Interface to Network Security Functions (I2NSF)                   L. Xia
Internet-Draft                                                    Q. Lin
Intended status: Standards Track                                  Huawei
Expires: January 2, 2019                                    July 1, 2018

              I2NSF Security Policy Object YANG Data Model
                    draft-xia-i2nsf-sec-object-dm-00

Abstract

   This document describes a set of policy objects which are reusable
   and can be referenced by various I2NSF policy rules.  The YANG data
   models of these policy objects are also provided.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 2, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
   4.  Tree Diagrams
   5.  Policy Object
     5.1.  Address Object and Address Group
     5.2.  Service Object and Service Group
     5.3.  Application Object and Application Group
     5.4.  User Object, User Group and Security Group
     5.5.  Time Range Object
     5.6.  Region Object and Region Group
     5.7.  Domain Object
   6.  I2NSF Security Policy Object YANG Module
   7.  Acknowledgements
   8.  IANA Considerations
   9.  Security Considerations
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses

1.  Introduction

   As described in [RFC8329], provisioning of NSFs can be standardized
   by using policy rules, and I2NSF uses the Event-Condition-Action
   (ECA) model to represent policy rules.  According to
   [I-D.ietf-i2nsf-terminology], an I2NSF condition is defined as a set
   of attributes, features, and/or values that are to be compared with a
   set of known attributes, features, and/or values in order to
   determine whether the set of actions in that I2NSF policy rule can
   be executed or not.  The Information Model of NSF Capabilities
   [I-D.ietf-i2nsf-capability] describes the attributes of the different
   condition subclasses.  When configuring an I2NSF condition clause by
   attributes or features, it is common to see the same value of an
   attribute, or the same value set of several attributes, configured
   many times over.  Modifications of the policy rules are then also
   very tedious and time-consuming.

   To facilitate the provisioning of NSF instances, this document
   describes a set of policy objects which are reusable.  These policy
   objects can then be referenced in the condition clause of various
   I2NSF policy rules.  A policy object consists of a name attribute
   that identifies it and one or several attributes that are typically
   used together to represent a certain condition.  For example,
   protocol type and port number are usually used together to represent
   a certain service.
   Each policy object should be predefined and named in order to be used
   in I2NSF policy rules.  By defining policy objects, the creation and
   maintenance of policy rules are greatly simplified.

   o  A policy object can be referenced in different policy rules as
      required, which provides re-usability.  A policy rule can also
      reference several policy objects.

   o  A modification of a policy object is propagated to the I2NSF
      policy rules that reference this object.  No modification needs to
      be made to the related policy rules themselves.

   According to [I-D.ietf-i2nsf-terminology], there are two kinds of
   I2NSF policy rules, the I2NSF Directly Consumable Policy Rule and the
   I2NSF Indirectly Consumable Policy Rule.  The former can be executed
   by a network device without translating its content or structure,
   while the latter cannot be executed by a network device without first
   translating its content or structure.  In this document, policy
   objects are defined for I2NSF directly consumable policy rules.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Terminology

   This document uses the terms defined in [I-D.ietf-i2nsf-terminology].

4.  Tree Diagrams

   The tree diagram notation defined in [RFC8340] is used to represent
   the policy objects defined in this document.  The meaning of the
   symbols used in the tree diagrams of the following sections, and
   their syntax, are as follows:

   o  Groupings are offset by 2 spaces and identified by the keyword
      "grouping" followed by the name of the grouping and a colon (":")
      character.

   o  Each node in the tree is prefixed with "+--".  Schema nodes that
      are children of another node are offset from the parent by 3
      spaces.

   o  Brackets "[" and "]" enclose list keys.
   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" means state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!"
      means a presence container, and "*" denotes a "list" or "leaf-
      list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Curly brackets and a question mark "{...}?" are combined to
      represent the features that a node depends on.

5.  Policy Object

   This document defines policy objects that are commonly used.
   Figure 1 shows all the defined policy objects and their
   relationships.

   +---------------------------------------------------------------------+
   |                            Policy Object                            |
   +---------------------------------------------------------------------+
       |         |           |          |        |      |     |      |
       |         |           |          |        |      |     |      |
   +-------+ +-------+ +-----------+ +-----+ +--------+ |     |      |
   |Address| |Service| |Application| |User | |Security| |     |      |
   |Group  | |Group  | |Group      | |Group| |Group   | |  +------+  |
   +-------+ +-------+ +-----------+ +-----+ +--------+ |  |Domain|  |
       |         |           |          |        |      |  |Object|  |
       |         |           |          +--------+      |  +------+  |
       |         |           |          |               |            |
   +-------+ +-------+ +-----------+ +------+     +----------+   +------+
   |Address| |Service| |Application| |User  |     |Time Range|   |Region|
   |Object | |Object | |Object     | |Object|     |Object    |   |Object|
   +-------+ +-------+ +-----------+ +------+     +----------+   +------+

                   Figure 1: The Policy Objects Overview

5.1.  Address Object and Address Group

   An address object is identified by a unique name and contains a set
   of IPv4/IPv6 addresses or MAC addresses.  Several address objects can
   be organized into an address group object.

   This document defines groupings for address objects and address
   groups.

   The tree diagram of the address object is:

     grouping addr-objects:
       +--rw addr-object* [name]
          +--rw name                       address-set-name
          +--rw desc?                      string
          +--rw vpn-instance?              string
          +--rw elements* [elem-id]
             +--rw elem-id                 uint16
             +--rw (object-items)
                +--:(ipv4)
                |  +--rw address-ipv4      inet:ipv4-prefix
                +--:(ipv6)
                |  +--rw address-ipv6      inet:ipv6-prefix
                +--:(mac)
                |  +--rw mac-address       yang:mac-address
                |  +--rw mac-address-mask  yang:mac-address
                +--:(ipv4-range)
                |  +--rw start-ipv4        inet:ipv4-address
                |  +--rw end-ipv4          inet:ipv4-address
                +--:(ipv6-range)
                   +--rw start-ipv6        inet:ipv6-address
                   +--rw end-ipv6          inet:ipv6-address

   The tree diagram of the address group is:

     grouping addr-groups:
       +--rw addr-group* [name]
          +--rw name                address-set-name
          +--rw desc?               string
          +--rw vpn-instance        string
          +--rw elements* [elem-id]
             +--rw elem-id          uint16
             +--rw addr-object-name address-set-name

5.2.  Service Object and Service Group

   A service object is a kind of service based on IP, ICMP, UDP, TCP, or
   SCTP.  Several related service objects make up a service group.  To
   identify different kinds of services, different kinds of attributes
   need to be specified.

   o  A UDP, TCP, or SCTP based service is recognized by port number.
      The source port number and destination port number are used to
      identify the sending and receiving service respectively.

   o  An ICMP or ICMPv6 based service is recognized by two header fields
      in the ICMP/ICMPv6 packets: the type field and the code field.

   o  An IP based service is recognized by the value of the protocol
      field in the IP packet header.

   Besides, a set of well-known services should be predefined by NSFs as
   service objects to support direct usage.

   The tree diagram of the service object is:

     grouping service-objects:
       +--ro pre-defined-service* [name]
       |  +--ro name                    string
       |  +--ro session-aging-time      uint16
       +--rw service-object* [name]
          +--rw name                    service-set-name
          +--rw session-aging-time      uint16
          +--rw desc?                   string
          +--rw items* [id]
             +--rw id                   uint16
             +--rw (item)
                +--:(tcp-item)
                |  +--rw tcp
                |     +--rw source-port
                |     |  +--rw (port-range-or-operator)
                |     |     +--:(range)
                |     |     |  +--rw lower-port     inet:port-number
                |     |     |  +--rw upper-port     inet:port-number
                |     |     +--:(operator)
                |     |        +--rw operator?      operator
                |     |        +--rw port           inet:port-number
                |     +--rw destination-port
                |        +--rw (port-range-or-operator)
                |           +--:(range)
                |           |  +--rw lower-port     inet:port-number
                |           |  +--rw upper-port     inet:port-number
                |           +--:(operator)
                |              +--rw operator?      operator
                |              +--rw port           inet:port-number
                +--:(udp-item)
                |  +--rw udp
                |     +--rw source-port
                |     |  +--rw (port-range-or-operator)
                |     |     +--:(range)
                |     |     |  +--rw lower-port     inet:port-number
                |     |     |  +--rw upper-port     inet:port-number
                |     |     +--:(operator)
                |     |        +--rw operator?      operator
                |     |        +--rw port           inet:port-number
                |     +--rw destination-port
                |        +--rw (port-range-or-operator)
                |           +--:(range)
                |           |  +--rw lower-port     inet:port-number
                |           |  +--rw upper-port     inet:port-number
                |           +--:(operator)
                |              +--rw operator?      operator
                |              +--rw port           inet:port-number
                +--:(sctp-item)
                |  +--rw sctp
                |     +--rw source-port
                |     |  +--rw (port-range-or-operator)
                |     |     +--:(range)
                |     |     |  +--rw lower-port     inet:port-number
                |     |     |  +--rw upper-port     inet:port-number
                |     |     +--:(operator)
                |     |        +--rw operator?      operator
                |     |        +--rw port           inet:port-number
                |     +--rw destination-port
                |        +--rw (port-range-or-operator)
                |           +--:(range)
                |           |  +--rw lower-port     inet:port-number
                |           |  +--rw upper-port     inet:port-number
                |           +--:(operator)
                |              +--rw operator?      operator
                |              +--rw port           inet:port-number
                +--:(icmp-item)
                |  +--rw (icmp-type)
                |     +--:(name-type)
                |     |  +--rw icmp-name               icmp-name-type
                |     +--:(type-code)
                |        +--rw icmp-type-code
                |           +--rw icmp-type-number     uint8
                |           +--rw icmp-code-number     string
                +--:(icmp6-item)
                |  +--rw (icmp6)
                |     +--:(name-type)
                |     |  +--rw icmp6-name              icmp6-name-type
                |     +--:(type-code)
                |        +--rw icmp6-type-code
                |           +--rw icmp-type-number     uint8
                |           +--rw icmp-code-number     string
                +--:(protocol-id)
                   +--rw proto-id                      proto-id-range

   The tree diagram of the service group is:

     grouping service-groups:
       +--rw service-group* [name]
          +--rw name                service-set-name
          +--rw desc?               string
          +--rw items* [id]
             +--rw id               uint16
             +--rw service-set-name service-set-name

5.3.  Application Object and Application Group

   Due to the diversity and large number of applications, it is not
   possible to identify a certain application based on protocol type and
   port number alone.  For example, many web applications with different
   risk levels run on ports 80 and 443 using HTTP and HTTPS, such as web
   gaming applications and web chat applications.  Protocol type and
   port number cannot distinguish applications using the same
   application protocol.  In this document, category, subcategory, data
   transmission model, and risk level are used to describe an
   application.  A set of well-known application objects should be
   predefined in NSFs to support direct reference.

   The tree diagram of the application object is:

     grouping application-objects:
       +--rw user-defined-application {user-defined-application}?
       |  +--rw application* [name]
       |     +--rw name                string
       |     +--rw label*              string
       |     +--rw data-model?         string
       |     +--rw category?           string
       |     +--rw subcategory?        string
       |     +--rw desc?               string
       |     +--rw rule* [name]
       |        +--rw name             string
       |        +--rw protocol?        protocol
       |        +--rw signature
       |        |  +--rw mode?         mode
       |        |  +--rw direction?    direction
       |        |  +--rw pattern-type? pattern-type
       |        |  +--rw pattern?      string
       |        |  +--rw field?        identityref
       |        +--rw ip-address*      inet:ip-prefix
       |        +--rw port*            inet:port-number
       |        +--rw desc?            string
       +--ro predefined-application
          +--ro application* [name]
             +--ro name                string
             +--ro protocol*           string
             +--ro risk-value?         uint32
             +--ro label*              string
             +--ro abandon?            boolean
             +--ro multichannel?       boolean
             +--ro data-model?         string
             +--ro category?          string
             +--ro subcategory?        string
             +--ro desc?               string

   The tree diagram of the application group is:

     grouping application-groups:
       +--rw application-group* [name]
          +--rw name                     string
          +--rw desc?                    string
          +--rw items* [id]
             +--rw id                    uint16
             +--rw application-object-name string

5.4.  User Object, User Group and Security Group

   A user object identifies a person who may access network resources.
   It is the basis for implementing user-based policy control.  User
   objects may be created locally on the NSFs, or be imported from third
   parties, such as authentication servers.  User objects that require
   the same policy enforcement are grouped into user group objects or
   security group objects.  User group objects are organized in a
   hierarchical structure.  A security group object consists of user
   objects from different user group objects that require the same
   policy enforcement.
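   The address and service objects of Sections 5.1 and 5.2 can be
   evaluated against a connection as follows.  This is an added Python
   example, not code from the draft: the object instances, the rule
   layout and the connections are constructed here, and the operator
   values eq/neq/lte/gte are assumed from the ACL model's operator
   typedef.

```python
"""Evaluate I2NSF address and service objects against a connection.

Instance data follows the node names of the addr-objects and
service-objects groupings.  Sample objects, rules and connections are
constructed for this example; eq/neq/lte/gte are assumed operator values.
"""
import ipaddress

# Constructed address object: one element per case of (object-items).
ADDR_OBJECTS = {
    "corp-hosts": {"name": "corp-hosts", "elements": [
        {"elem-id": 1, "address-ipv4": "10.1.0.0/16"},
        {"elem-id": 2, "start-ipv4": "192.0.2.10", "end-ipv4": "192.0.2.20"},
        {"elem-id": 3, "address-ipv6": "2001:db8::/32"},
        {"elem-id": 4, "mac-address": "00:11:22:00:00:00",
         "mac-address-mask": "ff:ff:ff:00:00:00"},
    ]},
}

# Constructed service objects: tcp/udp items use the range and operator
# cases of port-range-or-operator; "tunnel" uses the protocol-id case.
SERVICE_OBJECTS = {
    "web": {"name": "web", "items": [
        {"id": 1, "tcp": {"destination-port": {"lower-port": 80, "upper-port": 80}}},
        {"id": 2, "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
        {"id": 3, "udp": {"destination-port": {"operator": "gte", "port": 1024}}},
    ]},
    "tunnel": {"name": "tunnel", "items": [{"id": 1, "proto-id": 47}]},
}
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132, "gre": 47}  # IANA numbers


def _mac_int(mac):
    return int(mac.replace(":", ""), 16)


def element_matches(elem, addr):
    """True if addr (an IP or MAC string) is covered by one address element."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a MAC address
    if "mac-address" in elem:
        if ip is not None:
            return False
        # Without a mask the leaf is one MAC; with a mask it is a
        # contiguous range, compared under the mask.
        mask = _mac_int(elem.get("mac-address-mask", "ff:ff:ff:ff:ff:ff"))
        return _mac_int(addr) & mask == _mac_int(elem["mac-address"]) & mask
    if ip is None:
        return False
    for key in ("address-ipv4", "address-ipv6"):
        if key in elem:
            net = ipaddress.ip_network(elem[key], strict=False)
            return ip.version == net.version and ip in net
    for ver in ("ipv4", "ipv6"):
        if f"start-{ver}" in elem:
            start = ipaddress.ip_address(elem[f"start-{ver}"])
            end = ipaddress.ip_address(elem[f"end-{ver}"])
            return ip.version == start.version and start <= ip <= end
    return False


def invalid_ranges(obj):
    """elem-ids whose start address is above the end address (never match)."""
    bad = []
    for elem in obj["elements"]:
        for ver in ("ipv4", "ipv6"):
            if f"start-{ver}" in elem and (ipaddress.ip_address(elem[f"start-{ver}"])
                                           > ipaddress.ip_address(elem[f"end-{ver}"])):
                bad.append(elem["elem-id"])
    return bad


def address_matches(obj, addr):
    return any(element_matches(e, addr) for e in obj["elements"])


def port_matches(spec, port):
    """Apply one port-range-or-operator choice; no spec means any port."""
    if spec is None:
        return True
    if "lower-port" in spec:  # case range
        return spec["lower-port"] <= port <= spec["upper-port"]
    op, ref = spec.get("operator", "eq"), spec["port"]  # case operator
    return {"eq": port == ref, "neq": port != ref,
            "lte": port <= ref, "gte": port >= ref}[op]


def service_matches(obj, proto, sport, dport):
    """True if any item matches; ICMP items are not covered here."""
    for item in obj["items"]:
        if proto in item:  # tcp-item / udp-item / sctp-item
            ports = item[proto]
            if (port_matches(ports.get("source-port"), sport)
                    and port_matches(ports.get("destination-port"), dport)):
                return True
        elif "proto-id" in item and item["proto-id"] == PROTO_NUMBERS.get(proto):
            return True
    return False


# Constructed directly consumable rules: the condition names the objects,
# so editing "corp-hosts" or "web" once changes every rule that uses them.
RULES = [
    {"name": "allow-corp-web", "src-addr": "corp-hosts", "service": "web", "action": "permit"},
    {"name": "log-corp-web", "src-addr": "corp-hosts", "service": "web", "action": "log"},
    {"name": "allow-corp-gre", "src-addr": "corp-hosts", "service": "tunnel", "action": "permit"},
]


def rule_actions(conn, rules=RULES, addrs=ADDR_OBJECTS, services=SERVICE_OBJECTS):
    """Actions of every rule whose referenced objects both match conn."""
    return [r["action"] for r in rules
            if address_matches(addrs[r["src-addr"]], conn["src"])
            and service_matches(services[r["service"]], conn["proto"],
                                conn.get("sport", 0), conn.get("dport", 0))]
```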
                +---------------------------+
                |        UserGroup_3        |
                +---------------------------+
                  |                     |
                  |                     |
           +--------------+      +--------------+
           | UserGroup_1  |      | UserGroup_2  |
           +--------------+      +--------------+
             |          |          |          |
             |          |          |          |
         +--------+ +--------+ +--------+ +--------+
         | User_1 | | User_2 | | User_a | | User_b |
         +--------+ +--------+ +--------+ +--------+
                         \         /
                          \       /
                    +-----------------+
                    | SecurityGroup_1 |
                    +-----------------+

     Figure 2: Example of User, User Group and Security Group Structure

   The tree diagram of the user object is:

     grouping user-objects:
       +--rw user-object* [name aaa-domain]
          +--rw name                      user-name
          +--rw aaa-domain                string
          +--rw desc?                     string
          +--rw password?                 ianach:crypt-hash
          +--rw parent-user-group         user-group-name
          +--rw parent-security-group     user-security-group-name
          +--rw expiration-time
          |  +--rw (expiration-type)
          |     +--:(never-expire)
          |     |  +--rw never-expire
          |     +--:(expire-after-this-time)
          |        +--rw expiration-time   yang:date-and-time
          +--rw ip-mac-binding
             +--rw (bind-state)
                +--:(no-binding)
                |  +--rw no-binding
                +--:(binding)
                   +--rw bind-mode         ip-mac-binding-type
                   +--rw ip-binding*       inet:ipv4-address
                   +--rw mac-binding*      yang:mac-address
                   +--rw ip-mac-bindings* [ip-binding]
                      +--rw ip-binding     inet:ipv4-address
                      +--rw mac-binding    yang:mac-address

   The tree diagram of the user group is:

     grouping user-groups:
       +--rw user-group* [name]
          +--rw name                      user-group-name
          +--rw desc?                     string
          +--rw parent-user-group         user-group-name

   The tree diagram of the security group is:

     grouping security-groups:
       +--rw security-group* [name]
          +--rw name                      user-security-group-name
          +--rw desc?                     string
          +--rw parent-security-group*    user-security-group-name
          +--rw filter-action
             +--rw (filter-type)
                +--:(static)
                |  +--rw static
                +--:(dynamic)
                   +--rw dynamic
                      +--rw filter-rule*   string

5.5.  Time Range Object

   There are two kinds of time ranges: the periodic time range and the
   absolute time range.  A periodic time range recurs every week.  An
   absolute time range occurs only once.

   The tree diagram of the time range object is:

     grouping time-range-objects:
       +--rw time-range-object* [name]
          +--rw name                 time-range-name
          +--rw period-time* [start end]
          |  +--rw start             hour-minute-second
          |  +--rw end               hour-minute-second
          |  +--rw weekday           weekday
          +--rw absolute-time* [start end]
             +--rw start             yang:date-and-time
             +--rw end               yang:date-and-time

5.6.  Region Object and Region Group

   A region object is a set of public IP addresses that are assigned to
   a certain geographic location.  A region group consists of a set of
   region objects.

   The tree diagram of the region object is:

     grouping region-objects:
       +--ro pre-defined-region* [name]
       |  +--ro name                    region-name
       |  +--ro desc?                   string
       |  +--ro region-ipv4-address
       |  |  +--ro address-ipv4*        inet:ipv4-prefix
       |  |  +--ro address-ipv4-range* [start-ipv4 end-ipv4]
       |  |     +--ro start-ipv4        inet:ipv4-address
       |  |     +--ro end-ipv4          inet:ipv4-address
       |  +--ro region-ipv6-address {support-ipv6-address}?
       |     +--ro address-ipv6*        inet:ipv6-prefix
       |     +--ro address-ipv6-range* [start-ipv6 end-ipv6]
       |        +--ro start-ipv6        inet:ipv6-address
       |        +--ro end-ipv6          inet:ipv6-address
       +--rw user-defined-region* [name]
          +--rw name                    region-name
          +--rw desc?                   string
          +--rw coordinate
          |  +--rw longitude            region-longitude
          |  +--rw latitude             region-latitude
          +--rw region-ip-address
          |  +--rw address-ipv4*        inet:ipv4-prefix
          |  +--rw address-ipv4-range* [start-ipv4 end-ipv4]
          |     +--rw start-ipv4        inet:ipv4-address
          |     +--rw end-ipv4          inet:ipv4-address
          +--rw region-ipv6-address {support-ipv6-address}?
             +--rw address-ipv6*        inet:ipv6-prefix
             +--rw address-ipv6-range* [start-ipv6 end-ipv6]
                +--rw start-ipv6        inet:ipv6-address
                +--rw end-ipv6          inet:ipv6-address

   The tree diagram of the region group is:

     grouping region-groups:
       +--rw region-group* [name]
          +--rw name                 region-name
          +--rw desc?                string
          +--rw region-name*         region-name
          +--rw region-group-name*   region-name

5.7.  Domain Object

   The tree diagram of the domain object is:

     grouping domain-objects:
       +--rw domain-object* [name]
          +--rw name        domain-name
          +--rw desc?       string
          +--rw domain*     string

6.  I2NSF Security Policy Object YANG Module

   file "ietf-policy-object@2018-06-15.yang"
   module ietf-policy-object {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-policy-object";
     prefix policy-object;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991 - Common YANG Data Types.";
     }

     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991 - Common YANG Data Types.";
     }

     import iana-crypt-hash {
       prefix ianach;
       reference
         "RFC 7317 - A YANG Data Model for System Management.";
     }

     import ietf-packet-fields {
       prefix pf;
       reference
         "draft-ietf-netmod-acl-model - Network Access Control List
          (ACL) YANG Data Model.";
     }

     organization
       "IETF I2NSF (Interface To Network Security Functions)
        Working Group";

     contact
       "WG Web:  http://tools.ietf.org/wg/i2nsf/
        WG List: i2nsf@ietf.org

        Editor: Liang Xia
                frank.xialiang@huawei.com
        Editor: Qiushi Lin
                linqiushi@huawei.com";

     description
       "This YANG module defines groupings that are used by the
        ietf-policy-object YANG module.  Their usage is not limited to
        ietf-policy-object; they can be used anywhere as applicable.";

     revision 2018-06-15 {
       description "Initial version.";
       reference "draft-xia-i2nsf-sec-object-dm";
     }

     /*
      * Typedefs for address object and address group
      */
     typedef address-set-name {
       type string {
         length "1..63";
       }
       description
         "This type represents an address object or an address group
          name.";
     }

     /*
      * Typedefs for service object and service group
      */
     typedef service-set-name {
       type string {
         length "1..63";
       }
       description
         "This type represents a service object or a service group
          name.";
     }

     typedef port-range {
       type uint16;
       description
         "This type represents a port number, which may be the start
          port or the end port of a port range.";
     }

     typedef proto-id-range {
       type uint8 {
         range "0..255";
       }
       description "This type represents the range of protocol ids.";
     }

     typedef icmp-name-type {
       type enumeration {
         enum echo {
           description "ICMP type number 8, ICMP code number 0";
         }
         enum echo-reply {
           description "ICMP type number 0, ICMP code number 0";
         }
         enum fragmentneed-DFset {
           description "ICMP type number 3, ICMP code number 4";
         }
         enum host-redirect {
           description "ICMP type number 5, ICMP code number 1";
         }
         enum host-tos-redirect {
           description "ICMP type number 5, ICMP code number 3";
         }
         enum host-unreachable {
           description "ICMP type number 3, ICMP code number 1";
         }
         enum information-reply {
           description "ICMP type number 16, ICMP code number 0";
         }
         enum information-request {
           description "ICMP type number 15, ICMP code number 0";
         }
         enum net-redirect {
           description "ICMP type number 5, ICMP code number 0";
         }
         enum net-tos-redirect {
           description "ICMP type number 5, ICMP code number 2";
         }
         enum net-unreachable {
           description "ICMP type number 3, ICMP code number 0";
         }
         enum parameter-problem {
           description "ICMP type number 12, ICMP code number 0";
         }
         enum port-unreachable {
           description "ICMP type number 3, ICMP code number 3";
         }
         enum protocol-unreachable {
           description "ICMP type number 3, ICMP code number 2";
         }
         enum reassembly-timeout {
           description "ICMP type number 11, ICMP code number 1";
         }
         enum source-quench {
           description "ICMP type number 4, ICMP code number 0";
         }
         enum source-soute-failed {
           description "ICMP type number 3, ICMP code number 5";
         }
         enum timestamp-reply {
           description "ICMP type number 14, ICMP code number 0";
         }
         enum timestamp-request {
           description "ICMP type number 13, ICMP code number 0";
         }
         enum ttl-exceeded {
           description "ICMP type number 11, ICMP code number 0";
         }
       }
       description "This type is an enumeration of ICMP type names.";
     }

     typedef icmp6-name-type {
       type enumeration {
         enum redirect {
           description "ICMPv6 type number 137, ICMPv6 code number 0";
         }
         enum echo {
           description "ICMPv6 type number 128, ICMPv6 code number 0";
         }
         enum echo-reply {
           description "ICMPv6 type number 129, ICMPv6 code number 0";
         }
         enum err-Header-field {
           description "ICMPv6 type number 4, ICMPv6 code number 0";
         }
         enum frag-time-exceeded {
           description "ICMPv6 type number 3, ICMPv6 code number 1";
         }
         enum hop-limit-exceeded {
           description "ICMPv6 type number 3, ICMPv6 code number 0";
         }
         enum host-admin-prohib {
           description "ICMPv6 type number 1, ICMPv6 code number 1";
         }
         enum host-unreachable {
           description "ICMPv6 type number 1, ICMPv6 code number 3";
         }
         enum neighbor-advertisement {
           description "ICMPv6 type number 136, ICMPv6 code number 0";
         }
         enum neighbor-solicitation {
           description "ICMPv6 type number 135, ICMPv6 code number 0";
         }
         enum network-unreachable {
           description "ICMPv6 type number 1, ICMPv6 code number 0";
         }
         enum packet-too-big {
           description "ICMPv6 type number 2, ICMPv6 code number 0";
         }
         enum port-unreachable {
           description "ICMPv6 type number 1, ICMPv6 code number 4";
         }
         enum router-advertisement {
           description "ICMPv6 type number 134, ICMPv6 code number 0";
         }
         enum router-solicitation {
           description "ICMPv6 type number 133, ICMPv6 code number 0";
         }
         enum unknown-ipv6-opt {
           description "ICMPv6 type number 4, ICMPv6 code number 2";
         }
         enum unknown-next-hdr {
           description "ICMPv6 type number 4, ICMPv6 code number 1";
         }
       }
       description "This type is an enumeration of ICMPv6 type names.";
     }

     /*
      * Typedefs for application object and application group
      */
     typedef protocol {
       type enumeration {
         enum tcp {
           description "tcp protocol";
         }
         enum udp {
           description "udp protocol";
         }
         enum any {
           description "any";
         }
       }
       description
         "The protocol of a user-defined application rule:
          tcp/udp/any.";
     }

     typedef mode {
       type enumeration {
         enum flow {
           description "Keyword exists in multiple packets";
         }
         enum packet {
           description "Keyword exists in one packet";
         }
       }
       description
         "The mode of keyword identification.  If the keyword exists in
          one packet, the mode is Packet.  If the keyword exists in
          multiple packets, the mode is Flow.";
     }

     typedef direction {
       type enumeration {
         enum request;
         enum response;
         enum both;
       }
       description
         "The direction of a user-defined application rule:
          request/response/both.  Request indicates that data to the
          server is detected, Response indicates that data from the
          server is detected, and Both indicates that data from and to
          the server is detected.";
     }

     typedef pattern-type {
       type enumeration {
         enum regular;
         enum plain;
       }
       description
         "The match pattern of the user-defined application rule.  If
          the keyword is a fixed string, the pattern type is Plain.  If
          the keyword is not a fixed string, the pattern type is
          Regular Expression.";
     }

     /*
      * Typedefs for user object, user group, and security group
      */

     typedef user-name {
       type string {
         length "1..63";
       }
       description "This type represents a user name.";
     }

     typedef user-group-name {
       type string {
         length "1..63";
       }
       description "This type represents a user group name.";
     }

     typedef user-security-group-name {
       type string {
         length "1..63";
       }
       description "This type represents a security group name.";
     }

     typedef ip-mac-binding-type {
       type enumeration {
         enum bidirectional;
         enum unidirectional;
       }
       description
         "The user and IP/MAC address binding mode: bidirectional or
          unidirectional.  In unidirectional binding, a user must use
          the specified IP and MAC addresses to log in; the same IP and
          MAC addresses can also be used by other users.  In
          bidirectional binding, a user must use the specified IP and
          MAC addresses to log in, and the same IP and MAC addresses
          cannot be used by other bidirectional binding users.";
     }

     /*
      * Typedefs for time range object
      */
     typedef time-range-name {
       type string {
         length "1..32";
       }
       description "This type represents a time-range name.";
     }

     typedef hour-minute-second {
       type string {
         pattern '\d{1,2}:\d{1,2}:\d{1,2}';
       }
       description "hh:mm:ss";
     }

     typedef weekday {
       type enumeration {
         enum sunday {
           description "Sunday of the week";
         }
         enum monday {
           description "Monday of the week";
         }
         enum tuesday {
           description "Tuesday of the week";
         }
         enum wednesday {
           description "Wednesday of the week";
         }
         enum thursday {
           description "Thursday of the week";
         }
         enum friday {
           description "Friday of the week";
         }
         enum saturday {
           description "Saturday of the week";
         }
       }
       description
         "A type modeling the weekdays in the Greco-Roman tradition.";
     }

     /*
      * Typedefs for region object and region group
      */
     typedef region-name {
       type string;
       description
         "This type represents a location or location set name.";
     }

     typedef region-longitude {
       type string;
       description
         "This type represents a region longitude number
          (-180.00 - 180.00).";
     }

     typedef region-latitude {
       type string;
       description
         "This type represents a region latitude number
          (-90.00 - 90.00).";
     }

     typedef domain-name {
       type string {
         length "1..63";
       }
       description "This type represents a domain object name.";
     }

     /*
      * Identities for application object and application group
      */
     identity protocol-field {
       description "Base type of protocol field.";
     }

     identity general-payload {
       base protocol-field;
       description "The field of signature is general-payload.";
     }

     identity http-method {
       base protocol-field;
       description "The field of signature is http.method.";
     }

identity http-uri { 935 base protocol-field; 936 description "The field of signature is http.uri."; 937 } 939 identity http-user-agent { 940 base protocol-field; 941 description "The field of signature is http.user-agent."; 942 } 944 identity http-host { 945 base protocol-field; 946 description "The field of signature is http.host."; 947 } 949 identity http-content-type { 950 base protocol-field; 951 description "The field of signature is http.content-type."; 952 } 954 identity http-cookie { 955 base protocol-field; 956 description "The field of signature is http.cookie."; 957 } 959 identity http-body { 960 base protocol-field; 961 description "The field of signature is http.body."; 962 } 964 /* 965 * Features for application object and application group 966 */ 967 feature user-defined-application { 968 description "This feature means the NSF supports user-defined application function that can be used to define application rule."; 969 } 971 /* 972 * Groupings for address object and address group 973 */ 974 grouping address-object-item { 975 choice object-items { 976 case ipv4 { 977 leaf address-ipv4 { 978 type inet:ipv4-prefix; 979 description "A set of IPv4 addresses that are represented by an IPv4 address prefix."; 980 } 982 } 983 case ipv6 { 984 leaf address-ipv6 { 985 type inet:ipv6-prefix; 986 description "A set of IPv6 addresses that are represented by an IPv6 address prefix."; 987 } 988 } 989 case mac { 990 leaf mac-address { 991 type yang:mac-address; 992 description "MAC address. This leaf is combined with the mac-address-mask leaf to represent a single MAC address or a set of MAC addresses. If the mac-address-mask leaf is not presented, this leaf represents a single MAC address. If the mac-address-mask leaf is setted, this leaf represents a range of contiguous MAC addresses."; 993 } 994 leaf mac-address-mask { 995 type yang:mac-address; 996 description "If this leaf is not presented, the mac-address leaf represents a single MAC address. 
If this leaf is setted, the mac-address leaf represents a range of contiguous MAC addresses."; 997 } 998 } 999 case ipv4-range { 1000 leaf start-ipv4 { 1001 type inet:ipv4-address; 1002 description "The start IPv4 address of an IPv4 address range."; 1003 } 1004 leaf end-ipv4 { 1005 type inet:ipv4-address; 1006 description "The end IPv4 address of an IPv4 address range."; 1007 } 1008 } 1009 case ipv6-range { 1010 leaf start-ipv6 { 1011 type inet:ipv6-address; 1012 description "The start IPv6 address of an IPv6 address range."; 1013 } 1014 leaf end-ipv6 { 1015 type inet:ipv6-address; 1016 description "The end IPv6 address of an IPv6 address range."; 1017 } 1018 } 1019 description "Diffrent types of addresses: IPv4, IPv6, MAC."; 1020 } 1021 description "This grouping consists of IPv4/IPv6 addresses or MAC addresses, which can be used in address objects."; 1022 } 1024 grouping addr-objects { 1025 list addr-object { 1026 key "name"; 1027 leaf name { 1028 type address-set-name; 1029 description "The name of the address object."; 1031 } 1032 leaf desc { 1033 type string{ 1034 length "1..127"; 1035 } 1036 description "The description of the address object."; 1037 } 1038 leaf vpn-instance { 1039 type string; 1040 description "The name of the vpn-instrance."; 1041 } 1042 list elements { 1043 key "elem-id"; 1044 leaf elem-id { 1045 type uint16; 1046 description "The id of the element in address object."; 1047 } 1048 uses address-object-item; 1049 description "A list of addresses that belong to a specific address object."; 1050 } 1051 description "A list of address objects."; 1052 } 1053 description "This grouping represents a list of address objects. An address object is identified by an unique name and contains a set of IPv4/IPv6 addresses or MAC addresses. 
This grouping reuse the predefined address-object-item grouping."; 1054 } 1056 grouping addr-groups { 1057 list addr-group { 1058 key "name"; 1059 leaf name { 1060 type address-set-name; 1061 description "The name of the address group."; 1062 } 1063 leaf desc { 1064 type string{ 1065 length "1..127"; 1066 } 1067 description "The description of the address group."; 1068 } 1069 leaf vpn-instance { 1070 type string; 1071 description "The name of the vpn-instrance."; 1072 } 1073 list elements { 1074 key "elem-id"; 1075 leaf elem-id { 1076 type uint16; 1077 description "The id of the element in address group."; 1078 } 1079 leaf addr-object-name { 1080 type address-set-name; 1081 mandatory true; 1082 description "The name of the address object that consists the address group."; 1083 } 1084 description "A list of address objects that consists the address group object."; 1085 } 1086 description "A list of address group objects."; 1087 } 1088 description "An address group object is comprised of several address objects that require the same policy enforcement. This grouping represents a list of address groups."; 1089 } 1091 /* 1092 * Groupings for service object and service group 1093 */ 1094 grouping port-items { 1095 list source-port { 1096 uses pf:port-range-or-operator; 1097 description "Source port definition from range or operator."; 1098 } 1099 list dest-port { 1100 key "start"; 1101 uses pf:port-range-or-operator; 1102 description "Destination port definition from range or operator."; 1103 } 1104 description "This grouping consists of the source port numbers and destination port numbers that represent UDP, TCP or SCTP based services."; 1105 } 1107 grouping service-object-item { 1108 choice item { 1109 case tcp-item { 1110 container tcp { 1111 uses port-items; 1112 description "TCP based service is recognized by source port number and destination port number. 
This container reuse the port-items grouping."; 1113 } 1114 } 1115 case udp-item { 1116 container udp { 1117 uses port-items; 1118 description "UDP based service is recognized by source port number and destination port number. This container reuse the port-items grouping."; 1119 } 1120 } 1121 case sctp-item { 1122 container sctp { 1123 uses port-items; 1124 description "SCTP based service is recognized by source port number and destination port number. This container reuse the port-items grouping."; 1125 } 1127 } 1128 case icmp-item { 1129 choice icmp-type { 1130 case name-type { 1131 leaf icmp-name { 1132 type icmp-name-type; 1133 mandatory true; 1134 description "The ICMP based service is identified by the predefined ICMP name type."; 1135 } 1136 } 1137 case type-code { 1138 container icmp-type-code { 1139 leaf icmp-type-number { 1140 type uint8; 1141 mandatory true; 1142 description "The ICMP type number."; 1143 } 1144 leaf icmp-code-number { 1145 type string; 1146 mandatory true; 1147 description "The ICMP code number."; 1148 } 1149 description "The ICMP based service is recognized by two header fields in the ICMP packets: type field and code field."; 1150 } 1151 } 1152 description "The ICMP based service object and its attributes."; 1153 } 1154 } 1155 case icmp6-item { 1156 choice icmp6-type { 1157 case name-type { 1158 leaf icmp6-name { 1159 type icmp6-name-type; 1160 mandatory true; 1161 description "The ICMPv6 based service is identified by the predefined ICMPv6 name type."; 1162 } 1163 } 1164 case type-code { 1165 container icmp6-type-code { 1166 leaf icmp6-type-number { 1167 type uint8; 1168 mandatory true; 1169 description "The ICMPv6 type number."; 1170 } 1171 leaf icmp6-code-number { 1172 type string; 1173 mandatory true; 1174 description "The ICMP code number."; 1176 } 1177 description "The ICMPv6 based service is recognized by two header fields in the ICMPv6 packets: type field and code field."; 1178 } 1179 } 1180 description "The ICMPv6 based 
service object and its attributes."; 1181 } 1182 description "The ICMPv6 based service object and its attributes."; 1183 } 1184 case protocol-id { 1185 leaf proto-id { 1186 type proto-id-range; 1187 mandatory true; 1188 description "IP based service is identified by the value of the protocol field in IP packet header."; 1189 } 1190 } 1191 description "Diffrent types of protocols for service definition."; 1192 } 1193 description "This grouping lists different protocol attributes, which can be used in service objects."; 1194 } 1196 grouping service-objects { 1197 list pre-defined-service { 1198 key "name"; 1199 config false; 1200 leaf name { 1201 type service-set-name; 1202 config false; 1203 description "The name of the predefined service object."; 1204 } 1205 leaf session-aging-time { 1206 type uint16; 1207 units second; 1208 config false; 1209 description "The aging time of the predefined service object."; 1210 } 1211 description "A list of the predefined service objects."; 1212 } 1213 list service-object { 1214 key "name"; 1215 leaf name { 1216 type service-set-name; 1217 description "The name of the service object."; 1218 } 1219 leaf session-aging-time { 1220 type uint16; 1221 units second; 1222 description "The aging time of the service object."; 1223 } 1224 leaf desc { 1225 type string{ 1226 length "1..127"; 1227 } 1228 description "The description of the service object."; 1229 } 1230 list items { 1231 key "id"; 1232 leaf id { 1233 type uint16; 1234 description "The id of the element in service object."; 1235 } 1236 uses service-object-item; 1237 description "A list of service items that consist an service object."; 1238 } 1239 description "A list of user defined service objects."; 1240 } 1241 description "A list of the predefined service objects and user defined service objects."; 1242 } 1244 grouping service-groups { 1245 list service-group { 1246 key "name"; 1247 leaf name { 1248 type service-set-name; 1249 description "The name of the service group."; 1250 
} 1251 leaf desc { 1252 type string{ 1253 length "1..127"; 1254 } 1255 description "The description of the service group."; 1256 } 1257 list items { 1258 key "id"; 1259 leaf id { 1260 type uint16; 1261 description "The id of the element in service group."; 1262 } 1263 leaf service-object-name { 1264 type service-set-name; 1265 mandatory true; 1266 description "The name of the service object that consists the service group."; 1267 } 1268 description "A list of service objects that consists the service group object."; 1269 } 1270 description "A list of service group objects."; 1271 } 1272 description "A service group object is comprised of several service objects that require the same policy enforcement. This grouping represents a list of service groups."; 1273 } 1275 /* 1276 * Groupings for application object and application group 1277 */ 1278 grouping application-objects { 1279 container user-defined-application { 1280 if-feature user-defined-application; 1281 container applications { 1282 list application { 1283 key "name"; 1284 leaf name { 1285 type string; 1286 description "The name of user-defined application object."; 1287 } 1288 leaf-list label { 1289 type string; 1290 description "A list of labels for user-defined application."; 1291 } 1292 leaf data-model { 1293 type string; 1294 description "The data transmission model of user-defined application. Examples are client/server, peer-to-peer. Data transmission models are predefined in the NSF."; 1295 } 1296 leaf category { 1297 type string; 1298 description "The category of user-defined application. The value of this leaf is selected from a predefined set of categories, e.g., general category, network category."; 1299 } 1300 leaf subcategory { 1301 type string; 1302 description "The subcategory of user-defined application. 
"; 1303 } 1304 leaf desc { 1305 type string; 1306 description "The description information of user-defined application."; 1307 } 1308 list rule { 1309 key "name"; 1310 leaf name { 1311 type string; 1312 description "The name of the user-defined application rule."; 1313 } 1314 leaf protocol { 1315 type protocol; 1316 description "The protocol that user-defined application is based on."; 1317 } 1318 container signature { 1319 leaf mode { 1320 type string; 1321 description "The mode of keyword identification. If the keyword exists in one packet, the mode is Packet. If the keyword exists in multiple packets, the mode is Flow."; 1322 } 1323 leaf direction { 1324 type direction; 1325 description "The traffic direction for application identification. Request indicates that data to the server is detected, Response indicates that data from the server is detected, and Both indicates that data from and to the server is detected."; 1326 } 1327 leaf pattern-type{ 1328 type pattern-type; 1329 description "The match pattern of the user-defined application rule. If the keyword is a fixed string, the pattern type is Plain. If the keyword is not a fixed string, the pattern type is Regular Expression."; 1330 } 1331 leaf pattern { 1332 type string; 1333 description "The keyword of user-defined application rule."; 1334 } 1335 leaf field { 1336 type identityref { 1337 base protocol-field; 1338 } 1339 default general-payload; 1340 description "The protocol field to search for a signature. 
The default protocol field is General-payload."; 1341 } 1342 description "The signature/characteristics of user-defined application."; 1343 } 1344 description "The rule used to identify the user-defined application."; 1345 } 1346 leaf-list ip-address { 1347 type inet:ip-prefix; 1348 description "The destination IPv4/IPv6 address of user-defined application."; 1349 } 1350 leaf-list port { 1351 type inet:port-number; 1352 description "The destination port number of user-defined application."; 1353 } 1354 description "A list of user-defined application objects."; 1355 } 1356 description "When the NSF supports user-defined application function, these are a list of user-defined application objects."; 1357 } 1358 description "When the NSF supports user-defined application function, this container is used to configure application objects."; 1359 } 1360 container predefined-application { 1361 config false; 1362 list application { 1363 key "name"; 1364 leaf name { 1365 type string; 1366 config false; 1367 description "The name of the predefined application."; 1368 } 1369 leaf-list protocol { 1370 type string; 1371 config false; 1372 description "The protocol information of application."; 1373 } 1374 leaf risk-value { 1375 type uint32; 1376 config false; 1377 description "The risk value of predefined application."; 1378 } 1379 leaf-list label { 1380 type string; 1381 config false; 1382 description "The label of predefined application,an application may have multiple labels."; 1383 } 1384 leaf abandon { 1385 type boolean; 1386 config false; 1387 description "The abandon flag of predefined application."; 1388 } 1389 leaf multichannel { 1390 type boolean; 1391 config false; 1392 description "The multi channel flag of predefined application."; 1393 } 1394 leaf data-model { 1395 type string; 1396 description "The data transmission model of user-defined application. Examples are client/server, peer-to-peer. 
Data transmission models are predefined in the NSF."; 1397 } 1398 leaf category { 1399 type string; 1400 config false; 1401 description "The category of user-defined application. The value of this leaf is selected from a predefined set of categories, e.g., general category, network category."; 1402 } 1403 leaf subcategory { 1404 type string; 1405 config false; 1406 description "The name of application subcategory."; 1407 } 1408 leaf desc { 1409 type string; 1410 config false; 1411 description "The description information of application."; 1412 } 1413 description "The attributes of a predefined application."; 1414 } 1415 description "The information of all predefined applications."; 1416 } 1417 description "A list of predefined application objects."; 1418 } 1420 grouping application-groups { 1421 list application-group { 1422 key "name"; 1423 leaf name { 1424 type string; 1425 description "The name of the application group."; 1426 } 1427 leaf desc { 1428 type string{ 1429 length "1..127"; 1430 } 1431 description "The description of the application group."; 1432 } 1433 list items { 1434 key "id"; 1435 leaf id { 1436 type uint16; 1437 description "The id of the element in application group."; 1438 } 1439 leaf application-object-name { 1440 type string; 1441 mandatory true; 1442 description "The name of the application object that consists the application group."; 1443 } 1444 description "A list of application objects that consist an application group object."; 1445 } 1446 description "A list of application group objects."; 1447 } 1448 description "An application group object is comprised of several application objects that require the same policy enforcement. 
This grouping represents a list of application groups."; 1449 } 1451 /* 1452 * Groupings for user object, user group and security group 1453 */ 1454 grouping user-objects { 1455 list user-object { 1456 key "name aaa-domain"; 1457 leaf name { 1458 type user-name; 1459 description "The name of the user."; 1460 } 1461 leaf aaa-domain { 1462 type string { 1463 length "1..64"; 1464 } 1465 description "The name of the domain to which the user belong."; 1466 } 1467 leaf desc { 1468 type string { 1469 length "1..127"; 1470 } 1471 description "The description of the user."; 1472 } 1473 leaf password { 1474 type ianach:crypt-hash; 1475 description "If user is authenticated locally on the NSF, this attribute is mandatory. It defines the password corresponding to the user name."; 1476 } 1477 leaf parent-user-group { 1478 type user-group-name; 1479 description "The name of the parent group. User objects and user groups are in a hierarchical structure. A user object can only belong to one user group."; 1480 } 1481 leaf-list parent-security-group { 1482 type user-security-group-name; 1483 max-elements 40; 1484 description "The name of the parent security group. 
A user object can belong to several security groups."; 1485 } 1486 container expiration-time { 1487 choice expiration-type { 1488 case never-expire { 1489 leaf never-expire { 1490 type empty; 1491 description "This case indicates that the user never expire."; 1492 } 1493 } 1494 case expire-after-this-time { 1495 leaf expiration-time { 1496 type yang:date-and-time; 1497 description "User expired time."; 1498 } 1499 } 1500 description "Two types of user expiration configurations."; 1501 } 1502 description "User expiration time."; 1503 } 1504 container ip-mac-binding { 1505 choice bind-state { 1506 case no-binding { 1507 leaf no-binding{ 1508 type empty; 1509 mandatory true; 1510 description "No binding: Indicates that a user is not bound to any IP or MAC address."; 1512 } 1513 } 1514 case binding { 1515 leaf bind-mode{ 1516 type ip-mac-binding-type; 1517 description "The user and IP/MAC address binding mode: bidirectional, or unidirectional. In unidirectional binding, a user must use the specified IP and MAC addresses to log in. The same IP and MAC addresses can also be used by other users. In bidirectional binding, a user must use the specified IP and MAC addresses to log in. 
The same IP and MAC addresses cannot be used by other bidirectional binding users."; 1518 } 1519 leaf-list ip-binding { 1520 type inet:ipv4-address; 1521 description "The IP address bound to the user."; 1522 } 1523 leaf-list mac-binding { 1524 type yang:mac-address; 1525 description "The MAC address bound to the user."; 1526 } 1527 list ip-mac-bindings { 1528 key "ip-binding"; 1529 unique "mac-binding"; 1530 leaf ip-binding { 1531 type inet:ipv4-address; 1532 description "The bound IPv4 address"; 1533 } 1534 leaf mac-binding { 1535 type yang:mac-address; 1536 description "The bound mac address"; 1537 } 1538 description "Configure the IP address and MAC address pairs bound to the user."; 1539 } 1540 } 1541 description "The binding state: no-binding, binding."; 1542 } 1543 description "Whether there are IP/MAC addresses bound to the user."; 1544 } 1545 description "User Object and its attributes."; 1546 } 1547 description "A list of user objects."; 1548 } 1550 grouping security-groups { 1551 list security-group { 1552 key "name"; 1553 leaf name { 1554 type user-security-group-name; 1555 description "The name of the security-group."; 1556 } 1557 leaf desc { 1558 type string { 1559 length "1..127"; 1561 } 1562 description "The description of the security-group."; 1563 } 1564 leaf-list parent-security-group { 1565 type user-security-group-name; 1566 max-elements 40; 1567 description "Configure the name of the parent-security-group."; 1568 } 1569 container filter-action { 1570 choice filter-type { 1571 case static { 1572 leaf static { 1573 type empty; 1574 mandatory true; 1575 description "Empty leaf indicates that this is a static security group."; 1576 } 1577 } 1578 case dynamic { 1579 leaf dynamic { 1580 type empty; 1581 mandatory true; 1582 description "Empty leaf indicates that this is a dynamic security group."; 1583 } 1584 leaf-list filter-rule { 1585 type string { 1586 length "1..256"; 1587 } 1588 max-elements 5; 1589 description "Filter rules for dynamic 
security group."; 1590 } 1591 } 1592 description "The filter type: static, dynamic."; 1593 } 1594 description "The filter type of the security group, static and dynamic. For dynamic security group, an filter rule needs to be configured."; 1595 } 1596 description "Security group and its attributes."; 1597 } 1598 description "A list of security groups."; 1599 } 1601 grouping user-groups { 1602 list user-group { 1603 key "name"; 1604 leaf name { 1605 type user-group-name; 1606 description "The name of the user group."; 1607 } 1608 leaf desc { 1609 type string { 1610 length "1..63"; 1611 } 1612 description "The description of the user group."; 1613 } 1614 leaf parent-user-group { 1615 type user-group-name; 1616 description "The name of the user group. A user group can only belong to one parent user group."; 1617 } 1618 description "User group and its attributes."; 1619 } 1620 description "A list of user groups"; 1621 } 1623 /* 1624 * Groupings for time range object 1625 */ 1626 grouping time-range-objects { 1627 list time-range-object { 1628 key "name"; 1629 leaf name { 1630 type time-range-name; 1631 description "The name of the time range object."; 1632 } 1633 list period-time { 1634 key "start end"; 1635 leaf start { 1636 type hour-minute-second; 1637 mandatory true; 1638 description "Start time of the periodic time range."; 1639 } 1640 leaf end { 1641 type hour-minute-second; 1642 mandatory true; 1643 description "End time of the periodic time range."; 1644 } 1645 leaf-list weekday { 1646 type weekday; 1647 min-elements 1; 1648 max-elements 7; 1649 description "The weekday to which the periodic time range belongs."; 1650 } 1651 description "Periodic time that the associated function starts going into effect."; 1652 } 1653 list absolute-time { 1654 key "start end"; 1655 leaf start { 1656 type yang:date-and-time; 1657 description "Absolute start time and date"; 1658 } 1659 leaf end { 1660 type yang:date-and-time; 1661 description "Absolute end time and date"; 1662 } 
1663 description "Absolute time and date that the associated function starts going into effect."; 1664 } 1665 description "The time range object and its attributes."; 1666 } 1667 description "A list of time range objects"; 1668 } 1670 /* 1671 * Groupings for region object and region group 1672 */ 1673 grouping region-ipv4-address-item { 1674 leaf-list address-ipv4 { 1675 type inet:ipv4-prefix; 1676 description "IPv4 address."; 1677 } 1678 list address-ipv4-range { 1679 key "start-ipv4 end-ipv4"; 1680 leaf start-ipv4 { 1681 type inet:ipv4-address; 1682 description "Start ipv4 address."; 1683 } 1684 leaf end-ipv4 { 1685 type inet:ipv4-address; 1686 description "End ipv4 address."; 1687 } 1688 description "A list of ipv4 address ranges"; 1689 } 1690 description "A list of ipv4 addresses that are located at a specific region."; 1691 } 1693 grouping region-ipv6-address-item { 1694 leaf-list address-ipv6 { 1695 type inet:ipv6-prefix; 1696 description "IPv6 address."; 1697 } 1698 list address-ipv6-range { 1699 key "start-ipv6 end-ipv6"; 1700 leaf start-ipv6 { 1701 type inet:ipv6-address; 1702 description "Start ipv6 address."; 1704 } 1705 leaf end-ipv6 { 1706 type inet:ipv6-address; 1707 description "End ipv6 address."; 1708 } 1709 description "A list of ipv6 address ranges"; 1710 } 1711 description "A list of ipv6 addresses that are located at a specific region."; 1712 } 1714 grouping region-objects { 1715 list pre-defined-region { 1716 key "name"; 1717 config false; 1718 leaf name { 1719 type region-name; 1720 config false; 1721 description "The name of the predefined region."; 1722 } 1723 leaf desc { 1724 type string; 1725 config false; 1726 description "The description of the predefined region."; 1727 } 1728 container region-ipv4-address { 1729 uses region-ipv4-address-item; 1730 config false; 1731 description "The IPv4 addresses of the predefined region."; 1732 } 1733 container region-ipv6-address { 1734 uses region-ipv6-address-item; 1735 config false; 1736 
description "The IPv6 addresses of the predefined region."; 1737 } 1738 description "A list of predefined region objects."; 1739 } 1740 list user-defined-region { 1741 key "name"; 1742 leaf name { 1743 type region-name; 1744 description "The name of the user-defined region."; 1745 } 1746 leaf desc { 1747 type string; 1748 description "The description of the user-defined region."; 1749 } 1750 container coordinate { 1751 leaf longitude { 1752 type region-longitude; 1753 description "The latitude of the user-defined region."; 1754 } 1755 leaf latitude { 1756 type region-latitude; 1757 description "The longitude of the user-defined region."; 1758 } 1759 description "The latitude and longitude of the user-defined region."; 1760 } 1761 container region-ipv4-address { 1762 uses region-ipv4-address-item; 1763 description "The IP address of the user-defined region."; 1764 } 1765 container region-ipv6-address { 1766 uses region-ipv6-address-item; 1767 description "The IPv6 address of the user-defined region."; 1768 } 1769 description "A list of user-defined region objects."; 1770 } 1771 description "A list of predefined region objects and a list of user-defined region objects."; 1772 } 1774 grouping region-groups { 1775 list region-group { 1776 key "name"; 1777 leaf name { 1778 type region-name; 1779 description "The name of the region group."; 1780 } 1781 leaf desc { 1782 type string; 1783 description "The description of the region group."; 1784 } 1785 leaf-list region-name { 1786 type region-name; 1787 description "A list of region objects."; 1788 } 1789 leaf-list region-group-name { 1790 type region-name; 1791 description "A list of region groups."; 1792 } 1793 description "Region group consists of a set of region objects or region groups."; 1794 } 1795 description "A list of region group objects."; 1796 } 1798 /* 1799 * Groupings for domain object 1800 */ 1801 grouping domain-objects { 1802 list domain-object { 1803 key "name"; 1804 leaf name { 1805 type domain-name; 
1806 description "The name of the domain object."; 1807 } 1808 leaf desc { 1809 type string; 1810 description "The description of the domain object."; 1811 } 1812 leaf-list domain { 1813 type string; 1814 description "A list of domains that consists the domain objects."; 1815 } 1816 description "Domain object and its attributes."; 1817 } 1818 description "A list of domain objects."; 1819 } 1820 } 1822 7. Acknowledgements 1824 8. IANA Considerations 1826 This document requires no IANA actions. 1828 9. Security Considerations 1830 Secure transport should be used to retrieve the current status of 1831 management plane security baseline. 1833 10. References 1835 10.1. Normative References 1837 [I-D.ietf-i2nsf-capability] 1838 Xia, L., Strassner, J., Basile, C., and D. Lopez, 1839 "Information Model of NSFs Capabilities", draft-ietf- 1840 i2nsf-capability-01 (work in progress), April 2018. 1842 [I-D.ietf-i2nsf-terminology] 1843 Hares, S., Strassner, J., Lopez, D., Xia, L., and H. 1844 Birkholz, "Interface to Network Security Functions (I2NSF) 1845 Terminology", draft-ietf-i2nsf-terminology-05 (work in 1846 progress), January 2018. 1848 [I-D.ietf-netmod-acl-model] 1849 Jethanandani, M., Huang, L., Agarwal, S., and D. Blair, 1850 "Network Access Control List (ACL) YANG Data Model", 1851 draft-ietf-netmod-acl-model-19 (work in progress), April 1852 2018. 1854 [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. 1855 Kumar, "Framework for Interface to Network Security 1856 Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, 1857 . 1859 10.2. Informative References 1861 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1862 Requirement Levels", BCP 14, RFC 2119, 1863 DOI 10.17487/RFC2119, March 1997, 1864 . 1866 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 1867 RFC 7950, DOI 10.17487/RFC7950, August 2016, 1868 . 1870 [RFC8340] Bjorklund, M. and L. 
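   The binding semantics given in the ip-mac-binding-type description
   (unidirectional bindings restrict only the user itself, bidirectional
   bindings also exclude other bidirectional users from the same IP or
   MAC address) are easy to get wrong in an NSF controller.  The
   following Python example is added here and is not part of the draft
   or of any I2NSF implementation; it takes user-object instance data in
   the JSON encoding of the user-objects grouping (constructed sample
   values), applies a user's own binding at login time, and reports
   address clashes between bidirectional users.  How a login is matched
   when both individual address lists and ip-mac-bindings pairs are
   configured is an assumption of the example, stated in the code.

```python
"""Check user-object IP/MAC binding instances against the binding rules.

Added example, not from the draft.  Instance data is in the JSON shape of
the user-objects grouping (RFC 7951 encoding, so the empty leaf no-binding
appears as [null]).  A unidirectional binding restricts only the user;
a bidirectional binding also forbids other bidirectional users from
using the same IP or MAC address.
"""
from typing import Dict, List, Set, Tuple

User = Dict  # one "user-object" list entry as JSON-encoded instance data

# Constructed sample data (not from the draft): four users in one domain.
# alice and bob both claim 10.0.0.10 bidirectionally (forbidden); carol
# shares it unidirectionally (allowed); dave is unbound.
SAMPLE_USERS: List[User] = [
    {"name": "alice", "aaa-domain": "corp",
     "ip-mac-binding": {"bind-mode": "bidirectional",
                        "ip-mac-bindings": [{"ip-binding": "10.0.0.10",
                                             "mac-binding": "00:11:22:33:44:55"}]}},
    {"name": "bob", "aaa-domain": "corp",
     "ip-mac-binding": {"bind-mode": "bidirectional",
                        "ip-binding": ["10.0.0.10"],
                        "mac-binding": ["00:11:22:33:44:66"]}},
    {"name": "carol", "aaa-domain": "corp",
     "ip-mac-binding": {"bind-mode": "unidirectional",
                        "ip-binding": ["10.0.0.10"]}},
    {"name": "dave", "aaa-domain": "corp",
     "ip-mac-binding": {"no-binding": [None]}},
]


def user_id(user: User) -> str:
    """The list key of user-object is 'name aaa-domain'; join both."""
    return f"{user['name']}@{user['aaa-domain']}"


def binding_mode(user: User) -> str:
    """Return 'no-binding', 'unidirectional' or 'bidirectional'.

    The bind-state choice has two cases: the empty leaf no-binding selects
    the first, bind-mode selects the second.  A user with neither (or with
    no ip-mac-binding container at all) is treated as unbound.
    """
    binding = user.get("ip-mac-binding", {})
    if "no-binding" in binding or "bind-mode" not in binding:
        return "no-binding"
    return binding["bind-mode"]


def bound_addresses(user: User) -> Tuple[Set[str], Set[str], Set[Tuple[str, str]]]:
    """Return individually bound IPs, individually bound MACs, and the
    (IP, MAC) pairs from ip-mac-bindings; MACs are lower-cased."""
    binding = user.get("ip-mac-binding", {})
    ips = set(binding.get("ip-binding", []))
    macs = {m.lower() for m in binding.get("mac-binding", [])}
    pairs = {(b["ip-binding"], b["mac-binding"].lower())
             for b in binding.get("ip-mac-bindings", [])}
    return ips, macs, pairs


def login_allowed(user: User, ip: str, mac: str) -> bool:
    """Apply the user's own binding at login time (both modes do this).

    Assumption, not stated by the draft: a login matches if it equals one
    configured (IP, MAC) pair, or if it satisfies every individually
    configured list (an IP list alone leaves the MAC unconstrained).
    """
    if binding_mode(user) == "no-binding":
        return True
    ips, macs, pairs = bound_addresses(user)
    mac = mac.lower()
    if (ip, mac) in pairs:
        return True
    if not ips and not macs:
        return False  # only pairs are configured and none matched
    return (not ips or ip in ips) and (not macs or mac in macs)


def find_conflicts(users: List[User]) -> List[Tuple[str, str, str]]:
    """Report (address, first owner, second owner) for every IP or MAC
    bound by two different bidirectional users.  Unidirectional and
    unbound users are skipped because the model lets them share."""
    owners: Dict[Tuple[str, str], str] = {}
    conflicts: List[Tuple[str, str, str]] = []
    for user in users:
        if binding_mode(user) != "bidirectional":
            continue
        uid = user_id(user)
        ips, macs, pairs = bound_addresses(user)
        keys = [("ip", a) for a in sorted(ips | {p[0] for p in pairs})]
        keys += [("mac", a) for a in sorted(macs | {p[1] for p in pairs})]
        for key in keys:
            if key in owners and owners[key] != uid:
                conflicts.append((key[1], owners[key], uid))
            else:
                owners.setdefault(key, uid)
    return conflicts


if __name__ == "__main__":
    for addr, first, second in find_conflicts(SAMPLE_USERS):
        print(f"bidirectional binding conflict on {addr}: {first}, {second}")
```

   Run against the sample data, the checker flags 10.0.0.10 as shared by
   alice and bob while leaving carol's unidirectional use of the same
   address alone.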
Authors' Addresses

   Liang Xia
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu 210012
   China

   Email: Frank.xialiang@huawei.com

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong 518129
   China

   Email: linqiushi@huawei.com