        |  +--rw time-security-event* [time-sec-event-id]
     |        |     +--rw time-sec-event-id             uint8
     |        |     +--rw time-sec-event-period-begin   yang:date-and-time
     |        |     +--rw time-sec-event-period-end     yang:date-and-time
     |        |     +--rw time-sec-event-time-zone      string
     |        +--rw condition
     |        |  +--rw packet-security-condition* [pkt-security-id]
     |        |  |  +--rw pkt-security-id   uint8
     |        |  |  +--rw packet-security-mac-condition
     |        |  |  |  +--rw pkt-sec-cond-mac-dest*         inet:port-number
     |        |  |  |  +--rw pkt-sec-cond-mac-src*          inet:port-number
     |        |  |  |  +--rw pkt-sec-cond-mac-8021q*        string
     |        |  |  |  +--rw pkt-sec-cond-mac-ether-type*   string
     |        |  |  |  +--rw pkt-sec-cond-mac-tci*          string
     |        |  |  +--rw packet-security-ipv4-condition
     |        |  |  |  +--rw pkt-sec-cond-ipv4-header-length*     uint8
     |        |  |  |  +--rw pkt-sec-cond-ipv4-tos*               uint8
     |        |  |  |  +--rw pkt-sec-cond-ipv4-total-length*      uint16
     |        |  |  |  +--rw pkt-sec-cond-ipv4-id*                uint16
     |        |  |  |  +--rw pkt-sec-cond-ipv4-fragment*          uint8
     |        |  |  |  +--rw pkt-sec-cond-ipv4-fragment-offset*   uint16
     |        |  |  |  +--rw pkt-sec-cond-ipv4-ttl*               uint8
     |        |  |  |  +--rw pkt-sec-cond-ipv4-protocol*          uint8
     |        |  |  |  +--rw pkt-sec-cond-ipv4-src*               inet:ipv4-address
     |        |  |  |  +--rw pkt-sec-cond-ipv4-dest*              inet:ipv4-address
     |        |  |  |  +--rw pkt-sec-cond-ipv4-ipopts             string
     |        |  |  |  +--rw pkt-sec-cond-ipv4-sameip             boolean
     |        |  |  |  +--rw pkt-sec-cond-ipv4-geoip*             string
     |        |  |  +--rw packet-security-ipv6-condition
     |        |  |  |  +--rw pkt-sec-cond-ipv6-dscp*             string
     |        |  |  |  +--rw pkt-sec-cond-ipv6-ecn*              string
     |        |  |  |  +--rw pkt-sec-cond-ipv6-traffic-class*    uint8
     |        |  |  |  +--rw pkt-sec-cond-ipv6-flow-label*       uint32
     |        |  |  |  +--rw pkt-sec-cond-ipv6-payload-length*   uint16
     |        |  |  |  +--rw pkt-sec-cond-ipv6-next-header*      uint8
     |        |  |  |  +--rw pkt-sec-cond-ipv6-hop-limit*        uint8
     |        |  |  |  +--rw pkt-sec-cond-ipv6-src*              inet:ipv6-address
     |        |  |  |  +--rw pkt-sec-cond-ipv6-dest*             inet:ipv6-address
     |        |  |  +--rw packet-security-tcp-condition
     |        |  |  |  +--rw pkt-sec-cond-tcp-seq-num*       uint32
     |        |  |  |  +--rw pkt-sec-cond-tcp-ack-num*       uint32
     |        |  |  |  +--rw pkt-sec-cond-tcp-window-size*   uint16
     |        |  |  |  +--rw pkt-sec-cond-tcp-flags*         uint8
     |        |  |  +--rw packet-security-udp-condition
     |        |  |  |  +--rw pkt-sec-cond-udp-length*   string
     |        |  |  +--rw packet-security-icmp-condition
     |        |  |     +--rw pkt-sec-cond-icmp-type*      uint8
     |        |  |     +--rw pkt-sec-cond-icmp-code*      uint8
     |        |  |     +--rw pkt-sec-cond-icmp-seq-num*   uint32
     |        |  +--rw packet-payload-security-condition* [pkt-payload-id]
     |        |  |  +--rw pkt-payload-id         uint8
     |        |  |  +--rw pkt-payload-content    string
     |        |  |  +--rw pkt-payload-nocase     boolean
     |        |  |  +--rw pkt-payload-depth      uint32
     |        |  |  +--rw pkt-payload-offset     uint32
     |        |  |  +--rw pkt-payload-distance   uint32
     |        |  |  +--rw pkt-payload-within     uint32
     |        |  |  +--rw pkt-payload-isdataat   uint32
     |        |  |  +--rw pkt-payload-dsize      uint32
     |        |  |  +--rw pkt-payload-replace    string
     |        |  |  +--rw pkt-payload-pcre       string
     |        |  |  +--rw pkt-payload-rpc
     |        |  |     +--rw pkt-payload-rpc-app-num         uint32
     |        |  |     +--rw pkt-payload-rpc-version-num     uint32
     |        |  |     +--rw pkt-payload-rpc-procedure-num   uint32
     |        |  +--rw target-security-condition* [target-sec-cond-id]
     |        |  |  +--rw target-sec-cond-id   uint8
     |        |  |  +--rw service-sec-context-cond?
     |        |  |  |  +--rw name         string
     |        |  |  |  +--rw protocol
     |        |  |  |  |  +--rw TCP?      boolean
     |        |  |  |  |  +--rw UDP?      boolean
     |        |  |  |  |  +--rw ICMP?     boolean
     |        |  |  |  |  +--rw ICMPv6?   boolean
     |        |  |  |  |  +--rw IP?       boolean
     |        |  |  |  +--rw src-port?    inet:port-number
     |        |  |  |  +--rw dest-port?   inet:port-number
     |        |  |  +--rw application-sec-context-cond?
     |        |  |  |  +--rw name   string
     |        |  |  |  +--rw category
     |        |  |  |  |  +--rw business-system?   boolean
     |        |  |  |  |  +--rw entertainment?     boolean
     |        |  |  |  |  +--rw internet?          boolean
     |        |  |  |  |  +--rw network?           boolean
     |        |  |  |  |  +--rw general?           boolean
     |        |  |  |  +--rw subcategory
     |        |  |  |  |  +--rw finance?          boolean
     |        |  |  |  |  +--rw email?            boolean
     |        |  |  |  |  +--rw game?             boolean
     |        |  |  |  |  +--rw media-sharing?    boolean
     |        |  |  |  |  +--rw social-network?   boolean
     |        |  |  |  |  +--rw web-posting?      boolean
     |        |  |  |  +--rw data-transmission-model
     |        |  |  |  |  +--rw client-server?   boolean
     |        |  |  |  |  +--rw browser-based?   boolean
     |        |  |  |  |  +--rw networking?      boolean
     |        |  |  |  |  +--rw peer-to-peer?    boolean
     |        |  |  |  |  +--rw unassigned?      boolean
     |        |  |  |  +--rw risk-level
     |        |  |  |     +--rw exploitable?           boolean
     |        |  |  |     +--rw productivity-loss?     boolean
     |        |  |  |     +--rw evasive?               boolean
     |        |  |  |     +--rw data-loss?             boolean
     |        |  |  |     +--rw malware-vehicle?       boolean
     |        |  |  |     +--rw bandwidth-consuming?   boolean
     |        |  |  |     +--rw tunneling?             boolean
     |        |  |  +--rw device-sec-context-cond?
     |        |  |     +--rw pc?             boolean
     |        |  |     +--rw mobile-phone?   boolean
     |        |  |     +--rw tablet?         boolean
     |        |  |     +--rw voip-phone      boolean
     |        |  +--rw user-security-cond* [usr-sec-cond-id]
     |        |  |  +--rw usr-sec-cond-id   uint8
     |        |  |  +--rw user
     |        |  |  |  +--rw (user-name)?
     |        |  |  |     +--: (tenant)
     |        |  |  |     |  +--rw tenant   uint8
     |        |  |  |     +--: (vn-id)
     |        |  |  |        +--rw vn-id    uint8
     |        |  |  +--rw group
     |        |  |     +--rw (group-name)?
     |        |  |        +--: (tenant)
     |        |  |        |  +--rw tenant   uint8
     |        |  |        +--: (vn-id)
     |        |  |           +--rw vn-id    uint8
     |        |  +--rw security-context-condition* [sec-context-cond-id]
     |        |  |  +--rw sec-context-cond-id   uint8
     |        |  |  +--rw (state)?
     |        |  |     +--: (session-state)
     |        |  |     |  +--rw tcp-session-state
     |        |  |     |     +--rw new?           boolean
     |        |  |     |     +--rw established?   boolean
     |        |  |     |     +--rw related?       boolean
     |        |  |     |     +--rw invalid?       boolean
     |        |  |     |     +--rw untracked?     boolean
     |        |  |     +--: (session-aaa-state)
     |        |  |     |  +--rw session-sip-state
     |        |  |     |     +--rw auth-state?   boolean
     |        |  |     |     +--rw call-state?   boolean
     |        |  |     +--: (access-mode)
     |        |  |        +--rw access-mode   string
     |        |  +--rw generic-context-condition* [gen-context-cond-id]
     |        |     +--rw gen-context-cond-id   uint8
     |        |     +--rw geographic-location
     |        |        +--rw geographic-location-id*   uint8
     |        +--rw action
     |           +--rw (action-type)?
     |              +--: (ingress-action)
     |              |  +--rw (ingress-action-type)?
     |              |     +--: (pass)
     |              |     |  +--rw pass     boolean
     |              |     +--: (drop)
     |              |     |  +--rw drop     boolean
     |              |     +--: (reject)
     |              |     |  +--rw reject   boolean
     |              |     +--: (mirror)
     |              |        +--rw mirror   boolean
     |              +--: (egress-action)
     |              |  +--rw (egress-action-type)?
     |              |     +--: (invoke-signaling)
     |              |     |  +--rw invoke-signaling       boolean
     |              |     +--: (tunnel-encapsulation)
     |              |     |  +--rw tunnel-encapsulation   boolean
     |              |     +--: (forwarding)
     |              |        +--rw forwarding             boolean
     |              +--: (apply-profile-action)
     |                 +--rw (apply-profile-action-type)?
     |                    +--: (content-security-control)
     |                    |  +--rw content-security-control-types
     |                    |     +--rw antivirus
     |                    |     |  +--rw antivirus-insp?             boolean
     |                    |     +--rw ips
     |                    |     |  +--rw ips-insp?                   boolean
     |                    |     +--rw ids
     |                    |     |  +--rw ids-insp?                   boolean
     |                    |     +--rw url-filtering
     |                    |     |  +--rw url-filtering-insp?         boolean
     |                    |     +--rw data-filtering
     |                    |     |  +--rw data-filtering-insp?        boolean
     |                    |     +--rw mail-filtering
     |                    |     |  +--rw mail-filtering-insp?        boolean
     |                    |     +--rw file-blocking
     |                    |     |  +--rw file-blocking-insp?         boolean
     |                    |     +--rw file-isolate
     |                    |     |  +--rw file-isolate-insp?          boolean
     |                    |     +--rw pkt-capture
     |                    |     |  +--rw pkt-capture-insp?           boolean
     |                    |     +--rw application-control
     |                    |     |  +--rw application-control-insp?   boolean
     |                    |     +--rw voip-volte
     |                    |        +--rw voip-volte-insp?            boolean
     |                    +--: (attack-mitigation-control)
     |                       +--rw (attack-mitigation-control-type)?
     |                          +--: (ddos-attack)
     |                          |  +--rw (ddos-attack-type)?
     |                          |     +--: (network-layer-ddos-attack)
     |                          |     |  +--rw network-layer-ddos-attack-types
     |                          |     |     +--rw syn-flood-attack
     |                          |     |     |  +--rw syn-flood-insp       boolean
     |                          |     |     +--rw udp-flood-attack
     |                          |     |     |  +--rw udp-flood-insp       boolean
     |                          |     |     +--rw icmp-flood-attack
     |                          |     |     |  +--rw icmp-flood-insp      boolean
     |                          |     |     +--rw ip-frag-flood-attack
     |                          |     |     |  +--rw ip-frag-flood-insp   boolean
     |                          |     |     +--rw ipv6-related-attacks
     |                          |     |        +--rw ipv6-related-insp    boolean
     |                          |     +--: (app-layer-ddos-attack)
     |                          |        +--rw app-layer-ddos-attack-types
     |                          |           +--rw http-flood-attack
     |                          |           |  +--rw http-flood-insp      boolean
     |                          |           +--rw https-flood-attack
     |                          |           |  +--rw https-flood-insp     boolean
     |                          |           +--rw dns-flood-attack
     |                          |           |  +--rw dns-flood-insp       boolean
     |                          |           +--rw dns-amp-flood-attack
     |                          |           |  +--rw dns-amp-flood-insp   boolean
     |                          |           +--rw ssl-ddos-attack
     |                          |              +--rw ssl-ddos-insp        boolean
     |                          +--: (single-packet-attack)
     |                             +--rw (single-packet-attack-type)?
     |                                +--: (scan-and-sniff-attack)
     |                                |  +--rw scan-and-sniff-attack-types
     |                                |     +--rw ip-sweep-attack
     |                                |     |  +--rw ip-sweep-insp        boolean
     |                                |     +--rw port-scanning-attack
     |                                |        +--rw port-scanning-insp   boolean
     |                                +--: (malformed-packet-attack)
     |                                |  +--rw malformed-packet-attack-types
     |                                |     +--rw ping-of-death-attack
     |                                |     |  +--rw ping-of-death-insp   boolean
     |                                |     +--rw teardrop-attack
     |                                |        +--rw teardrop-insp        boolean
     |                                +--: (special-packet-attack)
     |                                   +--rw special-packet-attack-types
     |                                      +--rw oversized-icmp-attack
     |                                      |  +--rw oversized-icmp-insp   boolean
     |                                      +--rw tracert-attack
     |                                         +--rw tracert-insp          boolean
     +--rw cfg-content-security-control
     |  +--rw (cfg-content-security-control-type)?
     |     +--: (cfg-antivirus)
     |     |  +--rw antivirus-rule* [rule-id]
     |     |     +--rw rule-id   uint8
     |     +--: (cfg-ips)
     |     |  +--rw ips-rule* [rule-id]
     |     |     +--rw rule-id   uint8
     |     +--: (cfg-ids)
     |     |  +--rw ids-rule* [rule-id]
     |     |     +--rw rule-id   uint8
     |     +--: (cfg-url-filter)
     |     |  +--rw url-filter-rule* [rule-id]
     |     |     +--rw rule-id   uint8
     |     +--: (cfg-data-filter)
     |     |  +--rw data-filter-rule* [rule-id]
     |     |     +--rw rule-id   uint8
     |     +--: (cfg-mail-filter)
     |     |  +--rw mail-filter-rule* [rule-id]
     |     |     +--rw rule-id   uint8
     |     +--: (cfg-file-blocking)
     |     |  +--rw file-blocking-rule* [rule-id]
     |     |     +--rw rule-id   uint8
     |     +--: (cfg-file-isolate)
     |     |  +--rw file-isolate-rule* [rule-id]
     |     |     +--rw rule-id   uint8
     |     +--: (cfg-pkt-capture)
     |     |  +--rw pkt-capture-rule* [rule-id]
     |     |     +--rw rule-id   uint8
     |     +--: (cfg-app-control)
     |     |  +--rw app-control-rule* [rule-id]
     |     |     +--rw rule-id   uint8
     |     +--: (cfg-voip-volte)
     |        +--rw voip-volte-rule* [rule-id]
     |           +--rw rule-id   uint8
     |           +--rw event
     |           |  +--rw called-voip    boolean
     |           |  +--rw called-volte   boolean
     |           +--rw condition
     |           |  +--rw sip-header* [sip-header-uri]
     |           |  |  +--rw sip-header-uri          string
     |           |  |  +--rw sip-header-method       string
     |           |  |  +--rw expire-time             yang:date-and-time
     |           |  |  +--rw sip-header-user-agent   uint32
     |           |  +--rw cell-region?* [cell-id-region]
     |           |     +--rw cell-id-region   uint32
     |           +--rw action
     |              +--rw (action-type)?
     |                 +--: (ingress-action)
     |                 |  +--rw (ingress-action-type)?
     |                 |     +--: (pass)
     |                 |     |  +--rw pass     boolean
     |                 |     +--: (drop)
     |                 |     |  +--rw drop     boolean
     |                 |     +--: (reject)
     |                 |     |  +--rw reject   boolean
     |                 |     +--: (alert)
     |                 |     |  +--rw alert    boolean
     |                 |     +--: (mirror)
     |                 |        +--rw mirror   boolean
     |                 +--: (egress-action)
     |                    +--rw (egress-action-type)?
     |                       +--: (redirection)
     |                          +--rw redirection?   boolean
     +--rw cfg-attack-mitigation-control
        +--rw (cfg-attack-mitigation-control-type)?
           +--: (cfg-ddos-attack)
           |  +--rw (cfg-ddos-attack-type)?
           |     +--: (cfg-network-layer-ddos-attack)
           |     |  +--rw (cfg-network-layer-ddos-attack-type)?
           |     |     +--: (cfg-syn-flood-attack)
           |     |     |  +--rw syn-flood-attack-rule* [rule-id]
           |     |     |     +--rw rule-id   uint8
           |     |     +--: (cfg-udp-flood-attack)
           |     |     |  +--rw udp-flood-attack-rule* [rule-id]
           |     |     |     +--rw rule-id   uint8
           |     |     +--: (cfg-icmp-flood-attack)
           |     |     |  +--rw icmp-flood-attack-rule* [rule-id]
           |     |     |     +--rw rule-id   uint8
           |     |     +--: (cfg-ip-frag-flood-attack)
           |     |     |  +--rw ip-frag-flood-attack-rule* [rule-id]
           |     |     |     +--rw rule-id   uint8
           |     |     +--: (cfg-ipv6-related-attacks)
           |     |        +--rw ipv6-related-attacks-rule* [rule-id]
           |     |           +--rw rule-id   uint8
           |     +--: (cfg-app-layer-ddos-attack)
           |        +--rw (cfg-app-layer-ddos-attack-type)?
           |           +--: (cfg-http-flood-attack)
           |           |  +--rw http-flood-attack-rule* [rule-id]
           |           |     +--rw rule-id   uint8
           |           +--: (cfg-https-flood-attack)
           |           |  +--rw https-flood-attack-rule* [rule-id]
           |           |     +--rw rule-id   uint8
           |           +--: (cfg-dns-flood-attack)
           |           |  +--rw dns-flood-attack-rule* [rule-id]
           |           |     +--rw rule-id   uint8
           |           +--: (cfg-dns-amp-flood-attack)
           |           |  +--rw dns-amp-flood-attack-rule* [rule-id]
           |           |     +--rw rule-id   uint8
           |           +--: (cfg-ssl-ddos-attack)
           |              +--rw ssl-ddos-attack-rule* [rule-id]
           |                 +--rw rule-id   uint8
           +--: (cfg-single-packet-attack)
              +--rw (cfg-single-packet-attack-type)?
                 +--: (cfg-scan-and-sniff-attack)
                 |  +--rw (cfg-scan-and-sniff-attack-type)?
                 |     +--: (cfg-ip-sweep-attack)
                 |     |  +--rw ip-sweep-attack-rule* [rule-id]
                 |     |     +--rw rule-id   uint8
                 |     +--: (cfg-port-scanning-attack)
                 |        +--rw port-scanning-attack-rule* [rule-id]
                 |           +--rw rule-id   uint8
                 +--: (cfg-malformed-packet-attack)
                 |  +--rw (cfg-malformed-packet-attack-type)?
                 |     +--: (cfg-ping-of-death-attack)
                 |     |  +--rw ping-of-death-attack-rule* [rule-id]
                 |     |     +--rw rule-id   uint8
                 |     +--: (cfg-teardrop-attack)
                 |        +--rw teardrop-attack-rule* [rule-id]
                 |           +--rw rule-id   uint8
                 +--: (cfg-special-packet-attack)
                    +--rw (cfg-special-packet-attack-type)?
                       +--: (cfg-oversized-icmp-attack)
                       |  +--rw oversized-icmp-attack-rule* [rule-id]
                       |     +--rw rule-id   uint8
                       +--: (cfg-tracert-attack)
                          +--rw tracert-attack-rule* [rule-id]
                             +--rw rule-id   uint8

          Figure 1: Information Model of I2NSF NSF Facing Interface

5.  YANG Model

   This section introduces a YANG model for the information model of
   network security functions, as defined in [i2nsf-cap-interface-im].

   file "ietf-i2nsf-nsf-facing-interface@2017-03-12.yang"

   module ietf-i2nsf-nsf-facing-interface {
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-facing-interface";
     prefix
       nsf-facing-interface;

     import ietf-inet-types {
       prefix inet;
     }
     import ietf-yang-types {
       prefix yang;
     }

     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Adrian Farrel

        WG Chair: Linda Dunbar

        Editor: Jingyong Tim Kim

        Editor: Jaehoon Paul Jeong

        Editor: Susan Hares
        ";

     description
       "This module defines a YANG data model for network security
        functions.";
     revision "2017-03-12" {
       description "Initial revision";
       reference
         "draft-xibassnez-i2nsf-capability-00
          draft-kim-i2nsf-nsf-facing-interface-data-model-01";
     }

     //Groupings

     grouping cfg-network-security-control {
       description
         "Configuration for Network Security Control.";

       container policy {
         description
           "A policy is a grouping
            including a set of security rules according to certain logic,
            i.e., their similarity or mutual relations, etc.
            The network security policy is able to apply over both the
            unidirectional and bidirectional traffic across the NSF.";

         leaf policy-name {
           type string;
           mandatory true;
           description
             "The name of the policy.
              This must be unique.";
         }
         leaf policy-id {
           type string;
           mandatory true;
           description
             "The ID of the policy.
              This must be unique.";
         }

         list rules {
           key "rule-id";
           description
             "This is a rule for network security control.";

           leaf rule-name {
             type string;
             mandatory true;
             description
               "The name of the rule.
                This must be unique.";
           }

           leaf rule-id {
             type uint8;
             mandatory true;
             description
               "The ID of the rule.
                This is the key for the rule list.
                This must be unique.";
           }

           leaf rule-msg {
             type string;
             mandatory true;
             description
               "The keyword msg gives more information about
                the signature and the possible alert.";
           }

           leaf rule-rev {
             type uint8;
             mandatory true;
             description
               "The sid keyword is almost always
                accompanied by rev.";
           }

           leaf rule-gid {
             type uint8;
             mandatory true;
             description
               "The gid keyword can be used to give different
                groups of signatures another id value
                (like in sid).";
           }

           leaf rule-class-type {
             type string;
             mandatory true;
             description
               "The classtype keyword gives information about
                the classification of rules and alerts.";
           }

           leaf rule-reference {
             type string;
             mandatory true;
             description
               "The reference keywords direct to places where
                information about the signature, and about the
                problem the signature tries to address, can be
                found.";
           }

           leaf rule-priority {
             type uint8;
             mandatory true;
             description
               "The priority keyword comes with a mandatory
                numeric value which can range from 1 to 255.";
           }

           container event {
             description
               "An Event is defined as any important occurrence in time
                of a change in the system being managed, and/or in the
                environment of the system being managed.  When used in
                the context of policy rules for a flow-based NSF, it is
                used to determine whether the Condition clause of the
                Policy Rule can be evaluated or not.  Examples of an
                I2NSF Event include time and user actions (e.g., logon,
                logoff, and actions that violate any ACL).";
             list user-security-event {
               key usr-sec-event-id;
               description
                 "The purpose of this class is to represent Events that
                  are initiated by a user, such as logon and logoff
                  Events.  Information in this Event may be used as part
                  of a test to determine if the Condition clause in
                  this ECA Policy Rule should be evaluated or not.
                  Examples include user identification data and the
                  type of connection used by the user.";

               leaf usr-sec-event-id {
                 type uint8;
                 mandatory true;
                 description
                   "The ID of the usr-sec-event.
                    This is the key for the usr-sec-event list.
                    This must be unique.";
               }

               leaf usr-sec-event-content {
                 type string;
                 mandatory true;
                 description
                   "This is a mandatory string that contains the content
                    of the UserSecurityEvent.  The format of the content
                    is specified in the usrSecEventFormat class
                    attribute, and the type of Event is defined in the
                    usrSecEventType class attribute.  An example of the
                    usrSecEventContent attribute is the string hrAdmin,
                    with the usrSecEventFormat set to 1 (GUID) and the
                    usrSecEventType attribute set to 5 (new logon).";
               }

               leaf usr-sec-event-format {
                 type uint8;
                 mandatory true;
                 description
                   "This is a mandatory uint8 enumerated integer, which
                    is used to specify the data type of the
                    usrSecEventContent attribute.  The content is
                    specified in the usrSecEventContent class attribute,
                    and the type of Event is defined in the
                    usrSecEventType class attribute.  An example of the
                    usrSecEventContent attribute is the string hrAdmin,
                    with the usrSecEventFormat attribute set to 1 (GUID)
                    and the usrSecEventType attribute set to 5
                    (new logon).";
               }

               leaf usr-sec-event-type {
                 type uint8;
                 mandatory true;
                 description
                   "This is a mandatory uint8 enumerated integer, which
                    is used to specify the type of Event that involves
                    this user.  The content and format are specified in
                    the usrSecEventContent and usrSecEventFormat class
                    attributes, respectively.  An example of the
                    usrSecEventContent attribute is the string hrAdmin,
                    with the usrSecEventFormat attribute set to 1 (GUID)
                    and the usrSecEventType attribute set to 5
                    (new logon).";
               }
             }

             list device-security-event {
               key dev-sec-event-id;
               description
                 "The purpose of a DeviceSecurityEvent is to represent
                  Events that provide information from the Device that
                  are important to I2NSF Security.  Information in this
                  Event may be used as part of a test to determine if
                  the Condition clause in this ECA Policy Rule should be
                  evaluated or not.  Examples include alarms and various
                  device statistics (e.g., a type of threshold that was
                  exceeded), which may signal the need for further
                  action.";

               leaf dev-sec-event-id {
                 type uint8;
                 mandatory true;
                 description
                   "The ID of the dev-sec-event.
                    This is the key for the dev-sec-event list.
                    This must be unique.";
               }

               leaf dev-sec-event-content {
                 type string;
                 mandatory true;
                 description
                   "This is a mandatory string that contains the content
                    of the DeviceSecurityEvent.  The format of the
                    content is specified in the devSecEventFormat class
                    attribute, and the type of Event is defined in the
                    devSecEventType class attribute.  An example of the
                    devSecEventContent attribute is alarm, with the
                    devSecEventFormat attribute set to 1 (GUID) and the
                    devSecEventType attribute set to 5 (new logon).";
               }

               leaf dev-sec-event-format {
                 type uint8;
                 mandatory true;
                 description
                   "This is a mandatory uint8 enumerated integer, which
                    is used to specify the data type of the
                    devSecEventContent attribute.";
               }

               leaf dev-sec-event-type {
                 type uint8;
                 mandatory true;
                 description
                   "This is a mandatory uint8 enumerated integer, which
                    is used to specify the type of Event that was
                    generated by this device.";
               }

               leaf dev-sec-event-type-severity {
                 type uint8;
                 mandatory true;
                 description
                   "This is a mandatory uint8 enumerated integer, which
                    is used to specify the perceived severity of the
                    Event generated by this Device.";
               }
             }

             list system-security-event {
               key sys-sec-event-id;
               description
                 "The purpose of a SystemSecurityEvent is to represent
                  Events that are detected by the management system,
                  instead of Events that are generated by a user or a
                  device.  Information in this Event may be used as part
                  of a test to determine if the Condition clause in
                  this ECA Policy Rule should be evaluated or not.
                  Examples include an event issued by an analytics
                  system that warns against a particular pattern of
                  unknown user accesses, or an Event issued by a
                  management system that represents a set of correlated
                  and/or filtered Events.";

               leaf sys-sec-event-id {
                 type uint8;
                 mandatory true;
                 description
                   "The ID of the sys-sec-event.
                    This is the key for the sys-sec-event list.
                    This must be unique.";
               }

               leaf sys-sec-event-content {
                 type string;
                 mandatory true;
                 description
                   "This is a mandatory string that contains the content
                    of the SystemSecurityEvent.  The format of the
                    content is specified in the sysSecEventFormat class
                    attribute, and the type of Event is defined in the
                    sysSecEventType class attribute.  An example of the
                    sysSecEventContent attribute is the string sysadmin3,
                    with the sysSecEventFormat attribute set to 1 (GUID),
                    and the sysSecEventType attribute set to 2
                    (audit log cleared).";
               }

               leaf sys-sec-event-format {
                 type uint8;
                 mandatory true;
                 description
                   "This is a mandatory uint8 enumerated integer, which
                    is used to specify the data type of the
                    sysSecEventContent attribute.";
               }

               leaf sys-sec-event-type {
                 type uint8;
                 mandatory true;
                 description
                   "This is a mandatory uint8 enumerated integer, which
                    is used to specify the type of Event that involves
                    this device.";
               }
             }
             list time-security-event {
               key time-sec-event-id;
               description
                 "The purpose of a TimeSecurityEvent is to represent
                  Events that are temporal in nature (e.g., the start or
                  end of a period of time).  Time events signify an
                  individual occurrence, or a time period, in which a
                  significant event happened.  Information in the Event
                  may be used as part of a test to determine if the
                  Condition clause in this ECA Rule should be evaluated
                  or not.  Examples include issuing an Event at a
                  specific time to indicate that a particular resource
                  should not be accessed, or that different
                  authentication and authorization mechanisms should now
                  be used (e.g., because it is now past regular business
                  hours).";

               leaf time-sec-event-id {
                 type uint8;
                 mandatory true;
                 description
                   "The ID of the time-sec-event.
                    This is the key for the time-sec-event list.
                    This must be unique.";
               }

               leaf time-sec-event-period-begin {
                 type yang:date-and-time;
                 mandatory true;
                 description
                   "This is a mandatory DateTime attribute, and
                    represents the beginning of a time period.
                    It has a value that has a date and/or a time
                    component (as in the Java or Python libraries).";
               }

               leaf time-sec-event-period-end {
                 type yang:date-and-time;
                 mandatory true;
                 description
                   "This is a mandatory DateTime attribute, and
                    represents the end of a time period.  It has
                    a value that has a date and/or a time component
                    (as in the Java or Python libraries).  If this is
                    a single Event occurrence, and not a time period
                    when the Event can occur, then the
                    timeSecEventPeriodEnd attribute may be ignored.";
               }
               leaf time-sec-event-time-zone {
                 type string;
                 mandatory true;
                 description
                   "This is a mandatory string attribute, and defines the
                    time zone that this Event occurred in, using the
                    format specified in ISO 8601.";
               }
             }
           }

           container condition {
             description
               "TBD";
             list packet-security-condition {
               key pkt-security-id;
               description
                 "The purpose of this Class is to represent packet header
                  information that can be used as part of a test to
                  determine if the set of Policy Actions in this ECA
                  Policy Rule should be executed or not.  This class is
                  abstract, and serves as the superclass of more detailed
                  conditions that involve different types of packet
                  formats.";

               leaf pkt-security-id {
                 type uint8;
                 mandatory true;
                 description
                   "The ID of the packet-security-condition.";
               }

               container packet-security-mac-condition {
                 description
                   "The purpose of this Class is to represent MAC packet
                    header information that can be used as part of a
                    test to determine if the set of Policy Actions in
                    this ECA Policy Rule should be executed or not.";

                 leaf-list pkt-sec-cond-mac-dest {
                   type inet:port-number;
                   description
                     "The MAC destination address (6 octets long).";
                 }

                 leaf-list pkt-sec-cond-mac-src {
                   type inet:port-number;
                   description
                     "The MAC source address (6 octets long).";
                 }

                 leaf-list pkt-sec-cond-mac-8021q {
                   type string;
                   description
                     "This is an optional string attribute, and defines
                      the 802.1Q tag value (2 octets long).";
                 }

                 leaf-list pkt-sec-cond-mac-ether-type {
                   type string;
                   description
                     "The EtherType field (2 octets long).  Values up to
                      and including 1500 indicate the size of the payload
                      in octets; values of 1536 and above define which
                      protocol is encapsulated in the payload of the
                      frame.";
                 }

                 leaf-list pkt-sec-cond-mac-tci {
                   type string;
                   description
                     "This is an optional string attribute, and defines
                      the Tag Control Information.
This consists of a 3 1013 bit user priority field, a drop eligible indicator 1014 (1 bit), and a VLAN identifier (12 bits)."; 1015 } 1016 } 1018 container packet-security-ipv4-condition { 1019 description 1020 "The purpose of this Class is to represent packet IPv4 1021 packet header information that can be used as part of 1022 a test to determine if the set of Policy Actions in 1023 this ECA Policy Rule should be executed or not."; 1025 leaf-list pkt-sec-cond-ipv4-header-length { 1026 type uint8; 1027 description 1028 "The IPv4 packet header consists of 14 fields, 1029 of which 13 are required."; 1030 } 1032 leaf-list pkt-sec-cond-ipv4-tos { 1033 type uint8; 1034 description 1035 "The ToS field could specify a datagram's priority 1036 and request a route for low-delay, high-throughput, 1037 or highly-reliable service.."; 1038 } 1040 leaf-list pkt-sec-cond-ipv4-total-length { 1041 type uint16; 1042 description 1043 "This 16-bit field defines the entire packet size, 1044 including header and data, in bytes."; 1045 } 1047 leaf-list pkt-sec-cond-ipv4-id { 1048 type uint8; 1049 description 1050 "This field is an identification field and is 1051 primarily used for uniquely identifying 1052 the group of fragments of a single IP datagram."; 1053 } 1055 leaf-list pkt-sec-cond-ipv4-fragment { 1056 type uint8; 1057 description 1058 "IP fragmentation is an Internet Protocol (IP) 1059 process that breaks datagrams into smaller pieces 1060 (fragments), so that packets may be formed that 1061 can pass through a link with a smaller maximum 1062 transmission unit (MTU) than the original 1063 datagram size."; 1064 } 1066 leaf-list pkt-sec-cond-ipv4-fragment-offset { 1067 type uint16; 1068 description 1069 "Fragment offset field along with Don't Fragment 1070 and More Fragment flags in the IP protocol 1071 header are used for fragmentation and reassembly 1072 of IP datagrams."; 1073 } 1075 leaf-list pkt-sec-cond-ipv4-ttl { 1076 type uint8; 1077 description 1078 "The ttl keyword is 
used to check for a specific 1079 IP time-to-live value in the header of 1080 a packet."; 1081 } 1083 leaf-list pkt-sec-cond-ipv4-protocol { 1084 type uint8; 1085 description 1086 "Internet Protocol version 4(IPv4) is the fourth 1087 version of the Internet Protocol (IP)."; 1088 } 1090 leaf-list pkt-sec-cond-ipv4-src { 1091 type inet:ipv4-address; 1092 description 1093 "Defines the IPv4 Source Address."; 1094 } 1096 leaf-list pkt-sec-cond-ipv4-dest { 1097 type inet:ipv4-address; 1098 description 1099 "Defines the IPv4 Destination Address."; 1100 } 1102 leaf pkt-sec-cond-ipv4-ipopts { 1103 type string; 1104 description 1105 "With the ipopts keyword you can check if 1106 a specific ip option is set. Ipopts has 1107 to be used at the beginning of a rule."; 1108 } 1110 leaf pkt-sec-cond-ipv4-sameip { 1111 type boolean; 1112 description 1113 "Every packet has a source IP-address and 1114 a destination IP-address.It can be that 1115 the source IP is the same as 1116 the destination IP."; 1117 } 1119 leaf-list pkt-sec-cond-ipv4-geoip { 1120 type string; 1121 description 1122 "The geoip keyword enables (you)to match on 1123 the source, destination or source and destination 1124 IP addresses of network traffic and to see to 1125 which country it belongs To be able to do this, 1126 Suricata uses GeoIP API of Max mind."; 1127 } 1128 } 1130 container packet-security-ipv6-condition { 1131 description 1132 "The purpose of this Class is to represent packet 1133 IPv6 packet header information that can be used as 1134 part of a test to determine if the set of Policy 1135 Actions in this ECA Policy Rule should be executed 1136 or not."; 1138 leaf-list pkt-sec-cond-ipv6-dscp { 1139 type string; 1140 description 1141 "Differentiated Services Code Point (DSCP) 1142 of ipv6."; 1143 } 1145 leaf-list pkt-sec-cond-ipv6-ecn { 1146 type string; 1147 description 1148 "ECN allows end-to-end notification of network 1149 congestion without dropping packets."; 1150 } 1152 leaf-list 
pkt-sec-cond-ipv6-traffic-class { 1153 type uint8; 1154 description 1155 "The bits of this field hold two values. The 6 1156 most-significant bits are used for 1157 differentiated services, which is used to 1158 classify packets."; 1159 } 1161 leaf-list pkt-sec-cond-ipv6-flow-label { 1162 type uint32; 1163 description 1164 "The flow label when set to a non-zero value 1165 now werves as a hint to routers and switches 1166 with multiple outbound paths that these 1167 packets should stay on the same path so that 1168 they will not be reordered."; 1169 } 1171 leaf-list pkt-sec-cond-ipv6-payload-length { 1172 type uint16; 1173 description 1174 "The size of the payload in octets, 1175 including any extension headers."; 1176 } 1178 leaf-list pkt-sec-cond-ipv6-next-header { 1179 type uint8; 1180 description 1181 "Specifies the type of the next header. 1182 This field usually specifies the transport 1183 layer protocol used by a packet's payload."; 1184 } 1186 leaf-list pkt-sec-cond-ipv6-hop-limit { 1187 type uint8; 1188 description 1189 "Replaces the time to live field of IPv4."; 1190 } 1192 leaf-list pkt-sec-cond-ipv6-src { 1193 type inet:ipv6-address; 1194 description 1195 "The IPv6 address of the sending node."; 1196 } 1198 leaf-list pkt-sec-cond-ipv6-dest { 1199 type inet:ipv6-address; 1200 description 1201 "The IPv6 address of the destination node(s)."; 1202 } 1203 } 1205 container packet-security-tcp-condition { 1206 description 1207 "The purpose of this Class is to represent packet 1208 TCP packet header information that can be used as 1209 part of a test to determine if the set of Policy 1210 Actions in this ECA Policy Rule should be executed 1211 or not."; 1213 leaf-list pkt-sec-cond-tcp-seq-num { 1214 type uint32; 1215 description 1216 "If the SYN flag is set (1), then this is the 1217 initial sequence number."; 1218 } 1220 leaf-list pkt-sec-cond-tcp-ack-num { 1221 type uint32; 1222 description 1223 "If the ACK flag is set then the value of this 1224 field is the 
next sequence number that the sender 1225 is expecting."; 1226 } 1227 leaf-list pkt-sec-cond-tcp-window-size { 1228 type uint16; 1229 description 1230 "The size of the receive window, which specifies 1231 the number of windows size units (by default,bytes) 1232 (beyond the segment identified by the sequence 1233 number in the acknowledgment field) that the sender 1234 of this segment is currently willing to recive."; 1235 } 1237 leaf-list pkt-sec-cond-tcp-falgs { 1238 type uint8; 1239 description 1240 "This is a mandatory string attribute, and defines 1241 the nine Control bit flags (9 bits)."; 1242 } 1243 } 1245 container packet-security-udp-condition { 1246 description 1247 "The purpose of this Class is to represent packet UDP 1248 packet header information that can be used as part 1249 of a test to determine if the set of Policy Actions 1250 in this ECA Policy Rule should be executed or not."; 1252 leaf-list pkt-sec-cond-udp-length { 1253 type string; 1254 description 1255 "This is a mandatory string attribute, and defines 1256 the length in bytes of the UDP header and data 1257 (16 bits)."; 1258 } 1259 } 1261 container packet-security-icmp-condition { 1262 description 1263 "The internet control message protocol condition."; 1265 leaf-list pkt-sec-cond-icmp-type { 1266 type uint8; 1267 description 1268 "ICMP type, see Control messages."; 1269 } 1271 leaf-list pkt-sec-cond-icmp-code { 1272 type uint8; 1273 description 1274 "ICMP subtype, see Control messages."; 1276 } 1278 leaf-list pkt-sec-cond-icmp-seg-num { 1279 type uint32; 1280 description 1281 "The icmp Sequence Number."; 1282 } 1283 } 1284 } 1285 list packet-payload-security-condition { 1286 key "pkt-payload-id"; 1287 description 1288 "The ID of the pkt-payload. 1289 This is key for pkt-payload-list. 1290 This must be unique."; 1291 leaf pkt-payload-id { 1292 type uint8; 1293 mandatory true; 1294 description 1295 "The ID of the packet payload. 
1296 This must be unique."; 1297 } 1299 leaf pkt-payload-content { 1300 type string; 1301 mandatory true; 1302 description 1303 "The content keyword is very important in 1304 signatures Between the quotation marks you 1305 can write on what you would like the 1306 signature to match."; 1307 } 1309 leaf pkt-payload-nocase { 1310 type boolean; 1311 mandatory true; 1312 description 1313 "If you do not want to make a distinction 1314 between uppercase and lowercase characters, 1315 you can use nocase."; 1316 } 1318 leaf pkt-payload-depth { 1319 type uint32; 1320 mandatory true; 1321 description 1322 "The depth keyword is a absolute content 1323 modifier."; 1325 } 1327 leaf pkt-payload-offset { 1328 type uint32; 1329 mandatory true; 1330 description 1331 "The offset keyword designates from which byte 1332 in the payload will be checked to fined to find 1333 a match."; 1334 } 1336 leaf pkt-payload-distance { 1337 type uint32; 1338 mandatory true; 1339 description 1340 "The keyword distance is a relative content 1341 modifier. This means it indicates a relation 1342 between this content keyword and the content 1343 preceding it."; 1344 } 1346 leaf pkt-payload-within { 1347 type uint32; 1348 mandatory true; 1349 description 1350 "The keyword within is relative to the preceding 1351 match. The keyword within comes with a mandatory 1352 numeric value."; 1353 } 1355 leaf pkt-payload-isdataat { 1356 type uint32; 1357 mandatory true; 1358 description 1359 "The purpose of the isdataat keyword is to 1360 look if there is still data at a specific part 1361 of the payload."; 1362 } 1364 leaf pkt-payload-dsize { 1365 type uint32; 1366 mandatory true; 1367 description 1368 "With the dsize keyword, you can match on the 1369 size of the packet payload."; 1370 } 1372 leaf pkt-payload-replace { 1373 type string; 1374 mandatory true; 1375 description 1376 "The replace content modifier can only be used 1377 in ips. 
It adjusts network traffic."; 1378 } 1380 leaf pkt-payload-pcre { 1381 type string; 1382 mandatory true; 1383 description 1384 "For information about pcre check the pcre 1385 (Perl Compatible Regular Expressions)page."; 1386 } 1388 container pkt-payload-rpc{ 1389 description 1390 "The rpc keyword can be used to match in the 1391 SUNRPC CALL on the RPC procedure numbers and 1392 the RPC version."; 1393 leaf pkt-payload-rpc-app-num { 1394 type uint32; 1395 mandatory true; 1396 description 1397 "."; 1398 } 1400 leaf pkt-payload-rpc-version-num { 1401 type uint32; 1402 mandatory true; 1403 description 1404 "|*."; 1405 } 1407 leaf pkt-payload-rpc-procedure-num { 1408 type uint32; 1409 mandatory true; 1410 description 1411 "|*."; 1412 } 1413 } 1414 } 1415 list target-security-condition { 1416 key "target-sec-cond-id"; 1417 description 1418 "Under the circumstances of network, it mainly 1419 refers to the service, application, and device."; 1420 leaf target-sec-cond-id { 1421 type uint8; 1422 mandatory true; 1423 description 1424 "The ID of the target. 1425 This must be unique."; 1426 } 1427 container service-sec-context-cond{ 1428 description 1429 "A service is an application identified by a 1430 protocol type and port number, such as TCP, 1431 UDP, ICMP, and IP."; 1432 leaf name { 1433 type string; 1434 mandatory true; 1435 description 1436 "The name of the service. 1437 This must be unique."; 1438 } 1439 leaf id { 1440 type uint8; 1441 mandatory true; 1442 description 1443 "The ID of the service. 
1444 This must be unique."; 1445 } 1446 container protocol { 1447 description 1448 "Protocol types: 1449 TCP, UDP, ICMP, ICMPv6, IP, and etc."; 1450 leaf tcp { 1451 type boolean; 1452 mandatory true; 1453 description 1454 "TCP protocol type."; 1455 } 1456 leaf udp { 1457 type boolean; 1458 mandatory true; 1459 description 1460 "UDP protocol type."; 1461 } 1462 leaf icmp { 1463 type boolean; 1464 mandatory true; 1465 description 1466 "ICMP protocol type."; 1467 } 1468 leaf icmpv6 { 1469 type boolean; 1470 mandatory true; 1471 description 1472 "ICMPv6 protocol type."; 1473 } 1474 leaf ip { 1475 type boolean; 1476 mandatory true; 1477 description 1478 "IP protocol type."; 1479 } 1480 } 1481 leaf src-port{ 1482 type inet:port-number; 1483 description 1484 "It can be used for finding programs."; 1485 } 1486 leaf dest-port{ 1487 type inet:port-number; 1488 description 1489 "It can be used for finding programs."; 1490 } 1491 } 1492 container application-sec-context-cond { 1493 description 1494 "An application is a computer program for 1495 a specific task or purpose. It provides 1496 a finer granularity than service in matching 1497 traffic."; 1498 leaf name{ 1499 type string; 1500 mandatory true; 1501 description 1502 "The name of the application. 1503 This must be unique."; 1504 } 1505 leaf id{ 1506 type uint8; 1507 mandatory true; 1508 description 1509 "The ID of the application. 
1510 This must be unique."; 1511 } 1512 container category{ 1513 description 1514 "Category types: Business system, Entertainment, 1515 Interest, Network, General, and etc."; 1516 leaf business-system { 1517 type boolean; 1518 description 1519 "Business system category."; 1520 } 1521 leaf entertainment { 1522 type boolean; 1523 description 1524 "Entertainment category."; 1525 } 1526 leaf interest { 1527 type boolean; 1528 description 1529 "Interest category."; 1530 } 1531 leaf network { 1532 type boolean; 1533 description 1534 "Network category."; 1535 } 1536 leaf general { 1537 type boolean; 1538 description 1539 "General category."; 1540 } 1541 } 1542 container subcategory{ 1543 description 1544 "Subcategory types: Finance, Email, Game, 1545 Media sharing, Social network, Web posting, 1546 and etc."; 1547 leaf finance { 1548 type boolean; 1549 description 1550 "Finance subcategory."; 1551 } 1552 leaf email { 1553 type boolean; 1554 description 1555 "Email subcategory."; 1556 } 1557 leaf game { 1558 type boolean; 1559 description 1560 "Game subcategory."; 1561 } 1562 leaf media-sharing { 1563 type boolean; 1564 description 1565 "Media sharing subcategory."; 1566 } 1567 leaf social-network { 1568 type boolean; 1569 description 1570 "Social network subcategory."; 1571 } 1572 leaf web-posting { 1573 type boolean; 1574 description 1575 "Web posting subcategory."; 1576 } 1577 } 1578 container data-transmission-model{ 1579 description 1580 "Data transmission model types: Client-server, 1581 Browser-based, Networking, Peer-to-Peer, 1582 Unassigned, and etc."; 1583 leaf client-server { 1584 type boolean; 1585 description 1586 "client-server data transmission model."; 1587 } 1588 leaf browser-based { 1589 type boolean; 1590 description 1591 "Browser-based data transmission model."; 1592 } 1593 leaf networking { 1594 type boolean; 1595 description 1596 "Networking data transmission model."; 1597 } 1598 leaf peer-to-peer { 1599 type boolean; 1600 description 1601 
"Peer-to-Peer data transmission model."; 1602 } 1603 leaf unassigned { 1604 type boolean; 1605 description 1606 "Unassigned data transmission model."; 1607 } 1608 } 1609 container risk-level{ 1610 description 1611 "Risk level types: Exploitable, 1612 Productivity loss, Evasive, Data loss, 1613 Malware vehicle, Bandwidth consuming, 1614 Tunneling, and etc."; 1615 leaf exploitable { 1616 type boolean; 1617 description 1618 "Exploitable risk level."; 1619 } 1620 leaf productivity-loss { 1621 type boolean; 1622 description 1623 "Productivity loss risk level."; 1624 } 1625 leaf evasive { 1626 type boolean; 1627 description 1628 "Evasive risk level."; 1629 } 1630 leaf data-loss { 1631 type boolean; 1632 description 1633 "Data loss risk level."; 1634 } 1635 leaf malware-vehicle { 1636 type boolean; 1637 description 1638 "Malware vehicle risk level."; 1639 } 1640 leaf bandwidth-consuming { 1641 type boolean; 1642 description 1643 "Bandwidth consuming risk level."; 1644 } 1645 leaf tunneling { 1646 type boolean; 1647 description 1648 "Tunneling risk level."; 1649 } 1650 } 1651 } 1652 container device-sec-context-cond { 1653 description 1654 "The device attribute that can identify a device, 1655 including the device type (i.e., router, switch, 1656 pc, ios, or android) and the device's owner as 1657 well."; 1658 leaf pc { 1659 type boolean; 1660 description 1661 "If type of a device is PC."; 1662 } 1663 leaf mobile-phone { 1664 type boolean; 1665 description 1666 "If type of a device is mobile-phone."; 1667 } 1668 leaf tablet { 1669 type boolean; 1670 description 1671 "If type of a device is tablet."; 1672 } 1673 leaf voip-volte-phone { 1674 type boolean; 1675 description 1676 "If type of a device is voip-volte-phone."; 1677 } 1678 } 1679 } 1680 list user-security-cond { 1681 key "usr-sec-cond-id"; 1682 description 1683 "TBD"; 1684 leaf usr-sec-cond-id { 1685 type uint8; 1686 description 1687 "The ID of the user-sec-cond. 1688 This is key for user-sec-cond-list. 
1689 This must be unique."; 1690 } 1691 container user{ 1692 description 1693 "The user (or user group) information with which 1694 network flow is associated: The user has many 1695 attributes such as name, id, password, type, 1696 authentication mode and so on. Name/id is often 1697 used in the security policy to identify the user. 1698 Besides, NSF is aware of the IP address of the 1699 user provided by a unified user management system 1700 via network. Based on name-address association, 1701 NSF is able to enforce the security functions 1702 over the given user (or user group)"; 1703 choice user-name { 1704 description 1705 "The name of the user. 1706 This must be unique."; 1707 case tenant { 1708 description 1709 "Tenant information."; 1710 leaf tenant { 1711 type uint8; 1712 mandatory true; 1713 description 1714 "User's tenant information."; 1715 } 1716 } 1717 case vn-id { 1718 description 1719 "VN-ID information."; 1720 leaf vn-id { 1721 type uint8; 1722 mandatory true; 1723 description 1724 "User's VN-ID information."; 1725 } 1726 } 1727 } 1728 } 1729 container group { 1730 description 1731 "The user (or user group) information with which 1732 network flow is associated: The user has many 1733 attributes such as name, id, password, type, 1734 authentication mode and so on. Name/id is often 1735 used in the security policy to identify the user. 1736 Besides, NSF is aware of the IP address of the 1737 user provided by a unified user management system 1738 via network. Based on name-address association, 1739 NSF is able to enforce the security functions 1740 over the given user (or user group)"; 1741 choice group-name { 1742 description 1743 "The name of the user. 
1744 This must be unique."; 1745 case tenant { 1746 description 1747 "Tenant information."; 1748 leaf tenant { 1749 type uint8; 1750 mandatory true; 1751 description 1752 "User's tenant information."; 1753 } 1754 } 1755 case vn-id { 1756 description 1757 "VN-ID information."; 1758 leaf vn-id { 1759 type uint8; 1760 mandatory true; 1761 description 1762 "User's VN-ID information."; 1763 } 1764 } 1765 } 1766 } 1767 } 1768 list generic-context-condition { 1769 key "gen-context-cond-id"; 1770 description 1771 "TBD"; 1772 leaf gen-context-cond-id { 1773 type uint8; 1774 description 1775 "The ID of the gen-context-cond. 1776 This is key for gen-context-cond-list. 1777 This must be unique."; 1778 } 1779 container geographic-location { 1780 description 1781 "The location where network traffic is associated 1782 with. The region can be the geographic location 1783 such as country, province, and city, 1784 as well as the logical network location such as 1785 IP address, network section, and network domain."; 1786 leaf-list geographic-location { 1787 type uint8; 1788 description 1789 "This is mapped to ip address. 
We can acquire 1790 region through ip address stored the database."; 1791 } 1792 } 1793 } 1794 } 1795 container action { 1796 description 1797 "TBD."; 1798 choice action-type { 1799 description 1800 "The flow-based NSFs realize the network security 1801 functions by executing various Actions, which at least 1802 includes ingress-action, egress-action, and 1803 advanced-action."; 1804 case ingress-action { 1805 description 1806 "The ingress actions consist of permit, deny, 1807 and mirror."; 1808 choice ingress-action-type { 1809 description 1810 "Ingress action type: permit, deny, and mirror."; 1811 case pass { 1812 description 1813 "Pass case."; 1814 leaf pass { 1815 type boolean; 1816 mandatory true; 1817 description 1818 "Packet flow is passed."; 1819 } 1820 } 1821 case drop { 1822 description 1823 "Drop case."; 1824 leaf drop { 1825 type boolean; 1826 mandatory true; 1827 description 1828 "Packet flow is droped."; 1829 } 1830 } 1831 case reject { 1832 description 1833 "Reject case."; 1834 leaf reject { 1835 type boolean; 1836 mandatory true; 1837 description 1838 "Packet flow is rejected."; 1839 } 1840 } 1841 case alert { 1842 description 1843 "Alert case."; 1844 leaf alert { 1845 type boolean; 1846 mandatory true; 1847 description 1848 "Packet flow is alerted."; 1849 } 1850 } 1851 case mirror { 1852 description 1853 "Mirror case."; 1854 leaf mirror { 1855 type boolean; 1856 mandatory true; 1857 description 1858 "Packet flow is mirroried."; 1859 } 1860 } 1861 } 1862 } 1863 case egress-action { 1864 description 1865 "The egress actions consist of invoke-signaling, 1866 tunnel-encapsulation, and forwarding."; 1867 choice egress-action-type { 1868 description 1869 "Egress-action-type: invoke-signaling, 1870 tunnel-encapsulation, and forwarding."; 1871 case invoke-signaling { 1872 description 1873 "Invoke-signaling case."; 1874 leaf invoke-signaling { 1875 type boolean; 1876 mandatory true; 1877 description 1878 "TBD."; 1879 } 1880 } 1881 case tunnel-encapsulation 
{ 1882 description 1883 "tunnel-encapsulation case."; 1884 leaf tunnel-encapsulation { 1885 type boolean; 1886 mandatory true; 1887 description 1888 "TBD."; 1889 } 1890 } 1891 case forwarding { 1892 description 1893 "forwarding case."; 1894 leaf forwarding { 1895 type boolean; 1896 mandatory true; 1897 description 1898 "TBD."; 1899 } 1900 } 1902 } 1903 } 1904 case apply-profile-action { 1905 description 1906 "Applying a specific Functional Profile or signature 1907 - e.g., an IPS Profile, a signature file, an 1908 anti-virus file, or a URL filtering file. The 1909 functional profile or signature file corresponds to 1910 the security capability for the content security 1911 control and attack mitigation control which will be 1912 described afterwards. It is one of the key properties 1913 that determine the effectiveness of the NSF, and is 1914 mostly vendor specific today. One goal of I2NSF is 1915 to standardize the form and functional interface of 1916 those security capabilities while supporting vendor- 1917 specific implementations of each."; 1918 choice apply-profile-action-type { 1919 description 1920 "Advanced action types: Content Security Control 1921 and Attack Mitigation Control."; 1922 case content-security-control { 1923 description 1924 "Content security control is another category of 1925 security capabilities applied to application layer. 
1926 Through detecting the contents carried over the 1927 traffic in application layer, these capabilities 1928 can realize various security purposes, such as 1929 defending against intrusion, inspecting virus, 1930 filtering malicious URL or junk email, and blocking 1931 illegal web access or data retrieval."; 1933 container content-security-control-types { 1934 description 1935 "Content Security types: Antivirus, IPS, IDS, 1936 url-filtering, data-filtering, mail-filtering, 1937 file-blocking, file-isolate, pkt-capture, 1938 application-control, and voip-volte."; 1939 container antivirus { 1940 description 1941 "Antivirus is computer software used to 1942 prevent, detect and remove malicious 1943 software."; 1944 leaf antivirus-insp { 1945 type boolean; 1946 description 1947 "Additional inspection of antivirus."; 1948 } 1949 } 1950 container ips { 1951 description 1952 "Intrusion prevention systems (IPS) are 1953 network security appliances that monitor 1954 network and/or system activities for 1955 malicious activities."; 1956 leaf ips-insp { 1957 type boolean; 1958 description 1959 "Additional inspection of IPS."; 1960 } 1961 } 1962 container ids { 1963 description 1964 "IDS security service."; 1965 leaf ids-insp { 1966 type boolean; 1967 description 1968 "Additional inspection of IDS."; 1969 } 1970 } 1971 container url-filtering { 1972 description 1973 "URL filtering security service."; 1974 leaf url-filtering-insp { 1975 type boolean; 1976 description 1977 "Additional inspection of URL filtering."; 1978 } 1979 } 1980 container data-filtering { 1981 description 1982 "Data filtering security service."; 1983 leaf data-filtering-insp { 1984 type boolean; 1985 description 1986 "Additional inspection of data filtering."; 1987 } 1988 } 1989 container mail-filtering { 1990 description 1991 "Mail filtering security service."; 1992 leaf mail-filtering-insp { 1993 type boolean; 1994 description 1995 "Additional inspection of mail filtering."; 1996 } 1997 } 1998 
container file-blocking { 1999 description 2000 "File blocking security service."; 2001 leaf file-blocking-insp { 2002 type boolean; 2003 description 2004 "Additional inspection of file blocking."; 2005 } 2006 } 2007 container file-isolate { 2008 description 2009 "File isolate security service."; 2010 leaf file-isolate-insp { 2011 type boolean; 2012 description 2013 "Additional inspection of file isolate."; 2014 } 2015 } 2016 container pkt-capture { 2017 description 2018 "Packet capture security service."; 2019 leaf pkt-capture-insp { 2020 type boolean; 2021 description 2022 "Additional inspection of packet capture."; 2023 } 2024 } 2025 container application-control { 2026 description 2027 "app-control security service."; 2028 leaf application-control-insp { 2029 type boolean; 2030 description 2031 "Additional inspection of app control."; 2032 } 2033 } 2034 container voip-volte { 2035 description 2036 "VoIP/VoLTE security service."; 2037 leaf voip-volte-insp { 2038 type boolean; 2039 description 2040 "Additional inspection of VoIP/VoLTE."; 2041 } 2042 } 2043 } 2044 } 2045 case attack-mitigation-control { 2046 description 2047 "This category of security capabilities is 2048 specially used to detect and mitigate various 2049 types of network attacks."; 2050 choice attack-mitigation-control-type { 2051 description 2052 "Attack-mitigation types: DDoS-attack and 2053 Single-packet attack."; 2054 case ddos-attack { 2055 description 2056 "A distributed-denial-of-service (DDoS) is 2057 where the attack source is more than one, 2058 often thousands of unique IP addresses."; 2059 choice ddos-attack-type { 2060 description 2061 "DDoS-attack types: Network Layer DDoS Attacks 2062 and Application Layer DDoS Attacks."; 2063 case network-layer-ddos-attack { 2064 description 2065 "Network layer DDoS-attack."; 2066 container network-layer-ddos-attack-types { 2067 description 2068 "Network layer DDoS attack types: 2069 Syn Flood Attack, UDP Flood Attack, 2070 ICMP Flood Attack, IP 
                              Fragment Flood, IPv6 Related Attacks, etc.";
                            container syn-flood-attack {
                              description
                                "If the network layer DDoS-attack is
                                a syn flood attack.";
                              leaf syn-flood-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  Syn Flood Attack.";
                              }
                            }
                            container udp-flood-attack {
                              description
                                "If the network layer DDoS-attack is
                                a udp flood attack.";
                              leaf udp-flood-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  UDP Flood Attack.";
                              }
                            }
                            container icmp-flood-attack {
                              description
                                "If the network layer DDoS-attack is
                                an icmp flood attack.";
                              leaf icmp-flood-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  ICMP Flood Attack.";
                              }
                            }
                            container ip-frag-flood-attack {
                              description
                                "If the network layer DDoS-attack is
                                an ip fragment flood attack.";
                              leaf ip-frag-flood-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  IP Fragment Flood.";
                              }
                            }
                            container ipv6-related-attacks {
                              description
                                "If the network layer DDoS-attack is
                                ipv6 related attacks.";
                              leaf ipv6-related-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  IPv6 Related Attacks.";
                              }
                            }
                          }
                        }
                        case app-layer-ddos-attack {
                          description
                            "Application layer DDoS-attack.";
                          container app-ddos-attack-types {
                            description
                              "Application layer DDoS-attack types:
                              HTTP Flood Attack, HTTPS Flood Attack,
                              DNS Flood Attack,
                              DNS Amplification Flood Attack,
                              SSL DDoS Attack, etc.";
                            container http-flood-attack {
                              description
                                "If the application layer DDoS-attack is
                                an http flood attack.";
                              leaf http-flood-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  HTTP Flood Attack.";
                              }
                            }
                            container https-flood-attack {
                              description
                                "If the application layer DDoS-attack is
                                an https flood attack.";
                              leaf https-flood-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  HTTPS Flood Attack.";
                              }
                            }
                            container dns-flood-attack {
                              description
                                "If the application layer DDoS-attack is
                                a dns flood attack.";
                              leaf dns-flood-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  DNS Flood Attack.";
                              }
                            }
                            container dns-amp-flood-attack {
                              description
                                "If the application layer DDoS-attack is
                                a dns amplification flood attack.";
                              leaf dns-amp-flood-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  DNS Amplification Flood Attack.";
                              }
                            }
                            container ssl-ddos-attack {
                              description
                                "If the application layer DDoS-attack is
                                an ssl DDoS attack.";
                              leaf ssl-ddos-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  SSL DDoS Attack.";
                              }
                            }
                          }
                        }
                      }
                    }
                    case single-packet-attack {
                      description
                        "Single Packet Attacks.";
                      choice single-packet-attack-type {
                        description
                          "Single-packet attack types: Scanning Attack,
                          Sniffing Attack, Malformed Packet Attack,
                          Special Packet Attack, etc.";
                        case scan-and-sniff-attack {
                          description
                            "Scanning and Sniffing Attack.";
                          container scan-and-sniff-attack-types {
                            description
                              "Scanning and sniffing attack types:
                              IP Sweep Attack, Port Scanning,
                              etc.";
                            container ip-sweep-attack {
                              description
                                "If the scanning and sniffing attack is
                                an ip sweep attack.";
                              leaf ip-sweep-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  IP Sweep Attack.";
                              }
                            }
                            container port-scanning-attack {
                              description
                                "If the scanning and sniffing attack is
                                a port scanning attack.";
                              leaf port-scanning-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  Port Scanning Attack.";
                              }
                            }
                          }
                        }
                        case malformed-packet-attack {
                          description
                            "Malformed Packet Attack.";
                          container malformed-packet-attack-types {
                            description
                              "Malformed packet attack types:
                              Ping of Death Attack, Teardrop Attack,
                              etc.";
                            container ping-of-death-attack {
                              description
                                "If the malformed packet attack is
                                a ping of death attack.";
                              leaf ping-of-death-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  Ping of Death Attack.";
                              }
                            }
                            container teardrop-attack {
                              description
                                "If the malformed packet attack is
                                a teardrop attack.";
                              leaf teardrop-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  Teardrop Attack.";
                              }
                            }
                          }
                        }
                        case special-packet-attack {
                          description
                            "Special Packet Attack.";
                          container special-packet-attack-types {
                            description
                              "Special packet attack types:
                              Oversized ICMP Attack, Tracert Attack,
                              etc.";
                            container oversized-icmp-attack {
                              description
                                "If the special packet attack is
                                an oversized icmp attack.";
                              leaf oversized-icmp-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  Oversized ICMP Attack.";
                              }
                            }
                            container tracert-attack {
                              description
                                "If the special packet attack is
                                a tracert attack.";
                              leaf tracert-insp {
                                type boolean;
                                mandatory true;
                                description
                                  "Additional Inspection of
                                  Tracert Attack.";
                              }
                            }
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }

  grouping cfg-content-security-conrol {
    description
      "Configuration for Content Security Control.";

    choice cfg-content-security-control-type {
      description
        "Content Security types: Antivirus, IPS, IDS,
        url-filtering, data-filtering, mail-filtering,
        file-blocking, file-isolate, pkt-capture,
        application-control, and voip-volte.";

      case cfg-antivirus {
        description
          "Antivirus Case.";

        list antivirus-rule {
          key rule-id;
          description
            "Rule of Antivirus.";

          leaf rule-id {
            type uint8;
            mandatory true;
            description
              "The ID of the rule about antivirus.";
          }
        }
      }
      case cfg-ips {
        description
          "IPS Case.";

        list ips-rule {
          key rule-id;
          description
            "Rule of IPS.";

          leaf rule-id {
            type uint8;
            mandatory true;
            description
              "The ID of the rule about IPS.";
          }
        }
      }
      case cfg-ids {
        description
          "IDS Case.";

        list ids-rule {
          key rule-id;
          description
            "Rule of IDS.";

          leaf rule-id {
            type uint8;
            mandatory true;
            description
              "The ID of the rule about IDS.";
          }
        }
      }
      case cfg-url-filter {
        description
          "URL Filter Case.";

        list url-filter-rule {
          key rule-id;
          description
            "Rule of URL filter.";

          leaf rule-id {
            type uint8;
            mandatory true;
            description
              "The ID of the rule about URL filter.";
          }
        }
      }
      case cfg-data-filter {
        description
          "Data Filter Case.";

        list data-filter-rule {
          key rule-id;
          description
            "Rule of Data Filter.";

          leaf rule-id {
            type uint8;
            mandatory true;
            description
              "The ID of the rule about data filter.";
          }
        }
      }
      case cfg-mail-filter {
        description
          "Mail Filter Case.";

        list mail-filter-rule {
          key rule-id;
          description
            "Rule of Mail Filter.";

          leaf rule-id {
            type uint8;
            mandatory true;
            description
              "The ID of the rule about mail filter.";
          }
        }
      }
      case cfg-file-blocking {
        description
          "File Blocking Case.";

        list file-blocking-rule {
          key rule-id;
          description
            "Rule of File Blocking.";

          leaf rule-id {
            type uint8;
            mandatory true;
            description
              "The ID of the rule about file blocking.";
          }
        }
      }
      case cfg-file-isolate {
        description
          "File Isolate Case.";

        list file-isolate-rule {
          key rule-id;
          description
            "Rule of File Isolate.";

          leaf rule-id {
            type uint8;
            mandatory true;
            description
              "The ID of the rule about file isolate.";
          }
        }
      }
      case cfg-pkt-capture {
        description
          "Packet Capture Case.";

        list pkt-capture-rule {
          key rule-id;
          description
            "Rule of Packet Capture.";

          leaf rule-id {
            type uint8;
            mandatory true;
            description
              "The ID of the rule about packet capture.";
          }
        }
      }
      case cfg-app-control {
        description
          "App Control Case.";

        list app-control-rule {
          key rule-id;
          description
            "Rule of App Control.";

          leaf rule-id {
            type uint8;
            mandatory true;
            description
              "The ID of the rule about app control.";
          }
        }
      }
      case cfg-voip-volte {
        description
          "VoIP/VoLTE Case.";

        list voip-volte-rule {
          key "rule-id";
          description
            "A VoIP/VoLTE security system can monitor each
            VoIP/VoLTE flow and manage VoIP/VoLTE security
            rules controlled by a centralized server for the
            VoIP/VoLTE security service (called VoIP IPS).
            The VoIP/VoLTE security system controls each
            switch for VoIP/VoLTE call flow management by
            manipulating rules that can be added, deleted,
            or modified dynamically.";

          leaf rule-id {
            type uint8;
            mandatory true;
            description
              "The ID of the voip-volte-rule.
              This is the key for voip-volte-rule-list.
              This must be unique.";
          }
          container event {
            description
              "Event types: VoIP and VoLTE.";
            leaf called-voip {
              type boolean;
              mandatory true;
              description
                "If content-security-control-type is
                voip.";
            }
            leaf called-volte {
              type boolean;
              mandatory true;
              description
                "If content-security-control-type is
                volte.";
            }
          }
          container condition {
            description
              "TBD.";
            list sip-header {
              key "sip-header-uri";
              description
                "TBD.";
              leaf sip-header-uri {
                type string;
                mandatory true;
                description
                  "SIP header URI.";
              }
              leaf sip-header-method {
                type string;
                mandatory true;
                description
                  "SIP header method.";
              }
              leaf sip-header-expire-time {
                type yang:date-and-time;
                mandatory true;
                description
                  "SIP header expire time.";
              }
              leaf sip-header-user-agent {
                type uint32;
                mandatory true;
                description
                  "SIP header user agent.";
              }
            }
            list cell-region {
              key "cell-id-region";
              description
                "TBD.";
              leaf cell-id-region {
                type uint32;
                mandatory true;
                description
                  "Cell region.";
              }
            }
          }
          container action {
            description
              "The flow-based NSFs realize the security
              functions by executing various Actions.";
            choice action-type {
              description
                "Action type: ingress action and
                egress action.";
              case ingress-action {
                description
                  "The ingress actions consist of pass,
                  drop, reject, alert, and mirror.";
                choice ingress-action-type {
                  description
                    "Ingress-action-type: pass, drop,
                    reject, alert, and mirror.";
                  case pass {
                    description
                      "Pass case.";
                    leaf pass {
                      type boolean;
                      mandatory true;
                      description
                        "Packet flow is passed.";
                    }
                  }
                  case drop {
                    description
                      "Drop case.";
                    leaf drop {
                      type boolean;
                      mandatory true;
                      description
                        "Packet flow is dropped.";
                    }
                  }
                  case reject {
                    description
                      "Reject case.";
                    leaf reject {
                      type boolean;
                      mandatory true;
                      description
                        "Packet flow is rejected.";
                    }
                  }
                  case alert {
                    description
                      "Alert case.";
                    leaf alert {
                      type boolean;
                      mandatory true;
                      description
                        "Packet flow raises an alert.";
                    }
                  }
                  case mirror {
                    description
                      "Mirror case.";
                    leaf mirror {
                      type boolean;
                      mandatory true;
                      description
                        "Packet flow is mirrored.";
                    }
                  }
                }
              }
              case egress-action {
                description
                  "The egress actions consist of
                  redirection, etc.";
                choice egress-action-type {
                  description
                    "Egress-action-type: redirection,
                    etc.";
                  case redirection {
                    description
                      "Redirection case.";
                    leaf redirection {
                      type boolean;
                      mandatory true;
                      description "TBD.";
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }

  grouping cfg-attack-mitigation-conrol {
    description
      "Configuration for Attack Mitigation Control.";

    choice cfg-attack-mitigation-control-type {
      description
        "Attack-mitigation types: DDoS-attack and
        Single-packet attack.";

      case cfg-ddos-attack {
        description
          "A distributed denial-of-service (DDoS) attack
          is one whose traffic comes from more than one
          source, often thousands of unique IP addresses.";

        choice cfg-ddos-attack-type {
          description
            "DDoS-attack types: Network Layer DDoS Attacks
            and Application Layer DDoS Attacks.";

          case cfg-network-layer-ddos-attack {
            description
              "Network layer DDoS-attack.";

            choice cfg-network-layer-ddos-attack-type {
              description
                "Network layer DDoS attack types:
                Syn Flood Attack, UDP Flood Attack,
                ICMP Flood Attack, IP Fragment Flood,
                IPv6 Related Attacks, etc.";

              case cfg-syn-flood-attack {
                description
                  "Syn Flood Attack Case.";

                list syn-flood-attack-rule {
                  key rule-id;
                  description
                    "Rule of Syn Flood Attack.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about syn flood attack.";
                  }
                }
              }
              case cfg-udp-flood-attack {
                description
                  "UDP Flood Attack Case.";

                list udp-flood-attack-rule {
                  key rule-id;
                  description
                    "Rule of UDP Flood Attack.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about udp flood attack.";
                  }
                }
              }
              case cfg-icmp-flood-attack {
                description
                  "ICMP Flood Attack Case.";

                list icmp-flood-attack-rule {
                  key rule-id;
                  description
                    "Rule of ICMP Flood Attack.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about icmp flood attack.";
                  }
                }
              }
              case cfg-ip-frag-flood-attack {
                description
                  "IP Fragment Flood Attack Case.";

                list ip-frag-flood-attack-rule {
                  key rule-id;
                  description
                    "Rule of IP Fragment Flood Attack.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about
                      ip fragment flood attack.";
                  }
                }
              }
              case cfg-ipv6-related-attacks {
                description
                  "IPv6 Related Attacks Case.";

                list ipv6-related-attacks-rule {
                  key rule-id;
                  description
                    "Rule of IPv6 Related Attacks.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about
                      ipv6 related attacks.";
                  }
                }
              }
            }
          }
          case cfg-app-layer-ddos-attack {
            description
              "Application layer DDoS-attack.";

            choice cfg-app-ddos-attack-type {
              description
                "Application layer DDoS-attack types:
                HTTP Flood Attack, HTTPS Flood Attack,
                DNS Flood Attack,
                DNS Amplification Flood Attack,
                SSL DDoS Attack, etc.";

              case cfg-http-flood-attack {
                description
                  "HTTP Flood Attack Case.";

                list http-flood-attack-rule {
                  key rule-id;
                  description
                    "Rule of HTTP Flood Attack.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about
                      http flood attack.";
                  }
                }
              }
              case cfg-https-flood-attack {
                description
                  "HTTPS Flood Attack Case.";

                list https-flood-attack-rule {
                  key rule-id;
                  description
                    "Rule of HTTPS Flood Attack.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about
                      https flood attack.";
                  }
                }
              }
              case cfg-dns-flood-attack {
                description
                  "DNS Flood Attack Case.";

                list dns-flood-attack-rule {
                  key rule-id;
                  description
                    "Rule of DNS Flood Attack.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about
                      dns flood attack.";
                  }
                }
              }
              case cfg-dns-amp-flood-attack {
                description
                  "DNS Amp Flood Attack Case.";

                list dns-amp-flood-attack-rule {
                  key rule-id;
                  description
                    "Rule of DNS Amp Flood Attack.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about
                      dns amp flood attack.";
                  }
                }
              }
              case cfg-ssl-ddos-attack {
                description
                  "SSL DDoS Attack Case.";

                list ssl-ddos-attack-rule {
                  key rule-id;
                  description
                    "Rule of SSL DDoS Attack.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about
                      ssl ddos attack.";
                  }
                }
              }
            }
          }
        }
      }
      case cfg-single-packet-attack {
        description
          "Single Packet Attacks.";
        choice cfg-single-packet-attack-type {
          description
            "Single-packet attack types: Scanning Attack,
            Sniffing Attack, Malformed Packet Attack,
            Special Packet Attack, etc.";
          case cfg-scan-and-sniff-attack {
            description
              "Scanning and Sniffing Attack.";
            choice cfg-scan-and-sniff-attack-type {
              description
                "Scanning and sniffing attack types:
                IP Sweep Attack, Port Scanning,
                etc.";

              case cfg-ip-sweep-attack {
                description
                  "IP Sweep Attack Case.";

                list ip-sweep-attack-rule {
                  key rule-id;
                  description
                    "Rule of IP Sweep Attack.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about
                      ip sweep attack.";
                  }
                }
              }
              case cfg-port-scanning-attack {
                description
                  "Port Scanning Attack Case.";

                list port-scanning-attack-rule {
                  key rule-id;
                  description
                    "Rule of Port Scanning Attack.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about
                      port scanning attack.";
                  }
                }
              }
            }
          }
          case cfg-malformed-packet-attack {
            description
              "Malformed Packet Attack.";
            choice cfg-malformed-packet-attack-type {
              description
                "Malformed packet attack types:
                Ping of Death Attack, Teardrop Attack,
                etc.";

              case cfg-ping-of-death-attack {
                description
                  "Ping of Death Attack Case.";

                list ping-of-death-attack-rule {
                  key rule-id;
                  description
                    "Rule of Ping of Death Attack.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about
                      ping of death attack.";
                  }
                }
              }
              case cfg-teardrop-attack {
                description
                  "Teardrop Attack Case.";

                list teardrop-attack-rule {
                  key rule-id;
                  description
                    "Rule of Teardrop Attack.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about
                      teardrop attack.";
                  }
                }
              }
            }
          }
          case cfg-special-packet-attack {
            description
              "Special Packet Attack.";
            choice cfg-special-packet-attack-type {
              description
                "Special packet attack types:
                Oversized ICMP Attack, Tracert Attack,
                etc.";

              case cfg-oversized-icmp-attack {
                description
                  "Oversized ICMP Attack Case.";

                list oversized-icmp-attack-rule {
                  key rule-id;
                  description
                    "Rule of Oversized ICMP Attack.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about
                      oversized icmp attack.";
                  }
                }
              }
              case cfg-tracert-attack {
                description
                  "Tracert Attack Case.";

                list tracert-attack-rule {
                  key rule-id;
                  description
                    "Rule of Tracert Attack.";

                  leaf rule-id {
                    type uint8;
                    mandatory true;
                    description
                      "The ID of the rule about
                      tracert attack.";
                  }
                }
              }
            }
          }
        }
      }
    }
  }

}

        Figure 2: Data Model of I2NSF NSF Facing Interface

6.  Security Considerations

   This document introduces no additional security threats and SHOULD
   follow the security requirements as stated in [i2nsf-framework].

7.  Acknowledgements

   This work was supported by the Institute for Information &
   communications Technology Promotion (IITP) grant funded by the Korea
   government (MSIP) (No. R-20160222-002755, Cloud based Security
   Intelligence Technology Development for the Customized Security
   Service Provisioning).

   This document has greatly benefited from inputs by Daeyoung Hyun,
   Hyoungshick Kim, Tae-Jin Ahn, and Se-Hui Lee.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

8.2.  Informative References

   [i2nsf-cap-interface-im]
              Xia, L., Strassner, J., Zhang, D., Li, K., Basile, C.,
              Lioy, A., Lopez, D., Lopez, E., Bouthors, N., and L.
              Fang, "Information Model of NSFs Capabilities",
              draft-xibassnez-i2nsf-capability-00 (work in progress),
              November 2016.

   [i2rs-rib-data-model]
              Wang, L., Ananthakrishnan, H., Chen, M., Dass, A., Kini,
              S., and N. Bahadur, "A YANG Data Model for Routing
              Information Base (RIB)", draft-ietf-i2rs-rib-data-model-07
              (work in progress), January 2017.

   [supa-policy-info-model]
              Strassner, J., Halpern, J., and S. Meer, "Generic Policy
              Information Model for Simplified Use of Policy
              Abstractions (SUPA)",
              draft-ietf-supa-generic-policy-info-model-02 (work in
              progress), January 2017.

   [i2nsf-framework]
              Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", draft-ietf-i2nsf-framework-04 (work in
              progress), October 2016.

Appendix A.  Changes from
             draft-kim-i2nsf-nsf-facing-interface-data-model-00

   The following changes are made from
   draft-kim-i2nsf-nsf-facing-interface-data-model-00:

   o  Rules for network security (e.g., iptables) and content security
      (e.g., Suricata) are added.

   o  Some lists are replaced with containers, and some leafs are
      correspondingly replaced with leaf-lists.
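   As an added illustration that is not part of this draft or of any
   I2NSF implementation, the following Python checker applies a subset of
   the constraints that the voip-volte-rule list in Figure 2 places on
   instance data (uint8 key, mandatory leaves, exactly one case per
   choice, unique list keys) to JSON-style data of the kind a RESTCONF
   client would send an NSF.  The sample entries, the JSON encoding of
   yang:date-and-time as a string, and the error strings are assumptions
   made for this example.

```python
"""Added example, not part of the draft: applies a subset of the voip-volte-rule
constraints from the model above (uint8 key, mandatory leaves, one case per
choice, unique list keys) to constructed JSON-style instance data."""
EVENT_LEAVES = ("called-voip", "called-volte")                 # mandatory booleans
INGRESS_CASES = ("pass", "drop", "reject", "alert", "mirror")  # choice cases
EGRESS_CASES = ("redirection",)
SIP_HEADER_LEAVES = {                 # mandatory leaves of list sip-header
    "sip-header-uri": str, "sip-header-method": str,
    "sip-header-expire-time": str,    # yang:date-and-time is a string in JSON
    "sip-header-user-agent": int,     # uint32 in the model
}

def _is(value, typ):
    """isinstance() that does not let a bool pass as an int."""
    return isinstance(value, typ) and not (typ is int and isinstance(value, bool))

def _check_choice(node, cases, path):
    """A YANG choice allows exactly one case; each case here is one boolean leaf."""
    present = [c for c in cases if c in node]
    if len(present) != 1:
        return [f"{path}: exactly one of {cases} required, got {present}"]
    if not _is(node[present[0]], bool):
        return [f"{path}/{present[0]}: must be boolean"]
    return []

def validate_voip_volte_rule(rule):
    """Return the list of constraint violations for one voip-volte-rule entry."""
    errors = []
    rid = rule.get("rule-id")
    if not _is(rid, int) or not 0 <= rid <= 255:          # key leaf, uint8
        errors.append("rule-id: mandatory uint8 (0..255)")
    event = rule.get("event", {})
    for leaf in EVENT_LEAVES:
        if not _is(event.get(leaf), bool):
            errors.append(f"event/{leaf}: mandatory boolean missing")
    seen = set()
    for hdr in rule.get("condition", {}).get("sip-header", []):
        for leaf, typ in SIP_HEADER_LEAVES.items():
            if not _is(hdr.get(leaf), typ):
                errors.append(f"condition/sip-header/{leaf}: mandatory {typ.__name__}")
        uri = hdr.get("sip-header-uri")                   # list key: unique
        if uri in seen:
            errors.append(f"condition/sip-header: duplicate key {uri!r}")
        seen.add(uri)
    action = rule.get("action", {})
    ingress, egress = "ingress-action" in action, "egress-action" in action
    if ingress == egress:                     # choice action-type: one case
        errors.append("action: exactly one of ingress-action/egress-action")
    elif ingress:
        errors += _check_choice(action["ingress-action"], INGRESS_CASES, "action/ingress-action")
    else:
        errors += _check_choice(action["egress-action"], EGRESS_CASES, "action/egress-action")
    return errors

def validate_rule_list(rules):
    """Check every entry and enforce uniqueness of the list key rule-id."""
    ids = [r.get("rule-id") for r in rules]
    report = {}
    for i, rule in enumerate(rules):
        errs = validate_voip_volte_rule(rule)
        if ids.count(rule.get("rule-id")) > 1:
            errs.append(f"rule-id {rule.get('rule-id')!r} is not unique")
        if errs:
            report[i] = errs
    return report

# Constructed sample data: one well-formed entry and one with three violations.
GOOD_RULE = {"rule-id": 7, "event": {"called-voip": True, "called-volte": False},
             "condition": {"sip-header": [{"sip-header-uri": "sip:alice@example.com",
                 "sip-header-method": "INVITE", "sip-header-user-agent": 42,
                 "sip-header-expire-time": "2017-03-12T00:00:00Z"}]},
             "action": {"ingress-action": {"drop": True}}}
BAD_RULE = {"rule-id": 300, "event": {"called-voip": True},  # uint8 overflow, leaf missing
            "action": {"ingress-action": {"pass": True, "drop": True}}}  # two cases
```

   A real NSF would obtain these checks from a YANG-aware NETCONF or
   RESTCONF server rather than hand-coding them; the point here is to
   make visible what "mandatory true", a list key, and a choice commit
   the receiver to reject.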
Authors' Addresses

   Jinyong Tim Kim
   Department of Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: wlsdyd0930@nate.com

   Jaehoon Paul Jeong
   Department of Software
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon 34129
   Republic of Korea

   Phone: +82 42 860 6514
   EMail: pjs@etri.re.kr

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Liang Xia (Frank)
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu
   China

   Phone:
   EMail: Frank.xialiang@huawei.com